<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Tahoma
}
--></style>
</head>
<body class='hmmessage'><div dir='ltr'>
Ciao.<br><br>We're also facing the same issue, but on a Windows box. We did a quick test using a rather old FR version (1.1.7), on the same PC and using the same certificates, and we get a successful result using eapol_test. We've also followed the steps available in http://wiki.freeradius.org/Certificate_Compatibility. However, no one seems to know the answer/solution to this issue.<br>Just bear in mind I'm new to this project and my ignorance may contribute to ..... you know!<br><br>Thanks in advance.<br><br>Sergio.<br><br><div>> From: Martin.Ubank@uwe.ac.uk<br>> To: freeradius-users@lists.freeradius.org<br>> Date: Mon, 24 Oct 2011 11:25:01 +0100<br>> Subject: RADIUS certificate compatibility warning<br>> <br>> I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6.<br>> I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.<br>> <br>> The 'radiusd -X' output finishes with :<br>> <br>> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>> WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish!<br>> WARNING: !! 
Please read http://wiki.freeradius.org/Certificate_Compatibility<br>> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>> <br>> http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server which is Linux (CentOS).<br>> <br>> The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate:<br>> <br>> OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)<br>> OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate<br>> <br>> I created the certificates using the method described in http://deployingradius.com/documents/configuration/certificates.html<br>> <br>> I can supply the full output from the 'eapol_test' command and from 'radiusd -X' but they're too big to include in this email.<br>> <br>> Can anyone tell me what I'm doing wrong?<br>> <br>> Thanks<br>> <br>> Martin.<br>> <br>> ================================================================<br>> <br>> Here are the errors/warnings sections from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files & eap.conf:<br>> <br>> 'eapol_test' errors/warnings<br>> ============================<br>> <br>> :<br>> RADIUS packet matching with station<br>> decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25)<br>> EAPOL: Received EAP-Packet frame<br>> EAPOL: SUPP_BE entering state REQUEST<br>> EAPOL: getSuppRsp<br>> EAP: EAP entering state RECEIVED<br>> EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0<br>> EAP: EAP entering state GET_METHOD<br>> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25<br>> EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)<br>> TLS: Phase2 EAP types - hexdump(len=40): 00 00 
00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00<br>> 05 00 00 00 00 00 00 00 11 00 00 00<br>> TLS: using phase1 config options<br>> OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)<br>> OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate<br>> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected<br>> EAP: EAP entering state METHOD<br>> SSL: Received packet(len=6) - Flags 0x20<br>> EAP-PEAP: Start (server ver=0, own ver=1)<br>> EAP-PEAP: Using PEAP version 0<br>> SSL: (where=0x10 ret=0x1)<br>> SSL: (where=0x1001 ret=0x1)<br>> SSL: SSL_connect:before/connect initialization<br>> SSL: (where=0x1001 ret=0x1)<br>> SSL: SSL_connect:SSLv3 write client hello A<br>> SSL: (where=0x1002 ret=0xffffffff)<br>> SSL: SSL_connect:error in SSLv3 read server hello A<br>> SSL: SSL_connect - want more data<br>> SSL: 112 bytes pending from ssl_out<br>> SSL: 112 bytes left to be sent out (of total 112 bytes)<br>> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL<br>> EAP: EAP entering state SEND_RESPONSE<br>> EAP: EAP entering state IDLE<br>> EAPOL: SUPP_BE entering state RESPONSE<br>> EAPOL: txSuppRsp<br>> WPA: eapol_test_eapol_send(type=0 len=122)<br>> :<br>> <br>> 'radiusd -X' errors/warnings<br>> ============================<br>> <br>> :<br>> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel<br>> +- entering group authenticate {...}<br>> [eap] Request found, released from the list<br>> [eap] EAP/mschapv2<br>> [eap] processing type mschapv2<br>> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel<br>> [mschapv2] +- entering group MS-CHAP {...}<br>> [mschap] Creating challenge hash with username: USERNAME<br>> [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password<br>> [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME<br>> [mschap] No NT-Domain was found in the User-Name.<br>> [mschap] 
expand: %{mschap:NT-Domain} -><br>> [mschap] ... expanding second conditional<br>> [mschap] expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS<br>> [mschap] mschap2: 8a<br>> [mschap] Creating challenge hash with username: USERNAME<br>> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded<br>> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822ad<br>> f858<br>> Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7<br>> Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7<br>> Exec-Program: returned: 0<br>> [mschap] adding MS-CHAPv2 MPPE keys<br>> ++[mschap] returns ok<br>> MSCHAP Success<br>> ++[eap] returns handled<br>> } # server inner-tunnel<br>> [peap] Got tunneled reply code 11<br>> EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333<br>> 0<br>> Message-Authenticator = 0x00000000000000000000000000000000<br>> State = 0x9197308e909e2a67190d1c1ddd88b035<br>> [peap] Got tunneled reply RADIUS code 11<br>> EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333<br>> 0<br>> Message-Authenticator = 0x00000000000000000000000000000000<br>> State = 0x9197308e909e2a67190d1c1ddd88b035<br>> [peap] Got tunneled Access-Challenge<br>> ++[eap] returns handled<br>> Sending Access-Challenge of id 8 to 127.0.0.1 port 50462<br>> EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825<br>> 807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b<br>> Message-Authenticator = 0x00000000000000000000000000000000<br>> State = 0x20754327287c5ad31b57225dabc8b87e<br>> Finished request 8.<br>> Going to the next request<br>> Waking up in 4.9 seconds.<br>> Cleaning up request 0 ID 0 with timestamp +76<br>> Cleaning up request 1 ID 1 with timestamp 
+76<br>> Cleaning up request 2 ID 2 with timestamp +76<br>> Cleaning up request 3 ID 3 with timestamp +76<br>> Cleaning up request 4 ID 4 with timestamp +76<br>> Cleaning up request 5 ID 5 with timestamp +76<br>> Cleaning up request 6 ID 6 with timestamp +76<br>> Cleaning up request 7 ID 7 with timestamp +76<br>> Cleaning up request 8 ID 8 with timestamp +76<br>> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>> WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish!<br>> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility<br>> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!<br>> Ready to process requests.<br>> <br>> peap-mschapv2-cert-ntlm_auth.conf<br>> =================================<br>> <br>> #<br>> # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123<br>> #<br>> <br>> # eapol_version=1<br>> # fast_reauth=0<br>> <br>> network={<br>> key_mgmt=WPA-EAP<br>> eap=PEAP<br>> identity="USERNAME"<br>> password="PASSWORD"<br>> phase2="autheap=MSCHAPV2"<br>> <br>> # priority=10<br>> <br>> ca_cert="/etc/raddb/certs/ca.der"<br>> }<br>> <br>> ca.cnf<br>> ======<br>> <br>> [ ca ]<br>> default_ca = CA_default<br>> <br>> [ CA_default ]<br>> dir = ./<br>> certs = $dir<br>> crl_dir = $dir/crl<br>> database = $dir/index.txt<br>> new_certs_dir = $dir<br>> certificate = $dir/ca.pem<br>> serial = $dir/serial<br>> crl = $dir/crl.pem<br>> private_key = $dir/ca.key<br>> RANDFILE = $dir/.rand<br>> name_opt = ca_default<br>> cert_opt = ca_default<br>> default_days = 3650<br>> default_crl_days = 30<br>> default_md = sha1<br>> preserve = no<br>> policy = policy_match<br>> <br>> [ policy_match ]<br>> countryName = match<br>> stateOrProvinceName = match<br>> organizationName = match<br>> organizationalUnitName = optional<br>> commonName = supplied<br>> emailAddress = optional<br>> <br>> [ policy_anything ]<br>> countryName = optional<br>> stateOrProvinceName = optional<br>> 
localityName = optional<br>> organizationName = optional<br>> organizationalUnitName = optional<br>> commonName = supplied<br>> emailAddress = optional<br>> <br>> [ req ]<br>> prompt = no<br>> distinguished_name = certificate_authority<br>> default_bits = 2048<br>> input_password = inpass<br>> output_password = outpass<br>> x509_extensions = v3_ca<br>> <br>> [certificate_authority]<br>> countryName = UK<br>> stateOrProvinceName = United Kingdom<br>> localityName = Bristol<br>> organizationName = UWE<br>> emailAddress = email@uwe.ac.uk<br>> commonName = "UWE Certificate Authority"<br>> <br>> [v3_ca]<br>> subjectKeyIdentifier = hash<br>> authorityKeyIdentifier = keyid:always,issuer:always<br>> basicConstraints = CA:true<br>> <br>> ================================================================<br>> <br>> server.cnf<br>> ==========<br>> <br>> [ ca ]<br>> default_ca = CA_default<br>> <br>> [ CA_default ]<br>> dir = ./<br>> certs = $dir<br>> crl_dir = $dir/crl<br>> database = $dir/index.txt<br>> new_certs_dir = $dir<br>> certificate = $dir/server.pem<br>> serial = $dir/serial<br>> crl = $dir/crl.pem<br>> private_key = $dir/server.key<br>> RANDFILE = $dir/.rand<br>> name_opt = ca_default<br>> cert_opt = ca_default<br>> default_days = 730<br>> default_crl_days = 30<br>> default_md = sha1<br>> preserve = no<br>> policy = policy_match<br>> <br>> [ policy_match ]<br>> countryName = match<br>> stateOrProvinceName = match<br>> organizationName = match<br>> organizationalUnitName = optional<br>> commonName = supplied<br>> emailAddress = optional<br>> <br>> [ policy_anything ]<br>> countryName = optional<br>> stateOrProvinceName = optional<br>> localityName = optional<br>> organizationName = optional<br>> organizationalUnitName = optional<br>> commonName = supplied<br>> emailAddress = optional<br>> <br>> [ req ]<br>> prompt = no<br>> distinguished_name = server<br>> default_bits = 2048<br>> input_password = inpass<br>> output_password = outpass<br>> <br>> [server]<br>> 
countryName = UK<br>> stateOrProvinceName = United Kingdom<br>> localityName = Bristol<br>> organizationName = UWE<br>> emailAddress = email@uwe.ac.uk<br>> commonName = "UWE Server Certificate"<br>> <br>> ================================================================<br>> <br>> client.cnf<br>> ==========<br>> <br>> [ ca ]<br>> default_ca = CA_default<br>> <br>> [ CA_default ]<br>> dir = ./<br>> certs = $dir<br>> crl_dir = $dir/crl<br>> database = $dir/index.txt<br>> new_certs_dir = $dir<br>> certificate = $dir/server.pem<br>> serial = $dir/serial<br>> crl = $dir/crl.pem<br>> private_key = $dir/server.key<br>> RANDFILE = $dir/.rand<br>> name_opt = ca_default<br>> cert_opt = ca_default<br>> default_days = 730<br>> default_crl_days = 30<br>> default_md = sha1<br>> preserve = no<br>> policy = policy_match<br>> <br>> [ policy_match ]<br>> countryName = match<br>> stateOrProvinceName = match<br>> organizationName = match<br>> organizationalUnitName = optional<br>> commonName = supplied<br>> emailAddress = optional<br>> <br>> [ policy_anything ]<br>> countryName = optional<br>> stateOrProvinceName = optional<br>> localityName = optional<br>> organizationName = optional<br>> organizationalUnitName = optional<br>> commonName = supplied<br>> emailAddress = optional<br>> <br>> [ req ]<br>> prompt = no<br>> distinguished_name = client<br>> default_bits = 2048<br>> input_password = inpass<br>> output_password = outpass<br>> <br>> [client]<br>> countryName = UK<br>> stateOrProvinceName = United Kingdom<br>> localityName = Bristol<br>> organizationName = UWE<br>> emailAddress = email@uwe.ac.uk<br>> commonName = "UWE Client Certificate"<br>> <br>> eap.conf<br>> ========<br>> <br>> eap {<br>> default_eap_type = md5<br>> timer_expire = 60<br>> ignore_unknown_eap_types = no<br>> cisco_accounting_username_bug = no<br>> max_sessions = 4096<br>> md5 {<br>> }<br>> leap {<br>> }<br>> gtc {<br>> auth_type = PAP<br>> }<br>> tls {<br>> certdir = ${confdir}/certs<br>> cadir = 
${confdir}/certs<br>> private_key_password = outpass<br>> private_key_file = ${certdir}/server.pem<br>> certificate_file = ${certdir}/server.pem<br>> CA_file = ${cadir}/ca.pem<br>> dh_file = ${certdir}/dh<br>> random_file = ${certdir}/random<br>> cipher_list = "DEFAULT"<br>> cache {<br>> enable = no<br>> max_entries = 255<br>> }<br>> }<br>> ttls {<br>> default_eap_type = md5<br>> copy_request_to_tunnel = no<br>> use_tunneled_reply = no<br>> virtual_server = "inner-tunnel"<br>> }<br>> peap {<br>> default_eap_type = mschapv2<br>> copy_request_to_tunnel = no<br>> use_tunneled_reply = no<br>> virtual_server = "inner-tunnel"<br>> }<br>> mschapv2 {<br>> }<br>> }<br>> <br>> <br>> <br>> -<br>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html<br></div> </div></body>
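The quoted setup points radiusd at a PEM CA (CA_file = ${cadir}/ca.pem in eap.conf) while eapol_test is handed a DER copy (ca_cert="/etc/raddb/certs/ca.der"), and the eapol_test log shows the PEM load attempt failing before the DER one succeeds. Before going further, a practitioner would want to confirm that those two files really carry the same CA and that server.pem chains to it. The following diagnostic is an added example written for this page; it is not part of Sergio's or Martin's mail and not a FreeRADIUS or wpa_supplicant tool. The certificate files it creates in run_demo are throwaway test material, and the paths and subject names there are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): report whether a certificate file
# is PEM or DER, check that the PEM CA radiusd trusts and the DER CA given to
# eapol_test are the same certificate, and verify that the server certificate
# chains to that CA. run_demo builds throwaway certificates (constructed test
# material); the names and paths in it are assumptions.

# cert_format FILE -> prints PEM or DER by inspecting the first bytes.
# PEM starts with "-----BEGIN"; a DER certificate starts with the ASN.1
# SEQUENCE tag 0x30. Anything else is reported as UNKNOWN with status 1.
cert_format() {
    if head -c 10 "$1" | grep -q '^-----BEGIN'; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
        return 1
    fi
}

# cert_fingerprint FILE -> SHA-1 fingerprint regardless of encoding (needs openssl).
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -noout -fingerprint -sha1 \
        | cut -d= -f2
}

# same_cert A B -> status 0 when both files carry the same certificate.
same_cert() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# verify_server CA_FILE SERVER_FILE -> status 0 when SERVER_FILE chains to CA_FILE.
# The CA is normalised to PEM first so a DER CA file works too.
verify_server() {
    ca_pem=$(mktemp)
    openssl x509 -in "$1" -inform "$(cert_format "$1")" -out "$ca_pem"
    openssl verify -CAfile "$ca_pem" "$2" >/dev/null
    rc=$?
    rm -f "$ca_pem"
    return $rc
}

# run_demo: throwaway CA and server certificate, CA written in both encodings
# exactly as the quoted setup does, then the checks above.
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; demo skipped"; return 0; }
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$work/ca.key" -out "$work/ca.pem" \
        -subj "/CN=Example Test CA" -days 2 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$work/server.key" -out "$work/server.csr" \
        -subj "/CN=example-radius" >/dev/null 2>&1
    openssl x509 -req -in "$work/server.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/server.pem" -days 1 >/dev/null 2>&1
    openssl x509 -in "$work/ca.pem" -outform DER -out "$work/ca.der"

    echo "ca.pem is $(cert_format "$work/ca.pem"), ca.der is $(cert_format "$work/ca.der")"
    same_cert "$work/ca.pem" "$work/ca.der" \
        && echo "both CA files carry the same certificate" \
        || echo "CA files differ: radiusd and eapol_test trust different CAs"
    verify_server "$work/ca.der" "$work/server.pem" \
        && echo "server.pem verifies against the CA" \
        || echo "server.pem does not chain to the CA"
    rm -rf "$work"
}

run_demo
```

Run it against a real deployment by calling same_cert on the CA_file from eap.conf and the ca_cert from the supplicant config, then verify_server with that CA and the certificate_file; a mismatch in either check is a configuration problem to fix before reading the TLS handshake output, and if both pass the "Failed to load root certificates" line is only the PEM attempt that precedes the successful DER load.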
</html>