Version 3.0.4 Centos 7 EAP-TLS : EAP failure
Hello, I have been trying to freeRADIUS Version 3.0.4 worling with EAP-TLS for a while now. I was able to get PAP working using the guide athttp://deployingradius.com/documents/configuration/pap.html. However, getting EAP-TLS to work has been a pain. In my case I used the freeradius as installed by yum from the repos. Before doing the guide at the link posted below I built the certs in /etc/raddb/certs using make. No changes have been made to the .cnf files in the certs directory since this was a test. The eapol_test config is also posted below. I then moved to the trying to EAP-TLS working using the guide athttp://deployingradius.com/documents/configuration/eap.html. I followed this to the letter for the server. However, as will be shown in the eapol_test config, my test had been ran from the radius host itself. I have used radius as installed on pfsense in the past. However, I now wish to have a standalone host to take care of this. I have spent 3 days trying to get this to work. I am at a complete loss as what is wrong or how to even find out at this point. I have already ran radius with radius -XX and am not seeing that I know how to change. I would greatly appreciate some help on this. The settings I have used are EXACTLY what i slisted in the links. eapol_test configuration : network={ ssid="TEST-SSID" eap=TLS eapol_flags=0 key_mgmt=WPA-EAP identity="user@example.com" ca_cert="/etc/raddb/certs/ca_.pem" client_cert="/etc/raddb/certs/user.pem" private_key="/etc/raddb/certs/client.key" private_key_passwd="whatever" eapol_flags=3 } SERVER DEBUG : radiusd -X radiusd: FreeRADIUS Version 3.0.4, for host x86_64-redhat-linux-gnu, built on Mar 5 2015 at 23:41:36 Copyright (C) 1999-2014 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/raddb/dictionary including configuration file /etc/raddb/radiusd.conf including configuration file /etc/raddb/proxy.conf including configuration file /etc/raddb/clients.conf including files in directory /etc/raddb/mods-enabled/ including configuration file /etc/raddb/mods-enabled/always including configuration file /etc/raddb/mods-enabled/attr_filter including configuration file /etc/raddb/mods-enabled/cache_eap including configuration file /etc/raddb/mods-enabled/chap including configuration file /etc/raddb/mods-enabled/detail including configuration file /etc/raddb/mods-enabled/detail.log including configuration file /etc/raddb/mods-enabled/dhcp including configuration file /etc/raddb/mods-enabled/digest including configuration file /etc/raddb/mods-enabled/dynamic_clients including configuration file /etc/raddb/mods-enabled/eap including configuration file /etc/raddb/mods-enabled/echo including configuration file /etc/raddb/mods-enabled/exec including configuration file /etc/raddb/mods-enabled/expiration including configuration file /etc/raddb/mods-enabled/expr including configuration file /etc/raddb/mods-enabled/files including configuration file /etc/raddb/mods-enabled/linelog including configuration file /etc/raddb/mods-enabled/logintime including configuration file /etc/raddb/mods-enabled/mschap including configuration file /etc/raddb/mods-enabled/ntlm_auth including configuration file /etc/raddb/mods-enabled/pap including configuration file /etc/raddb/mods-enabled/passwd including configuration file /etc/raddb/mods-enabled/preprocess including configuration file /etc/raddb/mods-enabled/radutmp including configuration file /etc/raddb/mods-enabled/realm including configuration file /etc/raddb/mods-enabled/replicate including configuration file /etc/raddb/mods-enabled/soh including configuration file /etc/raddb/mods-enabled/sradutmp including configuration file /etc/raddb/mods-enabled/unix including configuration file /etc/raddb/mods-enabled/unpack including configuration file /etc/raddb/mods-enabled/utf8 including files in directory /etc/raddb/policy.d/ including configuration file /etc/raddb/policy.d/accounting including configuration file /etc/raddb/policy.d/canonicalization including configuration file /etc/raddb/policy.d/control including configuration file /etc/raddb/policy.d/cui including configuration file /etc/raddb/policy.d/debug including configuration file /etc/raddb/policy.d/dhcp including configuration file /etc/raddb/policy.d/eap including configuration file /etc/raddb/policy.d/filter including configuration file /etc/raddb/policy.d/operator-name including files in directory /etc/raddb/sites-enabled/ including configuration file /etc/raddb/sites-enabled/default including configuration file /etc/raddb/sites-enabled/inner-tunnel main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client phobos { ipaddr = 192.168.1.112 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } radiusd: #### Instantiating modules #### instantiate { } modules { # Loaded module rlm_always # Instantiating module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Instantiating module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Instantiating module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Instantiating module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Instantiating module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Instantiating module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Loaded module rlm_cache # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 16384 epoch = 0 add_stats = no } # Loaded module rlm_chap # Instantiating module "chap" from file /etc/raddb/mods-enabled/chap # Loaded module rlm_detail # Instantiating module "detail" from file /etc/raddb/mods-enabled/detail detail { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "auth_log" from file /etc/raddb/mods-enabled/detail.log detail auth_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/raddb/mods-enabled/detail.log detail reply_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "pre_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Instantiating module "post_proxy_log" from file /etc/raddb/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no log_packet_header = no } # Loaded module rlm_dhcp # Instantiating module "dhcp" from file /etc/raddb/mods-enabled/dhcp # Loaded module rlm_digest # Instantiating module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_dynamic_clients # Instantiating module "dynamic_clients" from file /etc/raddb/mods-enabled/dynamic_clients # Loaded module rlm_eap # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "md5" timer_expire = 60 ignore_unknown_eap_types = no mod_accounting_username_bug = no max_sessions = 1024 } # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs/server.pem" certificate_file = "/etc/raddb/certs/server.pem" ca_file = "/etc/raddb/certs/ca.pem" private_key_password = <<< secret >>> dh_file = "/etc/raddb/certs/dh" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = yes } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_method = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Loaded module rlm_exec # Instantiating module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Instantiating module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Instantiating module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } # Loaded module rlm_files # Instantiating module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" usersfile = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" compat = "cistron" } reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for entry test ... [/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/authorize [/etc/raddb/mods-config/files/authorize]:2 Cistron compatibility checks for entry test ... [/etc/raddb/mods-config/files/authorize]:182 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:189 Cistron compatibility checks for entry DEFAULT ... [/etc/raddb/mods-config/files/authorize]:196 Cistron compatibility checks for entry DEFAULT ... reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Loaded module rlm_linelog # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{Packet-Type}:-default}" } # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_mschap # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes } # Instantiating module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_pap # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Loaded module rlm_preprocess # Instantiating module "preprocess" from file /etc/raddb/mods-enabled/preprocess preprocess { huntgroups = "/etc/raddb/mods-config/preprocess/huntgroups" hints = "/etc/raddb/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /etc/raddb/mods-config/preprocess/huntgroups reading pairlist file /etc/raddb/mods-config/preprocess/hints # Loaded module rlm_radutmp # Instantiating module "radutmp" from file /etc/raddb/mods-enabled/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_realm # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\" ignore_default = no ignore_null = no } # Loaded module rlm_replicate # Instantiating module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Instantiating module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Instantiating module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unix # Instantiating module "unix" from file /etc/raddb/mods-enabled/unix unix { radwtmp = "/var/log/radius/radwtmp" } # Loaded module rlm_unpack # Instantiating module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Instantiating module "utf8" from file /etc/raddb/mods-enabled/utf8 } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/raddb/radiusd.conf } # server server