9 Jan
2019
9 Jan
'19
7:51 p.m.
Here is the differences.
1. line 755
- Fail(Ubuntu Supplicant)
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Got final TLS record fragment (172 bytes)
(1) eap_tls: WARNING: Total received TLS record fragments (172 bytes),
does not equal indicated TLS record length (0 bytes)
(1) eap_tls: [eaptls verify] = ok
(1) eap_tls: Done initial handshake
(1) eap_tls: (other): before SSL initialization
- Success(Win10 Supplicant)
(1) eap_tls: Continuing EAP-TLS
(1) eap_tls: Peer indicated complete TLS record size will be 156 bytes
(1) eap_tls: Got complete TLS record (156 bytes)
(1) eap_tls: [eaptls verify] = length included
(1) eap_tls: (other): before SSL initialization
2. line 1016~
- Fail(Ubuntu Supplicant)
..Cleaning up request .... After that, nothing more happens.
- Success(Win10 Supplicant)
(4) Cleaning up request packet ID 0 with timestamp +11
(5) Received Access-Request Id 0 from 223.171.35.38:6820 to
10.10.1.238:1812 length 1644
(5) User-Name = "user@example.org"
(5) NAS-IP-Address = 192.168.0.10
(5) Called-Station-Id = "704f573b432b"
(5) Calling-Station-Id = "701ce7ea7851"
(5) NAS-Identifier = "704f573b432b"
(5) NAS-Port = 67
(5) Framed-MTU = 1400
(5) State = 0x8e60f0b08a65fd23980d5523ba0ace4e
(5) NAS-Port-Type = Wireless-802.11
(5) EAP-Message =
0x020505d40dc000000863160303082b0b0005d90005d60005d3308205cf308203b7a003020102020102300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c
(5) Message-Authenticator = 0xdc7992ea8fa49c9e68d4a1c633b8e72a
(5) session-state: No cached attributes
(5) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> TRUE
(5) if (&User-Name) {
(5) if (&User-Name =~ / /) {
(5) if (&User-Name =~ / /) -> FALSE
(5) if (&User-Name =~ /@[^@]*@/ ) {
(5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(5) if (&User-Name =~ /\.\./ ) {
(5) if (&User-Name =~ /\.\./ ) -> FALSE
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(5) if (&User-Name =~ /\.$/) {
(5) if (&User-Name =~ /\.$/) -> FALSE
(5) if (&User-Name =~ /@\./) {
(5) if (&User-Name =~ /@\./) -> FALSE
(5) } # if (&User-Name) = notfound
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Checking for suffix after "@"
(5) suffix: Looking up realm "example.org" for User-Name = "user@example.org"
(5) suffix: No such realm "example.org"
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 1492
(5) eap: No EAP Start, assuming it's an on-going EAP conversation
(5) [eap] = updated
(5) [files] = noop
(5) [expiration] = noop
(5) [logintime] = noop
(5) [pap] = noop
(5) } # authorize = updated
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0x8e60f0b08a65fd23
(5) eap: Finished EAP session with state 0x8e60f0b08a65fd23
(5) eap: Previous EAP request found for state 0x8e60f0b08a65fd23,
released from the list
(5) eap: Peer sent packet with method EAP TLS (13)
(5) eap: Calling submodule eap_tls to process data
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Peer indicated complete TLS record size will be 2147 bytes
(5) eap_tls: Expecting 2 TLS record fragments
(5) eap_tls: Got first TLS record fragment (1482 bytes). Peer
indicated more fragments to follow
(5) eap_tls: [eaptls verify] = first fragment
(5) eap_tls: ACKing Peer's TLS record fragment
(5) eap_tls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 6
(5) eap: EAP session adding &reply:State = 0x8e60f0b08b66fd23
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 0 from 10.10.1.238:1812 to
223.171.35.38:6820 length 0
(5) EAP-Message = 0x010600060d00
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0x8e60f0b08b66fd23980d5523ba0ace4e
(5) Finished request
Waking up in 4.9 seconds.
