RE: Generating a Microsoft compatible CSR for FreeRADIUS
Hi Jake, Have you tried enabling Tunnelled reply's on the freeradius server, believe it is in the eap.conf file? Not exactly sure of your config or what you are doing but some of the data in the debug looks like ciphertext, which indicates to me that something is not decrypting the packets or does not know that the information it is getting is encrypted. I was seeing similar stuff on a debug on a Cisco switch I was configuring for dynamic vlan switching with Radius, turned out I had to enable tunneled replies for PEAP, eap worked just fine. Brett Littrell Network Manager Milpitas Unified School District blittrell@musd.org Ph# (408)635-2600 X6086 Fax# (408)635-2632
On Friday, January 21, 2011 at 6:10 AM, in message <3A9815D880FBAF41A523B3A35AF3C3DF06B0D246@AVATAR.umhb.edu>, "Sallee, Stephen (Jake)" <Jake.Sallee@umhb.edu> wrote:
Has anyone gotten windows clients to work WITHOUT having to do any manual config on the clients? Is it even possible? Also, I have my shiny new publicly signed cert from comodo but my clients are still rejecting the connection ... i think the error is here: [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. But I don't know why i would be getting a read error, the certs that i installed have the same permissions as the test certs... here is the full debug, any help is appreciated: FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 2010 at 09:20:29 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/UMHB including configuration file /usr/local/etc/raddb/sites-available/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/Cru including configuration file /usr/local/etc/raddb/sites-available/default including configuration file /usr/local/etc/raddb/sites-enabled/default main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 25600 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover nostrip } realm LOCAL { } realm Cru { } realm Cru.umhb.edu { } realm umhb { } realm umhb.edu { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.2.1.75/32 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "PacketFence" } client 10.11.30.0/24 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "Sanderford" } client 10.11.60.0/24 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "Sanderford" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/Production/myserver.key" certificate_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.crt" CA_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.ca-bundle" private_key_password = "Burg3rk1ng!" dh_file = "/usr/local/etc/raddb/certs/Production/dh" random_file = "/usr/local/etc/raddb/certs/Production/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/Production/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /usr/local/etc/raddb/modules/perl perl { module = "/usr/local/etc/raddb/packetfence.pm" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server UMHB { # from file /usr/local/etc/raddb/sites-enabled/UMHB modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server Cru { # from file /usr/local/etc/raddb/sites-enabled/Cru modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. ====================================================== rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=226, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475 Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 24 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = C4-17-FE-33-C6-A7 rlm_perl: Added pair Called-Station-Id = 00-0F-7D-05-0E-81:UMHB Secure WiFi rlm_perl: Added pair Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801 rlm_perl: Added pair User-Name = host/Lappy.umhb.edu rlm_perl: Added pair EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475 rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/1Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.11.60.2 rlm_perl: Added pair NAS-Port = 129 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 226 to 10.11.60.2 port 32777 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9330d546872b9f993281128fc Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=227, length=315 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0202008019800000007616030100710100006d03014d39919676cd85f8dcfe3f2afef335ec7a98b2eb9095d964891b3484c06fc78e000018002f00350005000ac013c014c009c00a00320038001300040100002cff0100010000000013001100000e6c617070792e756d68622e656475000a0006000400170018000b00020100 