problems with EAP-TTLS with Intermec GUN 2415
Hi I'm trying to setup a freeradius server, to be able to authenticate some handheld devices (Intermec 2415). The auth protocol supported by the handheld is EAP-TTLS. I've Debian Sarge, and I compiled my self freeradius 1.0.5 with openssl-0.9.7e. (my compilation options ./configure --with-openssl-includes=/usr/include --with-openssl-libraries=/usr/lib/ssl -disable-shared -sysconfdir=/etc --prefix=/usr/local ) I got the certificates from Intermec for the server and the cacert. I cannot authenticate with the radius, I got this error when the handheld try to auth : Wed Feb 15 15:27:42 2006 : Info: Ready to process requests. Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message However, if I enable the radius inside the access point, the handheld can authenticate. This tells me that the handheld has been configured properly. What is missing in my freeradius config ? Thanks in advance Johan The detailed debug log (radiusd -X) Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAPv2" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/intermec/server.pem" tls: certificate_file = "/etc/raddb/certs/intermec/server.pem" tls: CA_file = "/etc/raddb/certs/intermec/cacert.cer" tls: private_key_password = "BigSecretPass" tls: dh_file = "/dev/null" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "mschapv2" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.1:1024, id=6, length=134 User-Name = "anonymous" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "00-10-40-01-90-09" NAS-Identifier = "31100100221" NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Calling-Station-Id = "00-02-2d-3c-ef-79" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x61efabf1e39ae3a5983e1b7c7ed39037 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 6 to 192.168.0.1:1024 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8101bb02421a224e415fb643fd5a5a70 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 6 with timestamp 43f489f3 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.0.1:1024, id=7, length=210 State = 0x8101bb02421a224e415fb643fd5a5a70 User-Name = "anonymous" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "00-10-40-01-90-09" NAS-Identifier = "31100100221" NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Calling-Station-Id = "00-02-2d-3c-ef-79" EAP-Message = 0x020100481500160301003d01000039030143ea8be941bd45d21f3b9c251cd225b597150a6d8b46a8ff186ca6f97e3436e5000012000a000500040064006200600009000800030100 Message-Authenticator = 0xd071d95101e82c9471633db7d877d373 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216 modcall[authorize]: module "auth_log" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 72 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 003d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0446], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 7 to 192.168.0.1:1024 EAP-Message = 0x0102040a15c0000004a3160301004a02000046030143f489f93df161b2e89390e55fd234535674a79034f30794cb9c234a4c5f40ca20390aa743f1124ba1362817c3efd596cb723cf00ba4e087e110a48a95aae24e27000a0016030104460b00044200043f00043c30820438308203a1a003020102020200d7300d06092a864886f70d01010505003081af310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b131453656375726974 EAP-Message = 0x7920456e67696e656572696e67312e302c060355040313254576657265747420496e7465726d65646961746520526f6f74204365727469666963617465301e170d3034313133303134313230355a170d3231313132363134313230355a308190310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b1314536563757269747920456e67696e656572696e67310f300d0603550403130644372d49544330819f300d06092a864886f70d EAP-Message = 0x010101050003818d0030818902818100b211bc2380c6c9f07cc6f8e450d301f97eb9b5085f2d7b3d37e6f33e320f7c4becd44eb3e60d62b4e7bb9f9337c37e5840213d1f123937e45b061a14191891e9363386d4f014d4abecbaed6746e8dc9a125c2b3279547d975a033bf39aaa79ca2558b0d498db180620cdcde2f0b8cfa500e52c5c1378c0a6ff514531e9b2716d0203010001a382017e3082017a30090603551d1304023000300b0603551d0f0404030205e030270603551d250420301e06082b0601050507030306082b0601050507030206082b06010505070301302c06096086480186f842010d041f161d4f70656e53534c2047656e657261 EAP-Message = 0x746564204365727469666963617465301d0603551d0e04160414b7bbf4e9358908fc1b817d12dfb865725d5624053081e90603551d230481e13081de801427af545487c3c798e81afe4597a2b63ac07881f5a181c2a481bf3081bc310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b1314536563757269747920456e67696e656572696e67313b303906035504031332496e7465726d656320546563686e6f6c6f6769657320436f EAP-Message = 0x72706f726174696f6e20526f6f742043657274696669 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd25d03bb73b96d7b492916c20bbf44c2 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.1:1024, id=8, length=144 State = 0xd25d03bb73b96d7b492916c20bbf44c2 User-Name = "anonymous" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "00-10-40-01-90-09" NAS-Identifier = "31100100221" NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Calling-Station-Id = "00-02-2d-3c-ef-79" EAP-Message = 0x020200061500 Message-Authenticator = 0x32438ef113d8e8232b1ad69ffa9ef400 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216 modcall[authorize]: module "auth_log" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 8 to 192.168.0.1:1024 EAP-Message = 0x010300ad1580000004a363617465820101300d06092a864886f70d01010505000381810017814c3dc897e685aee5e734509712728a2cf5d4cce575147bcc0f974af3477fbd8d202d1f173ac76c03925e6870be35567d27e84d8096458dad6b99cdcf66e6d5967e920a64e0a4dacb6cee087b3768725bae1784d29ad41311bfb9e4dc8ade93390fe481def6c25a60c3c3d1e883e024d279fc6cbbe3723af4a76cfc0c9d6c16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c3b86d02966b223e117138d5c1d946e Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 7 with timestamp 43f489f9 Cleaning up request 2 ID 8 with timestamp 43f489f9 Nothing to do. Sleeping until we see a request. My eap.conf eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { #challenge = "Password: " #auth_type = PAP } tls { private_key_password = BigSecretPassword private_key_file = ${raddbdir}/certs/intermec/server.pem certificate_file = ${raddbdir}/certs/intermec/server.pem CA_file = ${raddbdir}/certs/intermec/cacert.cer dh_file = /dev/null random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no #check_cert_cn = %{User-Name} } ttls { default_eap_type = mschapv2 #default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no } Users gun Auth-Type := EAP, User-Password := "gun123"
Johan Arens <johan.arens@gmail.com> wrote:
I cannot authenticate with the radius, I got this error when the handheld try to auth :
Wed Feb 15 15:27:42 2006 : Info: Ready to process requests. Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
That error doesn't affect anything. The problem is something else. Stop reading the log file, and run the server in debugging mode. Alan DeKok.
I was on the impression that radiusd -X would produce the debug log, I pasted it in the previous mail. On 2/16/06, Alan DeKok <aland@ox.org> wrote:
Johan Arens <johan.arens@gmail.com> wrote:
I cannot authenticate with the radius, I got this error when the handheld try to auth :
Wed Feb 15 15:27:42 2006 : Info: Ready to process requests. Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
That error doesn't affect anything.
The problem is something else.
Stop reading the log file, and run the server in debugging mode.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Johan Arens <johan.arens@gmail.com> wrote:
I was on the impression that radiusd -X would produce the debug log, I pasted it in the previous mail.
<shrug> The message I responded to did not have the debug log. If you're not going to supply it, then good luck solving the problem. I wish you the best. Alan DeKok.
The debug log has been attached at the end of my first message. On 2/16/06, Alan DeKok <aland@ox.org> wrote:
Johan Arens <johan.arens@gmail.com> wrote:
I was on the impression that radiusd -X would produce the debug log, I pasted it in the previous mail.
<shrug> The message I responded to did not have the debug log.
If you're not going to supply it, then good luck solving the problem. I wish you the best.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Johan Arens wrote:
Hi
I cannot authenticate with the radius, I got this error when the handheld try to auth :
Wed Feb 15 15:27:42 2006 : Info: Ready to process requests. Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message
That is not a significant error - it's just noise, ignore it.
However, if I enable the radius inside the access point, the handheld can authenticate. This tells me that the handheld has been configured properly.
What is missing in my freeradius config ?
Probably nothing. The last thing the server does is:
modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 8 to 192.168.0.1:1024 EAP-Message = snip Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c3b86d02966b223e117138d5c1d946e Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 7 with timestamp 43f489f9 Cleaning up request 2 ID 8 with timestamp 43f489f9 Nothing to do. Sleeping until we see a request.
The supplicant or the AP stops sending EAP messages. Up to that point as far as FreeRadius is concerned it's all fine. Consult the logs on the supplicant or AP to determine why.
Users
gun Auth-Type := EAP, User-Password := "gun123"
Note, although it is not likely to be causing your current problems, it is ALMOST ALWAYS a bad idea to set Auth-Type to EAP. The default config is very specific on this. It will certainly fail later on when the inner request of the TTLS is handled and EAP gets forced for that username when in fact you want PAP or something.
