TTLS w/MSCHAPv2 over Ubuntu 13.10 WiFi client failing
Problem ======= I've gone through the documentation for the setup and configuration of FreeRADIUS 2.2 to use Tunnelled TLS with MSCHAPv2 on my DD-WRT (Mega) router. All seems to be in good shape on the router end of things, kinda. In that artificial testing says that it's correctly configured and working correctly, but real world usage fails. So I'm a bit confused and could do with some other eyes to point me in the right direction. I'm having some issues connecting via the Ubuntu 13.10 WiFi client specifically when trying to connect using TTLS - other configurations (i.e. TLS, PEAP etc.) appear to function okay. Tests ===== 1). I've run radtest, both locally on the router and over the wire from my computer using: radtest MyTestUser MyTestPassword 192.168.1.1 1812 -sSharedSecretKey Result: Access-Accept for both tests. 2). I've run eapol_test over the wire from my computer using various configuration sets for peap-mschapv2, eap-tls, ttls-pap and ttls-eap-mschapv2 along with the certificates I'd generated and copied to the router. The following command and variations of the following configuration show SUCCESS: eapol_test -a192.168.1.1 -p1812 -c/path/to/eapol_test/eapol_test.conf -sSharedSecretKey Content of eapol_test.conf: network={ ssid="MyTestNetwork" key_mgmt=WPA-EAP eap=TTLS identity="MyTestUser" anonymous_identity="anonymous" password="MyTestUserPassword" phase2="autheap=MSCHAPv2" ca_cert="/etc/freeradius/certs/ca.pem" } Observations ============ If I attempt to connect using Ubuntu's built in Wi-Fi client using TLS or PEAP, everything is fine. However, if I attempt to connect using Tunnelled TLS, which is the protocol I'd prefer to use, that's when I get hit with the failure. It doesn't work at all, for PAP, CHAP, MSCHAPv1 or MSCHAPv2. Looking through the log to compare the ttls-eap-mschapv2 output from the eapol_test against the log generated by Ubuntu's wifi client, I notice that one of the requests (3 in log attached) appears to pass a dynamically generated username and the shared secret that I defined in my clients.conf file which gets summarily rejected (as detailed in the log attached) whereas looking at the eapol_test log the User-Name parameter in every Access-Request packet is *always* "Anonymous"; does that matter(?)... Questions ========= 1). Is there anything specific that needs to be done with FreeRADIUS in order for Ubuntu to connect using Tunnelled TLS and MSCHAPv2? i.e. are there any settings in FreeRADIUS that don't play well with Ubuntu - particularly 13.10 2). Do the certificates need the same grooming that Windows Certificates would need? Or would generating them from the command line on Ubuntu using OpenSSL suffice? i.e. Could I assume that Ubuntu's Wi-Fi client utilizes the same process as eapol_test when using the target configuration? 3). Is it a fair assumption that if the eapol_test results in SUCCESS using my targeted configuration (TTLS-EAP-MSCHAPv2) that the FreeRADIUS server is indeed set up correctly and that something else may be causing the problem? i.e. The router's Wi-Fi/RADIUS proxy, Ubuntu's Wi-Fi client etc. Log Output from radiusd -X ========================== root@DD-WRT:/jffs/etc/freeradius# radiusd -d /jffs/etc/freeradius -X FreeRADIUS Version 2.2.0, for host mipsel-unknown-linux-uclibc, built on May 11 2013 at 15:59:13 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /jffs/etc/freeradius/radiusd.conf including configuration file /jffs/etc/freeradius/clients.conf including configuration file /jffs/etc/freeradius/clients.manual including files in directory /jffs/etc/freeradius/modules/ including configuration file /jffs/etc/freeradius/modules/cui including configuration file /jffs/etc/freeradius/modules/pam including configuration file /jffs/etc/freeradius/modules/pap including configuration file /jffs/etc/freeradius/modules/otp including configuration file /jffs/etc/freeradius/modules/soh including configuration file /jffs/etc/freeradius/modules/chap including configuration file /jffs/etc/freeradius/modules/echo including configuration file /jffs/etc/freeradius/modules/exec including configuration file /jffs/etc/freeradius/modules/expr including configuration file /jffs/etc/freeradius/modules/ldap including configuration file /jffs/etc/freeradius/modules/krb5 including configuration file /jffs/etc/freeradius/modules/perl including configuration file /jffs/etc/freeradius/modules/unix including configuration file /jffs/etc/freeradius/modules/radutmp including configuration file /jffs/etc/freeradius/modules/counter including configuration file /jffs/etc/freeradius/modules/opendirectory including configuration file /jffs/etc/freeradius/modules/cache including configuration file /jffs/etc/freeradius/modules/files including configuration file /jffs/etc/freeradius/modules/realm including configuration file /jffs/etc/freeradius/modules/redis including configuration file /jffs/etc/freeradius/modules/wimax including configuration file /jffs/etc/freeradius/modules/mac2vlan including configuration file /jffs/etc/freeradius/modules/replicate including configuration file /jffs/etc/freeradius/modules/ntlm_auth including configuration file /jffs/etc/freeradius/modules/logintime including configuration file /jffs/etc/freeradius/modules/radrelay including configuration file /jffs/etc/freeradius/modules/sql_log including configuration file /jffs/etc/freeradius/modules/sradutmp including configuration file /jffs/etc/freeradius/modules/attr_rewrite including configuration file /jffs/etc/freeradius/modules/smbpasswd including configuration file /jffs/etc/freeradius/modules/etc_group including configuration file /jffs/etc/freeradius/modules/preprocess including configuration file /jffs/etc/freeradius/modules/attr_filter including configuration file /jffs/etc/freeradius/modules/rediswho including configuration file /jffs/etc/freeradius/modules/expiration including configuration file /jffs/etc/freeradius/modules/inner-eap including configuration file /jffs/etc/freeradius/modules/acct_unique including configuration file /jffs/etc/freeradius/modules/dhcp_sqlippool including configuration file /jffs/etc/freeradius/sql/mysql/ippool-dhcp.conf including configuration file /jffs/etc/freeradius/modules/linelog including configuration file /jffs/etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /jffs/etc/freeradius/modules/detail.example.com including configuration file /jffs/etc/freeradius/modules/checkval including configuration file /jffs/etc/freeradius/modules/always including configuration file /jffs/etc/freeradius/modules/detail including configuration file /jffs/etc/freeradius/modules/digest including configuration file /jffs/etc/freeradius/modules/dynamic_clients including configuration file /jffs/etc/freeradius/modules/ippool including configuration file /jffs/etc/freeradius/modules/mac2ip including configuration file /jffs/etc/freeradius/modules/mschap including configuration file /jffs/etc/freeradius/modules/passwd including configuration file /jffs/etc/freeradius/modules/policy including configuration file /jffs/etc/freeradius/modules/smsotp including configuration file /jffs/etc/freeradius/modules/detail.log including configuration file /jffs/etc/freeradius/eap.conf including files in directory /jffs/etc/freeradius/sites-enabled/ including configuration file /jffs/etc/freeradius/sites-enabled/default including configuration file /jffs/etc/freeradius/sites-enabled/control-socket including configuration file /jffs/etc/freeradius/sites-enabled/inner-tunnel main { allow_core_dumps = no } including dictionary file /jffs/etc/freeradius/dictionary main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log" run_dir = "/var/run" libdir = "/usr/lib" radacctdir = "/var/db/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = yes auth = yes auth_badpass = yes auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client 127.0.0.1 { ipaddr = 127.0.0.1 netmask = 32 require_message_authenticator = no secret = "SharedSecretKey" shortname = "localhost" } client 192.168.1.0 { ipaddr = 192.168.1.0 netmask = 24 require_message_authenticator = no secret = "SharedSecretKey" shortname = "private-network" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /jffs/etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } } radiusd: #### Loading Virtual Servers #### server { # from file /jffs/etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /jffs/etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /jffs/etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /jffs/etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /jffs/etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/jffs/etc/freeradius/certs" pem_file_type = yes private_key_file = "/jffs/etc/freeradius/keys/server.key" certificate_file = "/jffs/etc/freeradius/certs/server.pem" CA_file = "/jffs/etc/freeradius/certs/ca.pem" private_key_password = "ServerKeyPrivatePassword" dh_file = "/jffs/etc/freeradius/certs/dh" random_file = "/jffs/etc/freeradius/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = no soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_files Module: Instantiating module "files" from file /jffs/etc/freeradius/modules/files files { usersfile = "/jffs/etc/freeradius/users" acctusersfile = "/jffs/etc/freeradius/acct_users" preproxy_usersfile = "/jffs/etc/freeradius/preproxy_users" compat = "no" } reading pairlist file /jffs/etc/freeradius/users reading pairlist file /jffs/etc/freeradius/acct_users reading pairlist file /jffs/etc/freeradius/preproxy_users Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /jffs/etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /jffs/etc/freeradius/modules/radutmp radutmp { filename = "/var/db/radacct/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } } # modules } # server server inner-tunnel { # from file /jffs/etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /jffs/etc/freeradius/modules/unix unix { radwtmp = "/var/log/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /jffs/etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /jffs/etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /jffs/etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/jffs/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /jffs/etc/freeradius/attrs.access_reject } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 1812 } listen { type = "control" listen { socket = "/var/run/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on command file /var/run/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=131 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0xc70c9e74f630a26989839d46dae518d4 # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c31ade8ccbe71eeea3b01778ba Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141 Cleaning up request 0 ID 0 with timestamp +23 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c31ade8ccbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060315 Message-Authenticator = 0x70787601f401ba18203452a341d36ce6 # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c31bdd80cbe71eeea3b01778ba Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=362 Cleaning up request 1 ID 0 with timestamp +23 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c31bdd80cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200e3150016030100d8010000d4030152701e5945f504b1715698b334a194cf4a238da9f242f1def3c17fc8bb108cc3000066c014c00ac022c0210039003800880087c00fc00500350084c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000045000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000f000101 Message-Authenticator = 0x27639a839218b4b6da378a05bb2ed49d # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 2 length 227 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00d8], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls]>>> TLS 1.0 Handshake [length 0036], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls]>>> TLS 1.0 Handshake [length 0916], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls]>>> TLS 1.0 Handshake [length 030d], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls]>>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x0103040015c000000c71160301003602000032030152701e5a14a4a10dfae714e8cb8b3579bb15e7c6ed443fba26290e659171b3e500003900000aff01000100000f00010116030109160b00091200090f0004d6308204d2308203ba020101300d06092a864886f70d01010505003081ad310b30090603550406130243413110300e06035504080c074f6e746172696f3110300e06035504070c07546f726f6e746f31173015060355040a0c0e54686520416c616261737465727331193017060355040b0c104e6574776f726b205365637572697479311f301d06035504030c166e7365632e746865616c61626173746572732e636f6d312530230609 