Hi again, I am trying to configure FreeRadius to require a Certificate AND a username/password to accept a User. My clients are Macs (10.4.11). I want TTLS to require a certificate so I've set: EAP-TLS-Require-Client-Cert := Yes in the control items of the request. If I configure the client to do TLS only, it works fine. See -X log at: http://www.beutelfrosch.de/ReqTLS.txt So the certs seem OK to me. If I configure the client to do TTLS only (after disabling the "EAP-TLS-Require-Client-Cert" control item), it works fine. See -X log at: http://www.beutelfrosch.de/TTLS.txt So the user/password-part seems OK to me. Now I set the client to do TLS (for the cert) and TTLS (for the password). What I get is the log below. The Client does'nt send the certificate. My wild speculation, which is a pure guess of a newbie: Is the Client in some sort of "TTLS-Mode", where he can't send a client-certificate, because Sending Access-Challenge of id 183 to 192.168.1.24 port 1104 EAP-Message = 0x011000061520 tells him to do TTLS (Type 0x15)? And how do I tell the server, that a valid certificate is not enough to get in? In the first log-file, you see that the client can disable ttls and still is accepted. Thank you very much for any hint. Regards Wolfgang Burger FreeRADIUS Version 2.0.2, for host powerpc-apple-darwin8.11.0, built on Feb 14 2008 at 15:25:18 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file //etc/raddb/radiusd.conf including configuration file //etc/raddb/proxy.conf including configuration file //etc/raddb/clients.conf including configuration file //etc/raddb/snmp.conf including configuration file //etc/raddb/eap.conf including configuration file //etc/raddb/sql.conf including configuration file //etc/raddb/sql/mysql/dialup.conf including configuration file //etc/raddb/sql/mysql/counter.conf including configuration file //etc/raddb/policy.conf including files in directory //etc/raddb/sites-enabled/ including configuration file //etc/raddb/sites-enabled/default including dictionary file //etc/raddb/dictionary main { prefix = "/" localstatedir = "//var" logdir = "//var/log/radius" libdir = "//lib" radacctdir = "//var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "//var/run/radiusd/radiusd.pid" checkrad = "//sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client 192.168.1.24 { require_message_authenticator = no secret = "testing123" shortname = "netgear1" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no use_open_directory = yes } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "//var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "//etc/raddb/mpiibcerts/Mac339.pem" certificate_file = "//etc/raddb/mpiibcerts/Mac339.pem" CA_file = "//etc/raddb/mpiibcerts/root.pem" private_key_password = "password" dh_file = "//etc/raddb/mpiibcerts/dh" random_file = "//etc/raddb/mpiibcerts/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "//etc/raddb/mpiibcerts/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = no } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "//etc/raddb/huntgroups" hints = "//etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Instantiating eapguest eap eapguest { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "//etc/raddb/mpiibcerts/Mac339.pem" certificate_file = "//etc/raddb/mpiibcerts/Mac339.pem" CA_file = "//etc/raddb/mpiibcerts/root.pem" private_key_password = "password" dh_file = "//etc/raddb/mpiibcerts/dh" random_file = "//etc/raddb/mpiibcerts/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "//etc/raddb/mpiibcerts/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = no } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to module rlm_passwd Module: Instantiating guestlist passwd guestlist { filename = "/etc/raddb/guestlist" format = "*User-Name:Cleartext-Password" delimiter = ":" ignorenislike = yes ignoreempty = yes allowmultiplekeys = no hashsize = 100 } rlm_passwd: nfields: 2 keyfield 0(User-Name) listable: no Module: Instantiating eapuser eap eapuser { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "//etc/raddb/mpiibcerts/Mac339.pem" certificate_file = "//etc/raddb/mpiibcerts/Mac339.pem" CA_file = "//etc/raddb/mpiibcerts/root.pem" private_key_password = "password" dh_file = "//etc/raddb/mpiibcerts/DH" random_file = "//etc/raddb/mpiibcerts/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = no } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "//etc/raddb/users" acctusersfile = "//etc/raddb/acct_users" preproxy_usersfile = "//etc/raddb/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "//var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "//var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "//etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "//etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.24 port 1106, id=216, length=170 Message-Authenticator = 0x913ef4c34c0f80839a70351ae8eb6834 Service-Type = Framed-User User-Name = "testuser" Framed-MTU = 1488 Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0205000a01776f6c6c65 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++? if (Called-Station-ID =~ /:Test-G$/) ? Evaluating (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-U$/) ? Evaluating (Called-Station-ID =~ /:Test-U$/) -> TRUE ++? if (Called-Station-ID =~ /:Test-U$/) -> TRUE ++- entering if (Called-Station-ID =~ /:Test-U$/) rlm_eap: EAP packet type response id 5 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation +++[eapuser] returns updated rlm_passwd: Added Cleartext-Password: 'testpass' to config_items +++[guestlist] returns ok ++- if (Called-Station-ID =~ /:Test-U$/) returns updated ++[unix] returns notfound expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 216 to 192.168.1.24 port 1106 EAP-Message = 0x010600061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f2598221f238d94c802e19d0ec60b5d Finished request 0. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.24 port 1106, id=217, length=296 Message-Authenticator = 0x460a3c952cafdd2107e36a413f3ad6c1 Service-Type = Framed-User User-Name = "testuser" Framed-MTU = 1488 State = 0x1f2598221f238d94c802e19d0ec60b5d Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x0206007615800000006c160301006701000063030147ceb8eb288253896e35e7a251c8 da7950171d5d832eb698dbd5db48ab4b2c5600003c002f000500040035000aff830009ff 82000300080006ff8000320033003400380039003a001600150014001300120011001800 1b001a0017001900010100 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++? if (Called-Station-ID =~ /:Test-G$/) ? Evaluating (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-U$/) ? Evaluating (Called-Station-ID =~ /:Test-U$/) -> TRUE ++? if (Called-Station-ID =~ /:Test-U$/) -> TRUE ++- entering if (Called-Station-ID =~ /:Test-U$/) rlm_eap: EAP packet type response id 6 length 118 rlm_eap: Continuing tunnel setup. +++[eapuser] returns ok ++- if (Called-Station-ID =~ /:Test-U$/) returns ok ++[unix] returns notfound expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 108 rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0719], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c6], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 217 to 192.168.1.24 port 1106 EAP-Message = 0x0107040015c000000838160301004a02000046030147ceb8ec1d13a000cfd0e9896d6e 83deb6fe0ce6ad96b9b2a30540e409bba1be202d747526607c2a6b447509e47e164e3d4f cc7af2378732f100e838063ff4374b002f0016030107190b000715000712000301308202 fd30820266a003020102020900de377817340de54b300d06092a864886f70d0101040500 3081b4310b3009060355040613024445311b301906035504081312426164656e2d577565 727474656d626572673111300f060355040713084672656962757267312d302b06035504 0a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f 6769 EAP-Message = 0x65310c300a060355040b13034544563111300f060355040313084d504949422d434131 25302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e 6465301e170d3038303330333135343134375a170d3039303330333135343134375a3081 b2310b3009060355040613024445311b301906035504081312426164656e2d5775657274 74656d626572673111300f060355040713084672656962757267312d302b060355040a13 244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c6f6769 