Hello gentlemen I am configuring PEAP and there is not much information about it, Should I add a user in the user file alone? If default is configured with EAP, what should I modify another file? thanks. logout: rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=220, length=156 User-Name = "DOMINIO\\msilvero" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x8cc6da388d8df7f5ec4355457fe64969 EAP-Message = 0x020100130149504c414e5c6d73696c7665726f NAS-Port-Type = Wireless-802.11 NAS-Port = 474 NAS-IP-Address = 10.10.1.21 NAS-Identifier = "ap-ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 220 to 10.10.1.21 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34d23a2734d023bc90d78d0fbe96492c Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=221, length=263 User-Name = "DOMINIO\\msilvero" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x3491a2750461cd5efdc8648bf46aa49a EAP-Message = 0x0202006c190016030100610100005d030149493f85acfcc0f2c2c47fe6fa7a57d6e421cff26116506231b3776199ed10e200003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100 NAS-Port-Type = Wireless-802.11 NAS-Port = 474 State = 0x34d23a2734d023bc90d78d0fbe96492c NAS-IP-Address = 10.10.1.21 NAS-Identifier = "ap-ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 108 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 221 to 10.10.1.21 port 1645 [...] Going to the next request Waking up in 4.8 seconds. Cleaning up request 0 ID 220 with timestamp +68 Waking up in 0.1 seconds. Cleaning up request 1 ID 221 with timestamp +68 Ready to process requests. rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=222, length=156 User-Name = "DOMINIO\\msilvero" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x862b4eedab979983e604c4836e8ac526 EAP-Message = 0x020100130149504c414e5c6d73696c7665726f NAS-Port-Type = Wireless-802.11 NAS-Port = 475 NAS-IP-Address = 10.10.1.21 NAS-Identifier = "ap-ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 222 to 10.10.1.21 port 1645 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8f11b52d8f13ac786b16694f681d2fd0 Finished request 2. [...] [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 223 to 10.10.1.21 port 1645 [...] Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=224, length=161 User-Name = "DOMINIO\\msilvero" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x9f0db2567149250ed92295734e004b44 EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 475 State = 0x8f11b52d8e12ac786b16694f681d2fd0 NAS-IP-Address = 10.10.1.21 NAS-Identifier = "ap-ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 224 to 10.10.1.21 port 1645 [...] Finished request 4. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=225, length=161 User-Name = "DOMINIO\\msilvero" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0x65d2bab3cdae40b237ce9837d9a3eacf EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 475 State = 0x8f11b52d8d15ac786b16694f681d2fd0 NAS-IP-Address = 10.10.1.21 NAS-Identifier = "ap-ap" [...] Sending Access-Challenge of id 225 to 10.10.1.21 port 1645 [...] Finished request 5. Going to the next request waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.10.1.21 port 1645, id=226, length=168 User-Name = "DOMINIO\\msilvero" Framed-MTU = 1400 Called-Station-Id = "0019.2fdb.9e00" Calling-Station-Id = "001f.3c22.44c5" Service-Type = Login-User Message-Authenticator = 0xcb5badb43459e8a2770683bef095543b EAP-Message = 0x0205000d190015030100020230 NAS-Port-Type = Wireless-802.11 NAS-Port = 475 State = 0x8f11b52d8c14ac786b16694f681d2fd0 NAS-IP-Address = 10.10.1.21 NAS-Identifier = "ap-ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 13 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> DOMINIO\msilvero attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 226 to 10.10.1.21 port 1645 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. Cleaning up request 2 ID 222 with timestamp +74 Waking up in 0.1 seconds. Cleaning up request 3 ID 223 with timestamp +74 Cleaning up request 4 ID 224 with timestamp +74 Cleaning up request 5 ID 225 with timestamp +74 Waking up in 1.0 seconds. Cleaning up request 6 ID 226 with timestamp +74 Ready to process requests.
I am configuring PEAP and there is not much information about it,
Maily because there is nothing to configure. It "just works" with default configuration.
Should I add a user in the user file alone?
That's best for testing - user entry at the top of the users file.
If default is configured with EAP, what should I modify another file?
Nothing.
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A
But your problem has nothing to do with the user. You haven't imported the ca certificate onto the users machine. At least not the correct one. Ivan Kalik Kalik Informatika ISP
Martin Silvero wrote:
I am configuring PEAP and there is not much information about it,
http://deployingradius.com There is a complete and detailed set of instructions for configuring EAP. Alan DeKok.
participants (3)
-
Alan DeKok -
Martin Silvero -
tnt@kalik.net