Hello I'm a new user, and i'm trying to set an Eap-Tls authentication using freeradius 1.1.2. My system is debian stable. I installed freeradius 1.1.2 (./confidure, make ,make install) and libssl-dev (apt-get install libssl-dev) like here: http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/80... http://www.alphacore.net/spip/article.php3?id_article=33 When I turn on freeradius I can see this: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = yes main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/1x/jagger.pem" tls: certificate_file = "/etc/1x/jagger.pem" tls: CA_file = "/etc/1x/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/etc/1x/dh" tls: random_file = "/etc/1x/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. After I made the certificate and installed in the client I tried to request an authentication but the output show me an error: rad_recv: Access-Request packet from host 192.168.1.5:1217, id=17, length=139 User-Name = "marcello" NAS-IP-Address = 0.0.0.0 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020d000d016d617263656c6c6f Message-Authenticator = 0x5cf6d0c113ea537193f632be5324ddac Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821 modcall[authorize]: module "auth_log" returns ok for request 8 rlm_eap: EAP packet type response id 13 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry DEFAULT at line 152 users: Matched entry marcello at line 219 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 17 to 192.168.1.5 port 1217 EAP-Message = 0x010e00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf07c05d2e094204483f4809fce1d0c28 Finished request 8 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1217, id=18, length=224 User-Name = "marcello" NAS-IP-Address = 0.0.0.0 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020e00500d800000004616030100410100003d030144e9b43485e72b29db6f1029820e8626f3358dc31aacc52a129ce61689ebe58f00001600040005000a000900640062000300060013001200630100 State = 0xf07c05d2e094204483f4809fce1d0c28 Message-Authenticator = 0x975a5fb5db9745857a408bd7f840d26b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060821 modcall[authorize]: module "auth_log" returns ok for request 9 rlm_eap: EAP packet type response id 14 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry DEFAULT at line 152 users: Matched entry marcello at line 219 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 063f], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 009a], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 18 to 192.168.1.5 port 1217 EAP-Message = 0x010f040a0dc000000732160301004a02000046030144e9b49287208e1cb70e241db79d5673d7ab9517790375764670f4188240a51b20b4c816e499d080e2c6ab6b38806ea3fc5a2b57dd3b82c059da7f28e607c6eb47000400160301063f0b00063b0006380002ad308202a930820212a003020102020900ede70675d53a5468300d06092a864886f70d0101040500308188310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d693110300e060355040b1307494d492073726c3111300f060355040313084341726164697573311e30 EAP-Message = 0x1c06092a864886f70d010901160f63614067727570706f696d692e6974301e170d3036303832313130353231345a170d3037303832313130353231345a30818a310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d693110300e060355040b1307494d492073726c310f300d060355040313066a61676765723122302006092a864886f70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100bbe2fe9126b2b0849877a8b391dda33f98ee5de4a34d EAP-Message = 0xb307dbb442f919f774a3b98af3fda705df91aa46c4659cc59b4a8059e6e93a21b99a778eb6474ec4339b6c1c3e69486dca6acf502004018ed8c095a4361e5295134d29e2fc3d3b9117aa5f6a4ffcf37669b86a7bc7fcd4687afb1e5ee869174509284bf6c1ca696e6f450203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000381810041308e67937e52103d21b47bcddebe72ef2cf474244a508ff5f74c34d95ece99284a24eee2fa85bbdbb8f38fcb4b04107f4d931bea52a34074fe53005163ddbe392f9b603b748a0acfe27a12b088b5bf18367fb666fee87286ecd730f49d5af0aaec EAP-Message = 0x068ea99f5b2f42aec356b15d82d4cf4d925dc611c0a4037aec9c5743625600038530820381308202eaa003020102020900ede70675d53a5467300d06092a864886f70d0101040500308188310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d693110300e060355040b1307494d492073726c3111300f060355040313084341726164697573311e301c06092a864886f70d010901160f63614067727570706f696d692e6974301e170d3036303832313130353035345a170d3036303932303130353035345a308188310b3009060355 EAP-Message = 0x040613024954310e300c060355040813054954414c59 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8bfc44c788f3b51de96ef0e08569c6e5 Finished request 9 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 17 with timestamp 44e9b492 Cleaning up request 9 ID 18 with timestamp 44e9b492 Nothing to do. Sleeping until we see a request. Can Somebody help me? Thanks Matteo
Hi,
In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 18 to 192.168.1.5 port 1217 ... Finished request 9 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 17 with timestamp 44e9b492 Cleaning up request 9 ID 18 with timestamp 44e9b492 Nothing to do. Sleeping until we see a request.
Your server is sending a request to the client, but the client never replies to it. The client doesn't like what it gets. Have you included the Extended Usage OID for TLS Web Server Identification into your server cert? Also, when using EAP-TLS, your client's certificate must have the corresponding OID (TLS Client Identification). Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Stefan Winter wrote:
Hi,
In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 18 to 192.168.1.5 port 1217 ... Finished request 9 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 8 ID 17 with timestamp 44e9b492 Cleaning up request 9 ID 18 with timestamp 44e9b492 Nothing to do. Sleeping until we see a request.
Your server is sending a request to the client, but the client never replies to it. The client doesn't like what it gets. Have you included the Extended Usage OID for TLS Web Server Identification into your server cert? Also, when using EAP-TLS, your client's certificate must have the corresponding OID (TLS Client Identification).
