PEAP with Machine auth

Bonald bonald at gmail.com
Wed Oct 26 14:49:19 CEST 2011


Hi,
I've spent too much time trying to fix this issue and I'm getting nowhere...

I am trying to get MACHINE auth working with Windows / Cisco WLC and FreeRADIUS.
I have no problem with USER auth.

The certificate is fine, I've created it using xpextension. I've also
tried a Windows-CA certificate.
I've also tried MACHINE auth with IAS and it's working.
I've upgraded the WLC to 7.0.0.116, I was at 6.0.199-4 before.

Why does it work with USER auth but not with MACHINE auth?

Could someone point me in the right direction?

Thanks!


Here are some logs:


rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=58,
length=280
       User-Name = "host/MININT-EC23NBT.domain.local"
       Calling-Station-Id = "b4-74-9f-9d-55-fb"
       Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
       NAS-Port = 1
       Cisco-AVPair = "audit-session-id=0132800a0000005618faa74e"
       NAS-IP-Address = 10.10.1.1
       NAS-Identifier = "Controller-WLC2125"
       Airespace-Wlan-Id = 5
       Service-Type = Framed-User
       Framed-MTU = 1300
       NAS-Port-Type = Wireless-802.11
       EAP-Message =
0x0202002801686f73742f4d494e494e542d454332334e42542e6373646573696c65732e71632e6361
       Message-Authenticator = 0x5b1e2e25b76f1f348cb1bb62b94b2d43
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 2 length 40
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 58 to 10.10.1.1 port 32770
       EAP-Message = 0x010300061920
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xd4ade9e4d4aef086c00dbb7516145db0
Finished request 232.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=59,
length=395
       User-Name = "host/MININT-EC23NBT.domain.local"
       Calling-Station-Id = "b4-74-9f-9d-55-fb"
       Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
       NAS-Port = 1
       Cisco-AVPair = "audit-session-id=0132800a0000005618faa74e"
       NAS-IP-Address = 10.10.1.1
       NAS-Identifier = "Controller-WLC2125"
       Airespace-Wlan-Id = 5
       Service-Type = Framed-User
       Framed-MTU = 1300
       NAS-Port-Type = Wireless-802.11
       EAP-Message =
0x0203008919800000007f160301007a0100007603014ea7fa1c69583120e18e33c7779ea4d03e42e8b960079d8f36ab746be5bb345a20512d0000ccfbf8a28c0c5d27fb46eac23b913c638cc133e76aa06671c2dca9bd0018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100
       State = 0xd4ade9e4d4aef086c00dbb7516145db0
       Message-Authenticator = 0xde1ff14a20623ba0cc79cb552d264947
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 3 length 137
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
 TLS Length 127
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 007a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 037c], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 59 to 10.10.1.1 port 32770
       EAP-Message =
0x010403c6190016030100310200002d03014ea7fa24d1353592fe67e3ae98e501bbfbe366dc12f730a1d2ab15d1efcc9f3200002f000005ff01000100160301037c0b0003780003750003723082036e30820256a003020102020106300d06092a864886f70d01010505003075310b3009060355040613024341310b3009060355040813025143310c300a0603550407130345444e310c300a060355040a13034353493123302106092a864886f70d010901161474656368406373646573696c65732e71632e6361311830160603550403130f435349205061636b657466656e6365301e170d3131313032353233333930315a170d313131323234323333
       EAP-Message =
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
       EAP-Message =
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
       EAP-Message =
0xba37da6f48fb4f6aec7fee62fe06d36a11c2a13f94f188c1165c2ea8d0865cd5283462ec76c3de3df37967d94d9224425b8ea7921f8033711b4430ef1943ff29db366b7a0e6bdab6ddcdede222e7f3642fb886a3eea1316ed7ede26b8aa1dcdc7b4bcb6fefae97ba9c0eec9750bd45cf29e93be3b58b2534ba203f11b9e9a4b05980c844cebf79044f17f3f08797d9b912de8fc1cec712e42c2c87189817d456bcb3469c0043306504f2d58e779fc810a75d8d5784b54ce4c351188d50cd052b618d28d0461516030100040e000000
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xd4ade9e4d5a9f086c00dbb7516145db0
Finished request 233.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.1 port 32770, id=60,
length=264
       User-Name = "host/MININT-EC23NBT.domain.local"
       Calling-Station-Id = "b4-74-9f-9d-55-fb"
       Called-Station-Id = "00-25-84-23-52-60:SSID--Secure"
       NAS-Port = 1
       Cisco-AVPair = "audit-session-id=0132800a0000005618faa74e"
       NAS-IP-Address = 10.10.1.1
       NAS-Identifier = "Controller-WLC2125"
       Airespace-Wlan-Id = 5
       Service-Type = Framed-User
       Framed-MTU = 1300
       NAS-Port-Type = Wireless-802.11
       EAP-Message = 0x020400061900
       State = 0xd4ade9e4d5a9f086c00dbb7516145db0
       Message-Authenticator = 0x3f92eaba33074a895121d2885b384802
server peap {
# Executing section authorize from file /etc/raddb/sites-enabled/peap
+- entering group authorize {...}
[suffix] No '@' in User-Name = "host/MININT-EC23NBT.domain.local",
looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[preprocess] returns ok
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/peap
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server peap
Sending Access-Challenge of id 60 to 10.10.1.1 port 32770
       EAP-Message = 0x010500061900
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xd4ade9e4d6a8f086c00dbb7516145db0
Finished request 234.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 232 ID 58 with timestamp +4714
Cleaning up request 233 ID 59 with timestamp +4714
Cleaning up request 234 ID 60 with timestamp +4714
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.



