windows7 machine authentication
Hello list We use freeradius with opendlap and machine-authentification (samba-pcs) for years with success. Windows xp and vista clients works fine. Now i wanted to authenticate a Windows 7 laptop and i get the following errors : [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop and then [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 I dont use certificates neither on the server and neither on the client side. I read in teh internet that also windows7 should work without certificates - is that true ? Wath can bee the problem ? Do you need more debug-output ? Thank you and by luis
On 24/08/10 15:19, alois blasbichler wrote:
Hello list
We use freeradius with opendlap and machine-authentification (samba-pcs) for years with success. Windows xp and vista clients works fine. Now i wanted to authenticate a Windows 7 laptop and i get the following errors :
[suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop
and then
[eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap]<<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4
I dont use certificates neither on the server and neither on the client side.
Yes you do. PEAP requires a server cert.
I read in teh internet that also windows7 should work without certificates - is that true ?
No it is not.
Wath can bee the problem ?
The clients don't know the server CA.
alois blasbichler wrote:
Now i wanted to authenticate a Windows 7 laptop and i get the following errors : ... [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The laptop MUST have the CA certificate on it. http://deployingradius.com/documents/configuration/ca_import.html
I dont use certificates neither on the server
Nonsense. EAP-TLS and PEAP require a server certificate.
and neither on the client side.
Which is why it's failing.
I read in teh internet that also windows7 should work without certificates - is that true ?
No. Alan DeKok.
Now i wanted to authenticate a Windows 7 laptop and i get the following errors : ... [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
The laptop MUST have the CA certificate on it.
Thank you for the quick answer One other question : my windows xp and vista clients also use EAP-TLS and PEAP but i never have imported a certificate. Do they imported this automatically - what windows seven dont or they are working without a certificate ? Bye luis
I dont use certificates neither on the server and neither on the client side. I read in teh internet that also windows7 should work without certificates - is that true ?
Strictly speaking this is actually true, However! You need to understand what is happening: 1) Win7 will not connect to a wireless network that is secured with a certificate enabled protocol without some prior configuration, period. This means that is you set up an AP using 802.1x with FreeRADIUS (or any server) as your AAA server your windows 7 (and Vista AFAIK) WILL NOT Authenticate successfully unless you specifically configure the client to do so. Gone are the days of click through protected WiFi setups in Windows. I have purchased a cert from thawte hoping that my clients will trust it and allow the connection without manually touching each machine but alas, no. 2) once correctly configured (depending on the auth protocol you are using) the client will accept the server's cert (the reason the auth is failing now) and send back its own cert for the server to inspect (if needed by the protocol). So, you ARE using certs. Did you install them, no. Is that a problem, yes. When working with certs you should ALWAYS know them inside and out, they are your digital identity, and they do incur some legal implications. If you need assistance configuring the windows clients to accept the cert the server is sending, meet me on the IRC channel. That is really not a discussion for the list. ; ) Jake Sallee Godfather Of Bandwidth Network Engineer Fone: 254-295-4658 Phax: 254-295-4221 -----Original Message----- From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.o rg] On Behalf Of alois blasbichler Sent: Tuesday, August 24, 2010 9:20 AM To: freeradius-users@lists.freeradius.org Subject: windows7 machine authentication Hello list We use freeradius with opendlap and machine-authentification (samba-pcs) for years with success. Windows xp and vista clients works fine. Now i wanted to authenticate a Windows 7 laptop and i get the following errors : [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 12 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop and then [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 I dont use certificates neither on the server and neither on the client side. I read in teh internet that also windows7 should work without certificates - is that true ? Wath can bee the problem ? Do you need more debug-output ? Thank you and by luis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello My situation is : I dont want user certificates for the clients to authenticate. I configure my freeradius that only laptops in my domain can login to my wireless - safe enaugth - so all private laptops and strange laptops dont enter in my network. Only latops that a Administrator connect to the domain can login. So far all worked ok till windows 7. If i need i can create a server certificate and import this on my clients but i dont want use "client certificates". so Windows 7 works with EAP-TLS and PEAP only with a server zertificate ? Can you give me som link where can i read how to configure win7 for wlan? Bye luis - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html a server
Strictly speaking this is actually true, However! You need to understand what is happening:
1) Win7 will not connect to a wireless network that is secured with a certificate enabled protocol without some prior configuration, period. This means that is you set up an AP using 802.1x with FreeRADIUS (or any server) as your AAA server your windows 7 (and Vista AFAIK) WILL NOT Authenticate successfully unless you specifically configure the client to do so. Gone are the days of click through protected WiFi setups in Windows. I have purchased a cert from thawte hoping that my clients will trust it and allow the connection without manually touching each machine but alas, no.
