EAP failure when using production certificates
I am attempting to setup a freeRADIUS server in a lab environment on Ubuntu 18.04. This server is used to test a WPA supplicant implementation on a piece of portable hardware. I feel reasonably confident the supplicant and nas (Cisco 2950) are configured correctly. I am very much unfamiliar with freeradius - that means I could get pretty far using the available documentation until I ran into trouble. Now I have no idea what to do. Everything seems to be working according to the guide up until making production certs. I have performed eapol_test tests using the snakeoil certs. Note: I have created the user "bob" and still have the pwd "hello" at the top of my "users" file. I am using user "bob" and pwd: "hello" when I attempt to connect from the supplicant When I create production certs (deployingradius.com instructions) and attempt to authenticate I see the following error (log is followed by excerpts of my .cnf files): ________________________________________________________________________________________ (5) Received Access-Request Id 95 from 192.168.1.150:1812 to 192.168.1.77:1812 length 133 (5) NAS-IP-Address = 192.168.1.150 (5) NAS-Port = 50006 (5) NAS-Port-Type = Ethernet (5) User-Name = "anonymous" (5) Called-Station-Id = "00-19-55-14-71-86" (5) Calling-Station-Id = "00-0E-CC-01-00-12" (5) Service-Type = Framed-User (5) Framed-MTU = 1500 (5) EAP-Message = 0x0200000e01616e6f6e796d6f7573 (5) Message-Authenticator = 0xf874795e57a7144af1993e43a9137bb2 (5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (5) suffix: No such realm "NULL" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 0 length 14 (5) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) authenticate { (5) eap: Peer sent packet with method EAP Identity (1) (5) eap: Calling submodule eap_md5 to process data (5) eap_md5: Issuing MD5 Challenge (5) eap: Sending EAP Request (code 1) ID 1 length 22 (5) eap: EAP session adding &reply:State = 0x4cc7d48a4cc6d040 (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (5) Challenge { ... } # empty sub-section is ignored (5) Sent Access-Challenge Id 95 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (5) EAP-Message = 0x01010016041080eea1bd20abc6b82a858b58e295682d (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x4cc7d48a4cc6d0402157ab210e499381 (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 96 from 192.168.1.150:1812 to 192.168.1.77:1812 length 143 (6) NAS-IP-Address = 192.168.1.150 (6) NAS-Port = 50006 (6) NAS-Port-Type = Ethernet (6) User-Name = "anonymous" (6) Called-Station-Id = "00-19-55-14-71-86" (6) Calling-Station-Id = "00-0E-CC-01-00-12" (6) Service-Type = Framed-User (6) Framed-MTU = 1500 (6) State = 0x4cc7d48a4cc6d0402157ab210e499381 (6) EAP-Message = 0x020100060319 (6) Message-Authenticator = 0x879827383b947031784d9d31f879a0be (6) session-state: No cached attributes (6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [preprocess] = ok (6) [chap] = noop (6) [mschap] = noop (6) [digest] = noop (6) suffix: Checking for suffix after "@" (6) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (6) suffix: No such realm "NULL" (6) [suffix] = noop (6) eap: Peer sent EAP Response (code 2) ID 1 length 6 (6) eap: No EAP Start, assuming it's an on-going EAP conversation (6) [eap] = updated (6) [files] = noop (6) [expiration] = noop (6) [logintime] = noop Not doing PAP as Auth-Type is already set. (6) [pap] = noop (6) } # authorize = updated (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0x4cc7d48a4cc6d040 (6) eap: Finished EAP session with state 0x4cc7d48a4cc6d040 (6) eap: Previous EAP request found for state 0x4cc7d48a4cc6d040, released from the list (6) eap: Peer sent packet with method EAP