Greetings,
Stefan Winter
I made server cert with this script: #!/bin/sh SSL=/usr/lib export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH} export LD_LIBRARY_PATH=${SSL}/lib echo "*********************************************************************************" echo "Creating server private key and certificate" echo "When prompted enter the server name in the Common Name field." echo "*********************************************************************************" echo # Request a new PKCS#10 certificate. # First, newreq.pem will be overwritten with the new certificate request openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever # Sign the certificate request. The policy is defined in the openssl.cnf file. # The request generated in the previous step is specified with the -infiles option and # the output is in newcert.pem # The -extensions option is necessary to add the OID for the extended key for server authentication openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem # and place in file specified on the command line openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever # parse the PKCS#12 file just created and produce a PEM format certificate and key in certsrv.pem openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever # Convert certificate from PEM format to DER format openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der # Clean Up rm -rf newert.pem newreq.pem I attach the three certificate's generation scripts... Can you said me where is the fault? Thanks #!/bin/sh SSL=/usr/lib export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH} export LD_LIBRARY_PATH=${SSL}/lib echo "*********************************************************************************" echo "Creating client private key and certificate" echo "When prompted enter the client name in the Common Name field. This is the same" echo " used as the Username in FreeRADIUS" echo "*********************************************************************************" echo # Request a new PKCS#10 certificate. # First, newreq.pem will be overwritten with the new certificate request openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever # Sign the certificate request. The policy is defined in the openssl.cnf file. # The request generated in the previous step is specified with the -infiles option and # the output is in newcert.pem # The -extensions option is necessary to add the OID for the extended key for client authentication openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpclient_ext -extfile xpextensions -infiles newreq.pem # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem # and place in file specified on the command line openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever # parse the PKCS#12 file just created and produce a PEM format certificate and key in certclt.pem openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever # Convert certificate from PEM format to DER format openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der # clean up rm -rf newcert newreq.pem #!/bin/sh SSL=/usr/lib export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH} export LD_LIBRARY_PATH=${SSL}/lib # needed if you need to start from scratch otherwise the CA.pl -newca command doesn't copy the new # private key into the CA directories rm -rf demoCA echo "*********************************************************************************" echo "Creating self-signed private key and certificate" echo "When prompted override the default value for the Common Name field" echo "*********************************************************************************" echo # Generate a new self-signed certificate. # After invocation, newreq.pem will contain a private key and certificate # newreq.pem will be used in the next step openssl req -new -x509 -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever echo "*********************************************************************************" echo "Creating a new CA hierarchy (used later by the "ca" command) with the certificate" echo "and private key created in the last step" echo "*********************************************************************************" echo echo "newreq.pem" | CA.pl -newca >/dev/null echo "*********************************************************************************" echo "Creating ROOT CA" echo "*********************************************************************************" echo # Create a PKCS#12 file, using the previously created CA certificate/key # The certificate in demoCA/cacert.pem is the same as in newreq.pem. Instead of # using "-in demoCA/cacert.pem" we could have used "-in newreq.pem" and then omitted # the "-inkey newreq.pem" because newreq.pem contains both the private key and certificate openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.p12 -cacerts -passin pass:whatever -passout pass:whatever # parse the PKCS#12 file just created and produce a PEM format certificate and key in root.pem openssl pkcs12 -in root.p12 -out root.pem -passin pass:whatever -passout pass:whatever # Convert root certificate from PEM format to DER format openssl x509 -inform PEM -outform DER -in root.pem -out root.der #Clean Up rm -rf newreq.pem #!/bin/sh SSL=/usr/lib export PATH=${SSL}/bin/:${SSL}/ssl/misc:${PATH} export LD_LIBRARY_PATH=${SSL}/lib echo "*********************************************************************************" echo "Creating server private key and certificate" echo "When prompted enter the server name in the Common Name field." echo "*********************************************************************************" echo # Request a new PKCS#10 certificate. # First, newreq.pem will be overwritten with the new certificate request openssl req -new -keyout newreq.pem -out newreq.pem -passin pass:whatever -passout pass:whatever # Sign the certificate request. The policy is defined in the openssl.cnf file. # The request generated in the previous step is specified with the -infiles option and # the output is in newcert.pem # The -extensions option is necessary to add the OID for the extended key for server authentication openssl ca -policy policy_anything -out newcert.pem -passin pass:whatever -key whatever -extensions xpserver_ext -extfile xpextensions -infiles newreq.pem # Create a PKCS#12 file from the new certificate and its private key found in newreq.pem # and place in file specified on the command line openssl pkcs12 -export -in newcert.pem -inkey newreq.pem -out $1.p12 -clcerts -passin pass:whatever -passout pass:whatever # parse the PKCS#12 file just created and produce a PEM format certificate and key in certsrv.pem openssl pkcs12 -in $1.p12 -out $1.pem -passin pass:whatever -passout pass:whatever # Convert certificate from PEM format to DER format openssl x509 -inform PEM -outform DER -in $1.pem -out $1.der # Clean Up rm -rf newert.pem newreq.pem
Matteo Lazzarini <mlazzarini@crema.unimi.it> wrote:
I made server cert with this script:
The server comes with scripts to generate the certs with the correct OID's. See the "scripts" directory. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Matteo Lazzarini <mlazzarini@crema.unimi.it> wrote:
I made server cert with this script:
The server comes with scripts to generate the certs with the correct OID's. See the "scripts" directory.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Hi, when I runned the server script I look this: ******************************************************************************** Creating client private key and certificate When prompted enter the client name in the Common Name field. This is the same used as the Username in FreeRADIUS ********************************************************************************* Generating a 1024 bit RSA private key .......++++++ ...............++++++ writing new private key to 'newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [IT]: State or Province Name (full name) [ITALY]: Locality Name (eg, city) []:Bxxxxxxxx Organization Name (eg, company) [Grupxxxxx]: Second Organization Name (eg, company) [802.1x Authentication]: Organizational Unit Name (eg, section) []:xxxx xxx Common Name (eg, YOUR name) []:matteo Email Address []:matteo@xxxxxxxxxxx Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:whatever An optional company name []: Using configuration from /usr/lib/ssl/openssl.cnf DEBUG[load_index]: unique_subject = "yes" Check that the request matches the signature Signature ok Certificate Details: Serial Number: bd:b5:64:ad:c1:0b:34:50 Validity Not Before: Aug 22 09:18:19 2006 GMT Not After : Aug 22 09:18:19 2007 GMT Subject: countryName = IT stateOrProvinceName = ITALY localityName = Bxxxxxx organizationName = Grupxxxxxx organizationName = 802.1x Authentication organizationalUnitName = xxxx xxxx commonName = matteo emailAddress = matteo@xxxxxxxx *X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication* Certificate is to be certified until Aug 22 09:18:19 2007 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated MAC verified OK Why I don't see the *X509v3 extensions *and* X509v3 Extended Key Usage*? Where are the faults in the script CA.clt and CA.srv? Thanks
Matteo Lazzarini <mlazzarini@crema.unimi.it> wrote:
Why I don't see the *X509v3 extensions *and* X509v3 Extended Key Usage*? Where are the faults in the script CA.clt and CA.srv?