Hi
To reply to Alan Dekok here is the debug log
Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = yes main: log_file = "/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAPv2" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/intermec/server.pem" tls: certificate_file = "/etc/raddb/certs/intermec/server.pem" tls: CA_file = "/etc/raddb/certs/intermec/cacert.cer" tls: private_key_password = "BigSecretPass" tls: dh_file = "/dev/null" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "mschapv2" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.1:1024, id=6, length=134 User-Name = "anonymous" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "00-10-40-01-90-09" NAS-Identifier = "31100100221" NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Calling-Station-Id = "00-02-2d-3c-ef-79" EAP-Message = 0x0200000e01616e6f6e796d6f7573 Message-Authenticator = 0x61efabf1e39ae3a5983e1b7c7ed39037 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216 modcall[authorize]: module "auth_log" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall[authorize]: module "files" returns notfound for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 6 to 192.168.0.1:1024 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8101bb02421a224e415fb643fd5a5a70 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 6 with timestamp 43f489f3 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.0.1:1024, id=7, length=210 State = 0x8101bb02421a224e415fb643fd5a5a70 User-Name = "anonymous" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "00-10-40-01-90-09" NAS-Identifier = "31100100221" NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Calling-Station-Id = "00-02-2d-3c-ef-79" EAP-Message = 0x020100481500160301003d01000039030143ea8be941bd45d21f3b9c251cd225b597150a6d8b46a8ff186ca6f97e3436e5000012000a000500040064006200600009000800030100 Message-Authenticator = 0xd071d95101e82c9471633db7d877d373 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216 modcall[authorize]: module "auth_log" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 72 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall[authorize]: module "files" returns notfound for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 003d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0446], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 7 to 192.168.0.1:1024 EAP-Message = 0x0102040a15c0000004a3160301004a02000046030143f489f93df161b2e89390e55fd234535674a79034f30794cb9c234a4c5f40ca20390aa743f1124ba1362817c3efd596cb723cf00ba4e087e110a48a95aae24e27000a0016030104460b00044200043f00043c30820438308203a1a003020102020200d7300d06092a864886f70d01010505003081af310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b131453656375726974
EAP-Message = 0x7920456e67696e656572696e67312e302c060355040313254576657265747420496e7465726d65646961746520526f6f74204365727469666963617465301e170d3034313133303134313230355a170d3231313132363134313230355a308190310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b1314536563757269747920456e67696e656572696e67310f300d0603550403130644372d49544330819f300d06092a864886f70d
EAP-Message = 0x010101050003818d0030818902818100b211bc2380c6c9f07cc6f8e450d301f97eb9b5085f2d7b3d37e6f33e320f7c4becd44eb3e60d62b4e7bb9f9337c37e5840213d1f123937e45b061a14191891e9363386d4f014d4abecbaed6746e8dc9a125c2b3279547d975a033bf39aaa79ca2558b0d498db180620cdcde2f0b8cfa500e52c5c1378c0a6ff514531e9b2716d0203010001a382017e3082017a30090603551d1304023000300b0603551d0f0404030205e030270603551d250420301e06082b0601050507030306082b0601050507030206082b06010505070301302c06096086480186f842010d041f161d4f70656e53534c2047656e657261
EAP-Message = 0x746564204365727469666963617465301d0603551d0e04160414b7bbf4e9358908fc1b817d12dfb865725d5624053081e90603551d230481e13081de801427af545487c3c798e81afe4597a2b63ac07881f5a181c2a481bf3081bc310b3009060355040613025553311330110603550408130a57617368696e67746f6e3110300e0603550407130745766572657474312a3028060355040a1321496e7465726d656320546563686e6f6c6f6769657320436f72706f726174696f6e311d301b060355040b1314536563757269747920456e67696e656572696e67313b303906035504031332496e7465726d656320546563686e6f6c6f6769657320436f
EAP-Message = 0x72706f726174696f6e20526f6f742043657274696669 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd25d03bb73b96d7b492916c20bbf44c2 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.0.1:1024, id=8, length=144 State = 0xd25d03bb73b96d7b492916c20bbf44c2 User-Name = "anonymous" NAS-IP-Address = 192.168.0.1 Called-Station-Id = "00-10-40-01-90-09" NAS-Identifier = "31100100221" NAS-Port-Type = Wireless-802.11 Framed-MTU = 1400 Calling-Station-Id = "00-02-2d-3c-ef-79" EAP-Message = 0x020200061500 Message-Authenticator = 0x32438ef113d8e8232b1ad69ffa9ef400 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 radius_xlat: '/var/log/radius/radacct/192.168.0.1/auth-detail-20060216' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.1/auth-detail-20060216 modcall[authorize]: module "auth_log" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall[authorize]: module "files" returns notfound for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 8 to 192.168.0.1:1024 EAP-Message = 0x010300ad1580000004a363617465820101300d06092a864886f70d01010505000381810017814c3dc897e685aee5e734509712728a2cf5d4cce575147bcc0f974af3477fbd8d202d1f173ac76c03925e6870be35567d27e84d8096458dad6b99cdcf66e6d5967e920a64e0a4dacb6cee087b3768725bae1784d29ad41311bfb9e4dc8ade93390fe481def6c25a60c3c3d1e883e024d279fc6cbbe3723af4a76cfc0c9d6c16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8c3b86d02966b223e117138d5c1d946e Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 7 with timestamp 43f489f9 Cleaning up request 2 ID 8 with timestamp 43f489f9 Nothing to do. Sleeping until we see a request.