State = 0x330f4dc9330d546872b9f993281128fc Message-Authenticator = 0x9165fc9281fe451bdcf9db8487dd8e79 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 118 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0071], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 227 to 10.11.60.2 port 32777 EAP-Message = 0x0103040019c000000b1c16030100310200002d03014d399195fd2d232a53dfee5dce680c057cfc54fe9686405232871c57112f6efa00002f000005ff010001001603010ad80b000ad4000ad10005cb308205c7308204afa003020102021012949e4e96f5c2b15c9a16c71c4cc811300d06092a864886f70d0101050500308189310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e63652053656375 EAP-Message = 0x726520536572766572204341301e170d3130303831393030303030305a170d3135303831393233353935395a3081db310b3009060355040613025553310e300c060355041113053736353133310b3009060355040813025458310f300d0603550407130642656c746f6e311e301c06035504091315554d48422053746174696f6e20426f782038303035311b30190603550409131239303020436f6c6c6567652053747265657431293027060355040a1320556e6976657273697479206f66204d6172792048617264696e2d4261796c6f723121301f060355040b1318506c6174696e756d53534c205347432057696c64636172643113301106035504 EAP-Message = 0x03140a2a2e756d68622e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100dc8dbc42609826a3a26f48356951f40c4bf97815080528e6445fc6f8e9dfe2d260b1f3202c3e418654e8da0499ea4830c6ef7e1a5525575f1f70e0fe795af97b3774896016f3d275f8e27478e8b49ac8e03122822a72df6c6d4c988ffd456672849e9b62bd1e62f5bf1d24228190e3ca3153391cdd8797a685faaa35446f2dc33d64c4dbd310200ead4d58b2c3de92cf086b1de8a16a8f005feb688574c9cafe87bf878a9d2427ab8f273e533016a63ba4f8addfd6c9f2211052ee9e96e58e3b5e5d9c106e17c47d83a8e0216bf7dc EAP-Message = 0xd1174db8f8a566c3448912b2dd88413518c160c52b92ee57d46bff425ddd7ae381ad9b66e9448c485322fcff4d13c25e7b0203010001a38201d5308201d1301f0603551d230418301680143fd5b5d0d64479504a17a39b8c4adcb8b022646b301d0603551d0e0416041414a0d258941febc0b7d8a8b40c94615afa260bd4300e0603551d0f0101ff0404030205a0300c0603551d130101ff0402300030340603551d25042d302b06082b0601050507030106082b06010505070302060a2b0601040182370a030306096086480186f842040130460603551d20043f303d303b060c2b06010401b2310102010304302b302906082b06010505070201161d EAP-Message = 0x68747470733a2f2f73656375 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9320c546872b9f993281128fc Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=228, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x330f4dc9320c546872b9f993281128fc Message-Authenticator = 0x735474693c2ad02c4b885b94ea32aad5 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 228 to 10.11.60.2 port 32777 EAP-Message = 0x010403fc194072652e636f6d6f646f2e636f6d2f435053304f0603551d1f044830463044a042a040863e687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e63726c30818006082b0601050507010104743072304a06082b06010505073002863e687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d301f0603551d1104183016820a2a2e756d68 EAP-Message = 0x622e6564758208756d68622e656475300d06092a864886f70d010105050003820101003fc66065745e65bd58ad5b11aff73555ce334a1fa9b4329d126e4cf335956d58485ed85ec47fff9d8abb5e903319ec7a53384059f3b7c7a23638a843d56e38bf98d0a2cb1c21fc9de26e2cbeb25c855dd196304b6772c3d80da0cce7c8f14f969c375b4f72e729d1422f86114ae73824a06269fb092c6644d0a12997f72071c234a6354b7cbccf4c4887eee1a79dc8f4ee70e32f2aa1a97e0b1c1e8f9d016bffd1f4f6e90a478a89224190d6626787c20285398e54a521ad2faa65b0cf6813b1aa8cfba7ab8c997f9139e01040dd4af899604318f5a2167ce53c EAP-Message = 0x937c7e72ae0becce9621763408bc6467b4bf05f59a3fd5752c181d52aff7d71026296804930b000500308204fc308203e4a00302010202101690c329b6780607511f05b0344846cb300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3130303431363030303030305a170d3230303533303130343833385a308189310b3009060355040613024742311b301906 EAP-Message = 0x03550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e6365205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e787dac077e4bb3afa6a24c88041acd21613153dfaf7f82a76dca82d3908ce484abe0f7df0debabb47d5bd2dd71bab0f2081230872b1c011950de6eaa987ffc76e1e4f6632ba53bc05aa1c2c0cef4d37476b100cdbc5a0987e58db37d6aee906bdd7a865f3 EAP-Message = 0x37b9c76dce77c726 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9310b546872b9f993281128fc Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=229, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x330f4dc9310b546872b9f993281128fc