RADIUS certificate compatibility warning
Sergio NNX
sfhacker at hotmail.com
Mon Oct 24 12:50:29 CEST 2011
Ciao.
We're also facing the same issue, but on a Windows box. We did a quick test using a rather old FR version (1.1.7), on the same PC and using the same certificates, and we get a successful result using eapol_test. We've also followed the steps available in http://wiki.freeradius.org/Certificate_Compatibility. However, no one seems to know the answer/solution to this issue.
Just bear in mind I'm new to this project and my ignorance may contribute to ..... you know!
Thanks in advance.
Sergio.
> From: Martin.Ubank at uwe.ac.uk
> To: freeradius-users at lists.freeradius.org
> Date: Mon, 24 Oct 2011 11:25:01 +0100
> Subject: RADIUS certificate compatibility warning
>
> I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6.
> I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.
>
> The 'radiusd -X' output finishes with :
>
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server which is Linux (CentOS).
>
> The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.:
>
> OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
> OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
>
> I created the certificates using the method described in http://deployingradius.com/documents/configuration/certificates.html
>
> I can supply the full output from the 'eapol_test' command and from 'radiusd -X' but they're too big to include in this email.
>
> Can anyone tell me what I'm doing wrong?
>
> Thanks
>
> Martin.
>
> ================================================================
>
> Here are the errors/warnings section from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files & eap.conf:
>
> 'eapol_test' errors/warnings
> ============================
>
> :
> RADIUS packet matching with station
> decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25)
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0
> EAP: EAP entering state GET_METHOD
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
> TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00
> TLS: using phase1 config options
> OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
> OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> EAP: EAP entering state METHOD
> SSL: Received packet(len=6) - Flags 0x20
> EAP-PEAP: Start (server ver=0, own ver=1)
> EAP-PEAP: Using PEAP version 0
> SSL: (where=0x10 ret=0x1)
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:before/connect initialization
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A
> SSL: SSL_connect - want more data
> SSL: 112 bytes pending from ssl_out
> SSL: 112 bytes left to be sent out (of total 112 bytes)
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> WPA: eapol_test_eapol_send(type=0 len=122)
> :
>
> 'radiusd -X' errors/warnings
> ============================
>
> :
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: USERNAME
> [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
> [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME
> [mschap] No NT-Domain was found in the User-Name.
> [mschap] expand: %{mschap:NT-Domain} ->
> [mschap] ... expanding second conditional
> [mschap] expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS
> [mschap] mschap2: 8a
> [mschap] Creating challenge hash with username: USERNAME
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822adf858
> Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
> Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x010900331a0308002e533d43433730383935313337463446383333384338344634373038363136364246374137353446433330
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9197308e909e2a67190d1c1ddd88b035
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x010900331a0308002e533d43433730383935313337463446383333384338344634373038363136364246374137353446433330
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9197308e909e2a67190d1c1ddd88b035
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 8 to 127.0.0.1 port 50462
> EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x20754327287c5ad31b57225dabc8b87e
> Finished request 8.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 0 with timestamp +76
> Cleaning up request 1 ID 1 with timestamp +76
> Cleaning up request 2 ID 2 with timestamp +76
> Cleaning up request 3 ID 3 with timestamp +76
> Cleaning up request 4 ID 4 with timestamp +76
> Cleaning up request 5 ID 5 with timestamp +76
> Cleaning up request 6 ID 6 with timestamp +76
> Cleaning up request 7 ID 7 with timestamp +76
> Cleaning up request 8 ID 8 with timestamp +76
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
>
> peap-mschapv2-cert-ntlm_auth.conf
> =================================
>
> #
> # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
> #
>
> # eapol_version=1
> # fast_reauth=0
>
> network={
> key_mgmt=WPA-EAP
> eap=PEAP
> identity="USERNAME"
> password="PASSWORD"
> phase2="autheap=MSCHAPV2"
>
> # priority=10
>
> ca_cert="/etc/raddb/certs/ca.der"
> }
>
> ca.cnf
> ======
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./
> certs = $dir
> crl_dir = $dir/crl
> database = $dir/index.txt
> new_certs_dir = $dir
> certificate = $dir/ca.pem
> serial = $dir/serial
> crl = $dir/crl.pem
> private_key = $dir/ca.key
> RANDFILE = $dir/.rand
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 3650
> default_crl_days = 30
> default_md = sha1
> preserve = no
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> prompt = no
> distinguished_name = certificate_authority
> default_bits = 2048
> input_password = inpass
> output_password = outpass
> x509_extensions = v3_ca
>
> [certificate_authority]
> countryName = UK
> stateOrProvinceName = United Kingdom
> localityName = Bristol
> organizationName = UWE
> emailAddress = email at uwe.ac.uk
> commonName = "UWE Certificate Authority"
>
> [v3_ca]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer:always
> basicConstraints = CA:true
>
> ================================================================
>
> server.cnf
> ==========
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./
> certs = $dir
> crl_dir = $dir/crl
> database = $dir/index.txt
> new_certs_dir = $dir
> certificate = $dir/server.pem
> serial = $dir/serial
> crl = $dir/crl.pem
> private_key = $dir/server.key
> RANDFILE = $dir/.rand
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 730
> default_crl_days = 30
> default_md = sha1
> preserve = no
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> prompt = no
> distinguished_name = server
> default_bits = 2048
> input_password = inpass
> output_password = outpass
>
> [server]
> countryName = UK
> stateOrProvinceName = United Kingdom
> localityName = Bristol
> organizationName = UWE
> emailAddress = email at uwe.ac.uk
> commonName = "UWE Server Certificate"
>
> ================================================================
>
> client.cnf
> ==========
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./
> certs = $dir
> crl_dir = $dir/crl
> database = $dir/index.txt
> new_certs_dir = $dir
> certificate = $dir/server.pem
> serial = $dir/serial
> crl = $dir/crl.pem
> private_key = $dir/server.key
> RANDFILE = $dir/.rand
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 730
> default_crl_days = 30
> default_md = sha1
> preserve = no
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> prompt = no
> distinguished_name = client
> default_bits = 2048
> input_password = inpass
> output_password = outpass
>
> [client]
> countryName = UK
> stateOrProvinceName = United Kingdom
> localityName = Bristol
> organizationName = UWE
> emailAddress = email at uwe.ac.uk
> commonName = "UWE Client Certificate"
>
> eap.conf
> ========
>
> eap {
>     default_eap_type = md5
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 4096
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>         auth_type = PAP
>     }
>     tls {
>         certdir = ${confdir}/certs
>         cadir = ${confdir}/certs
>         private_key_password = outpass
>         private_key_file = ${certdir}/server.pem
>         certificate_file = ${certdir}/server.pem
>         CA_file = ${cadir}/ca.pem
>         dh_file = ${certdir}/dh
>         random_file = ${certdir}/random
>         cipher_list = "DEFAULT"
>         cache {
>             enable = no
>             max_entries = 255
>         }
>     }
>     ttls {
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     mschapv2 {
>     }
> }
>
>
>
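The posted server.cnf has no x509_extensions section, so the server certificate only gets an extendedKeyUsage if one is added at signing time, which is what the deployingradius.com procedure does with its xpextensions file (the Certificate_Compatibility wiki page referenced in the radiusd warning is about Windows supplicants requiring the TLS Web Server Authentication EKU). The two tls_connection_ca_cert lines in the eapol_test output are wpa_supplicant trying to read ca_cert as PEM, failing, and then loading it as DER. The script below is an added example, not code from either poster or from the FreeRADIUS project: it rebuilds a CA and a server certificate with request configs modelled on the posted ca.cnf and server.cnf, signs the server certificate once with and once without the xpserver_ext section, converts the CA to DER as the posted eapol_test config expects, and runs the three checks worth doing before pointing eapol_test at the result. It uses `openssl x509 -req` rather than the procedure's `openssl ca` for brevity; all DN values, file names and the working directory are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a CA and an EAP server
# certificate the way the deployingradius.com procedure does, then run the
# checks a supplicant's TLS stack performs on them. All DN values, file
# names and the working directory are placeholders for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# CA request config, modelled on the posted ca.cnf: self-signed, CA:true.
cat > ca.cnf <<'EOF'
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = certificate_authority
x509_extensions = v3_ca

[ certificate_authority ]
countryName = GB
stateOrProvinceName = Example
organizationName = Example Org
commonName = Example Certificate Authority

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF

# Server request config, modelled on the posted server.cnf (no extensions).
cat > server.cnf <<'EOF'
[ req ]
prompt = no
default_bits = 2048
default_md = sha256
distinguished_name = server

[ server ]
countryName = GB
stateOrProvinceName = Example
organizationName = Example Org
commonName = Example Server Certificate
EOF

# Extension section added at signing time: TLS Web Server Authentication
# (OID 1.3.6.1.5.5.7.3.1), which Windows supplicants require on the server cert.
cat > xpextensions <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF

build_certs() {
  openssl req -new -x509 -nodes -days 3650 -config ca.cnf \
    -keyout ca.key -out ca.pem 2>/dev/null
  openssl req -new -nodes -config server.cnf \
    -keyout server.key -out server.csr 2>/dev/null
  # Signed WITH the server EKU, as the procedure intends.
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 730 -sha256 -extfile xpextensions -extensions xpserver_ext \
    -out server.pem 2>/dev/null
  # Signed WITHOUT any extensions, to show what the EKU check catches.
  openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 730 -sha256 -out server-noeku.pem 2>/dev/null
}

# eapol_test's ca_cert may be PEM or DER; convert and confirm the DER parses.
pem_to_der() {
  openssl x509 -in "$1" -outform DER -out "$2"
  if openssl x509 -in "$2" -inform DER -noout 2>/dev/null; then echo ok; else echo bad; fi
}

# Does the server certificate chain to the CA the supplicant trusts?
verify_chain() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Does the server certificate carry the TLS Web Server Authentication EKU?
has_server_eku() {
  if openssl x509 -in "$1" -noout -text 2>/dev/null \
       | grep -A1 'Extended Key Usage' | grep -q 'TLS Web Server Authentication'; then
    echo yes
  else
    echo no
  fi
}

build_certs
echo "ca.der parses:   $(pem_to_der ca.pem ca.der)"
echo "chain to CA:     $(verify_chain ca.pem server.pem)"
echo "EKU (with ext):  $(has_server_eku server.pem)"
echo "EKU (no ext):    $(has_server_eku server-noeku.pem)"
```

Run it once, then point `ca_cert=` in the eapol_test config at the generated ca.der (or ca.pem) and `certificate_file`/`private_key_file` in eap.conf at server.pem and server.key; a server certificate that reports `EKU (no ext): no` is the one a Windows supplicant will refuse even though `openssl verify` accepts it.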