wpa_supplicant(eapol_test) with freeradius: error coming in TLS
Hi I am trying to use EAP-TLS between wpa_supplicant and freeradius. I created the certificates (ca/server/client) as mentioned in freeradius-server-2.0.5/raddb/certs/README. In freeradius-server-2.0.5/raddb/users, following line is added at end: testuser Cleartext-Password := "password" On wpa_supplicant-0.5.10, created eapol_test.conf.tls with following contents: network={ eap=TLS eapol_flags=0 key_mgmt=IEEE8021X identity="testuser" ca_cert="/usr/local/etc/raddb/certs/ca.pem" client_cert="/usr/local/etc/raddb/certs/testuser@example.com.pem" private_key="/usr/local/etc/raddb/certs/client.key" private_key_passwd="whatever" } Executed wpa_supplicant (eapol_test) with following command (wpa_supplicant side logs are after radius logs at end): eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1 On executing /usr/local/sbin/radiusd -X, I get following log and error too: rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000d017465737475736572 Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 0 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 0 to 127.0.0.1 port 32770 EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x267673582677771a69809cb3876d58ea Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02010006030d State = 0x267673582677771a69809cb3876d58ea Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 1 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/tls rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 127.0.0.1 port 32770 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2676735827747e1a69809cb3876d58ea Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202006b0d0016030100600100005c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca 77a38aaea1b9788b532d00003400390038003500160013000a00330032002f006600050004006300 62006100150012000900650064006000140011000800060003020100 State = 0x2676735827747e1a69809cb3876d58ea Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 107 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 127.0.0.1 port 32770 EAP-Message = 0x010304000dc000000b70160301004a0200004603014874ff7af840e0ce0c0562387841cbf363e6 be64f8dd2def0915579fb271a7d320bc89e200ccdb1ad9ae9498442013c69878623fb1e470357891 b9df6651cbf029003901160301085e0b00085a0008570003a6308203a23082028aa0030201020201 01300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d06035504 0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c 4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d70 6c652e636f6d3126302406035504 EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d303830 3730393138313131375a170d3039303730393138313131375a307c310b3009060355040613024652 310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e 312330210603550403131a4578616d706c6520536572766572204365727469666963617465312030 1e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a 864886f70d01010105000382010f003082010a0282010100c296eb2d169b654435a174fd8ead1b26 d65b1298d9a7bcc561a051d2b667 EAP-Message = 0x28a6c693620ce3c06c032ebe4dbeedff9020f24d06430433091b7e9762575c12fdb988ad5d6dfe e570df9a0aa1ce55de2d308c162bbcf917c8441071ea895cfb102721f2a5059f402317457a104650 b4fea1975e04fb83fc4d0a2cf72167830d5281398c981ac2f27370a34aa49b07e007fa955ebf187a 8fd476174e7493ffa02bf466b07846382b4eaf03551fef5ca60ab3fc3aa19983aeb5015147ed3317 f659f0355a43091eb19ab0c4a8d07651627d1fad596cc5ee44fa2ccfcd92d6c63d778a9d958a6ca4 a02409c546d3b8400928e1b635c26ef5ab7fc54b68b8aa2e98b2830203010001a317301530130603 