I have a Ruckus ZoneDirector 1025 with waps that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind-of looks to me that the Zone Director is not sending the correct eap message for eap-tls. Maybe someone could point me in the right direction. Also, something is putting host/ in front of the User-Name field. In the certificate, I have the common name as joshhiner not host/joshhiner. Wonder if the zone director is mangling eap? Also, the wireless card is a mini-pci broadcom in a compaq 6710b. Thanks -Josh Error: Ready to process requests. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=186, length=192 User-Name = "host/joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-21-00-41-AE-4F" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001301686f73742f6a6f736868696e6572 Message-Authenticator = 0x5a46b20a893c5d940dfacf2c35c1bd83 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "host/joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 226 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/joshhiner attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 186 to 172.17.10.108 port 1027 Waking up in 4.9 seconds. Cleaning up request 2 ID 186 with timestamp +373 Ready to process requests.
I have a Ruckus ZoneDirector 1025 with waps that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind-of looks to me that the Zone Director is not sending the correct eap message for eap-tls.
No you are forcing Auth-Type Reject in users file:
[files] users: Matched entry DEFAULT at line 226
Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
I have a Ruckus ZoneDirector 1025 with waps that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind-of looks to me that the Zone Director is not sending the correct eap message for eap-tls.
No you are forcing Auth-Type Reject in users file:
[files] users: Matched entry DEFAULT at line 226
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok thanks. I did take that out (whoops) and now I see no explicit failure but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an "OK" for files section but still does not authenticate the XP client. I dont think I should need anything in the users file correct? Here is output from radiusd (version info etc.. at top of this message). Thanks for any help. -Josh Ready to process requests. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=243, length=182 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e016a6f736868696e6572 Message-Authenticator = 0x799db1f3c98934494137e4e5b4864a7c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 243 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b2379b8326de9be9acd701ac8 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=244, length=266 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100500d800000004616030100410100003d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d00001600040005000a000900640062000300060013001200630100 State = 0x2378b52b2379b8326de9be9acd701ac8 Message-Authenticator = 0x1e56c72c8f7a8f9ea99c2e78fc74dab1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 03c4], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 244 to 172.17.10.108 port 1027 EAP-Message = 0x010204000dc0000004a0160301002a020000260301497e188797e72d5161e32518e15cdf27e2ed3a7b56dc7c46d11c014f000000000000040016030103c40b0003c00003bd0003ba308203b63082029ea003020102020101300d06092a864886f70d0101050500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e EAP-Message = 0x170d3039303132323230343932395a170d3239303131373230343932395a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ae7c4ed6f235d19b4598e3c66cab0d21ff2721a6d53c5189bc2193fe5b3d01a085240dc02b55786a7c34 EAP-Message = 0x01a628b1ccfae2c47c743be8e97e4d2c4ee2e1dacdabe860d21e661e4fc4788506a335ed3c39f24f6f611e3b74dbb5b169e0cd96e35c6c6992d405b010b111e6169ef783c0a39b71f01b9bfff8714b4e635cce807ff1e4a8878ccabf3ade9cafd57707a1ecae05b6966e45904971f51774073e0ab6647d4374ba53a347d89adff83b0466317dfb250556ea19bd38f625f6dcfb6a3036e4cde1a2c7ef248a5f3b8e2dd53a1ca37f2009cea5f42e31604686bcb5a099fb4125010e4cfe4e8391204dc9789686e027da770ec4a5e1a1ee9b0cc1185e31110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7 EAP-Message = 0x0d01010505000382010100a7d5ebc5fda95ce18768414d16a178a3b9ec9873221c398a4f394334548c4bb05dd14664a2197451d1d67f899ffcde4c244eccdae67fee8f7f347acacedd3a376c8b6cfc42cf975f09a2681372721cad0d52b487ca1d30a8c51d625516aa30e1394837d4e43d91a0b80c429d770f00526c40c4344c26cd156984f3efeb92615a4cab847cb2f7b6a1ce613c0cbf55e7e9aca10177b52612a80b257e120fa09124316de1dd269f0d83cb162b97cbe8da92a062505cb403245b42e60d8a4d350691809d855d1c4cf597cf4d9cfa0d588b750c513e434fa5b1b8d59d1bc208f01be48f07ce72d14a844c7fa1ec1d2191c7a2ab2b EAP-Message = 0x884f0c3489f47015e1ad876a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b227ab8326de9be9acd701ac8 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=245, length=192 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0x2378b52b227ab8326de9be9acd701ac8 Message-Authenticator = 0x61aa5b710916c0ee4384c347547492da +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 245 to 172.17.10.108 port 1027 EAP-Message = 0x010300b40d80000004a067eb16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b217bb8326de9be9acd701ac8 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=246, length=192 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0x2378b52b217bb8326de9be9acd701ac8 Message-Authenticator = 0x3ccd67f6b56a0fbcf45daf523f482b7b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 246 to 172.17.10.108 port 1027 EAP-Message = 0x0104000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b207cb8326de9be9acd701ac8 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 243 with timestamp +115 Cleaning up request 1 ID 244 with timestamp +115 Cleaning up request 2 ID 245 with timestamp +115 Cleaning up request 3 ID 246 with timestamp +115 Ready to process requests.
