As a followup to my previous msg. I guess I should have added the debug log already there. Anyway, here is the debug log and as you can see I get an unknown CA error. However I got all certs in the correct location on the freeradius server. Anyone know how to fix this? Running freeradius 1.0.5 with PEAP/MS-CHAPv2 rad_recv: Access-Request packet from host 192.168.2.4:21665, id=181, length=138 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0004.2357.ab9d" Message-Authenticator = 0xa284452031cc71ac7722c75272190189 EAP-Message = 0x0201000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 497 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 165 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 181 to 192.168.2.4:21665 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x45fc39656c1e7d8704c7761797a46146 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21665, id=182, length=248 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0004.2357.ab9d" Message-Authenticator = 0x1b57e23083b00190c6267515556bb225 EAP-Message = 0x0202006a198000000060160301005b01000057030143fb10d40a705517a5520974d156590946932ddea339e2527d91f3e0bf30400200003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 NAS-Port-Type = Wireless-802.11 NAS-Port = 497 State = 0x45fc39656c1e7d8704c7761797a46146 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 165 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 182 to 192.168.2.4:21665 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0103040a19c0000007c3160301004a02000046030143fb125a187c9d3e464e794df8ba58186389c1dd88c02f3d863cf77d8cd02d5f203da3113d0277508494cd6bd10c8e20eb05da7032de148ca065b4b3801f168c6c00390016030106540b00065000064d0002b3308202af30820218a003020102020900b646b246bff02a86300d06092a864886f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963 EAP-Message = 0x617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f7374301e170d3035313032363132333432385a170d3036313032363132333432385a30818b310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a667265657261646975733119301706035504031310526f6f74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430819f300d06092a864886f70d010101050003818d0030818902818100eead5285b5e9f7b939a2dfc1b7fef60a EAP-Message = 0xbd055de0ba27b2ef81244e0eabad60241727ff5fc724f36147d08ea5f9e3f0110dfb5a2397c3906a00ab8eb28509e4a672b2c948c0b8007785f550b3908c2f49d7a113d6e7198d9606e567fc38be816fb2acf60f18bfe56d0617ff7e651439ce9c8ed40363b5b1e4d0d96f59a468a6650203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000381810050aa5f1713a5025d21f128094104579eb85a9ded57072baf72b2c0e3fbea766eb53c62e9bc2a5d1bc22f2615cc1fe88487e2d0b7e5eaa045a8ae1734a85f28e6cd70d3340c2a51bfe7b974c13b9a1a4abebe373312d1d4b987e32368 EAP-Message = 0x1edad7e4a54456fd7989e901485e9f2fcf7e8ed8e57fae97fb2fdd1fba5a50c683b7da7f00039430820390308202f9a003020102020900b646b246bff02a84300d06092a864886f70d010104050030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f7374301e170d3035313032363132333432335a170d303731303236313233343233 EAP-Message = 0x5a30818d310b3009060355040613024e4f310d300b06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x515242558a4574a078cacb1b266de363 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21665, id=183, length=148 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0004.2357.ab9d" Message-Authenticator = 0x017aef237dc27ad66de21013a4da5bdc EAP-Message = 0x020300061900 NAS-Port-Type = Wireless-802.11 NAS-Port = 497 State = 0x515242558a4574a078cacb1b266de363 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 165 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 183 to 192.168.2.4:21665 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x010403c919000355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430819f300d06092a864886f70d010101050003818d0030818902818100bb9dc7f9a6b879ddde091ded35f3137693d1a9fa9d2e2f1e20e1e49c9daf077fd1c4066e8e409eda68baac046ff390baedad93e603fdde73046df106c9c3775eb0e024a2682faf6469e778758b9c782a11ad0dcc25edca8f9efdee96ccc1bc