Message-Authenticator = 0x61212145984f95fcd4339ef828985296 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 229 to 10.11.60.2 port 32777 EAP-Message = 0x010503361900e0d7741fa69816bb0c6bc8be77d0ef58a729a0b9b8690536cbb2da58a30b75ad3d8b2282203e7086991cb94fcf77a4071a2363d1385684ecbf8fc54ef418969b1ae893ec8daf159c24f05a3be80fb9a85a01d3b21c60c99c5204dd92a7fe0cace2458d0361bc79e0772e87413c585fcbf5c577f258c84d28d09afaf37309246874bc204cd82cb0aae8d94e6df28c24d3935d910203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604143fd5b5d0d64479504a17a39b8c4adcb8b022646b300e0603551d0f0101ff04040302010630120603551d13 EAP-Message = 0x0101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274302506082b060105 EAP-Message = 0x050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d0101050500038201010013851f528018c953f7fe2e1aafccd90b3cc2d3858110f0288db9407e2c9e8fd636860a4c142dd69743924119374b969eeba930791295b3023657ed2bb91d981aa3180a3f9b398bcda149294c2ff9d0958cc84d95baa843cf33aa252a5a0eaa27c94e6bb1e6731fb37404c3f34ce2a8eb67b75db808051a569a542985f5294e803b95d07b53961156c102d3eab27fca8f9c704a148d5ab9166075d6cd271e16cd5b338e7940cf2848e7dc71164e749175b92a8cf170ac26dd04b940c285de1c9340d0cc6ec39baaef6065 EAP-Message = 0xdf6022f05aa57aa22fe47073ee3cd4262b6807c1207ae8985a3e7b9f028b62c085818060357ea51d0cd29cdf62450ddbfc37fbf5252216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9300a546872b9f993281128fc Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=230, length=525 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020501501980000001461603010106100001020100d39af533c76344574a1afcff8cf5711ac18414345e29b157f02d808735c6214f74e1701e2163b79beaf3e584d3b7b1d6ef308efd0d1f6ca4f9d64ebe55229852a91e97de906b67813e0bd504510f7d5f80a0b083349314274566ce4ff387c95b4c82fc18b5abfda9feb7f893fe9bebe3572dfa2f5c4fe71abc08d95b10c88d4634ea8bdb9e2e946ec4f165c99deeffdee5a075cab3c1390b71713a5b7f2b77c5c1b0aeef836bfeda5840941c675bd32d04bc7d09017b5763310b4adb16a43833559624612363ea18f63e5e654ad1b255fb2ced330453a06516aabbb6550e5a409286363cef5e7661 EAP-Message = 0x1163bb4e662da80dabf30e1455b1be69bd55c68de35bcb7d1403010001011603010030f378c58fc4f96e96bf4aba29aa08962242ce0e3007898a99849af855f11f5116f7ecea3850db2d6561b4599c404e627a State = 0x330f4dc9300a546872b9f993281128fc Message-Authenticator = 0x06d78d3c33e3d757129782abcb1d3133 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 230 to 10.11.60.2 port 32777 EAP-Message = 0x010600411900140301000101160301003005369ff6b06a4224824062f6fcfe0092357c4da2fd59baab8c1c5b071e939e71e83b578bd081ee5fa8d3ac3566b8a1bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc93709546872b9f993281128fc Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=231, length=234 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0206002f198000000025150301002071521862587c6d52360e98091cd5d99f81ea6febe82fd2a7401f8b1970c3cf65 State = 0x330f4dc93709546872b9f993281128fc Message-Authenticator = 0xe0cebdb5cdcd98a378bd88f15213b843 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 47 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/Lappy.umhb.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 231 to 10.11.60.2 port 32777 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 226 with timestamp +18 Cleaning up request 1 ID 227 with timestamp +18 Cleaning up request 2 ID 228 with timestamp +18 Cleaning up request 3 ID 229 with timestamp +18 Cleaning up request 4 ID 230 with timestamp +18 Waking up in 1.0 seconds. Cleaning up request 5 ID 231 with timestamp +18 Ready to process requests. Jake Sallee Godfather of Bandwidth Network Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________ From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] on behalf of Peter Lambrechtsen [plambrechtsen@gmail.com] Sent: Friday, January 21, 2011 7:11 AM To: FreeRadius users mailing list Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk>> wrote:
2) Issuing client certs isn't that difficult.? with windows vista/7, installing a cert is a simple double-click operation, so if they have a usb flash, you can use linux to zip a copy of their private key and a .doc with instructions (including screenies!) on configuring their OS in a matter of seconds, all they have to do is stop by IT to request a key once, and it's good for as long as you honour it.