Josh Hiner wrote:
tnt@kalik.net wrote:
I have a Ruckus ZoneDirector 1025 with waps that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind-of looks to me that the Zone Director is not sending the correct eap message for eap-tls.
No you are forcing Auth-Type Reject in users file:
[files] users: Matched entry DEFAULT at line 226
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok thanks. I did take that out (whoops) and now I see no explicit failure but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an "OK" for files section but still does not authenticate the XP client. I dont think I should need anything in the users file correct? Here is output from radiusd (version info etc.. at top of this message). Thanks for any help.
-Josh
Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRadius Wiki FAQ. thanks -Josh
Ready to process requests. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=243, length=182 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000e016a6f736868696e6572 Message-Authenticator = 0x799db1f3c98934494137e4e5b4864a7c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 243 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b2379b8326de9be9acd701ac8 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=244, length=266 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100500d800000004616030100410100003d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d00001600040005000a000900640062000300060013001200630100
State = 0x2378b52b2379b8326de9be9acd701ac8 Message-Authenticator = 0x1e56c72c8f7a8f9ea99c2e78fc74dab1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 03c4], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 244 to 172.17.10.108 port 1027 EAP-Message = 0x010204000dc0000004a0160301002a020000260301497e188797e72d5161e32518e15cdf27e2ed3a7b56dc7c46d11c014f000000000000040016030103c40b0003c00003bd0003ba308203b63082029ea003020102020101300d06092a864886f70d0101050500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e
EAP-Message = 0x170d3039303132323230343932395a170d3239303131373230343932395a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ae7c4ed6f235d19b4598e3c66cab0d21ff2721a6d53c5189bc2193fe5b3d01a085240dc02b55786a7c34
EAP-Message = 0x01a628b1ccfae2c47c743be8e97e4d2c4ee2e1dacdabe860d21e661e4fc4788506a335ed3c39f24f6f611e3b74dbb5b169e0cd96e35c6c6992d405b010b111e6169ef783c0a39b71f01b9bfff8714b4e635cce807ff1e4a8878ccabf3ade9cafd57707a1ecae05b6966e45904971f51774073e0ab6647d4374ba53a347d89adff83b0466317dfb250556ea19bd38f625f6dcfb6a3036e4cde1a2c7ef248a5f3b8e2dd53a1ca37f2009cea5f42e31604686bcb5a099fb4125010e4cfe4e8391204dc9789686e027da770ec4a5e1a1ee9b0cc1185e31110203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f7
EAP-Message = 0x0d01010505000382010100a7d5ebc5fda95ce18768414d16a178a3b9ec9873221c398a4f394334548c4bb05dd14664a2197451d1d67f899ffcde4c244eccdae67fee8f7f347acacedd3a376c8b6cfc42cf975f09a2681372721cad0d52b487ca1d30a8c51d625516aa30e1394837d4e43d91a0b80c429d770f00526c40c4344c26cd156984f3efeb92615a4cab847cb2f7b6a1ce613c0cbf55e7e9aca10177b52612a80b257e120fa09124316de1dd269f0d83cb162b97cbe8da92a062505cb403245b42e60d8a4d350691809d855d1c4cf597cf4d9cfa0d588b750c513e434fa5b1b8d59d1bc208f01be48f07ce72d14a844c7fa1ec1d2191c7a2ab2b
EAP-Message = 0x884f0c3489f47015e1ad876a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b227ab8326de9be9acd701ac8 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=245, length=192 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0x2378b52b227ab8326de9be9acd701ac8 Message-Authenticator = 0x61aa5b710916c0ee4384c347547492da +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 245 to 172.17.10.108 port 1027 EAP-Message = 0x010300b40d80000004a067eb16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b217bb8326de9be9acd701ac8 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=246, length=192 User-Name = "joshhiner" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 1 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-0E-35-B6-74-AF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0x2378b52b217bb8326de9be9acd701ac8 Message-Authenticator = 0x3ccd67f6b56a0fbcf45daf523f482b7b +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "joshhiner", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 246 to 172.17.10.108 port 1027 EAP-Message = 0x0104000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2378b52b207cb8326de9be9acd701ac8 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 243 with timestamp +115 Cleaning up request 1 ID 244 with timestamp +115 Cleaning up request 2 ID 245 with timestamp +115 Cleaning up request 3 ID 246 with timestamp +115 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRadius Wiki FAQ.
