[ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
Hi all, In my quest to get TTLS working I'm making slow and painful progress. I've now reached this stage, I can see what Freeradius is complaining about but don't know how to fix it. I've tried putting the root cert on the client, the intermediate cert on the client, the chain of intermediate+root on the client... nothing works !!!! What certificate am I supposed to be putting on the client to get TTLS working ????? This is all with the current 2.2.x version and the auth user just in the radb/users file. Thanks rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=25, length=166 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0200000801626f62 Message-Authenticator = 0x3b90b7bce827872043429fc5d3c4d4fa # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry bob at line 1 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 25 to 172.16.100.254 port 32771 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfce0cbcffce1c61e13af06a62b033add Finished request 99. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=26, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020100060315 State = 0xfce0cbcffce1c61e13af06a62b033add Message-Authenticator = 0x544d5ecfbb5fcfea7fc92c6af9995988 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry bob at line 1 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 26 to 172.16.100.254 port 32771 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfce0cbcffde2de1e13af06a62b033add Finished request 100. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=27, length=409 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXX State = 0xfce0cbcffde2de1e13af06a62b033add Message-Authenticator = 0x51c1fa9a013d0796e3c69e73feacaee9 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 233 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00de], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0d03], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 27 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXX EAP-Message = 0xXXXX EAP-Message = 0xXXXXX EAP-Message = 0xXXXXX EAP-Message = 0x54563bfc875ead29ea258ceb Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfce0cbcffee3de1e13af06a62b033add Finished request 101. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=28, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020300061500 State = 0xfce0cbcffee3de1e13af06a62b033add Message-Authenticator = 0x0b7f096f4fc0c8acb5407c07e58c4f13 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 28 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXX EAP-Message = 0xXXXXX EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXXX EAP-Message = 0x010056212ec4da360bb41484 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfce0cbcfffe4de1e13af06a62b033add Finished request 102. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=29, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020400061500 State = 0xfce0cbcfffe4de1e13af06a62b033add Message-Authenticator = 0x94688416253b77d96df25b1c2f7d9a1f # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 29 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXX EAP-Message = 0xXXXXX EAP-Message = 0xxXXXX EAP-Message = 0xXXXXX EAP-Message = 0x0e06035504081307456e676c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfce0cbcff8e5de1e13af06a62b033add Finished request 103. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=30, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020500061500 State = 0xfce0cbcff8e5de1e13af06a62b033add Message-Authenticator = 0x4ab77dde9316429ec01785aea3bf8f23 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 30 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXXX Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfce0cbcff9e6de1e13af06a62b033add Finished request 104. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=31, length=189 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0206000d15001503010002022a State = 0xfce0cbcff9e6de1e13af06a62b033add Message-Authenticator = 0xd3580f9793092740ddc482652114e45a # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 13 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [ttls] eaptls_process returned 4 [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 105 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 105 Sending Access-Reject of id 31 to 172.16.100.254 port 32771 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=31, length=189 Sending duplicate reply to client XYZwifi2 port 32771 - ID: 31 Sending Access-Reject of id 31 to 172.16.100.254 port 32771 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=32, length=166 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0200000801626f62 Message-Authenticator = 0xe1dae59cd99e96df6fa5959228d8ed52 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 8 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry bob at line 1 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 32 to 172.16.100.254 port 32771 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bfbd3351bfade698a8490efd3984a5c Finished request 106. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=33, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020100060315 State = 0x1bfbd3351bfade698a8490efd3984a5c Message-Authenticator = 0x680c5830cb9579e83b610caf7bf1f22d # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated [files] users: Matched entry bob at line 1 ++[files] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 33 to 172.16.100.254 port 32771 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bfbd3351af9c6698a8490efd3984a5c Finished request 107. Going to the next request Waking up in 1.5 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=34, length=409 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0xXXXXXXX State = 0x1bfbd3351af9c6698a8490efd3984a5c Message-Authenticator = 0x0e0248858e573f5236dbc87ccc0ba636 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 2 length 233 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 00de], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 0d03], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 34 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXXXX EAP-Message = 0xXXXXXXX EAP-Message = 0xXXXXXXX EAP-Message = 0xXXXXXXX EAP-Message = 0x54563bfc875ead29ea258ceb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bfbd33519f8c6698a8490efd3984a5c Finished request 108. Going to the next request Waking up in 1.4 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=35, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020300061500 State = 0x1bfbd33519f8c6698a8490efd3984a5c Message-Authenticator = 0x6ef912f386d9451add40ddb6eab06618 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 35 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXXX EAP-Message = 0x010056212ec4da360bb41484 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bfbd33518ffc6698a8490efd3984a5c Finished request 