TLS fatal access_denied
Hi I am using eap-ttls and when I try to connect from Windows XP the ouput in radius server iis as follows: Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1031, id=55, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020200060319 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x496c1c12e0905d753f98f90dc4b0c2b2 Message-Authenticator = 0x11ec47975956d7defc19bff62d79430e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 26 modcall[authorize]: module "preprocess" returns ok for request 26 modcall[authorize]: module "chap" returns noop for request 26 modcall[authorize]: module "mschap" returns noop for request 26 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 26 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 26 users: Matched entry test at line 62 modcall[authorize]: module "files" returns ok for request 26 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 26 modcall: leaving group authorize (returns updated) for request 26 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 26 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 26 modcall: leaving group authenticate (returns handled) for request 26 Sending Access-Challenge of id 55 to 10.30.1.151 port 1031 Reply-Message = "Hola test" EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xea0d4efbb9ef49d8de3c3f6d3ebc1769 Finished request 26 Going to the next request Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1031, id=56, length=187 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0203005019800000004616030100410100003d0301470fd5afa0768f1bf04970318849fc7a7839fb43ed9ed9cfe0317b2564ef140200001600040005000a000900640062000300060013001200630100 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xea0d4efbb9ef49d8de3c3f6d3ebc1769 Message-Authenticator = 0x123ab7c62b0dcf0192516c84f15ed8a5 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 27 modcall[authorize]: module "preprocess" returns ok for request 27 modcall[authorize]: module "chap" returns noop for request 27 modcall[authorize]: module "mschap" returns noop for request 27 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 27 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 27 users: Matched entry test at line 62 modcall[authorize]: module "files" returns ok for request 27 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 27 modcall: leaving group authorize (returns updated) for request 27 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 27 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0516], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 27 modcall: leaving group authenticate (returns handled) for request 27 Sending Access-Challenge of id 56 to 10.30.1.151 port 1031 Reply-Message = "Hola test" EAP-Message = 0x0104040a19c000000573160301004a020000460301470e8458d181472ae6cb4c0cfd0aec460eabff70cefd31a7148291ed16b1d08720d5575fe66c35bfc84e095a83aa4e3a30c0134dc29308b7af2417fd43f32a0a9900040016030105160b00051200050f00050c30820508308203f0a003020102020109300d06092a864886f70d010104050030818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311e301c06 EAP-Message = 0x035504031315436572746966696361746520417574686f72697479301e170d3037303130343230303132325a170d3131303130333230303132325a30818d310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d656e746f20646520436f6d756e69636163696f6e6573311d301b06035504031314737065637472756d2e70616c65726d6f2e65647530820122300d06092a864886f70d01010105000382010f003082010a02820101009fb7de37d68086cd8ddaccf857dc922a55 EAP-Message = 0x69d7105ec847db6bbe727aea4e583562dbc26949b48ef40cb17c256cf16ed6f6c3f5a605300ecc9329eaaee6e885a29d0078a07f3e436bed28c75db21f09f5ea85e6e8f65d00082ca44e7778f490ef7bbec2c6180d537dae3efec79ad3729a2410969902b3a92912e41e18294937c985e87c3f3504b039d84af22c0ab958a2104d41a299fcf28ee2c400ebc2d3b4e4071d697e2454b05e9145f3b87b806b50f4cd0efb13039c33ed3829cbf25f9af6a1a9537aa97ed42882694511cfc27014a7ce9d36cfdb93a0f68af3662823b2d70dbedd445b15f5e07444fc105e4a257548cce119b14166b663b4f68245c1191f0203010001a382016e3082016a30 EAP-Message = 0x090603551d1304023000301106096086480186f8420101040403020640300b0603551d0f0404030205e0302c06096086480186f842010d041f161d50616c65726d6f2047656e657261746564204365727469666963617465301d0603551d0e0416041424fcec6f0e868f46fc8e3d117be23c01307355203081bb0603551d230481b33081b08014fd77533bb6a66d1e3b48bfb5d21501d829ddf469a18194a4819130818e310b3009060355040613024152311530130603550407130c4275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f31273025060355040b131e446570617274616d65 EAP-Message = 0x6e746f20646520436f6d756e69636163696f6e657331 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfed980e3ba92486eab6d27db87544c2d Finished request 27 Going to the next request Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1031, id=57, length=113 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x020400061900 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xfed980e3ba92486eab6d27db87544c2d Message-Authenticator = 0x5915220b581acc2913bea0a58a74cc9e Processing the authorize section of radiusd.conf modcall: entering group authorize for request 28 modcall[authorize]: module "preprocess" returns ok for request 28 modcall[authorize]: module "chap" returns noop for request 28 modcall[authorize]: module "mschap" returns noop for request 28 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 28 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 28 users: Matched entry test at line 62 modcall[authorize]: module "files" returns ok for request 28 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 28 modcall: leaving group authorize (returns updated) for request 28 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 28 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 28 modcall: leaving group authenticate (returns handled) for request 28 Sending Access-Challenge of id 57 to 10.30.1.151 port 1031 Reply-Message = "Hola test" EAP-Message = 0x0105017919001e301c06035504031315436572746966696361746520417574686f72697479820101303206096086480186f84201040425162368747470733a2f2f777777732e70616c65726d6f2e6564752f63612f63726c2e70656d300d06092a864886f70d01010405000382010100b2f0e85d815bfc024ef1b5269faa0a99de6bcbd537ab0f36e2bbf79afa4d1d958901c0a6df5fda13dd248cc05421f38b3aa82aede606a05ab6808ea86c631ce3d6a91fc2d3a2d956671c5014adc013c264e18e7fef1b82fa8f5e965b5f112888b10f416d4ce35a37bea4486d9f2060a5c541421d2ca1d0546423ad507ad67219a2f5a3459719204113de574dc7 EAP-Message = 0x1a1e154877647e7d5110a038d05249277e7db298b4f5929ae3075bcb26a2de63d0fcb0bb09d93909e8ed2cc4bec19e499b5891750feb425d1f9dbafb9fcae681a02b0d683e72bfd0bd27c5abbf893cb51802f952165410eeb912f334863f020c800f061227a39529cf7c65bb81ae508610ca7b16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x93350c01179beee7339c64d8cb40746f Finished request 28 Going to the next request Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1031, id=58, length=429 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0205014019800000013616030101061000010201004f6f2b51d96df9fbce202c27dd64b32fe239c2a7b872b49ecf206faa1fb11ae27d604a3092aa39bccf5f27bdabaf03cf119a217884a1b1611d8251a084dbe9a0e3968f17de1e27aa49398f5e5f10990c64be22a7d770e16e0682ab0e17092e1670c19fa1cba57d818c5f2da5af546eafec6d8d1852763970120e3ad1fc5df15e55fc6e086384280137f2208411f01816d81f4042a954efd8355e9f0ee89cd174e3d00438e89589b9bdf10d4a5851c51c738a5489a47ee5bcf3664f79b67a64949ef50dcfc382917654f1c6da2faa96e8b3d91212a589f65a7f4cc7c6d06b06604af7de927d28f6d4 EAP-Message = 0xd9ac56a2752efc9126c03a21226807ea7faa601a37a3c56a1403010001011603010020f8b221aeffd0aa7bcad9675b55a4d07cdc6c363cd9a5b4a10da12349cd425557 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0x93350c01179beee7339c64d8cb40746f Message-Authenticator = 0x4469eb9d0d17398edd90a2e638bf0b99 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 29 modcall[authorize]: module "preprocess" returns ok for request 29 modcall[authorize]: module "chap" returns noop for request 29 modcall[authorize]: module "mschap" returns noop for request 29 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 29 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 29 users: Matched entry test at line 62 modcall[authorize]: module "files" returns ok for request 29 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 29 modcall: leaving group authorize (returns updated) for request 29 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 29 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 29 modcall: leaving group authenticate (returns handled) for request 29 Sending Access-Challenge of id 58 to 10.30.1.151 port 1031 Reply-Message = "Hola test" EAP-Message = 0x01060031190014030100010116030100209b2cb1197db813a76c4e9ba9e135b4ae047a186da5890006b757c6f3f387f10c Message-Authenticator = 0x00000000000000000000000000000000 State = 0xad86ab92847abf65daa2c4174fcaa327 Finished request 29 Going to the next request Waking up in 3 seconds... rad_recv: Access-Request packet from host 10.30.1.151:1031, id=59, length=140 User-Name = "test" Calling-Station-Id = "00-0e-35-bf-51-18" EAP-Message = 0x0206002119800000001715030100121e4a51c221fd4fcdf3d307619f1676963db5 Framed-MTU = 1287 NAS-IP-Address = 192.168.1.1 NAS-Port = 0 NAS-Port-Type = Wireless-802.11 State = 0xad86ab92847abf65daa2c4174fcaa327 Message-Authenticator = 0x4a9ed2d5270ef65cd5444a241c322946 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 30 modcall[authorize]: module "preprocess" returns ok for request 30 modcall[authorize]: module "chap" returns noop for request 30 modcall[authorize]: module "mschap" returns noop for request 30 rlm_realm: No '@' in User-Name = "test", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 30 rlm_eap: EAP packet type response id 6 length 33 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 30 users: Matched entry test at line 62 modcall[authorize]: module "files" returns ok for request 30 rlm_pap: Found existing Auth-Type, not changing it. modcall[authorize]: module "pap" returns noop for request 30 modcall: leaving group authorize (returns updated) for request 30 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 30 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied rlm_eap_peap: No data inside of the tunnel. rlm_eap: Handler failed in EAP/peap rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 30 modcall: leaving group authenticate (returns invalid) for request 30 auth: Failed to validate the user. Delaying request 30 for 1 seconds Finished request 30 Going to the next request Waking up in 3 seconds... Why can this happen? Thanks in advance! -- -- Sergio Belkin -
2007/10/11, tnt@kalik.co.yu <tnt@kalik.co.yu>:
How sure are you that you are using EAP-TTLS?
rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap <==
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am pretty sure because I has default_eap_type = ttls. I've just fixed, it was a problem of certificates... thanks- -- -- Sergio Belkin -
participants (2)
-
Sergio Belkin -
tnt@kalik.co.yu