Dario, you have a server configuration issue:
(6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied
and an eap issue:
(8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject
I don't know if that file permissions issue could cause the invalid eap error but that would be the place that I would start and then look for further eap errors. On Fri, 5 Jan 2024, Dario Barbon wrote:
Hi Alan, thanks for your patience.
Il 05/01/2024 16:18, Alan DeKok ha scritto:
And the debug output says... what? If it says "unknown CA", I already explained what the problem is, and what needs to be done to fix it. Perhaps that's the issue. As I said, you have to configure the supplicant with the CA used to generate the server certificate.
I installed the CA certificate and collected the entire log file content:
[snip..]
(6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (6) eap_peap: Serialising session 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd, and storing in cache (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied (6) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 8 length 57 (6) eap: EAP session adding &reply:State = 0x0d11b4170b19ad2d (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 195 from 172.31.189.84:1812 to 172.31.190.2:32768 length 115 (6) EAP-Message = 0x0108003919001403030001011603030028bbbeaeb45ef65e6016f7876f98fea4df4b8d349a44428864b8e4073deecc9d9fbf3c637baf2060ea (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x0d11b4170b19ad2d61b96bcf376c045f (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 196 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (7) User-Name = "bob" (7) Chargeable-User-Identity = 0x00 (7) Location-Capable = Civic-Location (7) Calling-Station-Id = "18-d6-1c-41-10-58" (7) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (7) NAS-Port = 1 (7) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (7) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (7) NAS-IP-Address = 172.31.190.2 (7) NAS-Identifier = "Cisco_b8:24:65" (7) Airespace-Wlan-Id = 2 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = "190" (7) EAP-Message = 0x020800061900 (7) State = 0x0d11b4170b19ad2d61b96bcf376c045f (7) Message-Authenticator = 0xd401e5af0b9a419fdaf417106d38614e (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (7) authorize { (7) [preprocess] = ok (7) eap: Peer sent EAP Response (code 2) ID 8 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (7) authenticate { (7) eap: Expiring EAP session with state 0x0d11b4170b19ad2d (7) eap: Finished EAP session with state 0x0d11b4170b19ad2d (7) eap: Previous EAP request found for state 0x0d11b4170b19ad2d, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 9 length 40 (7) eap: EAP session adding &reply:State = 0x0d11b4170a18ad2d (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 196 from 172.31.189.84:1812 to 172.31.190.2:32768 length 98 (7) EAP-Message = 0x010900281900170303001dbbbeaeb45ef65e6162b484726759166336c75ee2efa33fd3ef9823735f (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x0d11b4170a18ad2d61b96bcf376c045f (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 197 from 172.31.190.2:32768 to 172.31.189.84:1812 length 313 (8) User-Name = "bob" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civic-Location (8) Calling-Station-Id = "18-d6-1c-41-10-58" (8) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (8) NAS-Port = 1 (8) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (8) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (8) NAS-IP-Address = 172.31.190.2 (8) NAS-Identifier = "Cisco_b8:24:65" (8) Airespace-Wlan-Id = 2 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "190" (8) EAP-Message = 0x020900271900170303001c00000000000000010bfbfbf16742525071bfbbf45c50d4d0b12b3334 (8) State = 0x0d11b4170a18ad2d61b96bcf376c045f (8) Message-Authenticator = 0x63b9cf54b21cfa3f30bd43a45677d8e4 (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (8) authorize { (8) [preprocess] = ok (8) eap: Peer sent EAP Response (code 2) ID 9 length 39 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (8) authenticate { (8) eap: Expiring EAP session with state 0x0d11b4170a18ad2d (8) eap: Finished EAP session with state 0x0d11b4170a18ad2d (8) eap: Previous EAP request found for state 0x0d11b4170a18ad2d, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - bob (8) eap_peap: Got inner identity 'bob' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0209000801626f62 (8) eap_peap: Setting User-Name to bob (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0209000801626f62 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "bob" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0209000801626f62 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "bob" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 8 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> bob (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap: Tried to start unsupported EAP type MSCHAPv2 (26)' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x04090004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: EAP-Message = 0x04090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: EAP-Message = 0x04090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE [snip..]
Thanks and best regards.
Dario Barbon
-- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{