-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, please, help me to be sure I understand `radiusd -X' output right way ... some period of time, FR with EAP-TLS + LDAP was working in "test mode" ... now it is not and I'm trying to understand why FR: server is v.2.2.6 on FreeBSD 10.1R WS: wpa_supplicant client on FreeBSD 10.1R network (LAN) topology: FR <-> 100Mb Switch <-> WS FR configured with EAP + LDAP and EAP/md5 for MAC auth works fine. but EAP/tls spawns: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x8c1a57f7885a5afa did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! on this wiki page for this case it is told: - - - Follow the instructions given above. it is what I have folowed - - - Consider to decreasing the tunnel MTU there is no tunnel, but decreasing MTU on NIC didn't help last time I faced this very problem on my VPN and MTU decreasing to 1250 helped well, but now it is not ... in `radiusd -X' I see this: - - ---[ quotation start ]------------------------------------------- ... [files] expand: %{User-Name}, you have came from %{NAS-IP-Address} copper port %{NAS-Port}. -> jdoe-eap, you have came from 192.168.0.1 copper port 14. ++[files] = ok ++[expiration] = noop ++[logintime] = noop ++[pap] = noop [ldap] performing user authorization for jdoe-eap [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> jdoe-eap [ldap] expand: (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) -> (&(cn=jdoe-eap)(|(autho rizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) [ldap] expand: ou=People,dc=xyz -> ou=People,dc=xyz [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in ou=People,dc=xyz, with filter (&(cn=jdoe-eap)(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) [ldap] performing search in cn=ethernet,ou=rad-profiles,dc=xyz, with filter (objectclass=radiusprofile) [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] radiusSessionTimeout -> Session-Timeout = 900 [ldap] looking for check items in directory... [ldap] userPassword -> Cleartext-Password == "jdoe-eap" [ldap] userPassword -> Password-With-Header == "jdoe-eap" [ldap] looking for reply items in directory... [ldap] radiusTunnelPrivateGroupId -> Tunnel-Private-Group-Id:0 = "3495" [ldap] radiusTunnelMediumType -> Tunnel-Medium-Type:0 = IEEE-802 [ldap] radiusTunnelType -> Tunnel-Type:0 = VLAN [ldap] radiusServiceType -> Service-Type = Framed-User [ldap] ldap_release_conn: Release Id: 0 ++[ldap] = ok - - ---[ quotation end ]------------------------------------------- so, am I correct? here it is written that LDAP auth performed successfully further: - - ---[ quotation start ]------------------------------------------- ++? if (notfound) ? Evaluating (notfound) -> FALSE ++? if (notfound) -> FALSE ++? if (reject) ? Evaluating (reject) -> FALSE ++? if (reject) -> FALSE +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled ... - - ---[ quotation end ]------------------------------------------- what does these rows mean? - - ---[ quotation start ]------------------------------------------- [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled - - ---[ quotation end ]------------------------------------------- wpa_supplicant debug shows this: - - ---[ quotation start ]------------------------------------------- ... 1434988426.933490: SSL: (where=0x1001 ret=0x1) 1434988426.933492: SSL: SSL_connect:SSLv3 read server hello A 1434988426.933731: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=changeme/emailAddress=security@xyz' 1434988426.933736: igb0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=xyz-ca/emailAddress=security@xyz' 1434988426.933738: EAP: Status notification: remote certificate verification (param=success) 1434988426.933814: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=office1.xyz/emailAddress=security@xyz' 1434988426.933818: igb0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=AU/ST=SDN/L=Sidney/O=RADIUS/OU=RADIUS/CN=office1.xyz/emailAddress=security@xyz' 1434988426.934102: EAP: Status notification: remote certificate verification (param=success) 1434988426.934106: SSL: (where=0x1001 ret=0x1) 1434988457.029252: SSL: SSL_connect:SSLv3 write finished A 1434988457.029254: SSL: (where=0x1001 ret=0x1) 1434988457.029255: SSL: SSL_connect:SSLv3 flush data 1434988457.029257: SSL: (where=0x1002 ret=0xffffffff) 1434988457.029258: SSL: SSL_connect:error in SSLv3 read finished A 1434988457.029260: SSL: SSL_connect - want more data 1434988457.029262: SSL: 2750 bytes pending from ssl_out 1434988457.029264: SSL: 2750 bytes left to be sent out (of total 2750 bytes) 1434988457.029266: SSL: sending 1398 bytes, more fragments will follow 1434988457.029268: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL 1434988457.029270: EAP: EAP entering state SEND_RESPONSE 1434988457.029272: EAP: EAP entering state IDLE 1434988457.029273: EAPOL: SUPP_BE entering state RESPONSE 1434988457.029274: EAPOL: txSuppRsp 1434988457.029276: TX EAPOL: dst=01:80:c2:00:00:03 1434988457.029278: TX EAPOL - hexdump(len=1412): 01 00 ... ... 1 09 01 16 0c 73 65 63 75 72 69 74 79 40 69 62 73 30 1e 17 0d 31 34 30 33 31 30 31 1434988457.030267: EAPOL: SUPP_BE entering state RECEIVE ... 1434989781.980570: igb0: RX EAPOL from 34:db:fd:81:43:2b 1434989781.980571: RX EAPOL - hexdump(len=46): 01 00 00 04 04 cf 00 04 00 00 ... 1434989781.980579: EAPOL: Received EAP-Packet frame 1434989781.980580: EAPOL: SUPP_BE entering state REQUEST 1434989781.980581: EAPOL: getSuppRsp 1434989781.980582: EAP: EAP entering state RECEIVED 1434989781.980584: EAP: Received EAP-Failure 1434989781.980585: EAP: Status notification: completion (param=failure) 1434989781.980587: EAP: EAP entering state FAILURE 1434989781.980589: igb0: CTRL-EVENT-EAP-FAILURE EAP authentication failed 1434989781.980590: EAPOL: SUPP_PAE entering state HELD 1434989781.980591: EAPOL: Supplicant port status: Unauthorized 1434989781.980593: EAPOL: SUPP_BE entering state RECEIVE 1434989781.980594: EAPOL: SUPP_BE entering state FAIL 1434989781.980595: EAPOL: SUPP_BE entering state IDLE 1434989781.980596: EAPOL authentication completed unsuccessfully ... - - ---[ quotation end ]------------------------------------------- looks like OpenSSL related something, is it? so, may somebody advise where to look at? how to know who is guilty? - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlWIPtsACgkQr3jpPg/3oyoZIwCg5AcO12uDdmpWBPvLskHTp4ct X3IAn0QOx/e0dLm+6erzEMKeTW6LB5Z2 =DtVP -----END PGP SIGNATURE-----