Need help with an EAP-TTLS problem on Marvell 8686 wpa_supplicant

Raghavendra. S raghavendra.akkasali at gmail.com
Mon Dec 3 14:59:23 CET 2007


Hi,

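  The RADIUS debug log (radiusd -X output) follows. Note that it prints the client shared secrets and the TLS private-key password in clear text.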

root at ims-wifi-server:/usr/local/radius/sbin# ./runradius.sh
+ export LD_LIBRARY_PATH=/usr/local/openssl/lib/
+ ./radiusd -X -y -z -A -f -i 10.89.49.12
Starting - reading configuration files ...
read_config_files:  reading dictionary
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
Config:   including file: /usr/local/radius/etc/raddb/eap.conf
Config:   including file: /usr/local/radius/etc/raddb/sql.conf
 main: prefix = "/usr/local/radius"
 main: localstatedir = "/usr/local/radius/var"
 main: logdir = "/usr/local/radius/var/log/radius"
 main: libdir = "/usr/local/radius/lib"
 main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/radius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
 main: checkrad = "/usr/local/radius/sbin/checkrad"
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = "daemon"
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading realms
 main: port = 1812
 client: secret = "testing123"
 client: shortname = "localhost"
 client: nastype = "other"
 client: secret = "raghu123456"
 client: shortname = "linksys"
 client: secret = "raghu123456"
 client: shortname = "3com"
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded exec
 exec: wait = yes
 exec: input_pairs = "request"
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded expiration
 expiration: reply-message = "Password Has Expired  "
Module: Instantiated expiration (expiration)
Module: Loaded logintime
 logintime: reply-message = "You are calling outside your allowed timespan
"
 logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime)
Module: Loaded PAP
 pap: encryption_scheme = "auto"
 pap: auto_header = no
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/certs/cert-srv.pem"
 tls: certificate_file = "/etc/certs/cert-srv.pem"
 tls: CA_file = "/etc/certs/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/etc/certs/dh"
 tls: random_file = "/etc/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/radius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/radius/etc/raddb/users"
 files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile =
"/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: header = "%t"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Initializing the thread pool...
Listening on authentication address 10.89.49.12 port 1812
Listening on accounting address 10.89.49.12 port 1813
Listening on proxy address 10.89.49.12 port 1814
Ready to process requests.
Nothing to do.  Sleeping until we see a request.










rad_recv: Access-Request packet from host 10.89.49.1 port 1058, id=0,
length=176
        Message-Authenticator = 0xef3923bcefa2778f4a84e3c6834b6b9d
        Service-Type = Framed-User
        User-Name = "jbibe"
        Framed-MTU = 1488
        Called-Station-Id = "00-0F-CB-FE-2F-5F:3Com"
        Calling-Station-Id = "00-13-E0-9E-9B-2E"
        NAS-Identifier = "AP11G"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000a016a62696265
        NAS-IP-Address = 10.89.49.1
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
  modcall[authorize]: module "unix" returns notfound for request 0
    rlm_realm: No '@' in User-Name = "jbibe", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry jbibe at line 93
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "expiration" returns noop for request 0
  modcall[authorize]: module "logintime" returns noop for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 10.89.49.1 port 1058
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb57b1868cae7102fc5220c50fcd079e9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.89.49.1 port 1060, id=0,
length=176
        Message-Authenticator = 0x3782e8f02c8699a3c42aca3f7ca282bd
        Service-Type = Framed-User
        User-Name = "jbibe"
        Framed-MTU = 1488
        Called-Station-Id = "00-0F-CB-FE-2F-5F:3Com"
        Calling-Station-Id = "00-13-E0-9E-9B-2E"
        NAS-Identifier = "AP11G"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000a016a62696265
        NAS-IP-Address = 10.89.49.1
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
  modcall[authorize]: module "unix" returns notfound for request 1
    rlm_realm: No '@' in User-Name = "jbibe", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 0 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry jbibe at line 93
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "expiration" returns noop for request 1
  modcall[authorize]: module "logintime" returns noop for request 1
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 0 to 10.89.49.1 port 1060
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x28269413248e97f17932076accdf7bf9
Finished request 1
Going to the next request
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 4753fbf2
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.89.49.1 port 1060, id=1,
length=292
        Message-Authenticator = 0x40a2937466327040c8dff7c302dfb2a1
        Service-Type = Framed-User
        User-Name = "jbibe"
        Framed-MTU = 1488
        State = 0x28269413248e97f17932076accdf7bf9
        Called-Station-Id = "00-0F-CB-FE-2F-5F:3Com"
        Calling-Station-Id = "00-13-E0-9E-9B-2E"
        NAS-Identifier = "AP11G"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message =
0x0201006c150016030100610100005d0301475479af4fa14e56d54409683378930066355256926f9f730c13464cdc9d335900003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
        NAS-IP-Address = 10.89.49.1
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
  modcall[authorize]: module "unix" returns notfound for request 2
    rlm_realm: No '@' in User-Name = "jbibe", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 1 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry jbibe at line 93
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "expiration" returns noop for request 2
  modcall[authorize]: module "logintime" returns noop for request 2
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 02af], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 1 to 10.89.49.1 port 1060
        EAP-Message =
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
        EAP-Message =
0x86f70d010901160e6f686240636d636173742e6e6574301e170d3037313132373130333431375a170d3038313132363130333431375a308189310b3009060355040613025553311230100603550408130954656e6e657373656531123010060355040713094272656e74776f6f64310f300d060355040a130648656c61766131143012060355040b130b456e67696e656572696e67310c300a06035504031303484149311d301b06092a864886f70d010901160e6f686240636d636173742e6e657430819f300d06092a864886f70d010101050003818d0030818902818100c66bf62517d85f1a2a4da99c4ba13ac476f36f4f0081558281456bb5d393
        EAP-Message =
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
        EAP-Message =
0x9fceedd9ecd8527a3a0eb778073cd4822e39c202083916030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc1445c5677d1b2e404d7b7a50a056150
Finished request 2
Going to the next request
Waking up in 5 seconds...



On 12/3/07, tnt at kalik.co.yu <tnt at kalik.co.yu> wrote:
>
> 1. That's normal. You don't have a client certificate in TTLS. Ignore
> it.
>
> 2. Attach the debug output from radiusd -X.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Regards & Thanks
Raghavendra. S

