troubles with eap-peap mschapv2

Bertrand Poulet bertrand.poulet at pasteur-lille.fr
Mon Mar 11 16:38:11 CET 2013


Hi all,


I am trying to migrate from FreeRADIUS 1.1.6 (Mandrake)
to FreeRADIUS 2.2.0 (from source) on Ubuntu 12.04.

The same supplicant and the same AP work with the old FR,
but not with the new FR 2.2.0.


What I've done:

I've installed with ./configure; make; make install
root at myhost:/usr/local/etc/raddb/certs# make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+.................+........................................................................+........................................+...............................................................+.................................+...............+.......+...........................++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
......................................................................+++
..........................................................+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
                -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
-config ./ca.cnf
Generating a 2048 bit RSA private key
.................................+++
.............................................................................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key
`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt
-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Mar 11 13:18:05 2013 GMT
            Not After : Mar 11 13:18:05 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin at example.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Mar 11 13:18:05 2014 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 
-passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
-passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl verify -CAfile ca.pem server.pem
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
root at myhost:/usr/local/etc/raddb/certs# ll -tr
total 116
drwxr-xr-x 8 root root 4096 mars  11 14:10 ../
-rwxr-x--- 1 root root 2693 mars  11 14:10 bootstrap*
-rw-r----- 1 root root 4287 mars  11 14:10 Makefile
-rw-r----- 1 root root 7847 mars  11 14:10 README
-rw-r----- 1 root root  578 mars  11 14:10 xpextensions
-rw-r----- 1 root root 1289 mars  11 14:10 ca.cnf
-rw-r----- 1 root root 1124 mars  11 14:10 server.cnf
-rw-r----- 1 root root 1102 mars  11 14:10 client.cnf
-rw-r--r-- 1 root root    3 mars  11 14:18 serial.old
-rw-r--r-- 1 root root    0 mars  11 14:18 index.txt.old
-rw-r--r-- 1 root root  245 mars  11 14:18 dh
-rw-r--r-- 1 root root 5120 mars  11 14:18 random
-rw-r--r-- 1 root root 1834 mars  11 14:18 server.key
-rw-r--r-- 1 root root 1062 mars  11 14:18 server.csr
-rw-r--r-- 1 root root 1675 mars  11 14:18 ca.pem
-rw-r--r-- 1 root root 1834 mars  11 14:18 ca.key
-rw-r--r-- 1 root root 4212 mars  11 14:18 server.crt
-rw-r--r-- 1 root root    3 mars  11 14:18 serial
-rw-r--r-- 1 root root   21 mars  11 14:18 index.txt.attr
-rw-r--r-- 1 root root  120 mars  11 14:18 index.txt
-rw-r--r-- 1 root root 4212 mars  11 14:18 01.pem
-rw-r--r-- 1 root root 2533 mars  11 14:18 server.p12
-rw-r--r-- 1 root root 3586 mars  11 14:18 server.pem
-rw-r--r-- 1 root root 1195 mars  11 14:18 ca.der
drwxr-x--- 2 root root 4096 mars  11 14:18 ./



I got this known problem of certificates (default).
freeradius -XXX
....
Mon Mar 11 16:35:47 2013 : Debug:  Module: Instantiating eap-tls
Mon Mar 11 16:35:47 2013 : Debug:    tls {
Mon Mar 11 16:35:47 2013 : Debug:       rsa_key_exchange = no
Mon Mar 11 16:35:47 2013 : Debug:       dh_key_exchange = yes
Mon Mar 11 16:35:47 2013 : Debug:       rsa_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug:       dh_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug:       verify_depth = 0
Mon Mar 11 16:35:47 2013 : Debug:       CA_path =
"/usr/local/etc/raddb/certs"
Mon Mar 11 16:35:47 2013 : Debug:       pem_file_type = yes
Mon Mar 11 16:35:47 2013 : Debug:       private_key_file =
"/usr/local/etc/raddb/certs/server.pem"
Mon Mar 11 16:35:47 2013 : Debug:       certificate_file =
"/usr/local/etc/raddb/certs/server.pem"
Mon Mar 11 16:35:47 2013 : Debug:       CA_file =
"/usr/local/etc/raddb/certs/ca.pem"
Mon Mar 11 16:35:47 2013 : Debug:       private_key_password = "whatever"
Mon Mar 11 16:35:47 2013 : Debug:       dh_file =
"/usr/local/etc/raddb/certs/dh"
Mon Mar 11 16:35:47 2013 : Debug:       random_file =
"/usr/local/etc/raddb/certs/random"
Mon Mar 11 16:35:47 2013 : Debug:       fragment_size = 1024
Mon Mar 11 16:35:47 2013 : Debug:       include_length = yes
Mon Mar 11 16:35:47 2013 : Debug:       check_crl = no
Mon Mar 11 16:35:47 2013 : Debug:       cipher_list = "DEFAULT"
Mon Mar 11 16:35:47 2013 : Debug:       ecdh_curve = "prime256v1"
....
Sending Access-Challenge of id 202 to 172.20.100.53 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9ee5af279ee6b6b6ef02d416f50f62d3
Mon Mar 11 15:59:05 2013 : Info: Finished request 0.
Mon Mar 11 15:59:05 2013 : Debug: Going to the next request
Mon Mar 11 15:59:05 2013 : Debug: Waking up in 4.9 seconds.
Mon Mar 11 15:59:10 2013 : Info: Cleaning up request 0 ID 202 with
timestamp +8
Mon Mar 11 15:59:10 2013 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mon Mar 11 15:59:10 2013 : Debug: WARNING: !! EAP session for state
0x9ee5af279ee6b6b6 did not finish!
Mon Mar 11 15:59:10 2013 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Mon Mar 11 15:59:10 2013 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mon Mar 11 15:59:10 2013 : Info: Ready to process requests.
....

The supplicant: Windows 7, with no certificates validated, with PEAP,
EAP-MSCHAPv2.

What's wrong?
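The debug output quoted in this post can be triaged mechanically. The script below is an added example, not code from the post or from the FreeRADIUS project: it reads `freeradius -X`-style lines (a constructed sample built from the values shown above, with an assumed `}` closing the tls block), extracts the eap-tls `tls { ... }` settings, decodes the EAP-Message bytes of the Access-Challenge (header per RFC 3748, plus the L/M/S flags octet of the TLS-based methods), and pairs each "EAP session ... did not finish" warning with the challenge that opened it, using the 8-byte State prefix the warning prints. The line shapes and regular expressions are assumptions about 2.x debug output.

```python
import re

# Constructed sample in the shape of the freeradius -X output quoted above
# (values copied from the post; the `}` closing the tls block is assumed).
SAMPLE_LOG = """\
Mon Mar 11 16:35:47 2013 : Debug:  Module: Instantiating eap-tls
Mon Mar 11 16:35:47 2013 : Debug:    tls {
Mon Mar 11 16:35:47 2013 : Debug:       rsa_key_exchange = no
Mon Mar 11 16:35:47 2013 : Debug:       dh_key_exchange = yes
Mon Mar 11 16:35:47 2013 : Debug:       rsa_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug:       dh_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug:       verify_depth = 0
Mon Mar 11 16:35:47 2013 : Debug:       CA_file = "/usr/local/etc/raddb/certs/ca.pem"
Mon Mar 11 16:35:47 2013 : Debug:       certificate_file = "/usr/local/etc/raddb/certs/server.pem"
Mon Mar 11 16:35:47 2013 : Debug:       check_crl = no
Mon Mar 11 16:35:47 2013 : Debug:       cipher_list = "DEFAULT"
Mon Mar 11 16:35:47 2013 : Debug:     }
Sending Access-Challenge of id 202 to 172.20.100.53 port 1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9ee5af279ee6b6b6ef02d416f50f62d3
Mon Mar 11 15:59:10 2013 : Info: Cleaning up request 0 ID 202 with timestamp +8
Mon Mar 11 15:59:10 2013 : Debug: WARNING: !! EAP session for state 0x9ee5af279ee6b6b6 did not finish!
Mon Mar 11 15:59:10 2013 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_BASED = {13, 21, 25}  # methods whose first payload byte is a flags octet (L/M/S)

TLS_OPEN = re.compile(r"Debug:\s+tls \{")
TLS_CLOSE = re.compile(r"Debug:\s+\}\s*$")
TLS_LINE = re.compile(r"Debug:\s+(\w+)\s*=\s*(.*)$")
CHALLENGE = re.compile(r"Sending Access-Challenge of id (\d+) to (\S+) port (\d+)")
EAP_LINE = re.compile(r"EAP-Message = (0x[0-9a-f]+)", re.I)
STATE_LINE = re.compile(r"^\s*State = 0x([0-9a-f]+)", re.I)
UNFINISHED = re.compile(r"EAP session for state 0x([0-9a-f]+) did not finish", re.I)


def decode_eap_message(hexstr):
    """Decode the 4-byte EAP header and, for TLS-based methods, the flags octet."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    info = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1], "length": length}
    if raw[0] in (1, 2) and length >= 5:          # only Request/Response carry a type
        eap_type = raw[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type in TLS_BASED and length >= 6:
            flags = raw[5]
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            info["version"] = flags & 0x07         # PEAP/TTLS keep the version in the low bits
    return info


def parse_tls_config(lines):
    """Collect key = value pairs printed inside the eap-tls `tls { ... }` block.
    A value left on the following line (as in a line-wrapped mail) is picked up too."""
    cfg, inside, pending = {}, False, None
    for line in lines:
        if not inside:
            inside = bool(TLS_OPEN.search(line))
            continue
        if TLS_CLOSE.search(line):
            break
        if pending is not None:                    # wrapped value on its own line
            cfg[pending], pending = line.strip().strip('"'), None
            continue
        m = TLS_LINE.search(line)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if val == "":
                pending = key
            else:
                cfg[key] = val.strip('"')
    return cfg


def find_unfinished_sessions(lines):
    """Pair each 'did not finish' warning with the Access-Challenge that created its State."""
    challenges, current, unfinished = {}, None, []
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            current = {"id": int(m.group(1)), "client": m.group(2)}
            continue
        if current is not None:
            m = EAP_LINE.search(line)
            if m:
                current["eap"] = decode_eap_message(m.group(1))
                continue
            m = STATE_LINE.search(line)
            if m:
                challenges[m.group(1).lower()] = current
                current = None
                continue
        m = UNFINISHED.search(line)
        if m:
            unfinished.append(m.group(1).lower())
    # the warning prints only the first 8 bytes of the State, so match on the prefix
    return [{"state_prefix": p,
             "challenge": next((c for s, c in challenges.items() if s.startswith(p)), None)}
            for p in unfinished]


def triage(log_text):
    lines = log_text.splitlines()
    cfg, sessions, notes = parse_tls_config(lines), find_unfinished_sessions(lines), []
    for key in ("rsa_key_length", "dh_key_length"):
        if cfg.get(key, "").isdigit() and int(cfg[key]) < 1024:
            notes.append(f"{key} = {cfg[key]}: export-grade ephemeral key size")
    for s in sessions:
        ch = s["challenge"]
        if ch is None:
            notes.append(f"state {s['state_prefix']}: no matching Access-Challenge in log")
        elif ch.get("eap", {}).get("flags", {}).get("S"):
            notes.append(f"state {s['state_prefix']}: server sent {ch['eap']['type']} Start to "
                         f"{ch['client']} and the session expired before the TLS handshake began")
    return {"tls": cfg, "unfinished": sessions, "notes": notes}


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG)["notes"]:
        print(note)
```

On the post's own bytes the decoder reports `0x010300061920` as an EAP Request, id 3, length 6, type 25 (PEAP) with the S (Start) flag set and version 0; the only thing the server ever sent in that session was the PEAP Start, so the supplicant never began the TLS handshake, which is what the Certificate_Compatibility warning is pointing at.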

