authentication without certification
Hi, I have a problem, (config: server: FreeRadius 2.1.3, ubuntu 8.10 nas: cisco AP client: win xp) The authentication with TLS works fine if i install the certificate on the client.(just for test) I cannot install the client certificate on all client system(some reason -no admin access-) = > i want use eap-ttls or peap for authentication cos it doesn't use certificate, no need install. how can I set it up? I try change the eap modul: default_eap_type = ttls or peap but not works, auth stops (no reject or accept) what is the problem? here is the debug: rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=161, length=121 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0xc15a502d4411ec8efd27ba0ea250c934 EAP-Message = 0x020200090168656765 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry hege at line 72 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 161 to 10.0.0.1 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabc8abd1abcbbeb294a359e00e4a0280 Finished request 11. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=162, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x7b2402029dc54aa674b650a06c9c8d61 EAP-Message = 0x020300060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0xabc8abd1abcbbeb294a359e00e4a0280 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry hege at line 72 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 162 to 10.0.0.1 port 1645 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabc8abd1aaccb2b294a359e00e4a0280 Finished request 12. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=163, length=245 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x3cf5569c00de9c5a2b62ea0c9b1de9c5 EAP-Message = 0x020400731980000000691603010064010000600301497086d0b8514dcd6d049d3c8152f6d220610810c0580de41e21b306d80495e3000018002f00350005000ac009c00ac013c01400320038001300040100001f00000009000700000468656765000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0xabc8abd1aaccb2b294a359e00e4a0280 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 115 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 105 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0064], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 07e5], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 163 to 10.0.0.1 port 1645 EAP-Message = 0x0105040019c000000822160301002a020000260301497086d6ba4997eed9e2dd68eebe9b96a913f5750773b4e9339a621550c5ae9800002f0016030107e50b0007e10007de00037d3082037930820261a003020102020101300d06092a864886f70d0101040500307a310b3009060355040613024855310f300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403130e4575726f776179202d2074657374301e170d3039303131343131343532325a170d31393031313231 EAP-Message = 0x31343532325a306d310b3009060355040613024855310f300d0603550408130652616469757331123010060355040a13094575726f776179436f311730150603550403130e4575726f776179202d20746573743120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d28aa07953ca400f01cf32debbc9e44a34b6691ea0d130f7208e3b67addf8f4c375917c3e6cd5029eeafee298fc54dab97b0909967b77bde6eccecef7d9872c33f8b8a3dff873504ea02b2a114409ce3a82efdab4ad37bd21d8d1832e08a5fb4a84cf09e81a0c2 EAP-Message = 0x4916598ceee0d98ac4aaa54e1efe127b33d03895c3078dc1c03549403ee4ff4395e354d9a43d3bf54adf51a754ea7bbd9f1cdfb63320bcd838ab8e634a1d2c6185605a6b3d99ac5422f4c8dabea575caaeb2e3826849c4cf40344614e4e7cb7ddeaae82412a2c83dce36b7b356bbfbdfddba3245403954b53f23d0a7df58b5a4cefa4441dd1b9289c74c81d08433a5390f5f3a2a2b63a6aac50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010067ec221461a27d061d5b56b04dafc6abacb96bed188944064ed1dd20f786c59c4bab761106ee2f7e14786db9767b9dad77bd EAP-Message = 0xc28a44140e19ec0ac5dabb2a4b2e31287cd507e30259378e4ede0024256090a2c9a28be0e3278b4e94c92545c89f4c650b0dc2e51b6c651ac691cf83026ae629d71c81d09f122d5f004c1805e55dcf32220f934a7701da8c200d7462477fac41018103aed3eeca37916241296df05069991e4d4fb82eec1a86f81b6de6db1dc805ed9f023dc6a914990e48dbc2983baeb6c58469aeb85bad3f58affe1fb5fa51596213a45581af22a8a5c0bdc62f1d02041ea78cdd8b0481c3af9ce58903e376f79bbb6f61837ef3dfbad8e5c2e100045b308204573082033fa003020102020900beb5e5e3c2e2e2c7300d06092a864886f70d0101050500307a310b30 EAP-Message = 0x09060355040613024855310f Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabc8abd1a9cdb2b294a359e00e4a0280 Finished request 13. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=164, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x668cc3c5df02a963ca45b4910d73e5a6 EAP-Message = 0x020500061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0xabc8abd1a9cdb2b294a359e00e4a0280 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 164 to 10.0.0.1 port 1645 EAP-Message = 0x010603fc1940300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403130e4575726f776179202d2074657374301e170d3039303131343131343531345a170d3139303131323131343531345a307a310b3009060355040613024855310f300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403 EAP-Message = 0x130e4575726f776179202d207465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc9d773453aaedb311ec7dc7b7852ec03f93af8a86861b3f2328a3bc3cadcfb6f2a915d02c5731049e1518cd6a4bbb1174ff92e2bba1467e1c92c2de0c2fce122fcb66c84991ec9fa1c4889adf3bec2eaa5aa5049c36dccb7d35f5f1e5875e6d6159b23c928984a92acb3ae5f7993a24f8361e91539f81ed172f0cc8809d7296284cfc8ee01071afadbf69591aac279bfc2e322de8026928ce694460650a648cf05d02780daaa36de7c228c6642749778c465013d0473446e01e4ff54783ddd4ff420579650849cc01b36f8f EAP-Message = 0xb064292f52908af59613bb036d4fa9d4238fd2f16551c7858135f6c83d0e12ae11efc69893cf41ffea005da3ac74f072bbc0a3c70203010001a381df3081dc301d0603551d0e04160414bc5ec9fbde34a408aeda44ef1ecdbd6304016b3b3081ac0603551d230481a43081a18014bc5ec9fbde34a408aeda44ef1ecdbd6304016b3ba17ea47c307a310b3009060355040613024855310f300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403130e4575726f776179202d EAP-Message = 0x2074657374820900beb5e5e3c2e2e2c7300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010094f59def54e587375833239b06ce0ea628a11bb58e12499fef6d20bfe3bac19d9ac3aadfff76d26c6f392474c732c527c235b837fa9fbba935359a08d780700461e497a14ffd764057e152fdee967b43f6c7415f100d6c4e66881438114ab7e412ce0adb505e596ac4122d8a0a659fd675c56f454af1ac26078503542be3a72aa435196164adcf5b5982cd11b34c37b125259fa1972af2ad72882c399d674ee93e1369fae737b202821d101770c874653b4f8e92e989eaf595c6d6d25f60bef66a1176165441646dbf4df2 EAP-Message = 0x11cab218fa8f4e66 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabc8abd1a8ceb2b294a359e00e4a0280 Finished request 14. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=165, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x18b595cd27360479999f0e991c25c71d EAP-Message = 0x020600061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0xabc8abd1a8ceb2b294a359e00e4a0280 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 165 to 10.0.0.1 port 1645 EAP-Message = 0x0107003c1900a582e6941e00fef6b97e9eb7c20a7f351fc3c8189718bac754032bc32558e95901f3e92f70956a450525bf4c2a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xabc8abd1afcfb2b294a359e00e4a0280 Finished request 15. Going to the next request Waking up in 4.9 seconds. Cleaning up request 11 ID 161 with timestamp +870 Cleaning up request 12 ID 162 with timestamp +870 Cleaning up request 13 ID 163 with timestamp +870 Cleaning up request 14 ID 164 with timestamp +870 Cleaning up request 15 ID 165 with timestamp +870 Ready to process requests. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=166, length=121 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x62f213196b686d5e823d949bab404a36 EAP-Message = 0x020800090168656765 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry hege at line 72 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 166 to 10.0.0.1 port 1645 EAP-Message = 0x010900061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x098c4fcb09855af82cd96723f3718fb6 Finished request 16. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=167, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x2983d4363303f824a476baa8782b692b EAP-Message = 0x020900060319 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0x098c4fcb09855af82cd96723f3718fb6 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns updated [files] users: Matched entry hege at line 72 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 167 to 10.0.0.1 port 1645 EAP-Message = 0x010a00061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x098c4fcb088656f82cd96723f3718fb6 Finished request 17. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=168, length=245 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x99b461968278fe5a81b293c93aed0e28 EAP-Message = 0x020a00731980000000691603010064010000600301497086d5a0af3d70f0e565bf19123dac1c61592f51d53728637c6a778d93d432000018002f00350005000ac009c00ac013c01400320038001300040100001f00000009000700000468656765000a00080006001700180019000b00020100 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0x098c4fcb088656f82cd96723f3718fb6 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 115 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 105 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0064], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 07e5], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 168 to 10.0.0.1 port 1645 EAP-Message = 0x010b040019c000000822160301002a020000260301497086db60e12c9924404ff788961547d874e6363afae4b14f3b98fadc6ba7cb00002f0016030107e50b0007e10007de00037d3082037930820261a003020102020101300d06092a864886f70d0101040500307a310b3009060355040613024855310f300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403130e4575726f776179202d2074657374301e170d3039303131343131343532325a170d31393031313231 EAP-Message = 0x31343532325a306d310b3009060355040613024855310f300d0603550408130652616469757331123010060355040a13094575726f776179436f311730150603550403130e4575726f776179202d20746573743120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d28aa07953ca400f01cf32debbc9e44a34b6691ea0d130f7208e3b67addf8f4c375917c3e6cd5029eeafee298fc54dab97b0909967b77bde6eccecef7d9872c33f8b8a3dff873504ea02b2a114409ce3a82efdab4ad37bd21d8d1832e08a5fb4a84cf09e81a0c2 EAP-Message = 0x4916598ceee0d98ac4aaa54e1efe127b33d03895c3078dc1c03549403ee4ff4395e354d9a43d3bf54adf51a754ea7bbd9f1cdfb63320bcd838ab8e634a1d2c6185605a6b3d99ac5422f4c8dabea575caaeb2e3826849c4cf40344614e4e7cb7ddeaae82412a2c83dce36b7b356bbfbdfddba3245403954b53f23d0a7df58b5a4cefa4441dd1b9289c74c81d08433a5390f5f3a2a2b63a6aac50203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010067ec221461a27d061d5b56b04dafc6abacb96bed188944064ed1dd20f786c59c4bab761106ee2f7e14786db9767b9dad77bd EAP-Message = 0xc28a44140e19ec0ac5dabb2a4b2e31287cd507e30259378e4ede0024256090a2c9a28be0e3278b4e94c92545c89f4c650b0dc2e51b6c651ac691cf83026ae629d71c81d09f122d5f004c1805e55dcf32220f934a7701da8c200d7462477fac41018103aed3eeca37916241296df05069991e4d4fb82eec1a86f81b6de6db1dc805ed9f023dc6a914990e48dbc2983baeb6c58469aeb85bad3f58affe1fb5fa51596213a45581af22a8a5c0bdc62f1d02041ea78cdd8b0481c3af9ce58903e376f79bbb6f61837ef3dfbad8e5c2e100045b308204573082033fa003020102020900beb5e5e3c2e2e2c7300d06092a864886f70d0101050500307a310b30 EAP-Message = 0x09060355040613024855310f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x098c4fcb0b8756f82cd96723f3718fb6 Finished request 18. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=169, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0x5d5691d12dd6b1a4449785c5ddcaf5c5 EAP-Message = 0x020b00061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0x098c4fcb0b8756f82cd96723f3718fb6 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 11 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 169 to 10.0.0.1 port 1645 EAP-Message = 0x010c03fc1940300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403130e4575726f776179202d2074657374301e170d3039303131343131343531345a170d3139303131323131343531345a307a310b3009060355040613024855310f300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403 EAP-Message = 