65310c300a060355040b1303454456310f300d060355040313064d616333333931253023 0609 EAP-Message = 0x2a864886f70d010901161673797374656d40696d6d756e62696f2e6d70672e64653081 9f300d06092a864886f70d010101050003818d00308189028181009b0c3f1c54dda34fce 85f6abd123b8d9c93b1e6ce46e3a05fc4f64cf15e164717fa863e1a920f3b24ab9574af2 749b0b9b647bfe37b27c2a0ea0ec252865aeb0b9de8dab965ede3a528dd07543092d2cd0 6f6a00dafa726f70b3198c2ec381fab1077897dfdeb920a7399697d0f6b3ae2544f8a2a0 1eb00bdcfecf3d7536acdd0203010001a317301530130603551d25040c300a06082b0601 0505070301300d06092a864886f70d0101040500038181007428219fda7670c04068e341 0c2e EAP-Message = 0xf3e47e1c57e4f53b16c78038601f68de6bd9736e5500b3cc1a8f4bc4d27c16651b6ac9 a0186a76108cf36e62a5ce16a4ca311e4c97741f1dfe47f0c4867d8d217e8bf4b21ba07f 5a361039c00e3935ca18480788d4b8f38cb3c759bdc8c279cc17aedf9a364c0e8645f64e 371154cc20f5f700040b3082040730820370a003020102020900de377817340de54a300d 06092a864886f70d01010405003081b4310b3009060355040613024445311b3019060355 04081312426164656e2d577565727474656d626572673111300f06035504071308467265 6962757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420 662e EAP-Message = 0x20496d6d756e62696f6c6f67 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f2598221e228d94c802e19d0ec60b5d Finished request 1. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.24 port 1106, id=218, length=184 Message-Authenticator = 0xe53c465131756f24b24c53e007a46747 Service-Type = Framed-User User-Name = "testuser" Framed-MTU = 1488 State = 0x1f2598221e228d94c802e19d0ec60b5d Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020700061500 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++? if (Called-Station-ID =~ /:Test-G$/) ? Evaluating (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-U$/) ? Evaluating (Called-Station-ID =~ /:Test-U$/) -> TRUE ++? if (Called-Station-ID =~ /:Test-U$/) -> TRUE ++- entering if (Called-Station-ID =~ /:Test-U$/) rlm_eap: EAP packet type response id 7 length 6 rlm_eap: Continuing tunnel setup. +++[eapuser] returns ok ++- if (Called-Station-ID =~ /:Test-U$/) returns ok ++[unix] returns notfound expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 218 to 192.168.1.24 port 1106 EAP-Message = 0x0108040015c0000008386965310c300a060355040b13034544563111300f0603550403 13084d504949422d43413125302306092a864886f70d010901161673797374656d40696d 6d756e62696f2e6d70672e6465301e170d3038303330333135343131305a170d31383033 30313135343131305a3081b4310b3009060355040613024445311b301906035504081312 426164656e2d577565727474656d626572673111300f0603550407130846726569627572 67312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e2049 6d6d756e62696f6c6f676965310c300a060355040b13034544563111300f060355040313 084d EAP-Message = 0x504949422d43413125302306092a864886f70d010901161673797374656d40696d6d75 6e62696f2e6d70672e646530819f300d06092a864886f70d010101050003818d00308189 02818100d88f0fc2064b0964747d6e93a2e5e8210f29b03c4f59c3a17f20e3a014aa236e b2e7a0dd7b42ec38e46d60ffe5ba22780af5f96e7d777566b566917925d56d4921a6d610 d0900314fd5e4106d4310f333dc2cc03357da3e48fd05cb50f0a031c98a448cb39d1795b 5de9f5e4647ce2b97aefc10edc63c39249ef2a14daf7ca9d0203010001a382011d308201 19301d0603551d0e04160414f286c59fa1ed8050fe30064d247303a0472b143c3081e906 0355 EAP-Message = 0x1d230481e13081de8014f286c59fa1ed8050fe30064d247303a0472b143ca181baa481 b73081b4310b3009060355040613024445311b301906035504081312426164656e2d5775 65727474656d626572673111300f060355040713084672656962757267312d302b060355 040a13244d61782d506c616e636b2d496e73746974757420662e20496d6d756e62696f6c 6f676965310c300a060355040b13034544563111300f060355040313084d504949422d43 413125302306092a864886f70d010901161673797374656d40696d6d756e62696f2e6d70 672e6465820900de377817340de54a300c0603551d13040530030101ff300d06092a8648 86f7 EAP-Message = 0x0d0101040500038181000d9c69e325f19a11f2f57ededc9a9d752a6bc9f3fd9b0ea58d 1fdac2a7eb51a3f67a39bcfa63df7f3a7052657365508be4d8e734caec7578e179cd80ae b49fc5d83f67039b3ad82c5dba6c6bc4b669be77ab8d69cc7b933fd58e08d888ef7be814 e6f0cbf1b179aa2a7e80c729c581f31881ad9498af35594060f4349a9bf5b216030100c6 0d0000be02010200b900b73081b4310b3009060355040613024445311b30190603550408 1312426164656e2d577565727474656d626572673111300f060355040713084672656962 757267312d302b060355040a13244d61782d506c616e636b2d496e73746974757420662e 2049 EAP-Message = 0x6d6d756e62696f6c6f676965 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f2598221d2d8d94c802e19d0ec60b5d Finished request 2. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.24 port 1106, id=219, length=184 Message-Authenticator = 0x10021b18c69f6674b4c22b5df88ac275 Service-Type = Framed-User User-Name = "testuser" Framed-MTU = 1488 State = 0x1f2598221d2d8d94c802e19d0ec60b5d Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020800061500 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++? if (Called-Station-ID =~ /:Test-G$/) ? Evaluating (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-U$/) ? Evaluating (Called-Station-ID =~ /:Test-U$/) -> TRUE ++? if (Called-Station-ID =~ /:Test-U$/) -> TRUE ++- entering if (Called-Station-ID =~ /:Test-U$/) rlm_eap: EAP packet type response id 8 length 6 rlm_eap: Continuing tunnel setup. +++[eapuser] returns ok ++- if (Called-Station-ID =~ /:Test-U$/) returns ok ++[unix] returns notfound expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 219 to 192.168.1.24 port 1106 EAP-Message = 0x01090056158000000838310c300a060355040b13034544563111300f06035504031308 4d504949422d43413125302306092a864886f70d010901161673797374656d40696d6d75 6e62696f2e6d70672e64650e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1f2598221c2c8d94c802e19d0ec60b5d Finished request 3. Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.24 port 1106, id=220, length=398 Message-Authenticator = 0xf8d34b0f029f66155f8d4f2342d049fe Service-Type = Framed-User User-Name = "testuser" Framed-MTU = 1488 State = 0x1f2598221c2c8d94c802e19d0ec60b5d Called-Station-Id = "00184DFCC7B8:Test-U" Calling-Station-Id = "0017F2ECCC75" NAS-Identifier = "netgear1" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 54Mbps 802.11g" EAP-Message = 0x020900dc1580000000d216030100070b00000300000016030100861000008200803dc4 432d3ec3d26bab634466e4e08d43679c147f48139ebfacf3e77cb047fd585c192d53abf9 f1594b0bfdf10aeecf2bbeab9544047b911c6b387ef0038e9302e544564e6212bce27dea 4d905da64183b2a29c73237eda2d28fcf455bfa83cb969c1be7beacf2acf77494d3721f8 54f66845c53b1f4dcd8dfd8cdb37f5c4acd41403010001011603010030b18484fd108ed5 68b015b74200fd01bcb52b3896be8abfbeb9301e7ef7bd1eb7d4ddc150b648697379fca4 441fff4429 NAS-IP-Address = 192.168.1.24 NAS-Port = 1 NAS-Port-Id = "STA port # 1" +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop ++? if (Called-Station-ID =~ /:Test-G$/) ? Evaluating (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-G$/) -> FALSE ++? if (Called-Station-ID =~ /:Test-U$/) ? Evaluating (Called-Station-ID =~ /:Test-U$/) -> TRUE ++? if (Called-Station-ID =~ /:Test-U$/) -> TRUE ++- entering if (Called-Station-ID =~ /:Test-U$/) rlm_eap: EAP packet type response id 9 length 220 rlm_eap: Continuing tunnel setup. +++[eapuser] returns ok ++- if (Called-Station-ID =~ /:Test-U$/) returns ok ++[unix] returns notfound expand: %{Called-Station-Id} -> 00184DFCC7B8:Test-U users: Matched entry DEFAULT at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS TLS Length 210 rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Login incorrect: [testuser/<via Auth-Type = EAP>] (from client netgear1 port 1 cli 0017F2ECCC75) Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 192.168.1.24 port 1106, id=220, length=398 Waiting to send Access-Reject to client netgear1 port 1106 - ID: 220 Sending delayed reject for request 4 Sending Access-Reject of id 220 to 192.168.1.24 port 1106 EAP-Message = 0x04090004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 216 with timestamp +13 Cleaning up request 1 ID 217 with timestamp +13 Cleaning up request 2 ID 218 with timestamp +13 Cleaning up request 3 ID 219 with timestamp +13 Waking up in 1.0 seconds. Cleaning up request 4 ID 220 with timestamp +13 Ready to process requests.
