Problem with EAP-TLS authentication in Freeradius 2.1.0

senthil kumar mailbsk at gmail.com
Fri Apr 8 09:04:50 CEST 2011


Hi All,

I am using Freeradius 2.1.0. PEAP/TTLS is working fine, but I am facing a problem with TLS authentication. I am able to generate certificates, but while connecting it throws an authentication error.

Please let me know how to debug it.

rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6,
length=147

User-Name = "maemo at nokia.com"

NAS-IP-Address = 192.168.1.1

Called-Station-Id = "0023692c6f74"

Calling-Station-Id = "0025d05b72ab"

NAS-Identifier = "0023692c6f74"

NAS-Port = 2

Framed-MTU = 1400

State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8

NAS-Port-Type = Wireless-802.11

EAP-Message = 0x020200060d00

Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"

[suffix] Found realm "DEFAULT"

[suffix] Adding Stripped-User-Name = "maemo"

[suffix] Adding Realm = "DEFAULT"

[suffix] Authentication realm is LOCAL.

++[suffix] returns ok

[eap] EAP packet type response id 2 length 6

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns updated

[files] users: Matched entry maemo at line 74

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Found existing Auth-Type, not changing it.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/tls

[eap] processing type tls

[tls] Authenticate

[tls] processing EAP-TLS

[tls] Received TLS ACK

[tls] ACK handshake fragment handler

[tls] eaptls_verify returned 1

[tls] eaptls_process returned 13

++[eap] returns handled

Sending Access-Challenge of id 6 to 192.168.1.1 port 4906

EAP-Message =
0x370203010001a381d33081d0301d0603551d0e041604146495968035da2071580d6554ff37f49f34a6a4fc3081a00603551d2304819830819580146495968035da2071580d6554ff37f49f34a6a4fca172a470306e310b300906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f82090088f0548531fc31df300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c60eb4fe9642b5cf1a479ddd03


EAP-Message = 0x01024000720070306e310b30

Message-Authenticator = 0x00000000000000000000000000000000

State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8

Finished request 156.

Going to the next request

Waking up in 0.4 seconds.

rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6,
length=147

User-Name = "maemo at nokia.com"

NAS-IP-Address = 192.168.1.1

Called-Station-Id = "0023692c6f74"

Calling-Station-Id = "0025d05b72ab"

NAS-Identifier = "0023692c6f74"

NAS-Port = 2

Framed-MTU = 1400

State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8

NAS-Port-Type = Wireless-802.11

EAP-Message = 0x020300060d00

Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"

[suffix] Found realm "DEFAULT"

[suffix] Adding Stripped-User-Name = "maemo"

[suffix] Adding Realm = "DEFAULT"

[suffix] Authentication realm is LOCAL.

++[suffix] returns ok

[eap] EAP packet type response id 3 length 6

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns updated

[files] users: Matched entry maemo at line 74

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Found existing Auth-Type, not changing it.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/tls

[eap] processing type tls

[tls] Authenticate

[tls] processing EAP-TLS

[tls] Received TLS ACK

[tls] ACK handshake fragment handler

[tls] eaptls_verify returned 1

[tls] eaptls_process returned 13

++[eap] returns handled

Sending Access-Challenge of id 6 to 192.168.1.1 port 4908

EAP-Message =
0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000

Message-Authenticator = 0x00000000000000000000000000000000

State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8

Finished request 157.

Going to the next request

Waking up in 0.4 seconds.

rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6,
length=154

User-Name = "maemo at nokia.com"

NAS-IP-Address = 192.168.1.1

Called-Station-Id = "0023692c6f74"

Calling-Station-Id = "0025d05b72ab"

NAS-Identifier = "0023692c6f74"

NAS-Port = 2

Framed-MTU = 1400

State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8

NAS-Port-Type = Wireless-802.11

EAP-Message = 0x0204000d0d001503010002012a

Message-Authenticator = 0x782f15b2fce0fe49f406f1cb224b1ccf

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"

[suffix] Found realm "DEFAULT"

[suffix] Adding Stripped-User-Name = "maemo"

[suffix] Adding Realm = "DEFAULT"

[suffix] Authentication realm is LOCAL.

++[suffix] returns ok

[eap] EAP packet type response id 4 length 13

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns updated

[files] users: Matched entry maemo at line 74

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Found existing Auth-Type, not changing it.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Request found, released from the list

[eap] EAP/tls

[eap] processing type tls

[tls] Authenticate

[tls] processing EAP-TLS

[tls] eaptls_verify returned 7

[tls] Done initial handshake

[tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate

TLS Alert read:warning:bad certificate

[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A

In SSL Handshake Phase

In SSL Accept mode

SSL Application Data

TLS failed during operation

[tls] eaptls_process returned 4

[eap] Handler failed in EAP/tls

[eap] Failed in EAP select

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type Reject

+- entering group REJECT {...}

expand: %{User-Name} -> maemo at nokia.com

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 158 for 1 seconds

Going to the next request

Waking up in 0.4 seconds.

rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6,
length=136

User-Name = "maemo at nokia.com"

NAS-IP-Address = 192.168.1.1

Called-Station-Id = "0023692c6f74"

Calling-Station-Id = "0025d05b72ab"

NAS-Identifier = "0023692c6f74"

NAS-Port = 2

Framed-MTU = 1400

NAS-Port-Type = Wireless-802.11

EAP-Message = 0x0204000d0d001503010002020a

Message-Authenticator = 0x542730d7c53937fe5e038692a71646ff

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"

[suffix] Found realm "DEFAULT"

[suffix] Adding Stripped-User-Name = "maemo"

[suffix] Adding Realm = "DEFAULT"

[suffix] Authentication realm is LOCAL.

++[suffix] returns ok

[eap] EAP packet type response id 4 length 13

[eap] No EAP Start, assuming it's an on-going EAP conversation

++[eap] returns updated

++[unix] returns updated

[files] users: Matched entry maemo at line 74

++[files] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] Found existing Auth-Type, not changing it.

++[pap] returns noop

Found Auth-Type = EAP

+- entering group authenticate {...}

[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

[eap] Failed in handler

++[eap] returns invalid

Failed to authenticate the user.

Using Post-Auth-Type Reject

+- entering group REJECT {...}

expand: %{User-Name} -> maemo at nokia.com

attr_filter: Matched entry DEFAULT at line 11

++[attr_filter.access_reject] returns updated

Delaying reject of request 159 for 1 seconds

Going to the next request

Waking up in 0.4 seconds.

Cleaning up request 146 ID 6 with timestamp +2141

Cleaning up request 147 ID 6 with timestamp +2141

Waking up in 0.5 seconds.

Sending delayed reject for request 158

Sending Access-Reject of id 6 to 192.168.1.1 port 4910

EAP-Message = 0x04040004

Message-Authenticator = 0x00000000000000000000000000000000

Sending delayed reject for request 159

Sending Access-Reject of id 6 to 192.168.1.1 port 4912

Waking up in 1.1 seconds.

Cleaning up request 148 ID 6 with timestamp +2143

Cleaning up request 149 ID 6 with timestamp +2143

Cleaning up request 150 ID 6 with timestamp +2143

Cleaning up request 151 ID 6 with timestamp +2143

Waking up in 1.0 seconds.

Cleaning up request 152 ID 6 with timestamp +2143

Cleaning up request 153 ID 6 with timestamp +2143

Waking up in 1.7 seconds.

Cleaning up request 154 ID 6 with timestamp +2146

Cleaning up request 155 ID 6 with timestamp +2146

Cleaning up request 156 ID 6 with timestamp +2146

Cleaning up request 157 ID 6 with timestamp +2146

Waking up in 1.0 seconds.

Cleaning up request 158 ID 6 with timestamp +2146

Cleaning up request 159 ID 6 with timestamp +2146

-- 
"Adversity always presents opportunity for Introspection"

Regards
Senthil
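A small decoder for the EAP-Message values printed in this debug output, added here as an example; it is not part of the post or of FreeRADIUS. It parses the EAP header and, for EAP-TLS packets, any TLS alert record inside, so that the "warning bad_certificate" the server logs can be read straight from the hex; the sample values are copied from the log above, and the alert names are a subset of RFC 2246.

```python
"""Decode EAP-Message values from a FreeRADIUS debug log and explain TLS alerts in them."""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                       # EAP method type for EAP-TLS (RFC 5216)
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {                  # subset of RFC 2246 section 7.2
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version"}

# Constructed sample: the four complete EAP packets quoted in the post's log
# (the multi-attribute certificate fragments are left out on purpose).
SAMPLE_LOG = """\
EAP-Message = 0x020200060d00
EAP-Message = 0x0204000d0d001503010002012a
EAP-Message = 0x0204000d0d001503010002020a
EAP-Message = 0x04040004
"""


def decode_eap_message(hex_value):
    """Describe one complete EAP packet; raise ValueError for a fragment or junk."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length {length} != {len(data)} bytes: not a complete packet")
    result = {"code": EAP_CODES.get(code, str(code)), "id": ident}
    if code not in (1, 2) or data[4] != EAP_TYPE_TLS:   # Success/Failure, or not EAP-TLS
        return result
    flags = data[5]     # L = TLS length included, M = more fragments, S = start
    result["flags"] = "".join(n for n, b in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & b)
    tls = data[10:] if flags & 0x80 else data[6:]       # skip the 4-byte length when L is set
    if not tls:
        result["tls"] = "ACK (no TLS data)"
    elif tls[0] == 0x15 and len(tls) >= 7:              # record content type 21 = alert
        version = TLS_VERSIONS.get((tls[1], tls[2]), f"{tls[1]}.{tls[2]}")
        level, desc = tls[5], tls[6]
        result["tls"] = (f"{version} alert {ALERT_LEVELS.get(level, level)} "
                         f"{ALERT_DESCRIPTIONS.get(desc, desc)}")
    else:
        result["tls"] = f"{len(tls)} bytes of TLS record data"
    return result


def scan_log(text):
    """Decode every complete EAP-Message value in a debug log; fragments are skipped."""
    found = []
    for value in re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", text):
        try:
            found.append(decode_eap_message(value))
        except ValueError:
            continue
    return found
```

An alert carried in an EAP Response (code 2) was sent by the supplicant, so it is the client's verdict on what the server sent it, not the server's verdict on the client certificate.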