2) once correctly configured (depending on the auth protocol you are using) the client will accept the server's cert (the reason the auth is failing now) and send back its own cert for the server to inspect (if needed by the protocol).
On 08/24/2010 11:09 AM, alois blasbichler wrote:
My situation is :
I dont want user certificates
Nobody said anything about user certificates. The situation is no different than any other SSL server, if the cert presented by the server is not signed by a CA trusted by the client it *should* be rejected, this is identical to what happens with a web browser. -- John Dennis <jdennis@redhat.com> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Hi,
So far all worked ok till windows 7.
If i need i can create a server certificate and import this on my clients but i dont want use "client certificates".
you dont need to - you just need the CA that the server was signed with to be on your Win7 clients
so Windows 7 works with EAP-TLS and PEAP only with a server zertificate ?
same as winXP, vista... heck even win2k with SP4 alan
Hello list Thank you for all the hints. I have created a new certificate and installed the ca.der on my laptop. I alos upgraded my freeradius to the latest version 2.1.9 But no luck i get allways the same error. Wath can i do ? Maybe its a configuration problem ? Below my full log By luis rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=50, length=189 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0202001301686f73742f6c61702d6d65643232 Message-Authenticator = 0x4d6e3ece3717885ed203938b4b177a2c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE ? Evaluating !(Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE ? Skipping (Service-Type) ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE ++? if (NAS-IP-Address != 10.53.240.1) ? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE ++? if (NAS-IP-Address != 10.53.240.1) -> TRUE ++- entering if (NAS-IP-Address != 10.53.240.1) {...} [ldap-switch] performing user authorization for host/lap-med22 [ldap-switch] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap-switch] ... expanding second conditional [ldap-switch] expand: %{User-Name} -> host/lap-med22 [ldap-switch] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=host/lap-med22) [ldap-switch] expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it [ldap-switch] ldap_get_conn: Checking Id: 0 [ldap-switch] ldap_get_conn: Got Id: 0 [ldap-switch] attempting LDAP reconnection [ldap-switch] (re)connect to titan:389, authentication 0 [ldap-switch] bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to titan:389 [ldap-switch] waiting for bind result ... [ldap-switch] Bind was successful [ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=host/lap-med22) [ldap-switch] object not found [ldap-switch] search failed [ldap-switch] ldap_release_conn: Release Id: 0 +++[ldap-switch] returns notfound ++- if (NAS-IP-Address != 10.53.240.1) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 50 to 10.53.240.10 port 32769 EAP-Message = 0x0103001604109802abd36e067bc4f583f77e64d7fd78 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa4b66ba726c3f3167b686aac Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=51, length=194 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020300060319 State = 0xa4b56f0aa4b66ba726c3f3167b686aac Message-Authenticator = 0x235cc52e5b1a1f50911c8fa4f061e070 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE ? Evaluating !(Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE ? Skipping (Service-Type) ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE ++? if (NAS-IP-Address != 10.53.240.1) ? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE ++? if (NAS-IP-Address != 10.53.240.1) -> TRUE ++- entering if (NAS-IP-Address != 10.53.240.1) {...