EAP-Message = 0x2a864886f70d01090116166e73656340746865616c61626173746572732e636f6d301e170d3133313032373231313431315a170d3133313132363231313431315a3081af310b30090603550406130243413110300e06035504080c074f6e746172696f3110300e06035504070c07546f726f6e746f31173015060355040a0c0e54686520416c616261737465727331193017060355040b0c104e6574776f726b2053656375726974793121301f06035504030c187261646975732e746865616c61626173746572732e636f6d3125302306092a864886f70d01090116166e73656340746865616c61626173746572732e636f6d30820222300d06092a86 EAP-Message = 0x4886f70d01010105000382020f003082020a02820201009b2737ac47ee37f8389bd8af0a145ff290e7c08ebe054ec9b01c63e3370e0270d67d81bfe8cad72ace89b11e32024f84c43cbc82c6b96b307c9034446a77ad0d22d84ce1474d3fe2e90d07b300f3c694d2d4d87f5819ae16a0ea56fd3eed73d351785dbebbab81c927f583764c524c946097f85e5cf8e57acff474b2ca1128e894badfa645ce2c079912f34cfdb41c11b13fe20ff67110388b808e8e0b45a7277cee00f3a7ccfbf60c134e1511f4221a76d073a547bf3f68a4815c9c3decdb18d29450375517d9293b3fbbac42332a85d8cbf8fb9000912c0c12a09a59ed76b5b915cf8a3586 EAP-Message = 0x6021559f7d4a664b0769d228d75c04e854bbbe1d808d8db275c6bca0d29527539b8ac0e1aab52a24d303a930f83d1cdbee50431b70ab490297db3a46e08413956a00bdeee059583fe2f7c7cc367b2099d48522707d487c0319ccd8fdf5d9bb6f2fdedca571a93f490f505e376a038d59bd4f38712701811025bb84ee8c940201d885523bf87b8f35952650095c9eb7a0f5fd4326da26ccb8c68cde3bffe20d940373ccd50849e76d69f48f3e449ca2e187feedb74d3a98305629abf1570b760a2bf8b470853b1d9bcb07b599560ee902e336f78398ab712b6abae0422aa56280b8faa8d7c5de1bb178c2e55f39dfe0023d5bd280d650930b23359c84ee EAP-Message = 0x77d7df97d4375e9a00c5c8ac Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c318dc80cbe71eeea3b01778ba Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 58076, id=11, length=80 User-Name = "c48508cf0a6c" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Password = "SharedSecretKey" # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. Login incorrect: [c48508cf0a6c/SharedSecretKey] (from client private-network port 1) Using Post-Auth-Type REJECT WARNING: Unknown value specified for Post-Auth-Type. Cannot perform requested action. Delaying reject of request 3 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141 Cleaning up request 2 ID 0 with timestamp +23 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c318dc80cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061500 Message-Authenticator = 0xefd93e4a71ef938a86a2fc810f7cde7d # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x0104040015c000000c719d6a3c286c5514c06fcfb4a6bbe064e5350203010001300d06092a864886f70d01010505000382010100d10b16b34b288091b53f489858be958db7a57fd0c2073fad37955ff0267ca937159207f0c55b068caff3b01b81b457c272902249c54907a788c6a356eb952e8a30c535ecd5ea2aea0d32a4b221ba271123d954ca70cbce8e15fde7a7e55518c3be3aa3af302c2603fc93548f51fd372b13be14dcf0988ee0cb2a33fd28b0fe61ad648b49961895e30dfb36e8afb0e76a348843972bbb1bb742ecd28779129067a4020e66c28d32189f596870a5cb68e4d3ef29c30d5ee989acdfbe1a0e31daac5545d65b7a9a1c851f EAP-Message = 0xf67cdf215b0262bac65181baba695aade5fa0e6ae5b90ff13812364c59ac75fd17e9ba58914a9777096a6f2c23c97fa175d5195e1f98bc0004333082042f30820317a0030201020209008c4552f6b737955e300d06092a864886f70d01010505003081ad310b30090603550406130243413110300e06035504080c074f6e746172696f3110300e06035504070c07546f726f6e746f31173015060355040a0c0e54686520416c616261737465727331193017060355040b0c104e6574776f726b205365637572697479311f301d06035504030c166e7365632e746865616c61626173746572732e636f6d3125302306092a864886f70d01090116166e73 EAP-Message = 0x656340746865616c61626173746572732e636f6d301e170d3133313032373231303834325a170d3133313132363231303834325a3081ad310b30090603550406130243413110300e06035504080c074f6e746172696f3110300e06035504070c07546f726f6e746f31173015060355040a0c0e54686520416c616261737465727331193017060355040b0c104e6574776f726b205365637572697479311f301d06035504030c166e7365632e746865616c61626173746572732e636f6d3125302306092a864886f70d01090116166e73656340746865616c61626173746572732e636f6d30820122300d06092a864886f70d01010105000382010f0030 