551d25040c300a06082b06010505 EAP-Message = 0x070301300d06092a864886f70d01010405000382010100095935837d63c395fca941ae947c03fa c66f843b37c9969c2f46cb8b26348bfbd6348ac0d13b6a752886f1e83579122942dd8d0ab6b27578 49735dccfd82d06d3a07d1a2de3097c76cbb431042062e26df240d5d40ada6bc999bade14ebc0661 362f9a7f8644943e78a29e329c67ec32cf393205408021e56e461ce3320127b27df474f4c37be7cc cf46754c32ee8243500a194759ba6c5b2fcd563117b2ea94b9c63eb1678ff836afd92118a98b93fc 51992e9de619a9c7576fe3cae6a1e9988a2b10b0685ca7e58e5b100ec0817d511f34f59f794bcde2 5c247259a57ab8b1d686fce7c7cd EAP-Message = 0x3f8d16472d4a3eb1ee492fd3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2676735824757e1a69809cb3876d58ea Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=3, length=135 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0x2676735824757e1a69809cb3876d58ea Message-Authenticator = 0x86f3e31b265162f7716d461a9aae98f2 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 127.0.0.1 port 32770 EAP-Message = 0x010404000dc000000b70bf312a81c68194ac03b073abf2410004ab308204a73082038fa0030201 02020900ac4ad85feeea230a300d06092a864886f70d0101050500308193310b3009060355040613 024652310f300d060355040813065261646975733112301006035504071309536f6d657768657265 31153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d0109011611 61646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043657274 6966696361746520417574686f72697479301e170d3038303730393138313131325a170d30383038 30383138313131325a308193310b EAP-Message = 0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309 536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a86 4886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d457861 6d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d 01010105000382010f003082010a0282010100ccff47e75ebf3d06a9472810c0352b254cca71cbb5 2cb8202d29ae967c715640e4d2b6c3e60641c4d54fdc03fe6ebdfb1953dc1b8c1f44202cf488249d 37f2b7902efdf546fabb283a9653 EAP-Message = 0xfa065f9b063843f36456ac437df7cefeaad4d44004939d63ae9c4df03f1b856d8340ab4e6317a1 11aecfd860639f0056069404c4d2f9f10e9048b10f4bd65dfe2a61470543b7b323895dfbb54053f8 4cb0417f5eafdf8aa236a2afea06047be624e1f7b85e757be3749e6946439ad4e85de0d4f66f35e1 a4ee8258727033035877b43232c0697a2baf3d09e8aa337366b1cbbccf72a509b977d426d546c7b1 65f873308f0a6964f430ee01b74cc0a561d9869fd84f0203010001a381fb3081f8301d0603551d0e 041604141c71c3ab8dbd86f36bbf4b24d5b72d291bc88aaf3081c80603551d230481c03081bd8014 1c71c3ab8dbd86f36bbf4b24d5b7 EAP-Message = 0x2d291bc88aafa18199a48196308193310b3009060355040613024652310f300d06035504081306 5261646975733112301006035504071309536f6d65776865726531153013060355040a130c457861 6d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e 636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72 697479820900ac4ad85feeea230a300c0603551d13040530030101ff300d06092a864886f70d0101 05050003820101005925971768cfc1bb8f4b1dd4b9d0abd84cca91dc19d344451da159ae0925f192 4022b20ea548d56947a26c987dc0 EAP-Message = 0xfb36d1078bef2f36de91d2b5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2676735825727e1a69809cb3876d58ea Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=4, length=135 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400060d00 State = 0x2676735825727e1a69809cb3876d58ea Message-Authenticator = 0xd88cda63a2776910572007659978dff0 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 127.0.0.1 port 32770 EAP-Message = 0x0105038e0d8000000b7083ce8bd2a2e5a3df721979638d83518a19e079bf804773b82753a039b6 