TLS fatal access_denied
Sergio Belkin
sebelk at gmail.com
Thu Oct 11 22:23:13 CEST 2007
Hi I am using eap-ttls and when I try to connect from Windows XP the
ouput in radius server iis as follows:
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1031, id=55, length=113
User-Name = "test"
Calling-Station-Id = "00-0e-35-bf-51-18"
EAP-Message = 0x020200060319
Framed-MTU = 1287
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x496c1c12e0905d753f98f90dc4b0c2b2
Message-Authenticator = 0x11ec47975956d7defc19bff62d79430e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 26
modcall[authorize]: module "preprocess" returns ok for request 26
modcall[authorize]: module "chap" returns noop for request 26
modcall[authorize]: module "mschap" returns noop for request 26
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 26
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 26
users: Matched entry test at line 62
modcall[authorize]: module "files" returns ok for request 26
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 26
modcall: leaving group authorize (returns updated) for request 26
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 26
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 26
modcall: leaving group authenticate (returns handled) for request 26
Sending Access-Challenge of id 55 to 10.30.1.151 port 1031
Reply-Message = "Hola test"
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xea0d4efbb9ef49d8de3c3f6d3ebc1769
Finished request 26
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1031, id=56, length=187
User-Name = "test"
Calling-Station-Id = "00-0e-35-bf-51-18"
EAP-Message =
0x0203005019800000004616030100410100003d0301470fd5afa0768f1bf04970318849fc7a7839fb43ed9ed9cfe0317b2564ef140200001600040005000a000900640062000300060013001200630100
Framed-MTU = 1287
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0xea0d4efbb9ef49d8de3c3f6d3ebc1769
Message-Authenticator = 0x123ab7c62b0dcf0192516c84f15ed8a5
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 27
modcall[authorize]: module "preprocess" returns ok for request 27
modcall[authorize]: module "chap" returns noop for request 27
modcall[authorize]: module "mschap" returns noop for request 27
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 27
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 27
users: Matched entry test at line 62
modcall[authorize]: module "files" returns ok for request 27
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 27
modcall: leaving group authorize (returns updated) for request 27
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 27
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0516], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 27
modcall: leaving group authenticate (returns handled) for request 27
Sending Access-Challenge of id 56 to 10.30.1.151 port 1031
Reply-Message = "Hola test"
EAP-Message =
0x0104040a19c000000573160301004a020000460301470e8458d181472ae6cb4c0cfd0aec460eabff70cefd31a7148291ed16b1d08720d5575fe66c35bfc84e095a83aa4e3a30c0134dc29308b7af2417fd43f32a0a9900040016030105160b00051200050f00050c30820508308203f0a003020102020109300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06
EAP-Message =
0x035504031315436572746966696361746520417574686f72697479301e170d3037303130343230303132325a170d3131303130333230303132325a30818d310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311d301b06035504031314737065637472756d2e70616c65726d6f2e65647530820122300d06092a864886f70d01010105000382010f003082010a02820101009fb7de37d68086cd8ddaccf857dc922a55
EAP-Message =
0x69d7105ec847db6bbe727aea4e583562dbc26949b48ef40cb17c256cf16ed6f6c3f5a605300ecc9329eaaee6e885a29d0078a07f3e436bed28c75db21f09f5ea85e6e8f65d00082ca44e7778f490ef7bbec2c6180d537dae3efec79ad3729a2410969902b3a92912e41e18294937c985e87c3f3504b039d84af22c0ab958a2104d41a299fcf28ee2c400ebc2d3b4e4071d697e2454b05e9145f3b87b806b50f4cd0efb13039c33ed3829cbf25f9af6a1a9537aa97ed42882694511cfc27014a7ce9d36cfdb93a0f68af3662823b2d70dbedd445b15f5e07444fc105e4a257548cce119b14166b663b4f68245c1191f0203010001a382016e3082016a30
EAP-Message =
0x090603551d1304023000301106096086480186f8420101040403020640300b0603551d0f0404030205e0302c06096086480186f842010d041f161d50616c65726d6f2047656e657261746564204365727469666963617465301d0603551d0e0416041424fcec6f0e868f46fc8e3d117be23c01307355203081bb0603551d230481b33081b08014fd77533bb6a66d1e3b48bfb5d21501d829ddf469a18194a4819130818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d65
EAP-Message = 0x6e746f20646520436f6d756e69636163696f6e657331
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xfed980e3ba92486eab6d27db87544c2d
Finished request 27
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1031, id=57, length=113
User-Name = "test"
Calling-Station-Id = "00-0e-35-bf-51-18"
EAP-Message = 0x020400061900
Framed-MTU = 1287
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0xfed980e3ba92486eab6d27db87544c2d
Message-Authenticator = 0x5915220b581acc2913bea0a58a74cc9e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 28
modcall[authorize]: module "preprocess" returns ok for request 28
