I am using EAP for authenticating WiFi Clients with Certificate on their machines. However RADIUS won't authenticate. Any help is appreciated. Thanks. Rad_recv: Access-Request packet from host 10.238.250.50 port 1645, id=56, length=210 User-Name = "host/Loaner751.darden.com" Framed-MTU = 1400 Called-Station-Id = "0019.aaab.5af5" Calling-Station-Id = "100b.a988.b5a0" Cisco-AVPair = "ssid=DRI_test" WISPr-Location-Name = "4441-NC-AP1" Service-Type = Login-User Message-Authenticator = 0x0e316ee8b533416251694ad185583409 EAP-Message = 0x0202001e01686f73742f4c6f616e65723735312e64617264656e2e636f6d NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "102" NAS-Port = 102 NAS-IP-Address = 10.238.250.50 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/Loaner751.darden.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 30 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group eap { [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] = handled +} # group eap = handled Sending Access-Challenge of id 56 to 10.238.250.50 port 1645 EAP-Message = 0x010300160410bfd16c1dfa600bd36fa2eb08ba9b5618 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcc8a4efdcc894a61cff43991e0926e2a Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.238.250.50 port 1645, id=57, length=204 User-Name = "host/Loaner751.darden.com" Framed-MTU = 1400 Called-Station-Id = "0019.aaab.5af5" Calling-Station-Id = "100b.a988.b5a0" Cisco-AVPair = "ssid=DRI_test" WISPr-Location-Name = "4441-NC-AP1" Service-Type = Login-User Message-Authenticator = 0x54d5aec97fd76f4282e2eac636980031 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "102" NAS-Port = 102 State = 0xcc8a4efdcc894a61cff43991e0926e2a NAS-IP-Address = 10.238.250.50 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/Loaner751.darden.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group eap { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group eap = handled Sending Access-Challenge of id 57 to 10.238.250.50 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcc8a4efdcd8e5761cff43991e0926e2a Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.238.250.50 port 1645, id=58, length=303 User-Name = "host/Loaner751.darden.com" Framed-MTU = 1400 Called-Station-Id = "0019.aaab.5af5" Calling-Station-Id = "100b.a988.b5a0" Cisco-AVPair = "ssid=DRI_test" WISPr-Location-Name = "4441-NC-AP1" Service-Type = Login-User Message-Authenticator = 0x9b2daf305bb49a270834f943e0206af9 EAP-Message = 0x0204006919800000005f160301005a01000056030155de2777bb843e994ac509c2e8cbb6b78411ee24c71e69bbc547a17566e65bc9000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 NAS-Port-Type = Wireless-802.11 Cisco-NAS-Port = "102" NAS-Port = 102 State = 0xcc8a4efdcd8e5761cff43991e0926e2a NAS-IP-Address = 10.238.250.50 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/Loaner751.darden.com", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 105 Eventually I get: Cleaning up request 6 ID 62 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xcc8a4efdca835761 did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! rad_recv: Access-Request packet from host 10.238.250.50 port 1645, id=62, length=204 This e-mail message is for the sole use of the intended recipient and may contain information that is confidential, proprietary or privileged. Any unauthorized review, use, distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, please notify sender of the delivery error by replying to this message and then delete it from your system. Receipt by anyone other than the intended recipient is not a waiver of confidentiality or privilege.
On Aug 26, 2015, at 5:02 PM, Syed Rais Ahmad NON DRI <SAhmad@darden.com> wrote:
I am using EAP for authenticating WiFi Clients with Certificate on their machines. However RADIUS won't authenticate. Any help is appreciated. ... Eventually I get:
Cleaning up request 6 ID 62 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xcc8a4efdca835761 did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
What part of that message is unclear? Alan DeKok.
I have installed the certs all in PEM format. Still I get.... [suffix] No such realm "darden.com" ++[suffix] = noop [eap] EAP packet type response id 11 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group eap { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 0d64], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. Any help is appreciated. Thanks. -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+sahmad=darden.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, August 26, 2015 8:47 PM To: FreeRadius users mailing list Subject: Re: EAP Not Authenticating On Aug 26, 2015, at 5:02 PM, Syed Rais Ahmad NON DRI <SAhmad@darden.com> wrote:
I am using EAP for authenticating WiFi Clients with Certificate on their machines. However RADIUS won't authenticate. Any help is appreciated. ... Eventually I get:
Cleaning up request 6 ID 62 with timestamp +12 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xcc8a4efdca835761 did not finish! WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
What part of that message is unclear? Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html This e-mail message is for the sole use of the intended recipient and may contain information that is confidential, proprietary or privileged. Any unauthorized review, use, distribution, copying or disclosure is strictly prohibited. If you are not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, please notify sender of the delivery error by replying to this message and then delete it from your system. Receipt by anyone other than the intended recipient is not a waiver of confidentiality or privilege.
On Aug 31, 2015, at 11:34 AM, Syed Rais Ahmad NON DRI <SAhmad@darden.com> wrote:
I have installed the certs all in PEM format. Still I get.... ... [tls] <<< TLS 1.0 Handshake [length 0d64], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails.
The client has sent a message saying it doesn't know the CA which signed the servers certificate. Install the CA on the client. Alan DeKok/
participants (2)
-
Alan DeKok -
Syed Rais Ahmad NON DRI