eap-ttls + windows xp

Sergio Belkin sebelk at gmail.com
Mon Sep 24 21:42:58 CEST 2007


Hi community, I can't get Windows XP authenticate successfully against
freeradius 1.1.7   :(


I've created certificates with xpextensions in the same directory of
openssl.cnf (issuing openssl ca -config ./openssl.cnf -policy
policy_anything -out certificado_de_radius.pem -extensions
xpserver_ext -extfile ./xpextensions -infiles ./pedido_para_radius.pem
)

Erros when I run radiusd -X are as follow:
# 16:19:54.187160 IP ap.palermo.edu.1030 > lala.palermo.edu.radius:
RADIUS, Access Request (1), id: 0x45 length: 98
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=69, length=98
        User-Name = "test"
        Calling-Station-Id = "00-0e-35-bf-51-18"
        EAP-Message = 0x020100090174657374
        Framed-MTU = 1287
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        Message-Authenticator = 0x620d0175629a6cde560f4ee4c40c7fe5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 1 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry test at line 51
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 69 to 10.30.1.151 port 1030
        EAP-Message =
0x0102001e1a01020019107c04d9d5a09c09a2ade61f9c65b3593d74657374
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0feb13a7c16734b7c9258d34abe8af07
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
16:19:54.188014 IP lala.palermo.edu.radius > ap.palermo.edu.1030:
RADIUS, Access Challenge (11), id: 0x45 length: 88
16:19:54.232380 IP ap.palermo.edu.1030 > lala.palermo.edu.radius:
RADIUS, Access Request (1), id: 0x46 length: 113
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=70, length=113
        User-Name = "test"
        Calling-Station-Id = "00-0e-35-bf-51-18"
        EAP-Message = 0x020200060319
        Framed-MTU = 1287
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        State = 0x0feb13a7c16734b7c9258d34abe8af07
        Message-Authenticator = 0x18453d73e2119833997ee07ed1d83aa7
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry test at line 51
  modcall[authorize]: module "files" returns ok for request 5
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 70 to 10.30.1.151 port 1030
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x743e763892ef8def88c122b86125a743
Finished request 5
Going to the next request
Waking up in 6 seconds...
16:19:54.233408 IP lala.palermo.edu.radius > ap.palermo.edu.1030:
RADIUS, Access Challenge (11), id: 0x46 length: 64
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=71, length=187
16:19:54.324947 IP ap.palermo.edu.1030 > lala.palermo.edu.radius:
RADIUS, Access Request (1), id: 0x47 length: 187
        User-Name = "test"
        Calling-Station-Id = "00-0e-35-bf-51-18"
        EAP-Message =
0x0203005019800000004616030100410100003d030146f80d12c6043152d3de3a08135866564c49fe73417ce122ccbe8d9b841da19c00001600040005000a000900640062000300060013001200630100
        Framed-MTU = 1287
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        State = 0x743e763892ef8def88c122b86125a743
        Message-Authenticator = 0x01f489f169371e82546775c351b6c21d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 3 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched entry test at line 51
  modcall[authorize]: module "files" returns ok for request 6
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 71 to 10.30.1.151 port 1030
        EAP-Message =
0x010403861900160301004a02000046030146f80dda01273cf23c3155d8651f4c9e4b992c110437bd78225c7bc1c7b051cc202355ad2eec597b02d357bc65942cab8f7f3f4558390a5c76d4165e160e0fdd2c00040016030103230b00031f00031c000319308203153082027ea003020102020101300d06092a864886f70d01010405003081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f06
        EAP-Message =
0x0355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932343133343430355a170d3038303932333133343430355a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e6574311930170603550403
        EAP-Message =
0x13106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100a3b26b1be6a56057e2eeb5ee11b6b878b968c41e3855d54fe5c8f7afbc804387b4fc7b584cc984bdb53ade60ef5155d5b817db502c0f7795a5d704acfa1edb10d5437183f324bb8b81e7d63a303988475823ab74ff680830fe76c1e6a3bda7ec8627ada0cb544dffaaa11d28cf09972692a1850d91631ff4389da7a09ba1a8c50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104
        EAP-Message =
0x050003818100dad5fef98af08eb802758d21bf9ac7f88972046fecf811c351d4eae41278fe21f57147628dcc3b01590225fd0b9d5259b9f33a620c353532eebbef62cd6bea03498eed6a1fbf211484a9d46105dfe8eaf2d7ad59ff246a3178d03c15fbbfd12696e18df18d9bc259f9716eecb8f7cf6445f903b448cbdcd723ded1bd6dcf28fb16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd07fd57f7a01313819fd813c13a3828a
Finished request 6
Going to the next request
Waking up in 6 seconds...
16:19:54.326376 IP lala.palermo.edu.radius > ap.palermo.edu.1030:
RADIUS, Access Challenge (11), id: 0x47 length: 966
16:19:54.384285 IP ap.palermo.edu.1030 > lala.palermo.edu.radius:
RADIUS, Access Request (1), id: 0x48 length: 113
rad_recv: Access-Request packet from host 10.30.1.151:1030, id=72, length=113
        User-Name = "test"
        Calling-Station-Id = "00-0e-35-bf-51-18"
        EAP-Message = 0x020400061900
        Framed-MTU = 1287
        NAS-IP-Address = 192.168.1.1
        NAS-Port = 0
        NAS-Port-Type = Wireless-802.11
        State = 0xd07fd57f7a01313819fd813c13a3828a
        Message-Authenticator = 0x81c246f538666a85e685033433d8692d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
  modcall[authorize]: module "preprocess" returns ok for request 7
  modcall[authorize]: module "chap" returns noop for request 7
  modcall[authorize]: module "mschap" returns noop for request 7
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 7
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 7
    users: Matched entry test at line 51
  modcall[authorize]: module "files" returns ok for request 7
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 7
modcall: leaving group authorize (returns updated) for request 7
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 72 to 10.30.1.151 port 1030
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xe1d2cf562457c1deb151bda70947e97d
Finished request 7
Going to the next request
Waking up in 6 seconds...
16:19:54.385346 IP lala.palermo.edu.radius > ap.palermo.edu.1030:
RADIUS, Access Challenge (11), id: 0x48 length: 64
--- Walking the entire request list ---
Cleaning up request 4 ID 69 with timestamp 46f80dda
Cleaning up request 5 ID 70 with timestamp 46f80dda
Cleaning up request 6 ID 71 with timestamp 46f80dda
Cleaning up request 7 ID 72 with timestamp 46f80dda
Nothing to do.  Sleeping until we see a request.



