<span class="gmail_quote"></span>Hi <br>
<br>
I'm trying to setup a freeradius server, to be able to authenticate
some handheld devices (Intermec 2415). The auth protocol supported by
the handheld is EAP-TTLS. <br>
I've Debian Sarge, and I compiled my self freeradius 1.0.5 with openssl-0.9.7e.<br>
(my compilation options ./configure
--with-openssl-includes=/usr/include
--with-openssl-libraries=/usr/lib/ssl -disable-shared -sysconfdir=/etc
--prefix=/usr/local )<br>
<br>
I got the certificates from Intermec for the server and the cacert. <br>
<br>
I cannot authenticate with the radius, I got this error when the handheld try to auth : <br>
<br>
Wed Feb 15 15:27:42 2006 : Info: Ready to process requests.<br>
Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A<br>
Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message<br>
<br>
However, if I enable the radius inside the access point, the handheld
can authenticate. This tells me that the handheld has been configured
properly. <br>
<br>
What is missing in my freeradius config ?<br>
<br>
Thanks in advance<br>
<br>
Johan <br>
<br>
<br>
<br>
The detailed debug log (radiusd -X)<br>
<br>
Starting - reading configuration files ...<br>
reread_config: reading radiusd.conf<br>
Config: including file: /etc/raddb/proxy.conf<br>
Config: including file: /etc/raddb/clients.conf<br>
Config: including file: /etc/raddb/snmp.conf<br>
Config: including file: /etc/raddb/eap.conf<br>
Config: including file: /etc/raddb/sql.conf<br>
main: prefix = "/usr"<br>
main: localstatedir = "/var"<br>
main: logdir = "/var/log/radius"<br>
main: libdir = "/usr/lib"<br>
main: radacctdir = "/var/log/radius/radacct"<br>
main: hostname_lookups = no<br>
main: max_request_time = 30<br>
main: cleanup_delay = 5<br>
main: max_requests = 1024<br>
main: delete_blocked_requests = 0<br>
main: port = 0<br>
main: allow_core_dumps = no<br>
main: log_stripped_names = yes<br>
main: log_file = "/var/log/radius/radius.log"<br>
main: log_auth = yes<br>
main: log_auth_badpass = yes<br>
main: log_auth_goodpass = yes<br>
main: pidfile = "/var/run/radiusd/radiusd.pid"<br>
main: user = "(null)"<br>
main: group = "(null)"<br>
main: usercollide = no<br>
main: lower_user = "no"<br>
main: lower_pass = "no"<br>
main: nospace_user = "no"<br>
main: nospace_pass = "no"<br>
main: checkrad = "/usr/sbin/checkrad"<br>
main: proxy_requests = yes<br>
proxy: retry_delay = 5<br>
proxy: retry_count = 3<br>
proxy: synchronous = no<br>
proxy: default_fallback = yes<br>
proxy: dead_time = 120<br>
proxy: post_proxy_authorize = yes<br>
proxy: wake_all_if_all_dead = no<br>
security: max_attributes = 200<br>
security: reject_delay = 1<br>
security: status_server = no<br>
main: debug_level = 0<br>
read_config_files: reading dictionary<br>
read_config_files: reading naslist<br>
Using deprecated naslist file. Support for this will go away soon.<br>
read_config_files: reading clients<br>
read_config_files: reading realms<br>
radiusd: entering modules setup<br>
Module: Library search path is /usr/lib<br>
Module: Loaded exec<br>
exec: wait = yes<br>
exec: program = "(null)"<br>
exec: input_pairs = "request"<br>
exec: output_pairs = "(null)"<br>
exec: packet_type = "(null)"<br>
rlm_exec: Wait=yes but no output defined. Did you mean output=none?<br>
Module: Instantiated exec (exec)<br>
Module: Loaded expr<br>
Module: Instantiated expr (expr)<br>
Module: Loaded PAP<br>
pap: encryption_scheme = "crypt"<br>
Module: Instantiated pap (pap)<br>
Module: Loaded CHAP<br>
Module: Instantiated chap (chap)<br>
Module: Loaded MS-CHAP<br>
mschap: use_mppe = yes<br>
mschap: require_encryption = no<br>