if dealing with client keys - most of the times its just PEAP with user/pass and its the CA thats an issue. even then there are ways of doing this quite easily... eg https://su1x.sf.net I also quite like using the root certificates tool which happily imports certificates into the root certificate store in windows. Go to here: http://support.microsoft.com/kb/931125 Download the "rootsupd.exe<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe>" from there and expand it with winzip or winrar. Then convert your DER file into a P7B using OpenSSL: openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der -out internalca.p7b Then use "updroots.exe" included in the exe to import the certificate into your local certificate chain: updroots -l internalca.p7b And you're done You can even use "iexpress" if you're running windows XP to re-package everything back into a self extracting exe. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
@ Brett I do have tunneled replies enabled, I was able to find the cause of the TLS Error, I was using the wrong cert : ( typo on my part. However after MUCH searching and calling of the experts, I am abandoning the public cert route because it is apparently impossible to have the windows clients auto configure without purchasing extra software, I will leave my true thoughts about this unspoken. @ all Thanks for all the assistance. Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] On Behalf Of Brett Littrell Sent: Friday, January 21, 2011 3:01 PM To: FreeRadius users mailing list Subject: RE: Generating a Microsoft compatible CSR for FreeRADIUS Hi Jake, Have you tried enabling Tunnelled reply's on the freeradius server, believe it is in the eap.conf file? Not exactly sure of your config or what you are doing but some of the data in the debug looks like ciphertext, which indicates to me that something is not decrypting the packets or does not know that the information it is getting is encrypted. I was seeing similar stuff on a debug on a Cisco switch I was configuring for dynamic vlan switching with Radius, turned out I had to enable tunneled replies for PEAP, eap worked just fine. Brett Littrell Network Manager Milpitas Unified School District blittrell@musd.org<mailto:blittrell@musd.org> Ph# (408)635-2600 X6086 Fax# (408)635-2632
On Friday, January 21, 2011 at 6:10 AM, in message <3A9815D880FBAF41A523B3A35AF3C3DF06B0D246@AVATAR.umhb.edu<mailto:3A9815D880FBAF41A523B3A35AF3C3DF06B0D246@AVATAR.umhb.edu>>, "Sallee, Stephen (Jake)" <Jake.Sallee@umhb.edu<mailto:Jake.Sallee@umhb.edu>> wrote: Has anyone gotten windows clients to work WITHOUT having to do any manual config on the clients?
