Hi,
I just upgrade FR 1.1.4 to 1.1.6 on FreeBSD
6.1. And FR has always worked wonderfully for me in the past.
I saw in the changelog something about terminating
the SSL session in EAP on errors.
What can I do to fix this error?
Regards,
Remy.
--- Walking the
entire request list ---
Waking up in 6
seconds...
rad_recv:
Access-Request packet from host 10.0.1.250:3072, id=1, length=256
User-Name = "monique@unix-asp.com"
NAS-IP-Address = 10.0.1.250
Called-Station-Id = "0012176fb399"
Calling-Station-Id = "0013022105d3"
NAS-Identifier = "0012176fb399"
NAS-Port = 55
Framed-MTU = 1400
State = 0x99e6bf386c1693ffe99cc51011c78c22
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201006e0d8000000064160301005f0100005b030146338b7df93bc3ecee992b73b782861fb83b032ad4e5d0e367a50e96a5f4d07e00003400390038003500160013000a00330032002f006600050004006500640063006200610060001500120009001400110008000600030100
Message-Authenticator = 0xd1dcd23d54281665000ddf314423cf61
Processing the
authorize section of radiusd.conf
modcall: entering
group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:
'/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail:
/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radacct/10.0.1.250/auth-detail-20070428
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "unix-asp.com" for User-Name =
"monique@unix-asp.com"
rlm_realm: No such realm "unix-asp.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP
packet type response id 1 length 110
rlm_eap: No
EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving
group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type
"EAP"
Processing the
authenticate section of radiusd.conf
modcall: entering
group authenticate for request 1
rlm_eap:
Request found, released from the list
rlm_eap:
EAP/tls
rlm_eap:
processing type tls
rlm_eap_tls:
Authenticate
rlm_eap_tls:
processing TLS
rlm_eap_tls:
Length Included
eaptls_verify
returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls:
<<< TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls:
>>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls:
>>> TLS 1.0 Handshake [length 02ca], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls:
>>> TLS 1.0 Handshake [length 00a9], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake
Phase
In SSL Accept mode
eaptls_process
returned 13
modcall[authenticate]:
module "eap" returns handled for request 1
modcall: leaving
group authenticate (returns handled) for request 1
Sending
Access-Challenge of id 1 to 10.0.1.250 port 3072
EAP-Message = 0x010203d60d80000003cc160301004a02000046030146338b7ad2b5446adeec2e4c5dbeebbf060ca75333f41f2cd07136ceb4f1e16020c03cc6c37f378e3a121feb1d2b2ff0720a723115309f56d0f8db9efb1334024f00350016030102ca0b0002c60002c30002c0308202bc30820225a00302010202020122300d06092a864886f70d0101050500308196310b3009060355040613024e4c3110300e06035504081307557472656368743110300e060355040713075574726563687431153013060355040a130c554e49582d4153502e434f4d3110300e060355040b1307537570706f7274311530130603550403130c756e69782d6173702e636f6d31
EAP-Message = 0x23302106092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d301e170d3037303432383137343331325a170d3038303432373137343331325a308196310b3009060355040613024e4c3110300e06035504081307557472656368743110300e060355040713075574726563687431153013060355040a130c554e49582d4153502e434f4d3110300e060355040b1307537570706f7274311530130603550403130c756e69782d6173702e636f6d3123302106092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c4d9ff
EAP-Message = 0x25696b959b20ce440ea32876f9083badb184a2a86c2269205ca4442c6c386546face2e2ec05b6a0af3d11094e0fe389198023ee39fafb456de6832483e99c29231034840334c91ccafeb80f7bd019f3493977c03b7e8ed7824395ec401a2f5eb1540db144670038cc6ca8308c982ac30381da8228a479740e4049ef8870203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100741dcc0890f8e7cb9651648a76005c9382030b41b9ac3d6d09fe32f7e0dedaa25c34e6a970a4c92666c3dc1a96096b824871a31b4315d065bdcad0f8bf8d77a6e00afd76bf9c924b91741c36142c49
EAP-Message =
0x1c9aa8bd1665c0bda3edc5e3b9dd9c95c3d5d304204d55c2876cf0265837fd68c9c92a181ac73e0e208975d3bffa7a37c016030100a90d0000a103010240009b0099308196310b3009060355040613024e4c3110300e06035504081307557472656368743110300e060355040713075574726563687431153013060355040a130c554e49582d4153502e434f4d3110300e060355040b1307537570706f7274311530130603550403130c756e69782d6173702e636f6d3123302106092a864886f70d0109011614737570706f727440756e69782d6173702e636f6d0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcb376b4b0ff5456ba9300ec08c5b69aa
Finished request 1
Going to the next
request
Waking up in 6
seconds...
rad_recv:
Access-Request packet from host 10.0.1.250:3072, id=1, length=163
User-Name = "monique@unix-asp.com"
NAS-IP-Address = 10.0.1.250
Called-Station-Id = "0012176fb399"
Calling-Station-Id = "0013022105d3"
NAS-Identifier = "0012176fb399"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcb376b4b0ff5456ba9300ec08c5b69aa
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200110d80000000071503010002022a
Message-Authenticator = 0x73d8ae0eec89244e63a52fa4e5fc8e7f
Processing the
authorize section of radiusd.conf
modcall: entering
group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat:
'/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail:
/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
/var/log/radacct/10.0.1.250/auth-detail-20070428
modcall[authorize]: module "auth_log" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "unix-asp.com" for User-Name =
"monique@unix-asp.com"
rlm_realm: No such realm "unix-asp.com"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP
packet type response id 2 length 17
rlm_eap: No
EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving
group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type
"EAP"
Processing the
authenticate section of radiusd.conf
modcall: entering
group authenticate for request 2
rlm_eap:
Request found, released from the list
rlm_eap:
EAP/tls
rlm_eap:
processing type tls
rlm_eap_tls:
Authenticate
rlm_eap_tls:
processing TLS
rlm_eap_tls:
Length Included
eaptls_verify
returned 11
rlm_eap_tls:
<<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert
read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error
error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
rlm_eap_tls: SSL_read
failed inside of TLS (-1), TLS session fails.
eaptls_process
returned 13
rlm_eap:
Freeing handler
modcall[authenticate]:
module "eap" returns reject for request 2
modcall: leaving
group authenticate (returns reject) for request 2
auth: Failed to
validate the user.
Delaying request 2
for 1 seconds
Finished request 2
Going to the next
request
Waking up in 6 seconds...
--- Walking the
entire request list ---
Sending Access-Reject
of id 1 to 10.0.1.250 port 3072
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 2
ID 1 with timestamp 46338b7a
Nothing to do.
Sleeping until we see a request.