<div dir="ltr">I have a problem authenticating with a Cisco Aironet 1200 access point. I have valid certificates on my laptop and on Freeradius.<div><br>This is the output on AP:</div><div><br><span class="content">Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason: Sending station has left the BSS</span><br>
<span class="content">Interface Dot11Radio0, Station NBD7FB3G3J 001e.4c8c.8406 Associated KEY_MGMT[NONE] </span><span class="content">3</span><br><span class="content">Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason: Previous authentication no longer valid</span></div>
<div><br></div><div>This is what I get on freeradius:</div><div><br></div><div>[root@radius ~]# radiusd -X</div><div>Starting - reading configuration files ...</div><div>reread_config: reading radiusd.conf</div><div>Config: including file: /etc/raddb/proxy.conf</div>
<div>Config: including file: /etc/raddb/clients.conf</div><div>Config: including file: /etc/raddb/snmp.conf</div><div>Config: including file: /etc/raddb/eap.conf</div><div> main: prefix = "/usr"</div><div>
main: localstatedir = "/var"</div><div> main: logdir = "/var/log/radius"</div><div> main: libdir = "/usr/lib"</div><div> main: radacctdir = "/var/log/radius/radacct"</div><div> main: hostname_lookups = no</div>
<div> main: snmp = no</div><div> main: max_request_time = 30</div><div> main: cleanup_delay = 5</div><div> main: max_requests = 1024</div><div> main: delete_blocked_requests = 0</div><div> main: port = 0</div><div> main: allow_core_dumps = no</div>
<div> main: log_stripped_names = no</div><div> main: log_file = "/var/log/radius/radius.log"</div><div> main: log_auth = no</div><div> main: log_auth_badpass = no</div><div> main: log_auth_goodpass = no</div><div>
main: pidfile = "/var/run/radiusd/radiusd.pid"</div><div> main: user = "root"</div><div> main: group = "root"</div><div> main: usercollide = no</div><div> main: lower_user = "no"</div>
<div> main: lower_pass = "no"</div><div> main: nospace_user = "no"</div><div> main: nospace_pass = "no"</div><div> main: checkrad = "/usr/sbin/checkrad"</div><div> main: proxy_requests = yes</div>
<div> proxy: retry_delay = 5</div><div> proxy: retry_count = 3</div><div> proxy: synchronous = no</div><div> proxy: default_fallback = yes</div><div> proxy: dead_time = 120</div><div> proxy: post_proxy_authorize = no</div>
<div> proxy: wake_all_if_all_dead = no</div><div> security: max_attributes = 200</div><div> security: reject_delay = 1</div><div> security: status_server = no</div><div> main: debug_level = 0</div><div>read_config_files: reading dictionary</div>
<div>read_config_files: reading naslist</div><div>Using deprecated naslist file. Support for this will go away soon.</div><div>read_config_files: reading clients</div><div>read_config_files: reading realms</div><div>radiusd: entering modules setup</div>
<div>Module: Library search path is /usr/lib</div><div>Module: Loaded exec </div><div> exec: wait = yes</div><div> exec: program = "(null)"</div><div> exec: input_pairs = "request"</div><div> exec: output_pairs = "(null)"</div>
<div> exec: packet_type = "(null)"</div><div>rlm_exec: Wait=yes but no output defined. Did you mean output=none?</div><div>Module: Instantiated exec (exec) </div><div>Module: Loaded expr </div><div>Module: Instantiated expr (expr) </div>
<div>Module: Loaded PAP </div><div> pap: encryption_scheme = "crypt"</div><div>Module: Instantiated pap (pap) </div><div>Module: Loaded CHAP </div><div>Module: Instantiated chap (chap) </div><div>Module: Loaded MS-CHAP </div>
<div> mschap: use_mppe = yes</div><div> mschap: require_encryption = no</div><div> mschap: require_strong = no</div><div> mschap: with_ntdomain_hack = no</div><div> mschap: passwd = "(null)"</div><div> mschap: ntlm_auth = "(null)"</div>
<div>Module: Instantiated mschap (mschap) </div><div>Module: Loaded System </div><div> unix: cache = no</div><div> unix: passwd = "/etc/passwd"</div><div> unix: shadow = "/etc/shadow"</div><div> unix: group = "/etc/group"</div>
<div> unix: radwtmp = "/var/log/radius/radwtmp"</div><div> unix: usegroup = no</div><div> unix: cache_reload = 600</div><div>Module: Instantiated unix (unix) </div><div>Module: Loaded eap </div><div> eap: default_eap_type = "tls"</div>
<div> eap: timer_expire = 60</div><div> eap: ignore_unknown_eap_types = no</div><div> eap: cisco_accounting_username_bug = no</div><div>rlm_eap: Loaded and initialized type md5</div><div>rlm_eap: Loaded and initialized type leap</div>
<div> gtc: challenge = "Password: "</div><div> gtc: auth_type = "PAP"</div><div>rlm_eap: Loaded and initialized type gtc</div><div> tls: rsa_key_exchange = no</div><div> tls: dh_key_exchange = yes</div>
<div> tls: rsa_key_length = 512</div><div> tls: dh_key_length = 512</div><div> tls: verify_depth = 0</div><div> tls: CA_path = "(null)"</div><div> tls: pem_file_type = yes</div><div> tls: private_key_file = "/etc/raddb/certs/server_keycert.pem"</div>
<div> tls: certificate_file = "/etc/raddb/certs/server_keycert.pem"</div><div> tls: CA_file = "/etc/raddb/certs/cacert.pem"</div><div> tls: private_key_password = "freeradius"</div><div> tls: dh_file = "/etc/raddb/certs/dh"</div>
<div> tls: random_file = "/etc/raddb/certs/random"</div><div> tls: fragment_size = 1024</div><div> tls: include_length = yes</div><div> tls: check_crl = no</div><div> tls: check_cert_cn = "(null)"</div>
<div> tls: cipher_list = "(null)"</div><div> tls: check_cert_issuer = "(null)"</div><div>rlm_eap_tls: Loading the certificate file as a chain</div><div>rlm_eap: Loaded and initialized type tls</div><div>
mschapv2: with_ntdomain_hack = no</div><div>rlm_eap: Loaded and initialized type mschapv2</div><div>Module: Instantiated eap (eap) </div><div>Module: Loaded preprocess </div><div> preprocess: huntgroups = "/etc/raddb/huntgroups"</div>
<div> preprocess: hints = "/etc/raddb/hints"</div><div> preprocess: with_ascend_hack = no</div><div> preprocess: ascend_channels_per_line = 23</div><div> preprocess: with_ntdomain_hack = no</div><div> preprocess: with_specialix_jetstream_hack = no</div>
<div> preprocess: with_cisco_vsa_hack = no</div><div> preprocess: with_alvarion_vsa_hack = no</div><div>Module: Instantiated preprocess (preprocess) </div><div>Module: Loaded realm </div><div> realm: format = "suffix"</div>
<div> realm: delimiter = "@"</div><div> realm: ignore_default = no</div><div> realm: ignore_null = no</div><div>Module: Instantiated realm (suffix) </div><div>Module: Loaded files </div><div> files: usersfile = "/etc/raddb/users"</div>
<div> files: acctusersfile = "/etc/raddb/acct_users"</div><div> files: preproxy_usersfile = "/etc/raddb/preproxy_users"</div><div> files: compat = "no"</div><div>Module: Instantiated files (files) </div>
<div>Module: Loaded Acct-Unique-Session-Id </div><div> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"</div><div>Module: Instantiated acct_unique (acct_unique) </div>
<div>Module: Loaded detail </div><div> detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"</div><div> detail: detailperm = 384</div><div> detail: dirperm = 493</div><div> detail: locking = no</div>
<div>Module: Instantiated detail (detail) </div><div>Module: Loaded radutmp </div><div> radutmp: filename = "/var/log/radius/radutmp"</div><div> radutmp: username = "%{User-Name}"</div><div> radutmp: case_sensitive = yes</div>
<div> radutmp: check_with_nas = yes</div><div> radutmp: perm = 384</div><div> radutmp: callerid = yes</div><div>Module: Instantiated radutmp (radutmp) </div><div>Listening on authentication *:1812</div><div>Listening on accounting *:1813</div>
<div>Ready to process requests.</div><div>rad_recv: Access-Request packet from host 192.168.177.121:1645, id=23, length=149</div><div>rad_recv: Access-Request packet from host 192.168.177.121:1645, id=24, length=256</div>
<div> User-Name = "radius.rc.internal"</div><div> Framed-MTU = 1400</div><div> Called-Station-Id = "000f.9093.b5c0"</div><div> Calling-Station-Id = "001e.4c8c.8406"</div>
<div> Service-Type = Login-User</div><div> Message-Authenticator = 0x6fe0a230a00d77e3336c69daf8d5f435</div><div> EAP-Message = 0x020300700d800000006616030100610100005d030148f73a1b8c1dcc0750843f75c1f268c7dc1c034d6fb2487d406bcffe5d6cf4d600003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100</div>
<div> NAS-Port-Type = Wireless-802.11</div><div> NAS-Port = 261</div><div> State = 0x4f843413ae6144aacc887d596ec6161b</div><div> NAS-IP-Address = 192.168.177.121</div>
<div> NAS-Identifier = "AP"</div><div> Processing the authorize section of radiusd.conf</div><div>modcall: entering group authorize for request 1</div><div> modcall[authorize]: module "preprocess" returns ok for request 1</div>
<div> modcall[authorize]: module "chap" returns noop for request 1</div><div> modcall[authorize]: module "mschap" returns noop for request 1</div><div> rlm_realm: No '@' in User-Name = "radius.rc.internal", looking up realm NULL</div>
<div> rlm_realm: No such realm "NULL"</div><div> modcall[authorize]: module "suffix" returns noop for request 1</div><div> rlm_eap: EAP packet type response id 3 length 112</div><div> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation</div>
<div> modcall[authorize]: module "eap" returns updated for request 1</div><div> users: Matched entry DEFAULT at line 159</div><div> modcall[authorize]: module "files" returns ok for request 1</div>
<div>modcall: leaving group authorize (returns updated) for request 1</div><div> rad_check_password: Found Auth-Type EAP</div><div>auth: type "EAP"</div><div> Processing the authenticate section of radiusd.conf</div>
<div>modcall: entering group authenticate for request 1</div><div> rlm_eap: Request found, released from the list</div><div> rlm_eap: EAP/tls</div><div> rlm_eap: processing type tls</div><div> rlm_eap_tls: Authenticate</div>
<div> rlm_eap_tls: processing TLS</div><div>rlm_eap_tls: Length Included</div><div> eaptls_verify returned 11 </div><div> (other): before/accept initialization </div><div> TLS_accept: before/accept initialization </div>
<div> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello </div><div> TLS_accept: SSLv3 read client hello A </div><div> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello </div>
<div> TLS_accept: SSLv3 write server hello A </div><div> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate </div><div> TLS_accept: SSLv3 write certificate A </div><div> rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange </div>
<div> TLS_accept: SSLv3 write key exchange A </div><div> rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a5], CertificateRequest </div><div> TLS_accept: SSLv3 write certificate request A </div><div> TLS_accept: SSLv3 flush data </div>
<div> TLS_accept:error in SSLv3 read client certificate A </div><div>rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)</div><div>In SSL Handshake Phase </div><div>In SSL Accept mode </div><div> eaptls_process returned 13 </div>
<div> modcall[authenticate]: module "eap" returns handled for request 1</div><div>modcall: leaving group authenticate (returns handled) for request 1</div><div>Sending Access-Challenge of id 24 to 192.168.177.121 port 1645</div>
<div> Tunnel-Type:0 = VLAN</div><div> Tunnel-Medium-Type:0 = IEEE-802</div><div> Tunnel-Private-Group-Id:0 = "4091"</div><div> EAP-Message = 0x0104040a0dc000000864160301004a02000046030148f73ae365e1f568fdc304f234482bb240a3a4c83815c22e71f46149d04fc67620cced767dfe705a0f1ff39a336f762a5982fbf84203e198293e429822cd1999b600390016030106540b00065000064d0002a7308202a33082020ca003020102020101300d06092a864886f70d0101050500308191310b300906035504061302706b311530130603550408130c70616b68746f6f6e6b687761311330110603550407130a6162626f747461626164310f300d060355040a0c06c29e63696974311b3019060355040313127261646975732e72632e696e7465726e616c3128302606092a864886f70d</div>
<div> EAP-Message = 0x37c92cc0751ee4787911dbdf4ec0e41c722f80c246da7276928b20cc8a803ee1ef33cf4debdf3bbf831d5f50d022362bfea7894c1099b5302255df7d8be28a1c3c540b6f97e6059a2ac5de07343358214d6b64c20f6bfd3d56324e1a2c9c372ecc4b0df70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810013677557b079795d7bd6a10067bcb55a9ccb70ed11143aaed9e7678b0282ac72b05414c42b264b28d23b161758a4bdfab4456459fd5ff8c471be519168062a792e17e274140b9c0860d07e83aa7b2835365172967507debaffed053dd297138db5d8ec5d335655c9</div>
<div> EAP-Message = 0x06035504061302706b311530130603550408130c7061</div><div> Message-Authenticator = 0x00000000000000000000000000000000</div><div> State = 0x5dbbf6bd35b4c1f6c4bd34a2cd101387</div><div>
Finished request 1</div><div>Going to the next request</div><div>Waking up in 6 seconds... </div></div>
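As an added example (not part of the original post, and not FreeRADIUS code), the following Python script shows how to triage a `radiusd -X` EAP-TLS trace like the one above. It tracks the TLS handshake messages the server logs with `<<<`/`>>>`, notes that `SSL error error:00000000:lib(0):func(0):reason(0)` is OpenSSL's empty error queue (code 0, no actual error), and uses the `eaptls_process`/`module "eap" returns handled` lines plus the `Access-Challenge` reply to conclude that the server has sent its `CertificateRequest` and is waiting for the client's certificate fragment, so the verification has not failed at this point in the trace. It also flags the weak `tls:` settings visible in the config dump (512-bit ephemeral key lengths, CRL checking off). The sample log lines are constructed to mirror the post's format; the function names and the verdict strings are my own.

```python
import re
from typing import Dict, List

# Constructed sample of FreeRADIUS 1.x "radiusd -X" output, modelled on the
# format in the post above (not the poster's actual log).
SAMPLE_LOG = """\
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: check_crl = no
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
 TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a5], CertificateRequest
 TLS_accept: SSLv3 flush data
 TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
 eaptls_process returned 13
 modcall[authenticate]: module "eap" returns handled for request 1
Sending Access-Challenge of id 24 to 192.168.177.121 port 1645
"""

HANDSHAKE_RE = re.compile(
    r"rlm_eap_tls: (<<<|>>>) TLS [\d.]+ Handshake \[length ([0-9a-fA-F]+)\], (\w+)")
SSL_ERR_RE = re.compile(r"SSL error error:([0-9a-fA-F]{8}):")
EAP_RESULT_RE = re.compile(r'module "eap" returns (\w+)')
SETTING_RE = re.compile(r"^\s*tls: (\w+) = (.*)$")
REPLY_RE = re.compile(r"^Sending (Access-\w+) of id")


def parse_debug(text: str) -> Dict:
    """Extract handshake messages, OpenSSL error codes, module result,
    reply type and the tls: settings from a debug trace."""
    result = {"handshake": [], "ssl_error_codes": [], "eap_result": None,
              "reply_type": None, "tls_settings": {}}
    for line in text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            direction = "client" if m.group(1) == "<<<" else "server"
            # length is logged in hex
            result["handshake"].append((direction, m.group(3), int(m.group(2), 16)))
            continue
        m = SSL_ERR_RE.search(line)
        if m:
            result["ssl_error_codes"].append(int(m.group(1), 16))
            continue
        m = EAP_RESULT_RE.search(line)
        if m:
            result["eap_result"] = m.group(1)
            continue
        m = SETTING_RE.match(line)
        if m:
            result["tls_settings"][m.group(1)] = m.group(2).strip().strip('"')
            continue
        m = REPLY_RE.match(line.strip())
        if m:
            result["reply_type"] = m.group(1)
    return result


def classify(parsed: Dict) -> str:
    """Short verdict on where the EAP-TLS exchange stands."""
    if parsed["reply_type"] == "Access-Accept":
        return "completed"
    if any(code != 0 for code in parsed["ssl_error_codes"]):
        return "tls-failure"          # a real OpenSSL error was logged
    hs = parsed["handshake"]
    if hs and hs[-1][:2] == ("server", "CertificateRequest") \
            and parsed["eap_result"] == "handled":
        # Only code 0 was logged (empty OpenSSL error queue): the server
        # asked for the client cert and is waiting for the next fragment.
        return "awaiting-client-certificate"
    if parsed["reply_type"] == "Access-Reject":
        return "rejected"
    return "incomplete"


def weak_settings(settings: Dict[str, str]) -> List[str]:
    """Flag tls: settings that weaken the server side of EAP-TLS."""
    findings = []
    for key in ("rsa_key_length", "dh_key_length"):
        value = settings.get(key, "")
        if value.isdigit() and int(value) < 1024:
            findings.append(f"{key} = {value}: below 1024 bits, ephemeral key exchange is weak")
    if settings.get("check_crl") == "no":
        findings.append("check_crl = no: revoked client certificates are not rejected")
    return findings


if __name__ == "__main__":
    parsed = parse_debug(SAMPLE_LOG)
    for direction, name, length in parsed["handshake"]:
        print(f"{direction:>6} {name} ({length} bytes)")
    print("verdict:", classify(parsed))
    for finding in weak_settings(parsed["tls_settings"]):
        print("weak:", finding)
```

Run it against a saved `radiusd -X` capture instead of `SAMPLE_LOG` to see which side of the handshake went quiet: a verdict of `awaiting-client-certificate` means the next thing to check is whether the AP ever forwards the supplicant's next EAP response, not the server certificate configuration.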