Re: Re : EAP/TTLS PEAP MSCHAP

Eshun Benjamin wrote:
Hello Arran, Which specific OID? I also think it has to do with the certificate. Could you please be specific if possible with example. I trried to use another certificate and I am getting 2 issues; 
 1. is before access challenge ;
Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from suffix (rlm_realm) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "suffix" returns noop for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: EAP packet type response id 2 length 192 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "eap" returns updated for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling files (rlm_files) for request 2 Wed Apr 4 21:33:09 2007 : Debug: users: Matched entry DEFAULT at line 225 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "files" returns ok for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling etc_smbpasswd (rlm_passwd) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added LM-Password: '739EA6CD54DF1680AAD3B435B51404EE' to config_items Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added NT-Password: 'F138C6624B18D0E17EA9630C746A8202' to config_items Wed Apr 4 21:33:09 2007 : Debug: rlm_passwd: Added SMB-Account-CTRL-TEXT: '[UX ]' to config_items 
Wed Apr  4 21:33:09 2007 : Info: rlm_passwd: Adding "Auth-Type = MS-CHAP"
Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from etc_smbpasswd (rlm_passwd) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "etc_smbpasswd" returns ok for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: calling pap (rlm_pap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Normalizing LM-Password from hex encoding Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Normalizing NT-Password from hex encoding Wed Apr 4 21:33:09 2007 : Debug: rlm_pap: Found existing Auth-Type, not changing it. Wed Apr 4 21:33:09 2007 : Debug: modsingle[authorize]: returned from pap (rlm_pap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authorize]: module "pap" returns noop for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall: leaving group authorize (returns updated) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rad_check_password: Found Auth-Type EAP 
Wed Apr  4 21:33:09 2007 : Debug: auth: type "EAP"
Wed Apr 4 21:33:09 2007 : Debug: Processing the authenticate section of radiusd.conf Wed Apr 4 21:33:09 2007 : Debug: modcall: entering group authenticate for request 2 Wed Apr 4 21:33:09 2007 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: rlm_eap: Request found, released from the list 
Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: EAP/peap
Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap: processing type peap
Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_peap: Authenticate
Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_tls: processing TLS
Wed Apr  4 21:33:09 2007 : Debug: rlm_eap_tls:  Length Included
Wed Apr  4 21:33:09 2007 : Debug:   eaptls_verify returned 11
Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read client key exchange A Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 read finished A Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write change cipher spec A Wed Apr 4 21:33:09 2007 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished Wed Apr 4 21:33:09 2007 : Debug: TLS_accept: SSLv3 write finished A 
Wed Apr  4 21:33:09 2007 : Debug:     TLS_accept: SSLv3 flush data
Wed Apr 4 21:33:09 2007 : Debug: (other): SSL negotiation finished successfully Wed Apr 4 21:33:09 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) 
Wed Apr  4 21:33:09 2007 : Debug: SSL Connection Established
Wed Apr  4 21:33:09 2007 : Debug:   eaptls_process returned 13
Wed Apr  4 21:33:09 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
Wed Apr 4 21:33:09 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall[authenticate]: module "eap" returns handled for request 2 Wed Apr 4 21:33:09 2007 : Debug: modcall: leaving group authenticate (returns handled) for request 2 

2. Then during access challenge;  some access denied errors.

Wed Apr  4 21:21:48 2007 : Debug:   eaptls_verify returned 11
Wed Apr  4 21:21:48 2007 : Debug:   eaptls_process returned 7
Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap_peap: EAPTLS_OK
Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied Wed Apr 4 21:21:48 2007 : Error: TLS Alert read:fatal:access denied Wed Apr 4 21:21:48 2007 : Info: rlm_eap_peap: No data inside of the tunnel. 
Wed Apr  4 21:21:48 2007 : Debug:  rlm_eap: Handler failed in EAP/peap
Wed Apr  4 21:21:48 2007 : Debug:   rlm_eap: Failed in EAP select
Wed Apr 4 21:21:48 2007 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 11 Wed Apr 4 21:21:48 2007 : Debug: modcall[authenticate]: module "eap" returns invalid for request 11 Wed Apr 4 21:21:48 2007 : Debug: modcall: leaving group authenticate (returns invalid) for request 11 
Wed Apr  4 21:21:48 2007 : Debug: auth: Failed to validate the user.
Wed Apr  4 21:21:48 2007 : Debug: Delaying request 11 for 1 seconds
Wed Apr  4 21:21:48 2007 : Debug: Finished request 11
Wed Apr  4 21:21:48 2007 : Debug: Going to the next request
Wed Apr  4 21:21:48 2007 : Debug: rl_next:  returning NULL
Wed Apr  4 21:21:48 2007 : Debug: Waking up in 6 seconds...
Wed Apr  4 21:21:54 2007 : Debug: --- Walking the entire request list ---
Sending Access-Reject of id 0 to 10.1.5.26 port 2048
================================================== 

