allow both /etc/freeradius/users and LDAP authentification : DETAILLED
Hi, sorry for my first email wich was a bit short. Here is a new one with what I'd like to achieve, my conf and the server output. Thanks to everyone involved in helping me ! :) 1. WHAT I'D LIKE TO ACHIEVE : I'd like to allow authentification for our visitors by using the USERS file at the same time. WHen I add a local user, i receive an EAP/TLS error. First, I'd like to know if if it's even possible to do so. 2. MY SERVER CONFIGURATION /etc/freeradius/radiusd.conf max_requests = 38400 auth = yes auth_badpass = yes auth_badpass = yes /etc/freeradius/clients.conf ## RESEAU WIFI client IP/24 { secret = secretpwd shortname = brocaneurocampuswifi /etc/freeradius/users ## CREATION COMPTE TEST test Cleartext-Password := "test" Reply-Message = "Hello, %{User-Name}" /etc/freeradius/modules/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}" } /etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel authenticate { ntlm_auth ... } /etc/freeradius/users #DEFAULT Auth-Type = ntlm_auth freerad service freeradius stop usermod -a -G winbindd_priv freerad chown root:winbindd_priv /var/lib/samba/winbindd_privileged/ service freeradius start /etc/freeradius/modules/mschap with_ntdomain_hack = yes ... ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN_NAME --username=%{mschap:User-Name} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} " /etc/freeradius/eap.conf default_eap_type = peap ... default_eap_type = mschapv2 3. MY SERVER DEBUG WHEN I TRY TO CONNECT WITH AN ACCOUNT OF THE users files. (Connection with LDAP auth works fine on laptops, iphones, android phones) Ready to process requests. rad_recv: Access-Request packet from host xx.xx.xx.1 port 59771, id=108, length=364 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = IP NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x00000000000000000000000000000000aaaaaaaaaaa Message-Authenticator = 0x000000000000000000000 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 108 to IP port 59771 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x11111111111111111111111111111111111111111 Finished request 34. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host IP port 59771, id=109, length=510 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx" Acct-Session-Id = "" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x00000000000000000000000000000000 State = Message-Authenticator = # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 166 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 156 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0097], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02e4], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 109 to 172.31.10.1 port 59771 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0xbcfe187aaa8a11b59a0d6a57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8dcb87ed9d8a1265676698e87672627 Finished request 35. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.10.1 port 59771, id=110, length=350 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=00000000000" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x020400061900 State = 0xd8dcb87ed9d8a1265676698e87672627 Message-Authenticator = 0x84bbb2c96c1d5b5500daa8aa4c6e83f9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 110 to IP port 59771 EAP-Message = 0x00000000000000000000000000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00000000000000000000000000000000 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.10.1 port 59771, id=111, length=361 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=010a1fac007199dcc0f9bc5a" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x000000000000000000000 State = 0x000000000000000000000 Message-Authenticator = 0x55471ef471cea67863dcad3682750cef # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 17 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in unknown state rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:unknown CA): [host/HOSTNAME.DOMAIN/<via Auth-Type = EAP>] (from client client_name port 8 cli MACADDR) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> host/HOSTNAME.DOMAIN attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 37 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 37 Sending Access-Reject of id 111 to 172.31.10.1 port 59771 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 34 ID 108 with timestamp +113 Cleaning up request 35 ID 109 with timestamp +113 Cleaning up request 36 ID 110 with timestamp +114 Waking up in 1.0 seconds. Cleaning up request 37 ID 111 with timestamp +114 Ready to process requests. -- Jean-François MONI Technicien Informatique Centre Broca Nouvelle-Aquitaine 146 rue Léo Saignat 33076 Bordeaux Cedex
On Mar 29, 2018, at 10:55 AM, jean-francois MONI <jean-francois.moni@u-bordeaux.fr> wrote:
sorry for my first email wich was a bit short. Here is a new one with what I'd like to achieve, my conf and the server output. Thanks to everyone involved in helping me ! :)
1. WHAT I'D LIKE TO ACHIEVE : I'd like to allow authentification for our visitors by using the USERS file at the same time. WHen I add a local user, i receive an EAP/TLS error.
That has nothing to do with the "users" file.
First, I'd like to know if if it's even possible to do so.
Please read the replies to your messages. I already said it was possible.
2. MY SERVER CONFIGURATION
https://wiki.freeradius.org/list-help We don't need that information.
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
You didn't put the correct CA into the client machine. Go do that, and it will work. Alan DeKok.
The windows client isn't configured correctly. It's doing machine auth and using wrong CA What you are trying to do is achievable alan On Thu, 29 Mar 2018, 15:55 jean-francois MONI, < jean-francois.moni@u-bordeaux.fr> wrote:
Hi, sorry for my first email wich was a bit short. Here is a new one with what I'd like to achieve, my conf and the server output. Thanks to everyone involved in helping me ! :)
1. WHAT I'D LIKE TO ACHIEVE : I'd like to allow authentification for our visitors by using the USERS file at the same time. WHen I add a local user, i receive an EAP/TLS error. First, I'd like to know if if it's even possible to do so.