b053a357acb9d1954ecb25330390d4d54583a6fdeb74f039f492238f8d93bdc53d3acc2366af2771 253c218dbc3a006b911f1e4bb6fd491b99ed05b1520cf14d08d12119b177f754cae89d065edb4868 0f35d8df3c0e7fcec9c6e84d52a1136f7a56a90f539addc1ad3c44e25de731f0443844dbfe83d043 2ad61f7ed89184a407e0b41a9ffbc0389637071d937e63e136311e467b914839fd7382c216734b1d e93368e4fb6b2303f4160301020d0c0002090080b3afe7fd33f61741e813a2a82d3e2e44f4e3a6cb a8ba274ff2a14cdee764e7ec4e45 EAP-Message = 0x4df9c4b18aa0bb45b4dcbe5022790ed79559ec10e6b017165192ca92ee664df49dd6de389d1eba 0400804b550239ffca80cdd27f3cc0ce1fc851463b672a8e260e415d3d3a40e8ae5102105bddc30b 8c1a3031af0bc0a78b4ea69f5e66630001020080a0cc4357af8865d129c3e7c20c4283e7a4a4c522 e23e0f3cb9b462c2923ea92c3a2781665e6d1fe4096f9832e39c33424106d2429f569da06ac67c9b 0800351a1b7c512cd541edf0a135330412dbccd37885e35ce75111476fe045e0a85c70abf40a3008 9c4d4302179e1f084bffe853b1845c99010515a1970a03a87449615a010060149cd09ea980ec82c5 5cfe09857dbb7c5811f45c64e0fe EAP-Message = 0x9d59d03e704806e99f1cb29f0286c1015c81d7824e617a53bd69dacefe51425fec76315ad4861b 81d8aff93491a3b7a18988a9a9ee16acba071272b143c7bb8106d29ac8e6087a066498b3f47cf216 fb2a96f19d7ccd8459646ed27ce02852c2c402000778e68ec419b9f14059fea1eaaad700a5c1d71f 8ba516d820a6b0520e9a808736de80b97588f6b72b6b405b1f8a5a8779e01cd882c352aabb41e4a6 0fd2e4c64382e2a12deb09e8fb2caaa26a86aec4606044a283b9d20b0bf2637a953e8716d0b90958 aebeb9995898714edb927fb52e51c4a1a2ff1157ae26402265dbbbb03f99e23f2416030100a70d00 009f040304010200980096308193 EAP-Message = 0x310b3009060355040613024652310f300d06035504081306526164697573311230100603550407 1309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e0609 2a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d45 78616d706c6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2676735822737e1a69809cb3876d58ea Finished request 4. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=5, length=1532 User-Name = "testuser" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020505710d0016030103950b00039100038e00038b308203873082026fa003020102020102300d 06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652 616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a45 78616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901 161161646d696e406578616d706c652e636f6d301e170d3038303730393138313132345a170d3039 303730393138313132345a3079310b3009060355040613024652310f300d06035504081306526164 69757331153013060355040a130c EAP-Message = 0x4578616d706c6520496e632e311d301b060355040314147465737475736572406578616d706c65 2e636f6d3123302106092a864886f70d01090116147465737475736572406578616d706c652e636f 6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b510efbf58ad 201585beac3f327bba71b761612df254a3e44ffe4f5a182852e2a64d11912ca27013be01dae059ef 3d8a9b2ca7a81c9da01b2291b6e38f07339c7668c6b7ce6c936bef181c33c16d5c34e17b0c878648 bb73199645bb81febb577aff69f4881080ea593f31b5efcccebd3772dda5666a5e139a38e89b9ca1 3712462098dbfc5c526253985609 EAP-Message = 0x583e54d9d74b9b263cda9647c523d9922c1992736d176c3b869b373a9824a8c046dfd49118a90d 5c8e9504cae9209d8254c31f98c3979a307f0515e88e820c29c9092c0de6c9af76c9a1bc8eee37ae a8d047bf8c1af257f42b550932995e5083364a7e185a62de08976e2ca45d334231109eeaf7020301 0001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104 0500038201010085cf673c6dd1deb8648e0589573c0e55e286ba9f3ef23a3882fbe024a5c54aeef5 10e96f36291f0172deb8bcf2b8ce9e6517a143c658e8fb24c80a7936138c5e6f7dda3ca8b33e4600 a1cb92c2f079793304c0ddc296c4 EAP-Message = 0x015d6d73cdae8f32eea68667d9cf33a6ad8c5e38a0ffbda541b5b789ffd0cd2b4de23592384ee2 