Hi Alan, Now i habe running version 3.0.11. i got for eap-tls requests but not Accept. Ready to process requests (9) Received Access-Request Id 155 from 192.168.10.167:39133 to 192.168.70.35:1810 length 263 (9) Acct-Session-Id = "75d427d5" (9) NAS-Port = 40 (9) NAS-Port-Type = Wireless-802.11 (9) User-Name = "Oliver Werner" (9) Calling-Station-Id = "D0-03-4B-8F-37-CC" (9) Called-Station-Id = "98-4B-E1-25-EF-00" (9) EAP-Message = 0x021b0012014f6c69766572205765726e6572 (9) NAS-Identifier = "SG047GG0322" (9) NAS-IP-Address = 192.168.10.167 (9) Framed-MTU = 1496 (9) Connect-Info = "IEEE802.1X" (9) Framed-Protocol = PPP (9) Service-Type = Framed-User (9) Colubris-AVPair = "ssid=TestOliver" (9) Colubris-AVPair = "group=Default Group" (9) Colubris-AVPair = "incoming-vlan-id=2" (9) Colubris-AVPair = "vsc-unique-id=7" (9) Message-Authenticator = 0x68c0c2482cd8dc3dfc72fec86a3bac26 (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/kontrast (9) authorize { (9) eapcert: Peer sent EAP Response (code 2) ID 27 length 18 (9) eapcert: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (9) [eapcert] = ok (9) } # authorize = ok (9) Found Auth-Type = eapcert (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/kontrast (9) authenticate { (9) eapcert: Peer sent packet with method EAP Identity (1) (9) eapcert: Calling submodule eap_tls to process data (9) eap_tls: Initiating new EAP-TLS session (9) eap_tls: Setting verify mode to require certificate from client (9) eap_tls: [eaptls start] = request (9) eapcert: Sending EAP Request (code 1) ID 28 length 6 (9) eapcert: EAP session adding &reply:State = 0x842794b5843b9965 (9) [eapcert] = handled (9) } # authenticate = handled (9) Using Post-Auth-Type Challenge (9) Post-Auth-Type sub-section not found. Ignoring. (9) Sent Access-Challenge Id 155 from 192.168.70.35:1810 to 192.168.10.167:39133 length 0 (9) EAP-Message = 0x011c00060d20 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) State = 0x842794b5843b99652f4dda048d4c31ef (9) Finished request eap-module: eap eapcert { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = ${max_requests} tls-config tls-common { private_key_password = <secret> private_key_file = ${certdir}/Freeradius.pem certificate_file = ${certdir}/Freeradius.pem cadir = ${certdir}/ca ca_file = ${cadir}/cacert.crt dh_file = ${certdir}/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = yes #check_all_crl = yes ca_path = ${cadir} check_cert_cn = %{User-Name} cipher_list = "DEFAULT" # OpenSSL 1.0.1f and 1.0.1g do not calculate # the EAP keys correctly. The fix is to upgrade # OpenSSL, or disable TLS 1.2 here. #disable_tlsv1_2 = no ecdh_curve = "secp384r1" cache { enable = yes lifetime = 24 # hours max_entries = 255 persist_dir = "${logdir}/tlscache" } verify { } } tls { tls = tls-common virtual_server = kontrast } } site-enable/kontrast: server kontrast { listen { ipaddr = * port = 1810 type = auth virtual_server = kontrast } authorize { eapcert { ok = return } } authenticate { eapcert } post-auth{ } } OLIVER WERNER System-Administrator Kontrast Communication Services GmbH Grafenberger Allee 100, 40237 Düsseldorf, Germany Fon +49-211-91505-500 Fax +49-211-91505-530 www.kontrast.de <http://www.kontrast.de/> Amtsgericht Düsseldorf: HRB 26934 Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist <https://www.facebook.com/kontrast.communication> <https://twitter.com/KONTRAST_de> <http://www.xing.com/companies/kontrastcommunicationservicesgmbh> <http://www.linkedin.com/company/kontrast-communication-services-gmbh> <https://vimeo.com/kontrastcs> <http://instagram.com/kontrast_de>
Am 23.03.2016 um 13:55 schrieb Alan DeKok <aland@deployingradius.com>:
On Mar 23, 2016, at 5:21 AM, Oliver Werner <oliver.werner@kontrast.de> wrote:
i will test upgrade my Freeradius 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie).
Which also changes OpenSSL, among other things. Recent versions of the 2.2 have fixes which work around OpenSSL bugs.
So my configured sites for MAC authentication and sql module look like working right now.
But also i have configured a eap-tls site where i can’t auth anymore.
Try 2.2.9 before doing anything else.
Or, upgrade to 3.0. It's *much* nicer.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html