} [ldap-switch] performing user authorization for host/lap-med22 [ldap-switch] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap-switch] ... expanding second conditional [ldap-switch] expand: %{User-Name} -> host/lap-med22 [ldap-switch] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=host/lap-med22) [ldap-switch] expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it [ldap-switch] ldap_get_conn: Checking Id: 0 [ldap-switch] ldap_get_conn: Got Id: 0 [ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=host/lap-med22) [ldap-switch] object not found [ldap-switch] search failed [ldap-switch] ldap_release_conn: Release Id: 0 +++[ldap-switch] returns notfound ++- if (NAS-IP-Address != 10.53.240.1) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 51 to 10.53.240.10 port 32769 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa5b176a726c3f3167b686aac Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=52, length=311 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0204007b198000000071160301006c0100006803014c75110436e3af283bc4a944b96fcefb76c5acce50932a0229b8348d9a5ec2e7000018002f00350005000ac013c014c009c00a003200380013000401000027ff010001000000000e000c0000096c61702d6d65643232000a0006000400170018000b00020100 State = 0xa4b56f0aa5b176a726c3f3167b686aac Message-Authenticator = 0x7551f3a129c2ecbc72b403e8daef8139 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 113 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0868], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 52 to 10.53.240.10 port 32769 EAP-Message = 0x0105040019c0000008a5160301002a0200002603014c7511040a1f47ebac9cdd8a749bb2432b217afe0f633a8be9daa03a576d98da00002f0016030108680b0008640008610003aa308203a63082028ea003020102020103300d06092a864886f70d0101040500308195310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x2031301e170d3130303832353131353331395a170d3131303832353131353331395a307e310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312530230603550403131c4578616d706c652053657276657220436572746966696361746520313120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b99b74ac48b6560e18a28400df7b6ab44d17c44b925cd3f717d09c4b2fffe153d098ac590428fa0b7573265b0a6b246ff6c58a3ee2246deb030c EAP-Message = 0xe1e8e89f4fbcc6f323e51cd8fd33c4d4479d7626f3b52dab8f1ae0a4df078438964def0780392356fff2d1e2e4f51bfb9ac7543550733c4cba8ae863aead42e07ec78c6adc414d2a60d5928447fb9995e687d4c2dfa0a3867232f615d5685d0e5b15c6130002bf9bcb5582af0096565f37d97989ce3d14d480dcdb2fa3f7185c935b44baaa76c9e8f5e418f10c6051db265fbf2b6645520ee8df360b2a3ecf4d33134e2132161dd510b48257f774e18cd889913d0bd33ec535b9bbb42ba76cbba5f97ae066a70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009b7b9fb3df EAP-Message = 0x4157731ba38f645ef8c75197fb9ab855c315823d945ad4975a8d237c33d8736113b3f79845b1836f8882b7ab428782d378634093f67eca885a2d92543f2d25048e20ed3f447c8e4f401ef61f1fe2f5320c285f3c8fdc827a61f80c8c8544c24b6285d2e54b58c803108bb8e0849d93785b2a3d975d0c1f36f9fb96e9f7ae0543480758eb8144822637dc9e0ad00ad5ecb6c5d99ec8c355b83a61ef1aa62a3259248c495e84b3bf3d80ead7132eab7ab651709dec7d4ec58b41aa76bdbdc87a82f82446aa04212451e17f97d30d4f9c39dd2b922016e0abafb71d05c7101726a2270428e630375eabd07db5ef401af920deeae169871816e551da0a0004 EAP-Message = 0xb1308204ad30820395a00302 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa6b076a726c3f3167b686aac Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=53, length=194 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020500061900 State = 0xa4b56f0aa6b076a726c3f3167b686aac Message-Authenticator = 0x0f2cdc5ec561a12e183bf717069dd073 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 53 to 10.53.240.10 port 32769 EAP-Message = 0x010603fc19400102020900eeaafc003e703fe4300d06092a864886f70d0101050500308195310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f726974792031301e170d3130303832353131353331395a170d3130303932343131353331395a308195310b3009060355040613024652310f300d060355040813065261646975733112 