I have a problem authenticating with Cisco Aironet 1200 access point. I have valid certificates on my laptop and on Freeradius. This is the output on AP: Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason: Sending station has left the BSS Interface Dot11Radio0, Station NBD7FB3G3J 001e.4c8c.8406 Associated KEY_MGMT[NONE] 3 Interface Dot11Radio0, Deauthenticating Station 001e.4c8c.8406 Reason: Previous authentication no longer valid This is what I get on freeradius: [root@radius ~]# radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "root" main: group = "root" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "freeradius" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests.rad_recv: Access-Request packet from host 192.168.177.121:1645, id=23, length=149 rad_recv: Access-Request packet from host 192.168.177.121:1645, id=24, length=256 User-Name = "radius.rc.internal" Framed-MTU = 1400 Called-Station-Id = "000f.9093.b5c0" Calling-Station-Id = "001e.4c8c.8406" Service-Type = Login-User Message-Authenticator = 0x6fe0a230a00d77e3336c69daf8d5f435 EAP-Message = 0x020300700d800000006616030100610100005d030148f73a1b8c1dcc0750843f75c1f268c7dc1c034d6fb2487d406bcffe5d6cf4d600003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100 NAS-Port-Type = Wireless-802.11 NAS-Port = 261 State = 0x4f843413ae6144aacc887d596ec6161b NAS-IP-Address = 192.168.177.121 NAS-Identifier = "AP" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "radius.rc.internal", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 112 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 159 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a5], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 24 to 192.168.177.121 port 1645 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "4091" EAP-Message = 0x0104040a0dc000000864160301004a02000046030148f73ae365e1f568fdc304f234482bb240a3a4c83815c22e71f46149d04fc67620cced767dfe705a0f1ff39a336f762a5982fbf84203e198293e429822cd1999b600390016030106540b00065000064d0002a7308202a33082020ca003020102020101300d06092a864886f70d0101050500308191310b300906035504061302706b311530130603550408130c70616b68746f6f6e6b687761311330110603550407130a6162626f747461626164310f300d060355040a0c06c29e63696974311b3019060355040313127261646975732e72632e696e7465726e616c3128302606092a864886f70d EAP-Message = 0x0109011619726e644070656163652e6e6f7440636969742e6e65742e706b301e170d3038303830343036333034365a170d3039303830343036333034365a308183310b300906035504061302706b311530130603550408130c70616b68746f6f6e6b687761311330110603550407130a6162626f747461626164310d300b060355040a130463696974311b3019060355040313127261646975732e72632e696e7465726e616c311c301a06092a864886f70d010901160d726e644070656163652e6e6f7430819f300d06092a864886f70d010101050003818d0030818902818100c5a299bdab568d9d2cd1d6e53c6af5e2baeec9ffb8c9b29a5031f256 EAP-Message = 0x37c92cc0751ee4787911dbdf4ec0e41c722f80c246da7276928b20cc8a803ee1ef33cf4debdf3bbf831d5f50d022362bfea7894c1099b5302255df7d8be28a1c3c540b6f97e6059a2ac5de07343358214d6b64c20f6bfd3d56324e1a2c9c372ecc4b0df70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810013677557b079795d7bd6a10067bcb55a9ccb70ed11143aaed9e7678b0282ac72b05414c42b264b28d23b161758a4bdfab4456459fd5ff8c471be519168062a792e17e274140b9c0860d07e83aa7b2835365172967507debaffed053dd297138db5d8ec5d335655c9 EAP-Message = 0xdbff6196ad607f4b8af88bba741f77227c5b389b902bcd720003a03082039c30820305a003020102020900d0b963753ebde4ab300d06092a864886f70d0101050500308191310b300906035504061302706b311530130603550408130c70616b68746f6f6e6b687761311330110603550407130a6162626f747461626164310f300d060355040a0c06c29e63696974311b3019060355040313127261646975732e72632e696e7465726e616c3128302606092a864886f70d0109011619726e644070656163652e6e6f7440636969742e6e65742e706b301e170d3038303830313037303635325a170d3138303733303037303635325a308191310b3009 EAP-Message = 0x06035504061302706b311530130603550408130c7061 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5dbbf6bd35b4c1f6c4bd34a2cd101387 Finished request 1 Going to the next request Waking up in 6 seconds...
Tomislav Goluza wrote:
I have a problem authenticating with Cisco Aironet 1200 access point. I have valid certificates on my laptop and on Freeradius.
Are you sure?
This is the output on AP:
Which is irrelevant.
This is what I get on freeradius: ... Sending Access-Challenge of id 24 to 192.168.177.121 port 1645 ... Finished request 1 Going to the next request Waking up in 6 seconds...
This is in the FAQ && in the comments in eap.conf. Please read them. If you think you have the right certificates, check again. Windows is telling you that you DO NOT have the right certificates. Alan DeKok.
participants (2)
-
Alan DeKok -
Tomislav Goluza