Upgrade 2.1 to 2.2 and EAP-TLS Problem

Oliver Werner oliver.werner at kontrast.de
Wed Mar 23 10:21:57 CET 2016


Hi,

I will test upgrading my FreeRADIUS 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie).

So my configured sites for MAC authentication and the sql module look like they are working right now.

But I have also configured an EAP-TLS site where I can't auth anymore.

My eap.conf:
eap eapcert {
	default_eap_type = tls
	timer_expire     = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096

	tls {
		certdir = ${confdir}/certs
		cadir = ${certdir}/ca
		CA_file = ${cadir}/cacert.crt

		# Freeradius01
		private_key_password = <secret>
		private_key_file = ${certdir}/Freeradius.pem
		certificate_file = ${certdir}/Freeradius.pem

		dh_file = ${certdir}/dh
		random_file = ${certdir}/random
		fragment_size = 1024
		include_length = yes
		check_cert_cn = %{User-Name}
		cipher_list = "DEFAULT"
		check_crl = yes
		crl_file = ${cadir}/cacrl.pem
		CA_path = ${cadir}
		rsa_key_length = 1024
		rsa_key_exchange = yes
		virtual_server = "kontrast"

		cache {
			enable = no
			lifetime = 24h
			max_entries = 255
		}

		verify {
		}
	}
}


And my sites-enabled/kontrast looks like:

server kontrast {
	listen {
		ipaddr = *
		port = 1810
		type = auth
		virtual_server = kontrast
	}

	authorize {
		eapcert {
			ok = return
		}
	}

	authenticate {
		eapcert
	}

	post-auth {
	}
}


In version 2.2 I got an error here:

+group authorize {
[eapcert] EAP packet type response id 241 length 6
[eapcert] No EAP Start, assuming it's an on-going EAP conversation
++[eapcert] = updated
+} # group authorize = updated
Found Auth-Type = eapcert
# Executing group from file /etc/freeradius/sites-enabled/kontrast
+group authenticate {
rlm_eap: No EAP session matching the State variable.
[eapcert] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eapcert] Failed in handler
++[eapcert] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
[tls] } # server kontrast
[tls] Certifictes were rejected by the virtual server
[eapcert] Handler failed in EAP/tls
[eapcert] Failed in EAP select
++[eapcert] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
} # server kontrast
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 4 to 192.168.10.167 port 39133
	EAP-Message = 0x04f10004
	Message-Authenticator = 0x0



Does anyone have an idea?

Kind regards


OLIVER WERNER
System-Administrator




Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany

Fon  +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>

Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist

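Reading the debug output in the message above: the lines "[tls] } # server kontrast" followed by "[tls] Certifictes were rejected by the virtual server" show the EAP-TLS certificate-verification pass (the virtual_server setting inside the tls block of eap.conf) being run through the same kontrast server that terminates the EAP conversation. That server's authorize and authenticate sections call eapcert a second time on the verification request, which carries no matching EAP State, so the eap module fails and the certificate is treated as rejected. The configuration below is an added example and not part of the original message: it points virtual_server at a dedicated verification-only server that inspects the TLS-Client-Cert-* attributes and never invokes the eap module. The server name check-eap-tls is an assumption, and the CN comparison only mirrors the check_cert_cn = %{User-Name} setting already present in the posted eap.conf.

```unlang
# eap.conf, inside the tls { ... } block of "eap eapcert": send the
# certificate check to a separate server instead of back into "kontrast".
# (added example; "check-eap-tls" is an assumed server name)
virtual_server = "check-eap-tls"

# sites-enabled/check-eap-tls: a verification-only server. It is called
# once per EAP-TLS handshake with the TLS-Client-Cert-* attributes of the
# presented certificate and must NOT call the eap module. Chain, CA_file,
# CA_path and CRL validation have already been done by OpenSSL at this point;
# this server only decides whether the already-valid certificate is allowed.
server check-eap-tls {
	authorize {
		# Refuse if no client certificate attributes arrived at all.
		if (!TLS-Client-Cert-Common-Name) {
			reject
		}

		# Mirror the existing check_cert_cn = %{User-Name} setting:
		# the certificate CN must equal the outer EAP identity.
		if ("%{TLS-Client-Cert-Common-Name}" != "%{User-Name}") {
			reject
		}

		# Everything checked out: tell the eap module to accept the cert.
		update control {
			Auth-Type := Accept
		}
	}
}
```

With this in place the kontrast server keeps its current authorize and authenticate sections unchanged; only the certificate check moves out of it. In the debug output the nested "server kontrast" block inside the TLS handshake should then appear as "server check-eap-tls" instead, and the "No EAP session matching the State variable" error on that inner request should disappear. The cache and verify sections of the tls block, as well as check_crl and the CA settings, are left exactly as posted.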
