On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik <tnt@kalik.net> wrote:
Problem was solved thanks to Ivan assistance, Main problem was on switch side and its configuration, Second problem was - proper certificate to proper certificate store And third - in my head :).
OK. Now that you have established that client certificates signed by CA work with XP SP3, can you check if server signed certificates (made by original Makefile) also work, or is XP SP3 rejecting them. Could you report to the list with the result.
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No, standard Makefile is no working freeradius -X output: Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 160 to 192.168.5.206 port 1812 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf EAP-Message = 0x02010006030d Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/tls [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 161 to 192.168.5.206 port 1812 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0a8a026e0b880fea4f51a121d61eb2bf Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162, length=224 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x0a8a026e0b880fea4f51a121d61eb2bf EAP-Message = 0x020200500d800000004616030100410100003d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f569400001600040005000a0009006400 62000300060013001200630100 Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 2 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 162 to 192.168.5.206 port 1812 EAP-Message = 0x010304000dc00000093d160301002a0200002603014a1fb649f90a6e4db1414f2a91473940c7257976a7dbb0150b8771d1c403998300000400160301085e0b00085a00 08570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d0603550408130652616469757331123010060355040713 09536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d45 78616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303532303133303535305a170d3130303532303133303535305a307c310b3009060355040613024652310f300d06035504081306526164697573311530 13060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e 406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d1c880577d809eac3b12eeb843eaad382da99c2de125a840a49f25585bbb8186bb93 22a8dba7f08cfe901a0d85b6b0865e816b927a48f72d2e066f57f711 EAP-Message = 0xe6361d191beba216660aa6a1e4aa5fc2ab00aa67456586c42e40e8ecccb851425851581fbe189de1440b882ca86211a4c71ffb13823f942f0dc36af3b7fa38f2a59933 35dd63e56edef32a7eccc3054088fc2da16f50674092656c86e715c5582bfafd3dd4ff47c03ac93829f8a3db1acc30b55144788d6d77c9ddaab9006efe0deec77e93c0a449375491f79a7c68e7efeb 3b47d0b5c18496281016dad45ff47b34e172c445007c0151d73468807f131e2f433136061d6761f2450607fac932b6f90203010001a317301530130603551d25040c300a06082b0601050507030130 0d06092a864886f70d010104050003820101003f38caf011d81255ce EAP-Message = 0xe6aa7a0d3ba87fa4c7bae364e4f0329d1b193d7ba36ba7506af0eb0e783e88ccc4b6a34a346a578ec3d12edef4f0060a34f42d1163b33f950397ac5ff566d3a4ca3ff0 4169eae2baf3203a4cde15b30f774640d16727fb1ed7a189f518031bd482626199bd62d7f603f4d665fc2955e82fbf7fea03efb4a676c2deb868043cd4cd6bd0dba790b710406de0c68dada48b0327 1cd2153384e1a34b3d401edc3476a318f0b91febcb797e4f3da9e9a4e48bce8456bf2c950e767dac3e967835fa537e35adfaec26159f681911208c6e401147b85dd66842131b373483503d14a3c705 6560dcaa282bfdeb9a3b70447093641032cbad777eee0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0a8a026e08890fea4f51a121d61eb2bf Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=163, length=150 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x0a8a026e08890fea4f51a121d61eb2bf EAP-Message = 0x020300060d00 Message-Authenticator = 0x528ebb6278cb97676edaa2345aaf2f10 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 163 to 192.168.5.206 port 1812 EAP-Message = 0x010404000dc00000093d00e274f9526898aa5c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504081306526164697573 3112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126 30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303532303133303535305a170d3130303532303133303535305a308193310b30090603 55040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d70 6c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100 abfd23d2502cc6f6f29c367e592227c9b4ef02e40b02e8468d7c2087197a03bf4bab18c57c3c2501782b9c5a979b2806b42b6062e213319daaf4d5a27984953ebce5433a1be4a5716b94e8979cc24c 1dd525d86fc14543b1380ce3f8fc126780193e7ec5bf3abe590b970b EAP-Message = 0x4d5a1ea02ae515af74cfce42c5bb10d0cc620412a14f623c34fbca4fb9b8ee66b04b7cfff1a278a54ac69fa675a4a9ca6605689319fc5307c4b6f9fae8f653d9b7ecbd 854cf4b667de8c895c7f849df8c9362711fa703b4ed0a8f63504ded0fda6ae0dd472793766c3124dcb42cdbb25dca397db3f841ce13dfbbc10c8848bd39d43a2620e8e0c95b1a35891fcce33359f38 0a29650203010001a381fb3081f8301d0603551d0e04160414123ff562737fc2d9bc6d96afae6f4337c08846a73081c80603551d230481c03081bd8014123ff562737fc2d9bc6d96afae6f4337c088 46a7a18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f7 0d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e274f9526898aa5c300c060355 1d13040530030101ff300d06092a864886f70d0101050500038201010043cf9119db5dd9fe4f21b6e809f5e244dbfc6aee7866316441a9db5f3c4abae403f9012c8a4348a12c9ba24e02b188746872 56dfd374cb8ccfe6cfd9932ce2f4a03f1f695b221f97550e9510185c EAP-Message = 0x2c53e4c88640391d8a02fe15 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0a8a026e098e0fea4f51a121d61eb2bf Finished request 3. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=164, length=150 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x0a8a026e098e0fea4f51a121d61eb2bf EAP-Message = 0x020400060d00 Message-Authenticator = 0xc5e0fca3b00a3878caa40e8d9b79618a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 164 to 192.168.5.206 port 1812 EAP-Message = 0x0105015b0d800000093de20bb9019906632f477573ee5ce336970857546c707151916f52825101b95c005509c9ba6c631dc4ed44105ec67210fff11968122772734826 f9998404c54b4c828a81726a1992a010b065e299b3cf573365d6d52f47285e9e2d27e39df13e75936e03eb9827f9b9b99747cdb9ce186baad8104b24275e45984252a2615f35d2f620510128bd0d6e 5071c1006aba908c75b5d13e2aba260bd84e7c40e9703eec9c02be07071a16030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975 733112301006035504071309536f6d65776865726531153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c 6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf Finished request 4. Going to the next request Waking up in 4.6 seconds. rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=165, length=1645 NAS-IP-Address = 192.168.5.206 NAS-Port = 50046 NAS-Port-Type = Ethernet User-Name = "user@example.com" Called-Station-Id = "00-0C-30-81-9B-EE" Calling-Station-Id = "00-0A-E4-13-1A-02" Service-Type = Framed-User Framed-MTU = 1500 State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf EAP-Message = 0x020505d30d80000005c916030105990b0003890003860003833082037f30820267a003020102020104300d06092a864886f70d0101040500307c310b30090603550406 13024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053657276657220436572746966696361 74653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039303532393130313133385a170d3130303532393130313133385a3071310b30090603550406 13024652310f300d0603550408130652616469757331153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e311930170603550403141075736572406578616d706c652e636f6d311f301d06092a864886f70d010901161075736572406578 616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf797e10a06c11b69b3304655b17de55f2bbf74109065f46a5fc85f3d49432b7f9630ad995 94c793671ca8e6ee900dda23e4f384c5080c584e87c18935f83fe34340723e7062374a02ea13a82e0599f15f970c4b2249038b17779363caf16e77a273a29b3b4b27c63c04daa06dff67f09fe5c346 b9a634952197a7a378f588dbd13c9e70c94d125cfc263585872ec9dc EAP-Message = 0xb7a1fdf853e5585bcc9b90a01181b757e54215196986c919ca8a09811f6bbd629417b8b108e316bdbc520d324a4ea0c84d7169036a4d134fbc5889e7cb5a00648a3869 a34b426482ca8721d57ed809afc580f78cabce08ede364da1604dd27c8ebc4b49ad210539a0b0452c77a84945f0203010001a317301530130603551d25040c300a06082b06010505070302300d0609 2a864886f70d01010405000382010100b824bac6618246aa3df9d6a50c2ee5161cac3b6979193f3a2b82017dd415abee24b0e3d45a7490b0bf73cea8125e6acbd364f910cd4fb76c813504ef819d49 53b840353c432536b7d9c6eabe1fd266a71e42f3efa0b685416aeec4 EAP-Message = 0x1c43c72fcfaa119600f722e0309cb3ee7358bf499eeb015ebb3f205258edaf49e8cd737d066acfc9172eff5d586171aca8b684ec3f2e3c9d2d4338600e43b6464f850f c5f82537af003b3fd6af7458e8abc3f71b2981660f52f2ffd4c0f320c0f61268fad45021cc7a18134d4dd6c0f3909d2d9da7c79c1b35fa4abdc83d42f41c6be15cda3eae7a7f961ceae952db3f3ece b2533471b9262285871b286198e5a994ceed7810000102010039799a4cff52d1c4e26c86166903bf17c9995b9ced533f0c9f8607a63095f6ac1b06aef1a43ae26cdf4efbff5ffa6be61c7a551cb888 6900003592ae9b0656db3188691c3685baa18351172711a7f3656d7f EAP-Message = 0x541c37b660b38ca9b136e3a4a0446e9af1cfb098ae8b935edaec3423d12e666ccc7394988ba43de7aa7e59bc0c16830a822c9adb78b80190c7ee4ad5e85246d351cb23 e8ed045d5ba855191dd90784e5e06b435ee430709329b64e21dd1fed49ef235a759e68b7a7d31c04cda9d84362bcdecf6aba073cbcd70b0a4a0713a1488ab498cad52e8d937637d8990833fcc72573 178c254b45399a002b04374408e90bd023633f35c0a2593abfda231e0f0001020100097d445b7c7219aead21140d9101c9f7f9da2024b9d531cbd6e226fb458e51e350aeadb3b4cd04fc8edfd6ec9c fd0fd89c556cfda7c8f9c259add11a4e338adebf2929678b78a4557c EAP-Message = 0x33e61e8c1eb9208357b3188d97057cf314eed12077b984678370924b24909a62d0957b26d8757621f7f325fe3087b7a2a0e9d81bb19abe4e5a6ddf7cf6c526a536a2ab c37815c8b4a95040805674491dbf3408cc4cb95f782a50afc5131d7560683e453ae98e0b873bd725fed496dc9305802fa79acb7b8de28e12962898174594d4c2685dc0f604b2a4cc6f39c4643e581e f497d854bcec7c66c52961f02643bd97f57d4c7ab39ff1a018c4ff4e1eb6a76c8bf8adb1b414030100010116030100201a0a68bdcf37fc694fe9d7ed1bec7d348371c6ebe1612d3a28e43d3db5dc8b 28 Message-Authenticator = 0x15cf2cb082e9388a241090a905703ecc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1481 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 038d], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [user@example.com/<via Auth-Type = EAP>] (from client private-network-2 port 50046 cli 00-0A-E4-13-1A-02) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> user@example.com attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 165 to 192.168.5.206 port 1812 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.5 seconds. Cleaning up request 0 ID 160 with timestamp +10 Cleaning up request 1 ID 161 with timestamp +10 Cleaning up request 2 ID 162 with timestamp +10 Cleaning up request 3 ID 163 with timestamp +10 Cleaning up request 4 ID 164 with timestamp +10 Waking up in 1.1 seconds. Cleaning up request 5 ID 165 with timestamp +10 Ready to process requests.