Huh? What are you talking about? The certificate dump shows that it has X509v3 extensions, with an X509v3 extended key usage, with the TLS Web Client Authentication attribute. Yet you've somehow interpreted this as a problem. Why? And why not just use the certificate? It would take you 10 minutes to try it, and hours to wait for a response from the list. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
The certificate dump shows that it has X509v3 extensions, with an X509v3 extended key usage, with the TLS Web Client Authentication attribute. Yet you've somehow interpreted this as a problem. Why? And why not just use the certificate? It would take you 10 minutes to try it, and hours to wait for a response from the list. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - First of all I ask you excuse for the confusion that I have made! Now I used the CA.all script for generated the certificates but when i tryed to authenticate the client, radius show me an error and close the request. I tryed freeradius-SNAP, 1.1.1, 1.0.X, and now use 1.1.2. I have installed openssl with command apt-get install libssl-dev that they are used in order to create certs by the CA.all or other and for the Tls. It's ok? I don't understand where is the fault! The radius config? the openssl used? The AP (dlink-900AP+). What I must make? I do not know more truly what to make! :-(
"Lazzarini Matteo" <MLazzarini@crema.unimi.it> wrote:
Now I used the CA.all script for generated the certificates but when i tryed to authenticate the client, radius show me an error and close the request.
Are you willing to post the error here, and the debug output, or should we guess? Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
"Lazzarini Matteo" <MLazzarini@crema.unimi.it> wrote:
Now I used the CA.all script for generated the certificates but when i tryed to authenticate the client, radius show me an error and close the request.
Are you willing to post the error here, and the debug output, or should we guess?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
My AP is DLink-900AP+. My system is debian stable and I installed freeradius-1.1.2 and libssl-dev. I'm attach my config radius files and I'm put in the radius.log the output of this command: radiusd -X Thank for all. Matteo
Alan DeKok wrote:
"Lazzarini Matteo" <MLazzarini@crema.unimi.it> wrote:
Now I used the CA.all script for generated the certificates but when i tryed to authenticate the client, radius show me an error and close the request.
Are you willing to post the error here, and the debug output, or should we guess?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
And this is the guide that I used for my configuratios: http://www.alphacore.net/spip/article.php3?id_article=33
rad_recv: Access-Request packet from host 192.168.1.5:1218, id=97, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000d016d617263656c6c6f Message-Authenticator = 0x198e77929c34dbae3d21887e7c8fedb6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry marcello at line 223 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 97 to 192.168.1.5 port 1218 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x10ffb90c0007eb49a18f61eabd573132 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1218, id=98, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200500d800000004616030100410100003d030144eb3ca336a3103a0ffadab80df60c4e27696e763a5ebad813bc963683fff37800001600040005000a000900640062000300060013001200630100 State = 0x10ffb90c0007eb49a18f61eabd573132 Message-Authenticator = 0x3a2931277b7c91633740abd039fb5d26 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822 modcall[authorize]: module "auth_log" returns ok for request 1 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry marcello at line 223 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data * TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)* In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 98 to 192.168.1.5 port 1218 EAP-Message = 0x0103040a0dc000000835160301004a02000046030144eb3d0386a135fa7e544226488211ed9f6d798dd3b1b667ce1057e7c6f83a2120ac760e68727c64d564fa523a839ce6ca02136b0c8d2dcf15257eaa69617fec9200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x582723ed1968a3dbf4d299bf04f83d9c Finished request 1 Going to the next request Waking up in 6 seconds... Can somebody said me what for I have this fault? I have used for TLS the certs made with the CA.all script in the freeradius scripts directory. I have used also certs made with other scripts find in internet. But the error is the same.
Matteo Lazzarini wrote:
rad_recv: Access-Request packet from host 192.168.1.5:1218, id=97, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201000d016d617263656c6c6f Message-Authenticator = 0x198e77929c34dbae3d21887e7c8fedb6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822 modcall[authorize]: module "auth_log" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry marcello at line 223 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 97 to 192.168.1.5 port 1218 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x10ffb90c0007eb49a18f61eabd573132 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1218, id=98, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200500d800000004616030100410100003d030144eb3ca336a3103a0ffadab80df60c4e27696e763a5ebad813bc963683fff37800001600040005000a000900640062000300060013001200630100
State = 0x10ffb90c0007eb49a18f61eabd573132 Message-Authenticator = 0x3a2931277b7c91633740abd039fb5d26 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060822 modcall[authorize]: module "auth_log" returns ok for request 1 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry marcello at line 223 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data * TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)* In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 98 to 192.168.1.5 port 1218 EAP-Message = 0x0103040a0dc000000835160301004a02000046030144eb3d0386a135fa7e544226488211ed9f6d798dd3b1b667ce1057e7c6f83a2120ac760e68727c64d564fa523a839ce6ca02136b0c8d2dcf15257eaa69617fec9200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504
EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886
EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be
EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110
EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x582723ed1968a3dbf4d299bf04f83d9c Finished request 1 Going to the next request Waking up in 6 seconds...
Can somebody said me what for I have this fault? I have used for TLS the certs made with the CA.all script in the freeradius scripts directory. I have used also certs made with other scripts find in internet. But the error is the same.
I am continuing to make various tests but I do not resolve the problem… nobody has ideas/help?
Matteo Lazzarini wrote:
Matteo Lazzarini wrote:
I am continuing to make various tests but I do not resolve the problem… nobody has ideas/help? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
I don't know (never tried, no opportunity) how WEP, client PC and AAA server deal out the WLAN secrets, but from my logfiles using PPP as NAS on both sides it still looks like what Stefan Winter said: We have too large EAP packets, an incoming request containing the TLS Client Hello, Certificates, Cipherlist etc, and Radius replies with a similar long one containing the TLS Server Hello, Certificates, Cipherlist, etc, and the TLS request for a key exchange, I'd guess. From then on, either the XP client or the DLINK AP just choked. Thus, I'd recommend to look now more on the client side: 1) Event/Security/... logs in XP 2) Logging on the AP? There must be means to get some status/syslog messages/whatever from the device, isn't it? 3) Use Ethereal/WinPCAP on the XP client and do a capture of the WLAN interface. Verrry nice, it's even able to dissect all the TLS handshake conversation (to make sure that the right certificates are exchanged) and, if used to sniff on the RADIUS port, can also combine the EAP message fragments in the RADIUS attributes. OTOH, the french guideline is a little old by now, so I'd consider installing a super-recent version of openssl as rather harmful than necessary. Ciao, Michael
Michael Joosten wrote:
Matteo Lazzarini wrote:
Matteo Lazzarini wrote:
I am continuing to make various tests but I do not resolve the problem… nobody has ideas/help? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
I don't know (never tried, no opportunity) how WEP, client PC and AAA server deal out the WLAN secrets, but from my logfiles using PPP as NAS on both sides it still looks like what Stefan Winter said:
We have too large EAP packets, an incoming request containing the TLS Client Hello, Certificates, Cipherlist etc, and Radius replies with a similar long one containing the TLS Server Hello, Certificates, Cipherlist, etc, and the TLS request for a key exchange, I'd guess. From then on, either the XP client or the DLINK AP just choked.