thanks -Josh
Server is happy, supplicant isn't. Enable tracing and read the eapol.log: http://support.microsoft.com/kb/894568 Ivan Kalik Kalik Informatika ISP
tnt@kalik.net wrote:
Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRadius Wiki FAQ.
thanks -Josh
Server is happy, supplicant isn't. Enable tracing and read the eapol.log:
http://support.microsoft.com/kb/894568
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Once again, thanks for the help. It was indeed the supplicant. -Josh
Josh Hiner wrote:
I have a Ruckus ZoneDirector 1025 with waps that I just installed. Testing out different EAP types I can use. I am using FreeRadius 2.1.3. I have eap-ttls and eap-peapv0 working perfectly (I am using windows to control the wireless card for peap and it works great). Was going to try eap-tls by assigning client certificate to the machine account so the computer account authenticates on the wireless and then the user can log into the domain. I did this and get errors. It kind-of looks to me that the Zone Director is not sending the correct eap message for eap-tls.
No you are forcing Auth-Type Reject in users file:
[files] users: Matched entry DEFAULT at line 226
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok thanks. I did take that out (whoops) and now I see no explicit failure but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an "OK" for files section but still does not authenticate the XP client. I dont think I should need anything in the users file correct? Here is output from radiusd (version info etc.. at top of this message). Thanks for any help.
-Josh
Oh, and to add, the certificate does have this: Client Authentication purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify that I did read the FreeRadius Wiki FAQ. thanks -Josh
Server is happy, supplicant isn't. Enable tracing and read the eapol.log:
http://support.microsoft.com/kb/894568
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Once again, thanks for the help. It was indeed the supplicant.
-Josh Whoops, I thought I solved this but I didnt. I tried setting up eap-tls on a few different laptops each using windows xp to configure eap-tls (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting: josh Auth-Type := eap Auth-Type := Accept
to kind of see if I was missing somthing. Do I need anything in the /etc/raddb/users for eap-tls? On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate. I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so windows xp complains about this. I turned off "Verify Certificate Authority" in the windows XP eap-tls setup to see if that would help. It did not. Would this broken cert chain cause the issue I am having of authentication just stopping? As far as I can see, I've followed all instructions on making the certs, verifying the right oid's in each cert, and configuring FreeRadius? Here is another radiusd debug just in case anyone can see anything else. I cannot see an error. I have turned debugging on for the windows xp wireless supplicant but really cannot see anything in there that points to a clear answer. I also tried a few laptops with different cards but also using windows xp as the wireless client. Same thing so I must be missing something. thanks for any help Here is the debug: Ready to process requests. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=19, length=172 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000009016a6f7368 Message-Authenticator = 0x0c726a7e3ac712cf547eebe096cf72c1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 19 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa3982ff784f708f948bb823a0e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=20, length=261 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100500d800000004616030100410100003d0301497f12c55aaab891840a5314f901341acd2d4dfb6cf3013dbeb9c284cbd7d28500001600040005000a000900640062000300060013001200630100 State = 0x982efaa3982ff784f708f948bb823a0e Message-Authenticator = 0xf4a495a1dc517a2ea1ce79f466520039 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0846], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 20 to 172.17.10.108 port 1027 EAP-Message = 0x010204000dc000000922160301002a020000260301497f12bc41a3134a837ab67e8bb4f9b211c20cc23b0e8820ff5d46ee000000000000040016030108460b00084200083f0003a4308203a030820288a003020102020101300d06092a864886f70d0101050500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e EAP-Message = 0x170d3039303132373034313133385a170d3239303132323034313133385a307c310b30090603550406130255533111300f060355040813084d6963686967616e310e300c060355040a130552454d4331312830260603550403131f52454d433120526164697573205365727665722043657274696669636174653120301e06092a864886f70d0109011611737570706f72744072656d63312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100df5db79ac92e13bb06dd2458db371fa0c22ebd220440aa0747e98a13d64027fa10720c69b224d607bfd2a7b2836c224cefca5113d0c56cf7d97d25703bb05f8b EAP-Message = 0xff12c9dfc2fd602271f2e9200e9c196d6e9018840e69c6c82a62e77d946ad60562c576c4b7206c8d2d378a7c84f99fb64dfa51a87021ccf234c76e91159c2dfbbeb1095cc81ea26d39dc0a078011b3c70bdd11f0800f8391737591b7bf005551bc4ba051cf7e83d2d883c946372059167cabb6514ab5068c7274662639825e37d705d415cb370df3aa1088e87d8c3bf7df5116dd61d589831dfe2e0d347ae15227c48900964d24fa574dab1166e4d5a100741f7cf4088e3e47ae88ae3793f7990203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101003730d65b9ae051938bdd36 EAP-Message = 0x33b834dd5cef73a38bf01b1e9dead12841c954d04cb564c884b4529af0faf9a71b46ac5f554fcbe64e9c5be604392e8fd0b5f62aab2fe7155e828bb06e456fc26c30a90b417cb6b6fa68eda56eb29653514ba78c0f0852a7c17ade33eb38f9edf423f9d1fc72bba6549c3c4bf20bec437fcdca0d16a8f4e4bab8c8f82eddd48878165d383ea8291d4f0e922cdd4871ea92f72340e930efc3bb6ab917bccd92c95ec69575bde85e5bbd3e3c52285345881f4e758074df363d49dc044abd145ebc070aeec28dfb36341146c52a152bbd80a8833599c35caa44ed4c38ea2e6fecbadb59d0f487777f7d0bcec13bbb19bb93492b99e1c70004953082049130 EAP-Message = 0x820379a00302010202010030 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa3992cf784f708f948bb823a0e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=21, length=187 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0x982efaa3992cf784f708f948bb823a0e Message-Authenticator = 0xd58793dae3bbbbf94990f6f834b36edc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 21 to 172.17.10.108 port 1027 EAP-Message = 0x010304000dc0000009220d06092a864886f70d0101040500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e170d3039303132373034313131325a170d3239303132323034313131325a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e EAP-Message = 0x636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b49dd90b47ecf8f3f0cd3c5c925e8891da336543215709231a08521a69e856b5e1a5061417fc7b859738da4d81033c6b6149535830a03c2b4554a71d67c5e0694ad03f0708c818ebcb596cce15740a0053a7e41b24551c63efeb928664aadb3cbce4ada1867ef56926909bf1c5914b0463f681a8ce59283ba5 EAP-Message = 0x2316add0dfd36901ec2b2da655be187efe786c36cd9c9a09a51a065333dff65e991e3b88bd826f9f07b5c7bf0366dfaf1fd44870e4c8df99a987dab4d955c104ea5fb3a0dedaed2e758a75508b4a5bb88f06c9f80c5d4633057f6624247230a9ff3bf64adc9853f366f9d7c487825be1b0b5137b85a8ee4b07af87b6cfb8341fe5ff4b7780677d0203010001a381f13081ee301d0603551d0e04160414b0af659819810e066c1fae3a2f9a9fc3377af5693081be0603551d230481b63081b38014b0af659819810e066c1fae3a2f9a9fc3377af569a18197a48194308191310b30090603550406130255533111300f060355040813084d696368696761 EAP-Message = 0x6e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101007cac0b9cc3c3cb9405ff81979b7d8d746e09761c5f85ca3d313e8c2fe2faa361556fb274dc24f45e7573f78fe061582266430cc381196b92e326f2cf5ba7625549f2a9708e8150129eca8e033ecce9acdf069eb1615a3088039cd0dda72e7d73e7f5bd60a8a5 EAP-Message = 0xcbdf5f73170cd3ed1a52364e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa39a2df784f708f948bb823a0e Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=22, length=187 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0x982efaa39a2df784f708f948bb823a0e Message-Authenticator = 0x59fdc45f3eb465063f8b3b802a875cec +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 22 to 172.17.10.108 port 1027 EAP-Message = 0x010401400d8000000922101bd464323e493c6bc2a2d48f905e1afede5f663de695fede560cd70864dca08c7078aec5299f07dcf4fb24c0274678071ce5a15b8e28b322b12b665ed600b782c6eefc624e851ac89390f929f19a7e26d494e730702c031e47e5f7dca498859b2c634abc1807eedcff4a5be51fed6c56c2ffb2db730e219cdc535d563752f23011f00d8bbb819fbb1e4a3cd14d16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d01090116 EAP-Message = 0x11737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa39b2af784f708f948bb823a0e Finished request 3. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 19 with timestamp +7 Cleaning up request 1 ID 20 with timestamp +7 Cleaning up request 2 ID 21 with timestamp +7 Cleaning up request 3 ID 22 with timestamp +7 Ready to process requests.