Wolfgang Burger wrote:
I am trying to configure FreeRadius to require a Certificate AND a username/password to accept a User. My clients are Macs (10.4.11).
I want TTLS to require a certificate so I've set: EAP-TLS-Require-Client-Cert := Yes in the control items of the request.
That should work, *if* the Mac client supports TTLS with a client certificate.
Now I set the client to do TLS (for the cert) and TTLS (for the password).
Can this even be done on a Mac?
What I get is the log below.
The Client does'nt send the certificate.
Well, that would mean that the client doesn't support sending a certificate for TTLS. I'm not surprised, this is a fairly rare requirement.
And how do I tell the server, that a valid certificate is not enough to get in? In the first log-file, you see that the client can disable ttls and still is accepted.
If you want to disable EAP-TLS, then do that: ... DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject ...
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
That's up to the client. If it doesn't give the server a certificate, there's not much more that it can do. Alan DeKok.
Am 05.03.2008 um 17:13 schrieb Alan DeKok:
Wolfgang Burger wrote:
I am trying to configure FreeRadius to require a Certificate AND a username/password to accept a User. My clients are Macs (10.4.11).
I want TTLS to require a certificate so I've set: EAP-TLS-Require-Client-Cert := Yes in the control items of the request.
That should work, *if* the Mac client supports TTLS with a client certificate.
Now I set the client to do TLS (for the cert) and TTLS (for the password).
Can this even be done on a Mac?
On the Mac, I create a profile. Then I can choose, wich protocols are included in this profile. So I enable TLS and configure it to use the valid certificate that is already installed. Then I enable TTLS also and configure it to use PAP as internal identification method.
Well, that would mean that the client doesn't support sending a certificate for TTLS. I'm not surprised, this is a fairly rare requirement.
Yes. It does`nt support sending a cert for TTLS. I thougt I it would figure out what to do (like FreeRadius does) because both protocols are enabled for this profile. TLS with the cert and TTLS with the password. My settings on the Mac look like: On Protocol [x] TLS [x] TTLS [ ] EAP-FAST [ ] PEAP [ ] LEAP [ ] MD5 My hope was, that this means: "Accept server communications for both". But now it looks more like "Do TLS or TTLS, whatever the server asks FIRST"
And how do I tell the server, that a valid certificate is not enough to get in? In the first log-file, you see that the client can disable ttls and still is accepted.
If you want to disable EAP-TLS, then do that:
... DEFAULT EAP-Type == EAP-TLS, Auth-Type := Reject ...
Thank you for that one.
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0007], Certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
That's up to the client. If it doesn't give the server a certificate, there's not much more that it can do.
OK. So I have to do some more experiments. Sigh. I have the server running to secure a WLAN. What I have now, is that the users can connect to one SSID, they got asked for a username and password and can connect with the default settings of the Mac (TTLS, PAP and passwd on the server). They get into a special low-security VLAN. Nice. What I'm triying to do is to have a second SSID. To connect you need a certificate. I can do that with TLS and it works. But the Mac still asks me for a username and password. I want to use this data. My favourite setup would be to proxy the username and password request to another RADIUS-server. That request should be the simplest RADIUS-Request that is possible. Just username and passowrd, without the EAP stuff, as the other server does'nt understand it anyway.
Alan DeKok
Thank you again for your help Regards Wolfgang Burger
Wolfgang Burger wrote:
So I enable TLS and configure it to use the valid certificate that is already installed. Then I enable TTLS also and configure it to use PAP as internal identification method.
That does NOT enable TTLS with client certificates.
What I'm triying to do is to have a second SSID. To connect you need a certificate. I can do that with TLS and it works. But the Mac still asks me for a username and password. I want to use this data.
I don't see how. Alan DeKok.
participants (2)
-
Alan DeKok -
Wolfgang Burger