109. Going to the next request Waking up in 1.3 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=36, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020400061500 State = 0x1bfbd33518ffc6698a8490efd3984a5c Message-Authenticator = 0x9c6e329e9225bce68c8aff6c2e6c91a1 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 36 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXXX EAP-Message = 0xXXXXX EAP-Message = 0xXXXXX EAP-Message = 0xXXXXX EAP-Message = 0x0e06035504081307456e676c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bfbd3351ffec6698a8490efd3984a5c Finished request 110. Going to the next request Waking up in 1.3 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=37, length=182 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x020500061500 State = 0x1bfbd3351ffec6698a8490efd3984a5c Message-Authenticator = 0xe496aa258d721f863cba6a3fcf4eb638 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 37 to 172.16.100.254 port 32771 EAP-Message = 0xXXXXXXX EAP-Message = 0xXXXXXXX EAP-Message = 0xXXXXXXX Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bfbd3351efdc6698a8490efd3984a5c Finished request 111. Going to the next request Waking up in 1.3 seconds. rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=38, length=189 User-Name = "bob" NAS-IP-Address = 172.16.100.254 NAS-Identifier = "hello" NAS-Port = 0 Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX" Calling-Station-Id = "10-AE-FF-FF-FF-FF" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x0206000d15001503010002022a State = 0x1bfbd3351efdc6698a8490efd3984a5c Message-Authenticator = 0xfd05c1a5ced3bc05e5a969aad7e6c316 # Executing section authorize from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 13 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert read:fatal:bad certificate TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [ttls] eaptls_process returned 4 [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/freeradius_new/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 112 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 112 Sending Access-Reject of id 38 to 172.16.100.254 port 32771 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=38, length=189 Sending duplicate reply to client XYZwifi2 port 32771 - ID: 38 Sending Access-Reject of id 38 to 172.16.100.254 port 32771 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.3 seconds. Cleaning up request 99 ID 25 with timestamp +564 Cleaning up request 100 ID 26 with timestamp +564 Waking up in 0.1 seconds. Cleaning up request 101 ID 27 with timestamp +564 Cleaning up request 102 ID 28 with timestamp +565 Cleaning up request 103 ID 29 with timestamp +565 Cleaning up request 104 ID 30 with timestamp +565 Waking up in 1.0 seconds. Cleaning up request 105 ID 31 with timestamp +565 Waking up in 2.1 seconds. Cleaning up request 106 ID 32 with timestamp +568 Cleaning up request 107 ID 33 with timestamp +568 Waking up in 0.1 seconds. Cleaning up request 108 ID 34 with timestamp +568 Cleaning up request 109 ID 35 with timestamp +568 Cleaning up request 110 ID 36 with timestamp +568 Cleaning up request 111 ID 37 with timestamp +568 Waking up in 1.0 seconds. Cleaning up request 112 ID 38 with timestamp +568 Ready to process requests.
What's the client? Its not just a case of putting the root/intermediate CA onto the client. .. its WHERE you put it on the client and trust settings for the certs. You need to ensure that the server cert has required extensions in it (some new clients are even fussier eg windows phone which needs CRLDP too!) . You also need to make sure your freeradius server is actually serving out the server/root certs that you think it is and that the certs are still valid (!) What happens if you run the tests locally with eapol_test (from wpa_supplicant package) using config that can be adapted from the conf files available in the src/tests directory of the freeradius source code? alan
On 01/03/14 09:08, Ben wrote:
Hi all,
In my quest to get TTLS working I'm making slow and painful progress.
I've now reached this stage, I can see what Freeradius is complaining
Note: FreeRADIUS isn't complaining. It's printing an error that the client sent it, "bad certificate". Subtle but important.
about but don't know how to fix it. I've tried putting the root cert on the client, the intermediate cert on the client, the chain of intermediate+root on the client... nothing works !!!!
What certificate am I supposed to be putting on the client to get TTLS working ?????
The CA root, if it isn't already present. You also need to ensure that the "certificate_file" option under the eap{} module contains the server and all intermediate certs (you don't need to put the root on there). If you've done that, then either there's something wrong with the certs, or something wrong with the client. Since it's the client complaining, you'll need to debug the client. What is the client?
The CA root, if it isn't already present.
Have already tried that, as mentioned. Hence my approaching the list for further advice.
You also need to ensure that the "certificate_file" option under the eap{} module contains the server and all intermediate certs (you don't need to put the root on there).
Will go double check....
If you've done that, then either there's something wrong with the certs, or something wrong with the client. Since it's the client complaining, you'll need to debug the client.
There's nothing wrong with the certs, they work perfectly well with EAP-TLS. If you've got ideas for debugging an Amazon Paperwhite, I'd love to hear them !
What is the client?
Amazon Paperwhite. I'm broadly trying to follow the hints here (https://tribut.de/blog/amazon-kindle-and-eduroam/) although this isn't being connected to Eduroam.
There's nothing wrong with the certs, they work perfectly well with EAP-TLS.
If you've got ideas for debugging an Amazon Paperwhite, I'd love to hear them !
a brick. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
Ben wrote:
There's nothing wrong with the certs, they work perfectly well with EAP-TLS.
That doesn't necessarily mean anything. Some vendors have completely different implementations for the various EAP methods. If they were sane, they would all just use wpa_supplicant, which is BSD licensed. It's about as perfect as software gets.
If you've got ideas for debugging an Amazon Paperwhite, I'd love to hear them !
Change the certs. Make test certs. SIMPLE ones. Small keys. See if that works. The problem may be that the device doesn't like the certs. I've seen that before. The vendor tests with *their* idea of the certs, and "it works, so ship it". Then people use different certs, and nothing works. But as always, don't blame FR. It's just passing SSL stuff between the device and OpenSSL. If the SSL magic doesn't work, then (a) the client is broken, or (b) OpenSSL is broken. Alan DeKok.
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Ben -
Phil Mayers