Whoops, I thought I solved this but I didnt. I tried setting up eap-tls on a few different laptops each using windows xp to configure eap-tls (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting: josh Auth-Type := eap Auth-Type := Accept
Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate.
I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so windows xp complains about this.
That is the problem. Windows won't recongnize server certificate as intermediate ca any more. The "cure" is to try signing client certificates with ca certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening. Ivan Kalik Kalik Informatika ISP
I turned off "Verify Certificate Authority" in the windows XP eap-tls setup to see if that would help. It did not. Would this broken cert chain cause the issue I am having of authentication just stopping? As far as I can see, I've followed all instructions on making the certs, verifying the right oid's in each cert, and configuring FreeRadius?
Here is another radiusd debug just in case anyone can see anything else. I cannot see an error. I have turned debugging on for the windows xp wireless supplicant but really cannot see anything in there that points to a clear answer. I also tried a few laptops with different cards but also using windows xp as the wireless client. Same thing so I must be missing something.
thanks for any help
Here is the debug:
Ready to process requests. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=19, length=172 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02000009016a6f7368 Message-Authenticator = 0x0c726a7e3ac712cf547eebe096cf72c1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 0 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 19 to 172.17.10.108 port 1027 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa3982ff784f708f948bb823a0e Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=20, length=261 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100500d800000004616030100410100003d0301497f12c55aaab891840a5314f901341acd2d4dfb6cf3013dbeb9c284cbd7d28500001600040005000a000900640062000300060013001200630100 State = 0x982efaa3982ff784f708f948bb823a0e Message-Authenticator = 0xf4a495a1dc517a2ea1ce79f466520039 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0846], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 20 to 172.17.10.108 port 1027 EAP-Message = 0x010204000dc000000922160301002a020000260301497f12bc41a3134a837ab67e8bb4f9b211c20cc23b0e8820ff5d46ee000000000000040016030108460b00084200083f0003a4308203a030820288a003020102020101300d06092a864886f70d0101050500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e EAP-Message = 0x170d3039303132373034313133385a170d3239303132323034313133385a307c310b30090603550406130255533111300f060355040813084d6963686967616e310e300c060355040a130552454d4331312830260603550403131f52454d433120526164697573205365727665722043657274696669636174653120301e06092a864886f70d0109011611737570706f72744072656d63312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100df5db79ac92e13bb06dd2458db371fa0c22ebd220440aa0747e98a13d64027fa10720c69b224d607bfd2a7b2836c224cefca5113d0c56cf7d97d25703bb05f8b EAP-Message = 0xff12c9dfc2fd602271f2e9200e9c196d6e9018840e69c6c82a62e77d946ad60562c576c4b7206c8d2d378a7c84f99fb64dfa51a87021ccf234c76e91159c2dfbbeb1095cc81ea26d39dc0a078011b3c70bdd11f0800f8391737591b7bf005551bc4ba051cf7e83d2d883c946372059167cabb6514ab5068c7274662639825e37d705d415cb370df3aa1088e87d8c3bf7df5116dd61d589831dfe2e0d347ae15227c48900964d24fa574dab1166e4d5a100741f7cf4088e3e47ae88ae3793f7990203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101003730d65b9ae051938bdd36 EAP-Message = 0x33b834dd5cef73a38bf01b1e9dead12841c954d04cb564c884b4529af0faf9a71b46ac5f554fcbe64e9c5be604392e8fd0b5f62aab2fe7155e828bb06e456fc26c30a90b417cb6b6fa68eda56eb29653514ba78c0f0852a7c17ade33eb38f9edf423f9d1fc72bba6549c3c4bf20bec437fcdca0d16a8f4e4bab8c8f82eddd48878165d383ea8291d4f0e922cdd4871ea92f72340e930efc3bb6ab917bccd92c95ec69575bde85e5bbd3e3c52285345881f4e758074df363d49dc044abd145ebc070aeec28dfb36341146c52a152bbd80a8833599c35caa44ed4c38ea2e6fecbadb59d0f487777f7d0bcec13bbb19bb93492b99e1c70004953082049130 