Hi Something strange came up. after posting this, I tried it again one night, and strangely everything worked out just fine. (with the two Ubiquiti devices (http://www.ubnt.com/nanobridge) (one as AP and one as the client) and I wanted to be sure, so I tested it with a WRT120N Wireless router, and my laptop with ubuntu 10.10, worked OK again, I even tried it with my iPad and after confirming a certificate warning, it succeeded in connecting to the AP. So everything was ok I thought, but today when I wanted to run the test again, I got the same errors I got before
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x829fae86829ebb1a did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
I thought maybe it's a time related issue for the certificates, so I set up a ntp server and sync the times and dates, but the WARNING showed up again. does this situation seem familiar to anybody? I'm helpless now! I didn't change ANYTHING! not before it was working fine, and not after, I just didn't use it for maybe about 2 weeks Here's the log when it was working fine. Thank you guys Milosh droxy Listening on accounting address * port 1813 Listening on command file /usr/local/var/run/radiusd/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=0, length=138 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-15-6D-1C-A8-C5:TEST" Calling-Station-Id = "00-15-6D-1C-A8-D3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x026700090174657374 Message-Authenticator = 0x966c9a3758421ff32156e186c61eb76e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 103 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.10.10.145 port 2048 EAP-Message = 0x016800061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfed3ffabfebbeaab3449a6464e99ebae Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=1, length=209 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-15-6D-1C-A8-C5:TEST" Calling-Station-Id = "00-15-6D-1C-A8-D3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x0268003e150016030100330100002f03014d9a098bf0978c355df4d62fa42b17d3cc0eeae6fc276fe6dff9b29393f367db000008002f000a000500040100 State = 0xfed3ffabfebbeaab3449a6464e99ebae Message-Authenticator = 0x4b1efe6eb985fe421236644cbdb113f5 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 104 length 62 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0033], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 02ad], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 10.10.10.145 port 2048 EAP-Message = 0x016902f41580000002ea160301002a0200002603014d9a098b3b9e8bb3deeb97793284e56d45d2323870a337d1f35cdf94c179278c00002f0016030102ad0b0002a90002a60002a33082029f30820208a003020102020107300d06092a864886f70d0101050500308188310b3009060355040613024952310f300d0603550408130654656872616e310f300d0603550407130654656872616e3111300f060355040a13084b69616e614e65743111300f060355040b1308576972656c657373310e300c0603550403130541646d696e3121301f06092a864886f70d010901161261646d696e406b69616e616e65742e6e6574301e170d31313033323931 EAP-Message = 0x30343634315a170d3132303332383130343634315a308188310b3009060355040613024952310f300d0603550408130654656872616e310f300d0603550407130654656872616e3111300f060355040a13084b69616e614e65743111300f060355040b1308576972656c657373310e300c0603550403130561646d696e3121301f06092a864886f70d010901161261646d696e406b69616e616e65742e6e657430819f300d06092a864886f70d010101050003818d0030818902818100b17583c61048d5da1d5fa392f432e3207d26738046b521ee303b4a79d49622e2317fc5e308cd43b47518c6a6b4af3f94657298ce34da415a2739e0fd8ac5ae3e EAP-Message = 0x9bf522f89a2a96ad3583c3c234403f0973a33910f788ead6bb7cd18b0979d3989168da37f8c4461267166b9239ef0fcb4ecc0dc113eb8872e1b91b7b9c1102e10203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100a8e736361a28260f8e1f2a42d670a642a5f3af562e2186cff8cda7e8ffa67e1a691dc014c48353514366a7c2932196a414344a707f9334607714793b599de63b5a17e5a3f437fc6a4d52d209e00593a6cfe55ac93f9c1d70f56f9e75b4a20ef8741810eb15d2ee57671e840bb8575ddc958f76e36d5ec69c9a35b760a2f17a9816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfed3ffabffbaeaab3449a6464e99ebae Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=2, length=351 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-15-6D-1C-A8-C5:TEST" Calling-Station-Id = "00-15-6D-1C-A8-D3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x026900cc1500160301008610000082008025a0c342d0e03d47cb83602f52d86a1abb8815964c220e763f7fdc7a34c46837658aaee06710e87e2f3de0d787291be6766a76dbb3fcf9285ad86f3e7b558234e7645f1804a955538e58b2e3db10af4cf80c3bd3d8f20d465cf8982bcec8e7ac844c6a1474295376f003cb9ed7c056319b9cccf830ecff5591a1e62b3174ac0f1403010001011603010030a4355f74e35bdfc0c09c3c285e5df2cf789ba51763df8e3dccc78c057614106aa975e5f63ad0f70f38d16bea623310df State = 0xfed3ffabffbaeaab3449a6464e99ebae Message-Authenticator = 0xdf7a9d7fffbfbbc12e23d0aedccc657e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 105 length 204 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 10.10.10.145 port 2048 EAP-Message = 0x016a004515800000003b1403010001011603010030515c28dbb9af01c5df68db5c9a79160a7bb650284637d9ad7aee4db1e2d7ef9f94f84dba9b6551dad2a422e0ebe39b61 