3e154ea629f1a3743fcba443f8e6d355411d310f787d6551c413af2eccfabc2b28e9e786fd78cb32 50a0ca2cd0adf11d8045d03ea0cca6b28d5c498c0965a238b05ccf7cadc3946ee0c42d65594ca337 8ecd205c74b42b5f9c060287639e4cf76f5003ec0d3723abd391f4693556553f5aaac2684a2bb808 e2a2cf16b425c9736e1c16030100861000008200803d7d38a765634fe46cd97911bbb0826fd6bb31 7dc04dbb7ca60c2d352f4a9be2f147f261ccf2d7c5e05b85783810260ddaed3c3772fcceab264dd8 daf8a4467e6a6729a7152dabe5a4 EAP-Message = 0x4c2375c148a15096de5c28842d80507318656b36edc71772326fd6fddbc6dbb9d5476332d561de 95d1a40b59779113ada15e6b466977eb16030101060f00010201003fcdbdf9a53a3f14ce87dbc345 68e1cc53d78b24457c12a7be38fc6e07932f6a253fc07cf73579bc7dbb98eeaf91076ba912ff6fe2 f6bfc1d2803974757922cd8fa5142f870aae126053adf7b4c7456bb431a174446775b7e9f78fcfb0 925edee9a12cf5a76fc6ef7fdf983adeb3ec234d89af9e7298602df31a4febaa1c9aa039c3142ec5 7416c3771b1ae8934b1444dda9e28b932ae8ff1a22aae98ceb9f2d7a9caac9efb16c01a4cd3dadda 86513428a3bd3a11b262eaa750dc EAP-Message = 0xd50749f461997927394171b785ff74c98d883674fc8035287993a279f1ffa72b9c4cbc6b96fcaa d6e5daaca7bd9aca988c6a8b3c487bd1e5cc73dd3c3c59f8ec39549ebeb614030100010116030100 30f1c1d6ee34104fca2869c989529493079d85690315b83299b5d9567823fea467b507af2267dd69 305c7d35d7809adf12 State = 0x2676735822737e1a69809cb3876d58ea Message-Authenticator = 0xcc6ace4662072c78666cb7d873d7a354 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate --> verify error:num=20:unable to get local issuer certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler ++[eap] returns reject auth: Failed to validate the user. Found Post-Auth-Type Reject +- entering group REJECT expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 5 to 127.0.0.1 port 32770 EAP-Message = 0x04050004 Message-Authenticator = 0x00000000000000000000000000000000 Finished request 5. Going to the next request Waking up in 4.4 seconds. Cleaning up request 0 ID 0 with timestamp +4 Cleaning up request 1 ID 1 with timestamp +4 Cleaning up request 2 ID 2 with timestamp +4 Cleaning up request 3 ID 3 with timestamp +4 Waking up in 0.1 seconds. Cleaning up request 4 ID 4 with timestamp +4 Waking up in 0.2 seconds. Cleaning up request 5 ID 5 with timestamp +5 Ready to process requests. ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ wpa_supplicant logs (copying only FAILURE logs seen at end) ++++++++++++++++++++++++++++++++++++++++++++++++++++++ EAPOL: SUPP_BE entering state RECEIVE Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=5 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 05 00 04 Attribute 80 (Message-Authenticator) length=18 Value: 7a 61 25 5b 8e cd 44 3b 18 b1 af e3 82 fd 32 5d STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 2 FAILURE Regards, Gaurav Kansal
Gaurav Kansal escribió:
Hi
I am trying to use EAP-TLS between wpa_supplicant and freeradius. I created the certificates (ca/server/client) as mentioned in freeradius-server-2.0.5/raddb/certs/README. In freeradius-server-2.0.5/raddb/users, following line is added at end: testuser Cleartext-Password := "password"
On wpa_supplicant-0.5.10, created eapol_test.conf.tls with following contents:
network={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="testuser"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/testuser@example.com.pem"
private_key="/usr/local/etc/raddb/certs/client.key"
private_key_passwd="whatever"
}
Executed wpa_supplicant (eapol_test) with following command (wpa_supplicant side logs are after radius logs at end):
eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1
On executing /usr/local/sbin/radiusd -X, I get following log and error too:
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x267673582677771a69809cb3876d58ea
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02010006030d
State = 0x267673582677771a69809cb3876d58ea
Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735827747e1a69809cb3876d58ea
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0202006b0d0016030100600100005c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d00003400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
State = 0x2676735827747e1a69809cb3876d58ea
Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a7], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 32770
EAP-Message = 0x010304000dc000000b70160301004a0200004603014874ff7af840e0ce0c0562387841cbf363e6be64f8dd2def0915579fb271a7d320bc89e200ccdb1ad9ae9498442013c69878623fb1e470357891b9df6651cbf029003901160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126302406035504
EAP-Message = 0x03131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303730393138313131375a170d3039303730393138313131375a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c296eb2d169b654435a174fd8ead1b26d65b1298d9a7bcc561a051d2b667
EAP-Message = 0x28a6c693620ce3c06c032ebe4dbeedff9020f24d06430433091b7e9762575c12fdb988ad5d6dfee570df9a0aa1ce55de2d308c162bbcf917c8441071ea895cfb102721f2a5059f402317457a104650b4fea1975e04fb83fc4d0a2cf72167830d5281398c981ac2f27370a34aa49b07e007fa955ebf187a8fd476174e7493ffa02bf466b07846382b4eaf03551fef5ca60ab3fc3aa19983aeb5015147ed3317f659f0355a43091eb19ab0c4a8d07651627d1fad596cc5ee44fa2ccfcd92d6c63d778a9d958a6ca4a02409c546d3b8400928e1b635c26ef5ab7fc54b68b8aa2e98b2830203010001a317301530130603551d25040c300a06082b06010505
EAP-Message = 0x070301300d06092a864886f70d01010405000382010100095935837d63c395fca941ae947c03fac66f843b37c9969c2f46cb8b26348bfbd6348ac0d13b6a752886f1e83579122942dd8d0ab6b2757849735dccfd82d06d3a07d1a2de3097c76cbb431042062e26df240d5d40ada6bc999bade14ebc0661362f9a7f8644943e78a29e329c67ec32cf393205408021e56e461ce3320127b27df474f4c37be7cccf46754c32ee8243500a194759ba6c5b2fcd563117b2ea94b9c63eb1678ff836afd92118a98b93fc51992e9de619a9c7576fe3cae6a1e9988a2b10b0685ca7e58e5b100ec0817d511f34f59f794bcde25c247259a57ab8b1d686fce7c7cd
EAP-Message = 0x3f8d16472d4a3eb1ee492fd3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735824757e1a69809cb3876d58ea
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=3, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0x2676735824757e1a69809cb3876d58ea
Message-Authenticator = 0x86f3e31b265162f7716d461a9aae98f2
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 32770
EAP-Message = 0x010404000dc000000b70bf312a81c68194ac03b073abf2410004ab308204a73082038fa003020102020900ac4ad85feeea230a300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3038303730393138313131325a170d3038303830383138313131325a308193310b
EAP-Message = 0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ccff47e75ebf3d06a9472810c0352b254cca71cbb52cb8202d29ae967c715640e4d2b6c3e60641c4d54fdc03fe6ebdfb1953dc1b8c1f44202cf488249d37f2b7902efdf546fabb283a9653
EAP-Message = 0xfa065f9b063843f36456ac437df7cefeaad4d44004939d63ae9c4df03f1b856d8340ab4e6317a111aecfd860639f0056069404c4d2f9f10e9048b10f4bd65dfe2a61470543b7b323895dfbb54053f84cb0417f5eafdf8aa236a2afea06047be624e1f7b85e757be3749e6946439ad4e85de0d4f66f35e1a4ee8258727033035877b43232c0697a2baf3d09e8aa337366b1cbbccf72a509b977d426d546c7b165f873308f0a6964f430ee01b74cc0a561d9869fd84f0203010001a381fb3081f8301d0603551d0e041604141c71c3ab8dbd86f36bbf4b24d5b72d291bc88aaf3081c80603551d230481c03081bd80141c71c3ab8dbd86f36bbf4b24d5b7