Is it even possible? Also, I have my shiny new publicly signed cert from comodo but my clients are still rejecting the connection ... i think the error is here: [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. But I don't know why i would be getting a read error, the certs that i installed have the same permissions as the test certs... here is the full debug, any help is appreciated: FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 2010 at 09:20:29 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including files in directory /usr/local/etc/raddb/modules/ including configuration file /usr/local/etc/raddb/modules/realm including configuration file /usr/local/etc/raddb/modules/linelog including configuration file /usr/local/etc/raddb/modules/etc_group including configuration file /usr/local/etc/raddb/modules/pap including configuration file /usr/local/etc/raddb/modules/detail including configuration file /usr/local/etc/raddb/modules/pam including configuration file /usr/local/etc/raddb/modules/detail.log including configuration file /usr/local/etc/raddb/modules/ntlm_auth including configuration file /usr/local/etc/raddb/modules/mac2vlan including configuration file /usr/local/etc/raddb/modules/radutmp including configuration file /usr/local/etc/raddb/modules/opendirectory including configuration file /usr/local/etc/raddb/modules/smbpasswd including configuration file /usr/local/etc/raddb/modules/digest including configuration file /usr/local/etc/raddb/modules/checkval including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login including configuration file /usr/local/etc/raddb/modules/exec including configuration file /usr/local/etc/raddb/modules/counter including configuration file /usr/local/etc/raddb/modules/logintime including configuration file /usr/local/etc/raddb/modules/cui including configuration file /usr/local/etc/raddb/modules/mschap including configuration file /usr/local/etc/raddb/modules/files including configuration file /usr/local/etc/raddb/modules/detail.example.com including configuration file /usr/local/etc/raddb/modules/dynamic_clients including configuration file /usr/local/etc/raddb/modules/perl including configuration file /usr/local/etc/raddb/modules/expiration including configuration file /usr/local/etc/raddb/modules/inner-eap including configuration file /usr/local/etc/raddb/modules/ippool including configuration file /usr/local/etc/raddb/modules/otp including configuration file /usr/local/etc/raddb/modules/sradutmp including configuration file /usr/local/etc/raddb/modules/unix including configuration file /usr/local/etc/raddb/modules/chap including configuration file /usr/local/etc/raddb/modules/attr_filter including configuration file /usr/local/etc/raddb/modules/preprocess including configuration file /usr/local/etc/raddb/modules/passwd including configuration file /usr/local/etc/raddb/modules/krb5 including configuration file /usr/local/etc/raddb/modules/acct_unique including configuration file /usr/local/etc/raddb/modules/policy including configuration file /usr/local/etc/raddb/modules/smsotp including configuration file /usr/local/etc/raddb/modules/expr including configuration file /usr/local/etc/raddb/modules/wimax including configuration file /usr/local/etc/raddb/modules/mac2ip including configuration file /usr/local/etc/raddb/modules/attr_rewrite including configuration file /usr/local/etc/raddb/modules/ldap including configuration file /usr/local/etc/raddb/modules/echo including configuration file /usr/local/etc/raddb/modules/always including configuration file /usr/local/etc/raddb/modules/sql_log including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including configuration file /usr/local/etc/raddb/sites-enabled/UMHB including configuration file /usr/local/etc/raddb/sites-available/default including configuration file /usr/local/etc/raddb/sites-enabled/control-socket including configuration file /usr/local/etc/raddb/sites-enabled/Cru including configuration file /usr/local/etc/raddb/sites-available/default including configuration file /usr/local/etc/raddb/sites-enabled/default main { allow_core_dumps = no } including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 25600 pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover nostrip } realm LOCAL { } realm Cru { } realm Cru.umhb.edu { } realm umhb { } realm umhb.edu { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 10.2.1.75/32 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "PacketFence" } client 10.11.30.0/24 