Authentication with certificates

Andreas Meyer anmeyer at anup.de
Mon Jul 2 19:56:26 CEST 2012


Hello!

# radiusd -v
radiusd: FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu

I could use some help with authenticating users by certificate
against a FreeRADIUS server.
I created the certificates and copied the ca.pem to the testing supplicant.
I started freeradius with radiusd -X, and a locally executed
radtest miles davis45 192.168.1.220 1812 testing123 gives this result:

Sending Access-Request of id 206 to 192.168.1.220 port 1812
        User-Name = "miles"
        User-Password = "davis45"
        NAS-IP-Address = 192.168.3.1
        NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.1.220 port 1812, id=206, length=20

I have this in the sqltrace.sql then:

INSERT INTO radpostauth   (username, pass, reply, authdate)      VALUES (   'miles',   'davis45', 
      'Access-Accept', '2012-07-02 19:31:45');

I tried all kinds of settings on the supplicant, but I cannot get access using the ca.pem
and get no lease from the DHCP server of the AP, a TL-WA901ND.

I am posting the following output of a radiusd -X session:

rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=155, length=153
        User-Name = "andreas"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
        Calling-Station-Id = "00-22-B0-E7-EF-98"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x0200000c01616e6472656173
        Message-Authenticator = 0xcfc9907d0444926482192aafdcaba630
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andreas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'andreas'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'andreas'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'andreas'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'andreas'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'andreas'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'andreas'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 155 to 192.168.1.254 port 2048
        EAP-Message = 0x010100160410627ca484105a5653ea83eec8c11115b0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0f58029d0f5906e7a9d59b95861c72dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=156, length=165
        User-Name = "andreas"
        NAS-IP-Address = 192.168.1.254
        NAS-Port = 0
        Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
        Calling-Station-Id = "00-22-B0-E7-EF-98"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x020100060315
        State = 0x0f58029d0f5906e7a9d59b95861c72dd
        Message-Authenticator = 0x764f23c23137bd2125a294f54ca21ac1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andreas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 3
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'andreas'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'andreas'           ORDER BY id
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'andreas'           ORDER BY id
rlm_sql_mysql: query:  SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'andreas'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'andreas'           ORDER BY priority
rlm_sql_mysql: query:  SELECT groupname           FROM radusergroup           WHERE username = 'andreas'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 156 to 192.168.1.254 port 2048
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0f58029d0e5a17e7a9d59b95861c72dd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 155 with timestamp +25
Cleaning up request 1 ID 156 with timestamp +25
Ready to process requests.

Can somebody help and tell me what to look for next?

Thank you for every hint!

  Andreas


More information about the Freeradius-Users mailing list
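The debug trace above prints each EAP packet only as a raw EAP-Message hex string. Decoding those strings is the quickest way to see what the supplicant and server actually negotiated: the four packets in the trace are an Identity response, an MD5-Challenge request, a Nak in which the peer asks for type 21 (EAP-TTLS, not type 13, EAP-TLS), and a TTLS request with only the Start flag set, after which the trace shows no further packet from the client. The decoder below is an added example, not part of the original post and not FreeRADIUS code; it follows RFC 3748 for the EAP header, Identity, Nak and MD5-Challenge layouts and RFC 5216 / RFC 5281 for the EAP-TLS / EAP-TTLS flag byte. The sample trace is constructed from the EAP-Message lines quoted in the post, and the `diagnose` summary (which method the peer asked for, whether the trace ends with the server waiting on the peer) is this example's own reading aid.

```python
"""Decode EAP-Message attributes from a FreeRADIUS debug (-X) trace.

Added example, not part of the original mailing-list post and not FreeRADIUS
code. Header and type layouts follow RFC 3748; the flag byte of the TLS-based
methods follows RFC 5216 (EAP-TLS) / RFC 5281 (EAP-TTLS). The sample trace is
constructed from the EAP-Message lines quoted in the post.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
# Flag bits in the first data byte of EAP-TLS / EAP-TTLS / PEAP packets.
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # Length-included, More, Start


def decode_eap(hexstr):
    """Parse one EAP packet given as the 0x... string FreeRADIUS prints."""
    raw = bytes.fromhex(hexstr[2:] if hexstr[:2].lower() == "0x" else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "type": None,
           "identity": None, "nak_types": [], "challenge": None, "flags": ""}
    # Only Request/Response carry a type byte; Success/Failure are header-only.
    if code in (1, 2) and len(raw) > 4:
        etype, data = raw[4], raw[5:]
        msg["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:                       # Identity: data is the bare user name
            msg["identity"] = data.decode("ascii", "replace")
        elif etype == 3:                     # Nak: each data byte is a desired type
            msg["nak_types"] = [EAP_TYPES.get(b, b) for b in data]
        elif etype == 4:                     # MD5-Challenge: value-size, then value
            vsize = data[0]
            msg["challenge"] = data[1:1 + vsize].hex()
        elif etype in (13, 21, 25) and data: # TLS-based methods: first byte is flags
            msg["flags"] = "".join(name for bit, name in TLS_FLAGS if data[0] & bit)
    return msg


EAP_LINE = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")


def extract_eap_messages(trace):
    """Decode every EAP-Message attribute found in a debug trace, in order."""
    return [decode_eap(m.group(1)) for m in EAP_LINE.finditer(trace)]


def diagnose(messages):
    """Summarise the negotiation: which method(s) the peer asked for via Nak,
    and whether the trace ends with a server Start request still unanswered."""
    requested = [t for m in messages if m["type"] == "Nak" for t in m["nak_types"]]
    last = messages[-1] if messages else None
    waiting = bool(last and last["code"] == "Request" and "S" in last["flags"])
    return {"peer_requested": requested,
            "last_type": last["type"] if last else None,
            "server_waiting_for_peer": waiting}


# Constructed sample: the four EAP-Message lines from the trace in the post.
SAMPLE_TRACE = """\
        EAP-Message = 0x0200000c01616e6472656173
        EAP-Message = 0x010100160410627ca484105a5653ea83eec8c11115b0
        EAP-Message = 0x020100060315
        EAP-Message = 0x010200061520
"""

if __name__ == "__main__":
    decoded = extract_eap_messages(SAMPLE_TRACE)
    for m in decoded:
        print(m)
    print(diagnose(decoded))
```

Run against the sample, the decoder reports the Nak asking for TTLS and a final TTLS request with flags "S", which is the point at which a supplicant configured for EAP-TLS with a client certificate would be expected to answer differently than one configured for TTLS. Pointing the script at a full `radiusd -X` capture instead of the constructed sample works the same way, since it only looks at the EAP-Message lines.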