NAK (3) (6) eap: Found mutually acceptable type PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: Initiating new TLS session (6) eap_peap: [eaptls start] = request (6) eap: Sending EAP Request (code 1) ID 2 length 6 (6) eap: EAP session adding &reply:State = 0x4cc7d48a4dc5cd40 (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (6) Challenge { ... } # empty sub-section is ignored (6) Sent Access-Challenge Id 96 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (6) EAP-Message = 0x010200061920 (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x4cc7d48a4dc5cd402157ab210e499381 (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 97 from 192.168.1.150:1812 to 192.168.1.77:1812 length 337 (7) NAS-IP-Address = 192.168.1.150 (7) NAS-Port = 50006 (7) NAS-Port-Type = Ethernet (7) User-Name = "anonymous" (7) Called-Station-Id = "00-19-55-14-71-86" (7) Calling-Station-Id = "00-0E-CC-01-00-12" (7) Service-Type = Framed-User (7) Framed-MTU = 1500 (7) State = 0x4cc7d48a4dc5cd402157ab210e499381 (7) EAP-Message = 0x020200c81980000000be16030100b9010000b50303cf55ef6b065e75187d44a00b78abdd5a9ee6ee2df1619e75404464ed71f1fe10000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (7) Message-Authenticator = 0x21101c165e65a656d50272c5b281668d (7) session-state: No cached attributes (7) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (7) authorize { (7) policy filter_username { (7) if (&User-Name) { (7) if (&User-Name) -> TRUE (7) if (&User-Name) { (7) if (&User-Name =~ / /) { (7) if (&User-Name =~ / /) -> FALSE (7) if (&User-Name =~ /@[^@]*@/ ) { (7) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (7) if (&User-Name =~ /\.\./ ) { (7) if (&User-Name =~ /\.\./ ) -> FALSE (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (7) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (7) if (&User-Name =~ /\.$/) { (7) if (&User-Name =~ /\.$/) -> FALSE (7) if (&User-Name =~ /@\./) { (7) if (&User-Name =~ /@\./) -> FALSE (7) } # if (&User-Name) = notfound (7) } # policy filter_username = notfound (7) [preprocess] = ok (7) [chap] = noop (7) [mschap] = noop (7) [digest] = noop (7) suffix: Checking for suffix after "@" (7) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (7) suffix: No such realm "NULL" (7) [suffix] = noop (7) eap: Peer sent EAP Response (code 2) ID 2 length 200 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) authenticate { (7) eap: Expiring EAP session with state 0x4cc7d48a4dc5cd40 (7) eap: Finished EAP session with state 0x4cc7d48a4dc5cd40 (7) eap: Previous EAP request found for state 0x4cc7d48a4dc5cd40, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: Continuing EAP-TLS (7) eap_peap: Peer indicated complete TLS record size will be 190 bytes (7) eap_peap: Got complete TLS record (190 bytes) (7) eap_peap: [eaptls verify] = length included (7) eap_peap: (other): before SSL initialization (7) eap_peap: TLS_accept: before SSL initialization (7) eap_peap: TLS_accept: before SSL initialization (7) eap_peap: <<< recv TLS 1.3 [length 00b9] (7) eap_peap: TLS_accept: SSLv3/TLS read client hello (7) eap_peap: >>> send TLS 1.2 [length 003d] (7) eap_peap: TLS_accept: SSLv3/TLS write server hello (7) eap_peap: >>> send TLS 1.2 [length 02de] (7) eap_peap: TLS_accept: SSLv3/TLS write certificate (7) eap_peap: >>> send TLS 1.2 [length 014d] (7) eap_peap: TLS_accept: SSLv3/TLS write key exchange (7) eap_peap: >>> send TLS 1.2 [length 0004] (7) eap_peap: TLS_accept: SSLv3/TLS write server done (7) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (7) eap_peap: TLS - In Handshake Phase (7) eap_peap: TLS - got 1152 bytes of data (7) eap_peap: [eaptls process] = handled (7) eap: Sending EAP Request (code 1) ID 3 length 1004 (7) eap: EAP session adding &reply:State = 