Hello
I've got a problem with my eap-tls configuration
: the server is accepting the device ( rad_check_password: Auth-Type
= Accept, accepting the user), but it doesn't connect to the to access-point
(HP Procurve). The server is a virtual Suse linux enterprise and the client
is windows XP sp 3.
Any help would be great....
Here is the output on the server:
Starting - reading configuration files
...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests
= 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize =
no
proxy: wake_all_if_all_dead =
no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
Using deprecated clients file. Support
for this will go away soon.
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined.
Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types
= no
eap: cisco_accounting_username_bug
= no
rlm_eap: Loaded and initialized type
md5
rlm_eap: Loaded and initialized type
leap
gtc: challenge = "Password:
"
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type
gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/sslcert/CAkey.pem"
tls: certificate_file = "/sslcert/sierrerad10.pem"
tls: CA_file = "/sslcert/CAcrt.pem"
tls: private_key_password = "novelis"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate
file as a chain
rlm_eap: Loaded and initialized type
tls
mschapv2: with_ntdomain_hack =
no
rlm_eap: Loaded and initialized type
mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack =
no
preprocess: ascend_channels_per_line
= 23
preprocess: with_ntdomain_hack
= no
preprocess: with_specialix_jetstream_hack
= no
preprocess: with_cisco_vsa_hack
= no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name,
Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "/etc/passwd"
unix: shadow = "(null)"
unix: group = "/etc/group"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from
host 10.166.42.30:1024, id=1, length=159
User-Name
= "sierre08015"
NAS-IP-Address
= 10.166.42.30
NAS-Port
= 1
Called-Station-Id
= "00-14-C2-BB-FF-70:test"
Calling-Station-Id
= "00-1F-3C-13-1A-1F"
Framed-MTU
= 1400
NAS-Port-Type
= Wireless-802.11
Connect-Info
= "CONNECT 0Mbps 802.11g"
EAP-Message
= 0x02010010017369657272653038303135
Message-Authenticator
= 0x4cc4a961e5aae9b990d400eab9ec0a8e
Processing the authorize section
of radiusd.conf
modcall: entering group authorize for
request 0
modcall[authorize]: module "preprocess"
returns ok for request 0
rlm_eap: EAP packet type response
id 1 length 16
rlm_eap: No EAP Start, assuming
it's an on-going EAP conversation
modcall[authorize]: module "eap"
returns updated for request 0
users: Matched entry sierre08015
at line 97
modcall[authorize]: module "files"
returns ok for request 0
modcall: leaving group authorize (returns
updated) for request 0
rad_check_password: Found
Auth-Type Accept
rad_check_password: Auth-Type
= Accept, accepting the user
Sending Access-Accept of id 1 to 10.166.42.30
port 1024
Finished request 0
Going to the next request
The eap.conf file :
# -*- text -*-
#
# Whatever you do, do NOT set
'Auth-Type := EAP'. The server
# is smart enough to figure this
out on its own. The most
# common side effect of setting
'Auth-Type := EAP' is that the
# users then cannot use ANY other
authentication method.
#
# $Id:
eap.conf,v 1.4.4.1 2006/01/04 14:29:29 nbk Exp $
#
eap
{
# Invoke the default supported EAP type
when
# EAP-Identity response is received.
#
# The incoming EAP messages DO NOT specify
which EAP
# type they will be using, so it MUST
be set here.
#
# For now, only one default EAP type
may be used at a time.
#
# If the EAP-Type attribute is set by
another module,
# then that EAP type takes precedence
over the
# default type configured here.
#
#
default_eap_type = md5
default_eap_type = tls
# A list is maintained to correlate
EAP-Response
# packets with EAP-Request packets.
After a
# configurable length of time, entries
in the list
# expire, and are deleted.
#
timer_expire = 60
# There are many EAP types, but the
server has support
# for only a limited subset. If
the server receives
# a request for an EAP type it does
not support, then
# it normally rejects the request. By
setting this
# configuration to "yes",
you can tell the server to
# instead keep processing the request.
Another module
# MUST then be configured to proxy the
request to
# another RADIUS server which supports
that EAP type.
#
# If another module is NOT configured
to handle the
# request, then the request will still
end up being
# rejected.
ignore_unknown_eap_types = no
# Cisco AP1230B firmware 12.2(13)JA1 has a
bug. When given
# a User-Name attribute in an Access-Accept,
it copies one
# more byte than it should.
#
# We can work around it by configurably adding
an extra
# zero byte.
cisco_accounting_username_bug = no
# Supported EAP-types
#
# We do NOT recommend using EAP-MD5
authentication
# for wireless connections. It
is insecure, and does
# not provide for dynamic WEP keys.
#
md5 {
}
# Cisco LEAP
#
# We do not recommend using LEAP in
new deployments. See:
# http://www.securiteam.com/tools/5TP012ACKE.html
#
# Cisco LEAP uses the MS-CHAP algorithm
(but not
# the MS-CHAP attributes) to perform
it's authentication.
