eap-ttls failing

Josh Hiner josh at remc1.org
Mon Jan 26 21:51:34 CET 2009


Josh Hiner wrote:
>
>
> tnt at kalik.net wrote:
>>> I have a Ruckus ZoneDirector 1025 with waps that I just installed.
>>> Testing out different EAP types I can use. I am using FreeRadius 2.1.3.
>>> I have eap-ttls and eap-peapv0 working perfectly (I am using windows to
>>> control the wireless card for peap and it works great). Was going to try
>>> eap-tls by assigning client certificate to the machine account so the
>>> computer account authenticates on the wireless and then the user can log
>>> into the domain. I did this and get errors. It kind-of looks to me that
>>> the Zone Director is not sending the correct eap message for eap-tls.
>>>     
>>
>> No you are forcing Auth-Type Reject in users file:
>>
>>  
>>> [files] users: Matched entry DEFAULT at line 226
>>>     
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>>
>>   
> Ok thanks. I did take that out (whoops) and now I see no explicit 
> failure but when it hits the authentication section it just stops 
> (never authenticates the client). I tried sticking the common name 
> (user-name) in /etc/raddb/users to see if I could rig it up to 
> authenticate. It hits an "OK" for files section but still does not 
> authenticate the XP client. I don't think I should need anything in the 
> users file correct? Here is output from radiusd (version info etc.. at 
> top of this message). Thanks for any help.
>
> -Josh

Oh, and to add, the certificate does have this: Client Authentication 
purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify 
that I did read the FreeRadius Wiki FAQ.

thanks -Josh


>
>
> Ready to process requests.
> rad_recv: Access-Request packet from host 172.17.10.108 port 1027, 
> id=243, length=182
>    User-Name = "joshhiner"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 1
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-0E-35-B6-74-AF"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x0200000e016a6f736868696e6572
>    Message-Authenticator = 0x799db1f3c98934494137e4e5b4864a7c
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
> [eap] EAP packet type response id 0 length 14
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  
> Authentication may fail because of this.
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Requiring client certificate
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 243 to 172.17.10.108 port 1027
>    EAP-Message = 0x010100060d20
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x2378b52b2379b8326de9be9acd701ac8
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.17.10.108 port 1027, 
> id=244, length=266
>    User-Name = "joshhiner"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 1
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-0E-35-B6-74-AF"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 
> 0x020100500d800000004616030100410100003d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d00001600040005000a000900640062000300060013001200630100 
>
>    State = 0x2378b52b2379b8326de9be9acd701ac8
>    Message-Authenticator = 0x1e56c72c8f7a8f9ea99c2e78fc74dab1
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
> [eap] EAP packet type response id 1 length 80
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
>  TLS Length 70
> [tls] Length Included
> [tls] eaptls_verify returned 11
> [tls]     (other): before/accept initialization
> [tls]     TLS_accept: before/accept initialization
> [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls]     
> TLS_accept: SSLv3 read client hello A
> [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls]     
> TLS_accept: SSLv3 write server hello A
> [tls] >>> TLS 1.0 Handshake [length 03c4], Certificate [tls]     
> TLS_accept: SSLv3 write certificate A
> [tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest 
> [tls]     TLS_accept: SSLv3 write certificate request A
> [tls]     TLS_accept: SSLv3 flush data
> [tls]     TLS_accept: Need to read more data: SSLv3 read client 
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode [tls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 244 to 172.17.10.108 port 1027
>    EAP-Message = 0x884f0c3489f47015e1ad876a
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x2378b52b227ab8326de9be9acd701ac8
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.17.10.108 port 1027, 
> id=245, length=192
>    User-Name = "joshhiner"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 1
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-0E-35-B6-74-AF"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x020200060d00
>    State = 0x2378b52b227ab8326de9be9acd701ac8
>    Message-Authenticator = 0x61aa5b710916c0ee4384c347547492da
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
> [eap] EAP packet type response id 2 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> [tls] Received TLS ACK
> [tls] ACK handshake fragment handler
> [tls] eaptls_verify returned 1
> [tls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 245 to 172.17.10.108 port 1027
>    EAP-Message = 
> 0x010300b40d80000004a067eb16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000 
>
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x2378b52b217bb8326de9be9acd701ac8
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 172.17.10.108 port 1027, 
> id=246, length=192
>    User-Name = "joshhiner"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 1
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-0E-35-B6-74-AF"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x020300060d00
>    State = 0x2378b52b217bb8326de9be9acd701ac8
>    Message-Authenticator = 0x3ccd67f6b56a0fbcf45daf523f482b7b
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] returns noop
> [eap] EAP packet type response id 3 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> [tls] Received TLS ACK
> [tls] ACK handshake fragment handler
> [tls] eaptls_verify returned 1
> [tls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 246 to 172.17.10.108 port 1027
>    EAP-Message = 0x0104000a0d8000000000
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x2378b52b207cb8326de9be9acd701ac8
> Finished request 3.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 243 with timestamp +115
> Cleaning up request 1 ID 244 with timestamp +115
> Cleaning up request 2 ID 245 with timestamp +115
> Cleaning up request 3 ID 246 with timestamp +115
> Ready to process requests.
>
>
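To see what each side actually sent, here is an added decoder (not code from the thread or from FreeRADIUS) for the EAP-Message values in the debug output above. It parses the RFC 3748 EAP header and the RFC 5216 EAP-TLS flag byte and shows that the client's responses after the server's CertificateRequest are bare ACKs carrying no TLS data, which is why the handshake never reaches the client certificate.

```python
"""Decode the EAP-Message values FreeRADIUS prints in debug mode.
Added example, not code from the thread. Sample values are copied
from the debug output quoted above."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_IDENTITY, TYPE_TLS = 1, 13


def decode_eap_message(hexstr):
    """Return a dict describing one EAP-Message attribute value."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or len(raw) < 6:
        return info                      # Success/Failure carry no type byte
    info["type"] = raw[4]
    if raw[4] == TYPE_IDENTITY:
        info["identity"] = raw[5:length].decode("ascii", "replace")
    elif raw[4] == TYPE_TLS:
        flags = raw[5]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20)}
        body = raw[6:length]
        if flags & 0x80:                 # L bit: 4-byte total TLS length follows
            info["tls_total_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["tls_data_len"] = len(body)
        # Type 13 with no flags and no payload is a bare EAP-TLS ACK.
        info["is_ack"] = flags == 0 and not body
        if len(body) >= 6 and body[0] == 0x16:   # TLS handshake record
            info["handshake_type"] = body[5]     # 1 = ClientHello, 11 = Certificate
    return info


# EAP-Message values from the log above, in the order they were sent.
LOG_MESSAGES = [
    "0x0200000e016a6f736868696e6572",   # client -> server: EAP Identity
    "0x010100060d20",                   # server -> client: EAP-TLS Start
    "0x020100500d800000004616030100410100003d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d00001600040005000a000900640062000300060013001200630100",
    "0x020200060d00",                   # client -> server, after CertificateRequest
    "0x020300060d00",                   # client -> server, again no TLS data
    "0x0104000a0d8000000000",           # server -> client: empty fragment
]


def count_bare_acks(messages):
    """Count client Responses that carry no TLS bytes at all."""
    acks = 0
    for m in messages:
        d = decode_eap_message(m)
        if d["code"] == "Response" and d.get("is_ack"):
            acks += 1
    return acks
```

Run against the log, the ClientHello fragment is complete (total and fragment length both 70), while both client responses after the CertificateRequest are bare ACKs; a supplicant that had selected a certificate would answer with a TLS Certificate record instead.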