My eap.conf
eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no
md5 { }
leap { }
gtc { #challenge = "Password: " #auth_type = PAP }
tls { private_key_password = BigSecretPassword private_key_file = ${raddbdir}/certs/intermec/server.pem certificate_file = ${raddbdir}/certs/intermec/server.pem CA_file = ${raddbdir}/certs/intermec/cacert.cer dh_file = /dev/null random_file = /dev/urandom fragment_size = 1024 include_length = yes check_crl = no #check_cert_cn = %{User-Name} } ttls { default_eap_type = mschapv2 #default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no }
Users
gun Auth-Type := EAP, User-Password := "gun123"
Johan Arens <johan.arens@gmail.com> wrote:
To reply to Alan Dekok here is the debug log
See Phil's comments. In short, the debug log you posted shows nothing going wrong. However, the EAP conversation stops. Since RADIUS is completely driven by packets sent from the client, the only reason for the EAP conversation to stop is because the client stopped sending packets. What can you do to FreeRADIUS to make the client send packets? Nothing. Alan DeKok.
Well thanks for the answers. What is puzzled me, is the error message error reading client certificate, it's like freeradius is waiting the client send it's certificate. However with TTLS, the client doen't have a client certificate. It only has a copy of the root certificate. I'm going to setup a wpa_supplicant with a linux client to try to make it work. Thanks for your time Johan On 2/17/06, Alan DeKok <aland@ox.org> wrote:
Johan Arens <johan.arens@gmail.com> wrote:
To reply to Alan Dekok here is the debug log
See Phil's comments.
In short, the debug log you posted shows nothing going wrong. However, the EAP conversation stops.
Since RADIUS is completely driven by packets sent from the client, the only reason for the EAP conversation to stop is because the client stopped sending packets.
What can you do to FreeRADIUS to make the client send packets? Nothing.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Johan Arens wrote:
Well thanks for the answers.
What is puzzled me, is the error message error reading client certificate, it's like freeradius is waiting the client send it's certificate.
Yes, it's a misleading error message, but trust me it's meaningless. Lots of people get it. My working PEAP server gets it.
However with TTLS, the client doen't have a client certificate. It only
Indeed. However you can still ask the TLS connection for it, you just don't get it AND it's not a problem. You're seeing the error because the code is generalised between the TLS and TTLS paths (I think - or maybe it was copy'n'pasted)
has a copy of the root certificate. I'm going to setup a wpa_supplicant with a linux client to try to make it work.
FWIW the "eapol_test" program that comes with wpa_supplicant is also very useful for verifying you've got the radius bit working without having to fiddle with APs.
Johan Arens <johan.arens@gmail.com> wrote:
What is puzzled me, is the error message error reading client certificate, it's like freeradius is waiting the client send it's certificate. However with TTLS, the client doen't have a client certificate.
TTLS has the *option* of using a client certificate. Since OpenSSL is such a wonderful piece of software, it prints "error" when it can't get a client cert, even when the cert is optional. Alan DeKok.
participants (3)
-
Alan DeKok -
Johan Arens -
Phil Mayers