EAP/TTLS PEAP MSCHAP

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Apr 4 21:58:19 CEST 2007


Eshun Benjamin wrote:
> Hello Arran, Which specific OID?  I also think it has to do with the 
> certificate. Could you please be specific if possible with example. I 
> tried to use another certificate and I am getting 2 issues;
>  1. is before access challenge ;
>
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from suffix (rlm_realm) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module 
> "suffix" returns noop for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: EAP packet type response 
> id 2 length 192
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: No EAP Start, assuming 
> it's an on-going EAP conversation
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from eap (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module "eap" 
> returns updated for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling 
> files (rlm_files) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:     users: Matched entry DEFAULT at 
> line 225
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from files (rlm_files) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module "files" 
> returns ok for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling 
> etc_smbpasswd (rlm_passwd) for request 2
> Wed Apr  4 21:33:09 2007 : Debug: rlm_passwd: Added LM-Password: 
> '739EA6CD54DF1680AAD3B435B51404EE' to config_items
> Wed Apr  4 21:33:09 2007 : Debug: rlm_passwd: Added NT-Password: 
> 'F138C6624B18D0E17EA9630C746A8202' to config_items
> Wed Apr  4 21:33:09 2007 : Debug: rlm_passwd: Added 
> SMB-Account-CTRL-TEXT: '[UX         ]' to config_items
> Wed Apr  4 21:33:09 2007 : Info: rlm_passwd: Adding "Auth-Type = MS-CHAP"
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from etc_smbpasswd (rlm_passwd) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module 
> "etc_smbpasswd" returns ok for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: calling pap 
> (rlm_pap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug: rlm_pap: Normalizing LM-Password 
> from hex encoding
> Wed Apr  4 21:33:09 2007 : Debug: rlm_pap: Normalizing NT-Password 
> from hex encoding
> Wed Apr  4 21:33:09 2007 : Debug: rlm_pap: Found existing Auth-Type, 
> not changing it.
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authorize]: returned 
> from pap (rlm_pap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authorize]: module "pap" 
> returns noop for request 2
> Wed Apr  4 21:33:09 2007 : Debug: modcall: leaving group authorize 
> (returns updated) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   rad_check_password:  Found 
> Auth-Type EAP
> Wed Apr  4 21:33:09 2007 : Debug: auth: type "EAP"
> Wed Apr  4 21:33:09 2007 : Debug:   Processing the authenticate 
> section of radiusd.conf
> Wed Apr  4 21:33:09 2007 : Debug: modcall: entering group authenticate 
> for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authenticate]: calling 
> eap (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: Request found, released 
> from the list
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 21:33:09 2007 : Debug: rlm_eap_tls:  Length Included
> Wed Apr  4 21:33:09 2007 : Debug:   eaptls_verify returned 11
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake 
> [length 0086], ClientKeyExchange 
> Wed Apr  4 21:33:09 2007 : Debug:     TLS_accept: SSLv3 read client 
> key exchange A
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 
> ChangeCipherSpec [length 0001] 
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake 
> [length 0010], Finished 
> Wed Apr  4 21:33:09 2007 : Debug:     TLS_accept: SSLv3 read finished A
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 
> ChangeCipherSpec [length 0001] 
> Wed Apr  4 21:33:09 2007 : Debug:     TLS_accept: SSLv3 write change 
> cipher spec A
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake 
> [length 0010], Finished 
> Wed Apr  4 21:33:09 2007 : Debug:     TLS_accept: SSLv3 write finished A
> Wed Apr  4 21:33:09 2007 : Debug:     TLS_accept: SSLv3 flush data
> Wed Apr  4 21:33:09 2007 : Debug:     (other): SSL negotiation 
> finished successfully
> Wed Apr  4 21:33:09 2007 : Error: rlm_eap: SSL error 
> error:00000000:lib(0):func(0):reason(0)
> Wed Apr  4 21:33:09 2007 : Debug: SSL Connection Established
> Wed Apr  4 21:33:09 2007 : Debug:   eaptls_process returned 13
> Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr  4 21:33:09 2007 : Debug:   modsingle[authenticate]: returned 
> from eap (rlm_eap) for request 2
> Wed Apr  4 21:33:09 2007 : Debug:   modcall[authenticate]: module 
> "eap" returns handled for request 2
> Wed Apr  4 21:33:09 2007 : Debug: modcall: leaving group authenticate 
> (returns handled) for request 2
>
> 2. Then during the access challenge; some access-denied errors.
>
> Wed Apr  4 21:21:48 2007 : Debug:   eaptls_verify returned 11
> Wed Apr  4 21:21:48 2007 : Debug:   eaptls_process returned 7
> Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap_peap: EAPTLS_OK
> Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap_peap: Session 
> established.  Decoding tunneled attributes.
> Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Alert 
> [length 0002], fatal access_denied 
> Wed Apr  4 21:21:48 2007 : Error: TLS Alert read:fatal:access denied
> Wed Apr  4 21:21:48 2007 : Info: rlm_eap_peap: No data inside of the 
> tunnel.
> Wed Apr  4 21:21:48 2007 : Debug:  rlm_eap: Handler failed in EAP/peap
> Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap: Failed in EAP select
> Wed Apr  4 21:21:48 2007 : Debug:   modsingle[authenticate]: returned 
> from eap (rlm_eap) for request 11
> Wed Apr  4 21:21:48 2007 : Debug:   modcall[authenticate]: module 
> "eap" returns invalid for request 11
> Wed Apr  4 21:21:48 2007 : Debug: modcall: leaving group authenticate 
> (returns invalid) for request 11
> Wed Apr  4 21:21:48 2007 : Debug: auth: Failed to validate the user.
> Wed Apr  4 21:21:48 2007 : Debug: Delaying request 11 for 1 seconds
> Wed Apr  4 21:21:48 2007 : Debug: Finished request 11
> Wed Apr  4 21:21:48 2007 : Debug: Going to the next request
> Wed Apr  4 21:21:48 2007 : Debug: rl_next:  returning NULL
> Wed Apr  4 21:21:48 2007 : Debug: Waking up in 6 seconds...
> Wed Apr  4 21:21:54 2007 : Debug: --- Walking the entire request list ---
> Sending Access-Reject of id 0 to 10.1.5.26 port 2048
>
>  
> ==================================================
>
> Benjamin K. Eshun
>
>
> ----- Original Message ----
> From: Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Sent: Wednesday, 4 April 2007, 19:51:45
> Subject: Re: EAP/TTLS PEAP MSCHAP
>
> Eshun Benjamin wrote:
> > Mac connects but ms windows does not.  I am doing server side cert.
> > Error from ms windows.
> >
> >
> > User-Name = "testgeneral"
> >         NAS-IP-Address = 10.1.5.26
> >         Called-Station-Id = "0016014d9158"
> >         Calling-Station-Id = "0019e3034ceb"
> >         NAS-Identifier = "0016014d9158"
> >         NAS-Port = 36
> >         Framed-MTU = 1400
> >         State = 0x3d946123f5f422f576bed1eb52863e55
> >         NAS-Port-Type = Wireless-802.11
> >         EAP-Message =
> > 
> 0x0202005019800000004616030100410100003d030146139aedbfdec7d57168bf7fdbe984cfd19f5d1e7c13ee839e4b0a55d34aa86600001600040005000a000900640062000300060013001200630100
> >         Message-Authenticator = 0x3efce19c566f372e8744589f65d58401
> > Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section
> > of radiusd.conf
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize
> > for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > preprocess (rlm_preprocess) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from preprocess (rlm_preprocess) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "preprocess" returns ok for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > mschap (rlm_mschap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from mschap (rlm_mschap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "mschap" returns noop for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > suffix (rlm_realm) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No '@' in User-Name =
> > "testgeneral", looking up realm NULL
> > Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No such realm "NULL"
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from suffix (rlm_realm) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "suffix" returns noop for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap
> > (rlm_eap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response
> > id 2 length 80
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming
> > it's an on-going EAP conversation
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from eap (rlm_eap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap"
> > returns updated for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > files (rlm_files) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:     users: Matched entry testgeneral
> > at line 216
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from files (rlm_files) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files"
> > returns ok for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > etc_smbpasswd (rlm_passwd) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from etc_smbpasswd (rlm_passwd) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "etc_smbpasswd" returns notfound for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap
> > (rlm_pap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type,
> > not changing it.
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from pap (rlm_pap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap"
> > returns noop for request 74
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize
> > (returns updated) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found
> > Auth-Type EAP
> > Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> > Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate
> > section of radiusd.conf
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate
> > for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling
> > eap (rlm_eap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released
> > from the list
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> > Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls:  Length Included
> > Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 11
> > Wed Apr  4 14:32:48 2007 : Debug:     (other): before/accept
> > initialization
> > Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: before/accept
> > initialization
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake
> > [length 0041], ClientHello
> > Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 read client
> > hello A
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake
> > [length 004a], ServerHello
> > Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write server
> > hello A
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake
> > [length 038f], Certificate
> > Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write
> > certificate A
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake
> > [length 0004], ServerHelloDone
> > Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write server
> > done A
> > Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 flush data
> > Wed Apr  4 14:32:48 2007 : Error:     TLS_accept:error in SSLv3 read
> > client certificate A
> > Wed Apr  4 14:32:48 2007 : Error: rlm_eap: SSL error
> > error:00000000:lib(0):func(0):reason(0)
> > Wed Apr  4 14:32:48 2007 : Debug: In SSL Handshake Phase
> > Wed Apr  4 14:32:48 2007 : Debug: In SSL Accept mode
> > Wed Apr  4 14:32:48 2007 : Debug:   eaptls_process returned 13
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: returned
> > from eap (rlm_eap) for request 74
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authenticate]: module
> > "eap" returns handled for request 74
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authenticate
> > (returns handled) for request 74
> > Sending Access-Challenge of id 0 to 10.1.5.26 port 2048
> >         EAP-Message =
> > 
> 0x010303f21900160301004a02000046030146139af0c3e704b47f4b6b436a8b07d916c60b21a951af6c2918a39cadca6aa22013971c62e79c9f9f6e232f6d035b7705438843f46c8e38f788750500db6621bf000400160301038f0b00038b00038800038530820381308202eaa003020102020900e8e427c494215d09300d06092a864886f70d0101050500308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a86
> >         EAP-Message =
> > 
> 0x4886f70d010901161061646d696e406d70692d6362672e6465301e170d3037303332343131313731395a170d3130303332333131313731395a308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a864886f70d010901161061646d696e406d70692d6362672e646530819f300d06092a864886f70d010101050003818d0030818902818100ac1158639bcdf711751f54bdf25c666d6f3a532967a7cba624a5167b
> >         EAP-Message =
> >         EAP-Message =
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0x4e138cc588a831123b8c899c1e03c4fc
> > Wed Apr  4 14:32:48 2007 : Debug: Finished request 74
> > Wed Apr  4 14:32:48 2007 : Debug: Going to the next request
> > Wed Apr  4 14:32:48 2007 : Debug: rl_next:  returning NULL
> > Wed Apr  4 14:32:48 2007 : Debug: Waking up in 6 seconds...
> > rad_recv: Access-Request packet from host 10.1.5.26:2048, id=0, 
> length=143
> >         User-Name = "testgeneral"
> >         NAS-IP-Address = 10.1.5.26
> >         Called-Station-Id = "0016014d9158"
> >         Calling-Station-Id = "0019e3034ceb"
> >         NAS-Identifier = "0016014d9158"
> >         NAS-Port = 36
> >         Framed-MTU = 1400
> >         State = 0x4e138cc588a831123b8c899c1e03c4fc
> >         NAS-Port-Type = Wireless-802.11
> >         EAP-Message = 0x020300061900
> >         Message-Authenticator = 0xf89ebcfef5ea8e2a15b9fc63884890df
> > Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section
> > of radiusd.conf
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize
> > for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > preprocess (rlm_preprocess) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from preprocess (rlm_preprocess) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "preprocess" returns ok for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > mschap (rlm_mschap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from mschap (rlm_mschap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "mschap" returns noop for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > suffix (rlm_realm) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No '@' in User-Name =
> > "testgeneral", looking up realm NULL
> > Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No such realm "NULL"
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from suffix (rlm_realm) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "suffix" returns noop for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap
> > (rlm_eap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response
> > id 3 length 6
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming
> > it's an on-going EAP conversation
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from eap (rlm_eap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap"
> > returns updated for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > files (rlm_files) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:     users: Matched entry testgeneral
> > at line 216
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from files (rlm_files) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files"
> > returns ok for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> > etc_smbpasswd (rlm_passwd) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from etc_smbpasswd (rlm_passwd) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> > "etc_smbpasswd" returns notfound for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap
> > (rlm_pap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type,
> > not changing it.
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> > from pap (rlm_pap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap"
> > returns noop for request 75
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize
> > (returns updated) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found
> > Auth-Type EAP
> > Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> > Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate
> > section of radiusd.conf
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate
> > for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling
> > eap (rlm_eap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released
> > from the list
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> > Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK
> > message
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: ack handshake
> > fragment handler
> > Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 1
> > Wed Apr  4 14:32:48 2007 : Debug:   eaptls_process returned 13
> > Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> > Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: returned
> > from eap (rlm_eap) for request 75
> > Wed Apr  4 14:32:48 2007 : Debug:   modcall[authenticate]: module
> > "eap" returns handled for request 75
> > Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authenticate
> > (returns handled) for request 75
> >
> >  
> > ==================================================
> >
> > Benjamin K. Eshun
> >
> >
> >
> > -
> > List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
> Your server-side certificate needs to have special OIDs, which the peap
> section of the eap.conf file warns you about. Windows will check that
> these OIDs are present in the certificate sent from the server; if they
> are not, it will fail silently.
>
>
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
>
Ok, you're trying to do EAP-TLS?

Looks like the client side is ok.

Wed Apr  4 21:33:09 2007 : Error: rlm_eap: SSL error 
error:00000000:lib(0):func(0):reason(0)
Wed Apr  4 21:33:09 2007 : Debug: SSL Connection Established

I don't think that error is actually an error, note the lack of an error 
location ... But could someone please confirm this ...

Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap_peap: Session established.  
Decoding tunneled attributes.
Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Alert 
[length 0002], fatal access_denied 
Wed Apr  4 21:21:48 2007 : Error: TLS Alert read:fatal:access denied
Wed Apr  4 21:21:48 2007 : Info: rlm_eap_peap: No data inside of the tunnel.

This however is an error. This would be where windows is rejecting the 
server side certificate and so TLS negotiation is failing.

I'm currently in the same situation, trying to generate a certificate 
with openssl containing the correct OID (object identifier).

According to the Microsoft support article 
(http://support.microsoft.com/kb/814394/en-us)

"The IAS or the VPN server computer certificate is configured with the 
Server Authentication purpose. The object identifier for Server 
Authentication is 1.3.6.1.5.5.7.3.1."

But I have no idea how to add it to the certificate, if you find out 
please let me know :)

Thanks,
Arran
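The certificate purpose Arran is asking about, as an added example that is not part of the original thread and not code from the FreeRADIUS project: an OpenSSL request config that puts the Server Authentication purpose (OID 1.3.6.1.5.5.7.3.1) into the certificate's extendedKeyUsage, a function that issues a self-signed server certificate from it, a second function that issues the same certificate without the extension, and a check that reads the purpose back out of the issued certificate. The config layout, the section name xpserver_ext, the CN radius.example.org and the file names are my own choices and do not appear on the page.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeRADIUS project.
# Mints a self-signed server certificate whose extendedKeyUsage carries the
# Server Authentication OID 1.3.6.1.5.5.7.3.1 (the OID named in the thread),
# then checks the issued certificate for it. File names, the section name
# xpserver_ext and the CN below are my own choices (not from the page).
set -eu

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

write_config() {
  # OpenSSL request config. The EKU lives in its own section so the same
  # config can issue a certificate with or without it.
  cat > "$WORK/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no

[ dn ]
CN = radius.example.org

[ xpserver_ext ]
# Server Authentication; OpenSSL also accepts the short name "serverAuth".
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
}

make_server_cert() {
  # $1 = output prefix; writes $1.key and $1.crt WITH the EKU (-extensions).
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/server.cnf" -extensions xpserver_ext \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_plain_cert() {
  # $1 = output prefix; same request but no -extensions, so no EKU is added.
  # This is the shape of certificate the thread says Windows rejects silently.
  write_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$WORK/server.cnf" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

has_server_auth_eku() {
  # $1 = PEM certificate. Succeeds only if the X509v3 Extended Key Usage
  # extension lists TLS Web Server Authentication (1.3.6.1.5.5.7.3.1).
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Extended Key Usage/ { getline; print }' \
    | grep -q 'TLS Web Server Authentication'
}

# Demo: one certificate of each kind, then the check a supplicant applies.
make_server_cert "$WORK/good"
make_plain_cert  "$WORK/plain"
has_server_auth_eku "$WORK/good.crt"  && echo "good.crt:  serverAuth EKU present"
has_server_auth_eku "$WORK/plain.crt" || echo "plain.crt: serverAuth EKU missing"
```

Run it as a script with openssl on the PATH. The certificate issued with -extensions shows "TLS Web Server Authentication" under X509v3 Extended Key Usage in `openssl x509 -text` output; the one issued without it does not, which is the difference a Windows supplicant keys on. The check only confirms the purpose OID; it says nothing about whether the client trusts the issuing CA, which the thread does not cover.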