default { # from file /etc/raddb/sites-enabled/default # Creating Auth-Type = digest # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on auth address * port 1812 as server default Listening on acct address * port 1813 as server default Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 39462 Ready to process requests Received Access-Request Id 0 from 127.0.0.1:49705 to 127.0.0.1:1812 length 140 User-Name = 'user@example.com' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e (0) Received Access-Request packet from host 127.0.0.1 port 49705, id=0, length=140 (0) User-Name = 'user@example.com' (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = '02-00-00-00-00-01' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = 'CONNECT 11Mbps 802.11b' (0) EAP-Message = 0x020000150175736572406578616d706c652e636f6d (0) Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "example.com" for User-Name = "user@example.com" (0) suffix : Found realm "example.com" (0) suffix : Adding Stripped-User-Name = "user" (0) suffix : Adding Realm = "example.com" (0) suffix : Proxying request from user user to realm example.com (0) suffix : Preparing to proxy authentication request to realm "example.com" (0) [suffix] = updated (0) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP. (0) [eap] = noop (0) [files] = noop (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 51413 (0) Proxying request to home server 127.0.0.1 port 1812 timeout 20.000000 (0) Sending Access-Request packet to host 127.0.0.1 port 1812, id=88, length=0 (0) User-Name = 'user' (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = '02-00-00-00-00-01' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = 'CONNECT 11Mbps 802.11b' (0) EAP-Message = 0x020000150175736572406578616d706c652e636f6d (0) Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e (0) Event-Timestamp = 'Feb 6 2016 19:29:04 CST' (0) Stripped-User-Name = 'user' (0) Realm = 'example.com' (0) EAP-Type = Identity (0) Proxy-State = 0x30 Sending Access-Request Id 88 from 0.0.0.0:51413 to 127.0.0.1:1812 User-Name = 'user' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0x76b26f355b7b52e26e30514efcc67e2e Event-Timestamp = 'Feb 6 2016 19:29:04 CST' Proxy-State = 0x30 Waking up in 0.3 seconds. Received Access-Request Id 88 from 127.0.0.1:51413 to 127.0.0.1:1812 length 137 User-Name = 'user' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020000150175736572406578616d706c652e636f6d Message-Authenticator = 0xfb8d5412dd22bd658ba818ba16db12cc Event-Timestamp = 'Feb 6 2016 19:29:04 CST' Proxy-State = 0x30 (1) Received Access-Request packet from host 127.0.0.1 port 51413, id=88, length=137 (1) User-Name = 'user' (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = '02-00-00-00-00-01' (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = 'CONNECT 11Mbps 802.11b' (1) EAP-Message = 0x020000150175736572406578616d706c652e636f6d (1) Message-Authenticator = 0xfb8d5412dd22bd658ba818ba16db12cc (1) Event-Timestamp = 'Feb 6 2016 19:29:04 CST' (1) Proxy-State = 0x30 (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : No '@' in User-Name = "user", looking up realm NULL (1) suffix : No such realm "NULL" (1) [suffix] = noop (1) eap : Peer sent code Response (2) ID 0 length 21 (1) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Identity does not match User-Name, setting from EAP Identity (1) eap : Failed in handler (1) [eap] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject : EXPAND %{User-Name} (1) attr_filter.access_reject : --> user (1) attr_filter.access_reject : Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) eap : Identity does not match User-Name, setting from EAP Identity (1) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (1) [eap] = noop (1) remove_reply_message_if_eap remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else else { (1) [noop] = noop (1) } # else else = noop (1) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.1 seconds. (0) Expecting proxy response no later than 19.499783 seconds from now Waking up in 0.4 seconds. (1) Sending delayed response (1) Sending Access-Reject packet to host 127.0.0.1 port 51413, id=88, length=0 (1) Proxy-State = 0x30 Sending Access-Reject Id 88 from 127.0.0.1:1812 to 127.0.0.1:51413 Proxy-State = 0x30 Waking up in 3.9 seconds. Received Access-Reject Id 88 from 127.0.0.1:1812 to 127.0.0.1:51413 length 23 Proxy-State = 0x30 (0) Received Access-Reject packet from host 127.0.0.1 port 1812, id=88, length=23 (0) Proxy-State = 0x30 (0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default (0) post-proxy { (0) eap : No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = noop (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> user@example.com (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 127.0.0.1 port 49705, id=0, length=0 (0) EAP-Message = 0x04000004 (0) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Reject Id 0 from 127.0.0.1:1812 to 127.0.0.1:49705 EAP-Message = 0x04000004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 2.9 seconds. (1) Cleaning up request packet ID 88 with timestamp +8 Waking up in 0.