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "Sanderford" } client 10.11.60.0/24 { require_message_authenticator = no secret = "Burg3rk1ng!" shortname = "Sanderford" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/Production/myserver.key" certificate_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.crt" CA_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.ca-bundle" private_key_password = "Burg3rk1ng!" dh_file = "/usr/local/etc/raddb/certs/Production/dh" random_file = "/usr/local/etc/raddb/certs/Production/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/Production/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /usr/local/etc/raddb/modules/perl perl { module = "/usr/local/etc/raddb/packetfence.pm" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server UMHB { # from file /usr/local/etc/raddb/sites-enabled/UMHB modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server Cru { # from file /usr/local/etc/raddb/sites-enabled/Cru modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server server { # from file /usr/local/etc/raddb/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking preacct {...} for more modules to load Module: Checking accounting {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/usr/local/var/run/radiusd/radiusd.sock" } } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. ====================================================== rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=226, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475 Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 24 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rlm_perl: Added pair NAS-Port-Type = Wireless-802.11 rlm_perl: Added pair Calling-Station-Id = C4-17-FE-33-C6-A7 rlm_perl: Added pair Called-Station-Id = 00-0F-7D-05-0E-81:UMHB Secure WiFi rlm_perl: Added pair Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801 rlm_perl: Added pair User-Name = host/Lappy.umhb.edu rlm_perl: Added pair EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475 rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/1Mbps 802.11b rlm_perl: Added pair EAP-Type = Identity rlm_perl: Added pair NAS-IP-Address = 10.11.60.2 rlm_perl: Added pair NAS-Port = 129 rlm_perl: Added pair Framed-MTU = 1400 rlm_perl: Added pair Auth-Type = EAP ++[perl] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 226 to 10.11.60.2 port 32777 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9330d546872b9f993281128fc Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=227, length=315 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0202008019800000007616030100710100006d03014d39919676cd85f8dcfe3f2afef335ec7a98b2eb9095d964891b3484c06fc78e000018002f00350005000ac013c014c009c00a00320038001300040100002cff0100010000000013001100000e6c617070792e756d68622e656475000a0006000400170018000b00020100 State = 0x330f4dc9330d546872b9f993281128fc Message-Authenticator = 0x9165fc9281fe451bdcf9db8487dd8e79 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 118 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0071], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 227 to 10.11.60.2 port 32777 EAP-Message = 0x0103040019c000000b1c16030100310200002d03014d399195fd2d232a53dfee5dce680c057cfc54fe9686405232871c57112f6efa00002f000005ff010001001603010ad80b000ad4000ad10005cb308205c7308204afa003020102021012949e4e96f5c2b15c9a16c71c4cc811300d06092a864886f70d0101050500308189310b3009060355040613024742311b30190603550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e63652053656375 EAP-Message = 0x726520536572766572204341301e170d3130303831393030303030305a170d3135303831393233353935395a3081db310b3009060355040613025553310e300c060355041113053736353133310b3009060355040813025458310f300d0603550407130642656c746f6e311e301c06035504091315554d48422053746174696f6e20426f782038303035311b30190603550409131239303020436f6c6c6567652053747265657431293027060355040a1320556e6976657273697479206f66204d6172792048617264696e2d4261796c6f723121301f060355040b1318506c6174696e756d53534c205347432057696c64636172643113301106035504 EAP-Message = 0x03140a2a2e756d68622e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100dc8dbc42609826a3a26f48356951f40c4bf97815080528e6445fc6f8e9dfe2d260b1f3202c3e418654e8da0499ea4830c6ef7e1a5525575f1f70e0fe795af97b3774896016f3d275f8e27478e8b49ac8e03122822a72df6c6d4c988ffd456672849e9b62bd1e62f5bf1d24228190e3ca3153391cdd8797a685faaa35446f2dc33d64c4dbd310200ead4d58b2c3de92cf086b1de8a16a8f005feb688574c9cafe87bf878a9d2427ab8f273e533016a63ba4f8addfd6c9f2211052ee9e96e58e3b5e5d9c106e17c47d83a8e0216bf7dc