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfed3ffabfcb9eaab3449a6464e99ebae Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=3, length=286 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-15-6D-1C-A8-C5:TEST" Calling-Station-Id = "00-15-6D-1C-A8-D3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x026a008b15001703010080db0fe23fd8479d2c92cb1c1ae0ccea708a4822cb2a37ea0648890d1b813e64e1a1875c8f5147c2621e0a325f2eba540a622567f058a8d27923a91df622869b617677fb0ed76e24d4e5ee4eb9da78d4367d7f121593b04d66577734f3a839f3b15ae2b56160224a9078a614f50c6f0b18129384b48d95dc93cf9119c1da2960d0 State = 0xfed3ffabfcb9eaab3449a6464e99ebae Message-Authenticator = 0x9366d77282650efe70a69d65f9dfc957 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 106 length 139 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "test" MS-CHAP-Challenge = 0xf35244302cde5941bf59400d3db2610b MS-CHAP2-Response = 0xd50025cd28a00db1f559c2571e91efcba6fb00000000000000007f75cc7e81573e9f3de6fc54397693cea0dd3458dce84b8f FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "test" MS-CHAP-Challenge = 0xf35244302cde5941bf59400d3db2610b MS-CHAP2-Response = 0xd50025cd28a00db1f559c2571e91efcba6fb00000000000000007f75cc7e81573e9f3de6fc54397693cea0dd3458dce84b8f FreeRADIUS-Proxied-To = 127.0.0.1 server { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] returns ok ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> test [sql] sql_set_user escaped user --> 'test' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'test' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'test' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'test' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = MSCHAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: test [mschap] Told to do MS-CHAPv2 for test with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop } # server [ttls] Got tunneled reply code 2 MS-CHAP2-Success = 0xd5533d43383734464446363634433839434441413845314345323846423435433331313431394139313337 MS-MPPE-Recv-Key = 0x3ea88b59cb73a3001d3ee04ac5dab228 MS-MPPE-Send-Key = 0x64126ac7c2ec499c8f52925316357c84 MS-MPPE-Encryption-Policy = 0x00000002 MS-MPPE-Encryption-Types = 0x00000004 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] returns handled Sending Access-Challenge of id 3 to 10.10.10.145 port 2048 EAP-Message = 0x016b005f1580000000551703010050f2fa45a56374155384f5693a65a4375b1f1557f4569f084c1bcd9be825add2c16dd4e50a02e21ef0b15f2d3ac7268bfa4f5be0dbecaacf063376ca4591b2f5bff75228372ca28baf2f7ba8019cb419d5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfed3ffabfdb8eaab3449a6464e99ebae Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.10.10.145 port 2048, id=4, length=153 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-15-6D-1C-A8-C5:TEST" Calling-Station-Id = "00-15-6D-1C-A8-D3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x026b00061500 State = 0xfed3ffabfdb8eaab3449a6464e99ebae Message-Authenticator = 0x65aa0dd598e522b5a35c067571ac497c # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 107 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 4 to 10.10.10.145 port 2048 MS-MPPE-Recv-Key = 0x597a4ceb752b01e71e733ddebf986d224906a62e975163479148f1f185a4dbee MS-MPPE-Send-Key = 0x3c7bbc2bea16305f5d1bcc22f9bd795fe6e50571d9ebf90939949d0bea7bcf2d EAP-Message = 0x036b0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test" Finished request 4. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +5 Cleaning up request 1 ID 1 with timestamp +5 Cleaning up request 2 ID 2 with timestamp +5 Cleaning up request 3 ID 3 with timestamp +5 Cleaning up request 4 ID 4 with timestamp +5 Ready to process requests.
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. EAP-TTLS Problem (Milosh Droxy)
------------------------------
Message: 1 Date: Tue, 29 Mar 2011 16:10:41 +0430 From: Milosh Droxy <droxy.net@gmail.com> Subject: EAP-TTLS Problem To: freeradius-users@lists.freeradius.org Message-ID: <AANLkTim1pbcg7w30RLQj-iMTW7BTVCxtHGN_Nc3xS6Rm@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Hi
ok, I've been searching and testing for about a week now. I'm quite sure I've read almost every topic related to my problem on this mailing-list
and
others. and I was afraid to ask for help because I've never posted on a mailing list or a forum and I was really afraid of Alan DeKoK. The Problem: I'm trying to use Freeradius to authenticate users using EAP-TTLS MSCHAP, with no success. I use "FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu". on a Ubuntu 10.04 64bit Server. I've used these devices as clients two Ubiquiti devices (http://www.ubnt.com/nanobridge) (one as AP and one as client) A TP-Link TL-WR542G as AP and my laptop (running ubuntu 10.10) as client. (and an iPad) (There were NO Windows XP in any of my tests, so it's not a Microsoft issue)
and I've used eapol_test, with successful results, the problem only shows when I try to authenticate remotely. since the eapol_test results were fine I wont post the output here. (or should I ?)
and here is the output for when I try to authenticate remotely (the output is exactly the same with any combination I've tried)
participants (1)
-
Milosh Droxy