Whoops, I thought I solved this but I didnt. I tried setting up eap-tls on a few different laptops each using windows xp to configure eap-tls (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting: josh Auth-Type := eap Auth-Type := Accept
Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate.
I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so windows xp complains about this.
That is the problem. Windows won't recongnize server certificate as intermediate ca any more. The "cure" is to try signing client certificates with ca certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening. Ivan Kalik Kalik Informatika ISP
I turned off "Verify Certificate Authority" in the windows XP eap-tls setup to see if that would help. It did not. Would this broken cert chain cause the issue I am having of authentication just stopping? As far as I can see, I've followed all instructions on making the certs, verifying the right oid's in each cert, and configuring FreeRadius?
Here is another radiusd debug just in case anyone can see anything else. I cannot see an error. I have turned debugging on for the windows xp wireless supplicant but really cannot see anything in there that points to a clear answer. I also tried a few laptops with different cards but also using windows xp as the wireless client. Same thing so I must be missing something.
thanks for any help
Here is the debug:
Ready to process requests. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=19, length=172 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000009016a6f7368 Message-Authenticator = 0x0c726a7e3ac712cf547eebe096cf72c1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 19 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa3982ff784f708f948bb823a0e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=20, length=261 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100500d800000004616030100410100003d0301497f12c55aaab891840a5314f901341acd2d4dfb6cf3013dbeb9c284cbd7d28500001600040005000a000900640062000300060013001200630100 State = 0x982efaa3982ff784f708f948bb823a0e Message-Authenticator = 0xf4a495a1dc517a2ea1ce79f466520039 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0846], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 20 to 172.17.10.108 port 1027 EAP-Message = 0x010204000dc000000922160301002a020000260301497f12bc41a3134a837ab67e8bb4f9b211c20cc23b0e8820ff5d46ee000000000000040016030108460b00084200083f0003a4308203a030820288a003020102020101300d06092a864886f70d0101050500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e EAP-Message = 0x170d3039303132373034313133385a170d3239303132323034313133385a307c310b30090603550406130255533111300f060355040813084d6963686967616e310e300c060355040a130552454d4331312830260603550403131f52454d433120526164697573205365727665722043657274696669636174653120301e06092a864886f70d0109011611737570706f72744072656d63312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100df5db79ac92e13bb06dd2458db371fa0c22ebd220440aa0747e98a13d64027fa10720c69b224d607bfd2a7b2836c224cefca5113d0c56cf7d97d25703bb05f8b EAP-Message = 0xff12c9dfc2fd602271f2e9200e9c196d6e9018840e69c6c82a62e77d946ad60562c576c4b7206c8d2d378a7c84f99fb64dfa51a87021ccf234c76e91159c2dfbbeb1095cc81ea26d39dc0a078011b3c70bdd11f0800f8391737591b7bf005551bc4ba051cf7e83d2d883c946372059167cabb6514ab5068c7274662639825e37d705d415cb370df3aa1088e87d8c3bf7df5116dd61d589831dfe2e0d347ae15227c48900964d24fa574dab1166e4d5a100741f7cf4088e3e47ae88ae3793f7990203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101003730d65b9ae051938bdd36 EAP-Message = 0x33b834dd5cef73a38bf01b1e9dead12841c954d04cb564c884b4529af0faf9a71b46ac5f554fcbe64e9c5be604392e8fd0b5f62aab2fe7155e828bb06e456fc26c30a90b417cb6b6fa68eda56eb29653514ba78c0f0852a7c17ade33eb38f9edf423f9d1fc72bba6549c3c4bf20bec437fcdca0d16a8f4e4bab8c8f82eddd48878165d383ea8291d4f0e922cdd4871ea92f72340e930efc3bb6ab917bccd92c95ec69575bde85e5bbd3e3c52285345881f4e758074df363d49dc044abd145ebc070aeec28dfb36341146c52a152bbd80a8833599c35caa44ed4c38ea2e6fecbadb59d0f487777f7d0bcec13bbb19bb93492b99e1c70004953082049130 EAP-Message = 0x820379a00302010202010030 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa3992cf784f708f948bb823a0e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=21, length=187 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0x982efaa3992cf784f708f948bb823a0e Message-Authenticator = 0xd58793dae3bbbbf94990f6f834b36edc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 21 to 172.17.10.108 port 1027 EAP-Message = 0x010304000dc0000009220d06092a864886f70d0101040500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e170d3039303132373034313131325a170d3239303132323034313131325a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e EAP-Message = 0x636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b49dd90b47ecf8f3f0cd3c5c925e8891da336543215709231a08521a69e856b5e1a5061417fc7b859738da4d81033c6b6149535830a03c2b4554a71d67c5e0694ad03f0708c818ebcb596cce15740a0053a7e41b24551c63efeb928664aadb3cbce4ada1867ef56926909bf1c5914b0463f681a8ce59283ba5 EAP-Message = 0x2316add0dfd36901ec2b2da655be187efe786c36cd9c9a09a51a065333dff65e991e3b88bd826f9f07b5c7bf0366dfaf1fd44870e4c8df99a987dab4d955c104ea5fb3a0dedaed2e758a75508b4a5bb88f06c9f80c5d4633057f6624247230a9ff3bf64adc9853f366f9d7c487825be1b0b5137b85a8ee4b07af87b6cfb8341fe5ff4b7780677d0203010001a381f13081ee301d0603551d0e04160414b0af659819810e066c1fae3a2f9a9fc3377af5693081be0603551d230481b63081b38014b0af659819810e066c1fae3a2f9a9fc3377af569a18197a48194308191310b30090603550406130255533111300f060355040813084d696368696761 EAP-Message = 0x6e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101007cac0b9cc3c3cb9405ff81979b7d8d746e09761c5f85ca3d313e8c2fe2faa361556fb274dc24f45e7573f78fe061582266430cc381196b92e326f2cf5ba7625549f2a9708e8150129eca8e033ecce9acdf069eb1615a3088039cd0dda72e7d73e7f5bd60a8a5 EAP-Message = 0xcbdf5f73170cd3ed1a52364e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa39a2df784f708f948bb823a0e Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=22, length=187 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0x982efaa39a2df784f708f948bb823a0e Message-Authenticator = 0x59fdc45f3eb465063f8b3b802a875cec +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 22 to 172.17.10.108 port 1027 EAP-Message = 0x010401400d8000000922101bd464323e493c6bc2a2d48f905e1afede5f663de695fede560cd70864dca08c7078aec5299f07dcf4fb24c0274678071ce5a15b8e28b322b12b665ed600b782c6eefc624e851ac89390f929f19a7e26d494e730702c031e47e5f7dca498859b2c634abc1807eedcff4a5be51fed6c56c2ffb2db730e219cdc535d563752f23011f00d8bbb819fbb1e4a3cd14d16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d01090116 EAP-Message = 0x11737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa39b2af784f708f948bb823a0e Finished request 3. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 19 with timestamp +7 Cleaning up request 1 ID 20 with timestamp +7 Cleaning up request 2 ID 21 with timestamp +7 Cleaning up request 3 ID 22 with timestamp +7 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html