Re: freeradius 2.1.10 WARNING: Internal sanity check failed
Hi, I have followed your advise and I went back to the default config. I have read the: http://deployingradius.com/documents/configuration/certificates.html And I have followed it step by step. Testing first the PAP auth with an entry in users.conf and it worked fine. Next I add the Wireless LAN Controller in clients.conf and change the default eap_type with peap. I get the next warning: Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Debug: WARNING: !! EAP session for state 0xc729a88ac72ab1dd did not finish! Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Testing with an WinXP and Win7 client, so I do not think its a Supplicant issue. The supplicant config is PEAP with MSCHAPv2, and no certificate validation. I have a look to certs/README file, and I have studied the ./bootstrap script I make sure xpextensions are applied.I also launch rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt* Before modifying the server.cnf and ca.cnf and launch bootstrap script again. I always get the same warning, I do no undestand why. In http://deployingradius.com says it just worked, but not in my enviorment. I attach the output: Thu Mar 31 13:14:25 2011 : Info: Ready to process requests. rad_recv: Access-Request packet from host 10.118.249.20 port 32768, id=51, length=173 User-Name = "bob" Calling-Station-Id = "00-1B-77-8E-1E-A4" Called-Station-Id = "00-1E-4A-90-5F-30:eduroam" NAS-Port = 29 NAS-IP-Address = 10.118.249.20 NAS-Identifier = "WLC_2_SCC_LAB" Airespace-Wlan-Id = 1 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "911" EAP-Message = 0x0202000801626f62 Message-Authenticator = 0xfabf4ce8269ee315494653e616f244ce Thu Mar 31 13:14:26 2011 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Mar 31 13:14:26 2011 : Info: +- entering group authorize {...} Thu Mar 31 13:14:26 2011 : Info: ++[preprocess] returns ok Thu Mar 31 13:14:26 2011 : Info: ++[chap] returns noop Thu Mar 31 13:14:26 2011 : Info: ++[mschap] returns noop Thu Mar 31 13:14:26 2011 : Info: ++[digest] returns noop Thu Mar 31 13:14:26 2011 : Info: [suffix] No '@' in User-Name = "bob", looking up realm NULL Thu Mar 31 13:14:26 2011 : Info: [suffix] No such realm "NULL" Thu Mar 31 13:14:26 2011 : Info: ++[suffix] returns noop Thu Mar 31 13:14:26 2011 : Info: [eap] EAP packet type response id 2 length 8 Thu Mar 31 13:14:26 2011 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Thu Mar 31 13:14:26 2011 : Info: ++[eap] returns updated Thu Mar 31 13:14:26 2011 : Info: [files] users: Matched entry bob at line 1 Thu Mar 31 13:14:26 2011 : Info: ++[files] returns ok Thu Mar 31 13:14:26 2011 : Info: ++[expiration] returns noop Thu Mar 31 13:14:26 2011 : Info: ++[logintime] returns noop Thu Mar 31 13:14:26 2011 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP Thu Mar 31 13:14:26 2011 : Info: ++[pap] returns noop Thu Mar 31 13:14:26 2011 : Info: Found Auth-Type = EAP Thu Mar 31 13:14:26 2011 : Info: # Executing group from file /etc/raddb/sites-enabled/default Thu Mar 31 13:14:26 2011 : Info: +- entering group authenticate {...} Thu Mar 31 13:14:26 2011 : Info: [eap] EAP Identity Thu Mar 31 13:14:26 2011 : Info: [eap] processing type tls Thu Mar 31 13:14:26 2011 : Info: [tls] Initiate Thu Mar 31 13:14:26 2011 : Info: [tls] Start returned 1 Thu Mar 31 13:14:26 2011 : Info: ++[eap] returns handled Sending Access-Challenge of id 51 to 10.118.249.20 port 32768 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc729a88ac72ab1dd3e4f8d4fc2851f1c Thu Mar 31 13:14:26 2011 : Info: Finished request 9. Thu Mar 31 13:14:26 2011 : Debug: Going to the next request Thu Mar 31 13:14:26 2011 : Debug: Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.118.249.20 port 32768, id=51, length=173 Thu Mar 31 13:14:28 2011 : Info: Sending duplicate reply to client WiSM port 32768 - ID: 51 Sending Access-Challenge of id 51 to 10.118.249.20 port 32768 Thu Mar 31 13:14:28 2011 : Debug: Waking up in 2.9 seconds. rad_recv: Access-Request packet from host 10.118.249.20 port 32768, id=51, length=173 Thu Mar 31 13:14:30 2011 : Info: Sending duplicate reply to client WiSM port 32768 - ID: 51 Sending Access-Challenge of id 51 to 10.118.249.20 port 32768 Thu Mar 31 13:14:30 2011 : Debug: Waking up in 0.9 seconds. Thu Mar 31 13:14:31 2011 : Info: Cleaning up request 9 ID 51 with timestamp +60 Thu Mar 31 13:14:31 2011 : Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Mar 31 13:14:31 2011 : Debug: WARNING: !! EAP session for state 0xc729a88ac72ab1dd did not finish! Thu Mar 31 13:14:31 2011 : Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility Thu Mar 31 13:14:31 2011 : Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Thu Mar 31 13:14:31 2011 : Info: Ready to process requests. Thanks in advance. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
joanroldan wrote:
I have followed your advise and I went back to the default config. I have read the:
http://deployingradius.com/documents/configuration/certificates.html
And I have followed it step by step. Testing first the PAP auth with an entry in users.conf and it worked fine. Next I add the Wireless LAN Controller in clients.conf and change the default eap_type with peap.