Thus, I'd recommend to look now more on the client side: 1) Event/Security/... logs in XP 2) Logging on the AP? There must be means to get some status/syslog messages/whatever from the device, isn't it? 3) Use Ethereal/WinPCAP on the XP client and do a capture of the WLAN interface. Verrry nice, it's even able to dissect all the TLS handshake conversation (to make sure that the right certificates are exchanged) and, if used to sniff on the RADIUS port, can also combine the EAP message fragments in the RADIUS attributes.
OTOH, the french guideline is a little old by now, so I'd consider installing a super-recent version of openssl as rather harmful than necessary.
Ciao, Michael
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Thanks I will make as you have said… I try to make an analysis of what turns in the WLAN! Freeradius I have installed last version available (1.1.2 that it seems to work!) but I know that there is also an August version SNAPSHOT but to me it has given problems in compile and did not install me module EAP-TLS (bug Debian). The lib I have installed to them with the command apt-get install openssl libssl-dev and this is the command dphg - l|grep SSL ii libflac++5c2 1.1.2-1ubuntu2 Free Lossless Audio Codec - C++ runtime libr ii libflac7 1.1.2-1ubuntu2 Free Lossless Audio Codec - runtime C librar ii liboggflac3 1.1.2-1ubuntu2 Free Lossless Audio Codec - runtime C librar ii libssl-dev 0.9.7g-1ubuntu1.1 SSL development libraries, header files and ii libssl0.9.7 0.9.7g-1ubuntu1.1 SSL shared libraries ii libwww-ssl0 5.4.0-9ubuntu0.5.10 The W3C-WWW library (SSL support) ii openssl 0.9.7g-1ubuntu1.1 Secure Socket Layer (SSL) binary and related ii python-pyopenssl 0.6-2ubuntu1 Python wrapper around the OpenSSL library (d ii python2.4-pyopenssl 0.6-2ubuntu1 Python wrapper around the OpenSSL library, e ii ssl-cert 1.0-11 Simple debconf wrapper for openssl On the Openssl site many versions can be downloaded which 0.9.7a-x, 0.9.8a-x, ecc.. Which the correct version? Someone knows gives to me of the information to care of coupled freeradius-version&Openssl-version? anticipated thanks Matteo
Matteo Lazzarini wrote:
Thus, I'd recommend to look now more on the client side: 1) Event/Security/... logs in XP 2) Logging on the AP? There must be means to get some status/syslog messages/whatever from the device, isn't it? 3) Use Ethereal/WinPCAP on the XP client and do a capture of the WLAN interface. Verrry nice, it's even able to dissect all the TLS handshake conversation (to make sure that the right certificates are exchanged) and, if used to sniff on the RADIUS port, can also combine the EAP message fragments in the RADIUS attributes.
OTOH, the french guideline is a little old by now, so I'd consider installing a super-recent version of openssl as rather harmful than necessary.
Thanks I will make as you have said… I try to make an analysis of what turns in the WLAN!
Another idea would be to reduced&uncomment the fragment_size in eap.conf from 1024 (default) to, say, 700-800. This will change the output of the log file, as more RADIUS request and challenges are required. Unlikely that this is the reason, but still worth a try.
Freeradius I have installed last version available (1.1.2 that it seems to work!) but I know that there is also an August version SNAPSHOT but to me it has given problems in compile and did not install me module EAP-TLS (bug Debian). The lib I have installed to them with the command apt-get install openssl libssl-dev and this is the command dphg - l|grep SSL
I'm also using 0.9.7g. You can check which openssl libs a running freeradius process is using by looking at /proc/<pid of radiusd>/maps. Good Luck, Michael
Michael Joosten wrote:
Matteo Lazzarini wrote:
Thus, I'd recommend to look now more on the client side: 1) Event/Security/... logs in XP 2) Logging on the AP? There must be means to get some status/syslog messages/whatever from the device, isn't it? 3) Use Ethereal/WinPCAP on the XP client and do a capture of the WLAN interface. Verrry nice, it's even able to dissect all the TLS handshake conversation (to make sure that the right certificates are exchanged) and, if used to sniff on the RADIUS port, can also combine the EAP message fragments in the RADIUS attributes.
OTOH, the french guideline is a little old by now, so I'd consider installing a super-recent version of openssl as rather harmful than necessary.
Thanks I will make as you have said… I try to make an analysis of what turns in the WLAN!
Another idea would be to reduced&uncomment the fragment_size in eap.conf from 1024 (default) to, say, 700-800. This will change the output of the log file, as more RADIUS request and challenges are required. Unlikely that this is the reason, but still worth a try.
Thanks for the council, I will try also this
Freeradius I have installed last version available (1.1.2 that it seems to work!) but I know that there is also an August version SNAPSHOT but to me it has given problems in compile and did not install me module EAP-TLS (bug Debian). The lib I have installed to them with the command apt-get install openssl libssl-dev and this is the command dphg - l|grep SSL
I'm also using 0.9.7g. You can check which openssl libs a running freeradius process is using by looking at /proc/<pid of radiusd>/maps.
I have watched /proc/ <pid of radiusd>/maps as you have advised to me. how you have installed them the 0.9.7g? with ./config --prefix=/usr/local/openssl and then you have passed the thing during ./configure of freeradius?
