Hi, i installed the aktual version of freeradius on a debian system and generated a CA und server/client certificates with TinyCA2. I want to authenticate the clients using EAP/TLS. But now i get this output of freeradius and freeradius freezes at this point. Can someone tell me why this happens? Sending Access-Challenge of id 22 to 192.168.1.252:1326 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x0117040a0dc0000011da95300f0603551d130101ff040530030101ff301106096086480186 f842010104040302010630090603551d1204023000302b06096086480186f842010d041e161c 54696e7943412047656e65726174656420436572746966696361746530210603551d11041a30 18811643412d52616469757340616b2d7365727665722e6465300b0603551d0f040403020106 300d06092a864886f70d010105050003820201002cb7d2ab56adb9d5a348a6bc0391ecbd8f53 215ca3ad83c74730cba78bcb0f36800f71f9c9e672b5ad761fddb06f72075715ad686dd6e31c 496c015847927af98a5820860004122fd22eba64dbffe46d8def EAP-Message = 0x4dfd2195d70b313f472b31e0dec0d39f08e95d9c6ee43b060954e7cda70492fb473698daca 42a3a76e07601ecc9d746ea3eac2daa4da050dd21d1c8daebf845abc3daa199a3fb35c5fc6c8 76d312b8c90775a6de01092e337da7ccb155f9e67713b1e3a8c171b3663256e60f25e009c9aa 454db5299ed3de9ac280eca445f57ab53be98287d63540631085c9a166904842e44d4ff63e69 1c86590ff95319bf1370f7f5f1f8eaa331403588e2bda2bb2d6750e3a769fe878e9723ab0f89 03deab637a6d83fe77f79f89af7dbb7578d511033d01b0f5455b016503582ca56fcc79142ff1 551abab18e9f76a71e148838d7036db5de29a4f6bc4598daffd1 EAP-Message = 0x199ad4d07da7e11c82f03f6895c1b3941139eadf341ce19d3edbfd1bac3719b5f7eb22c5ba 729d58c553ce72adb9af2e92edc34381b42c83c755bafa8442f28d5c574c8a9827938605f397 110186c84e34d13bbd8fc322f58808f7f556518d19f93c42678f12acf01f3f1ab70834b2baa1 cc461bdc970e0f942ea57f1b3913e55cca966066c00c504d12e8d22a81d0daee14c4e08165a8 71d33373b49037fe596fc987f47dfbea4343b2cad19053e50d95160301028d0c0002890040be 4f362c2e1dd2744e7c980ee5d9a708e9075935767ee7fecb9a91b67b0e1611eb5acc1d7d3224 8195513d17734004d37cc721d59ed25d08a48a2164361419e300 EAP-Message = 0x010500400a294a0f089a763d7338d32e2f8c633b1e186a316091c678c314a1afb16ceb2b57 090b5a068d36c54ff061e5ab76b4a969c88a0f7590aefef1b56512aebf5c2e02006572fd3a81 faa03031a8dee67d18ee0625b873e37ede370854c4a7ee122ad3206d97e0ef365299eac3baa8 d8bf6af223058628d5660da500e81a906cc044ef2f3ec59a7373f447e46e5ad84aaa0d373a19 88f0cf6b647bcfb913d6607fc88e0287f201fc3ddc563921460daf1ed27988e407e65c2ea2b2 5173a95d2db5bda931ae2b9e8a5605d82e1331e3a091ee29029aa8218efb3c883da22208b556 120a3e85a96206a29a8951e050439b350e932836667981dbd617 EAP-Message = 0x6d69bed85ccfa622102bcfe18acfe16c40c119ba45dc Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd18c60556f39fcd47f7a825bbd1b5a27 Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.252:1327, id=23, length=130 User-Name = "Kraemer.Armin" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0xd18c60556f39fcd47f7a825bbd1b5a27 EAP-Message = 0x021700060d00 Message-Authenticator = 0xe4c3119fa2de7a9cc9e9a4ec080c3826 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "Kraemer.Armin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 23 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 6 modcall: group authorize returns updated for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: group authenticate returns handled for request 6 Sending Access-Challenge of id 23 to 192.168.1.252:1327 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x011801e40d80000011dae39d887a37fabeb64fa534c3ada7c58edf92a99adfde716787b84f ef17d5007ad72883d0fd743a1926baf7d95d062d8c5e337ede1f27d1101c6ab6b6a5d3991ba8 d127adf3c6464e91b48821d5e43e64a7901c76ce3e9a5da9e18cce9d73b2c7d6d4ddd72cffdc 348c2097f2fbbd393583873fc6a1b22addaa53d7839ded2b0f4a096b0d29280d894975dcdfc0 dd7bcf294fb1d4f11b7c7c1163ff7b72e9bd3b8a00327c13f7058160a7ea61ef7d1158f488f0 2e28882082469c1597b703c6c0627f70decff409e9ca4d113c11e9ee491600e317f08ca7ea67 a91a5f391c2bac855875743599ed715db1c1f638d4f36396ee08 EAP-Message = 0xf4107a7c5872a3ee6beeff50d48659237c3cae753cbf7a237fcbdd0ccf70d3b6dc357e8912 0931f0103a4f30b653acba303e12772b5b52c98354c22ffab4e50916030100a20d00009a0403 0401020093009130818e310b3009060355040613024445310e300c0603550408130542615775 65310d300b060355040713044b65686c31173015060355040a140e46616d6c69655f4b726165 