EAP-Message = 0x84850d853d4435da9ab22ec6c3dc4e6d9137e0ec36d705c923055aa8b900d833350203010001a381f53081f2301d0603551d0e04160414227f0709429785a3169b9817627cd456d617f2283081c20603551d230481ba3081b78014227f0709429785a3169b9817627cd456d617f228a18193a4819030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c EAP-Message = 0x6f63616c686f7374820900b646b246bff02a84300c0603551d13040530030101ff300d06092a864886f70d0101040500038181001fb7ec3488fd3b6349d6cc33b5c6451ce1c2e8ef8db6f4818cd017991f9649141c1767553c20303e262fec4bb351cda19b403bab78aa37236ffc78dace1a39089ff037eb911a5133bc6b1f0275cc9e68bc4c8f487a4d2cdc8e706134e512d7e715ca81c5a7bb6cc668ca8181e898befeab40773de8f3eb6629ecd2c79d5f74f1160301010d0c0001090040bd26276ade89a82c9cc4fa1af559608f7824b64ef630bdf0368d885e300720c516da851d828b40f658ffbd6060bb0b6d23e138a280c51e9944d23bc69d73 EAP-Message = 0xe66f0001050040092d106c2ef3689a643d3fd076a14b3f75be6fbdd0c08e7950f20922dc73fa64fea8a5f44012c4af669f46185e95158f91ad4e170982febc5766ebf47a7a13cc008005fa59ad40eaf289554204e2db05a7e7c535bc610447faaadf40f28ac719adf683be4ef8296ff9cc0ab7f51ce6965d39d278572fb8be1525d6ad57fa5fa44c34451ee24c7922a06fdc1faef6e6a75bd403f4e9944f30095956efc433833743448b80cec60e0d066a9b15f4b1d34c8565f43b8bb68504359ae2c972524473e56216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9d32410c0e854c04a4f03aacb11e72d7 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21665, id=184, length=159 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "000e.8401.cd50" Calling-Station-Id = "0004.2357.ab9d" Message-Authenticator = 0x0f8b658442d58b4085f9b405518cdf41 EAP-Message = 0x0204001119800000000715030100020230 NAS-Port-Type = Wireless-802.11 NAS-Port = 497 State = 0x9d32410c0e854c04a4f03aacb11e72d7 Service-Type = Framed-User NAS-IP-Address = 192.168.2.4 NAS-Identifier = "AP1100-D2" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 165 users: Matched entry DEFAULT at line 184 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 11457:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48 11457:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 3 modcall: group authenticate returns reject for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.2.4:21665, id=184, length=159 Sending Access-Reject of id 184 to 192.168.2.4:21665 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Cleaning up request 0 ID 181 with timestamp 43fb125a Cleaning up request 1 ID 182 with timestamp 43fb125a Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 183 with timestamp 43fb125b Cleaning up request 3 ID 184 with timestamp 43fb125b Nothing to do. Sleeping until we see a request. Regards, Torkel -----Opprinnelig melding----- Fra: freeradius-users-bounces+torkel.mathisen=bbs.no@lists.freeradius.org [mailto:freeradius-users-bounces+torkel.mathisen=bbs.no@lists.freeradius.org] På vegne av Torkel Mathisen Sendt: 17. februar 2006 09:59 Til: FreeRadius users mailing list Emne: Any Trusted CA problem Hi, I run freeradius 1.0.5 with PEAP/MS-CHAPv2 authentication through the users file. I got a problem with the "Any Trusted CA" part on some of my clients. Some of the clients can't uncheck that option in the driver and then they won't be able to use the WLAN, because it tries to contact a CA. Is there any way around this problem? Regards, Torkel - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"Torkel Mathisen" <torkel.mathisen@bbs.no> wrote:
Anyway, here is the debug log and as you can see I get an unknown CA error. However I got all certs in the correct location on the freeradius server.
The issue isn't the server certificates.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A ...
The client certificate isn't signed by any CA that the RADIUS server knows about. The solution is to not use client certificates for PEAP. Or, to ensure that the CA cert that the server has is the one you used to sign the client certs. Alan DeKok.
participants (2)
-
Alan DeKok -
Torkel Mathisen