Microsoft: SmardCard or Certificate Auth
Hi: I'm trying to configure a FreeRadius server to perform a certification authentication from a Windows Laptop. I have follow the steps at http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline But when I try to do the connection, it never ends... and I get peridical messeges at the FreeRadius server ouput in this way... rad_recv: Access-Request packet from host 160.103.180.252:32769, id=0, length=176 User-Name = "radiusserv" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x0202000f0172616469757373657276 Message-Authenticator = 0x978d232412c863306539d3ad92c9d6b8 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched entry DEFAULT at line 179 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 160.103.180.252 port 32769 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc321c12ede0c59624273d465195058be Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 160.103.180.252:32769, id=1, length=300 User-Name = "radiusserv" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020300790d800000006f160301006a0100006603014af93134b45308b2252422bb395d6ce641bfdc48695e46696178ab4d4b407442000018002f00350005000ac009c00ac013c0140032003800130004010000250000000f000d00000a72616469757373657276000a00080006001700180019000b00020100 State = 0xc321c12ede0c59624273d465195058be Message-Authenticator = 0x209186e1eb149efd3ce2e8796100a977 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 users: Matched entry DEFAULT at line 179 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns ok) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 006a], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0283], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0085], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 1 to 160.103.180.252 port 32769 EAP-Message = 0x0104036b0d8000000361160301004a0200004603014af93134a0ad2fc9103447a6a53e1bd7b8e1a2581b8e10093af80ed2eb04a3b420561e9f8d80da1f899a98dce9e25e4ee70e780ba01becdc9ba1deb915f60224a4002f0016030102830b00027f00027c00027930820275308201dea003020102020100300d06092a864886f70d01010505003074310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e6672 EAP-Message = 0x301e170d3039313130333136353833315a170d3130313130333136353833315a3074310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e667230819f300d06092a864886f70d010101050003818d0030818902818100b8fd3330a5f8ed59944b0ab8f162332223f749059609e5dd68c5efeced0434e500b7178aa3d9ffe32679034200952f14c64f321c851ee7254e78210ad1b8b0420980fb43fa1adf2f89b8 EAP-Message = 0x56fadc8092ef42b1f507a02fc81ab60ed258c3fb079f8d709d8821164011516b7d4d4589ff86306ce61f98130a360ebb3182983900c30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810091d8dca090d57b08a7731dd90db757ed0da0e534cfda5565b6220528e37edadf12944d2fc1c6398e418a99b636904e2b1c4152f614bc5f0b3c4309cf264f27b794e28242ee02bb6ea48d0e3b1440b69ad926bb080ccebc20c3f1ef3b23a9e7868b2a86303b82ee891e9829dd1d6750837c8d533df59899ddaf9c2350b46992ae16030100850d00007d020102007800763074310b3009 EAP-Message = 0x060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e66720e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa8f213a60ac152b2e7e42048e94461f9 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 160.103.180.252:32769, id=2, length=185 User-Name = "radiusserv" Calling-Station-Id = "00-1d-e0-7f-c7-bd" Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon" NAS-Port = 13 NAS-IP-Address = 160.103.180.252 NAS-Identifier = "wlc01" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "82" EAP-Message = 0x020400060d00 State = 0xa8f213a60ac152b2e7e42048e94461f9 Message-Authenticator = 0xe9f04c151b954deb2b5e5c1ca7032f53 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 users: Matched entry DEFAULT at line 179 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns ok) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 2 to 160.103.180.252 port 32769 EAP-Message = 0x0105000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09770a67d71842c41d63756db81b29fc Finished request 2 Going to the next request Waking up in 6 seconds... ------------------------------------- Any ideas what i'm doing wrong? -- View this message in context: http://old.nabble.com/Microsoft%3A-SmardCard-or-Certificate-Auth-tp26280525p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
swatzy wrote:
I'm trying to configure a FreeRadius server to perform a certification authentication from a Windows Laptop. I have follow the steps at http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline
Ugh. That is WAY out of date.
But when I try to do the connection, it never ends... and I get peridical messeges at the FreeRadius server ouput in this way... ... Sending Access-Challenge of id 2 to 160.103.180.252 port 32769 EAP-Message = 0x0105000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09770a67d71842c41d63756db81b29fc Finished request 2 Going to the next request Waking up in 6 seconds... -------------------------------------
Any ideas what i'm doing wrong?
This is in the FAQ and in the comments in eap.conf. The certificates don't have the "magic" OID values. OR, the client doesn't have the CA certificate. I've corrected the Wiki page by deleting most of it. Much of it is simply unnecessary in 2.x. See also http://deployingradius.com/. My web pages contain detailed instructions for getting EAP to work. Alan DeKok.
Thanks a lot Alan... I'm going to try your suggestion... ;-) Alan DeKok-2 wrote:
swatzy wrote:
I'm trying to configure a FreeRadius server to perform a certification authentication from a Windows Laptop. I have follow the steps at http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline
Ugh. That is WAY out of date.
But when I try to do the connection, it never ends... and I get peridical messeges at the FreeRadius server ouput in this way... ... Sending Access-Challenge of id 2 to 160.103.180.252 port 32769 EAP-Message = 0x0105000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x09770a67d71842c41d63756db81b29fc Finished request 2 Going to the next request Waking up in 6 seconds... -------------------------------------
Any ideas what i'm doing wrong?
This is in the FAQ and in the comments in eap.conf.
The certificates don't have the "magic" OID values. OR, the client doesn't have the CA certificate.
I've corrected the Wiki page by deleting most of it. Much of it is simply unnecessary in 2.x.
See also http://deployingradius.com/. My web pages contain detailed instructions for getting EAP to work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://old.nabble.com/Microsoft%3A-SmardCard-or-Certificate-Auth-tp26280525p... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (2)
-
Alan DeKok -
swatzy