Cert Problem with EAP-TTSL, SecureW2 (1.0.5-->1.1.7)
Hi everybody, I'm trying to upgrade form 1.0.5 to 1.1.7. For a test run, I copied all the cert and key files (only server-side, it's TTLS) from the production server, and 1.1.7 starts up fine (well, almost, see below). When connecting with a SecureW2 client that goes along well with the 1.0.5 server, I get a dialog window presenting the cert, but SecureW2 complains it's unable to put it into the hierarchy (which is in place already). There is no way to go on then, installing manually won't work either. Have I missed some change in the cert handling? Thanks for any help Martin Here's the output: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/certs/key-radius-staff.pem" tls: certificate_file = "/etc/freeradius/certs/cert-radius-staff.pem" tls: CA_file = "/etc/freeradius/certs/unimr-ssl-ca.pem" tls: private_key_password = "omihnl" tls: dh_file = "/etc/freeradius/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. --------------------------- Now the EAP conversation ---------------------------- rad_recv: Access-Request packet from host 192.168.75.247:1645, id=47, length=136 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0xfca416db4cadc5cd8d623f4ffa044a8c EAP-Message = 0x0202000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 1077 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 2 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 47 to 192.168.75.247 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x90e816dcec17882e035976d1081fbf9c Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=48, length=200 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x47f848aca44779c6fe8451fd18e46ec8 EAP-Message = 0x0203003c158000000032160301002d01000029030118e9b132c7808e219ee90a0861130998e95ddde2e6cc192ebf55af97907d967d000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1077 State = 0x90e816dcec17882e035976d1081fbf9c NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 48 to 192.168.75.247 port 1645 EAP-Message = 0x0104040a15c000000721160301004a020000460301472724a3f12ef9d27b81a1de39e0df087e3fe05bf25a3286f8f7c3b660f5c5b220bfee9fee4cbf509b91f36992d5e1064063ca128700a209fa5dd265ca771f3f0e000a0016030106c40b0006c00006bd0006ba308206b63082059ea003020102020200bb300d06092a864886f70d0101040500308181310b3009060355040613024445311d301b060355040a1314556e69766572736974616574204d617262757267312d302b06035504031324582e3530392043657274696669636174696f6e20417574686f72697479202832303034293124302206092a864886f70d010901161573736c2d6361 EAP-Message = 0x40756e692d6d6172627572672e6465301e170d3037303331393133313531305a170d3038303131333133313531305a3081c6310b3009060355040613024445310f300d0603550408130648657373656e3110300e060355040713074d617262757267311e301c060355040a13155068696c697070732d556e69766572736974616574311f301d060355040b1316486f6368736368756c72656368656e7a656e7472756d312430220603550403131b5261646975732e53746166662e556e692d4d6172627572672e4445312d302b06092a864886f70d010901161e756d726e65742d7465616d4068727a2e756e692d6d6172627572672e646530819f300d EAP-Message = 0x06092a864886f70d010101050003818d0030818902818100a7b25329a57dcf9f4045f7ca2582b5dfd6c8979bdf109e1cc8acd71fd527c570f0b01e088a4cd1ad922dfa7dece1be7cf36f8b6557008ecc84335d15a02852639b27f38ae4da2adcde274eb0c678c88b7fa1491f9aeda8c817362cf263c13fe3a93377eff7dfa5fda65aa8865f21a757c93c0352b1ea493994cbac1ad290687d0203010001a38203733082036f300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414a103cee748c398670ec57153cf72f7429b6568533081dc0603551d2304 EAP-Message = 0x81d43081d180142fd7076c8060bddab7344958057dd6211b9b6fd8a181b2a481af3081ac310b30090603550406130244453121301f060355040a131844657574736368657320466f72736368756e67736e65747a31163014060355040b130d44464e2d4345525420476d62483110300e060355040b130744464e2d504341312d302b0603550403132444464e20546f706c6576656c2043657274696669636174696f6e20417574686f726974793121301f06092a864886f70d010901161263657274696679407063612e64666e2e64658204042c914130290603551d1104223020811e756d726e65742d7465616d4068727a2e756e692d6d6172627572 EAP-Message = 0x672e646530090603551d12040230003081950603551d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbec9e2e7eaa839c8f4518fd18ce5812c Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=49, length=146 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0xcd6073f073f94d232526a17acdd917cf EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 1077 State = 0xbec9e2e7eaa839c8f4518fd18ce5812c NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 49 to 192.168.75.247 port 1645 EAP-Message = 0x0105032b1580000007211f04818d30818a3043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416 EAP-Message = 0x32687474703a2f2f7777772e7063612e64666e2e64652f64666e7063612f706f6c6963792f777777706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f7777772e756e692d6d6172627572672e64652f6872 EAP-Message = 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5 EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e7573394ea8f9f58ca7a725d6852aa4 Finished request 5 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 47 with timestamp 472724a3 Cleaning up request 4 ID 48 with timestamp 472724a3 Cleaning up request 5 ID 49 with timestamp 472724a3 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.75.247:1645, id=50, length=136 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x992ff1c2c9770439d989157ffebd90e3 EAP-Message = 0x0201000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 50 to 192.168.75.247 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16e504561504244a150659018be695aa Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=51, length=136 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x0c100489fd8c2198b35376fa9a9e58ea EAP-Message = 0x0203000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 3 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 51 to 192.168.75.247 port 1645 EAP-Message = 0x010400061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e968b1d48e923f2d0f659205a8734fc Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=52, length=200 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x0bd73c4dafc4b09b305e403cc6f0b8f8 EAP-Message = 0x0204003c158000000032160301002d0100002903019034a3764181867ef4d75ce71605ce439dcbe684c9eccae4acd8cf15fc9e07ea000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 State = 0x0e968b1d48e923f2d0f659205a8734fc NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 4 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 52 to 192.168.75.247 port 1645 EAP-Message = 0x0105040a15c000000721160301004a020000460301472724c19cf50e6bd75f97c0fc3859f33f37b69424d5bd7bce85bdd37ff989a220a44484ec21d75b10cfa8f6bf2ab7334a07c9ec560f963aa1c462a33a50808772000a0016030106c40b0006c00006bd0006ba308206b63082059ea003020102020200bb300d06092a864886f70d0101040500308181310b3009060355040613024445311d301b060355040a1314556e69766572736974616574204d617262757267312d302b06035504031324582e3530392043657274696669636174696f6e20417574686f72697479202832303034293124302206092a864886f70d010901161573736c2d6361 EAP-Message = 0x40756e692d6d6172627572672e6465301e170d3037303331393133313531305a170d3038303131333133313531305a3081c6310b3009060355040613024445310f300d0603550408130648657373656e3110300e060355040713074d617262757267311e301c060355040a13155068696c697070732d556e69766572736974616574311f301d060355040b1316486f6368736368756c72656368656e7a656e7472756d312430220603550403131b5261646975732e53746166662e556e692d4d6172627572672e4445312d302b06092a864886f70d010901161e756d726e65742d7465616d4068727a2e756e692d6d6172627572672e646530819f300d EAP-Message = 0x06092a864886f70d010101050003818d0030818902818100a7b25329a57dcf9f4045f7ca2582b5dfd6c8979bdf109e1cc8acd71fd527c570f0b01e088a4cd1ad922dfa7dece1be7cf36f8b6557008ecc84335d15a02852639b27f38ae4da2adcde274eb0c678c88b7fa1491f9aeda8c817362cf263c13fe3a93377eff7dfa5fda65aa8865f21a757c93c0352b1ea493994cbac1ad290687d0203010001a38203733082036f300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414a103cee748c398670ec57153cf72f7429b6568533081dc0603551d2304 EAP-Message = 0x81d43081d180142fd7076c8060bddab7344958057dd6211b9b6fd8a181b2a481af3081ac310b30090603550406130244453121301f060355040a131844657574736368657320466f72736368756e67736e65747a31163014060355040b130d44464e2d4345525420476d62483110300e060355040b130744464e2d504341312d302b0603550403132444464e20546f706c6576656c2043657274696669636174696f6e20417574686f726974793121301f06092a864886f70d010901161263657274696679407063612e64666e2e64658204042c914130290603551d1104223020811e756d726e65742d7465616d4068727a2e756e692d6d6172627572 EAP-Message = 0x672e646530090603551d12040230003081950603551d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64bcd7ab184104b28fe791bc4534cc7 Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=53, length=146 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0xfce71b18a6dc790150378ea46f150da9 EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 State = 0xf64bcd7ab184104b28fe791bc4534cc7 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall[authorize]: module "files" returns notfound for request 9 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 53 to 192.168.75.247 port 1645 EAP-Message = 0x0106032b1580000007211f04818d30818a3043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416 EAP-Message = 0x32687474703a2f2f7777772e7063612e64666e2e64652f64666e7063612f706f6c6963792f777777706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f7777772e756e692d6d6172627572672e64652f6872 EAP-Message = 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5 EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x194813969de6dafbfed1a83597dc3f1b Finished request 9 -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Martin Pauly wrote:
I'm trying to upgrade form 1.0.5 to 1.1.7. For a test run, I copied all the cert and key files (only server-side, it's TTLS) from the production server, and 1.1.7 starts up fine (well, almost, see below).