(5) Cleaning up request packet ID 0 with timestamp +12
(6) Received Access-Request Id 0 from 223.171.35.38:6820 to
10.10.1.238:1812 length 817
(6) User-Name = "user@example.org"
(6) NAS-IP-Address = 192.168.0.10
(6) Called-Station-Id = "704f573b432b"
(6) Calling-Station-Id = "701ce7ea7851"
(6) NAS-Identifier = "704f573b432b"
(6) NAS-Port = 67
(6) Framed-MTU = 1400
(6) State = 0x8e60f0b08b66fd23980d5523ba0ace4e
(6) NAS-Port-Type = Wireless-802.11
(6) EAP-Message =
0x0206029f0d00a06ba6d17bb2b23af5592f7869f3944354812009850aa10a1000004241040621ae2eeb0e919d182c58c1a0b6418597140a8126dfb072d53a71a3aedc4f5bb694102ce204a9feabf416d66b3d1774c9b0008f8e29b7e3604c92229068d59d0f00020404010200986749316e430239a36533
(6) Message-Authenticator = 0x26d43af12e94d7f008ff4f11f2778327
(6) session-state: No cached attributes
(6) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: Looking up realm "example.org" for User-Name = "user@example.org"
(6) suffix: No such realm "example.org"
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 671
(6) eap: No EAP Start, assuming it's an on-going EAP conversation
(6) [eap] = updated
(6) [files] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = noop
(6) } # authorize = updated
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0x8e60f0b08b66fd23
(6) eap: Finished EAP session with state 0x8e60f0b08b66fd23
(6) eap: Previous EAP request found for state 0x8e60f0b08b66fd23,
released from the list
(6) eap: Peer sent packet with method EAP TLS (13)
(6) eap: Calling submodule eap_tls to process data
(6) eap_tls: Continuing EAP-TLS
(6) eap_tls: Got final TLS record fragment (665 bytes)
(6) eap_tls: [eaptls verify] = ok
(6) eap_tls: Done initial handshake
(6) eap_tls: TLS_accept: SSLv3/TLS write server done
(6) eap_tls: <<< recv TLS 1.2 [length 05dd]
(6) eap_tls: Creating attributes from certificate OIDs
(6) eap_tls: TLS-Cert-Serial := "9b8908b10ad4e429"
(6) eap_tls: TLS-Cert-Expiration := "240107092124Z"
(6) eap_tls: TLS-Cert-Subject :=
"/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin@example.org/CN=Example Certificate Authority"
(6) eap_tls: TLS-Cert-Issuer :=
"/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin@example.org/CN=Example Certificate Authority"
(6) eap_tls: TLS-Cert-Common-Name := "Example Certificate Authority"
(6) eap_tls: Creating attributes from certificate OIDs
(6) eap_tls: TLS-Client-Cert-Serial := "02"
(6) eap_tls: TLS-Client-Cert-Expiration := "200108092126Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example
Inc./CN=user@example.org/emailAddress=user@example.org"
(6) eap_tls: TLS-Client-Cert-Issuer :=
"/C=FR/ST=Radius/L=Somewhere/O=Example
Inc./emailAddress=admin@example.org/CN=Example Certificate Authority"
(6) eap_tls: TLS-Client-Cert-Common-Name := "user@example.org"
(6) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web
Client Authentication"
(6) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(6) eap_tls: <<< recv TLS 1.2 [length 0046]
(6) eap_tls: TLS_accept: SSLv3/TLS read client key exchange
(6) eap_tls: <<< recv TLS 1.2 [length 0208]
(6) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(6) eap_tls: TLS_accept: SSLv3/TLS read change cipher spec
(6) eap_tls: <<< recv TLS 1.2 [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS read finished
(6) eap_tls: >>> send TLS 1.2 [length 0001]
(6) eap_tls: TLS_accept: SSLv3/TLS write change cipher spec
(6) eap_tls: >>> send TLS 1.2 [length 0010]
(6) eap_tls: TLS_accept: SSLv3/TLS write finished
(6) eap_tls: (other): SSL negotiation finished successfully
(6) eap_tls: SSL Connection Established
(6) eap_tls: [eaptls process] = handled
(6) eap: Sending EAP Request (code 1) ID 7 length 61
(6) eap: EAP session adding &reply:State = 0x8e60f0b08867fd23
(6) [eap] = handled
(6) } # authenticate = handled
(6) Using Post-Auth-Type Challenge
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) Challenge { ... } # empty sub-section is ignored
(6) Sent Access-Challenge Id 0 from 10.10.1.238:1812 to
223.171.35.38:6820 length 0
(6) EAP-Message =
0x0107003d0d800000003314030300010116030300281e6973755166a35a1fdc4433b72897e6f4492a9e36844c22d602e69b19ce4d21245dd0780f1ddd8e
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) State = 0x8e60f0b08867fd23980d5523ba0ace4e
(6) Finished request
Waking up in 4.9 seconds.