6d6572310b3009060355040b13024954311330110603550403140a4541502d544c535f434131 25302306092a864886f70d010901161643412d52616469757340616b2d7365727665722e6465 0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x54581dba1086732b25cb0cb40ef1191d Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.1.252:1328, id=24, length=141 User-Name = "Kraemer.Armin" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x54581dba1086732b25cb0cb40ef1191d EAP-Message = 0x021800110d80000000071503010002022e Message-Authenticator = 0xb63955ca477f1467fdb23903d11cfcda Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "Kraemer.Armin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 24 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 7 modcall: group authorize returns updated for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown TLS Alert read:fatal:certificate unknown TLS_accept:failed in SSLv3 read client certificate A 30107:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46 30107:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 7 modcall: group authenticate returns reject for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 192.168.1.252:1328, id=24, length=141 Sending Access-Reject of id 24 to 192.168.1.252:1328 EAP-Message = 0x04180004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 1 ID 18 with timestamp 43afecd0 Cleaning up request 2 ID 19 with timestamp 43afecd0 Cleaning up request 3 ID 20 with timestamp 43afecd0 Cleaning up request 4 ID 21 with timestamp 43afecd0 Cleaning up request 5 ID 22 with timestamp 43afecd0 Waking up in 1 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 23 with timestamp 43afecd1 Cleaning up request 7 ID 24 with timestamp 43afecd1 Nothing to do. Sleeping until we see a request. Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9831ff3ccc7728edaf1d4355ba4d86a3 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.252:1326, id=22, length=130 User-Name = "Kraemer.Armin" NAS-IP-Address = 192.168.1.252 NAS-Identifier = "acess_point_siemens" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0x9831ff3ccc7728edaf1d4355ba4d86a3 EAP-Message = 0x021600060d00 Message-Authenticator = 0xa2a46a1306f46b8c0c6fcce6b647e566 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "Kraemer.Armin", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 22 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 5 modcall: group authorize returns updated for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: group authenticate returns handled for request 5
=?iso-8859-1?Q?Armin_Kr=E4mer?= <Kraemer.Armin@web.de> wrote:
i installed the aktual version of freeradius on a debian system and generated a CA und server/client certificates with TinyCA2. I want to authenticate the clients using EAP/TLS. But now i get this output of freeradius and freeradius freezes at this point. Can someone tell me why this happens?
The client certificate isn't signed by the server cert. Alan DeKok.
Hmmm... like i said i generated that Certifikate with TinyCA2. If you generate the certifikates with TinyCA2 ist automatically signs it. I only have to export the Client Certifikate to PKCS12 format for my XP machine. Could you tell me what there could go wrong? Thanks, Armin =?iso-8859-1?Q?Armin_Kr=E4mer?= <Kraemer.Armin@web.de> wrote:
i installed the aktual version of freeradius on a debian system and generated a CA und server/client certificates with TinyCA2. I want to authenticate the clients using EAP/TLS. But now i get this output of freeradius and freeradius freezes at this point. Can someone tell me why this happens?
The client certificate isn't signed by the server cert. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
=?iso-8859-1?Q?Armin_Kr=E4mer?= <Kraemer.Armin@web.de> wrote:
generate the certifikates with TinyCA2 ist automatically signs it. I only have to export the Client Certifikate to PKCS12 format for my XP machine. Could you tell me what there could go wrong?
No idea, sorry. The "unknown certificate" error is generated by OpenSSL. I suggest reading their documentation to see when, and why, that error occurs. All I know is I use the scripts that come with FreeRADIUS to create certs, and EAP-TLS works. Alan DeKok.
participants (2)
-
Alan DeKok -
Armin Krämer