2. MY SERVER CONFIGURATION /etc/freeradius/radiusd.conf
max_requests = 38400 auth = yes auth_badpass = yes auth_badpass = yes
/etc/freeradius/clients.conf
## RESEAU WIFI client IP/24 { secret = secretpwd shortname = brocaneurocampuswifi
/etc/freeradius/users
## CREATION COMPTE TEST test Cleartext-Password := "test" Reply-Message = "Hello, %{User-Name}"
/etc/freeradius/modules/ntlm_auth
exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}" }
/etc/freeradius/sites-enabled/default and /etc/freeradius/sites-enabled/inner-tunnel
authenticate {
ntlm_auth ... }
/etc/freeradius/users
#DEFAULT Auth-Type = ntlm_auth
freerad
service freeradius stop usermod -a -G winbindd_priv freerad chown root:winbindd_priv /var/lib/samba/winbindd_privileged/ service freeradius start
/etc/freeradius/modules/mschap
with_ntdomain_hack = yes ... ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=DOMAIN_NAME --username=%{mschap:User-Name} --password=%{User-Password} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} "
/etc/freeradius/eap.conf
default_eap_type = peap ... default_eap_type = mschapv2
3. MY SERVER DEBUG WHEN I TRY TO CONNECT WITH AN ACCOUNT OF THE users files. (Connection with LDAP auth works fine on laptops, iphones, android phones)
Ready to process requests. rad_recv: Access-Request packet from host xx.xx.xx.1 port 59771, id=108, length=364 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = IP NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x00000000000000000000000000000000aaaaaaaaaaa Message-Authenticator = 0x000000000000000000000 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 38 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 108 to IP port 59771 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x11111111111111111111111111111111111111111 Finished request 34. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host IP port 59771, id=109, length=510 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=xxxxxxxxxxxxxxxxx" Acct-Session-Id = "" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x00000000000000000000000000000000 State = Message-Authenticator = # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 166 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 156 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0097], ClientHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0039], ServerHello [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 02e4], Certificate [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [peap] TLS_accept: unknown state [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: unknown state [peap] TLS_accept: unknown state [peap] TLS_accept: Need to read more data: unknown state In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 109 to 172.31.10.1 port 59771 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0x00000000000000000000000000000000 EAP-Message = 0xbcfe187aaa8a11b59a0d6a57 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd8dcb87ed9d8a1265676698e87672627 Finished request 35. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.10.1 port 59771, id=110, length=350 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=00000000000" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x020400061900 State = 0xd8dcb87ed9d8a1265676698e87672627 Message-Authenticator = 0x84bbb2c96c1d5b5500daa8aa4c6e83f9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 110 to IP port 59771 EAP-Message = 0x00000000000000000000000000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x00000000000000000000000000000000 Finished request 36. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.31.10.1 port 59771, id=111, length=361 User-Name = "host/HOSTNAME.DOMAIN" Chargeable-User-Identity = "\001" Location-Capable = Civix-Location Calling-Station-Id = "MACADDR" Called-Station-Id = "MACADDR:SSID" NAS-Port = 8 Cisco-AVPair = "audit-session-id=010a1fac007199dcc0f9bc5a" Acct-Session-Id = "ID/xx:xx:xx:xx:xx:xx/111111111" Cisco-AVPair = "mDNS=true" NAS-IP-Address = 172.31.10.1 NAS-Identifier = "CiscoWLC" Airespace-Wlan-Id = 11 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "152" EAP-Message = 0x000000000000000000000 State = 0x000000000000000000000 Message-Authenticator = 0x55471ef471cea67863dcad3682750cef # Executing section authorize from file /etc/freeradius/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "host/HOSTNAME.DOMAIN", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 17 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in unknown state rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:unknown CA): [host/HOSTNAME.DOMAIN/<via Auth-Type = EAP>] (from client client_name port 8 cli MACADDR) Using Post-Auth-Type REJECT # Executing group from file /etc/freeradius/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> host/HOSTNAME.DOMAIN attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 37 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 37 Sending Access-Reject of id 111 to 172.31.10.1 port 59771 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 34 ID 108 with timestamp +113 Cleaning up request 35 ID 109 with timestamp +113 Cleaning up request 36 ID 110 with timestamp +114 Waking up in 1.0 seconds. Cleaning up request 37 ID 111 with timestamp +114 Ready to process requests.
-- Jean-François MONI Technicien Informatique Centre Broca Nouvelle-Aquitaine 146 rue Léo Saignat 33076 Bordeaux Cedex
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan Buxey -
Alan DeKok -
jean-francois MONI