Re: EAP/TLS authentication timeout
Wiedemann, Joerg
Joerg.Wiedemann at edcllc.com
Wed Nov 4 14:23:08 CET 2009
Hi,
I got a little further in using eapol_test. Now the RADIUS server
reports the following.
FreeRADIUS Version 2.1.3, for host i486-pc-linux-gnu, built on Feb 25
2009 at 14:17:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/sradutmp
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client dehanxp-8453 {
ipaddr = 10.149.123.111
require_message_authenticator = no
secret = "123"
}
client dehanrf-22201 {
ipaddr = 10.149.10.68
require_message_authenticator = no
secret = "Blu0DojNa"
}
client dehansw {
ipaddr = 10.149.10.0
netmask = 24
require_message_authenticator = no
secret = "RyftOnji"
}
client Sinus {
ipaddr = 10.149.12.222
require_message_authenticator = no
secret = "tcom"
}
client dehanrf-222c {
ipaddr = 10.149.10.50
require_message_authenticator = no
secret = "12345"
}
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
realm www {
authhost = 10.149.12.11:1812
accthost = 10.149.12.11:1813
secret = e123Dcq
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating expr
Module: Linked to module rlm_expiration
Module: Instantiating expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating logintime
logintime {
reply-message = "You are calling outside your allowed timespan
"
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = yes
}
Module: Linked to module rlm_chap
Module: Instantiating chap
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_unix
Module: Instantiating unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.pem"
certificate_file = "/etc/freeradius/certs/server.pem"
CA_file = "/etc/freeradius/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
check_cert_cn = "%{User-Name}"
cipher_list = "DEFAULT"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating suffix
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
[/etc/freeradius/users]:63 WARNING! Check item "Cleartext-Password"
found in reply item list for user "wiedemj at edcllc.net". This
attribute MUST go on the first line with the other check items
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Linked to module rlm_detail
Module: Instantiating auth_log
detail auth_log {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating DOT
realm DOT {
format = "suffix"
delimiter = "."
ignore_default = no
ignore_null = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Instantiating detail
detail {
detailfile =
"/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating attr_filter.accounting_response
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=0,
length=144
User-Name = "wiedemj at edcllc.net"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020000170177696564656d6a406564636c6c632e6e6574
Message-Authenticator = 0x775abc55737e6cea952a10e9328c70d1
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log] expand: %t -> Wed Nov 4 12:05:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm "net" for User-Name = "wiedemj at edcllc.net"
[DOT] No such realm "net"
++[DOT] returns noop
[suffix] Looking up realm "edcllc.net" for User-Name =
"wiedemj at edcllc.net"
[suffix] No such realm "edcllc.net"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wiedemj at edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 55334
EAP-Message = 0x010100160410188a0c3e8d6cc7af9b6d4b283464185d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1fbca39a1fbda7840b404aff3aa5dd7e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=1,
length=145
User-Name = "wiedemj at edcllc.net"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02010006030d
State = 0x1fbca39a1fbda7840b404aff3aa5dd7e
Message-Authenticator = 0x2c634dd080f01ff2ff343d5c717b44ba
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log] expand: %t -> Wed Nov 4 12:05:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm "net" for User-Name = "wiedemj at edcllc.net"
[DOT] No such realm "net"
++[DOT] returns noop
[suffix] Looking up realm "edcllc.net" for User-Name =
"wiedemj at edcllc.net"
[suffix] No such realm "edcllc.net"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wiedemj at edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 55334
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1fbca39a1ebeae840b404aff3aa5dd7e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=2,
length=232
User-Name = "wiedemj at edcllc.net"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0202005d0d0016030100520100004e03014af1600722884b16fc3fd22eae365509d7ca
5fb0a984de178e9f76273d6e0dbf00002600390038003500160013000a00330032002f00
05000400150012000900140011000800060003020100
State = 0x1fbca39a1ebeae840b404aff3aa5dd7e
Message-Authenticator = 0xac646b18e37fa95bc0e70ac405cae14b
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log] expand: %t -> Wed Nov 4 12:05:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm "net" for User-Name = "wiedemj at edcllc.net"
[DOT] No such realm "net"
++[DOT] returns noop
[suffix] Looking up realm "edcllc.net" for User-Name =
"wiedemj at edcllc.net"
[suffix] No such realm "edcllc.net"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 93
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wiedemj at edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0052], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 084f], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 55334
EAP-Message =
0x010304000dc000000b42160301002a0200002603014af1600755acad64e5ba5c769cc3
97d2189311949c648d89b7d6f06ce909ca6f00003901160301084f0b00084b0008480003
97308203933082027ba003020102020101300d06092a864886f70d010104050030819331
0b3009060355040613024445310f300d0603550408130652616469757331123010060355
04071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e
3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126
30240603550403131d4578616d706c6520436572746966696361746520417574686f7269
7479
EAP-Message =
0x301e170d3039313130323133303532345a170d3130313130323133303532345a306d31
0b3009060355040613024445310f300d0603550408130652616469757331153013060355
040a130c4578616d706c6520496e632e311430120603550403130b646568616e6c78766d
31333120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d
30820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0b8c
135549b41155a064de008cd6a26b825262d28b9e9de6f0b7a6cf756e620185b6b8adac6f
7fa66b72bc4b6a57864fcc04dc45146e6bb16a6a5c167fb329399675c771b103797a52fa
0dd6
EAP-Message =
0x3f7ba1741eb42d03979eeb2db107b7df6431bd414eef60ef66d9213eaadd8fd58ebcae
740955f9738f11cf0488ad8bd48c3c4bb46e3c638030acaff7b1140404f845dd83f328af
cc7cfa8621511d0342cce54bb6c7ea47538a8ec3728dbb3d7a0c0bbea7fd93c9fa66e552
07e7929c8b742c398663df70557c20175559b4d485a4b0803af99bc655dbbdd03d264675
6098e8b4db91efe42639d33706f9f597b1f569402b0736fbdd8874a8b8c131b836ceda31
0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a86
4886f70d0101040500038201010056546b866e102443cfc90c4ec53d2380ee91f2be42f6
f166
EAP-Message =
0x8b3ccc06994cf5cc5952e73e2997a7a9d4f78e5cfda44e19c9feb806e8c9bb921ece6c
061f60fda3015400be4ac3c1e6a87c3de3f69dbe3f2288dc1b2cd8bd257fc32ce74968ee
cde89d314247507e040c0b8f2b7f1d31a31f28f1b95d17ac845668999c2c0ea1cc53af8b
576771fff9ff6ae4ec4e564db8fe358a37f6b6a6ddeb58f43136e3a573469e8304761a5c
6dcc2b828183ac7c51f191e39f7b6a2acc21621768a12c601fef8c8a1f489883d1a50a36
3258c0b4d0379885d0d16ed34f5a15664c39997b4fa4858aaa932123bac359c5f057b485
83a44a1137e4018b60c7e775701db6f2570004ab308204a73082038fa003020102020900
9b2c
EAP-Message = 0xffa3b12f2ee2300d06092a86
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1fbca39a1dbfae840b404aff3aa5dd7e
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=3,
length=145
User-Name = "wiedemj at edcllc.net"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0x1fbca39a1dbfae840b404aff3aa5dd7e
Message-Authenticator = 0x88243ab728c8bbdbf13007e9c19174cb
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log] expand: %t -> Wed Nov 4 12:05:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm "net" for User-Name = "wiedemj at edcllc.net"
[DOT] No such realm "net"
++[DOT] returns noop
[suffix] Looking up realm "edcllc.net" for User-Name =
"wiedemj at edcllc.net"
[suffix] No such realm "edcllc.net"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wiedemj at edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 55334
EAP-Message =
0x010404000dc000000b424886f70d0101050500308193310b3009060355040613024445
310f300d060355040813065261646975733112301006035504071309536f6d6577686572
6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d
010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861
6d706c6520436572746966696361746520417574686f72697479301e170d303931313032
3133303232305a170d3130313130323133303232305a308193310b300906035504061302
4445310f300d060355040813065261646975733112301006035504071309536f6d657768
6572
EAP-Message =
0x6531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f7
0d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578
616d706c6520436572746966696361746520417574686f7269747930820122300d06092a
864886f70d01010105000382010f003082010a0282010100b1e1eecced65eab3ea1e21bb
e11a4b5d42232595738f000c321c8d9fe1fc597a94e27f1a53a9cbdc9917ad487a27c19f
82f094fbebc09b4be46d6d3a9be30fcf242716aa7b4e9afea5ec69aabf30324b7b086b8d
6df6a82a9ac9294d4ee671c59a41ee85569db6839ea997a09dd3280f3ccb626bcc9d376c
fc6c
EAP-Message =
0x9f4e4bc0ffc447b390dacf3c3253ce6bf244d64efbe2931a658145e2689fd6e8542158
4c6ac83f9e9f115198e9c47bbbb598da914733f79cada81e6f15e1b02332de5c1086b521
a1911173200a96a28e9d56c82a6d3bb192100cfb2d69f3487dc6fdbebfe0dca2e5e6a7ba
745d320e0323cf49826288e271a3ad0bcc1161c8fd3fce2e491ac30203010001a381fb30
81f8301d0603551d0e0416041479c0ec0a9c1cf0e5bcce878b7ceb23f083c9ae2d3081c8
0603551d230481c03081bd801479c0ec0a9c1cf0e5bcce878b7ceb23f083c9ae2da18199
a48196308193310b3009060355040613024445310f300d06035504081306526164697573
3112
EAP-Message =
0x301006035504071309536f6d65776865726531153013060355040a130c4578616d706c
6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c65
2e636f6d312630240603550403131d4578616d706c652043657274696669636174652041
7574686f726974798209009b2cffa3b12f2ee2300c0603551d13040530030101ff300d06
092a864886f70d0101050500038201010036410c8cf929f2b3090a3fc9754779f6dd1a80
89cefbe87aa0d191eb2d5a19d30003e352e8ae5e6236f195f4ff0d76d1532f9df4f85737
0afab09cb3223f6585e82e86def203567a5d103aca4351c22a9b19967940fd7fd69dea4b
9287
EAP-Message = 0xe9e24454363017f77583cf3a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1fbca39a1cb8ae840b404aff3aa5dd7e
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=4,
length=145
User-Name = "wiedemj at edcllc.net"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400060d00
State = 0x1fbca39a1cb8ae840b404aff3aa5dd7e
Message-Authenticator = 0x8b23cc610d83783fea5090e8d46deac8
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log] expand: %t -> Wed Nov 4 12:05:43 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm "net" for User-Name = "wiedemj at edcllc.net"
[DOT] No such realm "net"
++[DOT] returns noop
[suffix] Looking up realm "edcllc.net" for User-Name =
"wiedemj at edcllc.net"
[suffix] No such realm "edcllc.net"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wiedemj at edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 55334
EAP-Message =
0x010503600d8000000b426489c1ab64aa271476c700a3412e5d56c9b2688d613f31848a
2ddf9f8e12c21a4023e7b5cfeee26b5dd9af6ead54fe3285225f1eaef895e5b390f04ea1
c3b4873f5825d6f5b00d7c7917d939390292b4bed0ae262ef2ea85c6befe9bd27004a52d
e68a776cb5f0b74eeecfce81ab578577060f2492a087ffe49d5a31a2afa13bca289c5817
d0e2ada5beba083eb8efa8623488c104ce28160301020d0c0002090080b0b57776b68eef
22cdd40b3545dd88663abfcc1575b9cc3f84fdeede9c8645e8c23a3d705fb78779f0306d
2dc37ac93933dadae2dead2f59003f7697045edf5606f42f89380c2704502f7dd5111f2f
456f
EAP-Message =
0x2ce9339fe727813559d8c823c71219200e0b0cc6d88cbb4cc168bbe68e3eeda2105dec
8479ace13839026a0c57a49300010200805e3b2245705709adefccd8707ada9356ffdf37
db35f29c0bf682449dcc59cfbb681cf793ae9a515179b27faf465975ac2fb62e7344d418
6a7c19e67e755ea7185f9079bdfe6773462b2c9e3e6b5ef0a3aabf6d2b41038cb9d68e30
8d85f5cc761ba9a38ae6f5023b167dc8b51b4f852e6dd6fd41c1c64209e6ab387d8f953d
a901008f17198c946db0f7a830babe23d8c1b443eadc67b704694b71f84619bbc46dd8b5
a59471bd79729684f21be4edb3f66e74fb78bc7913b2913ca80e2db2627e62bf75a3ad1a
a924
EAP-Message =
0xf89e73d8ca82db85a4d6635606c485fa9dda0c74188fe9656efef443530ef2db8433c8
0bb3118c620fb4f011a75dcb086967405aef7d8ea22bb8db8e558461f6d918873baecebd
bef9e72edcfb8537e0aab2306c437d3f1a4628228a6151d77574f351fede13b3b676d71c
5348b67e878f55c3baf76fe73d09812808d6ae7e9cff9a800d1a95c048fdd324b0b16f3b
7fd861d3c61a42f52ecb34940d9597022bc8c210e0ce344155f1c5a941f612c7913aba70
a5c3fa69d66a16030100a80d0000a005030401024000980096308193310b300906035504
0613024445310f300d060355040813065261646975733112301006035504071309536f6d
6577
EAP-Message =
0x6865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a86
4886f70d010901161161646d696e406578616d706c652e636f6d31263024060355040313
1d4578616d706c6520436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1fbca39a1bb9ae840b404aff3aa5dd7e
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 55334, id=5,
length=1523
User-Name = "wiedemj at edcllc.net"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0205055e0d0016030103820b00037e00037b000378308203743082025ca00302010202
0102300d06092a864886f70d0101040500306d310b3009060355040613024445310f300d
0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e
311430120603550403130b646568616e6c78766d31333120301e06092a864886f70d0109
01161161646d696e406578616d706c652e636f6d301e170d303931313032313330383033
5a170d3130313130323133303830335a3075310b3009060355040613024445310f300d06
03550408130652616469757331153013060355040a130c4578616d706c6520496e632e31
1b30
EAP-Message =
0x190603550403141277696564656d6a406564636c6c632e6e65743121301f06092a8648
86f70d010901161277696564656d6a406564636c6c632e6e657430820122300d06092a86
4886f70d01010105000382010f003082010a0282010100efa1dd7108bd0e4af0c47bbe79
40511a6a0e1b1c6937ae57308b1e55af1bc829024d13e546094d1c653cec9d6357aa5cac
469cbe9fc4a854221efc9c169fb2143bb92f1c3111782de488473ee712818355262b832f
da3f3f2ab6809d7bef72ac030f93e59d9b5e89c977e9cde76311ffed567a955844f40840
d73fb67b6342c9028dd5861a1d3dc9ee663db69014d3038b80648c62f1eab336a959bbcb
bf60
EAP-Message =
0x44708b215f59861238b57ba2bf0aed63eb4688160092f17b73546e9f7d77ca40d27832
956f81d15655cd32758e7c1af3a71f4bfcb5b28905585ab9b80689f878451ba2d6e890ec
8ccd919e6299bcc074fd09bfd0ba5fd4cb542160d2ba7c3002a30203010001a317301530
130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003
8201010077edb6f0bc87189299fd9157a30d7f29101008b241b540d9d08259f0c9f87199
3c2b072534c05cfce76d4f2df2df2c71d7061ef407aaaca7f6bc9d4e609c6fccf5a81e4d
18ae26a08303fc98eb6fd4a0bb3fbcdfae09cb1b3eae5da034ad1894ab757fb3547e8d6d
6a60
EAP-Message =
0xbfd44beb466b87b931d07e176e2e39106117c2beab257391835d80ada864c45840f069
a561ceee5ae603f6a20761e03b15ccef485aa46ffd185665c96141b6e7d66b89a0f63600
a5c7e64cfe17b2f5e84d93bcaacc6e9e955d6042a3d5370dd44351e997417f55973628a6
4ddc06e706b12a577802d209c21d7c8eb9121d03591d4b741332365b162538325b2c51ad
6697ef6993bd1716030100861000008200803bcb607c1515a79438ebba388bd45eaecd2c
80b195d2c00a06cb343521ccf5267290f99a2bd1ef8ed6ae20c31fbd8c6058d5d8287d2f
02e084ae2b93988ba5549abaecdf3ae2eab5948e3e24141d616fd7e96fa86031016be30d
b582
EAP-Message =
0x9e555c38dfead36089744d1afa36b14f6508d6d1e2fcfd7af0d363ddf5517ee6ebbdad
1516030101060f00010201005fe72b1a9cf9fa2c609ddc4074e57f8ca94a05eb3e7ccca6
d28f0122a31097c71b0a003f676cbcfbb6a23aa49c93731eabfe6896d6927fdd519c511a
fa1913cb08e03ef9ba435612d066ea9d1efd16b0fa9ee0560483b025a6d397bebc2681a9
87bed22764979e64520254f2bff93576a2b7cce0feb1d3043d5f09c08c375591152b802d
b2c9d478d58f00a37121ebeea2660a8f58a066323007af52f9f0a097444b9e2188c300e5
d96e8edfbea8a8f335308928a8b0430b623b179b3b3544df16e0b594e36515e890a90cbf
3edf
EAP-Message =
0xd270d8477e9c09ca99816d1866c1bc9c3be3fe5acd4dd6b7f3222bd7ce979b4edc7878
09de017ebc228ed5d6acff33434fcc14030100010116030100302d1de5f067aff761b157
255463114c29207ae08caa4f4be9717cf548dd609a798246eb6373cbc110ca236827974e
f445
State = 0x1fbca39a1bb9ae840b404aff3aa5dd7e
Message-Authenticator = 0x5ba244bc725517ccff1e3733f2331650
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/127.0.0.1/auth-detail-20091104
[auth_log] expand: %t -> Wed Nov 4 12:05:44 2009
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
[DOT] Looking up realm "net" for User-Name = "wiedemj at edcllc.net"
[DOT] No such realm "net"
++[DOT] returns noop
[suffix] Looking up realm "edcllc.net" for User-Name =
"wiedemj at edcllc.net"
[suffix] No such realm "edcllc.net"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry wiedemj at edcllc.net at line 63
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0382], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [wiedemj at edcllc.net/<via Auth-Type = EAP>] (from client
localhost port 0 cli 02-00-00-00-00-01)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
wiedemj at edcllc.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 5 to 127.0.0.1 port 55334
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.0 seconds.
Cleaning up request 0 ID 0 with timestamp +43
Cleaning up request 1 ID 1 with timestamp +43
Cleaning up request 2 ID 2 with timestamp +43
Cleaning up request 3 ID 3 with timestamp +43
Cleaning up request 4 ID 4 with timestamp +43
Waking up in 1.8 seconds.
Cleaning up request 5 ID 5 with timestamp +44
Ready to process requests.
Regards
Joerg
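To make the exchange in the debug output above easier to follow, here is an added decoder for the `EAP-Message = 0x...` attributes it prints. This is example code written for this page, not FreeRADIUS or eapol_test code; it relies only on the EAP header layout (RFC 3748), the EAP-TLS Flags/Length field (RFC 5216) and the TLS record header. Run over the constructed excerpt embedded below (EAP-Message lines copied from the log, long ones cut to their first line), it recovers the sequence the server logs in words: the Identity response, the MD5-Challenge, the NAK asking for EAP-Type 13 (TLS), the EAP-TLS Start (S flag), the ClientHello, the server's Certificate flight fragmented into 1024-byte EAP packets (matching `fragment_size = 1024`, with the L flag carrying the 2882-byte total TLS length), the client's empty ACKs, the client's own Certificate message, and finally EAP-Failure.

```python
"""Decode the EAP-Message attributes printed in a FreeRADIUS debug log.

Added example, not FreeRADIUS or eapol_test code. It relies only on the
EAP header layout (RFC 3748), the EAP-TLS flags/length field (RFC 5216)
and the TLS record header, so it runs offline on pasted log text.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 12: "ServerKeyExchange", 13: "CertificateRequest",
                 14: "ServerHelloDone", 15: "CertificateVerify",
                 16: "ClientKeyExchange", 20: "Finished"}

# "EAP-Message = 0x..." with the hex possibly wrapped onto following lines
# (as happens when debug output is pasted into a mail). A continuation
# line must consist of hex digits only, so the next attribute is never
# swallowed.
EAP_MSG_RE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-f]+(?:\n[0-9a-f]+$)*)",
                        re.IGNORECASE | re.MULTILINE)


def decode_tls_record(data):
    """Describe the first TLS record header in data, or None if data does
    not start at a record boundary (e.g. a middle fragment)."""
    if len(data) < 5 or data[0] not in TLS_CONTENT or data[1] != 3:
        return None
    rec = {"content": TLS_CONTENT[data[0]],
           "version": f"{data[1]}.{data[2]}",          # 3.1 is TLS 1.0
           "record_length": int.from_bytes(data[3:5], "big")}
    if data[0] == 22 and len(data) >= 6:
        rec["handshake"] = TLS_HANDSHAKE.get(data[5], data[5])
    return rec


def decode_eap(hexstr):
    """Decode one EAP packet from its hex; a truncated prefix is accepted."""
    clean = re.sub(r"\s+", "", hexstr)
    if clean.lower().startswith("0x"):
        clean = clean[2:]
    raw = bytes.fromhex(clean)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "truncated": len(raw) < length}
    if code not in (1, 2) or len(raw) < 5:
        return info                      # Success/Failure carry no Type
    etype, body = raw[4], raw[5:]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = body.decode("ascii", "replace")
    elif etype == 3:
        info["nak_wants"] = [EAP_TYPES.get(b, b) for b in body]
    elif etype == 13 and body:
        flags = body[0]
        info["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                         if flags & bit]
        tls = body[1:]
        if flags & 0x80:                 # L: 4-byte total TLS message length
            if len(tls) >= 4:
                info["tls_total_length"] = int.from_bytes(tls[:4], "big")
            tls = tls[4:]
        if not info["flags"] and not tls:
            info["tls_ack"] = True       # empty, flagless EAP-TLS = fragment ACK
        rec = decode_tls_record(tls)
        if rec:
            info["tls_record"] = rec
    return info


def eap_messages_from_log(text):
    """Return the decoded EAP-Message attributes in log order."""
    return [decode_eap(m.group(1)) for m in EAP_MSG_RE.finditer(text)]


# Constructed excerpt: EAP-Message lines copied from the debug log above,
# with the long ones cut to their first line (so they decode as truncated).
SAMPLE_LOG = """\
EAP-Message = 0x020000170177696564656d6a406564636c6c632e6e6574
EAP-Message = 0x010100160410188a0c3e8d6cc7af9b6d4b283464185d
EAP-Message = 0x02010006030d
EAP-Message = 0x010200060d20
EAP-Message =
0x0202005d0d0016030100520100004e03014af1600722884b16fc3fd22eae365509d7ca
5fb0a984de178e9f76273d6e0dbf00002600390038003500160013000a00330032002f00
05000400150012000900140011000800060003020100
EAP-Message =
0x010304000dc000000b42160301002a0200002603014af1600755acad64e5ba5c769cc3
EAP-Message = 0x020300060d00
EAP-Message =
0x0205055e0d0016030103820b00037e00037b000378308203743082025ca00302010202
EAP-Message = 0x04050004
"""

if __name__ == "__main__":
    for msg in eap_messages_from_log(SAMPLE_LOG):
        print(msg)
```

Two things the decoded values make visible that the log only implies: the server sets the L bit on every fragment of its Certificate flight, not just the first, which is what `include_length = yes` in the `tls` section does; and the last packet the client sends before the reject is a TLS Certificate handshake message (record length 0x382). That is the message the server rejects with `verify error:num=20:unable to get local issuer certificate` and answers with the `unknown_ca` alert, so the thing to check is that the `CA_file` (`/etc/freeradius/certs/ca.pem`) actually contains the issuer chain of the client certificate eapol_test presents.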