modcall[authorize]: module "chap" returns noop for request 28
modcall[authorize]: module "mschap" returns noop for request 28
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 28
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 28
users: Matched entry test at line 62
modcall[authorize]: module "files" returns ok for request 28
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 28
modcall: leaving group authorize (returns updated) for request 28
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 28
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 28
modcall: leaving group authenticate (returns handled) for request 28
Sending Access-Challenge of id 57 to 10.30.1.151 port 1031
Reply-Message = "Hola test"
EAP-Message =
0x0105017919001e301c06035504031315436572746966696361746520417574686f72697479820101303206096086480186f84201040425162368747470733a2f2f777777732e70616c65726d6f2e6564752f63612f63726c2e70656d300d06092a864886f70d01010405000382010100b2f0e85d815bfc024ef1b5269faa0a99de6bcbd537ab0f36e2bbf79afa4d1d958901c0a6df5fda13dd248cc05421f38b3aa82aede606a05ab6808ea86c631ce3d6a91fc2d3a2d956671c5014adc013c264e18e7fef1b82fa8f5e965b5f112888b10f416d4ce35a37bea4486d9f2060a5c541421d2ca1d0546423ad507ad67219a2f5a3459719204113de574dc7
EAP-Message =
0x1a1e154877647e7d5110a038d05249277e7db298b4f5929ae3075bcb26a2de63d0fcb0bb09d93909e8ed2cc4bec19e499b5891750feb425d1f9dbafb9fcae681a02b0d683e72bfd0bd27c5abbf893cb51802f952165410eeb912f334863f020c800f061227a39529cf7c65bb81ae508610ca7b16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x93350c01179beee7339c64d8cb40746f
Finished request 28
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1031, id=58, length=429
User-Name = "test"
Calling-Station-Id = "00-0e-35-bf-51-18"
EAP-Message =
0x0205014019800000013616030101061000010201004f6f2b51d96df9fbce202c27dd64b32fe239c2a7b872b49ecf206faa1fb11ae27d604a3092aa39bccf5f27bdabaf03cf119a217884a1b1611d8251a084dbe9a0e3968f17de1e27aa49398f5e5f10990c64be22a7d770e16e0682ab0e17092e1670c19fa1cba57d818c5f2da5af546eafec6d8d1852763970120e3ad1fc5df15e55fc6e086384280137f2208411f01816d81f4042a954efd8355e9f0ee89cd174e3d00438e89589b9bdf10d4a5851c51c738a5489a47ee5bcf3664f79b67a64949ef50dcfc382917654f1c6da2faa96e8b3d91212a589f65a7f4cc7c6d06b06604af7de927d28f6d4
EAP-Message =
0xd9ac56a2752efc9126c03a21226807ea7faa601a37a3c56a1403010001011603010020f8b221aeffd0aa7bcad9675b55a4d07cdc6c363cd9a5b4a10da12349cd425557
Framed-MTU = 1287
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x93350c01179beee7339c64d8cb40746f
Message-Authenticator = 0x4469eb9d0d17398edd90a2e638bf0b99
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 29
modcall[authorize]: module "preprocess" returns ok for request 29
modcall[authorize]: module "chap" returns noop for request 29
modcall[authorize]: module "mschap" returns noop for request 29
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 29
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 29
users: Matched entry test at line 62
modcall[authorize]: module "files" returns ok for request 29
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 29
modcall: leaving group authorize (returns updated) for request 29
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 29
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 29
modcall: leaving group authenticate (returns handled) for request 29
Sending Access-Challenge of id 58 to 10.30.1.151 port 1031
Reply-Message = "Hola test"
EAP-Message =
0x01060031190014030100010116030100209b2cb1197db813a76c4e9ba9e135b4ae047a186da5890006b757c6f3f387f10c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xad86ab92847abf65daa2c4174fcaa327
Finished request 29
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 10.30.1.151:1031, id=59, length=140
User-Name = "test"
Calling-Station-Id = "00-0e-35-bf-51-18"
EAP-Message =
0x0206002119800000001715030100121e4a51c221fd4fcdf3d307619f1676963db5
Framed-MTU = 1287
NAS-IP-Address = 192.168.1.1
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0xad86ab92847abf65daa2c4174fcaa327
Message-Authenticator = 0x4a9ed2d5270ef65cd5444a241c322946
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 30
modcall[authorize]: module "preprocess" returns ok for request 30
modcall[authorize]: module "chap" returns noop for request 30
modcall[authorize]: module "mschap" returns noop for request 30
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 30
rlm_eap: EAP packet type response id 6 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 30
users: Matched entry test at line 62
modcall[authorize]: module "files" returns ok for request 30
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 30
modcall: leaving group authorize (returns updated) for request 30
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 30
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 30
modcall: leaving group authenticate (returns invalid) for request 30
auth: Failed to validate the user.
Delaying request 30 for 1 seconds
Finished request 30
Going to the next request
Waking up in 3 seconds...
Why can this happen?
Thanks in advance!
--
--
Sergio Belkin -
More information about the Freeradius-Users
mailing list