eap-tls configuration not running...

fabien.crettaz at novelis.com fabien.crettaz at novelis.com
Wed Mar 4 11:06:59 CET 2009


Hello

My server is now accepting the eap authentication, but is sending after 
this accept an access challenge to the client. It seems that the client 
"ignores" the access challenge sent by the server !!
Any idea ??
Fabien

rad_recv: Access-Request packet from host 10.166.42.30:1024, id=3, length=159
        User-Name = "sierre08015"
        NAS-IP-Address = 10.166.42.30
        NAS-Port = 1
        Called-Station-Id = "00-14-C2-BB-FF-70:test"
        Calling-Station-Id = "00-1F-3C-13-1A-1F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11g"
        EAP-Message = 0x02070010017369657272653038303135
        Message-Authenticator = 0x44d8e63aaf78d1dd710924a013bfe7ba
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  rlm_eap: EAP packet type response id 7 length 16
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry sierre08015 at line 97
  modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 10.166.42.30 port 1024
        EAP-Message = 0x010800060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70d9ca888398794265f013f1ea86a3b8
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.166.42.30:1024, id=4, length=241
        User-Name = "sierre08015"
        NAS-IP-Address = 10.166.42.30
        NAS-Port = 1
        Called-Station-Id = "00-14-C2-BB-FF-70:test"
        Calling-Station-Id = "00-1F-3C-13-1A-1F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11g"
        EAP-Message = 
0x020800500d800000004616030100410100003d030149ae3f67c2530394de05ba7fb9c39413db6dd4d884994527880e0543a428dee400001600040005000a000900640062000300060013001200630100
        State = 0x70d9ca888398794265f013f1ea86a3b8
        Message-Authenticator = 0x56372f6bfce57e79360ae0c757da625b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  rlm_eap: EAP packet type response id 8 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry sierre08015 at line 97
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 02ad], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a3], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 4 to 10.166.42.30 port 1024
        EAP-Message = 
0x010903b30d80000003a9160301004a02000046030149ae3f6712908d3b767909434474e04763782e4799f5ba8fa55677e4cc5ebb69201f975e44af3ffdd4256b3608b4501983469357e875c2d3df0e562e297d56618300040016030102ad0b0002a90002a60002a33082029f30820208020900d79b076a9c2a726f300d06092a864886f70d0101050500308193310b3009060355040613024348311430120603550408130b537769747a65726c616e64310f300d06035504071306536965727265311d301b060355040a13144e6f76656c697320506c616e7420536965727265311630140603550403130d526164697573205365727665723126302406
        EAP-Message = 
0x092a864886f70d01090116177369657272657261643130406e6f76656c69732e636f6d301e170d3039303131323139323733375a170d3039303231313139323733375a308193310b3009060355040613024348311430120603550408130b537769747a65726c616e64310f300d06035504071306536965727265311d301b060355040a13144e6f76656c697320506c616e7420536965727265311630140603550403130d526164697573205365727665723126302406092a864886f70d01090116177369657272657261643130406e6f76656c69732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ec5d7c0b616c84
        EAP-Message = 
0xc8ad4170e9d80b47b6e9ae2a82cc577076dec8b316030100a30d00009b0301020500950093308190310b3009060355040613024348311430120603550408130b537769747a65726c616e64310f300d0603550407130653696572726531163014060355040a130d4e6f76656c697320506c616e74311730150603550403130e46616269656e204372657474617a3129302706092a864886f70d010901161a66616269656e2e6372657474617a406e6f76656c69732e636f6d0e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcad27a06a3667c11a3c87b3e41faa858
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.166.42.30:1024, id=5, length=167
        User-Name = "sierre08015"
        NAS-IP-Address = 10.166.42.30
        NAS-Port = 1
        Called-Station-Id = "00-14-C2-BB-FF-70:test"
        Calling-Station-Id = "00-1F-3C-13-1A-1F"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11g"
        EAP-Message = 0x020900060d00
        State = 0xcad27a06a3667c11a3c87b3e41faa858
        Message-Authenticator = 0x57367206865668163c2155289735fb84
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: EAP packet type response id 9 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry sierre08015 at line 97
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 5 to 10.166.42.30 port 1024
        EAP-Message = 0x010a000a0d8000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x850de87f7a3c97df745f110aed8ce38e
Finished request 5
Going to the next request
Waking up in 6 seconds...


NOVELIS

Fabien Crettaz
IT System and Infrastructure
Novelis Automotive, Painted & Specialities

Novelis Switzerland SA
CH - 3960 Sierre, Switzerland
phone: +41 (0)27 457 7164 
fax: +41 (0)27 457 7105 
e-mail: fabien.crettaz at novelis.com
http://www.novelis.ch


<tnt at kalik.net>
Sent by: freeradius-users-bounces+fabien.crettaz=novelis.com at lists.freeradius.org
03.03.2009 16:50
Please respond to: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
cc:
Subject: Re: eap-tls configuration not running...

>Thanks for your response, what should I set as Auth-Type, as 'Auth-Type :=
>eap' is not recommended (cf. comment in eap.conf) ?

You don't set anything. Server will set what it needs. It "just works".

Ivan Kalik
Kalik Informatika ISP
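
To follow the exchange in the debug output above, the short EAP-Message values can be decoded field by field. The following is an added example, not part of the original post or of FreeRADIUS: it parses the EAP header (RFC 3748) and the EAP-TLS flags octet (RFC 5216); the helper name decode_eap and the result field names are assumptions.

```python
import struct

# Added example. EAP codes (RFC 3748) and EAP-TLS flag bits (RFC 5216).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_IDENTITY, TYPE_TLS = 1, 13
FLAGS = (("L", 0x80), ("M", 0x40), ("S", 0x20))  # Length, More, Start

def decode_eap(hex_value):
    """Decode one EAP-Message attribute value (hypothetical helper)."""
    text = hex_value[2:] if hex_value.startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match attribute size")
    pkt = {"code": CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length == 4:
        return pkt  # Success/Failure carry no type octet
    pkt["type"], body = raw[4], raw[5:]
    if pkt["type"] == TYPE_IDENTITY:
        pkt["identity"] = body.decode("ascii", "replace")
    elif pkt["type"] == TYPE_TLS:
        if not body:
            raise ValueError("EAP-TLS packet without flags octet")
        flags, body = body[0], body[1:]
        pkt["flags"] = "".join(name for name, bit in FLAGS if flags & bit)
        if flags & 0x80:  # four-octet TLS Message Length follows
            if len(body) < 4:
                raise ValueError("L flag set but length field missing")
            pkt["tls_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        pkt["tls_bytes"] = len(body)  # TLS record bytes in this fragment
    return pkt

# EAP-Message values copied from the debug output above, in order.
TRACE = [
    ("client", "0x02070010017369657272653038303135"),
    ("server", "0x010800060d20"),
    ("client", "0x020900060d00"),
    ("server", "0x010a000a0d8000000000"),
]

def summarize():
    """Return (sender, decoded packet) pairs for the sample trace."""
    return [(who, decode_eap(value)) for who, value in TRACE]

if __name__ == "__main__":
    for who, pkt in summarize():
        print(who, pkt)
```

A packet that RADIUS carries in several EAP-Message attributes, like the long Access-Challenge of id 4, has to be concatenated in order before it is passed to the decoder.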