EAP-Message = 0x2d291bc88aafa18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ac4ad85feeea230a300c0603551d13040530030101ff300d06092a864886f70d010105050003820101005925971768cfc1bb8f4b1dd4b9d0abd84cca91dc19d344451da159ae0925f1924022b20ea548d56947a26c987dc0
EAP-Message = 0xfb36d1078bef2f36de91d2b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735825727e1a69809cb3876d58ea
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=4, length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400060d00
State = 0x2676735825727e1a69809cb3876d58ea
Message-Authenticator = 0xd88cda63a2776910572007659978dff0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 32770
EAP-Message = 0x0105038e0d8000000b7083ce8bd2a2e5a3df721979638d83518a19e079bf804773b82753a039b6b053a357acb9d1954ecb25330390d4d54583a6fdeb74f039f492238f8d93bdc53d3acc2366af2771253c218dbc3a006b911f1e4bb6fd491b99ed05b1520cf14d08d12119b177f754cae89d065edb48680f35d8df3c0e7fcec9c6e84d52a1136f7a56a90f539addc1ad3c44e25de731f0443844dbfe83d0432ad61f7ed89184a407e0b41a9ffbc0389637071d937e63e136311e467b914839fd7382c216734b1de93368e4fb6b2303f4160301020d0c0002090080b3afe7fd33f61741e813a2a82d3e2e44f4e3a6cba8ba274ff2a14cdee764e7ec4e45
EAP-Message = 0x4df9c4b18aa0bb45b4dcbe5022790ed79559ec10e6b017165192ca92ee664df49dd6de389d1eba0400804b550239ffca80cdd27f3cc0ce1fc851463b672a8e260e415d3d3a40e8ae5102105bddc30b8c1a3031af0bc0a78b4ea69f5e66630001020080a0cc4357af8865d129c3e7c20c4283e7a4a4c522e23e0f3cb9b462c2923ea92c3a2781665e6d1fe4096f9832e39c33424106d2429f569da06ac67c9b0800351a1b7c512cd541edf0a135330412dbccd37885e35ce75111476fe045e0a85c70abf40a30089c4d4302179e1f084bffe853b1845c99010515a1970a03a87449615a010060149cd09ea980ec82c55cfe09857dbb7c5811f45c64e0fe
EAP-Message = 0x9d59d03e704806e99f1cb29f0286c1015c81d7824e617a53bd69dacefe51425fec76315ad4861b81d8aff93491a3b7a18988a9a9ee16acba071272b143c7bb8106d29ac8e6087a066498b3f47cf216fb2a96f19d7ccd8459646ed27ce02852c2c402000778e68ec419b9f14059fea1eaaad700a5c1d71f8ba516d820a6b0520e9a808736de80b97588f6b72b6b405b1f8a5a8779e01cd882c352aabb41e4a60fd2e4c64382e2a12deb09e8fb2caaa26a86aec4606044a283b9d20b0bf2637a953e8716d0b90958aebeb9995898714edb927fb52e51c4a1a2ff1157ae26402265dbbbb03f99e23f2416030100a70d00009f040304010200980096308193
EAP-Message = 0x310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735822737e1a69809cb3876d58ea
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=5, length=1532
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020505710d0016030103950b00039100038e00038b308203873082026fa003020102020102300d06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3038303730393138313132345a170d3039303730393138313132345a3079310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c
EAP-Message = 0x4578616d706c6520496e632e311d301b060355040314147465737475736572406578616d706c652e636f6d3123302106092a864886f70d01090116147465737475736572406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b510efbf58ad201585beac3f327bba71b761612df254a3e44ffe4f5a182852e2a64d11912ca27013be01dae059ef3d8a9b2ca7a81c9da01b2291b6e38f07339c7668c6b7ce6c936bef181c33c16d5c34e17b0c878648bb73199645bb81febb577aff69f4881080ea593f31b5efcccebd3772dda5666a5e139a38e89b9ca13712462098dbfc5c526253985609