So... did you run the command to set the DH parameters?
When connecting with a SecureW2 client that goes along well with the 1.0.5 server, I get a dialog window presenting the cert, but SecureW2 complains it's unable to put it into the hierarchy (which is in place already). There is no way to go on then, installing manually won't work either.
It *should* work. Most people who upgrade just upgrade... and have it work.
Have I missed some change in the cert handling?
Nope. Alan DeKok.
On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
So... did you run the command to set the DH parameters? yeah, stupid me: I had looked for it in my own eap.conf, not in the one provided with the 1.1.5 package. No DH gets initialized, but the cert problem remains. Here's the debug output again (startup + 1 connection trial):
pcrz322:/etc/freeradius# freeradius -X | tee /tmp/freerad.debug.log Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/certs/key-radius-staff.pem" tls: certificate_file = "/etc/freeradius/certs/cert-radius-staff.pem" tls: CA_file = "/etc/freeradius/certs/unimr-ssl-ca.pem" tls: private_key_password = "omihnl" tls: dh_file = "/etc/freeradius/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.75.247:1645, id=101, length=136 User-Name = "Anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0011.24c9.25f2" Service-Type = Login-User Message-Authenticator = 0xce6c8c91570936e0f7a5a6aea1062eb4 EAP-Message = 0x0201000e01416e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 44155 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Anonymous" rlm_realm: Proxying request from user Anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 101 to 192.168.75.247 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb498dc282c22e1d8ff34a0b827819af9 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 101 with timestamp 4729bd78 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.75.247:1645, id=102, length=136 User-Name = "Anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0011.24c9.25f2" Service-Type = Login-User Message-Authenticator = 0x8abd328569f979c1d4d3f259dcdd0c3e EAP-Message = 0x0201000e01416e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 44157 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Anonymous" rlm_realm: Proxying request from user Anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 102 to 192.168.75.247 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x97b372c376a7a44695056802e010064c Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=103, length=258 User-Name = "Anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0011.24c9.25f2" Service-Type = Login-User Message-Authenticator = 0xb2829ef0df4d913c93e7fd30a46426b6 EAP-Message = 0x0202007615800000006c16030100670100006303014729bd9bb248a47e3cbcec267904a4ee52b135a56e1881c169240e7a7107d1c200003c002f000500040035000aff830009ff82000300080006ff8000320033003400380039003a0016001500140013001200110018001b001a0017001900010100 NAS-Port-Type = Wireless-802.11 NAS-Port = 44157 State = 0x97b372c376a7a44695056802e010064c NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Anonymous" rlm_realm: Proxying request from user Anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 118 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 103 to 192.168.75.247 port 1645 EAP-Message = 0x0103040a15c000000721160301004a0200004603014729bd9a826d7a6a639a81e6b80d00d7d50159968bccf9e9e80069cf95ea13c6204db006ad17d2fde22de652279f3098e49a743178787a8585fe9474a28fc524d1002f0016030106c40b0006c00006bd0006ba308206b63082059ea003020102020200bb300d06092a864886f70d0101040500308181310b3009060355040613024445311d301b060355040a1314556e69766572736974616574204d617262757267312d302b06035504031324582e3530392043657274696669636174696f6e20417574686f72697479202832303034293124302206092a864886f70d010901161573736c2d6361 EAP-Message = 