mschap: require_strong = no<br>
mschap: with_ntdomain_hack = no<br>
mschap: passwd = "(null)"<br>
mschap: authtype = "MS-CHAPv2"<br>
mschap: ntlm_auth = "(null)"<br>
Module: Instantiated mschap (mschap)<br>
Module: Loaded System<br>
unix: cache = no<br>
unix: passwd = "(null)"<br>
unix: shadow = "(null)"<br>
unix: group = "(null)"<br>
unix: radwtmp = "/var/log/radius/radwtmp"<br>
unix: usegroup = no<br>
unix: cache_reload = 600<br>
Module: Instantiated unix (unix)<br>
Module: Loaded eap<br>
eap: default_eap_type = "ttls"<br>
eap: timer_expire = 60<br>
eap: ignore_unknown_eap_types = no<br>
eap: cisco_accounting_username_bug = no<br>
rlm_eap: Loaded and initialized type md5<br>
rlm_eap: Loaded and initialized type leap<br>
gtc: challenge = "Password: "<br>
gtc: auth_type = "PAP"<br>
rlm_eap: Loaded and initialized type gtc<br>
tls: rsa_key_exchange = no<br>
tls: dh_key_exchange = yes<br>
tls: rsa_key_length = 512<br>
tls: dh_key_length = 512<br>
tls: verify_depth = 0<br>
tls: CA_path = "(null)"<br>
tls: pem_file_type = yes<br>
tls: private_key_file = "/etc/raddb/certs/intermec/server.pem"<br>
tls: certificate_file = "/etc/raddb/certs/intermec/server.pem"<br>
tls: CA_file = "/etc/raddb/certs/intermec/cacert.cer"<br>
tls: private_key_password = "BigSecretPass"<br>
tls: dh_file = "/dev/null"<br>
tls: random_file = "/dev/urandom"<br>
tls: fragment_size = 1024<br>
tls: include_length = yes<br>
tls: check_crl = no<br>
tls: check_cert_cn = "(null)"<br>
rlm_eap: Loaded and initialized type tls<br>
ttls: default_eap_type = "mschapv2"<br>
ttls: copy_request_to_tunnel = no<br>
ttls: use_tunneled_reply = no<br>
rlm_eap: Loaded and initialized type ttls<br>
peap: default_eap_type = "mschapv2"<br>
peap: copy_request_to_tunnel = no<br>
peap: use_tunneled_reply = no<br>
peap: proxy_tunneled_request_as_eap = yes<br>
rlm_eap: Loaded and initialized type peap<br>
mschapv2: with_ntdomain_hack = no<br>
rlm_eap: Loaded and initialized type mschapv2<br>
Module: Instantiated eap (eap)<br>
Module: Loaded preprocess<br>
preprocess: huntgroups = "/etc/raddb/huntgroups"<br>
preprocess: hints = "/etc/raddb/hints"<br>
preprocess: with_ascend_hack = no<br>
preprocess: ascend_channels_per_line = 23<br>
preprocess: with_ntdomain_hack = no<br>
preprocess: with_specialix_jetstream_hack = no<br>
preprocess: with_cisco_vsa_hack = no<br>
Module: Instantiated preprocess (preprocess)<br>
Module: Loaded detail<br>
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"<br>
detail: detailperm = 384<br>
detail: dirperm = 493<br>
detail: locking = no<br>
Module: Instantiated detail (auth_log)<br>
Module: Loaded realm<br>
realm: format = "suffix"<br>
realm: delimiter = "@"<br>
realm: ignore_default = no<br>
realm: ignore_null = no<br>
Module: Instantiated realm (suffix)<br>
Module: Loaded files<br>
files: usersfile = "/etc/raddb/users"<br>
files: acctusersfile = "/etc/raddb/acct_users"<br>
files: preproxy_usersfile = "/etc/raddb/preproxy_users"<br>
files: compat = "no"<br>
Module: Instantiated files (files)<br>
Module: Loaded Acct-Unique-Session-Id<br>
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<br>
Module: Instantiated acct_unique (acct_unique)<br>
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<br>
detail: detailperm = 384<br>
detail: dirperm = 493<br>
detail: locking = no<br>
Module: Instantiated detail (detail)<br>
Module: Loaded radutmp<br>
radutmp: filename = "/var/log/radius/radutmp"<br>
radutmp: username = "%{User-Name}"<br>
radutmp: case_sensitive = yes<br>
radutmp: check_with_nas = yes<br>
radutmp: perm = 384<br>
radutmp: callerid = yes<br>
Module: Instantiated radutmp (radutmp)<br>
