Hello All, I am trying to authenticate a Windows XP Client with the username and password configured in the Users file on the Radius Server. I have tried saveral changes, but I am not able to get rid of this error. I am running freeradius 2.1.1 on Suse 10 SP1. Kindly Help, I am in urgent need of making this radius server up and running. Below is the error I am receiving. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=212, length=182 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b29aabed260fc846046180105 EAP-Message = 0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 23 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Any help is greatly appreciated. Thanks, Jas -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2001... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of its Authentication Process with users file. Try with EAP MD5, it works well with Users file. SYED On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 < jaswinder.kaur@northyorks.gov.uk> wrote:
Hello All,
I am trying to authenticate a Windows XP Client with the username and password configured in the Users file on the Radius Server. I have tried saveral changes, but I am not able to get rid of this error. I am running freeradius 2.1.1 on Suse 10 SP1.
Kindly Help, I am in urgent need of making this radius server up and running. Below is the error I am receiving.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=212, length=182 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b29aabed260fc846046180105 EAP-Message = 0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 23 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request
Any help is greatly appreciated. Thanks, Jas -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2001... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I am sure it works well with Users file as well. I remember doing it in the university. But I do not know y its not working this time. I will be integrating this freeradius with Novell's edirectory in few days time, but I wanted to test if its working or not before integrating with edirectory, as that will be complex structure. I have a tight dealine to finish it in. Kindly help me in eliminating the error its showing. Many Thanks, Jas Syed Anwarul Hasan wrote:
Hi, PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of its Authentication Process with users file.
Try with EAP MD5, it works well with Users file.
SYED On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 < jaswinder.kaur@northyorks.gov.uk> wrote:
Hello All,
I am trying to authenticate a Windows XP Client with the username and password configured in the Users file on the Radius Server. I have tried saveral changes, but I am not able to get rid of this error. I am running freeradius 2.1.1 on Suse 10 SP1.
Kindly Help, I am in urgent need of making this radius server up and running. Below is the error I am receiving.
rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=212, length=182 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b29aabed260fc846046180105 EAP-Message = 0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 23 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request
Any help is greatly appreciated. Thanks, Jas -- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2001... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2002... Sent from the FreeRadius - User mailing list archive at Nabble.com.
[peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel.
Something is badly broken here. XP rejected CA certificate. It tends to do that if certificate doesn't have xpextensions. Are you using the CA certificate generated by freeradius? Were there any errors when you were making certificates? Is your XP patched up-to-date? Ivan Kalik Kalik Informatika ISP
My certificate generation went really well, no errors at all. I generated the certificates with openssl. My windowsd is also upto date. One thing I would like to drew your attention is, which even myself has just noticed, that it is going through an ongoing EAP conversation, I do not know what this means, I am attaching below the complete complete conversation, which is just one request, but consists of almost 7 pages. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=207, length=145 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User EAP-Message = 0x0201000e016a617377696e646572 User-Name = "jaswinder" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xf63ccec115958bf26b31d981d45e74fc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry jaswinder at line 92 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 207 to 130.1.254.174 port 20000 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42ade4d942affde10d0318327cc26cf5 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=208, length=145 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User EAP-Message = 0x0202000e016a617377696e646572 User-Name = "jaswinder" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0x6ce51603d385790a48f26b8f8b8ced74 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry jaswinder at line 92 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 208 to 130.1.254.174 port 20000 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b2aafbed260fc846046180105 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=209, length=229 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b2aafbed260fc846046180105 