EAP-Message = 0x820379a00302010202010030 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa3992cf784f708f948bb823a0e Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=21, length=187 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0x982efaa3992cf784f708f948bb823a0e Message-Authenticator = 0xd58793dae3bbbbf94990f6f834b36edc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 21 to 172.17.10.108 port 1027 EAP-Message = 0x010304000dc0000009220d06092a864886f70d0101040500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e170d3039303132373034313131325a170d3239303132323034313131325a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e EAP-Message = 0x636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b49dd90b47ecf8f3f0cd3c5c925e8891da336543215709231a08521a69e856b5e1a5061417fc7b859738da4d81033c6b6149535830a03c2b4554a71d67c5e0694ad03f0708c818ebcb596cce15740a0053a7e41b24551c63efeb928664aadb3cbce4ada1867ef56926909bf1c5914b0463f681a8ce59283ba5 EAP-Message = 0x2316add0dfd36901ec2b2da655be187efe786c36cd9c9a09a51a065333dff65e991e3b88bd826f9f07b5c7bf0366dfaf1fd44870e4c8df99a987dab4d955c104ea5fb3a0dedaed2e758a75508b4a5bb88f06c9f80c5d4633057f6624247230a9ff3bf64adc9853f366f9d7c487825be1b0b5137b85a8ee4b07af87b6cfb8341fe5ff4b7780677d0203010001a381f13081ee301d0603551d0e04160414b0af659819810e066c1fae3a2f9a9fc3377af5693081be0603551d230481b63081b38014b0af659819810e066c1fae3a2f9a9fc3377af569a18197a48194308191310b30090603550406130255533111300f060355040813084d696368696761 EAP-Message = 0x6e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101007cac0b9cc3c3cb9405ff81979b7d8d746e09761c5f85ca3d313e8c2fe2faa361556fb274dc24f45e7573f78fe061582266430cc381196b92e326f2cf5ba7625549f2a9708e8150129eca8e033ecce9acdf069eb1615a3088039cd0dda72e7d73e7f5bd60a8a5 EAP-Message = 0xcbdf5f73170cd3ed1a52364e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa39a2df784f708f948bb823a0e Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=22, length=187 User-Name = "josh" NAS-IP-Address = 172.17.10.108 NAS-Identifier = "00:1f:41:3a:82:f9" NAS-Port = 2 Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1" Calling-Station-Id = "00-16-B6-5C-AC-DD" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0x982efaa39a2df784f708f948bb823a0e Message-Authenticator = 0x59fdc45f3eb465063f8b3b802a875cec +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "josh", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [ntdomain] No '\' in User-Name = "josh", looking up realm NULL [ntdomain] No such realm "NULL" ++[ntdomain] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 22 to 172.17.10.108 port 1027 EAP-Message = 0x010401400d8000000922101bd464323e493c6bc2a2d48f905e1afede5f663de695fede560cd70864dca08c7078aec5299f07dcf4fb24c0274678071ce5a15b8e28b322b12b665ed600b782c6eefc624e851ac89390f929f19a7e26d494e730702c031e47e5f7dca498859b2c634abc1807eedcff4a5be51fed6c56c2ffb2db730e219cdc535d563752f23011f00d8bbb819fbb1e4a3cd14d16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d01090116 EAP-Message = 0x11737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x982efaa39b2af784f708f948bb823a0e Finished request 3. Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 19 with timestamp +7 Cleaning up request 1 ID 20 with timestamp +7 Cleaning up request 2 ID 21 with timestamp +7 Cleaning up request 3 ID 22 with timestamp +7 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
tnt@kalik.net wrote:
Whoops, I thought I solved this but I didnt. I tried setting up eap-tls on a few different laptops each using windows xp to configure eap-tls (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting: josh Auth-Type := eap Auth-Type := Accept
Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate.