Benjamin K. Eshun


----- Message d'origine ----
De : Arran Cudbard-Bell <A.Cudbard-Bell@sussex.ac.uk>
À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
Envoyé le : Mercredi, 4 Avril 2007, 19h51mn 45s
Objet : Re: EAP/TTLS PEAP MSCHAP

Eshun Benjamin wrote:
> Mac connects but ms windows does not.  I am doing server side cert.
> Error from ms windows.
>
>
> User-Name = "testgeneral"
>         NAS-IP-Address = 10.1.5.26
>         Called-Station-Id = "0016014d9158"
>         Calling-Station-Id = "0019e3034ceb"
>         NAS-Identifier = "0016014d9158"
>         NAS-Port = 36
>         Framed-MTU = 1400
>         State = 0x3d946123f5f422f576bed1eb52863e55
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message =
> 0x0202005019800000004616030100410100003d030146139aedbfdec7d57168bf7fdbe984cfd19f5d1e7c13ee839e4b0a55d34aa86600001600040005000a000900640062000300060013001200630100 
>         Message-Authenticator = 0x3efce19c566f372e8744589f65d58401
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section
> of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize
> for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from preprocess (rlm_preprocess) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "preprocess" returns ok for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> mschap (rlm_mschap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from mschap (rlm_mschap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "mschap" returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> suffix (rlm_realm) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No '@' in User-Name =
> "testgeneral", looking up realm NULL
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No such realm "NULL"
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from suffix (rlm_realm) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "suffix" returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response
> id 2 length 80
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming
> it's an on-going EAP conversation
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap"
> returns updated for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> files (rlm_files) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:     users: Matched entry testgeneral
> at line 216
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from files (rlm_files) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files"
> returns ok for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "etc_smbpasswd" returns notfound for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap
> (rlm_pap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type,
> not changing it.
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from pap (rlm_pap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap"
> returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize
> (returns updated) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found
> Auth-Type EAP
> Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate
> section of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate
> for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling
> eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released
> from the list
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls:  Length Included
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 11
> Wed Apr  4 14:32:48 2007 : Debug:     (other): before/accept
> initialization
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: before/accept
> initialization
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake
> [length 0041], ClientHello
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 read client
> hello A
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake
> [length 004a], ServerHello
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write server
> hello A
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake
> [length 038f], Certificate
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write
> certificate A
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake
> [length 0004], ServerHelloDone
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write server
> done A
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 flush data
> Wed Apr  4 14:32:48 2007 : Error:     TLS_accept:error in SSLv3 read
> client certificate A
> Wed Apr  4 14:32:48 2007 : Error: rlm_eap: SSL error
> error:00000000:lib(0):func(0):reason(0)
> Wed Apr  4 14:32:48 2007 : Debug: In SSL Handshake Phase
> Wed Apr  4 14:32:48 2007 : Debug: In SSL Accept mode
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_process returned 13
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: returned
> from eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authenticate]: module
> "eap" returns handled for request 74
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authenticate
> (returns handled) for request 74
> Sending Access-Challenge of id 0 to 10.1.5.26 port 2048
>         EAP-Message =
> 0x010303f21900160301004a02000046030146139af0c3e704b47f4b6b436a8b07d916c60b21a951af6c2918a39cadca6aa22013971c62e79c9f9f6e232f6d035b7705438843f46c8e38f788750500db6621bf000400160301038f0b00038b00038800038530820381308202eaa003020102020900e8e427c494215d09300d06092a864886f70d0101050500308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a86 
>         EAP-Message =
> 0x4886f70d010901161061646d696e406d70692d6362672e6465301e170d3037303332343131313731395a170d3130303332333131313731395a308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a864886f70d010901161061646d696e406d70692d6362672e646530819f300d06092a864886f70d010101050003818d0030818902818100ac1158639bcdf711751f54bdf25c666d6f3a532967a7cba624a5167b 
>         EAP-Message =
> 0xfb5c89d5a3f9d86fe9a7a2b0899925a4373725bed9eb20d41f05019541ee096201bb57b8f01646ac62884f36d54ea32620a11c760e769ace49d8d7dc42b3ba35c6d410b2fddbc2d689536f66646e94f594b516cb5b312f96f562529bcd7015540fd2be7d0203010001a381f03081ed301d0603551d0e041604141acd4d6d72dc026df7d0a5e77ea636e2c9bcfd4f3081bd0603551d230481b53081b280141acd4d6d72dc026df7d0a5e77ea636e2c9bcfd4fa1818ea4818b308188310b30090603550406130244453110300e060355040813075361636873656e3110300e060355040713074472657364656e3110300e060355040a13074d50492d4342 
>         EAP-Message =
> 0x473111300f060355040b1308436f6d7075746572310f300d06035504031306736572766572311f301d06092a864886f70d010901161061646d696e406d70692d6362672e6465820900e8e427c494215d09300c0603551d13040530030101ff300d06092a864886f70d0101050500038181009e5e89fa8a5e26ce9710bfde499a2b36d412f5acff40b544eec4839a67b768e6a778a5b8d54c8ad8b3ec8f438e96e0740103cbdb3e64c751e722e2c3538dccac3a993b94824ba4e48ba40ebc5c7b37c5c6048616f3b10d7f3d4b23cd84cd1e3e4b318e75d4fcd637ee1b5f263cd4adb006a80f62639825f6fb1a284e254a89be16030100040e000000 
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x4e138cc588a831123b8c899c1e03c4fc
> Wed Apr  4 14:32:48 2007 : Debug: Finished request 74
> Wed Apr  4 14:32:48 2007 : Debug: Going to the next request
> Wed Apr  4 14:32:48 2007 : Debug: rl_next:  returning NULL
> Wed Apr  4 14:32:48 2007 : Debug: Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.1.5.26:2048, id=0, length=143 
>         User-Name = "testgeneral"
>         NAS-IP-Address = 10.1.5.26
>         Called-Station-Id = "0016014d9158"
>         Calling-Station-Id = "0019e3034ceb"
>         NAS-Identifier = "0016014d9158"
>         NAS-Port = 36
>         Framed-MTU = 1400
>         State = 0x4e138cc588a831123b8c899c1e03c4fc
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020300061900
>         Message-Authenticator = 0xf89ebcfef5ea8e2a15b9fc63884890df
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section
> of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize
> for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> preprocess (rlm_preprocess) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from preprocess (rlm_preprocess) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "preprocess" returns ok for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> mschap (rlm_mschap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from mschap (rlm_mschap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "mschap" returns noop for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> suffix (rlm_realm) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No '@' in User-Name =
> "testgeneral", looking up realm NULL
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No such realm "NULL"
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from suffix (rlm_realm) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "suffix" returns noop for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap
> (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response
> id 3 length 6
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming
> it's an on-going EAP conversation
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from eap (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap"
> returns updated for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> files (rlm_files) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:     users: Matched entry testgeneral
> at line 216
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from files (rlm_files) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files"
> returns ok for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling
> etc_smbpasswd (rlm_passwd) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from etc_smbpasswd (rlm_passwd) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module
> "etc_smbpasswd" returns notfound for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap
> (rlm_pap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type,
> not changing it.
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned
> from pap (rlm_pap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap"
> returns noop for request 75
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize
> (returns updated) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found
> Auth-Type EAP
> Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate
> section of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate
> for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling
> eap (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released
> from the list
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK
> message
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: ack handshake
> fragment handler
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 1
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_process returned 13
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: returned
> from eap (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authenticate]: module
> "eap" returns handled for request 75
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authenticate
> (returns handled) for request 75
>
> > ================================================== 
>
> Benjamin K. Eshun
>
>
> Découvrez une nouvelle façon d'obtenir des réponses à toutes vos
> questions ! Profitez des connaissances, des opinions et des
> expériences des internautes sur Yahoo! Questions/Réponses
> <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com>.
> ------------------------------------------------------------------------
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 
Your sever side certificate needs to have special OIDS, which the peap
section of the eap.conf file warns you about. Windows will check that
these OIDS are present in the certificate sent from the server, if they
are not it will fail silently.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html 