0x130e4575726f776179202d207465737430820122300d06092a864886f70d01010105000382010f003082010a0282010100bc9d773453aaedb311ec7dc7b7852ec03f93af8a86861b3f2328a3bc3cadcfb6f2a915d02c5731049e1518cd6a4bbb1174ff92e2bba1467e1c92c2de0c2fce122fcb66c84991ec9fa1c4889adf3bec2eaa5aa5049c36dccb7d35f5f1e5875e6d6159b23c928984a92acb3ae5f7993a24f8361e91539f81ed172f0cc8809d7296284cfc8ee01071afadbf69591aac279bfc2e322de8026928ce694460650a648cf05d02780daaa36de7c228c6642749778c465013d0473446e01e4ff54783ddd4ff420579650849cc01b36f8f EAP-Message = 0xb064292f52908af59613bb036d4fa9d4238fd2f16551c7858135f6c83d0e12ae11efc69893cf41ffea005da3ac74f072bbc0a3c70203010001a381df3081dc301d0603551d0e04160414bc5ec9fbde34a408aeda44ef1ecdbd6304016b3b3081ac0603551d230481a43081a18014bc5ec9fbde34a408aeda44ef1ecdbd6304016b3ba17ea47c307a310b3009060355040613024855310f300d06035504081306526164697573310b300906035504071302425031123010060355040a13094575726f776179436f3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d311730150603550403130e4575726f776179202d EAP-Message = 0x2074657374820900beb5e5e3c2e2e2c7300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010094f59def54e587375833239b06ce0ea628a11bb58e12499fef6d20bfe3bac19d9ac3aadfff76d26c6f392474c732c527c235b837fa9fbba935359a08d780700461e497a14ffd764057e152fdee967b43f6c7415f100d6c4e66881438114ab7e412ce0adb505e596ac4122d8a0a659fd675c56f454af1ac26078503542be3a72aa435196164adcf5b5982cd11b34c37b125259fa1972af2ad72882c399d674ee93e1369fae737b202821d101770c874653b4f8e92e989eaf595c6d6d25f60bef66a1176165441646dbf4df2 EAP-Message = 0x11cab218fa8f4e66 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x098c4fcb0a8056f82cd96723f3718fb6 Finished request 19. Going to the next request Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=170, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0xee115d56b2b421fb3b83d6291435142b EAP-Message = 0x020c00061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0x098c4fcb0a8056f82cd96723f3718fb6 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 170 to 10.0.0.1 port 1645 EAP-Message = 0x010d003c1900a582e6941e00fef6b97e9eb7c20a7f351fc3c8189718bac754032bc32558e95901f3e92f70956a450525bf4c2a16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x098c4fcb0d8156f82cd96723f3718fb6 Finished request 20. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 1645, id=171, length=136 User-Name = "hege" Framed-MTU = 1400 Called-Station-Id = "001f.6ca9.4240" Calling-Station-Id = "001f.3cae.fb9d" Service-Type = Login-User Message-Authenticator = 0xfea20039d4ddf45f02b0b94dfa8e4174 EAP-Message = 0x020d00061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 317 State = 0x098c4fcb0d8156f82cd96723f3718fb6 NAS-IP-Address = 10.0.0.1 NAS-Identifier = "ap" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "hege", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 13 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 171 to 10.0.0.1 port 1645 EAP-Message = 0x010e00061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x098c4fcb0c8256f82cd96723f3718fb6 Finished request 21. Going to the next request Waking up in 0.6 seconds. Cleaning up request 16 ID 166 with timestamp +875 Cleaning up request 17 ID 167 with timestamp +875 Cleaning up request 18 ID 168 with timestamp +875 Waking up in 1.1 seconds. Cleaning up request 19 ID 169 with timestamp +876 Waking up in 1.4 seconds. Cleaning up request 20 ID 170 with timestamp +878 Waking up in 1.6 seconds. Cleaning up request 21 ID 171 with timestamp +879 Ready to process requests. If I use TLS in the eap module
The authentication with TLS works fine if i install the certificate on the client.(just for test)
I cannot install the client certificate on all client system(some reason -no admin access-) = > i want use eap-ttls or peap for authentication cos it doesn't use certificate, no need install.
how can I set it up? I try change the eap modul: default_eap_type = ttls or peap but not works, auth stops (no reject or accept)
what is the problem?
Well you do need CA certificate if it is self-signed. Or uncheck "Verify server certificate" in PEAP properties when you are creating the connection. Ivan Kalik Kalik Informatika ISP
participants (2)
-
Hegedus Gabor -
tnt@kalik.net