0x40756e692d6d6172627572672e6465301e170d3037303331393133313531305a170d3038303131333133313531305a3081c6310b3009060355040613024445310f300d0603550408130648657373656e3110300e060355040713074d617262757267311e301c060355040a13155068696c697070732d556e69766572736974616574311f301d060355040b1316486f6368736368756c72656368656e7a656e7472756d312430220603550403131b5261646975732e53746166662e556e692d4d6172627572672e4445312d302b06092a864886f70d010901161e756d726e65742d7465616d4068727a2e756e692d6d6172627572672e646530819f300d EAP-Message = 0x06092a864886f70d010101050003818d0030818902818100a7b25329a57dcf9f4045f7ca2582b5dfd6c8979bdf109e1cc8acd71fd527c570f0b01e088a4cd1ad922dfa7dece1be7cf36f8b6557008ecc84335d15a02852639b27f38ae4da2adcde274eb0c678c88b7fa1491f9aeda8c817362cf263c13fe3a93377eff7dfa5fda65aa8865f21a757c93c0352b1ea493994cbac1ad290687d0203010001a38203733082036f300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414a103cee748c398670ec57153cf72f7429b6568533081dc0603551d2304 EAP-Message = 0x81d43081d180142fd7076c8060bddab7344958057dd6211b9b6fd8a181b2a481af3081ac310b30090603550406130244453121301f060355040a131844657574736368657320466f72736368756e67736e65747a31163014060355040b130d44464e2d4345525420476d62483110300e060355040b130744464e2d504341312d302b0603550403132444464e20546f706c6576656c2043657274696669636174696f6e20417574686f726974793121301f06092a864886f70d010901161263657274696679407063612e64666e2e64658204042c914130290603551d1104223020811e756d726e65742d7465616d4068727a2e756e692d6d6172627572 EAP-Message = 0x672e646530090603551d12040230003081950603551d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x20f6d86d4e6ca6fb2bfaad3de7d5adff Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=104, length=146 User-Name = "Anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0011.24c9.25f2" Service-Type = Login-User Message-Authenticator = 0xc4c739bc2266065dddda17966d40c3c5 EAP-Message = 0x020300061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 44157 State = 0x20f6d86d4e6ca6fb2bfaad3de7d5adff NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "Anonymous" rlm_realm: Proxying request from user Anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 104 to 192.168.75.247 port 1645 EAP-Message = 0x0104032b1580000007211f04818d30818a3043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416 EAP-Message = 0x32687474703a2f2f7777772e7063612e64666e2e64652f64666e7063612f706f6c6963792f777777706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f7777772e756e692d6d6172627572672e64652f6872 EAP-Message = 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5 EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa145d9de8019bae046f8849b2f1edf14 Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 102 with timestamp 4729bd9a Cleaning up request 2 ID 103 with timestamp 4729bd9a Cleaning up request 3 ID 104 with timestamp 4729bd9a Nothing to do. Sleeping until we see a request. -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
Martin Pauly wrote:
On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
So... did you run the command to set the DH parameters? yeah, stupid me: I had looked for it in my own eap.conf, not in the one provided with the 1.1.5 package. No DH gets initialized, but the cert problem remains. Here's the debug output again (startup + 1 connection trial): ... Sending Access-Challenge of id 104 to 192.168.75.247 port 1645 EAP-Message = 0x0104032b1580000007211f04818d30818a3043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416 EAP-Message = 0x32687474703a2f2f7777772e7063612e64666e2e64652f64666e7063612f706f6c6963792f777777706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f7777772e756e692d6d6172627572672e64652f6872 EAP-Message = 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5 EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa145d9de8019bae046f8849b2f1edf14 Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 102 with timestamp 4729bd9a
See the logs on the client for why it has stopped talking to the server. Alan DeKok.
No DH gets initialized, but the cert problem remains. sorry for ma late response: I had indeed confused two files and included the wrong CA cert file. The supplicant was perfectly right in its complaint
Thanks, Martin -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg
participants (2)
-
Alan DeKok -
Martin Pauly