No luck connecting from a ZyXEL NWA3160-N AP

Erich Titl erich.titl at think.ch
Fri Nov 2 15:56:46 CET 2012


Hi everybody

I am running a freshly compiled
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Oct 31
2012 at 16:56:00
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.

authenticating against a MySQL database appears to work fine using radtest

luna:/usr/local/etc/raddb # radtest test 1234 localhost 1812 testing123
Sending Access-Request of id 104 to 127.0.0.1 port 1812
        User-Name = "test"
        User-Password = "1234"
        NAS-IP-Address = 194.124.158.51
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=104,
length=20

I connected a ZyXEL NWA 3160-N (latest Firmware), generated a
certificate request, signed it using XCA and reimported it on the AP. I
also installed a certificate signed by the same CA in the
..../raddb/certs directory and of course the CA cert to be able to
verify the client cert.

If I try now to connect to the AP using the same credentials as before,
I am getting the following in the output of radiusd -X

....
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        CA_path = "/usr/local/etc/raddb/certs"
        pem_file_type = yes
        private_key_file = "/usr/local/etc/raddb/certs/luna.think.ch.key"
        certificate_file = "/usr/local/etc/raddb/certs/luna.think.ch.pem"
        CA_file = "/usr/local/etc/raddb/certs/Think_CA.pem"
        private_key_password = ""
        dh_file = "/usr/local/etc/raddb/certs/dh"
        random_file = "/usr/local/etc/raddb/certs/random"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        ecdh_curve = "prime256v1"
    cache {
        enable = no
        lifetime = 24
        max_entries = 255
    }

.....
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 194.124.158.62 port 59115
        EAP-Message = 0x0102001604106133379bfac030f9a2efcf9a2e3e9641
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0c2c33890c2e3790fae8bf762d1a9802
Finished request 0.
Waking up in 4.9 seconds.
Going to the next request
rad_recv: Access-Request packet from host 194.124.158.62 port 59115,
id=8, length=162
        User-Name = "test"
        NAS-Port = 0
        Called-Station-Id = "50-67-F0-38-A9-E5:ZyXEL"
        Vendor-Specific = 0x000000000402
        Calling-Station-Id = "74-F0-6D-07-9B-91"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 0Mbps 802.11"
        EAP-Message = 0x020200060319
        State = 0x0c2c33890c2e3790fae8bf762d1a9802
        Message-Authenticator = 0x2ad76dbb03af18776e0c10b36df81895
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
......
......
......
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
.....

There appears to be something wrong with the client certificate passed
by the AP in the EAP conversation. I double-checked the certificates and
googled my fingers raw on this.

This is the server cert

luna:/usr/local/etc/raddb/certs # openssl x509 -in luna.think.ch.pem
-noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 29 (0x1d)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
        Validity
            Not Before: Nov  2 00:00:00 2012 GMT
            Not After : Sep 14 23:59:59 2014 GMT
        Subject: C=CH, L=Stallikon, O=THINK, OU=Mail Service,
CN=luna.think.ch
....

and the client cert

luna:/usr/local/etc/raddb/certs # openssl x509 -in 194.124.158.62.pem
-noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 28 (0x1c)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
        Validity
            Not Before: Nov  1 00:00:00 2012 GMT
            Not After : Oct 31 23:59:59 2013 GMT
        Subject: C=CH, L=Stallikon, O=THINK, OU=AP, CN=194.124.158.62
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
.....

and the CA cert

luna:/usr/local/etc/raddb/certs # openssl x509 -in Think_CA.pem  -noout
-text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
        Validity
            Not Before: Sep 16 17:00:07 2004 GMT
            Not After : Sep 14 17:00:07 2014 GMT
        Subject: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
...

If you need the full output of radiusd, let me know.

Maybe someone can give me a push in the right direction.

Thanks

Erich Titl

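An added example, not part of the original post: a small parser for the TLS alert lines that rlm_eap writes in a radiusd -X transcript. In that trace, a line prefixed with "<<<" is a TLS record the RADIUS server read from the supplicant or NAS, and ">>>" is one it wrote, so the direction marker tells you which side generated the alert and therefore whose certificate that side could not validate. The sample transcript below is constructed from the lines quoted in the post; the alert descriptions and their meanings follow the TLS 1.2 alert definitions (RFC 5246, section 7.2), and the function names are my own.

```python
import re

# Constructed sample: debug lines modeled on the radiusd -X output quoted in the post.
SAMPLE_DEBUG = """\
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""

# Matches the rlm_eap record trace, e.g.
# "[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca"
ALERT_RE = re.compile(
    r"^\[(?P<module>[\w-]+)\]\s+(?P<dir><<<|>>>)\s+TLS\s+(?P<ver>[\d.]+)\s+Alert"
    r"\s+\[length\s+(?P<len>[0-9a-fA-F]+)\],\s+(?P<level>warning|fatal)\s+(?P<desc>\w+)$"
)

# What each alert says about the party that SENT it (RFC 5246, section 7.2).
ALERT_MEANING = {
    "unknown_ca": "the sender received a certificate chain it could not link to a CA it trusts",
    "bad_certificate": "the sender could not parse or verify the signature on a certificate it received",
    "certificate_unknown": "the sender rejected the certificate it received for an unspecified reason",
    "certificate_expired": "the sender considers the certificate it received expired or not yet valid",
    "handshake_failure": "the sender could not agree on acceptable security parameters",
}


def parse_tls_alerts(debug_text):
    """Return one record per TLS alert line found in a radiusd -X transcript.

    "<<<" marks a record the RADIUS server read from the peer (supplicant/NAS);
    ">>>" marks a record the server wrote to the peer.
    """
    alerts = []
    for line in debug_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        alerts.append({
            "module": m.group("module"),
            "sent_by": "peer" if m.group("dir") == "<<<" else "server",
            "tls_version": m.group("ver"),
            "level": m.group("level"),
            "description": m.group("desc"),
        })
    return alerts


def explain(alert):
    """One-line interpretation: which side raised the alert, and whose certificate it concerns."""
    sender = alert["sent_by"]
    other = "server" if sender == "peer" else "peer"
    meaning = ALERT_MEANING.get(alert["description"], "no interpretation on file")
    return (f"{alert['level']} {alert['description']} sent by the {sender}: {meaning}; "
            f"the certificate to re-check is the one the {other} presented")


def summarize(debug_text):
    """Explanations for every TLS alert in the transcript, in order of appearance."""
    return [explain(a) for a in parse_tls_alerts(debug_text)]


if __name__ == "__main__":
    for line in summarize(SAMPLE_DEBUG):
        print(line)
```

Run against the sample, the only alert is a fatal unknown_ca read from the peer, so the explanation points at the certificate the server presented (together with the CA the supplicant has been told to trust) rather than at the client certificate the server was about to read.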