Good Luck, Michael
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Freeradius I have installed last version available (1.1.2 that it seems to work!) but I know that there is also an August version SNAPSHOT but to me it has given problems in compile and did not install me module EAP-TLS (bug Debian). The lib I have installed to them with the command apt-get install openssl libssl-dev and this is the command dphg - l|grep SSL ii libflac++5c2 1.1.2-1ubuntu2 Free Lossless Audio Codec - C++ runtime libr ii libflac7 1.1.2-1ubuntu2 Free Lossless Audio Codec - runtime C librar ii liboggflac3 1.1.2-1ubuntu2 Free Lossless Audio Codec - runtime C librar ii libssl-dev 0.9.7g-1ubuntu1.1 SSL development libraries, header files and ii libssl0.9.7 0.9.7g-1ubuntu1.1 SSL shared libraries ii libwww-ssl0 5.4.0-9ubuntu0.5.10 The W3C-WWW library (SSL support) ii openssl 0.9.7g-1ubuntu1.1 Secure Socket Layer (SSL) binary and related ii python-pyopenssl 0.6-2ubuntu1 Python wrapper around the OpenSSL library (d ii python2.4-pyopenssl 0.6-2ubuntu1 Python wrapper around the OpenSSL library, e ii ssl-cert 1.0-11 Simple debconf wrapper for openssl On the Openssl site many versions can be downloaded which 0.9.7a-x, 0.9.8a-x, ecc.. Which the correct version? Someone knows gives to me of the information to care of coupled freeradius-version&Openssl-version? anticipated thanks Matteo
Ok, starting to sort this out. 1. This doesn't look like something for -devel. Please consider starting a new thread in -user with a brief write-up of the problem. But see below. 2. Stop asking for action (especially here, but nonetheless in -user). This will discourage people from answering you. 3. I more or less duplicated your setup from <44EB5C4F.2040504@crema.unimi.it>and tested it here with freeradius-1.1.2, hostapd-0.5.3, wpa_supplicant-0.5.4. It worked as you wish and should be expected. 4. It even worked with the hard Auth-Type setting in users file (changed to local environment) despite that being unnecessary and insofar wrong. Please see http://deployingradius.com/documents/configuration/auth_type.html. I cannot understand french, but at least in this respect http://www.alphacore.net/spip/article.php3?id_article=33 seems to err. 5. The error message: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase is something from openssl not to bother about (search the archive). I do even get it at this point in negotiation: (other): SSL negotiation finished successfully rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) SSL Connection Established eaptls_process returned 13 6. The radius.log you attached earlier didn't show any incoming EAP-Responses to the Challenges freeradius sent out. The snippets you keep posting since then show a part of the debug log, which doesn't exhibit a fault compared to what I'm getting here. If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly. Otherwise you should stop leaving us guessing around and post the full output. regards K. Hoercher
K. Hoercher wrote:
......... 3. I more or less duplicated your setup from <44EB5C4F.2040504@crema.unimi.it>and tested it here with freeradius-1.1.2, hostapd-0.5.3, wpa_supplicant-0.5.4. It worked as you wish and should be expected.
4. It even worked with the hard Auth-Type setting in users file (changed to local environment) despite that being unnecessary and insofar wrong. Please see http://deployingradius.com/documents/configuration/auth_type.html. I cannot understand french, but at least in this respect http://www.alphacore.net/spip/article.php3?id_article=33 seems to err.
Ok, i deleted Auth-Type setting in users file. My user now is: marcello
6. The radius.log you attached earlier didn't show any incoming EAP-Responses to the Challenges freeradius sent out. The snippets you keep posting since then show a part of the debug log, which doesn't exhibit a fault compared to what I'm getting here. If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly.
regards K. Hoercher
This is what continuous to see when start radiusd - X: rad_recv: Access-Request packet from host 192.168.1.5:1214, id=36, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0223000d016d617263656c6c6f Message-Authenticator = 0x8afce08acace447ca9a52f94717767dd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 27 modcall[authorize]: module "preprocess" returns ok for request 27 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 27 rlm_eap: EAP packet type response id 35 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 27 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 27 modcall: leaving group authorize (returns updated) for request 27 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 27 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 27 modcall: leaving group authenticate (returns handled) for request 27 Sending Access-Challenge of id 36 to 192.168.1.5 port 1214 EAP-Message = 0x012400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4a4231b4adfeba0f626bea47adfe79b3 Finished request 27 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=37, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022400500d800000004616030100410100003d030144ec5fa59a64845898c9f5ad123fc6b0198a4905db195cec34455b869c4d4b1100001600040005000a000900640062000300060013001200630100 State = 0x4a4231b4adfeba0f626bea47adfe79b3 Message-Authenticator = 0x954557a26d69418d4ec39d196da5d9b1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 28 modcall[authorize]: module "preprocess" returns ok for request 28 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 28 rlm_eap: EAP packet type response id 36 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 28 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 28 modcall: leaving group authorize (returns updated) for request 28 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 28 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 28 modcall: leaving group authenticate (returns handled) for request 28 Sending Access-Challenge of id 37 to 192.168.1.5 port 1214 EAP-Message = 0x0125040a0dc000000835160301004a02000046030144ec6005a36d16b4738f0725c7e28d3aacc9e100cee2b61fd3f8b5525dab88a12056e63ac6ba7034af4f37c7329304af510ee21461f940f7718850d502ebfad26200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd61433c363fad2062dd0ed86dd317d38 Finished request 28 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 27 ID 36 with timestamp 44ec6005 Cleaning up request 28 ID 37 with timestamp 44ec6005 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=38, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0226000d016d617263656c6c6f Message-Authenticator = 0xdc2e7392680a90e16f7675db392ae62a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 29 modcall[authorize]: module "preprocess" returns ok for request 29 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 29 rlm_eap: EAP packet type response id 38 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 29 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 29 modcall: leaving group authorize (returns updated) for request 29 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 29 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 29 modcall: leaving group authenticate (returns handled) for request 29 Sending Access-Challenge of id 38 to 192.168.1.5 port 1214 EAP-Message = 0x012700060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbe099fcd698213125f5c1f9b6f57edf0 Finished request 29 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=39, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022700500d800000004616030100410100003d030144ec5fc3b3c0a02d79dde2cbaee6994cb365bda0921afe69fea98cf513ae68be00001600040005000a000900640062000300060013001200630100 State = 0xbe099fcd698213125f5c1f9b6f57edf0 Message-Authenticator = 0xd6d1ed5825fe4c35f5a1d60b5898697c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 30 modcall[authorize]: module "preprocess" returns ok for request 30 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 30 rlm_eap: EAP packet type response id 39 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 30 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 30 modcall: leaving group authorize (returns updated) for request 30 