EAP-Message = 0x0203005019800000004616030100410100003d030148f74ff6fe78ad4a45efb2be837bc5286bbf40fd69482e1455cf68232482fe2600001600040005000a000900640062000300060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0x891f4b7fd81806810ba67094f50d2e72 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 057f], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 209 to 130.1.254.174 port 20000 EAP-Message = 0x0104040019c0000005bc160301002a02000026030148f741e17de2bfc1097ed5b10abf43f984fa0df49da2e88cff388b7eed48895200000400160301057f0b00057b0005780005753082057130820359020101300d06092a864886f70d01010505003076310b300906035504061302554b311330110603550408130a4e6f7274682045617374310d300b06035504071304596f726b3121301f060355040a1318496e7465726e6574205769646769747320507479204c74643120301e0603550403131753656c66205369676e6564204365727469666963617465301e170d3038313031353135323832315a170d3138313031333135323832315a308186 EAP-Message = 0x310b300906035504061302554b311830160603550408130f4e6f72746820596f726b7368697265311630140603550407130d4e6f727468616c6c6572746f6e310d300b060355040a13044e594343310c300a060355040313034943543128302606092a864886f70d0109011619667761646d696e406e6f727468796f726b732e676f762e756b30820222300d06092a864886f70d01010105000382020f003082020a0282020100bed98962fe36a547055100ea062bc27e267b07ce8a2ed8c8c54741e1f566f8a67e5c6240964f1e97596604064390207cb46bca566b548ff52f7223b627787916bde8578ffae1348d45a2d35f9e75f2e81b188a13c146 EAP-Message = 0x65b07552f3ee034b02d5b804e54f502d50f7ac23af35f04314a1a76f4626b03499303320cde2786460e70983dba8d208970f5b07ea2b42b197851bd874bfee47489b000209a7f4ff49b781db8ad91985c5c6505d2f0f3f3ee074689045852182b3d38886e34113c41016820dfe5eab673578d46eb57fa2e560947c72d26ce56d7031d24830eeafcd9651632d8dd5f763131cb3616ce8d284079ac502bb13d05e8f4c5cbc8b80d3e8697aa460d19284adaca07ee6cffa512335f865f1f02334aa9fb189a2649e0de2d07112c8bbd6973e7a880405b32f5e51d0bd31472189e58d9bee7293e16d7d522872b5d94efb1104ba2a7fc34c8997ce5d0eeca3f3 EAP-Message = 0x4761f8760c1376e9b229e9eb056c1be0164b1be2d60620ef21bf0c47404768cfacecc675cd0a36bead65473853410ee9a1ccce01918deca06651890652326146b4b1c4ffbe3ee1745f37b616fe0f520daa878e26c981309f1a6997eb16317c72aeb9c63b36b7cf6be31f42aef27e02998da39be123b1ce7f52582bd6ad84e0550cefa028365c76b8e29e8755935639228cb8287cfa63359a1a788c547d6b2c0bb23bbad9efb23cd590feefbd210203010001300d06092a864886f70d0101050500038202010006f65a65a21f16e7bdf65f6b7b13403f7bbebd7329ffdce2de70327474ce63572e56bdad6fc935d0df75ff1c0582a855cd02135b2c8252 EAP-Message = 0xf79ea04b8da213dba5afb4a1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b2ba8bed260fc846046180105 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=210, length=155 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b2ba8bed260fc846046180105 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xedfc96cee46cd1ae4c2bb2edb58beb6d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 210 to 130.1.254.174 port 20000 EAP-Message = 0x010501cc1900ad8f81aacc1c1ea3293108bad29497af6488aace454af4ae5cfe840dcbfe98af8028cbf26cf947d56b4d0d6aeb9a9b019fc21277a76632808e3f154dd0794e3ea7908b0e277e9e2b26a0969622a04bf5bd8d1bb52e3391bb06c878659db0529f1659fa5593aa58fba0c11c149e00d83fdaab2452fa32aff4175beedf74e4387c268408bc1bc643c0e4c5662245fadd1c12d01bb10f633321c390bd0957810c9e3aaacf5f4a73636a226b2fefa76c4856a154fb840dfb59a411fe15580854a4ad78b63f84e240b12655b7a6971665cc6ab040f1b8fb38c5ad52dd142018776ed575f1576a7c13501bf849d573341b99fc80ef6fdc649fa2 EAP-Message = 0x270eb9001d46851f7c2b3952c24edaae2443a81107bb833c09281bacf591d9916c07575605100a21467d4530690e77a4f725a9b216ca755b8d0cd893922fe36b8837c9e8ec081c46f9f4eed2fc9838415ff9fd44c5e2efc04a9037bbd68af38bb76859c79de8c55f689efb8816db1b09b51ba5d6518416b4796263ef38976e33a268920afb4a8e00d28a041133e4c472c44372ee427f00cf1fbc044447054c22025e7fa95392d70a78aae166cca57ac97ff24309543a20ca5389b652b3e8789d11ce199ee1d216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b28a9bed260fc846046180105 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=211, length=729 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b28a9bed260fc846046180105 EAP-Message = 0x02050240198000000236160301020610000202020023086e39ea84810380a80a421d7846158936dcd4d4c521625afabf1a9945dea981e5c27294816d1034b060f8c96a71fa434ba1a91ad5f2bd8beb9513f93d0d7dbcdaab113931907ff95ebe05c628d90ba8b0adf41c2b74a47ece8a9f6ff09354d4ec36d7a04da07b3bb221f90c811a0eb908b9a67fdd81db14e7bec64beaee466938ef9355214a004096f053c0f6d5afd85b393ea9ae205ddfa3400fe66728b10a24c3e4f234588b15436437cc43277e0512fc2346d3fa788b3e8a67d74917a18dcca8ce934594e4475de0254c9248eadea22e468765b8e1cedf529f109f02c7148ba081c1d01d EAP-Message = 0x5013f21536cd80c635dc39f2167476ecc42687792d6374c6bb23847bcfee92aa732393a7734baac02a0dbd5530a84196d0adca485436a896aeb553a32ecba4033c9a5baec9bba8d13eb2f98365f9f3ec48e5e53e75881a96fd1b20c42bacbe5cea1f9188de61f97cb6b4ec6b62c4993ec2ac5174bc428cbb43ee1f16c0b00661fba9834fdfb26136b02ea82419a375a682d5373455514876c41727da3f2b8f97a67e6ec057cd6ad21f359c8df7ba913995a989fcd6137fa6a3f4add6d1e3f4255688174f2d155baeb9ed1cdb9ddc6824f621412eaf48e226b6a01ac97caee423bd7af1c89751bf5c725ab79f981da9659eaab12ae9080f3920e971d7 EAP-Message = 0xeed4e752b463889892048fb908fbb9e3aa007f818dbd748f52757d122e1403010001011603010020ce5fb7cdcc8e3e0d7d94e85912776bfc213cbd1712f3cb886c58a737608a4f55 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0x76d3b1109f1d3b8742d0d48a3d5b6287 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 252 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 566 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0206], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 211 to 130.1.254.174 port 20000 EAP-Message = 0x0106003119001403010001011603010020b117ea55275553e890ee4de849ea7d495a46e8c5e63d7b80e1a369d181ff8020 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b29aabed260fc846046180105 Finished request 4. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=212, length=182 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b29aabed260fc846046180105 EAP-Message = 0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 23 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 212 to 130.1.254.174 port 20000 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 0 ID 207 with timestamp +46 Cleaning up request 1 ID 208 with timestamp +46 Cleaning up request 2 ID 209 with timestamp +46 Cleaning up request 3 ID 210 with timestamp +46 Waking up in 0.3 seconds. Cleaning up request 4 ID 211 with timestamp +46 Waking up in 1.0 seconds. Cleaning up request 5 ID 212 with timestamp +47 Ready to process requests. Thanks, Jas tnt-4 wrote:
[peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel.
Something is badly broken here. XP rejected CA certificate. It tends to do that if certificate doesn't have xpextensions. Are you using the CA certificate generated by freeradius? Were there any errors when you were making certificates? Is your XP patched up-to-date?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I made them myself. Following were the commands I used. openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048 Jas tnt-4 wrote:
My certificate generation went really well, no errors at all. I generated
the
certificates with openssl.
Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
So you haven't used xpextensions and your certificates are useless for connecting XP clients. Use certificate creation provided with the server: raddb/certs/README Ivan Kalik Kalik Informatika ISP Dana 17/10/2008, "saini_jas16" <jaswinder.kaur@northyorks.gov.uk> piše:
I made them myself. Following were the commands I used.
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048
Jas
tnt-4 wrote:
My certificate generation went really well, no errors at all. I generated
the
certificates with openssl.
Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I created the certificates in the way as explained in the readme file. But when I try to open or import the ca.der in the XP machine, it say that "the file type is not recognized. What wrong am I doing here? Jas tnt-4 wrote:
So you haven't used xpextensions and your certificates are useless for connecting XP clients. Use certificate creation provided with the server:
raddb/certs/README
Ivan Kalik Kalik Informatika ISP
Dana 17/10/2008, "saini_jas16" <jaswinder.kaur@northyorks.gov.uk> piše:
I made them myself. Following were the commands I used.
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048
Jas
tnt-4 wrote:
My certificate generation went really well, no errors at all. I
generated
the
certificates with openssl.
Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I created the certificates in the way as explained in the readme file. But when I try to open or import the ca.der in the XP machine, it say that "the file type is not recognized. What wrong am I doing here?
Your XP is broken. Mine knows what .der file is. Go to Control Panel/Folders/File Types and see if der is listed. Ivan Kalik Kalik Informatika ISP
Hi,
I made them myself. Following were the commands I used.
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048
well, thats wrong then. the docs havent been read and you havent followed the guides or the current cert gen script. you need to ensure that the certs have the required extensions alan
Jas
tnt-4 wrote:
My certificate generation went really well, no errors at all. I generated
the
certificates with openssl.
Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can you please guide me in this regard. What guidlines shall I follow? Many Thanks, Jas A.L.M.Buxey wrote:
Hi,
I made them myself. Following were the commands I used.
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 3650 -key ca.key -out ca.crt openssl genrsa -des3 -out server.key 4096 openssl req -new -key server.key -out server.csr openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt openssl dhparam -out dh2048.pem 2048
well, thats wrong then. the docs havent been read and you havent followed the guides or the current cert gen script.
you need to ensure that the certs have the required extensions
alan
Jas
tnt-4 wrote:
My certificate generation went really well, no errors at all. I
generated the
certificates with openssl.
Did you use Makefile provided in raddb/certs directory? Or did you make them yourself?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi,
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select
all gone wonky here - your certs are readable by the correct group/user daemon process.... what version of openssl do you have? alan
Hi The version is 0.9.8a - 18.15 - i586 Jas A.L.M.Buxey wrote:
Hi,
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select
all gone wonky here - your certs are readable by the correct group/user daemon process.... what version of openssl do you have?
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
saini_jas16 -
Syed Anwarul Hasan -
tnt@kalik.net