Need help setting up PEAP authentication
Hi, I'm trying to setup freeradius to authenticate users of my wireless networks and I'm facing some problems. I've tried to follow the guide located at http://www.tldp.org/HOWTO/8021X-HOWTO/ , which explains exactly the setup I would like (that is, authentication with username / password credentials). So I've setup freeradius like explained (I've already have everything needed for ssl, CA root certificate and server certificate), and I've configured my access point to use my radius server. So when I try to login, for example with wpa_supplicant, it tolds me that authentication with MSCHAPv2 went ok, and then 30 seconds later it says "Authentication timed out", and it tries to re authenticate. So I'm able to use my wireless network 30 seconds only (for example if I start up a dhcp client then I get an IP) before I'm re authenticated. I've also tried with a Windows XP client, and it continues asking me my credentials. Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge So does someone have a working freeradius configuration to share with me ? Or some tips to get it working ? Thanks in advance, Reynald Borer P.S: I'm using debian so I've recompiled freeradius to link against libssl P.S2: I've attached my freeradius config files (modified parts only). Complete files are available at http://www.borer.name/files/index.php?dir=radius/ eap { default_eap_type = peap ## default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no tls { #private_key_password = whatever private_key_file = ${raddbdir}/certs/bob.keyunsecure.pem certificate_file = ${raddbdir}/certs/newcert.pem CA_file = ${raddbdir}/certs/cacert.pem dh_file = ${raddbdir}/certs/dh random_file = /dev/urandom fragment_size = 1024 include_length = yes } ttls { default_eap_type = md5 use_tunneled_reply = no } peap { default_eap_type = mschapv2 } mschapv2 { } } mschap { use_mppe = yes require_encryption = yes require_strong = yes #with_ntdomain_hack = no #ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" authtype = MS-CHAP } authorize { preprocess mschap suffix # ntdomain eap files } authenticate { Auth-Type MS-CHAP { mschap } eap }
Reynald Borer <r.borer@citycable.ch> wrote:
So when I try to login, for example with wpa_supplicant, it tolds me that authentication with MSCHAPv2 went ok, and then 30 seconds later it says "Authentication timed out", and it tries to re authenticate.
And what does debugging mode on the server say?
Here is what is displayed in the logs (without verbose mode):
So.... why are you not running in debugging mode?
P.S2: I've attached my freeradius config files (modified parts only).
Why? The documentation, FAQ, README, and INSTALL say to run the server in debugging mode. Why are you not doing that? Alan DeKok.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hey Reynald, Independent of FreeRADIUS, have you checked the following: - - Does your client and RADIUS server have the correct CA certificate installed and trusted? Looks like you are getting a certificate error... - - Have you tried temporarily disabling certificate validation on the XP client to rule out other problems? (I know this defeats the purpose, but can help in troubleshooting) Paul On Jul 19, 2006, at 10:55 AM, Reynald Borer wrote:
Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge
- -- Paul Asadoorian Email: paul@pauldotcom.com Web: http://pauldotcom.com IRC: #pauldotcom | irc.freenode.net Fingerprint: 2693 0204 8497 2E5F 4853 11D5 1153 6151 487F E094 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin) iD8DBQFEvlKaEVNhUUh/4JQRAnthAJ93ksq3YLf6AZmxcUBe/7iZHQsFPgCeND4F Tzlx3qVvLBFH05OgrNLFlPA= =KiET -----END PGP SIGNATURE-----
Hi,
I'm trying to setup freeradius to authenticate users of my wireless networks and I'm facing some problems. I've tried to follow the guide located at http://www.tldp.org/HOWTO/8021X-HOWTO/ , which explains exactly the setup I would like (that is, authentication with username / password credentials).
Fair enough, a common thing to do.
So I've setup freeradius like explained (I've already have everything needed for ssl, CA root certificate and server certificate), and I've configured my access point to use my radius server.
Great.
So when I try to login, for example with wpa_supplicant, it tolds me that authentication with MSCHAPv2 went ok, and then 30 seconds later it says "Authentication timed out", and it tries to re authenticate. So I'm able to use my wireless network 30 seconds only (for example if I start up a dhcp client then I get an IP) before I'm re authenticated.
I've also tried with a Windows XP client, and it continues asking me my credentials.
You did think of adding the Microsoft TLS Web Server Authentication OID?
Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge
Which is completely useless for debugging. This is *normal* with PEAP. If you want people here to help, you should do as the FAQ tells you and send a *complete* *debug* log.
So does someone have a working freeradius configuration to share with me ? Or some tips to get it working ?
I would exchange tipps for a decent debug log. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Reynald Borer wrote:
Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge
These logs are useless I'm afraid. Please run the server under debugging (with the -X argument) and examine the debugging output - the cause is in there. If you can't figure it out, post the debug output (or a link to it) here.
Hi, Sorry to be so newbee, I cannot remember why I decided not to send the full debugging log. Anyway, it is available online at http://www.borer.name/files/radius/radius.log I used wpa_supplicant to try to connect, and as explained in my first email the client says that authentication went ok, then 30 seconds later it displays an authentication timeout message and tries to reconnect. The 30 seconds gap can be seen in the log when it displays "Nothing to do. Sleeping until we see a request.". As far as I can understand these logs the authentication seems to correctly work (I've added a test user inside clients.conf and log says "users: Matched entry test at line 216"). But what seems strange to me is that wpa_supplicant seems to send 6 requets at the same time... Anyway, as asked I also tried to disable certificate validation on Windows XP and it is still not working. Regards, Reynald Borer On Wednesday 19 July 2006 18:14, Phil Mayers wrote:
Reynald Borer wrote:
Here is what is displayed in the logs (without verbose mode): Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge
These logs are useless I'm afraid. Please run the server under debugging (with the -X argument) and examine the debugging output - the cause is in there. If you can't figure it out, post the debug output (or a link to it) here.
Reynald Borer <r.borer@citycable.ch> wrote:
As far as I can understand these logs the authentication seems to correctly work (I've added a test user inside clients.conf and log says "users: Matched entry test at line 216").
That's meaningless. Is there an Access-Accept?
But what seems strange to me is that wpa_supplicant seems to send 6 requets at the same time...
That's how EAP works. Alan DeKok.
Hello,
Sorry to be so newbee, I cannot remember why I decided not to send the full debugging log. Anyway, it is available online at http://www.borer.name/files/radius/radius.log
Much better :-) Indeed, the authentication completes successfully. You are using PEAP with client certificates, that's why there are so many packets going back and forth (2 certificates + MS-CHAPv2 credentials need to be exchanged, too much data for a single packet).
I used wpa_supplicant to try to connect, and as explained in my first email the client says that authentication went ok, then 30 seconds later it displays an authentication timeout message and tries to reconnect. The 30 seconds gap can be seen in the log when it displays "Nothing to do. Sleeping until we see a request.".
Since this is no FreeRADIUS problem (authentication worked well), just a wild shot: is this a recent Centrino chipset and your client is using Linux? I experienced problems as well until I loaded the ipw2200 module with the option "hwcrypto=0" (or was it hw_crypto=0 ?), because otherwise the ipw2200 f*cks up the exchanged encryption key after a short while, the Access Point detects this and disconnects the client, which then tries to authenticate again...
Anyway, as asked I also tried to disable certificate validation on Windows XP and it is still not working.
Since you didn't also include the debug log of the failed attempt, this is just another wild guess: since you are using client certificates, your certificate needs to have another OID present: Microsoft Web Client Authentication. So even if you don't validate the server credentials, you'll have to have an MS-friendly certificate on the client side. Greetings, Stefan Winter -- Stefan WINTER Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche Ingenieur Forschung & Entwicklung 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg E-Mail: stefan.winter@restena.lu Tel.: +352 424409-1 http://www.restena.lu Fax: +352 422473
On 7/19/06, Reynald Borer <r.borer@citycable.ch> wrote:
Error: TLS_accept:error in SSLv3 read client certificate A Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Info: rlm_eap_mschapv2: Issuing Challenge
That's no problem, provided you really try PEAP. It's just openssl complaining that it can't verify the non-mandatory client's certificate.
So does someone have a working freeradius configuration to share with me ? Or some tips to get it working ?
Assuming you really listed all modified conf files, you should check http://www.tldp.org/HOWTO/8021X-HOWTO/freeradius.html#confradius #5. (cited out of context)
Here is what is displayed in the logs (without verbose mode):
Anything else leads to much more if's and perhaps' an assuming's so you should provide the debug output as mentioned in various docs. regards K. Hoercher
participants (6)
-
Alan DeKok -
K. Hoercher -
Paul Asadoorian -
Phil Mayers -
Reynald Borer -
Stefan Winter