EAP-TLS can't get connected..etc.
Hi Everyone, I am newbie to linux and recently I try to implement wireless connnection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4. Here I encounter problems that I can't solve it alone hence I need advice guru from this forum. the problem is client just can't get connected and keep request.
/usr/src/sbin/radiusd -XA Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. ...... rad_recv: Access-Request packet from host 192.168.0.206:1025, id=15, length=249 User-Name = "mars1.marsindo.com" NAS-IP-Address = 0.0.0.0 Framed-MTU = 1488 Called-Station-Id = "00:30:1a:29:03:66" Calling-Station-Id = "00:1c:f0:10:56:b8" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "127.0.0.1" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x67f83a14e00c0fa21121d8a0b508daa7 EAP-Message = 0x020200500d800000004616030100410100003d030148231c14867403f94c4d0185bb9c07d8f12ad07bf1980b9c9266979afcf15cc500001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xc493a17418b8010257a94b90bff667f1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "mars1.marsindo.com", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 156 modcall[authorize]: module "files" returns ok for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 15 to 192.168.0.206 port 1025 EAP-Message = 0x0103040a0dc00000079e160301004a02000046030148231c071178ca610d87b2928af55e7d91fd04ad8097a06a065fa5ec7379be762023997cd4b544591192d007f351bdddb0fe229f9332e060b87c101f2b55e80cb000040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365 EAP-Message = 0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003 EAP-Message = 0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09 EAP-Message = 0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x59eb1d02dc1f6083321bcfbecf7ff5f6 Finished request 5 Going to the next request Waking up in 6 seconds...
Testing
radtest MarsindoNet testing123-1 localhost 0 testing123 the result is accept-accept..ok will no problem
Here I post the CA.certs execution result as I suppect that the errors might be due to certificate error. When I run ./CA.certs and I got a few errors. ################## create CA use just created 'newreq.pem' private key as filename CA.pl -newca ################## ################## exporting ROOT CA CA.pl -newreq CA.pl -signreq openssl pkcs12 -export -in demoCA/cacert.pem -inkey newreq.pem -out root.pem openssl pkcs12 -in root.cer -out root.pem ################## Error opening input file demoCA/cacert.pem demoCA/cacert.pem: No such file or directory Error opening input file root.p12 root.p12: No such file or directory Error opening Certificate root.pem 3937:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('root.pem','r') 3937:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261: unable to load certificate ################## creating client certificate name : name-clt client certificate stored as cert-clt.pem CA.pl -newreq CA.pl -signreq ################## Generating a 1024 bit RSA private key .......++++++ ..................................................++++++ writing new private key to 'newreq.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) []:State or Province Name (full name) [Kepri]:Locality Name (eg, city) []:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []: Please enter the following 'extra' attributes to be sent with your certificate request Using configuration from /usr/share/ssl/openssl.cnf Error opening CA private key ./demoCA/private/cakey.pem 3941:error:02001002:system library:fopen:No such file or directory:bss_file.c:259:fopen('./demoCA/private/cakey.pem','r') 3941:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:261: unable to load CA private key Failed to do sign certificate I'll be appreciated if anyone could help me solve such problem. Thanks in advance. ____________________________________________________________________________________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
Kwok Sianbin wrote:
I am newbie to linux and recently I try to implement wireless connnection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4.
You should really use 2.0.4.
Here I encounter problems that I can't solve it alone hence I need advice guru from this forum. the problem is client just can't get connected and keep request.
... Sending Access-Challenge of id 15 to 192.168.0.206 port 1025 ... Going to the next request Waking up in 6 seconds...
This is in the FAQ. It's also documented in the "eap.conf" file in 2.0.4.
Here I post the CA.certs execution result as I suppect that the errors might be due to certificate error. When I run ./CA.certs and I got a few errors.
2.0.4 also contains new scripts for certificate creation. They're MUCH better than what's in 1.1.7. Alan DeKok.
Hi, I've installed FreeRadius-2.0.4 and run fine. Here a few thing I had editted. Clients.conf client 192.168.0.0/24 { secret = testing123-1 shortname = private-network-1 } eap { default_eap_type = tls } .... tls { fragment_size =1024 include_lenght = yes } users MarsindNet Cleartext_Password := "hello" Reply-Message = "Hello, %{User-Name}" Now..I want to test connecting with Windows XP but I could not find root.der or cert-clt.p12 like previous version has. What files should I copy and install into Windows XP as client certificate? Thanks in advance. Alan DeKok <aland@deployingradius.com> wrote: Kwok Sianbin wrote:
I am newbie to linux and recently I try to implement wireless connnection with EAP-TLS encryption. I am using Freeradius-1.1.7 installed into Red Hat Enterprise 4.
You should really use 2.0.4.
Here I encounter problems that I can't solve it alone hence I need advice guru from this forum. the problem is client just can't get connected and keep request.
... Sending Access-Challenge of id 15 to 192.168.0.206 port 1025 ... Going to the next request Waking up in 6 seconds...
This is in the FAQ. It's also documented in the "eap.conf" file in 2.0.4.
Here I post the CA.certs execution result as I suppect that the errors might be due to certificate error. When I run ./CA.certs and I got a few errors.
2.0.4 also contains new scripts for certificate creation. They're MUCH better than what's in 1.1.7. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I've installed FreeRadius-2.0.4 and run fine. Here a few thing I had editted.
Clients.conf client 192.168.0.0/24 { secret = testing123-1 shortname = private-network-1 }
eap { default_eap_type = tls } ....
tls { fragment_size =1024 include_lenght = yes }
users MarsindNet Cleartext_Password := "hello" Reply-Message = "Hello, %{User-Name}"
Now..I want to test connecting with Windows XP but I could not find root.der or cert-clt.p12 like previous version has.
when you installed FR 2.0.x, if you did not supply your own certs, then the first thing it would have done upon running is create its own new ones. they'll be in $RADDB/certs - see the documentation for the files to use. if you DID let FR generate them, they'll be snakeoil dummy certs that only last 30 days. so you'll need to read the Makefile in the certs directory edit client.cnf and server.cnf appopriately and remake them(!) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Kwok Sianbin