(6) Cleaning up request packet ID 0 with timestamp +12
(7) Received Access-Request Id 0 from 223.171.35.38:6820 to
10.10.1.238:1812 length 148
(7) User-Name = "user@example.org"
(7) NAS-IP-Address = 192.168.0.10
(7) Called-Station-Id = "704f573b432b"
(7) Calling-Station-Id = "701ce7ea7851"
(7) NAS-Identifier = "704f573b432b"
(7) NAS-Port = 67
(7) Framed-MTU = 1400
(7) State = 0x8e60f0b08867fd23980d5523ba0ace4e
(7) NAS-Port-Type = Wireless-802.11
(7) EAP-Message = 0x020700060d00
(7) Message-Authenticator = 0x35a41bd0f2f81394fee838c720f96214
(7) session-state: No cached attributes
(7) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(7) authorize {
(7) policy filter_username {
(7) if (&User-Name) {
(7) if (&User-Name) -> TRUE
(7) if (&User-Name) {
(7) if (&User-Name =~ / /) {
(7) if (&User-Name =~ / /) -> FALSE
(7) if (&User-Name =~ /@[^@]*@/ ) {
(7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(7) if (&User-Name =~ /\.\./ ) {
(7) if (&User-Name =~ /\.\./ ) -> FALSE
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(7) if (&User-Name =~ /\.$/) {
(7) if (&User-Name =~ /\.$/) -> FALSE
(7) if (&User-Name =~ /@\./) {
(7) if (&User-Name =~ /@\./) -> FALSE
(7) } # if (&User-Name) = notfound
(7) } # policy filter_username = notfound
(7) [preprocess] = ok
(7) [chap] = noop
(7) [mschap] = noop
(7) [digest] = noop
(7) suffix: Checking for suffix after "@"
(7) suffix: Looking up realm "example.org" for User-Name = "user@example.org"
(7) suffix: No such realm "example.org"
(7) [suffix] = noop
(7) eap: Peer sent EAP Response (code 2) ID 7 length 6
(7) eap: No EAP Start, assuming it's an on-going EAP conversation
(7) [eap] = updated
(7) [files] = noop
(7) [expiration] = noop
(7) [logintime] = noop
(7) [pap] = noop
(7) } # authorize = updated
(7) Found Auth-Type = eap
(7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(7) authenticate {
(7) eap: Expiring EAP session with state 0x8e60f0b08867fd23
(7) eap: Finished EAP session with state 0x8e60f0b08867fd23
(7) eap: Previous EAP request found for state 0x8e60f0b08867fd23,
released from the list
(7) eap: Peer sent packet with method EAP TLS (13)
(7) eap: Calling submodule eap_tls to process data
(7) eap_tls: Continuing EAP-TLS
(7) eap_tls: Peer ACKed our handshake fragment. handshake is finished
(7) eap_tls: [eaptls verify] = success
(7) eap_tls: [eaptls process] = success
(7) eap: Sending EAP Success (code 3) ID 7 length 4
(7) eap: Freeing handler
(7) [eap] = ok
(7) } # authenticate = ok
(7) # Executing section post-auth from file
/etc/freeradius/3.0/sites-enabled/default
(7) post-auth {
(7) update {
(7) No attributes updated
(7) } # update = noop
(7) [exec] = noop
(7) policy remove_reply_message_if_eap {
(7) if (&reply:EAP-Message && &reply:Reply-Message) {
(7) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(7) else {
(7) [noop] = noop
(7) } # else = noop
(7) } # policy remove_reply_message_if_eap = noop
(7) } # post-auth = noop
(7) Sent Access-Accept Id 0 from 10.10.1.238:1812 to 223.171.35.38:6820 length 0
(7) MS-MPPE-Recv-Key =
0x6851bd68488149beb6175757297429d2c5fbf2ba7fb9745df4f2803ddc2b8b6f
(7) MS-MPPE-Send-Key =
0x115def9e214dd9a1c76bd12f4f31bfafc118723403846d253703224b9b334733
(7) EAP-Message = 0x03070004
(7) Message-Authenticator = 0x00000000000000000000000000000000
(7) User-Name = "user@example.org"
(7) Finished request
Waking up in 4.9 seconds.
(7) Cleaning up request packet ID 0 with timestamp +12
Ready to process requests
2019년 1월 10일 (목) 오전 5:07, Alan Buxey <alan.buxey@gmail.com>님이 작성:
>
> run a debug when connecting from either from windows or eapol_test and
> check for any difference in output.
>
> alan
>
> On Wed, 9 Jan 2019 at 12:52, Alan DeKok <aland@deployingradius.com> wrote:
>
> > On Jan 9, 2019, at 7:46 AM, Sunho Lee <shlee@wonikrobotics.com> wrote:
> > >
> > > 1. Before connection trial, i have created wifi connection using
> > > Network Manager GUI as below:
> > > - NetworkManager - Create Wifi Connection - Security Tab
> > > Security: WPA & WPA2 Enterprise
> > > Authentication: TLS
> > > Identity: user@example.org (client.cnf default)
> > > User certificate: client.pem or client.p12
> > > CA certificate: ca.pem
> > > Private key: client.p12
> > > Private key password: whatever (client.cnf default)
> > >
> > > 2. Connection trial started and after my log was printed on radius
> > > server, dialog like below was popped up
> > > Title: Authentication required by wireless network
> > > Contents:
> > > Passwords or encryption keys are required to access the wireless
> > > network "xxx"
> > > Identity: user@example.org
> > > Private key password: ********* (whatever?)
> >
> > This is the password to the client.pem file.
> >
> > > [Cancel] [Connect]
> > >
> > > 3. I click the "connect" button (whether re-typing Private key password
> > or not)
> > > then the above(#2) was repeated about 1~2 times
> >
> > Well, there isn't much we can do. The problem isn't FreeRADIUS. It's
> > on the client side. You'll have to ask the Network Manager people how
> > their software works.
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
(주)원익로보틱스
연구개발팀 과장 이 선 호
(13486)경기도 성남시 분당구 판교로255번길 20 원익빌딩 5층
T: 031-8038-9175 M:010-9871-7173 F: 031-8038-9190
www.wonikrobotics.com