Freeradius + EAP_TLS + Cisco AP
Hi I configured a freeradius server with EAP_TLS to authenticate clients that connects to Cisco AP. When I run freeradius -X I got a lot of activity output but the client is still trying to authenticate I post last lines from the server's output I see the port of Access-request es 1645 but I did configure 1812 in both server and Cisco AP The line "[tls] eaptls_process returned 13 " means something wrong? What should be the correct output when successful authentication occurs? Thanks ==== rad_recv: Access-Request packet from host 192.168.X.X port 1645, id=51, length=143 User-Name = "etalaveran" Framed-MTU = 1400 Called-Station-Id = "aca0.16ba.89f2" Calling-Station-Id = "0021.63ca.fdbe" Service-Type = Login-User Message-Authenticator = 0x32824bc17cf2b4b4920577cc57e00177 EAP-Message = 0x020700060d00 NAS-Port-Type = Wireless-802.11 NAS-Port = 285 NAS-Port-Id = "285" State = 0x732b0744702c0abef63c2dd8a2b9de35 NAS-IP-Address = 192.168.1.82 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "etalaveran", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry etalaveran at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 51 to 192.168.X.X port 1645 EAP-Message = 0x0108000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x732b074477230abef63c2dd8a2b9de35 Finished request 19. Going to the next request Waking up in 4.8 seconds. Cleaning up request 15 ID 47 with timestamp +117 Cleaning up request 16 ID 48 with timestamp +117 Cleaning up request 17 ID 49 with timestamp +117 Cleaning up request 18 ID 50 with timestamp +117 Cleaning up request 19 ID 51 with timestamp +117 Ready to process requests. ================= -- *Esteban Talavera*
Esteban TALAVERA wrote:
I configured a freeradius server with EAP_TLS to authenticate clients that connects to Cisco AP.
When I run freeradius -X I got a lot of activity output but the client is still trying to authenticate
Which says:
Sending Access-Challenge of id 51 to 192.168.X.X port 1645 EAP-Message = 0x0108000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x732b074477230abef63c2dd8a2b9de35 Finished request 19. Going to the next request Waking up in 4.8 seconds. Cleaning up request 15 ID 47 with timestamp +117 Cleaning up request 16 ID 48 with timestamp +117 Cleaning up request 17 ID 49 with timestamp +117 Cleaning up request 18 ID 50 with timestamp +117 Cleaning up request 19 ID 51 with timestamp +117 Ready to process requests.
This is in the FAQ, and in the comments in eap.conf. Please read them. Alan DeKok.
I still can't find solution to my problem in documentation. The microsoft documentation refers to a XP SP2 issue, but I'm testing with XP SP3. I made my own CA certificate, I don't know if this is the problem. Someone can help me? Thanks On Fri, Sep 24, 2010 at 5:38 AM, Alan DeKok <aland@deployingradius.com>wrote:
Esteban TALAVERA wrote:
I configured a freeradius server with EAP_TLS to authenticate clients that connects to Cisco AP.
When I run freeradius -X I got a lot of activity output but the client is still trying to authenticate
Which says:
Sending Access-Challenge of id 51 to 192.168.X.X port 1645 EAP-Message = 0x0108000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x732b074477230abef63c2dd8a2b9de35 Finished request 19. Going to the next request Waking up in 4.8 seconds. Cleaning up request 15 ID 47 with timestamp +117 Cleaning up request 16 ID 48 with timestamp +117 Cleaning up request 17 ID 49 with timestamp +117 Cleaning up request 18 ID 50 with timestamp +117 Cleaning up request 19 ID 51 with timestamp +117 Ready to process requests.
This is in the FAQ, and in the comments in eap.conf. Please read them.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Esteban Talavera* * * *Proyectos ITW* Tel. +(58)212 7623035 +(58)212 7620504 Cel. +(58)412 2892006 Fax +(58)212 7615965
I tried to apply the hotfix but it was included in SP3. The laptop has Windows XP SP3. xpextensions is added to the certificate. What's mean [tls] eaptls_process returned 13? default_eap_type = peap must be set tp peap or tls? Thanks On Tue, Sep 28, 2010 at 8:30 AM, Esteban TALAVERA <etalaveran@gmail.com>wrote:
I still can't find solution to my problem in documentation.
