eap-tls, debug
Miha
miha at softnet.si
Tue Jul 18 13:23:42 CEST 2017
Hello
I would kindly ask you for a little help regarding TLS, as I do not know
how to debug this and whether this is OK.
I have enabled TLS under EAP (before it was MD5) and I have added the CA.
Here I am pasting the log from FreeRADIUS. Is this OK or not? :)
Ready to process requests
(0) Received Access-Request Id 15 from 172.31.1.120:1812 to 172.31.1.124:1812 length 92
(0) NAS-IP-Address = 172.31.1.120
(0) NAS-Port = 50022
(0) NAS-Port-Type = Ethernet
(0) User-Name = "y"
(0) Calling-Station-Id = "00-90-33-46-04-AD"
(0) Service-Type = Framed-User
(0) EAP-Message = 0x020400060179
(0) Message-Authenticator = 0x605db39095dcdbe2e0b5efc1ada118f1
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (!&User-Name) {
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ ) {
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "y", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 4 length 6
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Flushing SSL sessions (of #0)
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 5 length 6
(0) eap: EAP session adding &reply:State = 0xfba9e51efbace8c4
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found. Ignoring.
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) Sent Access-Challenge Id 15 from 172.31.1.124:1812 to 172.31.1.120:1812 length 0
(0) EAP-Message = 0x010500060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xfba9e51efbace8c410d4292907198e26
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 16 from 172.31.1.120:1812 to 172.31.1.124:1812 length 164
(1) NAS-IP-Address = 172.31.1.120
(1) NAS-Port = 50022
(1) NAS-Port-Type = Ethernet
(1) User-Name = "y"
(1) Calling-Station-Id = "00-90-33-46-04-AD"
(1) Service-Type = Framed-User
(1) State = 0xfba9e51efbace8c410d4292907198e26
(1) EAP-Message = 0x0205003c0d0016030100310100002d030200002534152332c149557c927d87c699b1ba10d7e5ec5b4b1a1ea5f64e50f0d70000060035002f000a0100
(1) Message-Authenticator = 0x26446079a357c5cedc89cf1c8c2c6d7b
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (!&User-Name) {
(1) if (!&User-Name) -> FALSE
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@.*@/ ) {
(1) if (&User-Name =~ /@.*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "y", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 5 length 60
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xfba9e51efbace8c4
(1) eap: Finished EAP session with state 0xfba9e51efbace8c4
(1) eap: Previous EAP request found for state 0xfba9e51efbace8c4, released from the list
(1) eap: Peer sent packet with method EAP TLS (13)
(1) eap: Calling submodule eap_tls to process data
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (54 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (54 bytes), does not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before/accept initialization
(1) eap_tls: TLS_accept: before/accept initialization
(1) eap_tls: <<< UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_tls: <<< TLS 1.1 [length 0031]
(1) eap_tls: TLS_accept: SSLv3 read client hello A
(1) eap_tls: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_tls: >>> TLS 1.1 [length 004a]
(1) eap_tls: TLS_accept: SSLv3 write server hello A
(1) eap_tls: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_tls: >>> TLS 1.1 [length 03e8]
(1) eap_tls: TLS_accept: SSLv3 write certificate A
(1) eap_tls: >>> UNKNOWN TLS VERSION ?0000? [length 0005]
(1) eap_tls: >>> TLS 1.1 [length 006a]
(1) eap_tls: TLS_accept: SSLv3 write certificate request A
(1) eap_tls: TLS_accept: SSLv3 flush data
(1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(1) eap_tls: In SSL Handshake Phase
(1) eap_tls: In SSL Accept mode
(1) eap_tls: [eaptls process] = handled
(1) eap: Sending EAP Request (code 1) ID 6 length 1004
(1) eap: EAP session adding &reply:State = 0xfba9e51efaafe8c4
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found. Ignoring.
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1) Sent Access-Challenge Id 16 from 172.31.1.124:1812 to 172.31.1.120:1812 length 0
(1) EAP-Message = 0x010603ec0dc0000004ab160302004a02000046030258004f0a64cff924337d9ed0f500fb5489194fc4fbaa32a0d311de2ab53251002077853703cfefd060585ada2b1ccce810bce4905b2744bd062170f5c8e84e8aa000350016030203e80b0003e40003e10003de308203da308202c2a0030201020201
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xfba9e51efaafe8c410d4292907198e26
(1) Finished request
Waking up in 4.9 seconds.
Thanks so much!
miha
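Added example, not code from the original post or from FreeRADIUS: a small decoder for the EAP-Message hex values that the debug log prints, using the two values from the log above as its sample input. It splits each value into the EAP header (code, identifier, length, type), the EAP-TLS flags byte, the optional 4-byte TLS message length and the TLS record headers that follow. On the log's own data it shows that request (1) carries flags 0x00, so no length field precedes the 54-byte ClientHello record, which is the 0-byte "indicated TLS record length" the warning in that request refers to, and that reply (1) sets the L and M bits with a total TLS length of 1195 bytes, its first fragment carrying the ServerHello and the start of the Certificate message. The reply value is decoded as pasted, which stops after 119 bytes although its EAP header announces 1004; the paste itself ends with the server waiting for the client certificate it requested, so the outcome of the handshake is not in the log shown.

```python
"""Decode the EAP-Message hex values printed in a FreeRADIUS EAP-TLS debug log."""
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

# Sample input copied from the log above: the EAP-Message of request (1) (the
# supplicant's ClientHello) and the first EAP-Message of reply (1) as pasted,
# which stops after 119 bytes although its EAP header announces 1004.
CLIENT_HELLO_HEX = ("0x0205003c0d0016030100310100002d030200002534152332c149557c927d87c699b1b"
                    "a10d7e5ec5b4b1a1ea5f64e50f0d70000060035002f000a0100")
SERVER_HELLO_HEX = ("0x010603ec0dc0000004ab160302004a02000046030258004f0a64cff924337d9ed0f50"
                    "0fb5489194fc4fbaa32a0d311de2ab53251002077853703cfefd060585ada2b1ccce810"
                    "bce4905b2744bd062170f5c8e84e8aa000350016030203e80b0003e40003e10003de308"
                    "203da308202c2a0030201020201")


@dataclass
class EapMessage:
    code: str
    identifier: int
    length: int                          # length announced in the EAP header
    eap_type: str = "(none)"
    flags_len: bool = False              # L bit: 4-byte TLS message length follows
    flags_more: bool = False             # M bit: more fragments follow
    flags_start: bool = False            # S bit: EAP-TLS Start
    tls_total_length: Optional[int] = None
    fragment_bytes: int = 0              # TLS bytes actually carried here
    tls_records: List[str] = field(default_factory=list)


def _version(b: bytes) -> str:
    return TLS_VERSIONS.get((b[0], b[1]), f"version {b[0]}.{b[1]}")


def decode_eap_message(hex_value: str) -> EapMessage:
    """Parse one EAP-Message attribute value as printed by radiusd -X."""
    raw = hex_value.strip()
    data = bytes.fromhex(raw[2:] if raw.lower().startswith("0x") else raw)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code = data[0]
    msg = EapMessage(EAP_CODES.get(code, f"code {code}"), data[1], int.from_bytes(data[2:4], "big"))
    if code not in (1, 2) or len(data) < 5:
        return msg                       # Success/Failure carry no type byte
    msg.eap_type = EAP_TYPES.get(data[4], f"type {data[4]}")
    if data[4] != 13 or len(data) < 6:
        return msg                       # only EAP-TLS has the flags byte
    flags = data[5]
    msg.flags_len = bool(flags & 0x80)
    msg.flags_more = bool(flags & 0x40)
    msg.flags_start = bool(flags & 0x20)
    body = data[6:]
    if msg.flags_len and len(body) >= 4:
        msg.tls_total_length = int.from_bytes(body[:4], "big")
        body = body[4:]
    msg.fragment_bytes = len(body)
    # Walk the TLS record headers in this fragment. The last record may run
    # past the fragment (or past a truncated paste), so only headers are read
    # and the walk stops as soon as no complete 5-byte header is left.
    pos = 0
    while pos + 5 <= len(body):
        ctype = body[pos]
        rlen = int.from_bytes(body[pos + 3:pos + 5], "big")
        desc = f"{TLS_CONTENT.get(ctype, 'type ' + str(ctype))} {_version(body[pos + 1:pos + 3])} length {rlen}"
        if ctype == 22 and pos + 6 <= len(body):
            htype = body[pos + 5]
            detail = HANDSHAKE.get(htype, f"handshake type {htype}")
            if htype in (1, 2) and pos + 11 <= len(body):   # hellos carry their own version
                detail += f", {_version(body[pos + 9:pos + 11])}"
            desc += f" ({detail})"
        msg.tls_records.append(desc)
        pos += 5 + rlen
    return msg


def summarize(msg: EapMessage) -> str:
    """One-line EAP summary plus the TLS records seen, for reading next to the log."""
    flags = "".join(c for c, on in (("L", msg.flags_len), ("M", msg.flags_more), ("S", msg.flags_start)) if on) or "-"
    lines = [f"EAP {msg.code} id={msg.identifier} len={msg.length} type={msg.eap_type} flags={flags}"]
    if msg.eap_type == "EAP-TLS":
        total = "absent (no L bit)" if msg.tls_total_length is None else str(msg.tls_total_length)
        lines.append(f"  TLS length field: {total}; TLS bytes in this fragment: {msg.fragment_bytes}")
        lines += [f"  record: {r}" for r in msg.tls_records]
    return "\n".join(lines)


if __name__ == "__main__":
    for name, value in (("request (1)", CLIENT_HELLO_HEX), ("reply (1)", SERVER_HELLO_HEX)):
        print(f"--- {name}")
        print(summarize(decode_eap_message(value)))
```

Run it directly to print both messages, or pass any other EAP-Message value from radiusd -X to decode_eap_message(). The record-layer version and the version inside a hello are reported separately because they can differ, as they do in this ClientHello (TLS 1.0 in the record header, TLS 1.1 inside the hello); the EAP-TLS Start packet of reply (0), 0x010500060d20, decodes to flags S with no TLS data, which is what "[eaptls start] = request" in the log corresponds to.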