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 30 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 30 modcall: leaving group authenticate (returns handled) for request 30 Sending Access-Challenge of id 39 to 192.168.1.5 port 1214 EAP-Message = 0x0128040a0dc000000835160301004a02000046030144ec602379b9029259e24bf1b103bb550102f05bfed202c361b441e98891a58c20c0328494ad8c1af13e31715a0d7c244a442af30d449dd3b72f9811946120d00200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x20848349a7d8931898eab18b497b7eaa Finished request 30 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 29 ID 38 with timestamp 44ec6023 Cleaning up request 30 ID 39 with timestamp 44ec6023 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=40, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0229000d016d617263656c6c6f Message-Authenticator = 0xa1721cbe7301b0520d0be5a419388965 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 31 modcall[authorize]: module "preprocess" returns ok for request 31 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 31 rlm_eap: EAP packet type response id 41 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 31 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 31 modcall: leaving group authorize (returns updated) for request 31 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 31 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 31 modcall: leaving group authenticate (returns handled) for request 31 Sending Access-Challenge of id 40 to 192.168.1.5 port 1214 EAP-Message = 0x012a00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e1434ca3d57d931af8880e288a906a5 Finished request 31 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=41, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022a00500d800000004616030100410100003d030144ec5fe1afe282c139685d0cc920d57ec74fadd16301b2b11d962a4c48167e9a00001600040005000a000900640062000300060013001200630100 State = 0x6e1434ca3d57d931af8880e288a906a5 Message-Authenticator = 0x562492cb1ddbe4fe6e6f26676b04641a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 32 modcall[authorize]: module "preprocess" returns ok for request 32 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 32 rlm_eap: EAP packet type response id 42 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 32 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 32 modcall: leaving group authorize (returns updated) for request 32 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 32 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 32 modcall: leaving group authenticate (returns handled) for request 32 Sending Access-Challenge of id 41 to 192.168.1.5 port 1214 EAP-Message = 0x012b040a0dc000000835160301004a02000046030144ec6041b7dd765e8e8522dafce7f647e1e3f83e07194d2445c0e8ed0f6eb448205e608aec3f12e3763220cc2838cfe79c1a371553d637835c640b8cf3fa9ea46c00040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9750d7b7c4f4c25d35382ef3c495bf3 Finished request 32 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 31 ID 40 with timestamp 44ec6041 Cleaning up request 32 ID 41 with timestamp 44ec6041 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=42, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022c000d016d617263656c6c6f Message-Authenticator = 0x490a18c23fc91fdc1c9b8e643b1e369c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 33 modcall[authorize]: module "preprocess" returns ok for request 33 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 33 rlm_eap: EAP packet type response id 44 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 33 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 33 modcall: leaving group authorize (returns updated) for request 33 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 33 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 33 modcall: leaving group authenticate (returns handled) for request 33 Sending Access-Challenge of id 42 to 192.168.1.5 port 1214 EAP-Message = 0x012d00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03c28905812b5b3f6b129e967146cf6f Finished request 33 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=43, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc76fd1cd92cf4a616ed25f594f37b078d23151e633e7adbaa807d00001600040005000a000900640062000300060013001200630100 State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 34 modcall[authorize]: module "preprocess" returns ok for request 34 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 34 rlm_eap: EAP packet type response id 45 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 34 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 34 modcall: leaving group authorize (returns updated) for request 34 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 34 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 34 modcall: leaving group authenticate (returns handled) for request 34 Sending Access-Challenge of id 43 to 192.168.1.5 port 1214 EAP-Message = 0x012e040a0dc000000835160301004a02000046030144ec605fb82c174431ef92debba911fd499931199bf231f28652609ac0b808f6200f53f7874c685ad093cdc266a254182b21efc28655f8deb62304a41f7a23f9d500040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeacc5432cc73aaa14a0bb9aae4a1c3cb Finished request 34 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 33 ID 42 with timestamp 44ec605f Cleaning up request 34 ID 43 with timestamp 44ec605f Probably it is like you said; "If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly."... The clients system is Windows XP SP2 and I used the default supplicant. It is subject to particular problems? Many guides speak about as to configure an win xp supplicant and I have made like they without to change nothing. They could be the certs not-compatible? It could be AP not to send the messages correctly? The AP's log are very poors. Only see the Access-Request from the user "marcello". Aug/23/2006 16:48:48 Send Accounting logout message marcello Aug/23/2006 16:48:48 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:48 state: paeDISCONNECTED Aug/23/2006 16:48:43 EAP-Request/Identity Aug/23/2006 16:48:38 EAP-Request/Identity Aug/23/2006 16:48:33 EAP-Request/Identity Aug/23/2006 16:48:28 EAP-Request/Identity Aug/23/2006 16:48:23 EAP-Request/Identity Aug/23/2006 16:48:18 EAP-Request/Identity Aug/23/2006 16:48:13 EAP-Request/Identity Aug/23/2006 16:48:08 EAP-Request/Identity Aug/23/2006 16:48:04 Authentication timeout 00-0C-F1-15-17-59 Aug/23/2006 16:48:04 EAP-Request/Identity Aug/23/2006 16:48:04 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:04 EAP-Request/Identity Aug/23/2006 16:48:04 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:00 EAP-Response/Identity marcello Aug/23/2006 16:48:00 EAP-Request/Identity Aug/23/2006 16:47:56 Authentication timeout 00-0C-F1-15-17-59 Aug/23/2006 16:47:56 EAP-Request/Identity Aug/23/2006 16:47:56 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:47:52 EAP-Response/Identity marcello Aug/23/2006 16:47:52 EAP-Request/Identity This is a .../radacct/192.168.1.5/auth-detail-20060823 log file: Packet-Type = Access-Request Wed Aug 23 16:04:15 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc7$ State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Packet-Type = Access-Request Wed Aug 23 16:04:15 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc76fd1cd92cf4a616ed25f594f37b078d23151e633e7adbaa807d00001600040005000a0009006$ State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Client-IP-Address = 192.168.1.5 Packet-Type = Access-Request Wed Aug 23 16:54:41 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207000d016d617263656c6c6f Message-Authenticator = 0x35dce2ba502963e6a55781a6863ee665 Client-IP-Address = 192.168.1.5 Packet-Type = Access-Request Wed Aug 23 16:54:41 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800500d800000004616030100410100003d030144ec6bd18e05eb916c88e10b9cc8e5b620271365a5b4ea1f40965f1b1d18a19600001600040005000a0009006$ State = 0xfd9cd50d382b9c1e0da734eb064d896d Message-Authenticator = 0xb4f18cd8d063fcdc0b2291f37307a047 Client-IP-Address = 192.168.1.5
Matteo Lazzarini <mlazzarini@crema.unimi.it> wrote:
The clients system is Windows XP SP2 and I used the default supplicant. It is subject to particular problems?
