EAP-TLS certificate problem

Muhammad Nadeem mnadeem8327 at gmail.com
Tue Feb 19 15:16:55 CET 2013


On 2/19/13, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> On 19/02/13 09:11, Muhammad Nadeem wrote:
>> Hi, everybody
>> I have used the pre-shipped certificates of FreeRADIUS for testing
>> purposes. This testing succeeded with a test user 'bob', with files
>> authentication.
>> Now in the next step I want to authenticate a user from my database with
>> digital certificates. When I authenticate the user, the server side
>> confirms and sends an "Access-Accept" packet, but at the client the following
>> error occurs.
>> " No Message-Authenticator attribute found
>> Incoming RADIUS packet did not have correct Message-Authenticator -
>> dropped
>> STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0)
>> - dropping packet"
>>
>> I googled this problem and found a solution: the user's Auth-Type is
>> set to Accept (I manually checked the user in the database, and its
>> Auth-Type was Accept) and this type prevents further processing.
>
> Yes
>
>> Now my question is: could I continue EAP-TLS authentication
>> regardless of Auth-Type being set to Accept?
>
> No. Don't set Auth-Type unless you know what you're doing.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
OK, thanks.
I succeeded in authenticating the users from a database.
But when I set up the same setup on another machine, it failed :(
The following output is the debug output of the FreeRADIUS server. (I
think the EAP NAK is creating problems.)
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.112 port 35397,
id=0, length=132
        User-Name = "001AAD3F8165"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200001101303031414144334638313635
        Message-Authenticator = 0xebcf3f94a32bf89eaabf4be3b2ce493b
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[eap] EAP packet type response id 0 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 001AAD3F8165
[sql] sql_set_user escaped user --> '001AAD3F8165'
rlm_sql (sql): Reserving sql socket id: 9
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table
[sql]   expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in
(SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT
NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'127.0.0.1')
rlm_sql (sql): Released sql socket id: 9
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.0.112 port 35397
        Qos-Policing-Profile-Name := "128K_UL"
        Qos-Metering-Profile-Name := "512K_DL"
        Context-Name := "Postpaid-VR"
        DHCP-Max-Leases := 1
        Forward-Policy := "in:nonpayment_redirect_post"
        HTTP-Redirect-Profile-Name := "nonpayment_redirect"
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb13fd7b2b13eda2327535c6f1b5e461f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.112 port 35397,
id=1, length=139
        User-Name = "001AAD3F8165"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020100060300
        State = 0xb13fd7b2b13eda2327535c6f1b5e461f
        Message-Authenticator = 0x568912b7d14f9d2ed1a8cad6e4504182
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql]   expand: %{User-Name} -> 001AAD3F8165
[sql] sql_set_user escaped user --> '001AAD3F8165'
rlm_sql (sql): Reserving sql socket id: 8
[sql]   expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op
FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS
USERNAME,'Auth-Type' AS Attribute,
AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM
dual ORDER BY RC_ID
[sql] User found in radcheck table
[sql]   expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in
(SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE,
RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT
PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION =
upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT
NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS =
'127.0.0.1')
rlm_sql (sql): Released sql socket id: 8
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = Accept
Found Auth-Type = EAP
Warning:  Found 2 auth-types on request for user '001AAD3F8165'
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[sql]   expand: %{User-Name} -> 001AAD3F8165
[sql] sql_set_user escaped user --> '001AAD3F8165'
++[sql] returns noop
[attr_filter.access_reject]     expand: %{User-Name} -> 001AAD3F8165
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 1 to 192.168.0.112 port 35397
        EAP-Message = 0x04010004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 0 with timestamp +7
Waking up in 0.9 seconds.
Cleaning up request 1 ID 1 with timestamp +7
Ready to process requests.
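As an added illustration (not code from the original post or from FreeRADIUS itself), the following Python decodes the four EAP-Message values that appear in the debug output above and shows what the server means by "NAK asked for bad type 0": the supplicant answers the EAP-TLS Start with a Nak whose desired-type list is just 0, i.e. it accepts none of the offered methods. The packet layout follows RFC 3748 (EAP header, Identity, Nak) and RFC 5216 (EAP-TLS flags octet); the EXCHANGE list is constructed from the values on the page.

```python
import binascii

# Added example (not from the post): decode the EAP-Message attribute values
# shown in the debug output, per RFC 3748 (EAP) and RFC 5216 (EAP-TLS flags).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def decode_eap(hexstr):
    """Parse one EAP packet as carried in a RADIUS EAP-Message attribute."""
    pkt = binascii.unhexlify(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(pkt) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes on the wire")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a type octet
        typ, data = pkt[4], pkt[5:]
        out["type"] = EAP_TYPES.get(typ, typ)
        if typ == 1:    # Identity: payload is the peer's name (here a MAC address)
            out["identity"] = data.decode("ascii", "replace")
        elif typ == 3:  # Nak: payload lists types the peer would accept; 0 = none
            out["wanted"] = [EAP_TYPES.get(b, b) for b in data]
            out["none_acceptable"] = data == b"\x00"
        elif typ == 13 and data:  # EAP-TLS: flags octet L(0x80) M(0x40) S(0x20)
            out["tls_start"] = bool(data[0] & 0x20)
            out["tls_more"] = bool(data[0] & 0x40)
    return out


def diagnose(exchange):
    """Walk (direction, EAP-Message) pairs and explain the first Nak seen."""
    offered = None
    for direction, hexstr in exchange:
        p = decode_eap(hexstr)
        if direction == "server" and p.get("tls_start"):
            offered = p["type"]
        elif direction == "client" and p.get("type") == "Nak":
            if p["none_acceptable"]:
                return f"client refused {offered} and offered no alternative"
            return f"client refused {offered}, would accept {p['wanted']}"
    return "no Nak in exchange"


# Constructed from the four EAP-Message values in the debug output above.
EXCHANGE = [
    ("client", "0x0200001101303031414144334638313635"),  # Identity response, id 0
    ("server", "0x010100060d20"),                        # EAP-TLS Start, id 1
    ("client", "0x020100060300"),                        # Nak, desired type 0
    ("server", "0x04010004"),                            # EAP Failure, id 1
]
```

A Nak with desired type 0 in reply to an EAP-TLS Start is the supplicant declining the method, so the place to check on the second machine is the client's EAP configuration rather than the server's certificates.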


More information about the Freeradius-Users mailing list