<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><P>Hi Everyone,</P>
<P> </P>
<P>I am a newbie to Linux and recently I tried to implement a wireless connection with EAP-TLS encryption. I am using FreeRADIUS 1.1.7 installed on Red Hat Enterprise 4.<BR>Here I encountered problems that I can't solve alone, hence I need advice from the gurus on this forum.<BR>The problem is the client just can't get connected and keeps requesting.</P>
<P><BR>>/usr/src/sbin/radiusd -XA<BR>Starting - reading configuration files ...<BR>reread_config: reading radiusd.conf<BR>Config: including file: /usr/local/etc/raddb/proxy.conf<BR>Config: including file: /usr/local/etc/raddb/clients.conf<BR>Config: including file: /usr/local/etc/raddb/snmp.conf<BR>Config: including file: /usr/local/etc/raddb/eap.conf<BR>Config: including file: /usr/local/etc/raddb/sql.conf<BR>main: prefix = "/usr/local"<BR>main: localstatedir = "/usr/local/var"<BR>main: logdir = "/usr/local/var/log/radius"<BR>main: libdir = "/usr/local/lib"<BR>main: radacctdir = "/usr/local/var/log/radius/radacct"<BR>main: hostname_lookups = no<BR>main: max_request_time = 30<BR>main: cleanup_delay = 5<BR>main: max_requests = 1024<BR>main: delete_blocked_requests = 0<BR>main: port = 0<BR>main: allow_core_dumps = no<BR>main: log_stripped_names = yes<BR>main: log_file = "/usr/local/var/log/radius/radius.log"<BR>main: log_auth = yes<BR>main:
log_auth_badpass = no<BR>main: log_auth_goodpass = no<BR>main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"<BR>main: user = "(null)"<BR>main: group = "(null)"<BR>main: usercollide = no<BR>main: lower_user = "no"<BR>main: lower_pass = "no"<BR>main: nospace_user = "no"<BR>main: nospace_pass = "no"<BR>main: checkrad = "/usr/local/sbin/checkrad"<BR>main: proxy_requests = yes<BR>proxy: retry_delay = 5<BR>proxy: retry_count = 3<BR>proxy: synchronous = no<BR>proxy: default_fallback = yes<BR>proxy: dead_time = 120<BR>proxy: post_proxy_authorize = no<BR>proxy: wake_all_if_all_dead = no<BR>security: max_attributes = 200<BR>security: reject_delay = 1<BR>security: status_server = no<BR>main: debug_level = 0<BR>read_config_files: reading dictionary<BR>read_config_files: reading naslist<BR>Using deprecated naslist file. Support for this will go away soon.<BR>read_config_files: reading clients<BR>read_config_files: reading realms<BR>radiusd: entering modules
setup<BR>Module: Library search path is /usr/local/lib<BR>Module: Loaded exec<BR>exec: wait = yes<BR>exec: program = "(null)"<BR>exec: input_pairs = "request"<BR>exec: output_pairs = "(null)"<BR>exec: packet_type = "(null)"<BR>rlm_exec: Wait=yes but no output defined. Did you mean output=none?<BR>Module: Instantiated exec (exec)<BR>Module: Loaded expr<BR>Module: Instantiated expr (expr)<BR>Module: Loaded PAP<BR>pap: encryption_scheme = "crypt"<BR>pap: auto_header = yes<BR>Module: Instantiated pap (pap)<BR>Module: Loaded CHAP<BR>Module: Instantiated chap (chap)<BR>Module: Loaded MS-CHAP<BR>mschap: use_mppe = yes<BR>mschap: require_encryption = no<BR>mschap: require_strong = no<BR>mschap: with_ntdomain_hack = no<BR>mschap: passwd = "(null)"<BR>mschap: ntlm_auth = "(null)"<BR>Module: Instantiated mschap (mschap)<BR>Module: Loaded System<BR>unix: cache = no<BR>unix: passwd = "(null)"<BR>unix: shadow = "(null)"<BR>unix: group = "(null)"<BR>unix: radwtmp =
"/usr/local/var/log/radius/radwtmp"<BR>unix: usegroup = no<BR>unix: cache_reload = 600<BR>Module: Instantiated unix (unix)<BR>Module: Loaded eap<BR>eap: default_eap_type = "tls"<BR>eap: timer_expire = 60<BR>eap: ignore_unknown_eap_types = no<BR>eap: cisco_accounting_username_bug = no<BR>rlm_eap: Loaded and initialized type md5<BR>rlm_eap: Loaded and initialized type leap<BR>gtc: challenge = "Password: "<BR>gtc: auth_type = "PAP"<BR>rlm_eap: Loaded and initialized type gtc<BR>tls: rsa_key_exchange = no<BR>tls: dh_key_exchange = yes<BR>tls: rsa_key_length = 512<BR>tls: dh_key_length = 512<BR>tls: verify_depth = 0<BR>tls: CA_path = "(null)"<BR>tls: pem_file_type = yes<BR>tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"<BR>tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"<BR>tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"<BR>tls: private_key_password = "whatever"<BR>tls: dh_file =
"/usr/local/etc/raddb/certs/dh"<BR>tls: random_file = "/usr/local/etc/raddb/certs/random"<BR>tls: fragment_size = 1024<BR>tls: include_length = yes<BR>tls: check_crl = no<BR>tls: check_cert_cn = "(null)"<BR>tls: cipher_list = "(null)"<BR>tls: check_cert_issuer = "(null)"<BR>rlm_eap_tls: Loading the certificate file as a chain<BR>rlm_eap: Loaded and initialized type tls<BR>mschapv2: with_ntdomain_hack = no<BR>rlm_eap: Loaded and initialized type mschapv2<BR>Module: Instantiated eap (eap)<BR>Module: Loaded preprocess<BR>preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"<BR>preprocess: hints = "/usr/local/etc/raddb/hints"<BR>preprocess: with_ascend_hack = no<BR>preprocess: ascend_channels_per_line = 23<BR>preprocess: with_ntdomain_hack = no<BR>preprocess: with_specialix_jetstream_hack = no<BR>preprocess: with_cisco_vsa_hack = no<BR>preprocess: with_alvarion_vsa_hack = no<BR>Module: Instantiated preprocess (preprocess)<BR>Module: Loaded
realm<BR>realm: format = "suffix"<BR>realm: delimiter = "@"<BR>realm: ignore_default = no<BR>realm: ignore_null = no<BR>Module: Instantiated realm (suffix)<BR>Module: Loaded files<BR>files: usersfile = "/usr/local/etc/raddb/users"<BR>files: acctusersfile = "/usr/local/etc/raddb/acct_users"<BR>files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"<BR>files: compat = "no"<BR>Module: Instantiated files (files)<BR>Module: Loaded Acct-Unique-Session-Id<BR>acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"<BR>Module: Instantiated acct_unique (acct_unique)<BR>Module: Loaded detail<BR>detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"<BR>detail: detailperm = 384<BR>detail: dirperm = 493<BR>detail: locking = no<BR>Module: Instantiated detail (detail)<BR>Module: Loaded radutmp<BR>radutmp: filename = "/usr/local/var/log/radius/radutmp"<BR>radutmp: username =
"%{User-Name}"<BR>radutmp: case_sensitive = yes<BR>radutmp: check_with_nas = yes<BR>radutmp: perm = 384<BR>radutmp: callerid = yes<BR>Module: Instantiated radutmp (radutmp)<BR>Listening on authentication *:1812<BR>Listening on accounting *:1813<BR>Ready to process requests.</P>
<P>......<BR>rad_recv: Access-Request packet from host 192.168.0.206:1025, id=15, length=249<BR>User-Name = "mars1.marsindo.com"<BR>NAS-IP-Address = 0.0.0.0<BR>Framed-MTU = 1488<BR>Called-Station-Id = "00:30:1a:29:03:66"<BR>Calling-Station-Id = "00:1c:f0:10:56:b8"<BR>NAS-Port-Type = Wireless-802.11<BR>NAS-Identifier = "127.0.0.1"<BR>Connect-Info = "CONNECT 11Mbps 802.11b"<BR>State = 0x67f83a14e00c0fa21121d8a0b508daa7<BR>EAP-Message = 0x020200500d800000004616030100410100003d030148231c14867403f94c4d0185bb9c07d8f12ad07bf1980b9c9266979afcf15cc500001600040005000a000900640062000300060013001200630100<BR>Message-Authenticator = 0xc493a17418b8010257a94b90bff667f1<BR>Processing the authorize section of radiusd.conf<BR>modcall: entering group authorize for request 5<BR>modcall[authorize]: module "preprocess" returns ok for request 5<BR>modcall[authorize]: module "chap" returns noop for request 5<BR>modcall[authorize]: module "mschap" returns noop for request
5<BR>rlm_realm: No '@' in User-Name = "mars1.marsindo.com", looking up realm NULL<BR>rlm_realm: No such realm "NULL"<BR>modcall[authorize]: module "suffix" returns noop for request 5<BR>rlm_eap: EAP packet type response id 2 length 80<BR>rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<BR>modcall[authorize]: module "eap" returns updated for request 5<BR>users: Matched entry DEFAULT at line 156<BR>modcall[authorize]: module "files" returns ok for request 5<BR>rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.<BR>modcall[authorize]: module "pap" returns noop for request 5<BR>modcall: leaving group authorize (returns updated) for request 5<BR>rad_check_password: Found Auth-Type EAP<BR>auth: type "EAP"<BR>Processing the authenticate section of radiusd.conf<BR>modcall: entering group authenticate for request 5<BR>rlm_eap: Request found, released from the
list<BR>rlm_eap: EAP/tls<BR>rlm_eap: processing type tls<BR>rlm_eap_tls: Authenticate<BR>rlm_eap_tls: processing TLS<BR>rlm_eap_tls: Length Included<BR>eaptls_verify returned 11<BR>(other): before/accept initialization<BR>TLS_accept: before/accept initialization<BR>rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello<BR>TLS_accept: SSLv3 read client hello A<BR>rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello<BR>TLS_accept: SSLv3 write server hello A<BR>rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate<BR>TLS_accept: SSLv3 write certificate A<BR>rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest<BR>TLS_accept: SSLv3 write certificate request A<BR>TLS_accept: SSLv3 flush data<BR>TLS_accept: Need to read more data: SSLv3 read client certificate A<BR>In SSL Handshake Phase<BR>In SSL Accept mode<BR>eaptls_process returned 13<BR>modcall[authenticate]: module "eap" returns
handled for request 5<BR>modcall: leaving group authenticate (returns handled) for request 5<BR>Sending Access-Challenge of id 15 to 192.168.0.206 port 1025<BR>Message-Authenticator = 0x00000000000000000000000000000000<BR>State = 0x59eb1d02dc1f6083321bcfbecf7ff5f6<BR>Finished request 5<BR>Going to the next request<BR>Waking up in 6 seconds...</P>
<P><BR>Testing </P>
<P>> radtest MarsindoNet testing123-1 localhost 0 testing123</P>
<P>The result is Access-Accept.. OK, so no problem there.</P>
<P><BR>Here I post the CA.certs execution result, as I suspect that the errors might be due to a certificate error.<BR>When I run ./CA.certs I get a few errors.</P>
<P><BR>##################<BR>create CA<BR>use just created 'newreq.pem' private key as filename<BR>CA.pl -newca<BR>##################</P>
<P><BR>##################<BR>exporting ROOT CA<BR>CA.pl -newreq<BR>CA.pl -signreq<BR>openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem<BR>openssl pkcs12 -in root.cer -out root.pem<BR>##################</P>
<P>Error opening input file demoCA/cacert.pem<BR>demoCA/cacert.pem: No such file or directory<BR>Error opening input file root.p12<BR>root.p12: No such file or directory<BR>Error opening Certificate root.pem<BR>3937:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('root.pem','r')<BR>3937:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:<BR>unable to load certificate</P>
<P>##################<BR>creating client certificate<BR>name : name-clt<BR>client certificate stored as cert-clt.pem<BR>CA.pl -newreq<BR>CA.pl -signreq<BR>##################</P>
<P>Generating a 1024 bit RSA private key<BR>.......++++++<BR>..................................................++++++<BR>writing new private key to 'newreq.pem'<BR>-----<BR>You are about to be asked to enter information that will be incorporated<BR>into your certificate request.<BR>What you are about to enter is what is called a Distinguished Name or a DN.<BR>There are quite a few fields but you can leave some blank<BR>For some fields there will be a default value,<BR>If you enter '.', the field will be left blank.<BR>-----<BR>Country Name (2 letter code) []:State or Province Name (full name) [Kepri]:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:<BR>Please enter the following 'extra' attributes<BR>to be sent with your certificate request</P>
<P>Using configuration from /usr/share/ssl/openssl.cnf<BR>Error opening CA private key ./demoCA/private/cakey.pem<BR>3941:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/private/cakey.pem','r')<BR>3941:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261:<BR>unable to load CA private key<BR>Failed to do sign certificate</P>
<P>I'd appreciate it if anyone could help me solve this problem.<BR>Thanks in advance.<BR></P></div><br>
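The CA.certs run above never produced demoCA/cacert.pem or demoCA/private/cakey.pem, so radiusd's tls section could not have a valid CA_file, and the handshake stalls at the client-certificate step. As an added example (not code from the post or from FreeRADIUS; it assumes openssl on PATH and constructs every path and subject name), this script builds the same layout with plain openssl and then checks the three files the way radiusd needs them at startup:

```shell
#!/bin/sh
# Added example, not code from the original post or from FreeRADIUS: builds a throwaway CA and
# a CA-signed server cert (the files the CA.certs run above failed to produce), then checks them
# the way the eap.conf tls section references them. Assumes openssl on PATH; all names constructed.

# Create demoCA/cacert.pem, demoCA/private/cakey.pem and certs/cert-srv.pem under $1.
make_test_pki() {
  dir="$1"
  mkdir -p "$dir/demoCA/private" "$dir/certs" || return 1
  cat > "$dir/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF
  # Self-signed root CA: what CA.pl -newca should have left in demoCA/ (this is CA_file).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
    -config "$dir/openssl.cnf" -keyout "$dir/demoCA/private/cakey.pem" \
    -out "$dir/demoCA/cacert.pem" >/dev/null 2>&1 || return 1
  # Server key + CSR, sign it with the CA key (CA.pl -signreq), then join key and cert into one PEM.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -config "$dir/openssl.cnf" -keyout "$dir/certs/key-srv.pem" \
    -out "$dir/certs/req-srv.pem" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 30 -in "$dir/certs/req-srv.pem" -CA "$dir/demoCA/cacert.pem" \
    -CAkey "$dir/demoCA/private/cakey.pem" -CAcreateserial -extfile "$dir/openssl.cnf" \
    -extensions v3_srv -out "$dir/certs/crt-srv.pem" >/dev/null 2>&1 || return 1
  cat "$dir/certs/key-srv.pem" "$dir/certs/crt-srv.pem" > "$dir/certs/cert-srv.pem"
}

# Check what radiusd needs at startup: files readable, server cert chains to CA_file,
# private key belongs to the cert. Returns 0 ok, 1 missing file, 2 bad chain, 3 key mismatch.
check_eap_tls_files() {
  ca="$1" cert="$2" key="$3"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  openssl x509 -in "$cert" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
    || { echo "certificate does not chain to $ca" >&2; return 2; }
  cert_mod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] \
    || { echo "private key does not match certificate" >&2; return 3; }
}
```

Run check_eap_tls_files against the real CA_file, certificate_file and private_key_file from eap.conf before starting radiusd -X; a missing file like the post's demoCA/cacert.pem fails the first check immediately.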
</body></html>