Yes. There's a knowledge base article about it. SP2 breaks inter-operability with non-MS RADIUS servers. I don't recall the link, though. We should probably include the link in eap.conf. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Alan DeKok wrote:
Matteo Lazzarini <mlazzarini@crema.unimi.it> wrote:
The clients system is Windows XP SP2 and I used the default supplicant. It is subject to particular problems?
Yes. There's a knowledge base article about it. SP2 breaks inter-operability with non-MS RADIUS servers. I don't recall the link, though. We should probably include the link in eap.conf.
You are saying to me that in order to authenticate the clients I must remove the SP2 from the PC? And How supplicant goes well that one of win xp or for a better management of the TLS it is better to install an other supplicant?
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
Matteo Lazzarini <mlazzarini@crema.unimi.it> wrote:
You are saying to me that in order to authenticate the clients I must remove the SP2 from the PC?
No. I'm saying there's a fix provided by Microsof in one of their knowledge base articles. But they don't make the fix easy to find. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
K. Hoercher wrote:
......... 3. I more or less duplicated your setup from <44EB5C4F.2040504@crema.unimi.it>and tested it here with freeradius-1.1.2, hostapd-0.5.3, wpa_supplicant-0.5.4. It worked as you wish and should be expected.
4. It even worked with the hard Auth-Type setting in users file (changed to local environment) despite that being unnecessary and insofar wrong. Please see http://deployingradius.com/documents/configuration/auth_type.html. I cannot understand french, but at least in this respect http://www.alphacore.net/spip/article.php3?id_article=33 seems to err.
Ok, i deleted Auth-Type setting in users file. My user now is: marcello
6. The radius.log you attached earlier didn't show any incoming EAP-Responses to the Challenges freeradius sent out. The snippets you keep posting since then show a part of the debug log, which doesn't exhibit a fault compared to what I'm getting here. If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly.
regards K. Hoercher
This is what continuous to see when start radiusd - X: rad_recv: Access-Request packet from host 192.168.1.5:1214, id=36, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0223000d016d617263656c6c6f Message-Authenticator = 0x8afce08acace447ca9a52f94717767dd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 27 modcall[authorize]: module "preprocess" returns ok for request 27 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 27 rlm_eap: EAP packet type response id 35 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 27 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 27 modcall: leaving group authorize (returns updated) for request 27 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 27 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 27 modcall: leaving group authenticate (returns handled) for request 27 Sending Access-Challenge of id 36 to 192.168.1.5 port 1214 EAP-Message = 0x012400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4a4231b4adfeba0f626bea47adfe79b3 Finished request 27 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=37, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022400500d800000004616030100410100003d030144ec5fa59a64845898c9f5ad123fc6b0198a4905db195cec34455b869c4d4b1100001600040005000a000900640062000300060013001200630100 State = 0x4a4231b4adfeba0f626bea47adfe79b3 Message-Authenticator = 0x954557a26d69418d4ec39d196da5d9b1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 28 modcall[authorize]: module "preprocess" returns ok for request 28 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 28 rlm_eap: EAP packet type response id 36 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 28 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 28 modcall: leaving group authorize (returns updated) for request 28 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 28 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 28 modcall: leaving group authenticate (returns handled) for request 28 Sending Access-Challenge of id 37 to 192.168.1.5 port 1214 EAP-Message = 0x0125040a0dc000000835160301004a02000046030144ec6005a36d16b4738f0725c7e28d3aacc9e100cee2b61fd3f8b5525dab88a12056e63ac6ba7034af4f37c7329304af510ee21461f940f7718850d502ebfad26200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd61433c363fad2062dd0ed86dd317d38 Finished request 28 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 27 ID 36 with timestamp 44ec6005 Cleaning up request 28 ID 37 with timestamp 44ec6005 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=38, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0226000d016d617263656c6c6f Message-Authenticator = 0xdc2e7392680a90e16f7675db392ae62a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 29 modcall[authorize]: module "preprocess" returns ok for request 29 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 29 rlm_eap: EAP packet type response id 38 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 29 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 29 modcall: leaving group authorize (returns updated) for request 29 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 29 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 29 modcall: leaving group authenticate (returns handled) for request 29 Sending Access-Challenge of id 38 to 192.168.1.5 port 1214 EAP-Message = 0x012700060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbe099fcd698213125f5c1f9b6f57edf0 Finished request 29 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=39, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022700500d800000004616030100410100003d030144ec5fc3b3c0a02d79dde2cbaee6994cb365bda0921afe69fea98cf513ae68be00001600040005000a000900640062000300060013001200630100 State = 0xbe099fcd698213125f5c1f9b6f57edf0 Message-Authenticator = 0xd6d1ed5825fe4c35f5a1d60b5898697c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 30 modcall[authorize]: module "preprocess" returns ok for request 30 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 30 rlm_eap: EAP packet type response id 39 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 30 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 30 modcall: leaving group authorize (returns updated) for request 30 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 30 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 30 modcall: leaving group authenticate (returns handled) for request 30 Sending Access-Challenge of id 39 to 192.168.1.5 port 1214 EAP-Message = 0x0128040a0dc000000835160301004a02000046030144ec602379b9029259e24bf1b103bb550102f05bfed202c361b441e98891a58c20c0328494ad8c1af13e31715a0d7c244a442af30d449dd3b72f9811946120d00200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x20848349a7d8931898eab18b497b7eaa Finished request 30 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 29 ID 38 with timestamp 44ec6023 Cleaning up request 30 ID 39 with timestamp 44ec6023 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=40, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0229000d016d617263656c6c6f Message-Authenticator = 0xa1721cbe7301b0520d0be5a419388965 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 31 modcall[authorize]: module "preprocess" returns ok for request 31 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 31 rlm_eap: EAP packet type response id 41 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 31 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 