EAP-Message = 0xd1174db8f8a566c3448912b2dd88413518c160c52b92ee57d46bff425ddd7ae381ad9b66e9448c485322fcff4d13c25e7b0203010001a38201d5308201d1301f0603551d230418301680143fd5b5d0d64479504a17a39b8c4adcb8b022646b301d0603551d0e0416041414a0d258941febc0b7d8a8b40c94615afa260bd4300e0603551d0f0101ff0404030205a0300c0603551d130101ff0402300030340603551d25042d302b06082b0601050507030106082b06010505070302060a2b0601040182370a030306096086480186f842040130460603551d20043f303d303b060c2b06010401b2310102010304302b302906082b06010505070201161d EAP-Message = 0x68747470733a2f2f73656375 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9320c546872b9f993281128fc Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=228, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x330f4dc9320c546872b9f993281128fc Message-Authenticator = 0x735474693c2ad02c4b885b94ea32aad5 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 228 to 10.11.60.2 port 32777 EAP-Message = 0x010403fc194072652e636f6d6f646f2e636f6d2f435053304f0603551d1f044830463044a042a040863e687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e63726c30818006082b0601050507010104743072304a06082b06010505073002863e687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d301f0603551d1104183016820a2a2e756d68 EAP-Message = 0x622e6564758208756d68622e656475300d06092a864886f70d010105050003820101003fc66065745e65bd58ad5b11aff73555ce334a1fa9b4329d126e4cf335956d58485ed85ec47fff9d8abb5e903319ec7a53384059f3b7c7a23638a843d56e38bf98d0a2cb1c21fc9de26e2cbeb25c855dd196304b6772c3d80da0cce7c8f14f969c375b4f72e729d1422f86114ae73824a06269fb092c6644d0a12997f72071c234a6354b7cbccf4c4887eee1a79dc8f4ee70e32f2aa1a97e0b1c1e8f9d016bffd1f4f6e90a478a89224190d6626787c20285398e54a521ad2faa65b0cf6813b1aa8cfba7ab8c997f9139e01040dd4af899604318f5a2167ce53c EAP-Message = 0x937c7e72ae0becce9621763408bc6467b4bf05f59a3fd5752c181d52aff7d71026296804930b000500308204fc308203e4a00302010202101690c329b6780607511f05b0344846cb300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3130303431363030303030305a170d3230303533303130343833385a308189310b3009060355040613024742311b301906 EAP-Message = 0x03550408131247726561746572204d616e636865737465723110300e0603550407130753616c666f7264311a3018060355040a1311434f4d4f444f204341204c696d69746564312f302d06035504031326434f4d4f444f20486967682d4173737572616e6365205365637572652053657276657220434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e787dac077e4bb3afa6a24c88041acd21613153dfaf7f82a76dca82d3908ce484abe0f7df0debabb47d5bd2dd71bab0f2081230872b1c011950de6eaa987ffc76e1e4f6632ba53bc05aa1c2c0cef4d37476b100cdbc5a0987e58db37d6aee906bdd7a865f3 EAP-Message = 0x37b9c76dce77c726 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9310b546872b9f993281128fc Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=229, length=193 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x330f4dc9310b546872b9f993281128fc Message-Authenticator = 0x61212145984f95fcd4339ef828985296 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 229 to 10.11.60.2 port 32777 EAP-Message = 0x010503361900e0d7741fa69816bb0c6bc8be77d0ef58a729a0b9b8690536cbb2da58a30b75ad3d8b2282203e7086991cb94fcf77a4071a2363d1385684ecbf8fc54ef418969b1ae893ec8daf159c24f05a3be80fb9a85a01d3b21c60c99c5204dd92a7fe0cace2458d0361bc79e0772e87413c585fcbf5c577f258c84d28d09afaf37309246874bc204cd82cb0aae8d94e6df28c24d3935d910203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604143fd5b5d0d64479504a17a39b8c4adcb8b022646b300e0603551d0f0101ff04040302010630120603551d13 EAP-Message = 0x0101ff040830060101ff02010030110603551d20040a300830060604551d200030440603551d1f043d303b3039a037a0358633687474703a2f2f63726c2e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e63726c3081b306082b060105050701010481a63081a3303f06082b060105050730028633687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737445787465726e616c4341526f6f742e703763303906082b06010505073002862d687474703a2f2f6372742e7573657274727573742e636f6d2f416464547275737455544e53474343412e637274302506082b060105 EAP-Message = 0x050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d0101050500038201010013851f528018c953f7fe2e1aafccd90b3cc2d3858110f0288db9407e2c9e8fd636860a4c142dd69743924119374b969eeba930791295b3023657ed2bb91d981aa3180a3f9b398bcda149294c2ff9d0958cc84d95baa843cf33aa252a5a0eaa27c94e6bb1e6731fb37404c3f34ce2a8eb67b75db808051a569a542985f5294e803b95d07b53961156c102d3eab27fca8f9c704a148d5ab9166075d6cd271e16cd5b338e7940cf2848e7dc71164e749175b92a8cf170ac26dd04b940c285de1c9340d0cc6ec39baaef6065 EAP-Message = 