0x4cc7d48a4ec4cd40 (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (7) Challenge { ... } # empty sub-section is ignored (7) Sent Access-Challenge Id 97 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (7) EAP-Message = 0x010303ec19c000000480160303003d020000390303a74cffbf343fd7c8b109ec3ea47ccc50fbb5149af11b6a32ca56d993ea01a8c900c030000011ff01000100000b0004030001020017000016030302de0b0002da0002d70002d4308202d0308201b8a003020102021419d6f93d1218741c7f2fa6ede241a78132b401ac300d06092a864886f70d01010b05003011310f300d06035504030c067562756e7475301e170d3232303132363031313931335a170d3332303132343031313931335a3011310f300d06035504030c067562756e747530820122300d06092a864886f70d01010105000382010f003082010a0282010100d656ad371181abcd6dc6f07509488dc77d22f6155af16aa35c5309c976fa9420fb38f8b8cbc39a1c2bb7eb1feabd7b240773e067e3b5549ffa3f5824a69b1b7784c8f4e63aa63a1cf9749dbc3bc5501053c57cb0a2e259cc980310d47f32f306a6606828c81f64df02505498228575742e23311a7b600705c40465800fe7b8ad76d948 (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x4cc7d48a4ec4cd402157ab210e499381 (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 98 from 192.168.1.150:1812 to 192.168.1.77:1812 length 143 (8) NAS-IP-Address = 192.168.1.150 (8) NAS-Port = 50006 (8) NAS-Port-Type = Ethernet (8) User-Name = "anonymous" (8) Called-Station-Id = "00-19-55-14-71-86" (8) Calling-Station-Id = "00-0E-CC-01-00-12" (8) Service-Type = Framed-User (8) Framed-MTU = 1500 (8) State = 0x4cc7d48a4ec4cd402157ab210e499381 (8) EAP-Message = 0x020300061900 (8) Message-Authenticator = 0xb07b3ba30bd185c45325c3cbd8c40fdb (8) session-state: No cached attributes (8) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 3 length 6 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x4cc7d48a4ec4cd40 (8) eap: Finished EAP session with state 0x4cc7d48a4ec4cd40 (8) eap: Previous EAP request found for state 0x4cc7d48a4ec4cd40, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: Continuing EAP-TLS (8) eap_peap: Peer ACKed our handshake fragment (8) eap_peap: [eaptls verify] = request (8) eap_peap: [eaptls process] = handled (8) eap: Sending EAP Request (code 1) ID 4 length 164 (8) eap: EAP session adding &reply:State = 0x4cc7d48a4fc3cd40 (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (8) Challenge { ... } # empty sub-section is ignored (8) Sent Access-Challenge Id 98 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (8) EAP-Message = 0x010400a41900c352a5a55dc2ef5120ad94b21b7f13f48a2a0700d2267ad9686e4a0172d1de5157bb1ba0cd637466cdb079b9dcb60ff10f72686dd9c5a12d0ecfafdb4e1da0ccddc99fdff5eaf7f4a069e9f93bf10dcd4e90b13060ce5356ba7ebaf57a6f65f2bdcc2420a76d757d62e0c68016fac9fd9b511c8a01ec5ee2386b32f90bf900501e40fcc9b069dfc900a79eb8d43d3232129ec917b816030300040e000000 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x4cc7d48a4fc3cd402157ab210e499381 (8) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 99 from 192.168.1.150:1812 to 192.168.1.77:1812 length 154 (9) NAS-IP-Address = 192.168.1.150 (9) NAS-Port = 50006 (9) NAS-Port-Type = Ethernet (9) User-Name = "anonymous" (9) Called-Station-Id = "00-19-55-14-71-86" (9) Calling-Station-Id = "00-0E-CC-01-00-12" (9) Service-Type = Framed-User (9) Framed-MTU = 1500 (9) State = 0x4cc7d48a4fc3cd402157ab210e499381 (9) EAP-Message = 0x0204001119800000000715030300020230 (9) Message-Authenticator = 0xb989e88f0ff2acc6ccbde00cbd9deb8a (9) session-state: No cached attributes (9) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 4 length 17 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x4cc7d48a4fc3cd40 (9) eap: Finished EAP session with state 0x4cc7d48a4fc3cd40 (9) eap: Previous EAP request found for state 0x4cc7d48a4fc3cd40, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: Continuing EAP-TLS (9) eap_peap: Peer indicated complete TLS record size will be 7 bytes (9) eap_peap: Got complete TLS record (7 bytes) (9) eap_peap: [eaptls verify] = length included (9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (9) eap_peap: TLS - In Handshake Phase (9) eap_peap: TLS - Application data. (9) eap_peap: ERROR: TLS failed during operation (9) eap_peap: ERROR: [eaptls process] = fail (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 4 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> anonymous (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 99 from 192.168.1.77:1812 to 192.168.1.150:1812 length 44 (9) EAP-Message = 0x04040004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (5) Cleaning up request packet ID 95 with timestamp +891 (6) Cleaning up request packet ID 96 with timestamp +891 (7) Cleaning up request packet ID 97 with timestamp +891 (8) Cleaning up request packet ID 98 with timestamp +891 (9) Cleaning up request packet ID 99 with timestamp +891 Ready to process requests _____________________________________________________ CA.CNF: prompt = no distinguished_name = certificate_authority default_bits = 2048 input_password = whatever output_password = whatever x509_extensions = v3_ca [certificate_authority] countryName = US stateOrProvinceName = WI localityName = Waukesha organizationName = Company emailAddress = support@example.org commonName = "Certificate Authority" ____________________________________________________ SERVER.CNF: prompt = no distinguished_name = server default_bits = 2048 input_password = whatever output_password = whatever req_extensions = v3_req [server] countryName = US stateOrProvinceName = WI localityName = Waukesha organizationName = Company emailAddress = support@example.org commonName = "Server Certificate" _______________________________________________________ CLIENT.CNF: prompt = no distinguished_name = client default_bits = 2048 input_password = hello output_password = hello [client] countryName = US stateOrProvinceName = WI localityName = Waukesha organizationName = OpenText Corp emailAddress = support@example.org commonName = support@example.org _________________________________________________________ NAS info: Switch# show run | in 192.168.1 ip address 192.168.1.150 255.255.255.0 ip default-gateway 192.168.1.1 radius-server host 192.168.1.77 auth-port 1812 acct-port 1813 key testing123
On Feb 9, 2022, at 3:29 PM, Wayne Fillmer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am attempting to setup a freeRADIUS server in a lab environment on Ubuntu 18.04. This server is used to test a WPA supplicant implementation on a piece of portable hardware. I feel reasonably confident the supplicant and nas (Cisco 2950) are configured correctly. I am very much unfamiliar with freeradius - that means I could get pretty far using the available documentation until I ran into trouble. Now I have no idea what to do.
Everything seems to be working according to the guide up until making production certs. I have performed eapol_test tests using the snakeoil certs.
Note: I have created the user "bob" and still have the pwd "hello" at the top of my "users" file. I am using user "bob" and pwd: "hello" when I attempt to connect from the supplicant
When I create production certs (deployingradius.com instructions) and attempt to authenticate I see the following error (log is followed by excerpts of my .cnf files):\\
You didn't install the correct CA on the supplicant.
(9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
The supplicant sent a TLS error to FreeRADIUS, saying "I don't know the CA used to sign your server certificate, so I don't trust you, and I won't talk to you". Install the production CA on the supplicant. Alan DeKok.