I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so windows xp complains about this.
That is the problem. Windows won't recongnize server certificate as intermediate ca any more. The "cure" is to try signing client certificates with ca certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening.
Ivan Kalik Kalik Informatika ISP
I did find the Makefile. Thanks! I tried to do a make caclient.pem but it threw this error: openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf Generating a 2048 bit RSA private key ...........+++ .......+++ writing new private key to 'caclient.key' ----- openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf wrong number of fields on line 1 (looking for field 6, got 1, '' left) make: *** [caclient.crt] Error 1 I dont need to re-do my CA and server cert prior to making the client certs do I? Here is my client.cnf. Its almost as if it doesnt understand that it needs to take the values from [ CA_default ] [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 7300 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match localityName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = client default_bits = 2048 input_password = <hidden> output_password = <hidden> [client] countryName = US stateOrProvinceName = Michigan localityName = Hancock organizationName = REMC1 emailAddress = support@remc1.net
Josh Hiner wrote:
tnt@kalik.net wrote:
Whoops, I thought I solved this but I didnt. I tried setting up eap-tls on a few different laptops each using windows xp to configure eap-tls (not the wireless card client). I get the same results there. I have nothing in my /etc/raddb/users file. I tried putting: josh Auth-Type := eap Auth-Type := Accept
Don't do that. Don't force Auth-Type. It's not going to help and it will break everything else.
On the XP client I also notice that even though I have the Certificate Authority installed, the client certificate reports: Windows does not have enough information to verify this certificate.
I figured that the certificate chain was broken. As a test, I imported the server certificate and stuck it in the Trusted root authorities section. This completed the chain (since the client cert was signed off the server cert which is what the make client does in /etc/raddb/certs). But, of course, the server cert is not meant to be a cert authority so windows xp complains about this.
That is the problem. Windows won't recongnize server certificate as intermediate ca any more. The "cure" is to try signing client certificates with ca certificate instead. I have posted to the list an altered Makefile with make caclient.pem command added a few days ago. If you can't find it I will post another one this evening.
Ivan Kalik Kalik Informatika ISP
I did find the Makefile. Thanks! I tried to do a make caclient.pem but it threw this error:
openssl req -new -out caclient.csr -keyout caclient.key -config ./client.cnf Generating a 2048 bit RSA private key ...........+++ .......+++ writing new private key to 'caclient.key' ----- openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf wrong number of fields on line 1 (looking for field 6, got 1, '' left) make: *** [caclient.crt] Error 1
I dont need to re-do my CA and server cert prior to making the client certs do I? Ha, never mind. My index.txt file was messed up. -josh
I did find the Makefile. Thanks! I tried to do a make caclient.pem but it threw this error:
openssl req -new -out caclient.csr -keyout caclient.key -config ../client.cnf Generating a 2048 bit RSA private key ............+++ ........+++ writing new private key to 'caclient.key' ----- openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out caclient.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf Using configuration from ./client.cnf wrong number of fields on line 1 (looking for field 6, got 1, '' left) make: *** [caclient.crt] Error 1
I dont need to re-do my CA and server cert prior to making the client certs do I?
Here is my client.cnf. Its almost as if it doesnt understand that it needs to take the values from [ CA_default ]
[ ca ] default_ca = CA_default
[ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 7300 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match
[ policy_match ] countryName = match stateOrProvinceName = match organizationName = match localityName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
[ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
[ req ] prompt = no distinguished_name = client default_bits = 2048 input_password = <hidden> output_password = <hidden>
[client] countryName = US stateOrProvinceName = Michigan localityName = Hancock organizationName = REMC1 emailAddress = support@remc1.net
I'll check again. You cant make both client and caclient certificates for the same user (you have to revoke one in order to make the other). You don't need new CA and server certificates. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Josh Hiner -
tnt@kalik.net