EAP-Message = 0x583e54d9d74b9b263cda9647c523d9922c1992736d176c3b869b373a9824a8c046dfd49118a90d5c8e9504cae9209d8254c31f98c3979a307f0515e88e820c29c9092c0de6c9af76c9a1bc8eee37aea8d047bf8c1af257f42b550932995e5083364a7e185a62de08976e2ca45d334231109eeaf70203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038201010085cf673c6dd1deb8648e0589573c0e55e286ba9f3ef23a3882fbe024a5c54aeef510e96f36291f0172deb8bcf2b8ce9e6517a143c658e8fb24c80a7936138c5e6f7dda3ca8b33e4600a1cb92c2f079793304c0ddc296c4
EAP-Message = 0x015d6d73cdae8f32eea68667d9cf33a6ad8c5e38a0ffbda541b5b789ffd0cd2b4de23592384ee23e154ea629f1a3743fcba443f8e6d355411d310f787d6551c413af2eccfabc2b28e9e786fd78cb3250a0ca2cd0adf11d8045d03ea0cca6b28d5c498c0965a238b05ccf7cadc3946ee0c42d65594ca3378ecd205c74b42b5f9c060287639e4cf76f5003ec0d3723abd391f4693556553f5aaac2684a2bb808e2a2cf16b425c9736e1c16030100861000008200803d7d38a765634fe46cd97911bbb0826fd6bb317dc04dbb7ca60c2d352f4a9be2f147f261ccf2d7c5e05b85783810260ddaed3c3772fcceab264dd8daf8a4467e6a6729a7152dabe5a4
EAP-Message = 0x4c2375c148a15096de5c28842d80507318656b36edc71772326fd6fddbc6dbb9d5476332d561de95d1a40b59779113ada15e6b466977eb16030101060f00010201003fcdbdf9a53a3f14ce87dbc34568e1cc53d78b24457c12a7be38fc6e07932f6a253fc07cf73579bc7dbb98eeaf91076ba912ff6fe2f6bfc1d2803974757922cd8fa5142f870aae126053adf7b4c7456bb431a174446775b7e9f78fcfb0925edee9a12cf5a76fc6ef7fdf983adeb3ec234d89af9e7298602df31a4febaa1c9aa039c3142ec57416c3771b1ae8934b1444dda9e28b932ae8ff1a22aae98ceb9f2d7a9caac9efb16c01a4cd3dadda86513428a3bd3a11b262eaa750dc
EAP-Message = 0xd50749f461997927394171b785ff74c98d883674fc8035287993a279f1ffa72b9c4cbc6b96fcaad6e5daaca7bd9aca988c6a8b3c487bd1e5cc73dd3c3c59f8ec39549ebeb61403010001011603010030f1c1d6ee34104fca2869c989529493079d85690315b83299b5d9567823fea467b507af2267dd69305c7d35d7809adf12
State = 0x2676735822737e1a69809cb3876d58ea
Message-Authenticator = 0xcc6ace4662072c78666cb7d873d7a354
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
--> verify error:num=20:unable to get local issuer certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 5 to 127.0.0.1 port 32770
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
Going to the next request
Waking up in 4.4 seconds.
Cleaning up request 0 ID 0 with timestamp +4
Cleaning up request 1 ID 1 with timestamp +4
Cleaning up request 2 ID 2 with timestamp +4
Cleaning up request 3 ID 3 with timestamp +4
Waking up in 0.1 seconds.
Cleaning up request 4 ID 4 with timestamp +4
Waking up in 0.2 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
wpa_supplicant logs (copying only FAILURE logs seen at end)
++++++++++++++++++++++++++++++++++++++++++++++++++++++
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=5 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 05 00 04
Attribute 80 (Message-Authenticator) length=18
Value: 7a 61 25 5b 8e cd 44 3b 18 b1 af e3 82 fd 32 5d
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 2
FAILURE
Regards, Gaurav Kansal
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I think that PKI that comes with freeradius by default are shit (./bootstrap). I had the same problem. If you see the certification route in firefox, for example, you will see that client certificate are signed by SERVER CERTIFICATE and this by ca certificate. Probably you put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate --> verify error:num=20:unable to get local issuer certificate rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca) , and should be server.pem, or make your own ca, that signs clients and servers certificates.
