2007/10/1, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Yes. This is still the certificate problem. You haven't got to the password check yet. Chack that you have imported the correct certificates (as per previous post).
Ivan Kalik Kalik Informatika ISP
It's a bit strange, I think that I created and imported it well. I did so: cd /usr/local/etc/raddb /etc/pki/tls/misc/CA -newca openssl req -new -nodes -keyout privadaradius.pem -out pedidoradius.pem -days 730 -config /etc/pki/tls/openssl.cnf openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything -out publicaradius.pem -extensions xpserver_ext -extfile /etc/pki/tls/xpextensions -infiles pedidoradius.pem I edited publicaradius.pem in order to delete lines above "BEGIN CERTIFICATE" and joined with key file. previously I backuped certificate file: cp publicaradius.pem publicaradius.pem.bkp cat privadaradius.pem publicaradius.pem > privandpubradius.pem DH file creation: openssl dhparam -check -text -5 512 -out dh Random file: dd if=/dev/urandom of=random count=2 Then I copied cacert.pem to pendrive and imported in Windows as Trusted Certificate in mmc. OK, you can say pem is not the right format, ok, I've created the der file: openssl x509 -inform PEM -outform DER -in CA/cacert.pem -out CA/cacert.der Ok, you say, der is not the format but p12 is, so: openssl pkcs12 -export -in certs/CA/cacert.pem -inkey certs/CA/private/cakey.pem -out certs/CA/cacert.p12 -clcerts In each case I imported the certificate but never worked :( What's wrong about all of this? Thanks in advance
Dana 1/10/2007, "Sergio Belkin" <sebelk@gmail.com> piše:
2007/10/1, tnt@kalik.co.yu <tnt@kalik.co.yu>:
Because conversation hasn't got to password checking. Probably, since this debug doesn't mean much to me.
Ivan Kalik Kalik Informatika ISP
These are Debug messages (using a wrong password)
rad_recv: Access-Request packet from host 10.30.1.151:1036, id=66, length=98 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020100090174657374 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 Message-Authenticator = 0xb8d1b41830e1a2edc1ecf677b3936c68 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 1 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 2 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 66 to 10.30.1.151 port 1036 Reply-Message = "Hola test" EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0554162407c62e4d26c570bf0dc3a4aa Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67, length=187 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0202005019800000004616030100410100003d030147015317f20f33b39cf4163f4dc7389a82b29787664c80850600d8173d387a8c00001600040005000a000900640062000300060013001200630100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x0554162407c62e4d26c570bf0dc3a4aa Message-Authenticator = 0x772f0fcf0b9095b3987366da2b8b0eec Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 3 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 67 to 10.30.1.151 port 1036 Reply-Message = "Hola test" EAP-Message = 0x010303861900160301004a020000460301470153c12f6418b0890a37d1b2a4cfaa6cf53f2f68558a1e44b1de861ade5d0120a9a82dee78a91db7e7cb55ae09dfce0e555f7c9c3fe0a52bb80632a2f6be001a00040016030103230b00031f00031c000319308203153082027ea003020102020101300d06092a864886f70d01010405003081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f06 EAP-Message = 0x0355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932363139333435395a170d3038303932353139333435395a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e6574311930170603550403 EAP-Message = 0x13106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e65647530819f300d06092a864886f70d010101050003818d0030818902818100eae88c4ee5755bcff546c3a68bab7b736e6f65d8606c1aadecf6992e59f340adddb323e7a3400a65e50cc80d7dd9ad58d86e50755c9e7e16640cd216ce68ce368aa37792817f1fc9aa30a016a3ee11ef5ab0b70d75543ec1aa8786d84caa7e6fe65bd4d9717cbf419d04f08181a24aa3591b1254bd78c4493f7424ccce2c1f150203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104 EAP-Message = 0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa1e27c380c18bfa0a712fb53b701d612 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1036, id=68, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020300061900 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xa1e27c380c18bfa0a712fb53b701d612 Message-Authenticator = 0xad3e26570e7fb8ad2e80b1107a777ee1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry test at line 79 modcall[authorize]: module "files" returns ok for request 4 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 68 to 10.30.1.151 port 1036 Reply-Message = "Hola test" EAP-Message = 0x010400061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf791ee30348d584c274257c11d454e39 Finished request 4 Going to the next request Waking up in 6 seconds...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- -- Sergio Belkin -