Version 3.0.4 Centos 7 EAP-TLS : EAP failure
John Teasley
ollieteasley at gmail.com
Sun Feb 7 03:22:08 CET 2016
Hello,
Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see the results below. I really appreciate the help. Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is.
SERVER DEBUG : ( listing DEBUG AFTER server came up using radiusd -X )
Received Access-Request Id 0 from 127.0.0.1:52104 to 127.0.0.1:1812 length 140
User-Name = 'user@example.org'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x020000150175736572406578616d706c652e6f7267
Message-Authenticator = 0xbd9fa940f7dd27fd9abc4aa6e9bd9615
(0) Received Access-Request packet from host 127.0.0.1 port 52104, id=0, length=140
(0) User-Name = 'user@example.org'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(0) Message-Authenticator = 0xbd9fa940f7dd27fd9abc4aa6e9bd9615
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "example.org" for User-Name = "user@example.org"
(0) suffix : Found realm "example.org"
(0) suffix : Adding Stripped-User-Name = "user"
(0) suffix : Adding Realm = "example.org"
(0) suffix : Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap : Peer sent code Response (2) ID 0 length 21
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_md5 to process EAP data
(0) eap_md5 : Issuing MD5 Challenge
(0) eap : New EAP session, adding 'State' attribute to reply 0x4bf773f04bf67754
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 127.0.0.1 port 52104, id=0, length=0
(0) EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x4bf773f04bf67754734c0cd3aa7a1f2e
Sending Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:52104
EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4bf773f04bf67754734c0cd3aa7a1f2e
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 1 from 127.0.0.1:52104 to 127.0.0.1:1812 length 143
User-Name = 'user@example.org'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02010006030d
State = 0x4bf773f04bf67754734c0cd3aa7a1f2e
Message-Authenticator = 0xa16f90d8ae45de1cdf7f0d503d820a2e
(1) Received Access-Request packet from host 127.0.0.1 port 52104, id=1, length=143
(1) User-Name = 'user@example.org'
(1) NAS-IP-Address = 127.0.0.1
(1) Calling-Station-Id = '02-00-00-00-00-01'
(1) Framed-MTU = 1400
(1) NAS-Port-Type = Wireless-802.11
(1) Connect-Info = 'CONNECT 11Mbps 802.11b'
(1) EAP-Message = 0x02010006030d
(1) State = 0x4bf773f04bf67754734c0cd3aa7a1f2e
(1) Message-Authenticator = 0xa16f90d8ae45de1cdf7f0d503d820a2e
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) filter_username filter_username {
(1) if (!&User-Name)
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /)
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ )
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\\.\\./ )
(1) if (&User-Name =~ /\\.\\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\\.$/)
(1) if (&User-Name =~ /\\.$/) -> FALSE
(1) if (&User-Name =~ /@\\./)
(1) if (&User-Name =~ /@\\./) -> FALSE
(1) } # filter_username filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix : Checking for suffix after "@"
(1) suffix : Looking up realm "example.org" for User-Name = "user@example.org"
(1) suffix : Found realm "example.org"
(1) suffix : Adding Stripped-User-Name = "user"
(1) suffix : Adding Realm = "example.org"
(1) suffix : Authentication realm is LOCAL
(1) [suffix] = ok
(1) eap : Peer sent code Response (2) ID 1 length 6
(1) eap : No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(1) WARNING: pap : Authentication will fail unless a "known good" password is available
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap : Expiring EAP session with state 0x4bf773f04bf67754
(1) eap : Finished EAP session with state 0x4bf773f04bf67754
(1) eap : Previous EAP request found for state 0x4bf773f04bf67754, released from the list
(1) eap : Peer sent method NAK (3)
(1) eap : Found mutually acceptable type TLS (13)
(1) eap : Calling eap_tls to process EAP data
(1) eap_tls : Flushing SSL sessions (of #0)
(1) eap_tls : Requiring client certificate
(1) eap_tls : Initiate
(1) eap_tls : Requiring client certificate
(1) eap_tls : Start returned 1
(1) eap : New EAP session, adding 'State' attribute to reply 0x4bf773f04af57e54
(1) [eap] = handled
(1) } # authenticate = handled
(1) Sending Access-Challenge packet to host 127.0.0.1 port 52104, id=1, length=0
(1) EAP-Message = 0x010200060d20
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0x4bf773f04af57e54734c0cd3aa7a1f2e
Sending Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:52104
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4bf773f04af57e54734c0cd3aa7a1f2e
(1) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 2 from 127.0.0.1:52104 to 127.0.0.1:1812 length 143
User-Name = 'user@example.org'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x020200060300
State = 0x4bf773f04af57e54734c0cd3aa7a1f2e
Message-Authenticator = 0xb1da50c5d4bdd5bb67f32dec997d2d3a
(2) Received Access-Request packet from host 127.0.0.1 port 52104, id=2, length=143
(2) User-Name = 'user@example.org'
(2) NAS-IP-Address = 127.0.0.1
(2) Calling-Station-Id = '02-00-00-00-00-01'
(2) Framed-MTU = 1400
(2) NAS-Port-Type = Wireless-802.11
(2) Connect-Info = 'CONNECT 11Mbps 802.11b'
(2) EAP-Message = 0x020200060300
(2) State = 0x4bf773f04af57e54734c0cd3aa7a1f2e
(2) Message-Authenticator = 0xb1da50c5d4bdd5bb67f32dec997d2d3a
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2) authorize {
(2) filter_username filter_username {
(2) if (!&User-Name)
(2) if (!&User-Name) -> FALSE
(2) if (&User-Name =~ / /)
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@.*@/ )
(2) if (&User-Name =~ /@.*@/ ) -> FALSE
(2) if (&User-Name =~ /\\.\\./ )
(2) if (&User-Name =~ /\\.\\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\\.$/)
(2) if (&User-Name =~ /\\.$/) -> FALSE
(2) if (&User-Name =~ /@\\./)
(2) if (&User-Name =~ /@\\./) -> FALSE
(2) } # filter_username filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix : Checking for suffix after "@"
(2) suffix : Looking up realm "example.org" for User-Name = "user@example.org"
(2) suffix : Found realm "example.org"
(2) suffix : Adding Stripped-User-Name = "user"
(2) suffix : Adding Realm = "example.org"
(2) suffix : Authentication realm is LOCAL
(2) [suffix] = ok
(2) eap : Peer sent code Response (2) ID 2 length 6
(2) eap : No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) [files] = noop
(2) [expiration] = noop
(2) [logintime] = noop
(2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type
(2) WARNING: pap : Authentication will fail unless a "known good" password is available
(2) [pap] = noop
(2) } # authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) authenticate {
(2) eap : Expiring EAP session with state 0x4bf773f04af57e54
(2) eap : Finished EAP session with state 0x4bf773f04af57e54
(2) eap : Previous EAP request found for state 0x4bf773f04af57e54, released from the list
(2) eap : Peer sent method NAK (3)
(2) eap : Peer NAK'd indicating it is not willing to continue
(2) eap : Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2) Post-Auth-Type REJECT {
(2) attr_filter.access_reject : EXPAND %{User-Name}
(2) attr_filter.access_reject : --> user@example.org
(2) attr_filter.access_reject : Matched entry DEFAULT at line 11
(2) [attr_filter.access_reject] = updated
(2) eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(2) [eap] = noop
(2) remove_reply_message_if_eap remove_reply_message_if_eap {
(2) if (&reply:EAP-Message && &reply:Reply-Message)
(2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(2) else else {
(2) [noop] = noop
(2) } # else else = noop
(2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(2) } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(2) Sending delayed response
(2) Sending Access-Reject packet to host 127.0.0.1 port 52104, id=2, length=0
(2) EAP-Message = 0x04020004
(2) Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 2 from 127.0.0.1:1812 to 127.0.0.1:52104
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 0 with timestamp +22
(1) Cleaning up request packet ID 1 with timestamp +22
(2) Cleaning up request packet ID 2 with timestamp +22
Ready to process requests
EAPOL_TEST OUTPUT :
eapol_test -c /root/eapol_tls_test.tls -A127.0.0.1 -a127.0.0.1 -p1812 -stesting123 -r1
Reading configuration file '/root/eapol_tls_test.tls'
Line: 1 - start of a new network block
ssid - hexdump_ascii(len=9):
54 45 53 54 2d 53 53 49 44 TEST-SSID
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00
eapol_flags=0 (0x0)
key_mgmt: 0x1
identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org
ca_cert - hexdump_ascii(len=24):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 63 61 5f 2e 70 65 6d /ca_.pem
client_cert - hexdump_ascii(len=25):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 75 73 65 72 2e 70 65 6d /user.pem
private_key - hexdump_ascii(len=27):
2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs
2f 63 6c 69 65 6e 74 2e 6b 65 79 /client.key
private_key_passwd - hexdump_ascii(len=8):
77 68 61 74 65 76 65 72 whatever
eapol_flags=3 (0x3)
Priority group 0
id=0 ssid='TEST-SSID'
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:52104
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=16):
75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=21)
TX EAP -> RADIUS - hexdump(len=21): 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=140
Attribute 1 (User-Name) length=18
Value: 'user@example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=23
Value: 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67
Attribute 80 (Message-Authenticator) length=18
Value: bd 9f a9 40 f7 dd 27 fd 9a bc 4a a6 e9 bd 96 15
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 80 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
Attribute 79 (EAP-Message) length=24
Value: 01 01 00 16 04 10 6c a3 1f 73 7c 07 bb a5 01 ae 81 9f a3 ff fc 2f
Attribute 80 (Message-Authenticator) length=18
Value: f2 bf 89 14 05 06 6f 04 17 5e 85 a8 0d 5f db b0
Attribute 24 (State) length=18
Value: 4b f7 73 f0 4b f6 77 54 73 4c 0c d3 aa 7a 1f 2e
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server:
EAP-Request-MD5 (4)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: configuration does not allow: vendor 0 method 4
EAP: vendor 0 method 4 not allowed
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK
EAP: Status notification: refuse proposed method (param=MD5)
EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=1): 0d
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 0d
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=143
Attribute 1 (User-Name) length=18
Value: 'user@example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02 01 00 06 03 0d
Attribute 24 (State) length=18
Value: 4b f7 73 f0 4b f6 77 54 73 4c 0c d3 aa 7a 1f 2e
Attribute 80 (Message-Authenticator) length=18
Value: a1 6f 90 d8 ae 45 de 1c df 7f 0d 50 3d 82 0a 2e
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 64 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=64
Attribute 79 (EAP-Message) length=8
Value: 01 02 00 06 0d 20
Attribute 80 (Message-Authenticator) length=18
Value: 46 0f 99 22 0c 12 9d 9d 15 b2 62 54 73 a2 1e 80
Attribute 24 (State) length=18
Value: 4b f7 73 f0 4a f5 7e 54 73 4c 0c d3 aa 7a 1f 2e
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server:
EAP-Request-TLS (13)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
EAP: Status notification: accept proposed method (param=TLS)
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: using phase1 config options
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file
OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory
OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib
TLS: Failed to set TLS connection parameters
ENGINE: engine deinit
EAP-TLS: Failed to initialize SSL.
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
EAP: allowed methods - hexdump(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=6)
TX EAP -> RADIUS - hexdump(len=6): 02 02 00 06 03 00
Encapsulating EAP message into a RADIUS packet
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=2 length=143
Attribute 1 (User-Name) length=18
Value: 'user@example.org'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=8
Value: 02 02 00 06 03 00
Attribute 24 (State) length=18
Value: 4b f7 73 f0 4a f5 7e 54 73 4c 0c d3 aa 7a 1f 2e
Attribute 80 (Message-Authenticator) length=18
Value: b1 da 50 c5 d4 bd d5 bb 67 f3 2d ec 99 7d 2d 3a
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=2 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 02 00 04
Attribute 80 (Message-Authenticator) length=18
Value: fc 84 e6 2f ec ab 4f 8b 78 0d a8 32 37 03 18 99
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=2 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAPOL: EAP key not available
EAPOL: EAP key not available
MPPE keys OK: 0 mismatch: 2
FAILURE
EAPOL_CONFIG :
cat /root/eapol_tls_test.tls
network={
ssid="TEST-SSID"
eap=TLS
eapol_flags=0
key_mgmt=WPA-EAP
identity="user@example.org"
ca_cert="/etc/raddb/certs/ca_.pem"
client_cert="/etc/raddb/certs/user.pem"
private_key="/etc/raddb/certs/client.key"
private_key_passwd="whatever"
eapol_flags=3
}
Ollie Teasley
Linux Administrator
ISMELL.SHOES, LLC
On Sat, Feb 6, 2016 at 8:09 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Feb 6, 2016, at 8:45 PM, John Teasley <ollieteasley at gmail.com> wrote:
> > I have been trying to get freeRADIUS Version 3.0.4 working with EAP-TLS for a while now.
>
> Please don't. 3.0.11 was released recently. There are few reasons to
> use a version which is years out of date.
>
> > I was able to get PAP working using the guide at http://deployingradius.com/documents/configuration/pap.html. However, getting EAP-TLS to work has been a pain.
>
> 3.0.11 has a sample config for eapol_test in src/tests/eap-tls.conf. It
> should pretty much work.
>
> > In my case I used the freeradius as installed by yum from the repos. Before doing the guide at the link posted below I built the certs in /etc/raddb/certs using make. No changes have been made to the .cnf files in the certs directory since this was a test. The eapol_test config is also posted below.
>
> OK.
>
> > I have used radius as installed on pfsense in the past. However, I now wish to have a standalone host to take care of this. I have spent 3 days trying to get this to work. I am at a complete loss as to what is wrong or how to even find out at this point. I have already run radius with radius -XX and am not seeing anything that I know how to change. I would greatly appreciate some help on this. The settings I have used are EXACTLY what is listed in the links.
>
> That's good...
>
> > eapol_test configuration :
> >
> > network={
> > ssid="TEST-SSID"
> > eap=TLS
> > eapol_flags=0
> > key_mgmt=WPA-EAP
> > identity="user@example.com"
>
> Which is the problem. If you read the debug output, you'll see it proxying requests. You probably don't want to do that.
> >
> > (0) suffix : Looking up realm "example.com" for User-Name = "user@example.com"
> > (0) suffix : Found realm "example.com"
> > (0) suffix : Adding Stripped-User-Name = "user"
> > (0) suffix : Adding Realm = "example.com"
> > (0) suffix : Proxying request from user user to realm example.com
> > (0) suffix : Preparing to proxy authentication request to realm "example.com"
> > (0) [suffix] = updated
> > (0) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
>
> Which is the issue.
>
> Change the eapol_test config file to use example.org, and edit proxy.conf to add:
>
> realm example.org {
> }
>
> Which says it's a local realm, and not to be proxied.
>
> This change is also available in 3.0.11, which is one reason why we suggest using the latest versions.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
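The six EAP-Message values in the radiusd -X output above tell the whole story once they are decoded: the server answers the Identity response with an MD5-Challenge (its configured default method), the supplicant Naks asking for TLS (type 13), the server sends a TLS Start (flags 0x20), and the supplicant then Naks again with desired type 0, which is the peer saying it will not continue with anything. That last Nak is what radiusd reports as "Peer NAK'd indicating it is not willing to continue", and the eapol_test output shows why it was sent: OpenSSL could not open the ca_cert path (fopen: No such file or directory), so EAP-TLS never initialized on the client side. The following decoder is an added example written for this page; it is not code from the post, from FreeRADIUS or from wpa_supplicant. It uses only the Python standard library and the RFC 3748 packet layout, and the sample lines are the EAP-Message values copied from the debug output above.

```python
import re

# EAP-Message values copied from the radiusd -X output quoted above, in wire order.
SAMPLE_LOG = """
(0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(0) EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f
(1) EAP-Message = 0x02010006030d
(1) EAP-Message = 0x010200060d20
(2) EAP-Message = 0x020200060300
(2) EAP-Message = 0x04020004
"""

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}


def decode_eap(pkt: bytes) -> dict:
    """Decode one EAP packet: the RFC 3748 header plus the method-specific part."""
    if len(pkt) < 4:
        raise ValueError("EAP header is 4 octets; got %d" % len(pkt))
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"Length field {length} disagrees with {len(pkt)} octets on the wire")
    msg = {"code": CODES.get(code, code), "id": ident, "len": length}
    if code in (3, 4):                      # Success/Failure carry no Type octet
        return msg
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    typ, data = pkt[4], pkt[5:]
    msg["type"] = TYPES.get(typ, typ)
    if typ == 1:                            # Identity: the NAI as UTF-8
        msg["identity"] = data.decode("utf-8", "replace")
    elif typ == 3:                          # Nak: types the peer is willing to use
        msg["desired"] = ["none" if b == 0 else TYPES.get(b, b) for b in data]
        # An empty list or a single 0 means "no acceptable method": the peer gives up.
        msg["gives_up"] = data in (b"", b"\x00")
    elif typ == 4:                          # MD5-Challenge: Value-Size, Value, Name
        size = data[0]
        msg["challenge"] = data[1:1 + size].hex()
    elif typ in (13, 21, 25):               # TLS-based methods: Flags octet first
        flags = data[0]
        msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    return msg


def decode_log(text: str) -> list:
    """Pull every 'EAP-Message = 0x...' value out of a radiusd -X transcript and decode it."""
    return [decode_eap(bytes.fromhex(m.group(1)))
            for m in re.finditer(r"EAP-Message\s*=\s*0x([0-9a-fA-F]+)", text)]


def diagnose(msgs: list) -> str:
    """A Nak with no desired type is the peer refusing; name the method it refused."""
    for i, m in enumerate(msgs):
        if m.get("type") == "Nak" and m.get("gives_up"):
            refused = msgs[i - 1].get("type", "?") if i else "?"
            return f"peer refused {refused} with no alternative: look at the supplicant log, not server policy"
    return "no terminal Nak in this conversation"


if __name__ == "__main__":
    decoded = decode_log(SAMPLE_LOG)
    for m in decoded:
        print(m)
    print(diagnose(decoded))
```

Decoding the Identity response also recovers the literal NAI (user@example.org) that the list archive mangles in the text, which is handy when checking that the realm the supplicant sends is the one proxy.conf declares local.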
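Before pointing eapol_test at a server it is worth linting the network block itself: the one posted above sets eapol_flags twice (the eapol_test output confirms it parses 0 and then 3, and the last value wins), stores the private-key passphrase in cleartext, and names a ca_cert file that OpenSSL then fails to open. The preflight below is an added example written for this page, not code from the post, from FreeRADIUS or from wpa_supplicant. The sample block is the one posted above with the '@' in the identity restored; the `exists` argument stands in for the filesystem so it can be exercised offline, and `local_realms` is an assumption: the caller passes the realms that proxy.conf declares local (the `realm example.org { }` stanza from the reply above), since the linter does not read proxy.conf itself.

```python
import os
import re

# The network block from the post above (constructed copy, '@' restored).
SAMPLE_CONFIG = '''
network={
ssid="TEST-SSID"
eap=TLS
eapol_flags=0
key_mgmt=WPA-EAP
identity="user@example.org"
ca_cert="/etc/raddb/certs/ca_.pem"
client_cert="/etc/raddb/certs/user.pem"
private_key="/etc/raddb/certs/client.key"
private_key_passwd="whatever"
eapol_flags=3
}
'''

# Files an EAP-TLS supplicant must be able to open before it will even start the handshake.
TLS_FILES = ("ca_cert", "client_cert", "private_key")


def parse_network(text: str) -> list:
    """Return the key=value pairs inside the first network={...} block, in file order."""
    m = re.search(r"network\s*=\s*\{(.*?)\}", text, re.S)
    if not m:
        raise ValueError("no network={...} block found")
    pairs = []
    for raw in m.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def lint_network(text: str, exists=os.path.exists, local_realms=()) -> list:
    """Preflight an eapol_test network block and return human-readable findings."""
    findings = []
    seen = {}
    for key, val in parse_network(text):
        if key in seen and seen[key] != val:
            findings.append(f"{key} set twice ({seen[key]!r} then {val!r}); eapol_test uses the last value")
        seen[key] = val

    if seen.get("eap") == "TLS":
        for key in TLS_FILES:
            path = seen.get(key)
            if path is None:
                findings.append(f"{key} is missing but eap=TLS needs it")
            elif not exists(path):
                # This is what produces "fopen:No such file or directory" in the
                # supplicant log, followed by an EAP-Nak with no acceptable method.
                findings.append(f"{key} points at {path!r}, which does not exist")

    if "private_key_passwd" in seen:
        findings.append("private_key_passwd is stored in cleartext; keep the config file mode 0600")

    # Assumption: local_realms is what proxy.conf declares with 'realm X { }'.
    identity = seen.get("identity", "")
    if "@" in identity and local_realms:
        realm = identity.rsplit("@", 1)[1]
        if realm not in local_realms:
            findings.append(f"realm {realm!r} is not declared local; FreeRADIUS will try to proxy it")
    return findings


if __name__ == "__main__":
    for finding in lint_network(SAMPLE_CONFIG, local_realms=("example.org",)):
        print("-", finding)
```

Run against the real filesystem (the default `exists`), the ca_cert finding is the one to act on first: until all three TLS files open, the supplicant will Nak the server's TLS Start no matter how radiusd is configured.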