-------------------
radiusd.conf:
-------------------
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions	= yes
extended_expressions	= yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
	max_attributes = 200
	reject_delay = 1
	status_server = no
}
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp	= no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}
modules {
	pap {
		auto_header = yes
	}
	chap {
		authtype = CHAP
	}
	pam {
		pam_auth = radiusd
	}
	unix {
		cache = no
		cache_reload = 600
		radwtmp = ${logdir}/radwtmp
	}
$INCLUDE ${confdir}/eap.conf
	mschap {
	}
	ldap {
		server = "ldap.your.domain"
		basedn = "o=My Org,c=UA"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
		start_tls = no
		access_attr = "dialupAccess"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		ldap_connections_number = 5
		edir_account_policy_check=no
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
	realm IPASS {
		format = prefix
		delimiter = "/"
		ignore_default = no
		ignore_null = no
	}
	realm suffix {
		format = suffix
		delimiter = "@"
		ignore_default = no
		ignore_null = no
	}
	realm realmpercent {
		format = suffix
		delimiter = "%"
		ignore_default = no
		ignore_null = no
	}
	realm ntdomain {
		format = prefix
		delimiter = "\\"
		ignore_default = no
		ignore_null = no
	}	
	checkval {
		item-name = Calling-Station-Id
		check-name = Calling-Station-Id
		data-type = string
	}
	
