Hi, I am just wondering if anyone has encountered the same issue. I have set up my enviornment for EAP-TLS, with windows XP SP2 as a supplicant. For some reason I am getting: auth: Failed to validate the user. Login incorrect: [radiustst/<no User-Password attribute>] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b) complete listing is attached. I am using certificates and SSL session is created successfully, then why FreeRadius is expecting a userid/password? Any help will be appreciated. Thanks Hamid. ============= Complete Listing ================= Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247 User-Name = "radiustst" NAS-IP-Address = 129.10.56.156 Called-Station-Id = "00-20-a6-4a-12-21" Calling-Station-Id = "00-10-c6-38-af-7b" NAS-Identifier = "APtest3" State = 0xb9a67433435733a42f7cbd528aa6ae7a Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020504510d800000044716030104170b000307000304000301308202fd30820266a003 020102020102300d06092a864886f70d01010405003054310b3009060355040613025553 310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e 20556e6976657273697479311630140603550403130d4543454175746853657276657230 1e170d3035313130353232323335345a170d3036313130353232323335345a3050310b30 09060355040613025553310b3009060355040813024d413120301e060355040a13174e6f 7274686561737465726e20556e6976657273697479311230100603550403130972616469 7573 EAP-Message = 0x74737430819f300d06092a864886f70d010101050003818d0030818902818100b9983d b3e72f80fd974f9bcd64081d573fdd27b19089405b696d873f87467ff80a312ef7b399c3 9e9e7018e1aa29203251c40dd6af46d060d1211405bea1888d058da35230f55d7dc27d76 9e0234824d78d5d1b5edf8d39f8ab78255e6cca753424cd0713339a02cf315fbcb6175a0 47fa233d9f64d6f936f5e3a403bcca93ab0203010001a381e23081df30090603551d1304 023000302c06096086480186f842010d041f161d4f70656e53534c2047656e6572617465 64204365727469666963617465301d0603551d0e04160414b77dd4b0207270418f828157 2f5e EAP-Message = 0x3353216fe55f3081840603551d23047d307b801463d38ab984dc364e31383d1ecf3743 0ee64b68e9a158a4563054310b3009060355040613025553310b3009060355040813024d 413120301e060355040a13174e6f7274686561737465726e20556e697665727369747931 1630140603550403130d45434541757468536572766572820900cab77a537cadfaf3300d 06092a864886f70d0101040500038181003cbaf9e576319601ba75222ef4fed8cd584e2d 8aea2f25788bff348f53a699ecab5cb50143f369e7a59da5ba5212105e4d1b642f56cf00 d04efcb911239047393875024e5e4a17b0ac8f87d165c81a5fcfbe2f2a67ee6c7e57dae0 c423 EAP-Message = 0x4a3f81753b0817b63f117a0b28c1ca43e1cb31142b47103caef9f28c01860b49f27465 1000008200805d53b3419d272d68175ae404a9a51774f148420e7832d39ceaa311a000f0 70ebf121d27c6f8b15369ab4bc9a1edadd2abd1caace3378f6a9f6623e6f9cb95085df74 830c3e22638bd8e3a63938c9ea8b93895aca23aa131f728ffab7c0cee86b7ed10ced5e2f 30ad19df6cd83a0ac6564a9b833b284b52ff9355741efc7b3e360f0000820080131f2e69 99c156d32b83cb27036db11e9c3571b66d7ab062208a03daf1afb9b3c4a326a09663c1a3 25a3b846a2a34d4cfbdcbd432a18017a9ece2744de377c964649ac146466ee4b71fa5fdd 8f7c EAP-Message = 0x1272df4226eb2805f9268ae2a2e0d0664ced1a8868bada17475dc7889cb73634641d80 af384311d0b2b9e87c7bde4227a47d14030100010116030100202a0a0a3102caaf869886 11a6916269516c4e5b6bf006d943609a71740a4d3a60 Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 radius_xlat: '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115' rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y% m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115 modcall[authorize]: module "auth_log" returns ok for request 8 rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry radiustst at line 54 modcall[authorize]: module "files" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate chain-depth=1, error=0 --> User-Name = radiustst --> BUF-Name = ECEAuthServer --> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer --> issuer = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer --> verify return:1 chain-depth=0, error=0 --> User-Name = radiustst --> BUF-Name = radiustst --> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst --> issuer = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 71 to 129.10.56.156:6001 EAP-Message = 0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2 4322bdbd6ca0af149ba46d197f153a7f4f32 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70ed13d02f1854999ba5b4513143d53d Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72, length=167 User-Name = "radiustst" NAS-IP-Address = 129.10.56.156 Called-Station-Id = "00-20-a6-4a-12-21" Calling-Station-Id = "00-10-c6-38-af-7b" NAS-Identifier = "APtest3" State = 0x70ed13d02f1854999ba5b4513143d53d Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115 Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 radius_xlat: '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115' rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y% m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115 modcall[authorize]: module "auth_log" returns ok for request 9 rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 6 length 33 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry radiustst at line 54 modcall[authorize]: module "files" returns ok for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_tls: Received unexpected tunneled data after successful handshake. rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Login incorrect: [radiustst/<no User-Password attribute>] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b) Delaying request 9 for 1 seconds Finished request 9 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72, length=167 Sending Access-Reject of id 72 to 129.10.56.156:6001 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 68 with timestamp 437a661d Cleaning up request 6 ID 69 with timestamp 437a661d Cleaning up request 7 ID 70 with timestamp 437a661d Cleaning up request 8 ID 71 with timestamp 437a661d Cleaning up request 9 ID 72 with timestamp 437a661d Nothing to do. Sleeping until we see a request.
rlm_eap_tls: Received unexpected tunneled data after successful handshake. ...that's what I get when I try an invalid password in my EAP + Cisco 1200 + LDAP + PEAP/MS-CHAPv2 configuration. Let me ask...how is the client certificate method supposed to work? Is the username embeded the CN/CommonName attribute of the certificate and the user is prompted for a password which you setup in authenticate {} ? Is that any more secure than using PEAP/MS-CHAPv2 ? ~BAS On Wed, 16 Nov 2005, Hamid Salim wrote:
Hi, I am just wondering if anyone has encountered the same issue. I have set up my enviornment for EAP-TLS, with windows XP SP2 as a supplicant. For some reason I am getting:
auth: Failed to validate the user. Login incorrect: [radiustst/<no User-Password attribute>] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
complete listing is attached. I am using certificates and SSL session is created successfully, then why FreeRadius is expecting a userid/password?
Any help will be appreciated.
Thanks Hamid.
============= Complete Listing ================= Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247 User-Name = "radiustst" NAS-IP-Address = 129.10.56.156 Called-Station-Id = "00-20-a6-4a-12-21" Calling-Station-Id = "00-10-c6-38-af-7b" NAS-Identifier = "APtest3" State = 0xb9a67433435733a42f7cbd528aa6ae7a Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020504510d800000044716030104170b000307000304000301308202fd30820266a003 020102020102300d06092a864886f70d01010405003054310b3009060355040613025553 310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e 20556e6976657273697479311630140603550403130d4543454175746853657276657230 1e170d3035313130353232323335345a170d3036313130353232323335345a3050310b30 09060355040613025553310b3009060355040813024d413120301e060355040a13174e6f 7274686561737465726e20556e6976657273697479311230100603550403130972616469 7573 EAP-Message = 0x74737430819f300d06092a864886f70d010101050003818d0030818902818100b9983d b3e72f80fd974f9bcd64081d573fdd27b19089405b696d873f87467ff80a312ef7b399c3 9e9e7018e1aa29203251c40dd6af46d060d1211405bea1888d058da35230f55d7dc27d76 9e0234824d78d5d1b5edf8d39f8ab78255e6cca753424cd0713339a02cf315fbcb6175a0 47fa233d9f64d6f936f5e3a403bcca93ab0203010001a381e23081df30090603551d1304 023000302c06096086480186f842010d041f161d4f70656e53534c2047656e6572617465 64204365727469666963617465301d0603551d0e04160414b77dd4b0207270418f828157 2f5e EAP-Message = 0x3353216fe55f3081840603551d23047d307b801463d38ab984dc364e31383d1ecf3743 0ee64b68e9a158a4563054310b3009060355040613025553310b3009060355040813024d 413120301e060355040a13174e6f7274686561737465726e20556e697665727369747931 1630140603550403130d45434541757468536572766572820900cab77a537cadfaf3300d 06092a864886f70d0101040500038181003cbaf9e576319601ba75222ef4fed8cd584e2d 8aea2f25788bff348f53a699ecab5cb50143f369e7a59da5ba5212105e4d1b642f56cf00 d04efcb911239047393875024e5e4a17b0ac8f87d165c81a5fcfbe2f2a67ee6c7e57dae0 c423 EAP-Message = 0x4a3f81753b0817b63f117a0b28c1ca43e1cb31142b47103caef9f28c01860b49f27465 