0xdf6022f05aa57aa22fe47073ee3cd4262b6807c1207ae8985a3e7b9f028b62c085818060357ea51d0cd29cdf62450ddbfc37fbf5252216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc9300a546872b9f993281128fc Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=230, length=525 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x020501501980000001461603010106100001020100d39af533c76344574a1afcff8cf5711ac18414345e29b157f02d808735c6214f74e1701e2163b79beaf3e584d3b7b1d6ef308efd0d1f6ca4f9d64ebe55229852a91e97de906b67813e0bd504510f7d5f80a0b083349314274566ce4ff387c95b4c82fc18b5abfda9feb7f893fe9bebe3572dfa2f5c4fe71abc08d95b10c88d4634ea8bdb9e2e946ec4f165c99deeffdee5a075cab3c1390b71713a5b7f2b77c5c1b0aeef836bfeda5840941c675bd32d04bc7d09017b5763310b4adb16a43833559624612363ea18f63e5e654ad1b255fb2ced330453a06516aabbb6550e5a409286363cef5e7661 EAP-Message = 0x1163bb4e662da80dabf30e1455b1be69bd55c68de35bcb7d1403010001011603010030f378c58fc4f96e96bf4aba29aa08962242ce0e3007898a99849af855f11f5116f7ecea3850db2d6561b4599c404e627a State = 0x330f4dc9300a546872b9f993281128fc Message-Authenticator = 0x06d78d3c33e3d757129782abcb1d3133 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 230 to 10.11.60.2 port 32777 EAP-Message = 0x010600411900140301000101160301003005369ff6b06a4224824062f6fcfe0092357c4da2fd59baab8c1c5b071e939e71e83b578bd081ee5fa8d3ac3566b8a1bd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x330f4dc93709546872b9f993281128fc Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=231, length=234 User-Name = "host/Lappy.umhb.edu" NAS-IP-Address = 10.11.60.2 NAS-Port = 129 Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi" Calling-Station-Id = "C4-17-FE-33-C6-A7" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b" EAP-Message = 0x0206002f198000000025150301002071521862587c6d52360e98091cd5d99f81ea6febe82fd2a7401f8b1970c3cf65 State = 0x330f4dc93709546872b9f993281128fc Message-Authenticator = 0xe0cebdb5cdcd98a378bd88f15213b843 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 47 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 37 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state ? [peap] FAILED processing PEAP: Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/Lappy.umhb.edu attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 231 to 10.11.60.2 port 32777 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 226 with timestamp +18 Cleaning up request 1 ID 227 with timestamp +18 Cleaning up request 2 ID 228 with timestamp +18 Cleaning up request 3 ID 229 with timestamp +18 Cleaning up request 4 ID 230 with timestamp +18 Waking up in 1.0 seconds. Cleaning up request 5 ID 231 with timestamp +18 Ready to process requests. Jake Sallee Godfather of Bandwidth Network Engineer University of Mary Hardin-Baylor 900 College St. Belton, Texas 76513 Fone: 254-295-4658 Phax: 254-295-4221 ________________________________ From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org] on behalf of Peter Lambrechtsen [plambrechtsen@gmail.com] Sent: Friday, January 21, 2011 7:11 AM To: FreeRadius users mailing list Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk%3cmailto:A.L.M.Buxey@lboro.ac.uk>>> wrote:
2) Issuing client certs isn't that difficult.? with windows vista/7, installing a cert is a simple double-click operation, so if they have a usb flash, you can use linux to zip a copy of their private key and a .doc with instructions (including screenies!) on configuring their OS in a matter of seconds, all they have to do is stop by IT to request a key once, and it's good for as long as you honour it.
if dealing with client keys - most of the times its just PEAP with user/pass and its the CA thats an issue. even then there are ways of doing this quite easily... eg https://su1x.sf.net I also quite like using the root certificates tool which happily imports certificates into the root certificate store in windows. Go to here: http://support.microsoft.com/kb/931125 Download the "rootsupd.exe<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe>" from there and expand it with winzip or winrar. Then convert your DER file into a P7B using OpenSSL: openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der -out internalca.p7b Then use "updroots.exe" included in the exe to import the certificate into your local certificate chain: updroots -l internalca.p7b And you're done You can even use "iexpress" if you're running windows XP to re-package everything back into a self extracting exe. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Brett Littrell -
Sallee, Stephen (Jake)