EAP-TTLS Problem

Milosh Droxy droxy.net at gmail.com
Sat Apr 16 16:16:35 CEST 2011


Hi

Something strange came up. After posting this, I tried it again one night,
and strangely everything worked out just fine (with the two Ubiquiti
devices (http://www.ubnt.com/nanobridge), one as AP and one as the client).
I wanted to be sure, so I tested it with a WRT120N wireless router and
my laptop with Ubuntu 10.10; it worked OK again. I even tried it with my iPad,
and after confirming a certificate warning, it succeeded in connecting to
the AP.
So everything was OK, I thought, but today when I wanted to run the test
again, I got the same errors I got before:

>WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>WARNING: !! EAP session for state 0x829fae86829ebb1a did not finish!
>WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
>WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I thought maybe it's a time-related issue with the certificates, so I set up
an NTP server and synced the times and dates, but the WARNING showed up again.
Does this situation seem familiar to anybody? I'm helpless now! I didn't
change ANYTHING, not before it was working fine and not after; I just
didn't use it for maybe about 2 weeks.
Here's the log from when it was working fine.
Thank you guys
Milosh droxy


Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=0, length=138
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-15-6D-1C-A8-C5:TEST"
    Calling-Station-Id = "00-15-6D-1C-A8-D3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x026700090174657374
    Message-Authenticator = 0x966c9a3758421ff32156e186c61eb76e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 103 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]     expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 3
[sql]     expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test'           ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test'           ORDER BY id
[sql]     expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.145 port 2048
    EAP-Message = 0x016800061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xfed3ffabfebbeaab3449a6464e99ebae
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=1, length=209
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-15-6D-1C-A8-C5:TEST"
    Calling-Station-Id = "00-15-6D-1C-A8-D3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x0268003e150016030100330100002f03014d9a098bf0978c355df4d62fa42b17d3cc0eeae6fc276fe6dff9b29393f367db000008002f000a000500040100
    State = 0xfed3ffabfebbeaab3449a6464e99ebae
    Message-Authenticator = 0x4b1efe6eb985fe421236644cbdb113f5
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 104 length 62
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0033], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 02ad], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 10.10.10.145 port 2048
    EAP-Message =
    EAP-Message =
    EAP-Message =
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xfed3ffabffbaeaab3449a6464e99ebae
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=2, length=351
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-15-6D-1C-A8-C5:TEST"
    Calling-Station-Id = "00-15-6D-1C-A8-D3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x026900cc1500160301008610000082008025a0c342d0e03d47cb83602f52d86a1abb8815964c220e763f7fdc7a34c46837658aaee06710e87e2f3de0d787291be6766a76dbb3fcf9285ad86f3e7b558234e7645f1804a955538e58b2e3db10af4cf80c3bd3d8f20d465cf8982bcec8e7ac844c6a1474295376f003cb9ed7c056319b9cccf830ecff5591a1e62b3174ac0f1403010001011603010030a4355f74e35bdfc0c09c3c285e5df2cf789ba51763df8e3dccc78c057614106aa975e5f63ad0f70f38d16bea623310df
    State = 0xfed3ffabffbaeaab3449a6464e99ebae
    Message-Authenticator = 0xdf7a9d7fffbfbbc12e23d0aedccc657e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 105 length 204
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 10.10.10.145 port 2048
    EAP-Message = 0x016a004515800000003b1403010001011603010030515c28dbb9af01c5df68db5c9a79160a7bb650284637d9ad7aee4db1e2d7ef9f94f84dba9b6551dad2a422e0ebe39b61
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xfed3ffabfcb9eaab3449a6464e99ebae
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=3, length=286
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-15-6D-1C-A8-C5:TEST"
    Calling-Station-Id = "00-15-6D-1C-A8-D3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x026a008b15001703010080db0fe23fd8479d2c92cb1c1ae0ccea708a4822cb2a37ea0648890d1b813e64e1a1875c8f5147c2621e0a325f2eba540a622567f058a8d27923a91df622869b617677fb0ed76e24d4e5ee4eb9da78d4367d7f121593b04d66577734f3a839f3b15ae2b56160224a9078a614f50c6f0b18129384b48d95dc93cf9119c1da2960d0
    State = 0xfed3ffabfcb9eaab3449a6464e99ebae
    Message-Authenticator = 0x9366d77282650efe70a69d65f9dfc957
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 106 length 139
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
    User-Name = "test"
    MS-CHAP-Challenge = 0xf35244302cde5941bf59400d3db2610b
    MS-CHAP2-Response = 0xd50025cd28a00db1f559c2571e91efcba6fb00000000000000007f75cc7e81573e9f3de6fc54397693cea0dd3458dce84b8f
    FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
    User-Name = "test"
    MS-CHAP-Challenge = 0xf35244302cde5941bf59400d3db2610b
    MS-CHAP2-Response = 0xd50025cd28a00db1f559c2571e91efcba6fb00000000000000007f75cc7e81573e9f3de6fc54397693cea0dd3458dce84b8f
    FreeRADIUS-Proxied-To = 127.0.0.1
server  {
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql]     expand: %{User-Name} -> test
[sql] sql_set_user escaped user --> 'test'
rlm_sql (sql): Reserving sql socket id: 2
[sql]     expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'test'           ORDER BY id
[sql] User found in radcheck table
[sql]     expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'test'           ORDER BY id
[sql]     expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'test'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: test
[mschap] Told to do MS-CHAPv2 for test with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
} # server
[ttls] Got tunneled reply code 2
    MS-CHAP2-Success = 0xd5533d43383734464446363634433839434441413845314345323846423435433331313431394139313337
    MS-MPPE-Recv-Key = 0x3ea88b59cb73a3001d3ee04ac5dab228
    MS-MPPE-Send-Key = 0x64126ac7c2ec499c8f52925316357c84
    MS-MPPE-Encryption-Policy = 0x00000002
    MS-MPPE-Encryption-Types = 0x00000004
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.10.10.145 port 2048
    EAP-Message = 0x016b005f1580000000551703010050f2fa45a56374155384f5693a65a4375b1f1557f4569f084c1bcd9be825add2c16dd4e50a02e21ef0b15f2d3ac7268bfa4f5be0dbecaacf063376ca4591b2f5bff75228372ca28baf2f7ba8019cb419d5
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xfed3ffabfdb8eaab3449a6464e99ebae
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=4, length=153
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-15-6D-1C-A8-C5:TEST"
    Calling-Station-Id = "00-15-6D-1C-A8-D3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x026b00061500
    State = 0xfed3ffabfdb8eaab3449a6464e99ebae
    Message-Authenticator = 0x65aa0dd598e522b5a35c067571ac497c
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 107 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 4 to 10.10.10.145 port 2048
    MS-MPPE-Recv-Key = 0x597a4ceb752b01e71e733ddebf986d224906a62e975163479148f1f185a4dbee
    MS-MPPE-Send-Key = 0x3c7bbc2bea16305f5d1bcc22f9bd795fe6e50571d9ebf90939949d0bea7bcf2d
    EAP-Message = 0x036b0004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "test"
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +5
Cleaning up request 1 ID 1 with timestamp +5
Cleaning up request 2 ID 2 with timestamp +5
Cleaning up request 3 ID 3 with timestamp +5
Cleaning up request 4 ID 4 with timestamp +5
Ready to process requests.

> Message: 1
> Date: Tue, 29 Mar 2011 16:10:41 +0430
> From: Milosh Droxy <droxy.net at gmail.com>
> Subject: EAP-TTLS Problem
> To: freeradius-users at lists.freeradius.org
> Message-ID:
>        <AANLkTim1pbcg7w30RLQj-iMTW7BTVCxtHGN_Nc3xS6Rm at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hi
>
> OK, I've been searching and testing for about a week now. I'm quite sure
> I've read almost every topic related to my problem on this mailing list and
> others, and I was afraid to ask for help because I've never posted on a
> mailing list or a forum and I was really afraid of Alan DeKok.
> The problem:
> I'm trying to use FreeRADIUS to authenticate users using EAP-TTLS MSCHAP,
> with no success.
> I use "FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu" on an
> Ubuntu 10.04 64-bit server.
> I've used these devices as clients:
> two Ubiquiti devices (http://www.ubnt.com/nanobridge) (one as AP and one as
> client)
> a TP-Link TL-WR542G as AP and my laptop (running Ubuntu 10.10) as client
> (and an iPad)
> (There was NO Windows XP in any of my tests, so it's not a Microsoft
> issue.)
>
> I've used eapol_test, with successful results; the problem only shows
> when I try to authenticate remotely. Since the eapol_test results were fine
> I won't post the output here. (Or should I?)
>
> And here is the output for when I try to authenticate remotely (the output
> is exactly the same with any combination I've tried):
>
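Reading the EAP-Message hex in a debug log like the one quoted in this thread is the quickest way to see exactly where an EAP-TTLS exchange stops, which is what the "EAP session ... did not finish" warning is about. The following is an added example (my own code, not the poster's and not part of FreeRADIUS) that decodes the EAP header, the EAP-TTLS flags and the TLS records inside each EAP-Message, reassembles EAP packets that were split over several EAP-Message attributes, and applies the same completion rule the server uses: a conversation is finished only when its last packet is an EAP Success or Failure. The code, type and cipher-suite names are the standard RFC 3748 / RFC 5246 / IANA assignments; the sample log is an excerpt of EAP-Message lines copied from the working log posted above; the function names and the summary wording are my own choices.

```python
"""Decode FreeRADIUS EAP-Message hex and check whether an EAP-TTLS conversation finished."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Standard assignments: RFC 3748 EAP codes/types, RFC 5246 TLS record and handshake types.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
CIPHER_SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5"}

@dataclass
class EapPacket:
    code: str
    identifier: int
    eap_type: Optional[str] = None
    identity: Optional[str] = None
    ttls_start: bool = False                                # S flag: the server's TTLS Start
    tls_records: List[str] = field(default_factory=list)    # e.g. "Handshake/ClientHello"
    cipher_suites: List[str] = field(default_factory=list)  # offered by a ClientHello, if seen

def client_hello_suites(hs: bytes) -> List[str]:
    """ClientHello: 4-byte header, 2-byte version, 32-byte random, session id, suite list."""
    pos = 4 + 2 + 32
    pos += 1 + hs[pos]                                   # skip the length-prefixed session id
    count = int.from_bytes(hs[pos:pos + 2], "big")       # byte length of the suite list
    ids = [int.from_bytes(hs[i:i + 2], "big") for i in range(pos + 2, pos + 2 + count, 2)]
    return [CIPHER_SUITES.get(i, f"0x{i:04X}") for i in ids]

def parse_tls_records(body: bytes) -> Tuple[List[str], List[str]]:
    """Label each TLS record; after ChangeCipherSpec the handshake-type byte is ciphertext."""
    records, suites, encrypted, pos = [], [], False, 0
    while pos + 5 <= len(body):
        ctype, rec_len = body[pos], int.from_bytes(body[pos + 3:pos + 5], "big")
        frag = body[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        name = TLS_CONTENT.get(ctype, f"type{ctype}")
        if ctype == 20:
            encrypted = True
        elif ctype == 22:
            hs = TLS_HANDSHAKE.get(frag[0], f"hs{frag[0]}") if frag and not encrypted else "encrypted"
            name += "/" + hs
            if hs == "ClientHello":
                suites = client_hello_suites(frag)
        records.append(name)
    return records, suites

def decode_eap(hex_value: str) -> EapPacket:
    """Decode one EAP packet from the 0x-prefixed hex that the debug log prints."""
    data = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(data) < 4 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("EAP length field does not match the bytes logged")
    pkt = EapPacket(EAP_CODES.get(data[0], f"code{data[0]}"), data[1])
    if data[0] in (3, 4) or len(data) < 6:            # Success/Failure carry no type field
        return pkt
    pkt.eap_type = EAP_TYPES.get(data[4], f"type{data[4]}")
    if data[4] == 1:
        pkt.identity = data[5:].decode("utf-8", "replace")
    elif data[4] in (13, 21, 25):                     # EAP-TLS family: a flags byte follows
        flags, body = data[5], data[6:]
        pkt.ttls_start = bool(flags & 0x20)
        if flags & 0x80:                              # L flag: 4-byte total TLS length first
            body = body[4:]
        pkt.tls_records, pkt.cipher_suites = parse_tls_records(body)
    return pkt

EAP_MSG_RE = re.compile(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)")

def extract_eap_messages(log: str) -> List[str]:
    """One hex string per RADIUS packet: an EAP packet over 253 bytes is carried in several
    EAP-Message attributes that are concatenated in order (RFC 3579), so consecutive
    attributes between two packet headers ('rad_recv:' / 'Sending') are joined."""
    text = re.sub(r"=\s*\n\s*", "= ", log)           # the debug output wraps long values
    packets, current = [], []
    for line in text.splitlines():
        if line.startswith(("rad_recv:", "Sending ")) and current:
            packets.append("0x" + "".join(current))
            current = []
        m = EAP_MSG_RE.search(line)
        if m:
            current.append(m.group(1))
    return packets + (["0x" + "".join(current)] if current else [])

def conversation_status(packets: List[EapPacket]) -> str:
    """The rule behind the 'did not finish' warning: finished only on EAP Success/Failure."""
    if not packets:
        return "no EAP traffic"
    last = packets[-1]
    if last.code in ("Success", "Failure"):
        return f"finished with EAP {last.code} (id {last.identifier})"
    return (f"unfinished: last packet was {last.code} id {last.identifier} carrying "
            f"{', '.join(last.tls_records) or last.eap_type}")

# Excerpt of the working log posted above (identity round and requests 2 to 4 left out).
SAMPLE_LOG = (
    "Sending Access-Challenge of id 0 to 10.10.10.145 port 2048\n"
    "    EAP-Message = 0x016800061520\n"
    "rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=1, length=209\n"
    "    EAP-Message =\n"
    "0x0268003e150016030100330100002f03014d9a098bf0978c355df4d62fa42b17d3cc0eeae6fc276fe6dff9b29393f367db000008002f000a000500040100\n"
    "Sending Access-Challenge of id 2 to 10.10.10.145 port 2048\n"
    "    EAP-Message =\n"
    "0x016a004515800000003b1403010001011603010030515c28dbb9af01c5df68db5c9a79160a7bb650284637d9ad7aee4db1e2d7ef9f94f84dba9b6551dad2a422e0ebe39b61\n"
    "Sending Access-Accept of id 4 to 10.10.10.145 port 2048\n"
    "    EAP-Message = 0x036b0004\n")

if __name__ == "__main__":
    print(conversation_status([decode_eap(h) for h in extract_eap_messages(SAMPLE_LOG)]))
```

Run over a complete debug log, `conversation_status` reports where the exchange stopped. In the working log above it ends with EAP Success id 107; when a supplicant rejects the server certificate it typically stops answering right after the Request that carried the Certificate handshake message, so the verdict reads "unfinished ... carrying Handshake/Certificate", which is the situation the Certificate_Compatibility wiki page named in the warning covers. The decoded ClientHello also shows what the supplicant is willing to negotiate: in the posted log it offers TLS 1.0 with four RSA suites, two of them RC4, which is worth knowing before tightening the server's cipher list. Packets whose EAP-Message attributes were cut out of the log (as in request 1's reply above) fail the length check instead of being silently misread.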