EAP-Message = 0x82010a0282010100d1f36f8ab2748661c1775f4d50efcba339e695bbf6d331c384e2617d4cf5cc1e85e39877a5e053717b53729e3c327dda877d8622e249938bd61768d81e7f395beb92f542c58f38863d63d1c5a98f774d27d719ab9aa41b50d619bb3d773449d4429c4fe3d797e912ec13222cc3a6e8727b367355f6fe2006a4b4d4cd32b66f163c5fb2452946adedb05e6207a92496f5a985ad072fd580a51e3f975ab62ef9135d7c51201782a224f003b1341f7b5785a466ce1a93646c29a2b84715c5dcd5cce47376fa2cece76400d248bda6b7c60b36d56cc13964110c58fcf60b4a03045a3ab04e14e71ccee09e93f4d331cdf1ded2e7118ea6 EAP-Message = 0xc40e1988e87cd2ee9c04bb02 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c319db80cbe71eeea3b01778ba Finished request 4. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141 Cleaning up request 4 ID 0 with timestamp +24 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c319db80cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061500 Message-Authenticator = 0x90f7afd16242e369e84021f0ccf71b3f # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x0105040015c000000c7103010001a350304e301d0603551d0e0416041481f46bfa968cfcbbed8330ae18132e215cd5399e301f0603551d2304183016801481f46bfa968cfcbbed8330ae18132e215cd5399e300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010074e952157ebb701eba65d1865806a41de3ece08c320d8c08e6158e5e00d458536f362ee687f848e7062415658337a5dcb8c51bd680bfa72f34e8f9d46d5601a913ea79c5669606762c353662528b541d503aeb42b954ae5f38f9fb044e221fc8f2702d984694ba082a7a26fc236101ac8ee6b4f96953e6635cc2ef613f0e43678e3881e7840c86e1d7 EAP-Message = 0x9c61f2f4bec58db2da7f735e0dee94d7cb04fda169f8bc3ef10d9424df4b69464ff7f9287852c3dc13d95b1e6ed7e86e6c3083a23704b1cea0bff6b9d09851300ccc45b6c93ab36b2b6506d4724585a6977ad4967d6d3b75fec09f17e19166b3c79ebd3e9ae9ca591b3ff14737903ad3aa8e9305747fe1160301030d0c0003090080854d39aee87745ea2a107a239e31f16cf0b5c3e1c48b72e15a85d76c7eaa4e026770747cbcb0a278426c873d4047494d4b37a2aafb600cece45d163ec6065e6627d50925abfa4aa1b05055b247ac06396542e08dd5a80cec3138340850c8acbfe72893b9344535a68e77ebe19d5203be97c3d8d937b98d7894be12 EAP-Message = 0x340ff219b3000102008042be0fe72bc5e9812855bc188c9a16a8d4a62096b8a50c8f672200a5750dd3269a412cfd0f0160afc14795500ab6990a3c306896071d7dd5020d79bba8b60835cd71c6915e2e0d81fc1b902aab46a2bfd56fdd6db1f2e43886d5d854b1925817e12175ea38e8f6843e8b1b4c79464b877a289ab76f31cc5144febc8a1050963302004b15d75faea9b427495eab5da8ba060f3d9abfb2af66f80697ff9a99e920f5ddb04c9cb96b4ed7e0abeb40ce3373f9c159dbbf140bb1aec0cfaa6cb20d400a43e166a59dc8c89326184adcb33db6d54d701358827d80179ed3ef53d22bdba62fe8ae4c848c49d837eccf2fb8e0f4f55cab EAP-Message = 0xed4b78b5757f5548d010e73dad5b3115145b03464bce84f2457445d617ecd7422c12235a80d8a0a3409e58cac9771af702ecd6698404c9aab53fa67f9035ce6391b5dd7610c40e4127bf52dfa49b5f7a0ce53defced4961cbd9c0143874444489a722402e4be9d8e3efff68d6ec4a2aeb92fa9978bf1dbe06afb60690638349966836169e1331a6b30e661f72dd8d12c06eac4dad7f452d1866a016b367e9f5b943b126c1f7b4d8f77ffb535c748537d2bc81751b052d2e5d3299ee16d585e3b7a7b289b6baf88789494071cfca7e8ca0c99831fbdb8a5d1f12f6aed5e421a1135c7b6f5f4cffb0a0c8866d8882a428361de19d915b858eb407c194f95 EAP-Message = 0xc2a56f964c63cb568664b0c8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c31eda80cbe71eeea3b01778ba Finished request 5. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141 Cleaning up request 5 ID 0 with timestamp +24 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c31eda80cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500061500 Message-Authenticator = 0x72932bf113a5c9002ecdcb5c17016f73 # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x01060099158000000c71c24732acb37286d316120e1f97ac15f9488c69e1e0a6291455e74073ad8c2f26f1b40a446a660d3043620ca020ef7be1c5365c8e88a77f35b302ab4613fc4fe2316e22eb36c1d09d01ed0149fe8f56be9874ecfff02dc85ccf42d1c24b3d236fa946b0a8e4d5f2ec26f3ffba88f1e5881b07a88f8e1b5b74ec289537acbb7694f4859ae211f216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c31fd980cbe71eeea3b01778ba Finished request 6. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=339 Cleaning up request 6 ID 0 with timestamp +24 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c31fd980cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600cc150016030100861000008200800f5091091fbeaab2cfe280451883911d498e9910ff6f4c593deb48b646df05d5830fd079e6e6e9c1c07dd20effb975a23975962a23a83564dd6d40255b8322959e779395687e51cc85ec4ec6fba4153cb5aea31d4aab17b2d8e925f5c930c712934c9d2bf6e9a0ffb4b339b4f431248cba01acb9d443d77a4a5eddbc4df1c6261403010001011603010030a3fffc11ed28f49e3345093a54fb00d6c839b7143902555a81b3a384250d64816bbd40411fa52547c00c35fa536560e9 Message-Authenticator = 0x50f0866ef17b77061e7d20bf78febff4 # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 6 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls]>>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls]>>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x0107004515800000003b1403010001011603010030080642e3113c98e7678f8398c3a27b985ba0244f737e2f74e650df6653468c7008e5050878966bdb5c9a00d6148afcdf Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c31cd880cbe71eeea3b01778ba Finished request 7. Going to the next request Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=327 Cleaning up request 7 ID 0 with timestamp +24 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c31cd880cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020700c015001703010020436b3861d680d218559d40b40b8c86afc39b52e04568b34f57bc35bfb423f6591703010090859716887d09b035c922e2bbd7148d91c7bf6b985a71954cbe70ff7a931241e9c34a6d131bab5548dca13e8766f3bef97952fd732f3e55c4765c1326d23ebf827c58f852d595fd383c3a04bf46ac3e85fe1d5b9312cf61cca3e66380245debca48f589d6b39ec9acba7ee8bc1eb514d1d55ccc5fef6ac1cf052e512ad2cc8cc5b2b27af8444fdd45f840c7ee591054ea Message-Authenticator = 0x2ba000d8cd9824a97525413fd368bfea # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 7 length 192 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "MyTestUser" MS-CHAP-Challenge = 0xcafa30c4547fe57b00e923a19388afd8 MS-CHAP2-Response = 0x900098f355d7bcbb5d0861893e660022759b000000000000000085ce464eda88f0c15d3eedbf01367d97804dc62aeb7aad4d FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "MyTestUser" MS-CHAP-Challenge = 0xcafa30c4547fe57b00e923a19388afd8 MS-CHAP2-Response = 0x900098f355d7bcbb5d0861893e660022759b000000000000000085ce464eda88f0c15d3eedbf01367d97804dc62aeb7aad4d FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok [suffix] No '@' in User-Name = "MyTestUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 2 [files] expand: %{User-Name} -> MyTestUser [files] users: Matched entry MyTestUser at line 8 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = MSCHAP # Executing group from file /jffs/etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: MyTestUser [mschap] Client is using MS-CHAPv2 for MyTestUser, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok Login OK: [MyTestUser] (from client private-network port 0 via TLS tunnel) WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /jffs/etc/freeradius/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code 2 Session-Timeout := 3600 User-Name := "MyTestUser" Acct-Interim-Interval := 300 MS-CHAP2-Success = 0x90533d38323138413832323034463143454439433936394536393133363534323037424646433841304642 MS-MPPE-Recv-Key = 0x8ce0cc626543b14adead1abfb93ed5cf MS-MPPE-Send-Key = 0x005ba204b07f699046f4ac1c3a188076 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.1.1 port 49754 EAP-Message = 0x0108005f1580000000551703010050d1ef8159c074e3e88c6816a20d2d622234f56ccdbeb0eafdf8de56b85a8d897de8e6f98dbb945ea941cef9c8bcb0d4d3c4b7f0b48b756fff97a2ab4355d98a8c277eda652de295baca8fd5b3623c4c74 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1adf95c31dd780cbe71eeea3b01778ba Finished request 8. Going to the next request Waking up in 0.7 seconds. rad_recv: Access-Request packet from host 192.168.1.1 port 49754, id=0, length=141 Cleaning up request 8 ID 0 with timestamp +24 User-Name = "anonymous" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "20e52a2a793a" Calling-Station-Id = "c48508cf0a6c" NAS-Identifier = "20e52a2a793a" NAS-Port = 41 Framed-MTU = 1400 State = 0x1adf95c31dd780cbe71eeea3b01778ba NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800061500 Message-Authenticator = 0xd9169c88982c8ba1456566add1d260e4 # Executing section authorize from file /jffs/etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[mschap] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /jffs/etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok Login OK: [anonymous] (from client private-network port 41 cli c48508cf0a6c) WARNING: Empty post-auth section. Using default return values. Sending Access-Accept of id 0 to 192.168.1.1 port 49754 MS-MPPE-Recv-Key = 0x00e38d49949eda0340ea8188cfec315208941fc6e99f6b627f2aea410c25dcb4 MS-MPPE-Send-Key = 0xa45d9bbc09a890de1bc2cc509ccc48b00a2eebfeb812eab8b5cbc4f9a97cd303 EAP-Message = 0x03080004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "anonymous" Finished request 9. Going to the next request Waking up in 0.7 seconds. Sending delayed reject for request 3 Sending Access-Reject of id 11 to 192.168.1.1 port 58076 Waking up in 4.2 seconds. Cleaning up request 9 ID 0 with timestamp +24 Waking up in 0.7 seconds. Cleaning up request 3 ID 11 with timestamp +24 Ready to process requests.
Mailing Lists wrote:
1). I've run radtest, both locally on the router and over the wire from my computer using:
radtest MyTestUser MyTestPassword 192.168.1.1 1812 -sSharedSecretKey
Result: Access-Accept for both tests.
That isn't always indicative. See the top of raddb/sites-available/inner-tunnel for instructions on testing the inner-tunnel virtual server.
2). I've run eapol_test over the wire from my computer using various configuration sets for peap-mschapv2, eap-tls, ttls-pap and ttls-eap-mschapv2 along with the certificates I'd generated and copied to the router. The following command and variations of the following configuration show SUCCESS:
If eapol_test works, then FreeRADIUS is fine.
If I attempt to connect using Ubuntu's built in Wi-Fi client using TLS or PEAP, everything is fine. However, if I attempt to connect using Tunnelled TLS, which is the protocol I'd prefer to use, that's when I get hit with the failure. It doesn't work at all, for PAP, CHAP, MSCHAPv1 or MSCHAPv2.
The the Ubuntu client is broken. Which is weird, because I *thought* it was based on wpa_supplicate. (i.e. using the same code base as eapol_test).
Looking through the log to compare the ttls-eap-mschapv2 output from the eapol_test against the log generated by Ubuntu's wifi client, I notice that one of the requests (3 in log attached) appears to pass a dynamically generated username and the shared secret that I defined in my clients.conf file
What does that mean? "dynamically generated user name"? The debug log you posted shows no such thing.
1). Is there anything specific that needs to be done with FreeRADIUS in order for Ubuntu to connect using Tunnelled TLS and MSCHAPv2? i.e. are there any settings in FreeRADIUS that don't play well with Ubuntu - particularly 13.10
No. If eapol_test works, FreeRADIUS is fine.
2). Do the certificates need the same grooming that Windows Certificates would need?
No. Only Windows needs that idiocy. The documentation says this.
Or would generating them from the command line on Ubuntu using OpenSSL suffice?
Don't. Use the scripts in raddb/certs. That directory has a README, too.
i.e. Could I assume that Ubuntu's Wi-Fi client utilizes the same process as eapol_test when using the target configuration?
It should.
3). Is it a fair assumption that if the eapol_test results in SUCCESS using my targeted configuration (TTLS-EAP-MSCHAPv2) that the FreeRADIUS server is indeed set up correctly and that something else may be causing the problem i.e. The router's Wi-Fi/RADIUS proxy, Ubuntu's Wi-Fi client etc.
Yes.
Log Output from radiusd -X ==========================
Which shows a success, but no failure. Making it impossible to debug any failure. Alan DeKok.
Thanks for your help Alan, your responses were super helpful. I will try and debug what's going on with the Ubuntu WiFi client.
participants (2)
-
Alan DeKok -
Mailing Lists