31 modcall: leaving group authorize (returns updated) for request 31 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 31 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 31 modcall: leaving group authenticate (returns handled) for request 31 Sending Access-Challenge of id 40 to 192.168.1.5 port 1214 EAP-Message = 0x012a00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e1434ca3d57d931af8880e288a906a5 Finished request 31 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=41, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022a00500d800000004616030100410100003d030144ec5fe1afe282c139685d0cc920d57ec74fadd16301b2b11d962a4c48167e9a00001600040005000a000900640062000300060013001200630100 State = 0x6e1434ca3d57d931af8880e288a906a5 Message-Authenticator = 0x562492cb1ddbe4fe6e6f26676b04641a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 32 modcall[authorize]: module "preprocess" returns ok for request 32 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 32 rlm_eap: EAP packet type response id 42 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 32 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 32 modcall: leaving group authorize (returns updated) for request 32 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 32 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 32 modcall: leaving group authenticate (returns handled) for request 32 Sending Access-Challenge of id 41 to 192.168.1.5 port 1214 EAP-Message = 0x012b040a0dc000000835160301004a02000046030144ec6041b7dd765e8e8522dafce7f647e1e3f83e07194d2445c0e8ed0f6eb448205e608aec3f12e3763220cc2838cfe79c1a371553d637835c640b8cf3fa9ea46c00040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9750d7b7c4f4c25d35382ef3c495bf3 Finished request 32 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 31 ID 40 with timestamp 44ec6041 Cleaning up request 32 ID 41 with timestamp 44ec6041 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=42, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022c000d016d617263656c6c6f Message-Authenticator = 0x490a18c23fc91fdc1c9b8e643b1e369c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 33 modcall[authorize]: module "preprocess" returns ok for request 33 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 33 rlm_eap: EAP packet type response id 44 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 33 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 33 modcall: leaving group authorize (returns updated) for request 33 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 33 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 33 modcall: leaving group authenticate (returns handled) for request 33 Sending Access-Challenge of id 42 to 192.168.1.5 port 1214 EAP-Message = 0x012d00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03c28905812b5b3f6b129e967146cf6f Finished request 33 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=43, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc76fd1cd92cf4a616ed25f594f37b078d23151e633e7adbaa807d00001600040005000a000900640062000300060013001200630100 State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 34 modcall[authorize]: module "preprocess" returns ok for request 34 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 34 rlm_eap: EAP packet type response id 45 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 34 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 34 modcall: leaving group authorize (returns updated) for request 34 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 34 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 34 modcall: leaving group authenticate (returns handled) for request 34 Sending Access-Challenge of id 43 to 192.168.1.5 port 1214 EAP-Message = 0x012e040a0dc000000835160301004a02000046030144ec605fb82c174431ef92debba911fd499931199bf231f28652609ac0b808f6200f53f7874c685ad093cdc266a254182b21efc28655f8deb62304a41f7a23f9d500040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeacc5432cc73aaa14a0bb9aae4a1c3cb Finished request 34 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 33 ID 42 with timestamp 44ec605f Cleaning up request 34 ID 43 with timestamp 44ec605f Probably it is like you said; "If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly."... The clients system is Windows XP SP2 and I used the default supplicant. It is subject to particular problems? Many guides speak about as to configure an win xp supplicant and I have made like they without to change nothing. They could be the certs not-compatible? It could be AP not to send the messages correctly? The AP's log are very poors. Only see the Access-Request from the user "marcello". Aug/23/2006 16:48:48 Send Accounting logout message marcello Aug/23/2006 16:48:48 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:48 state: paeDISCONNECTED Aug/23/2006 16:48:43 EAP-Request/Identity Aug/23/2006 16:48:38 EAP-Request/Identity Aug/23/2006 16:48:33 EAP-Request/Identity Aug/23/2006 16:48:28 EAP-Request/Identity Aug/23/2006 16:48:23 EAP-Request/Identity Aug/23/2006 16:48:18 EAP-Request/Identity Aug/23/2006 16:48:13 EAP-Request/Identity Aug/23/2006 16:48:08 EAP-Request/Identity Aug/23/2006 16:48:04 Authentication timeout 00-0C-F1-15-17-59 Aug/23/2006 16:48:04 EAP-Request/Identity Aug/23/2006 16:48:04 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:04 EAP-Request/Identity Aug/23/2006 16:48:04 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:00 EAP-Response/Identity marcello Aug/23/2006 16:48:00 EAP-Request/Identity Aug/23/2006 16:47:56 Authentication timeout 00-0C-F1-15-17-59 Aug/23/2006 16:47:56 EAP-Request/Identity Aug/23/2006 16:47:56 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:47:52 EAP-Response/Identity marcello Aug/23/2006 16:47:52 EAP-Request/Identity This is a .../radacct/192.168.1.5/auth-detail-20060823 log file: Packet-Type = Access-Request Wed Aug 23 16:04:15 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc7$ State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Packet-Type = Access-Request Wed Aug 23 16:04:15 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc76fd1cd92cf4a616ed25f594f37b078d23151e633e7adbaa807d00001600040005000a0009006$ State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Client-IP-Address = 192.168.1.5 Packet-Type = Access-Request Wed Aug 23 16:54:41 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207000d016d617263656c6c6f Message-Authenticator = 0x35dce2ba502963e6a55781a6863ee665 Client-IP-Address = 192.168.1.5 Packet-Type = Access-Request Wed Aug 23 16:54:41 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800500d800000004616030100410100003d030144ec6bd18e05eb916c88e10b9cc8e5b620271365a5b4ea1f40965f1b1d18a19600001600040005000a0009006$ State = 0xfd9cd50d382b9c1e0da734eb064d896d Message-Authenticator = 0xb4f18cd8d063fcdc0b2291f37307a047 Client-IP-Address = 192.168.1.5
K. Hoercher wrote:
Ok, starting to sort this out.
1. This doesn't look like something for -devel. Please consider starting a new thread in -user with a brief write-up of the problem. But see below.
2. Stop asking for action (especially here, but nonetheless in -user). This will discourage people from answering you.
3. I more or less duplicated your setup from <44EB5C4F.2040504@crema.unimi.it>and tested it here with freeradius-1.1.2, hostapd-0.5.3, wpa_supplicant-0.5.4. It worked as you wish and should be expected.
Can I know for what uses hostapd-0.5.3? Thanks
regards K. Hoercher - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html
participants (6)
-
Alan DeKok -
K. Hoercher -
Lazzarini Matteo -
Matteo Lazzarini -
Michael Joosten -
Stefan Winter