The microsoft documentation refers to a XP SP2 issue, but I'm testing with XP SP3.
I made my own CA certificate, I don't know if this is the problem.
Someone can help me?
Thanks
On Fri, Sep 24, 2010 at 5:38 AM, Alan DeKok <aland@deployingradius.com>wrote:
Esteban TALAVERA wrote:
I configured a freeradius server with EAP_TLS to authenticate clients that connects to Cisco AP.
When I run freeradius -X I got a lot of activity output but the client is still trying to authenticate
Which says:
Sending Access-Challenge of id 51 to 192.168.X.X port 1645 EAP-Message = 0x0108000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x732b074477230abef63c2dd8a2b9de35 Finished request 19. Going to the next request Waking up in 4.8 seconds. Cleaning up request 15 ID 47 with timestamp +117 Cleaning up request 16 ID 48 with timestamp +117 Cleaning up request 17 ID 49 with timestamp +117 Cleaning up request 18 ID 50 with timestamp +117 Cleaning up request 19 ID 51 with timestamp +117 Ready to process requests.
This is in the FAQ, and in the comments in eap.conf. Please read them.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
*Esteban Talavera*
* *
*Proyectos ITW*
Tel. +(58)212 7623035
+(58)212 7620504
Cel. +(58)412 2892006
Fax +(58)212 7615965
-- *Esteban Talavera* * * *Proyectos ITW* Tel. +(58)212 7623035 +(58)212 7620504 Cel. +(58)412 2892006 Fax +(58)212 7615965
You say you are trying to setup eap-tls and you have client certs - so you probably also want to set client to eap-tls (smart card or other certificate in windows world). Check you installed proper CA certs on both client and server if you are checking them (which I guess you should). 'PEAP or EAP-TLS Doesn't Work with a Windows machine' part of faq really includes useful info. Bye, M.
Esteban TALAVERA <etalaveran@gmail.com> 28.9.2010 16:40 >>> I tried to apply the hotfix but it was included in SP3. The laptop has Windows XP SP3.
xpextensions is added to the certificate. What's mean [tls] eaptls_process returned 13? default_eap_type = peap must be set tp peap or tls? Thanks
Thanks Hi After multiple issues I found a partial solution, but not the best. I unselect "validate server certificate" in the XP client. After doing that, the client authenticates. I know that this is a very dangerous practice. Is mandatory for an XP machine to authenticate the server certificate to a valid CA? I copied only the client certificate on XP machine. Copying server`s certificate or my homemade CA certs into XP client will works? Gracias, Merci, thanks On Wed, Sep 29, 2010 at 2:27 AM, Matija Levec <Matija.Levec@astec.si> wrote:
You say you are trying to setup eap-tls and you have client certs - so you probably also want to set client to eap-tls (smart card or other certificate in windows world). Check you installed proper CA certs on both client and server if you are checking them (which I guess you should). 'PEAP or EAP-TLS Doesn't Work with a Windows machine' part of faq really includes useful info.
Bye, M.
Esteban TALAVERA <etalaveran@gmail.com> 28.9.2010 16:40 >>> I tried to apply the hotfix but it was included in SP3. The laptop has Windows XP SP3.
xpextensions is added to the certificate.
What's mean [tls] eaptls_process returned 13?
default_eap_type = peap must be set tp peap or tls?
Thanks
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Esteban Talavera* * * *Proyectos ITW* Tel. +(58)212 7623035 +(58)212 7620504 Cel. +(58)412 2892006 Fax +(58)212 7615965
Thanks I have to import root CA certificate or server certificate to XP CA trusted lists? On Fri, Oct 1, 2010 at 9:22 AM, Matija Levec <Matija.Levec@astec.si> wrote:
Hi. Valid CA is the one that issued radius server certificate. Just import it to trusted CAs list.
Bye, M.
Is mandatory for an XP machine to authenticate the server certificate to a valid CA?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- *Esteban Talavera* * *
participants (3)
-
Alan DeKok -
Esteban TALAVERA -
Matija Levec