1000008200805d53b3419d272d68175ae404a9a51774f148420e7832d39ceaa311a000f0 70ebf121d27c6f8b15369ab4bc9a1edadd2abd1caace3378f6a9f6623e6f9cb95085df74 830c3e22638bd8e3a63938c9ea8b93895aca23aa131f728ffab7c0cee86b7ed10ced5e2f 30ad19df6cd83a0ac6564a9b833b284b52ff9355741efc7b3e360f0000820080131f2e69 99c156d32b83cb27036db11e9c3571b66d7ab062208a03daf1afb9b3c4a326a09663c1a3 25a3b846a2a34d4cfbdcbd432a18017a9ece2744de377c964649ac146466ee4b71fa5fdd 8f7c EAP-Message = 0x1272df4226eb2805f9268ae2a2e0d0664ced1a8868bada17475dc7889cb73634641d80 af384311d0b2b9e87c7bde4227a47d14030100010116030100202a0a0a3102caaf869886 11a6916269516c4e5b6bf006d943609a71740a4d3a60 Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 radius_xlat: '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115' rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y% m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115 modcall[authorize]: module "auth_log" returns ok for request 8 rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry radiustst at line 54 modcall[authorize]: module "files" returns ok for request 8 modcall: group authorize returns updated for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate chain-depth=1, error=0 --> User-Name = radiustst --> BUF-Name = ECEAuthServer --> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer --> issuer = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer --> verify return:1 chain-depth=0, error=0 --> User-Name = radiustst --> BUF-Name = radiustst --> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst --> issuer = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer --> verify return:1 TLS_accept: SSLv3 read client certificate A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify TLS_accept: SSLv3 read certificate verify A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: group authenticate returns handled for request 8 Sending Access-Challenge of id 71 to 129.10.56.156:6001 EAP-Message = 0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2 4322bdbd6ca0af149ba46d197f153a7f4f32 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70ed13d02f1854999ba5b4513143d53d Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72, length=167 User-Name = "radiustst" NAS-IP-Address = 129.10.56.156 Called-Station-Id = "00-20-a6-4a-12-21" Calling-Station-Id = "00-10-c6-38-af-7b" NAS-Identifier = "APtest3" State = 0x70ed13d02f1854999ba5b4513143d53d Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115 Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 radius_xlat: '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115' rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y% m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115 modcall[authorize]: module "auth_log" returns ok for request 9 rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 6 length 33 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry radiustst at line 54 modcall[authorize]: module "files" returns ok for request 9 modcall: group authorize returns updated for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_tls: Received unexpected tunneled data after successful handshake. rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: group authenticate returns invalid for request 9 auth: Failed to validate the user. Login incorrect: [radiustst/<no User-Password attribute>] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b) Delaying request 9 for 1 seconds Finished request 9 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72, length=167 Sending Access-Reject of id 72 to 129.10.56.156:6001 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 68 with timestamp 437a661d Cleaning up request 6 ID 69 with timestamp 437a661d Cleaning up request 7 ID 70 with timestamp 437a661d Cleaning up request 8 ID 71 with timestamp 437a661d Cleaning up request 9 ID 72 with timestamp 437a661d Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
l8* -lava x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
"Brian A. Seklecki" <lavalamp@spiritual-machines.org> wrote:
rlm_eap_tls: Received unexpected tunneled data after successful handshake.
...that's what I get when I try an invalid password in my EAP + Cisco 1200 + LDAP + PEAP/MS-CHAPv2 configuration.
You need the magic Windows OID's in the certificates. See the "scripts" directory, which includes scripts to create certificates with those OIDs Alan DeKok.
participants (3)
-
Alan DeKok -
Brian A. Seklecki -
Hamid Salim