------------------------------------------------------------------------
Découvrez une nouvelle façon d'obtenir des réponses à toutes vos questions ! Profitez des connaissances, des opinions et des expériences des internautes sur Yahoo! Questions/Réponses <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com>. 
Ok, your trying to do EAP-TLS ?

Looks like the client side is ok.
Wed Apr 4 21:33:09 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) 
Wed Apr  4 21:33:09 2007 : Debug: SSL Connection Established
I don't think that error is actually an error, note the lack of an error location ... But could someone please confirm this ...
Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_peap: Session established. Decoding tunneled attributes. Wed Apr 4 21:21:48 2007 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied Wed Apr 4 21:21:48 2007 : Error: TLS Alert read:fatal:access denied 
Wed Apr  4 21:21:48 2007 : Info: rlm_eap_peap: No data inside of the tunnel.
This however is an error. This would be where windows is rejecting the server side certificate and so TLS negotiation is failing.
I'm currently in the same situation, trying to generate a certificate with openssl containing the correct OID (object identifier) .
According to the microsoft support article (http://support.microsoft.com/kb/814394/en-us)
"The IAS or the VPN server computer certificate is configured with the Server Authentication purpose. The object identifier for Server Authentication is 1.3.6.1.5.5.7.3.1."
But I have no idea how to add it to the certificate, if you find out please let me know :) 

Thanks,
Arran
This archive was generated by a fusion of Pipermail (Mailman edition) and MHonArc.