	preprocess {
		huntgroups = ${confdir}/huntgroups
		hints = ${confdir}/hints
		with_ascend_hack = no
		ascend_channels_per_line = 23
		with_ntdomain_hack = no
		with_specialix_jetstream_hack = no
		with_cisco_vsa_hack = no
	}
	files {
		usersfile = ${confdir}/users
		acctusersfile = ${confdir}/acct_users
		preproxy_usersfile = ${confdir}/preproxy_users
		compat = no
	}
	detail {
		detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
		detailperm = 0600
	}
	acct_unique {
		key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
	}
	$INCLUDE  ${confdir}/sql.conf
	
	radutmp {
		filename = ${logdir}/radutmp
		username = %{User-Name}
		case_sensitive = yes
		check_with_nas = yes		
		perm = 0600
		callerid = "yes"
	}
	radutmp sradutmp {
		filename = ${logdir}/sradutmp
		perm = 0644
		callerid = "no"
	}
	attr_filter {
		attrsfile = ${confdir}/attrs
	}
	counter daily {
		filename = ${raddbdir}/db.daily
		key = User-Name
		count-attribute = Acct-Session-Time
		reset = daily
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		allowed-servicetype = Framed-User
		cache-size = 5000
	}
	sqlcounter dailycounter {
		counter-name = Daily-Session-Time
		check-name = Max-Daily-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = daily
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	sqlcounter monthlycounter {
		counter-name = Monthly-Session-Time
		check-name = Max-Monthly-Session
		reply-name = Session-Timeout
		sqlmod-inst = sql
		key = User-Name
		reset = monthly
		query = "SELECT SUM(AcctSessionTime - \
                 GREATEST((%b - UNIX_TIMESTAMP(AcctStartTime)), 0)) \
                 FROM radacct WHERE UserName='%{%k}' AND \
                 UNIX_TIMESTAMP(AcctStartTime) + AcctSessionTime > '%b'"
	}
	always fail {
		rcode = fail
	}
	always reject {
		rcode = reject
	}
	always ok {
		rcode = ok
		simulcount = 0
		mpp = no
	}
	expr {
	}
	digest {
	}
	exec {
		wait = yes
		input_pairs = request
	}
	exec echo {
		wait = yes
		program = "/bin/echo %{User-Name}"
		input_pairs = request
		output_pairs = reply
	}
	ippool main_pool {
		range-start = 192.168.1.1
		range-stop = 192.168.3.254
		netmask = 255.255.255.0
		cache-size = 800
		session-db = ${raddbdir}/db.ippool
		ip-index = ${raddbdir}/db.ipindex
		override = no
		maximum-timeout = 0
	}
}
instantiate {
	exec
	expr
}
authorize {
	preprocess
	
	chap
	mschap
	suffix
	eap
	files
	pap
}
authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	Auth-Type MS-CHAP {
		mschap
	}
	unix
	eap
}
preacct {
	preprocess
	acct_unique
	suffix
	files
}
accounting {
	detail
	unix
	radutmp
}
session {
	radutmp
}
post-auth {
}
pre-proxy {
}
post-proxy {
	eap
}

-----------
users
-----------
"test"            User-Password == "test123"
DEFAULT Auth-Type = System
        Fall-Through = 1
DEFAULT Service-Type == Framed-User
        Framed-IP-Address = 255.255.255.254,
        Framed-MTU = 576,
        Service-Type = Framed-User,
        Fall-Through = Yes
DEFAULT Framed-Protocol == PPP
        Framed-Protocol = PPP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "CSLIP"
        Framed-Protocol = SLIP,
        Framed-Compression = Van-Jacobson-TCP-IP
DEFAULT Hint == "SLIP"
        Framed-Protocol = SLIP
-----------------
clients.conf
----------------

client 127.0.0.1 {
        secret          = testing123
        shortname       = localhost
}
client 10.30.1.100 {
        secret          = qwerty123
        shortname       = lala
}
client 10.30.1.151 {
        secret          = qwerty123
        shortname       = ap
}

Please, could you help me a bit, is something wrong in these files???

Thanks in advance
-- 
--
Sergio Belkin -



More information about the Freeradius-Users mailing list