Thank you kindly. After reading your email I performed the following: 1 - removed existing certs in /etc/freeradius/3.0/certs using: rm -f *.pem *.der *.csr *.crt *.key .p12 serial* index.txt* 2 - Using the .cnf I included excerpts for I ran: make ca.pem make client.pem make server.pem 3 - I copied the new files from /etc/freeradius/3.0/certs to a freshly formatted USB drive 4 - rebooted the system 5 - start the server: sudo freeradius -X 6 - factory reset WPA system to clear possibility of stale certificates 6 - imported the new ca and client certificates from the USB into the WPA supplicant (linux platfom) 7 - attempt PEAP with bob/hello (also tried TLS/TTLS). I am seeing the following error (looks same/similar): (0) Received Access-Request Id 115 from 192.168.1.150:1812 to 192.168.1.77:1812 length 133 (0) NAS-IP-Address = 192.168.1.150 (0) NAS-Port = 50006 (0) NAS-Port-Type = Ethernet (0) User-Name = "anonymous" (0) Called-Station-Id = "00-19-55-14-71-86" (0) Calling-Station-Id = "00-0E-CC-01-00-12" (0) Service-Type = Framed-User (0) Framed-MTU = 1500 (0) EAP-Message = 0x020f000e01616e6f6e796d6f7573 (0) Message-Authenticator = 0xc8f986ea7efc49fe7e246a7f030bd60c (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 15 length 14 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 16 length 22 (0) eap: EAP session adding &reply:State = 0xacfcce85aceccab2 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 115 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (0) EAP-Message = 0x0110001604105eb0aa70cca2a2ea15954f30fb2553b1 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xacfcce85aceccab2345ee891f7e86332 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 116 from 192.168.1.150:1812 to 192.168.1.77:1812 length 143 (1) NAS-IP-Address = 192.168.1.150 (1) NAS-Port = 50006 (1) NAS-Port-Type = Ethernet (1) User-Name = "anonymous" (1) Called-Station-Id = "00-19-55-14-71-86" (1) Calling-Station-Id = "00-0E-CC-01-00-12" (1) Service-Type = Framed-User (1) Framed-MTU = 1500 (1) State = 0xacfcce85aceccab2345ee891f7e86332 (1) EAP-Message = 0x021000060319 (1) Message-Authenticator = 0x24c93442f8f474cabdcaf9478e94388b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 16 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xacfcce85aceccab2 (1) eap: Finished EAP session with state 0xacfcce85aceccab2 (1) eap: Previous EAP request found for state 0xacfcce85aceccab2, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Initiating new TLS session (1) eap_peap: [eaptls start] = request (1) eap: Sending EAP Request (code 1) ID 17 length 6 (1) eap: EAP session adding &reply:State = 0xacfcce85adedd7b2 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Challenge { ... } # empty sub-section is ignored (1) Sent Access-Challenge Id 116 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (1) EAP-Message = 0x011100061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xacfcce85adedd7b2345ee891f7e86332 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 117 from 192.168.1.150:1812 to 192.168.1.77:1812 length 337 (2) NAS-IP-Address = 192.168.1.150 (2) NAS-Port = 50006 (2) NAS-Port-Type = Ethernet (2) User-Name = "anonymous" (2) Called-Station-Id = "00-19-55-14-71-86" (2) Calling-Station-Id = "00-0E-CC-01-00-12" (2) Service-Type = Framed-User (2) Framed-MTU = 1500 (2) State = 0xacfcce85adedd7b2345ee891f7e86332 (2) EAP-Message = 0x021100c81980000000be16030100b9010000b5030353b89ef43885f37e7b872705585bd8da8b56d0d60d22d3af5f2e00a082d18862000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602 (2) Message-Authenticator = 0x5365a6fd3d09cd64d01bc0bdb8f3172e (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 17 length 200 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0xacfcce85adedd7b2 (2) eap: Finished EAP session with state 0xacfcce85adedd7b2 (2) eap: Previous EAP request found for state 0xacfcce85adedd7b2, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 190 bytes (2) eap_peap: Got complete TLS record (190 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: (other): before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: TLS_accept: before SSL initialization (2) eap_peap: <<< recv TLS 1.3 [length 00b9] (2) eap_peap: TLS_accept: SSLv3/TLS read client hello (2) eap_peap: >>> send TLS 1.2 [length 003d] (2) eap_peap: TLS_accept: SSLv3/TLS write server hello (2) eap_peap: >>> send TLS 1.2 [length 02de] (2) eap_peap: TLS_accept: SSLv3/TLS write certificate (2) eap_peap: >>> send TLS 1.2 [length 014d] (2) eap_peap: TLS_accept: SSLv3/TLS write key exchange (2) eap_peap: >>> send TLS 1.2 [length 0004] (2) eap_peap: TLS_accept: SSLv3/TLS write server done (2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (2) eap_peap: TLS - In Handshake Phase (2) eap_peap: TLS - got 1152 bytes of data (2) eap_peap: [eaptls process] = handled (2) eap: Sending EAP Request (code 1) ID 18 length 1004 (2) eap: EAP session adding &reply:State = 0xacfcce85aeeed7b2 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) Sent Access-Challenge Id 117 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (2) EAP-Message = 0x011203ec19c000000480160303003d020000390303cab82678ca39bd453c5259c52b0b4927337460ffc1279bd40ba712cc682a8c7600c030000011ff01000100000b0004030001020017000016030302de0b0002da0002d70002d4308202d0308201b8a003020102021419d6f93d1218741c7f2fa6ede241a78132b401ac300d06092a864886f70d01010b05003011310f300d06035504030c067562756e7475301e170d3232303132363031313931335a170d3332303132343031313931335a3011310f300d06035504030c067562756e747530820122300d06092a864886f70d01010105000382010f003082010a0282010100d656ad371181abcd6dc6f07509488dc77d22f6155af16aa35c5309c976fa9420fb38f8b8cbc39a1c2bb7eb1feabd7b240773e067e3b5549ffa3f5824a69b1b7784c8f4e63aa63a1cf9749dbc3bc5501053c57cb0a2e259cc980310d47f32f306a6606828c81f64df02505498228575742e23311a7b600705c40465800fe7b8ad76d948 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0xacfcce85aeeed7b2345ee891f7e86332 (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 118 from 192.168.1.150:1812 to 192.168.1.77:1812 length 143 (3) NAS-IP-Address = 192.168.1.150 (3) NAS-Port = 50006 (3) NAS-Port-Type = Ethernet (3) User-Name = "anonymous" (3) Called-Station-Id = "00-19-55-14-71-86" (3) Calling-Station-Id = "00-0E-CC-01-00-12" (3) Service-Type = Framed-User (3) Framed-MTU = 1500 (3) State = 0xacfcce85aeeed7b2345ee891f7e86332 (3) EAP-Message = 0x021200061900 (3) Message-Authenticator = 0xa1ebca1864e223eb64a0967689d7d8a2 (3) session-state: No cached attributes (3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (3) suffix: No such realm "NULL" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 18 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0xacfcce85aeeed7b2 (3) eap: Finished EAP session with state 0xacfcce85aeeed7b2 (3) eap: Previous EAP request found for state 0xacfcce85aeeed7b2, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: Continuing EAP-TLS (3) eap_peap: Peer ACKed our handshake fragment (3) eap_peap: [eaptls verify] = request (3) eap_peap: [eaptls process] = handled (3) eap: Sending EAP Request (code 1) ID 19 length 164 (3) eap: EAP session adding &reply:State = 0xacfcce85afefd7b2 (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (3) Challenge { ... } # empty sub-section is ignored (3) Sent Access-Challenge Id 118 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0 (3) EAP-Message = 0x011300a41900c3c29b31548e4280270048dc264893dcd9b7f970128deecaabb8796693ae5a8abf3354be8c9a61ad2053c7177b8758ca6d9783e86b8c2165a4307bf76c21a7ee238792ee9ee3a14193db877284603f6164408f4774f84b7a3a1152b7bd64742d9d98415cb33f14c7a104266c21b81a05414db70dbb4c76964e3ccdd92771ea5eda07a3346d5dc6fecf7458b9fcf420bb0245d74c0f16030300040e000000 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0xacfcce85afefd7b2345ee891f7e86332 (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 119 from 192.168.1.150:1812 to 192.168.1.77:1812 length 154 (4) NAS-IP-Address = 192.168.1.150 (4) NAS-Port = 50006 (4) NAS-Port-Type = Ethernet (4) User-Name = "anonymous" (4) Called-Station-Id = "00-19-55-14-71-86" (4) Calling-Station-Id = "00-0E-CC-01-00-12" (4) Service-Type = Framed-User (4) Framed-MTU = 1500 (4) State = 