wpa_supplicant(eapol_test) with freeradius: error coming in TLS

Sergio Yébenes Moreno sergioyebenes at alumnos.upm.es
Thu Jul 10 17:12:57 CEST 2008


Gaurav Kansal wrote:
>
> Hi
>
>  
>
> I am trying to use EAP-TLS between wpa_supplicant and freeradius. I 
> created the certificates (ca/server/client) as mentioned in 
> freeradius-server-2.0.5/raddb/certs/README. In 
> freeradius-server-2.0.5/raddb/users, following line is added at end: 
> testuser Cleartext-Password := "password"
>
>  
>
> On wpa_supplicant-0.5.10, created eapol_test.conf.tls with following 
> contents:
>
> network={
>
> eap=TLS
>
> eapol_flags=0
>
> key_mgmt=IEEE8021X
>
> identity="testuser"
>
> ca_cert="/usr/local/etc/raddb/certs/ca.pem"
>
> client_cert="/usr/local/etc/raddb/certs/testuser@example.com.pem"
>
> private_key="/usr/local/etc/raddb/certs/client.key"
>
> private_key_passwd="whatever"
>
> }
>
> Executed wpa_supplicant (eapol_test) with following command 
> (wpa_supplicant side logs are after radius logs at end):
>
> eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1
>
>  
>
> On executing /usr/local/sbin/radiusd -X, I get following log and error 
> too:
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, 
> length=124
>
>         User-Name = "testuser"
>
>         NAS-IP-Address = 127.0.0.1
>
>         Calling-Station-Id = "02-00-00-00-00-01"
>
>         Framed-MTU = 1400
>
>         NAS-Port-Type = Wireless-802.11
>
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>
>         EAP-Message = 0x0200000d017465737475736572
>
>         Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
>
> +- entering group authorize
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>
>     rlm_realm: No such realm "NULL"
>
> ++[suffix] returns noop
>
>   rlm_eap: EAP packet type response id 0 length 13
>
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> ++[eap] returns updated
>
> ++[unix] returns updated
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> rlm_pap: Found existing Auth-Type, not changing it.
>
> ++[pap] returns noop
>
>   rad_check_password:  Found Auth-Type EAP
>
> auth: type "EAP"
>
> +- entering group authenticate
>
>   rlm_eap: EAP Identity
>
>   rlm_eap: processing type md5
>
> rlm_eap_md5: Issuing Challenge
>
> ++[eap] returns handled
>
> Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
>
>         EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
>
>         Message-Authenticator = 0x00000000000000000000000000000000
>
>         State = 0x267673582677771a69809cb3876d58ea
>
> Finished request 0.
>
> Going to the next request
>
> Waking up in 4.9 seconds.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, 
> length=135
>
>         User-Name = "testuser"
>
>         NAS-IP-Address = 127.0.0.1
>
>         Calling-Station-Id = "02-00-00-00-00-01"
>
>         Framed-MTU = 1400
>
>         NAS-Port-Type = Wireless-802.11
>
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>
>         EAP-Message = 0x02010006030d
>
>         State = 0x267673582677771a69809cb3876d58ea
>
>         Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
>
> +- entering group authorize
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>
>     rlm_realm: No such realm "NULL"
>
> ++[suffix] returns noop
>
>   rlm_eap: EAP packet type response id 1 length 6
>
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> ++[eap] returns updated
>
> ++[unix] returns updated
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> rlm_pap: Found existing Auth-Type, not changing it.
>
> ++[pap] returns noop
>
>   rad_check_password:  Found Auth-Type EAP
>
> auth: type "EAP"
>
> +- entering group authenticate
>
>   rlm_eap: Request found, released from the list
>
>   rlm_eap: EAP NAK
>
>  rlm_eap: EAP-NAK asked for EAP-Type/tls
>
>   rlm_eap: processing type tls
>
>  rlm_eap_tls: Requiring client certificate
>
>   rlm_eap_tls: Initiate
>
>   rlm_eap_tls: Start returned 1
>
> ++[eap] returns handled
>
> Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
>
>         EAP-Message = 0x010200060d20
>
>         Message-Authenticator = 0x00000000000000000000000000000000
>
>         State = 0x2676735827747e1a69809cb3876d58ea
>
> Finished request 1.
>
> Going to the next request
>
> Waking up in 4.9 seconds.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, 
> length=236
>
>         User-Name = "testuser"
>
>         NAS-IP-Address = 127.0.0.1
>
>         Calling-Station-Id = "02-00-00-00-00-01"
>
>         Framed-MTU = 1400
>
>         NAS-Port-Type = Wireless-802.11
>
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>
>         EAP-Message = 
> 0x0202006b0d0016030100600100005c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d00003400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
>
>         State = 0x2676735827747e1a69809cb3876d58ea
>
>         Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
>
> +- entering group authorize
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>
>     rlm_realm: No such realm "NULL"
>
> ++[suffix] returns noop
>
>   rlm_eap: EAP packet type response id 2 length 107
>
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> ++[eap] returns updated
>
> ++[unix] returns updated
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> rlm_pap: Found existing Auth-Type, not changing it.
>
> ++[pap] returns noop
>
>   rad_check_password:  Found Auth-Type EAP
>
> auth: type "EAP"
>
> +- entering group authenticate
>
>   rlm_eap: Request found, released from the list
>
>   rlm_eap: EAP/tls
>
>   rlm_eap: processing type tls
>
>   rlm_eap_tls: Authenticate
>
>   rlm_eap_tls: processing TLS
>
>   eaptls_verify returned 7
>
>   rlm_eap_tls: Done initial handshake
>
>     (other): before/accept initialization
>
>     TLS_accept: before/accept initialization
>
>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello 
>
>     TLS_accept: SSLv3 read client hello A
>
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello 
>
>     TLS_accept: SSLv3 write server hello A
>
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate 
>
>     TLS_accept: SSLv3 write certificate A
>
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange 
>
>     TLS_accept: SSLv3 write key exchange A
>
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a7], CertificateRequest 
>
>     TLS_accept: SSLv3 write certificate request A
>
>     TLS_accept: SSLv3 flush data
>
>     TLS_accept: Need to read more data: SSLv3 read client certificate A
>
> In SSL Handshake Phase
>
> In SSL Accept mode 
>
>   eaptls_process returned 13
>
> ++[eap] returns handled
>
> Sending Access-Challenge of id 2 to 127.0.0.1 port 32770
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = 0x3f8d16472d4a3eb1ee492fd3
>
>         Message-Authenticator = 0x00000000000000000000000000000000
>
>         State = 0x2676735824757e1a69809cb3876d58ea
>
> Finished request 2.
>
> Going to the next request
>
> Waking up in 4.9 seconds.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=3, 
> length=135
>
>         User-Name = "testuser"
>
>         NAS-IP-Address = 127.0.0.1
>
>         Calling-Station-Id = "02-00-00-00-00-01"
>
>         Framed-MTU = 1400
>
>         NAS-Port-Type = Wireless-802.11
>
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>
>         EAP-Message = 0x020300060d00
>
>         State = 0x2676735824757e1a69809cb3876d58ea
>
>         Message-Authenticator = 0x86f3e31b265162f7716d461a9aae98f2
>
> +- entering group authorize
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>
>     rlm_realm: No such realm "NULL"
>
> ++[suffix] returns noop
>
>   rlm_eap: EAP packet type response id 3 length 6
>
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> ++[eap] returns updated
>
> ++[unix] returns updated
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> rlm_pap: Found existing Auth-Type, not changing it.
>
> ++[pap] returns noop
>
>   rad_check_password:  Found Auth-Type EAP
>
> auth: type "EAP"
>
> +- entering group authenticate
>
>   rlm_eap: Request found, released from the list
>
>   rlm_eap: EAP/tls
>
>   rlm_eap: processing type tls
>
>   rlm_eap_tls: Authenticate
>
>   rlm_eap_tls: processing TLS
>
> rlm_eap_tls: Received EAP-TLS ACK message
>
>   rlm_eap_tls: ack handshake fragment handler
>
>   eaptls_verify returned 1
>
>   eaptls_process returned 13
>
> ++[eap] returns handled
>
> Sending Access-Challenge of id 3 to 127.0.0.1 port 32770
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = 0xfb36d1078bef2f36de91d2b5
>
>         Message-Authenticator = 0x00000000000000000000000000000000
>
>         State = 0x2676735825727e1a69809cb3876d58ea
>
> Finished request 3.
>
> Going to the next request
>
> Waking up in 4.8 seconds.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=4, 
> length=135
>
>         User-Name = "testuser"
>
>         NAS-IP-Address = 127.0.0.1
>
>         Calling-Station-Id = "02-00-00-00-00-01"
>
>         Framed-MTU = 1400
>
>         NAS-Port-Type = Wireless-802.11
>
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>
>         EAP-Message = 0x020400060d00
>
>         State = 0x2676735825727e1a69809cb3876d58ea
>
>         Message-Authenticator = 0xd88cda63a2776910572007659978dff0
>
> +- entering group authorize
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>
>     rlm_realm: No such realm "NULL"
>
> ++[suffix] returns noop
>
>   rlm_eap: EAP packet type response id 4 length 6
>
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> ++[eap] returns updated
>
> ++[unix] returns updated
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> rlm_pap: Found existing Auth-Type, not changing it.
>
> ++[pap] returns noop
>
>   rad_check_password:  Found Auth-Type EAP
>
> auth: type "EAP"
>
> +- entering group authenticate
>
>   rlm_eap: Request found, released from the list
>
>   rlm_eap: EAP/tls
>
>   rlm_eap: processing type tls
>
>   rlm_eap_tls: Authenticate
>
>   rlm_eap_tls: processing TLS
>
> rlm_eap_tls: Received EAP-TLS ACK message
>
>   rlm_eap_tls: ack handshake fragment handler
>
>   eaptls_verify returned 1
>
>   eaptls_process returned 13
>
> ++[eap] returns handled
>
> Sending Access-Challenge of id 4 to 127.0.0.1 port 32770
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = 
> 0x4df9c4b18aa0bb45b4dcbe5022790ed79559ec10e6b017165192ca92ee664df49dd6de389d1eba0400804b550239ffca80cdd27f3cc0ce1fc851463b672a8e260e415d3d3a40e8ae5102105bddc30b8c1a3031af0bc0a78b4ea69f5e66630001020080a0cc4357af8865d129c3e7c20c4283e7a4a4c522e23e0f3cb9b462c2923ea92c3a2781665e6d1fe4096f9832e39c33424106d2429f569da06ac67c9b0800351a1b7c512cd541edf0a135330412dbccd37885e35ce75111476fe045e0a85c70abf40a30089c4d4302179e1f084bffe853b1845c99010515a1970a03a87449615a010060149cd09ea980ec82c55cfe09857dbb7c5811f45c64e0fe
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = 
> 0x310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
>
>         Message-Authenticator = 0x00000000000000000000000000000000
>
>         State = 0x2676735822737e1a69809cb3876d58ea
>
> Finished request 4.
>
> Going to the next request
>
> Waking up in 4.7 seconds.
>
> rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=5, 
> length=1532
>
>         User-Name = "testuser"
>
>         NAS-IP-Address = 127.0.0.1
>
>         Calling-Station-Id = "02-00-00-00-00-01"
>
>         Framed-MTU = 1400
>
>         NAS-Port-Type = Wireless-802.11
>
>         Connect-Info = "CONNECT 11Mbps 802.11b"
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = 
> 0x583e54d9d74b9b263cda9647c523d9922c1992736d176c3b869b373a9824a8c046dfd49118a90d5c8e9504cae9209d8254c31f98c3979a307f0515e88e820c29c9092c0de6c9af76c9a1bc8eee37aea8d047bf8c1af257f42b550932995e5083364a7e185a62de08976e2ca45d334231109eeaf70203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010085cf673c6dd1deb8648e0589573c0e55e286ba9f3ef23a3882fbe024a5c54aeef510e96f36291f0172deb8bcf2b8ce9e6517a143c658e8fb24c80a7936138c5e6f7dda3ca8b33e4600a1cb92c2f079793304c0ddc296c4
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = [hex fragment elided]
>
>         EAP-Message = 
> 0xd50749f461997927394171b785ff74c98d883674fc8035287993a279f1ffa72b9c4cbc6b96fcaad6e5daaca7bd9aca988c6a8b3c487bd1e5cc73dd3c3c59f8ec39549ebeb61403010001011603010030f1c1d6ee34104fca2869c989529493079d85690315b83299b5d9567823fea467b507af2267dd69305c7d35d7809adf12
>
>         State = 0x2676735822737e1a69809cb3876d58ea
>
>         Message-Authenticator = 0xcc6ace4662072c78666cb7d873d7a354
>
> +- entering group authorize
>
> ++[preprocess] returns ok
>
> ++[chap] returns noop
>
> ++[mschap] returns noop
>
>     rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
>
>     rlm_realm: No such realm "NULL"
>
> ++[suffix] returns noop
>
>   rlm_eap: EAP packet type response id 5 length 253
>
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>
> ++[eap] returns updated
>
> ++[unix] returns updated
>
> ++[files] returns noop
>
> ++[expiration] returns noop
>
> ++[logintime] returns noop
>
> rlm_pap: Found existing Auth-Type, not changing it.
>
> ++[pap] returns noop
>
>   rad_check_password:  Found Auth-Type EAP
>
> auth: type "EAP"
>
> +- entering group authenticate
>
>   rlm_eap: Request found, released from the list
>
>   rlm_eap: EAP/tls
>
>   rlm_eap: processing type tls
>
>   rlm_eap_tls: Authenticate
>
>   rlm_eap_tls: processing TLS
>
>   eaptls_verify returned 7
>
>   rlm_eap_tls: Done initial handshake
>
>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate 
>
> --> verify error:num=20:unable to get local issuer certificate
>
>   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca 
>
> TLS Alert write:fatal:unknown CA
>
>     TLS_accept:error in SSLv3 read client certificate B
>
> rlm_eap: SSL error error:140890B2:SSL 
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
>
>   eaptls_process returned 13
>
>   rlm_eap: Freeing handler
>
> ++[eap] returns reject
>
> auth: Failed to validate the user.
>
>   Found Post-Auth-Type Reject
>
> +- entering group REJECT
>
>         expand: %{User-Name} -> testuser
>
>  attr_filter: Matched entry DEFAULT at line 11
>
> ++[attr_filter.access_reject] returns updated
>
> Sending Access-Reject of id 5 to 127.0.0.1 port 32770
>
>         EAP-Message = 0x04050004
>
>         Message-Authenticator = 0x00000000000000000000000000000000
>
> Finished request 5.
>
> Going to the next request
>
> Waking up in 4.4 seconds.
>
> Cleaning up request 0 ID 0 with timestamp +4
>
> Cleaning up request 1 ID 1 with timestamp +4
>
> Cleaning up request 2 ID 2 with timestamp +4
>
> Cleaning up request 3 ID 3 with timestamp +4
>
> Waking up in 0.1 seconds.
>
> Cleaning up request 4 ID 4 with timestamp +4
>
> Waking up in 0.2 seconds.
>
> Cleaning up request 5 ID 5 with timestamp +5
>
> Ready to process requests.
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> wpa_supplicant logs (copying only FAILURE logs seen at end)
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
> EAPOL: SUPP_BE entering state RECEIVE
>
> Received 44 bytes from RADIUS server
>
> Received RADIUS message
>
> RADIUS message: code=3 (Access-Reject) identifier=5 length=44
>
>    Attribute 79 (EAP-Message) length=6
>
>       Value: 04 05 00 04
>
>    Attribute 80 (Message-Authenticator) length=18
>
>       Value: 7a 61 25 5b 8e cd 44 3b 18 b1 af e3 82 fd 32 5d
>
> STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending 
> request, round trip time 0.00 sec
>
> RADIUS packet matching with station
>
> decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP 
> Failure
>
> EAPOL: Received EAP-Packet frame
>
> EAPOL: SUPP_BE entering state REQUEST
>
> EAPOL: getSuppRsp
>
> EAP: EAP entering state RECEIVED
>
> EAP: Received EAP-Failure
>
> EAP: EAP entering state FAILURE
>
> CTRL-EVENT-EAP-FAILURE EAP authentication failed
>
> EAPOL: SUPP_PAE entering state HELD
>
> EAPOL: SUPP_BE entering state RECEIVE
>
> EAPOL: SUPP_BE entering state FAIL
>
> EAPOL: SUPP_BE entering state IDLE
>
> eapol_sm_cb: success=0
>
> EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
>
> ENGINE: engine deinit
>
> MPPE keys OK: 0  mismatch: 2
>
> FAILURE
>
>  
>
> Regards,
> Gaurav Kansal
>
>  
>
I think the PKI that comes with freeradius by default (./bootstrap) is 
shit. I had the same problem. If you look at the certification path in 
Firefox, for example, you will see that the client certificate is signed 
by the SERVER CERTIFICATE and this one by the CA certificate. Probably 
you put ca_cert="/usr/local/etc/raddb/certs/ca.pem" in eap.conf (

 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate 

--> verify error:num=20:unable to get local issuer certificate

  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca

), and it should be server.pem, or make your own CA that signs the client 
and server certificates.
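The point of the reply is that the file named by ca_cert must let OpenSSL walk from the client certificate all the way up to a self-signed root it trusts; with the CA -> server certificate -> client certificate layout described above, a ca_cert holding only ca.pem leaves the client's issuer (the server certificate) unfound, which is exactly the "verify error:num=20:unable to get local issuer certificate" line in the radiusd -X output. The script below is an added example, not code from this thread or from FreeRADIUS or wpa_supplicant: it builds a throw-away three-tier PKI in memory with the `cryptography` package (an assumed dependency; the function names, the constructed common names and the scenario labels are mine) and then runs the same chain walk OpenSSL performs against several candidate ca_cert contents, so an administrator can see which layout verifies before editing eap.conf.

```python
# Added example: model OpenSSL's EAP-TLS client-certificate chain walk against
# a constructed CA -> server cert -> client cert PKI. Needs 'cryptography'.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _make_cert(common_name, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue an RSA certificate for common_name; self-signed when no issuer is given."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(key if issuer_key is None else issuer_key, hashes.SHA256())
    )
    return cert, key


def _signed_by(cert, candidate):
    """True when candidate's name matches cert's issuer and its key verifies cert's signature."""
    if cert.issuer != candidate.subject:
        return False
    try:
        candidate.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, peer_chain, trusted, max_depth=8):
    """Walk from the client certificate up to a trusted self-signed root.

    peer_chain: extra certificates the client sent (untrusted, tried first).
    trusted:    every certificate contained in the file named by ca_cert.
    Returns (ok, depth, message); the message follows OpenSSL's X509_V_ERR_*
    wording as rlm_eap_tls logs it ('--> verify error:num=20:...').
    """
    chain, from_store = [leaf], 0
    while len(chain) <= max_depth:
        current, depth = chain[-1], len(chain) - 1
        if _signed_by(current, current):                  # reached a self-signed cert
            if any(t == current for t in trusted):
                return True, depth, "ok"
            return False, depth, "self signed certificate not in ca_cert"
        issuer = None
        if from_store == 0:                               # peer-sent certs first, like OpenSSL
            issuer = next((c for c in peer_chain if _signed_by(current, c)), None)
        if issuer is None:
            issuer = next((c for c in trusted if _signed_by(current, c)), None)
            if issuer is None:
                # error 20 while the chain is still all peer-sent, error 2 afterwards
                return False, depth, ("unable to get local issuer certificate"
                                      if from_store == 0 else "unable to get issuer certificate")
            from_store += 1
        chain.append(issuer)
    return False, len(chain) - 1, "certificate chain too long"


def build_bootstrap_style_pki():
    """Constructed PKI in the CA -> server -> client layout described in the reply."""
    ca, ca_key = _make_cert("Example Certificate Authority", is_ca=True)
    server, server_key = _make_cert("Example Server Certificate", ca, ca_key, is_ca=True)
    client, _ = _make_cert("testuser@example.com", server, server_key)
    direct_client, _ = _make_cert("testuser@example.com", ca, ca_key)   # own CA signs clients
    return ca, server, client, direct_client


def run_scenarios():
    """Try the ca_cert / client_cert layouts an administrator might configure."""
    ca, server, client, direct_client = build_bootstrap_style_pki()
    return {
        "ca_cert=ca.pem, client sends leaf only":  verify_chain(client, [], [ca]),
        "ca_cert=server.pem (server cert only)":   verify_chain(client, [], [server]),
        "ca_cert=server cert + ca cert":           verify_chain(client, [], [server, ca]),
        "ca_cert=ca.pem, client_cert holds chain": verify_chain(client, [server], [ca]),
        "own CA signs clients directly":           verify_chain(direct_client, [], [ca]),
    }


if __name__ == "__main__":
    for name, (ok, depth, msg) in run_scenarios().items():
        print(f"{'OK  ' if ok else 'FAIL'} depth={depth} {name}: {msg}")
```

The first scenario reproduces the depth-0 error 20 from the log; the second shows that an intermediate alone in ca_cert fails one level higher, because OpenSSL keeps walking until it reaches a self-signed root it has been given. The two passing layouts are the fixes: put the whole issuing chain in the server's ca_cert, or have the client send its intermediate in client_cert; a CA that signs client certificates directly, as the reply suggests, verifies in one step.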