Listening on authentication *:1812<br>
Listening on accounting *:1813<br>
Ready to process requests.<br>
rad_recv: Access-Request packet from host <a href="http://192.168.0.1:1024" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1:1024</a>, id=6, length=134<br>
User-Name = "anonymous"<br>
NAS-IP-Address = <a href="http://192.168.0.1" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1</a><br>
Called-Station-Id = "00-10-40-01-90-09"<br>
NAS-Identifier = "31100100221"<br>
NAS-Port-Type = Wireless-802.11<br>
Framed-MTU = 1400<br>
Calling-Station-Id = "00-02-2d-3c-ef-79"<br>
EAP-Message = 0x0200000e01616e6f6e796d6f7573<br>
Message-Authenticator = 0x61efabf1e39ae3a5983e1b7c7ed39037<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 0<br>
modcall[authorize]: module "preprocess" returns ok for request 0<br>
radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216'<br>
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216<br>
modcall[authorize]: module "auth_log" returns ok for request 0<br>
modcall[authorize]: module "chap" returns noop for request 0<br>
modcall[authorize]: module "mschap" returns noop for request 0<br>
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 0<br>
rlm_eap: EAP packet type response id 0 length 14<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
modcall[authorize]: module "eap" returns updated for request 0<br>
modcall[authorize]: module "files" returns notfound for request 0<br>
modcall: group authorize returns updated for request 0<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 0<br>
rlm_eap: EAP Identity<br>
rlm_eap: processing type tls<br>
rlm_eap_tls: Initiate<br>
rlm_eap_tls: Start returned 1<br>
modcall[authenticate]: module "eap" returns handled for request 0<br>
modcall: group authenticate returns handled for request 0<br>
Sending Access-Challenge of id 6 to <a href="http://192.168.0.1:1024" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1:1024</a><br>
EAP-Message = 0x010100061520<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x8101bb02421a224e415fb643fd5a5a70<br>
Finished request 0<br>
Going to the next request<br>
--- Walking the entire request list ---<br>
Waking up in 6 seconds...<br>
--- Walking the entire request list ---<br>
Cleaning up request 0 ID 6 with timestamp 43f489f3<br>
Nothing to do. Sleeping until we see a request.<br>
rad_recv: Access-Request packet from host <a href="http://192.168.0.1:1024" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1:1024</a>, id=7, length=210<br>
State = 0x8101bb02421a224e415fb643fd5a5a70<br>
User-Name = "anonymous"<br>
NAS-IP-Address = <a href="http://192.168.0.1" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1</a><br>
Called-Station-Id = "00-10-40-01-90-09"<br>
NAS-Identifier = "31100100221"<br>
NAS-Port-Type = Wireless-802.11<br>
Framed-MTU = 1400<br>
Calling-Station-Id = "00-02-2d-3c-ef-79"<br>
EAP-Message =
0x020100481500160301003d01000039030143ea8be941bd45d21f3b9c251cd225b597150a6d8b46a8ff186ca6f97e3436e5000012000a000500040064006200600009000800030100<br>
Message-Authenticator = 0xd071d95101e82c9471633db7d877d373<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 1<br>
modcall[authorize]: module "preprocess" returns ok for request 1<br>
radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216'<br>
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216<br>
modcall[authorize]: module "auth_log" returns ok for request 1<br>
modcall[authorize]: module "chap" returns noop for request 1<br>
modcall[authorize]: module "mschap" returns noop for request 1<br>
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 1<br>