0xacfcce85afefd7b2345ee891f7e86332 (4) EAP-Message = 0x0213001119800000000715030300020230 (4) Message-Authenticator = 0x9eef9c9a4980071b07836d6398333e0d (4) session-state: No cached attributes (4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (4) suffix: No such realm "NULL" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 19 length 17 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) authenticate { (4) eap: Expiring EAP session with state 0xacfcce85afefd7b2 (4) eap: Finished EAP session with state 0xacfcce85afefd7b2 (4) eap: Previous EAP request found for state 0xacfcce85afefd7b2, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: Continuing EAP-TLS (4) eap_peap: Peer indicated complete TLS record size will be 7 bytes (4) eap_peap: Got complete TLS record (7 bytes) (4) eap_peap: [eaptls verify] = length included (4) eap_peap: <<< recv TLS 1.2 [length 0002] (4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (4) eap_peap: TLS_accept: Need to read more data: error (4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca (4) eap_peap: TLS - In Handshake Phase (4) eap_peap: TLS - Application data. (4) eap_peap: ERROR: TLS failed during operation (4) eap_peap: ERROR: [eaptls process] = fail (4) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (4) eap: Sending EAP Failure (code 4) ID 19 length 4 (4) eap: Failed in EAP select (4) [eap] = invalid (4) } # authenticate = invalid (4) Failed to authenticate the user (4) Using Post-Auth-Type Reject (4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (4) Post-Auth-Type REJECT { (4) attr_filter.access_reject: EXPAND %{User-Name} (4) attr_filter.access_reject: --> anonymous (4) attr_filter.access_reject: Matched entry DEFAULT at line 11 (4) [attr_filter.access_reject] = updated (4) [eap] = noop (4) policy remove_reply_message_if_eap { (4) if (&reply:EAP-Message && &reply:Reply-Message) { (4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (4) else { (4) [noop] = noop (4) } # else = noop (4) } # policy remove_reply_message_if_eap = noop (4) } # Post-Auth-Type REJECT = updated (4) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (4) Sending delayed response (4) Sent Access-Reject Id 119 from 192.168.1.77:1812 to 192.168.1.150:1812 length 44 (4) EAP-Message = 0x04130004 (4) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 115 with timestamp +4 (1) Cleaning up request packet ID 116 with timestamp +4 (2) Cleaning up request packet ID 117 with timestamp +4 (3) Cleaning up request packet ID 118 with timestamp +4 (4) Cleaning up request packet ID 119 with timestamp +4 Ready to process requests -----Original Message----- From: Alan DeKok <aland@deployingradius.com> Sent: Wednesday, February 9, 2022 2:43 PM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Cc: Wayne Fillmer <wfillmer@opentext.com> Subject: [EXTERNAL] - Re: EAP failure when using production certificates CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you feel that the email is suspicious, please report it using PhishAlarm. On Feb 9, 2022, at 3:29 PM, Wayne Fillmer via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I am attempting to setup a freeRADIUS server in a lab environment on Ubuntu 18.04. This server is used to test a WPA supplicant implementation on a piece of portable hardware. I feel reasonably confident the supplicant and nas (Cisco 2950) are configured correctly. I am very much unfamiliar with freeradius - that means I could get pretty far using the available documentation until I ran into trouble. Now I have no idea what to do.
Everything seems to be working according to the guide up until making production certs. I have performed eapol_test tests using the snakeoil certs.
Note: I have created the user "bob" and still have the pwd "hello" at the top of my "users" file. I am using user "bob" and pwd: "hello" when I attempt to connect from the supplicant
When I create production certs (deployingradius.com instructions) and attempt to authenticate I see the following error (log is followed by excerpts of my .cnf files):\\
You didn't install the correct CA on the supplicant.