Sergio Yébenes Moreno wrote:
I think that PKI that comes with freeradius by default are shit
Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.
(./bootstrap). I had the same problem. If you see the certification route in firefox, for example, you will see that client certificate are signed by SERVER CERTIFICATE and this by ca certificate.
Which shouldn't be a problem.
Probably you put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf
There is no configuration entry called 'ca_cert'.
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate --> verify error:num=20:unable to get local issuer certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
, and should be server.pem, or make your own ca, that signs clients and servers certificates.
The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong. Alan DeKok.
Hi I made the following change and it worked for me. In Makefile (/usr/local/etc/raddb/certs/), I passed the input files of that of ca rather than server while creating the client certificate. Regards, Gaurav Kansal Velankani Software Private Limited, 43, Electronics City, Phase - 2, Hosur Road, Bangalore - 560100 Phone : +91 80 4037 5300/01 Extn. # 5401 Direct: +91 80 4037 5401 Fax : +91 80 4037 5303 Mobile: +91 98454 22400 gkansal@velankani.com www.velankani.com "Every Customer is a Reference Customer" -----Original Message----- From: freeradius-users-bounces+gkansal=velankani.com@lists.freeradius.org [mailto:freeradius-users-bounces+gkansal=velankani.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, July 09, 2008 8:58 PM To: FreeRadius users mailing list Subject: Re: wpa_supplicant(eapol_test) with freeradius: error coming in TLS Sergio Yébenes Moreno wrote:
I think that PKI that comes with freeradius by default are shit
Feel free to submit fixes. Most people don't have problems with the defaults. Perhaps because they realize that the defaults are for testing, and not for production use.
(./bootstrap). I had the same problem. If you see the certification route in firefox, for example, you will see that client certificate are signed by SERVER CERTIFICATE and this by ca certificate.
Which shouldn't be a problem.
Probably you put ca_cert="/usr/local/etc/raddb/certs/ca.pem" at eap.conf
There is no configuration entry called 'ca_cert'.
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate --> verify error:num=20:unable to get local issuer certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca)
, and should be server.pem, or make your own ca, that signs clients and servers certificates.
The default configuration works. Perhaps you could try explaining why you think it doesn't, or why it's wrong. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I am currently using version 2.1.1 of freeRadius. I am sending wimax attribute WiMAX-Capability using radclient. WiMAX-Capability has 4 TLVs as specified by Wimax stage3 specification -- WiMAX Release, Accounting Capabilities, Hot Lining Capabilities and WiMAX-Idle-Mode-Notification-Cap. Radclient is sending these TLVs separately, though each as part of WiMAX-Capability. Shouldn't these multiple TLVs be grouped together in WiMAX-Capability and sent as one AVP? Please help me to clear my doubt. Regards, Gaurav Kansal Velankani Software Private Limited, 43, Electronics City, Phase - 2, Hosur Road, Bangalore - 560100 Phone : +91 80 4037 5300/01 Extn. # 5401 Direct: +91 80 4037 5401 Fax : +91 80 4037 5303 Mobile: +91 98454 22400 gkansal@velankani.com www.velankani.com "Every Customer is a Reference Customer"
Gaurav Kansal wrote:
I am sending wimax attribute WiMAX-Capability using radclient. WiMAX-Capability has 4 TLVs as specified by Wimax stage3 specification -- WiMAX Release, Accounting Capabilities, Hot Lining Capabilities and WiMAX-Idle-Mode-Notification-Cap.
Radclient is sending these TLVs separately, though each as part of WiMAX-Capability. Shouldn't these multiple TLVs be grouped together in WiMAX-Capability and sent as one AVP?
Yes. You will need to send the attributes consecutively, in order. i.e. from the lowest number VSA to the highest. See dictionary.wimax for the numbers. Alan DeKok.
participants (3)
-
Alan DeKok -
Gaurav Kansal -
Sergio Yébenes Moreno