That is *not* the next step in the guide. Follow the steps in the guide, there's a *reason* there is more than one step.
I get the next warning:
Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Debug: WARNING: !! EAP session for state 0xc729a88ac72ab1dd did not finish! Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Testing with an WinXP and Win7 client, so I do not think its a Supplicant issue.
You're wrong. It's almost *always* a supplicant issue.
The supplicant config is PEAP with MSCHAPv2, and no certificate validation.
I have a look to certs/README file, and I have studied the ./bootstrap script I make sure xpextensions are applied.I also launch
rm -f *.pem *.der *.csr *.crt *.key *.p12 serial* index.txt*
Before modifying the server.cnf and ca.cnf and launch bootstrap script again.
I always get the same warning, I do no undestand why. In http://deployingradius.com says it just worked, but not in my enviorment.
Make sure that the root certificate is on the Windows machine, too. Alan DeKok.
I have make sure that root certificate is installed on Windows client but I still got the same warning. Could anyone tell me how to fix it? Thanks in advance. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I have grabbed the 2.1.11 from git.freeradius.org, and unfortunally I get the same warning: Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Debug: WARNING: !! EAP session for state 0xc729a88ac72ab1dd did not finish! Debug: WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility Debug: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! I have tried with several EAP types, such PEAP-MSCHAPv2, TTLS, TLS with Windows, Cisco and Intel supplicants and always get the same warning. I always install the CA on Windows client, even the server.crt and server.p12 with no success. Has anyone face with this issue? Thanks a lot. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, After failing to set an EAP-MSCHAP environment with certificates by default, I have handled a production certified by a CA signer. With these certificates I do not get the warning of compatibility with Windows. But the warning which I opened this post appears again: Info: WARNING: Internal sanity check failed in event handler for request 1: Discarding the request! The purpose of freeradius server is configured to implement eduroam in an institution with PEAP-MSCHAPv2 using windows supplicant. The changes I made in the configuration have been minimal: - The command "hello bob localhost 0 radtest testing123" working properly - configuration of all Wireless LAN Controller in clients.conf - definition as the default eap PEAP type in eap.conf - CA configuration file, key and certificate in tls in eap.conf - configuration of the proxy RADIUS realm DEFAULT When I try to authenticate a user to test the request goes to a higher radius, the request is sent to proxy radius but after a few tries before I get the warning again. I attach the outputs. http://freeradius.1045715.n5.nabble.com/file/n4461876/warning.txt warning.txt http://freeradius.1045715.n5.nabble.com/file/n4461876/radiusd-Xx.txt radiusd-Xx.txt Thanks in advance. -- View this message in context: http://freeradius.1045715.n5.nabble.com/freeradius-2-1-10-WARNING-Internal-s... Sent from the FreeRadius - User mailing list archive at Nabble.com.
joanroldan wrote:
Info: WARNING: Internal sanity check failed in event handler for request 1: Discarding the request!
See http://git.freeradius.org/ and grab the v2.1.x branch Alan DeKok.
participants (2)
-
Alan DeKok -
joanroldan