(9) eap_peap: <<< recv TLS 1.2 [length 0002] (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA (9) eap_peap: TLS_accept: Need to read more data: error (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
The supplicant sent a TLS error to FreeRADIUS, saying "I don't know the CA used to sign your server certificate, so I don't trust you, and I won't talk to you". Install the production CA on the supplicant. Alan DeKok.
On Feb 9, 2022, at 4:17 PM, Wayne Fillmer <wfillmer@opentext.com> wrote:
Thank you kindly. After reading your email I performed the following:
1 - removed existing certs in /etc/freeradius/3.0/certs using: rm -f *.pem *.der *.csr *.crt *.key .p12 serial* index.txt*
Why? I said that the supplicant was misconfigured. Changing FeeeRADIUS won't help, unless you figure out which CA is used on the supplicant, and then configure FreeRADIUS to use the same CA.
2 - Using the .cnf I included excerpts for I ran: make ca.pem make client.pem make server.pem 3 - I copied the new files from /etc/freeradius/3.0/certs to a freshly formatted USB drive 4 - rebooted the system
So... lots of extra work, for no real benefit.
5 - start the server: sudo freeradius -X 6 - factory reset WPA system to clear possibility of stale certificates 6 - imported the new ca and client certificates from the USB into the WPA supplicant (linux platfom)
Apparently not. Because you're still getting the "unknown CA" error.
7 - attempt PEAP with bob/hello (also tried TLS/TTLS).
Because EAP-TLS, TTLS, and PEAP all use the same CA configuration. You won't fix the problem by randomly changing the FreeRADIUS configuration, or by randomly creating new certificates. You have to find out WHY the supplicant is not using the certificates you've configured. Import the correct CA into the supplicant, in the right location, and verify that the supplicant is using it. How do you do this? See the OS documentation for how to do this. Well, there's a million different supplicants, Linux distributions, etc. We can't document (or even keep up with) every possible Linux distribution. Alan DeKok.
1 - removed existing certs in /etc/freeradius/3.0/certs using: rm -f *.pem *.der *.csr *.crt *.key .p12 serial* index.txt*
Why? I said that the supplicant was misconfigured. Changing FeeeRADIUS won't help, unless you figure out which CA is used on the supplicant, and then configure FreeRADIUS to use the same CA.
My mistake I thought you were implying that I imported the wrong CA from my USB stick. The certificate import routine on the supplicant was already working and has not changed so when you said I did not install the correct CA on the supplicant I misunderstood the meaning.
2 - Using the .cnf I included excerpts for I ran: make ca.pem make client.pem make server.pem 3 - I copied the new files from /etc/freeradius/3.0/certs to a freshly formatted USB drive 4 - rebooted the system
So... lots of extra work, for no real benefit.
Correct. I have been doing similarly busy but unproductive work for several days.
5 - start the server: sudo freeradius -X 6 - factory reset WPA system to clear possibility of stale certificates 6 - imported the new ca and client certificates from the USB into the WPA supplicant (linux platfom)
Apparently not. Because you're still getting the "unknown CA" error.
Until this moment I have been focused on troubleshooting the freeRADIUS implementation and new production certificates because that is what is new. I had a server on this network that was working but the certificates expired. Since we had to update the system hardware anyway, I used to opportunity to install a new instance of freeRADIUS. The WPA supplicant implementation has not changed other than the newly created/imported certificates.
You won't fix the problem by randomly changing the FreeRADIUS configuration, or by randomly creating new certificates. You have to find out WHY the supplicant is not using the certificates you've configured.
key info, cheers.
Import the correct CA into the supplicant, in the right location, and verify that the supplicant is using it.
Ok - I can do this. Maybe we have a bug in the way our supplicant is handling expired certificates. I will take a close look. I appreciate your super fast responsiveness with this.
participants (2)
-
Alan DeKok -
Wayne Fillmer