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +8 Ready to process requests EAPOL_TEST OUTPUT : eapol_test -c /root/eapol_tls_test.tls -A127.0.0.1 -a127.0.0.1 -p1812 -stesting123 -r1 Reading configuration file '/root/eapol_tls_test.tls' Line: 1 - start of a new network block ssid - hexdump_ascii(len=9): 54 45 53 54 2d 53 53 49 44 TEST-SSID eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 eapol_flags=0 (0x0) key_mgmt: 0x1 identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d user@example.com ca_cert - hexdump_ascii(len=24): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 63 61 5f 2e 70 65 6d /ca_.pem client_cert - hexdump_ascii(len=25): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 75 73 65 72 2e 70 65 6d /user.pem private_key - hexdump_ascii(len=27): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 63 6c 69 65 6e 74 2e 6b 65 79 /client.key private_key_passwd - hexdump_ascii(len=8): 77 68 61 74 65 76 65 72 whatever eapol_flags=3 (0x3) Priority group 0 id=0 ssid='TEST-SSID' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:49705 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d user@example.com EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=21) TX EAP -> RADIUS - hexdump(len=21): 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=140 Attribute 1 (User-Name) length=18 Value: 'user@example.com' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=23 Value: 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d Attribute 80 (Message-Authenticator) length=18 Value: 76 b2 6f 35 5b 7b 52 e2 6e 30 51 4e fc c6 7e 2e Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE EAPOL: startWhen --> 0 Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=0 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 00 00 04 Attribute 80 (Message-Authenticator) length=18 Value: 90 9d b7 6e 9e 92 4f c4 85 ba de 03 31 30 3f 49 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 2.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=0 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available EAPOL: EAP key not available MPPE keys OK: 0 mismatch: 2 FAILURE Ollie Teasley Linux Administrator ISMELL.SHOES, LLC
On Feb 6, 2016, at 8:45 PM, John Teasley <ollieteasley@gmail.com> wrote:
I have been trying to freeRADIUS Version 3.0.4 worling with EAP-TLS for a while now.
Please don't. 3.0.11 was released recently. There are few reasons to use a version which is years out of date.
I was able to get PAP working using the guide athttp://deployingradius.com/documents/configuration/pap.html. However, getting EAP-TLS to work has been a pain.
3.0.11 has a sample config for eapol_test in src/tests/eap-tls.conf. It should pretty much work.
In my case I used the freeradius as installed by yum from the repos. Before doing the guide at the link posted below I built the certs in /etc/raddb/certs using make. No changes have been made to the .cnf files in the certs directory since this was a test. The eapol_test config is also posted below.
OK.
I have used radius as installed on pfsense in the past. However, I now wish to have a standalone host to take care of this. I have spent 3 days trying to get this to work. I am at a complete loss as what is wrong or how to even find out at this point. I have already ran radius with radius -XX and am not seeing that I know how to change. I would greatly appreciate some help on this. The settings I have used are EXACTLY what i slisted in the links.
That's good...
eapol_test configuration :
network={ ssid="TEST-SSID" eap=TLS eapol_flags=0 key_mgmt=WPA-EAP identity="user@example.com"
Which is the problem. If you read the debug output, you'll see it proxying requests. You probably don't want to do that.
(0) suffix : Looking up realm "example.com" for User-Name = "user@example.com" (0) suffix : Found realm "example.com" (0) suffix : Adding Stripped-User-Name = "user" (0) suffix : Adding Realm = "example.com" (0) suffix : Proxying request from user user to realm example.com (0) suffix : Preparing to proxy authentication request to realm "example.com" (0) [suffix] = updated (0) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
Which is the issue. Change the eapol_test config file to use example.org, and edit proxy.conf to add: realm example.org { } Which says it's a local realm, and not to be proxied. This change is also available in 3.0.11, which is one reason why we suggest using the latest versions. Alan DeKok.