#
# As a result, LEAP *requires* access
to the plain-text
# User-Password, or the NT-Password
attributes.
# 'System' authentication is impossible
with LEAP.
#
leap {
}
# Generic Token Card.
#
# Currently, this is only permitted
inside of EAP-TTLS,
# or EAP-PEAP. The module "challenges"
the user with
# text, and the response from the user
is taken to be
# the User-Password.
#
# Proxying the tunneled EAP-GTC session
is a bad idea,
# the users password will go over the
wire in plain-text,
# for anyone to see.
#
gtc {
# The
default challenge, which many clients
# ignore..
#challenge
= "Password: "
# The
plain-text response which comes back
# is
put into a User-Password attribute,
# and
passed to another module for
# authentication.
This allows the EAP-GTC
# response
to be checked against plain-text,
# or
crypt'd passwords.
#
# If
you say "Local" instead of "PAP", then
# the
module will look for a User-Password
# configured
for the request, and do the
# authentication
itself.
#
auth_type
= PAP
}
## EAP-TLS
#
# To generate ctest certificates, run
the script
#
# ../scripts/certs.sh
#
# The documents on http://www.freeradius.org/doc
# are old, but may be helpful.
#
# See also:
#
# http://www.dslreports.com/forum/remark,9286052~mode=flat
#
tls {
private_key_password
= novelis
# private_key_file
= ${raddbdir}/certs/cert-srv.pem
private_key_file
= /sslcert/CAkey.pem
# If
Private key & Certificate are located in
# the
same file, then private_key_file &
# certificate_file
must contain the same file
# name.
# certificate_file
= ${raddbdir}/certs/cert-srv.pem
certificate_file
= /sslcert/sierrerad10.pem
# Trusted
Root CA list
# CA_file
= ${raddbdir}/certs/demoCA/cacert.pem
CA_file
= /sslcert/CAcrt.pem
# CA_path
= ${raddbdir}/certs/demoCA/cacert.pem
dh_file
= ${raddbdir}/certs/dh
random_file
= ${raddbdir}/certs/random
#
# This
can never exceed the size of a RADIUS
# packet
(4096 bytes), and is preferably half
# that,
to accomodate other attributes in
# RADIUS
packet. On most APs the MAX packet
# length
is configured between 1500 - 1600
# In
these cases, fragment size should be
# 1024
or less.
#
fragment_size
= 1024
# include_length
is a flag which is
# by
default set to yes If set to
# yes,
Total Length of the message is
# included
in EVERY packet we send.
# If
set to no, Total Length of the
# message
is included ONLY in the
# First
packet of a fragment series.
#
include_length
= yes
# Check
the Certificate Revocation List
#
# 1)
Copy CA certificates and CRLs to same directory.
# 2)
Execute 'c_rehash <CA certs&CRLs Directory>'.
#
'c_rehash' is OpenSSL's command.
# 3)
Add 'CA_path=<CA certs&CRLs directory>'
#
to radiusd.conf's tls section.
# 4)
uncomment the line below.
# 5)
Restart radiusd
# check_crl
= yes
#
# If check_cert_cn
is set, the value will
# be xlat'ed
and checked against the CN
# in the
client certificate. If the values
# do not
match, the certificate verification
# will fail
rejecting the user.
#
# check_cert_cn
= %{User-Name}
}
#
# This takes no configuration.
#
# Note that it is the EAP MS-CHAPv2
sub-module, not
# the main 'mschap' module.
#
# Note also that in order for this sub-module
to work,
# the main 'mschap' module MUST ALSO
be configured.
#
# This module is the *Microsoft* implementation
of MS-CHAPv2
# in EAP. There is another (incompatible)
implementation
# of MS-CHAPv2 in EAP by Cisco, which
FreeRADIUS does not
# currently support.
#
mschapv2 {
}
}
NOVELIS
Fabien Crettaz
IT System and Infrastructure
Novelis Automotive, Painted & Specialities
Novelis Switzerland SA
CH - 3960 Sierre, Switzerland
phone: +41 (0)27 457 7164
fax: +41 (0)27 457 7105
e-mail:
fabien.crettaz@novelis.com
http://www.novelis.ch
P Please
consider the environment before printing this email.