rlm_eap: EAP packet type response id 1 length 72<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
modcall[authorize]: module "eap" returns updated for request 1<br>
modcall[authorize]: module "files" returns notfound for request 1<br>
modcall: group authorize returns updated for request 1<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 1<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/ttls<br>
rlm_eap: processing type ttls<br>
rlm_eap_ttls: Authenticate<br>
rlm_eap_tls: processing TLS<br>
eaptls_verify returned 7<br>
rlm_eap_tls: Done initial handshake<br>
(other): before/accept initialization<br>
TLS_accept: before/accept initialization<br>
rlm_eap_tls: <<< TLS 1.0 Handshake [length 003d], ClientHello<br>
TLS_accept: SSLv3 read client hello A<br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello<br>
TLS_accept: SSLv3 write server hello A<br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0446], Certificate<br>
TLS_accept: SSLv3 write certificate A<br>
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<br>
TLS_accept: SSLv3 write server done A<br>
TLS_accept: SSLv3 flush data<br>
TLS_accept:error in SSLv3 read client certificate A<br>
In SSL Handshake Phase<br>
In SSL Accept mode<br>
eaptls_process returned 13<br>
modcall[authenticate]: module "eap" returns handled for request 1<br>
modcall: group authenticate returns handled for request 1<br>
Sending Access-Challenge of id 7 to <a href="http://192.168.0.1:1024" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1:1024</a><br>
EAP-Message =
0x0102040a15c0000004a3160301004a02000046030143f489f93df161b2e89390e55fd234535674a79034f30794cb9c234a4c5f40ca20390aa743f1124ba1362817c3efd596cb723cf00ba4e087e110a48a95aae24e27000a0016030104460b00044200043f00043c30820438308203a1a003020102020200d7300d06092a864886f70d01010505003081af310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b131453656375726974
<br>
EAP-Message =
0x7920456e67696e656572696e67312e302c060355040313254576657265747420496e7465726d65646961746520526f6f74204365727469666963617465301e170d3034313133303134313230355a170d3231313132363134313230355a308190310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b1314536563757269747920456e67696e656572696e67310f300d0603550403130644372d49544330819f300d06092a864886f70d
<br>
EAP-Message =
0x010101050003818d0030818902818100b211bc2380c6c9f07cc6f8e450d301f97eb9b5085f2d7b3d37e6f33e320f7c4becd44eb3e60d62b4e7bb9f9337c37e5840213d1f123937e45b061a14191891e9363386d4f014d4abecbaed6746e8dc9a125c2b3279547d975a033bf39aaa79ca2558b0d498db180620cdcde2f0b8cfa500e52c5c1378c0a6ff514531e9b2716d0203010001a382017e3082017a30090603551d1304023000300b0603551d0f0404030205e030270603551d250420301e06082b0601050507030306082b0601050507030206082b06010505070301302c06096086480186f842010d041f161d4f70656e53534c2047656e657261
<br>
EAP-Message =
0x746564204365727469666963617465301d0603551d0e04160414b7bbf4e9358908fc1b817d12dfb865725d5624053081e90603551d230481e13081de801427af545487c3c798e81afe4597a2b63ac07881f5a181c2a481bf3081bc310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b1314536563757269747920456e67696e656572696e67313b303906035504031332496e7465726d656320546563686e6f6c6f6769657320436f
<br>
EAP-Message = 0x72706f726174696f6e20526f6f742043657274696669<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0xd25d03bb73b96d7b492916c20bbf44c2<br>
Finished request 1<br>
Going to the next request<br>
--- Walking the entire request list ---<br>
Waking up in 6 seconds...<br>
rad_recv: Access-Request packet from host <a href="http://192.168.0.1:1024" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1:1024</a>, id=8, length=144<br>