Hello, Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see below results. I really appreciate the help. Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is. SERVER DEBUG : ( listing DEBUG AFTER server came up using radiusd -X ) Received Access-Request Id 0 from 127.0.0.1:52104 to 127.0.0.1:1812 length 140 User-Name = 'user@example.org' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020000150175736572406578616d706c652e6f7267 Message-Authenticator = 0xbd9fa940f7dd27fd9abc4aa6e9bd9615 (0) Received Access-Request packet from host 127.0.0.1 port 52104, id=0, length=140 (0) User-Name = 'user@example.org' (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = '02-00-00-00-00-01' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = 'CONNECT 11Mbps 802.11b' (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (0) Message-Authenticator = 0xbd9fa940f7dd27fd9abc4aa6e9bd9615 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "example.org" for User-Name = " user@example.org" (0) suffix : Found realm "example.org" (0) suffix : Adding Stripped-User-Name = "user" (0) suffix : Adding Realm = "example.org" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : Peer sent code Response (2) ID 0 length 21 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0x4bf773f04bf67754 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 127.0.0.1 port 52104, id=0, length=0 (0) EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x4bf773f04bf67754734c0cd3aa7a1f2e Sending Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:52104 EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4bf773f04bf67754734c0cd3aa7a1f2e (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 1 from 127.0.0.1:52104 to 127.0.0.1:1812 length 143 User-Name = 'user@example.org' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x02010006030d State = 0x4bf773f04bf67754734c0cd3aa7a1f2e Message-Authenticator = 0xa16f90d8ae45de1cdf7f0d503d820a2e (1) Received Access-Request packet from host 127.0.0.1 port 52104, id=1, length=143 (1) User-Name = 'user@example.org' (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = '02-00-00-00-00-01' (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = 'CONNECT 11Mbps 802.11b' (1) EAP-Message = 0x02010006030d (1) State = 0x4bf773f04bf67754734c0cd3aa7a1f2e (1) Message-Authenticator = 0xa16f90d8ae45de1cdf7f0d503d820a2e (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : Looking up realm "example.org" for User-Name = " user@example.org" (1) suffix : Found realm "example.org" (1) suffix : Adding Stripped-User-Name = "user" (1) suffix : Adding Realm = "example.org" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) eap : Peer sent code Response (2) ID 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (1) WARNING: pap : Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x4bf773f04bf67754 (1) eap : Finished EAP session with state 0x4bf773f04bf67754 (1) eap : Previous EAP request found for state 0x4bf773f04bf67754, released from the list (1) eap : Peer sent method NAK (3) (1) eap : Found mutually acceptable type TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Flushing SSL sessions (of #0) (1) eap_tls : Requiring client certificate (1) eap_tls : Initiate (1) eap_tls : Requiring client certificate (1) eap_tls : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0x4bf773f04af57e54 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 127.0.0.1 port 52104, id=1, length=0 (1) EAP-Message = 0x010200060d20 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x4bf773f04af57e54734c0cd3aa7a1f2e Sending Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:52104 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4bf773f04af57e54734c0cd3aa7a1f2e (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 2 from 127.0.0.1:52104 to 127.0.0.1:1812 length 143 User-Name = 'user@example.org' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020200060300 State = 0x4bf773f04af57e54734c0cd3aa7a1f2e Message-Authenticator = 0xb1da50c5d4bdd5bb67f32dec997d2d3a (2) Received Access-Request packet from host 127.0.0.1 port 52104, id=2, length=143 (2) User-Name = 'user@example.org' (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = '02-00-00-00-00-01' (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = 'CONNECT 11Mbps 802.11b' (2) EAP-Message = 0x020200060300 (2) State = 0x4bf773f04af57e54734c0cd3aa7a1f2e (2) Message-Authenticator = 0xb1da50c5d4bdd5bb67f32dec997d2d3a (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : Looking up realm "example.org" for User-Name = " user@example.org" (2) suffix : Found realm "example.org" (2) suffix : Adding Stripped-User-Name = "user" (2) suffix : Adding Realm = "example.org" (2) suffix : Authentication realm is LOCAL (2) [suffix] = ok (2) eap : Peer sent code Response (2) ID 2 length 6 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (2) WARNING: pap : Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x4bf773f04af57e54 (2) eap : Finished EAP session with state 0x4bf773f04af57e54 (2) eap : Previous EAP request found for state 0x4bf773f04af57e54, released from the list (2) eap : Peer sent method NAK (3) (2) eap : Peer NAK'd indicating it is not willing to continue (2) eap : Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject : EXPAND %{User-Name} (2) attr_filter.access_reject : --> user@example.org (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (2) [eap] = noop (2) remove_reply_message_if_eap remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else else { (2) [noop] = noop (2) } # else else = noop (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sending Access-Reject packet to host 127.0.0.1 port 52104, id=2, length=0 (2) EAP-Message = 0x04020004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Reject Id 2 from 127.0.0.1:1812 to 127.0.0.1:52104 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +22 (1) Cleaning up request packet ID 1 with timestamp +22 (2) Cleaning up request packet ID 2 with timestamp +22 Ready to process requests EAPOL_TEST OUTPUT : eapol_test -c /root/eapol_tls_test.tls -A127.0.0.1 -a127.0.0.1 -p1812 -stesting123 -r1 Reading configuration file '/root/eapol_tls_test.tls' Line: 1 - start of a new network block ssid - hexdump_ascii(len=9): 54 45 53 54 2d 53 53 49 44 TEST-SSID eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 eapol_flags=0 (0x0) key_mgmt: 0x1 identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org ca_cert - hexdump_ascii(len=24): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 63 61 5f 2e 70 65 6d /ca_.pem client_cert - hexdump_ascii(len=25): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 75 73 65 72 2e 70 65 6d /user.pem private_key - hexdump_ascii(len=27): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 63 6c 69 65 6e 74 2e 6b 65 79 /client.key private_key_passwd - hexdump_ascii(len=8): 77 68 61 74 65 76 65 72 whatever eapol_flags=3 (0x3) Priority group 0 id=0 ssid='TEST-SSID' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:52104 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=21) TX EAP -> RADIUS - hexdump(len=21): 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=140 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=23 Value: 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Attribute 80 (Message-Authenticator) length=18 Value: bd 9f a9 40 f7 dd 27 fd 9a bc 4a a6 e9 bd 96 15 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 6c a3 1f 73 7c 07 bb a5 01 ae 81 9f a3 ff fc 2f Attribute 80 (Message-Authenticator) length=18 Value: f2 bf 89 14 05 06 6f 04 17 5e 85 a8 0d 5f db b0 Attribute 24 (State) length=18 Value: 4b f7 73 f0 4b f6 77 54 73 4c 0c d3 aa 7a 1f 2e STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK EAP: Status notification: refuse proposed method (param=MD5) EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 0d EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 0d Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=143 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 01 00 06 03 0d Attribute 24 (State) length=18 Value: 4b f7 73 f0 4b f6 77 54 73 4c 0c d3 aa 7a 1f 2e Attribute 80 (Message-Authenticator) length=18 Value: a1 6f 90 d8 ae 45 de 1c df 7f 0d 50 3d 82 0a 2e Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 64 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=1 length=64 Attribute 79 (EAP-Message) length=8 Value: 01 02 00 06 0d 20 Attribute 80 (Message-Authenticator) length=18 Value: 46 0f 99 22 0c 12 9d 9d 15 b2 62 54 73 a2 1e 80 Attribute 24 (State) length=18 Value: 4b f7 73 f0 4a f5 7e 54 73 4c 0c d3 aa 7a 1f 2e STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 EAP: Status notification: accept proposed method (param=TLS) EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: using phase1 config options OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib TLS: Failed to set TLS connection parameters ENGINE: engine deinit EAP-TLS: Failed to initialize SSL. EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS) EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=0): EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 02 00 06 03 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=2 length=143 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 02 00 06 03 00 Attribute 24 (State) length=18 Value: 4b f7 73 f0 4a f5 7e 54 73 4c 0c d3 aa 7a 1f 2e Attribute 80 (Message-Authenticator) length=18 Value: b1 da 50 c5 d4 bd d5 bb 67 f3 2d ec 99 7d 2d 3a Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE EAPOL: startWhen --> 0 Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=2 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 02 00 04 Attribute 80 (Message-Authenticator) length=18 Value: fc 84 e6 2f ec ab 4f 8b 78 0d a8 32 37 03 18 99 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=2 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available EAPOL: EAP key not available MPPE keys OK: 0 mismatch: 2 FAILURE EAPOL_CONFIG : cat /root/eapol_tls_test.tls network={ ssid="TEST-SSID" eap=TLS eapol_flags=0 key_mgmt=WPA-EAP identity="user@example.org" ca_cert="/etc/raddb/certs/ca_.pem" client_cert="/etc/raddb/certs/user.pem" private_key="/etc/raddb/certs/client.key" private_key_passwd="whatever" eapol_flags=3 } Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Sat, Feb 6, 2016 at 8:09 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 6, 2016, at 8:45 PM, John Teasley <ollieteasley@gmail.com> wrote:
I have been trying to freeRADIUS Version 3.0.4 worling with EAP-TLS for a while now.
Please don't. 3.0.11 was released recently. There are few reasons to use a version which is years out of date.
I was able to get PAP working using the guide athttp://deployingradius.com/documents/configuration/pap.html. However, getting EAP-TLS to work has been a pain.
3.0.11 has a sample config for eapol_test in src/tests/eap-tls.conf. It should pretty much work.
In my case I used the freeradius as installed by yum from the repos. Before doing the guide at the link posted below I built the certs in /etc/raddb/certs using make. No changes have been made to the .cnf files in the certs directory since this was a test. The eapol_test config is also posted below.
OK.
I have used radius as installed on pfsense in the past. However, I now wish to have a standalone host to take care of this. I have spent 3 days trying to get this to work. I am at a complete loss as what is wrong or how to even find out at this point. I have already ran radius with radius -XX and am not seeing that I know how to change. I would greatly appreciate some help on this. The settings I have used are EXACTLY what i slisted in the links.
That's good...
eapol_test configuration :
network={ ssid="TEST-SSID" eap=TLS eapol_flags=0 key_mgmt=WPA-EAP identity="user@example.com"
Which is the problem. If you read the debug output, you'll see it proxying requests. You probably don't want to do that.
(0) suffix : Looking up realm "example.com" for User-Name = "
user@example.com"
(0) suffix : Found realm "example.com" (0) suffix : Adding Stripped-User-Name = "user" (0) suffix : Adding Realm = "example.com" (0) suffix : Proxying request from user user to realm example.com (0) suffix : Preparing to proxy authentication request to realm " example.com" (0) [suffix] = updated (0) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
Which is the issue.
Change the eapol_test config file to use example.org, and edit proxy.conf to add:
realm example.org { }
Which says it's a local realm, and not to be proxied.
This change is also available in 3.0.11, which is one reason why we suggest using the latest versions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 6, 2016, at 9:22 PM, John Teasley <ollieteasley@gmail.com> wrote:
Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see below results. I really appreciate the help.
It's what I do, despite what some people think. :)
Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is.
Again, a careful reading of the output is useful: From eapol_test:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
You need to be sure that the certificate exists. Check the path in the eapol_test configuration file. Alan DeKok.
Thanks again Alan. Looks like I had a ton of typos in the test config. Wow. Sorry I wasted your time with this one. Must have been staring at it to long or something. Thanks again. I guess now I can read up setting up a better way to manage all the certs! NEW RESULTS : EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: Status notification: completion (param=success) EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): d8 6e 87 d3 3c 12 2e b8 83 21 72 3b cd c0 ae c2 8a 9a 4a 6c 28 62 2d 25 f4 22 b2 2c 3e c3 18 92 EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 2 mismatch: 0 SUCCESS Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Sat, Feb 6, 2016 at 9:53 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 6, 2016, at 9:22 PM, John Teasley <ollieteasley@gmail.com> wrote:
Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see below results. I really appreciate the help.
It's what I do, despite what some people think. :)
Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is.
Again, a careful reading of the output is useful:
From eapol_test:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
You need to be sure that the certificate exists. Check the path in the eapol_test configuration file.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Well looks like from this point it maybe NetworkManager and how it deals with the certs. Using wpa_supplicant I am able to connect using the WPA_SUPPLICANT_CONFIG block below. Once I get everything sorted out I will redo the certs. However, I dont get why this is not working with NetworkManager. That will be for another forum I guess. I am curious though if my traffic is now encrypted ( even though the certs are just the snake-oil certs) when connecting using wpa_supplicant outside of network manager. WPA_SUPPLICANT CONFIG : ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel network={ ssid="trunk2" scan_ssid=1 key_mgmt=WPA-EAP pairwise=TKIP CCMP group=TKIP CCMP eap=TLS identity="user@example.org" ca_cert="/home/loper/NetworkManager_CERTS/ca.pem" client_cert="/home/loper/NetworkManager_CERTS/user.pem" private_key="/home/loper/NetworkManager_CERTS/client.key" private_key_passwd="whatever" eapol_flags=3 } Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Sun, Feb 7, 2016 at 12:17 PM, John Teasley <ollieteasley@gmail.com> wrote:
Thanks again Alan. Looks like I had a ton of typos in the test config. Wow. Sorry I wasted your time with this one. Must have been staring at it to long or something. Thanks again. I guess now I can read up setting up a better way to manage all the certs!
NEW RESULTS :
EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: Status notification: completion (param=success) EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): d8 6e 87 d3 3c 12 2e b8 83 21 72 3b cd c0 ae c2 8a 9a 4a 6c 28 62 2d 25 f4 22 b2 2c 3e c3 18 92 EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 2 mismatch: 0 SUCCESS
Ollie Teasley Linux Administrator ISMELL.SHOES, LLC
On Sat, Feb 6, 2016 at 9:53 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 6, 2016, at 9:22 PM, John Teasley <ollieteasley@gmail.com> wrote:
Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see below results. I really appreciate the help.
It's what I do, despite what some people think. :)
Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is.
Again, a careful reading of the output is useful:
From eapol_test:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
You need to be sure that the certificate exists. Check the path in the eapol_test configuration file.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Feb 7, 2016, at 7:07 PM, John Teasley <ollieteasley@gmail.com> wrote:
Well looks like from this point it maybe NetworkManager and how it deals with the certs. Using wpa_supplicant I am able to connect using the WPA_SUPPLICANT_CONFIG block below. Once I get everything sorted out I will redo the certs. However, I dont get why this is not working with NetworkManager.
Look at the debug logs.
That will be for another forum I guess. I am curious though if my traffic is now encrypted ( even though the certs are just the snake-oil certs) when connecting using wpa_supplicant outside of network manager.
The WiFi encryption depends on EAP completing successfully. It doesn't depend on the contents of the certificates. The "snake oil" certificates are just normal certificates. The only unusual thing about them is that they're not created from a well-known certificate authority. Alan DeKok.
Hi,
NetworkManager. That will be for another forum I guess. I am curious though if my traffic is now encrypted ( even though the certs are just the snake-oil certs) when connecting using wpa_supplicant outside of network manager.
if AAA/802.1X has succeeded - then yes..... please dont call the local certs 'snake-oil' its a mis-term - they are local CA/certs alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
John Teasley