State = 0xd25d03bb73b96d7b492916c20bbf44c2<br>
User-Name = "anonymous"<br>
NAS-IP-Address = <a href="http://192.168.0.1" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1</a><br>
Called-Station-Id = "00-10-40-01-90-09"<br>
NAS-Identifier = "31100100221"<br>
NAS-Port-Type = Wireless-802.11<br>
Framed-MTU = 1400<br>
Calling-Station-Id = "00-02-2d-3c-ef-79"<br>
EAP-Message = 0x020200061500<br>
Message-Authenticator = 0x32438ef113d8e8232b1ad69ffa9ef400<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 2<br>
modcall[authorize]: module "preprocess" returns ok for request 2<br>
radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216'<br>
rlm_detail:
/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216<br>
modcall[authorize]: module "auth_log" returns ok for request 2<br>
modcall[authorize]: module "chap" returns noop for request 2<br>
modcall[authorize]: module "mschap" returns noop for request 2<br>
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 2<br>
rlm_eap: EAP packet type response id 2 length 6<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
modcall[authorize]: module "eap" returns updated for request 2<br>
modcall[authorize]: module "files" returns notfound for request 2<br>
modcall: group authorize returns updated for request 2<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 2<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/ttls<br>
rlm_eap: processing type ttls<br>
rlm_eap_ttls: Authenticate<br>
rlm_eap_tls: processing TLS<br>
rlm_eap_tls: Received EAP-TLS ACK message<br>
rlm_eap_tls: ack handshake fragment handler<br>
eaptls_verify returned 1<br>
eaptls_process returned 13<br>
modcall[authenticate]: module "eap" returns handled for request 2<br>
modcall: group authenticate returns handled for request 2<br>
Sending Access-Challenge of id 8 to <a href="http://192.168.0.1:1024" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">192.168.0.1:1024</a><br>
EAP-Message =
0x010300ad1580000004a363617465820101300d06092a864886f70d01010505000381810017814c3dc897e685aee5e734509712728a2cf5d4cce575147bcc0f974af3477fbd8d202d1f173ac76c03925e6870be35567d27e84d8096458dad6b99cdcf66e6d5967e920a64e0a4dacb6cee087b3768725bae1784d29ad41311bfb9e4dc8ade93390fe481def6c25a60c3c3d1e883e024d279fc6cbbe3723af4a76cfc0c9d6c16030100040e000000
<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x8c3b86d02966b223e117138d5c1d946e<br>
Finished request 2<br>
Going to the next request<br>
Waking up in 6 seconds...<br>
--- Walking the entire request list ---<br>
Cleaning up request 1 ID 7 with timestamp 43f489f9<br>
Cleaning up request 2 ID 8 with timestamp 43f489f9<br>
Nothing to do. Sleeping until we see a request.<br>
<br>
<br>
My eap.conf <br>
<br>
eap {<br>
default_eap_type = ttls<br>
timer_expire = 60<br>
ignore_unknown_eap_types = no<br>
cisco_accounting_username_bug = no<br>
<br>
md5 {<br>
}<br>
<br>
leap {<br>
}<br>
<br>
gtc {<br>
#challenge = "Password: "<br>
#auth_type = PAP<br>
}<br>
<br>
tls {<br>
private_key_password = BigSecretPassword<br>
private_key_file =
${raddbdir}/certs/intermec/server.pem
<br>
certificate_file = ${raddbdir}/certs/intermec/server.pem<br>
CA_file = ${raddbdir}/certs/intermec/cacert.cer<br>
dh_file = /dev/null<br>
random_file = /dev/urandom<br>
fragment_size = 1024<br>
include_length = yes<br>
check_crl = no<br>
#check_cert_cn = %{User-Name}<br>
}<br>
ttls {<br>
default_eap_type = mschapv2<br>
#default_eap_type = md5<br>
copy_request_to_tunnel = no<br>
use_tunneled_reply = no<br>
}<br>
<br>
<br>
Users<br>
<br>
gun Auth-Type := EAP, User-Password := "gun123"<br>
<br>
<br>
<br>
<br>
<br>
<br>