EAP-Message = 0x301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f72697479203130820122300d06092a864886f70d01010105000382010f003082010a0282010100bb14fb8db7103d66f1b3980347b9d0c210d3a71e3936f66e162ce185c9baf3a6a6a3f31fa5655d2615266bd552b40fdf6f28d1f3a4bf5d24994c633b4bc3a3e662cba09170cb30e2ce10fa92142b35a115877a8b463cb95c2c623b17cf5cf53d88d976eaad0ef2 EAP-Message = 0x23c91253f1e74668de02cebbb996a2bf50ef4a309d19fd928d62a66d786c9c728056d9aa354299dcf03f787ba5b2a25d61a05b8b4662bf87805e98f73555acb96d96e422a0828db4d22009fb020948354f7b5d339c9f5ccd8932504ee0ddb572fa3a999fb6c155af648070321172c6927587e6112a73bec0d6673825a572076b8511b5ff06a2a9ba30368753612e2b27570d7a10097e76db610203010001a381fd3081fa301d0603551d0e04160414bc8ad8d21a2eaa6c110055055989038dbcdd6b0e3081ca0603551d230481c23081bf8014bc8ad8d21a2eaa6c110055055989038dbcdd6b0ea1819ba48198308195310b3009060355040613024652 EAP-Message = 0x310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f726974792031820900eeaafc003e703fe4300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100046580d057157b6af87fd5d796ad99da0e144885fd99dccad5c3fe71be6371f3d95fd529c1fc453044235d565d59bd491613559a4ec29b24e893b3db0b82f835b060b23a9ecb73db EAP-Message = 0xcd98b5c404f42061 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa7b376a726c3f3167b686aac Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=54, length=194 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020600061900 State = 0xa4b56f0aa7b376a726c3f3167b686aac Message-Authenticator = 0x3a249f23d32b56aa04e052b05bccf654 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 54 to 10.53.240.10 port 32769 EAP-Message = 0x010700bf19003d27993820693a246572680ce31e26e01560ed876cefb1fb622ad56b2d329c800af4ce229afce81561597ef797cbc618308623af786a5dc8e9594168f283c10464d91b3fb37d9d97f55380fb67c04e759705f3f158d6753467f9f2afc201119071697daea6dc83396f5b41d08c740c7891bc6c8dbbccdd4e7fcf37ab63faac552fe972d3dfed0dd0688f2a2217ad437eb3e45bdd44079a9f954095ab6143353e9398c2b57b1dcc7c1d325d308d38158816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa0b276a726c3f3167b686aac Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=55, length=205 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0207001119800000000715030100020230 State = 0xa4b56f0aa0b276a726c3f3167b686aac Message-Authenticator = 0xf43e6a6a20f23d5df0a151325c5d1711 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 17 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [host/lap-med22] (from client ciscosw port 29 cli 70-F1-A1-49-50-41) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/lap-med22 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 55 to 10.53.240.10 port 32769 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 50 with timestamp +9 Cleaning up request 1 ID 51 with timestamp +9 Cleaning up request 2 ID 52 with timestamp +9 Cleaning up request 3 ID 53 with timestamp +9 Cleaning up request 4 ID 54 with timestamp +9 Waking up in 1.0 seconds. Cleaning up request 5 ID 55 with timestamp +9 Ready to process requests.
You need to import two certificate, first is the root certificate (ca.der) and second is the client certificate (client.pem). Once you have already imported the certificates, define what authentication protocol you wish to use. If your users have a cleartext password or nt-hash password, then choose peap for the default_eap_type in you eap.conf and your server will perform MS-CHAPv2 authentication that windows support. If your users doesn't have this type of password format, then it is advisable to install a supplicant that support EAP-TTLS / EAP-GTC as a workaround. alois blasbichler wrote:
Hello list
Thank you for all the hints. I have created a new certificate and installed the ca.der on my laptop. I alos upgraded my freeradius to the latest version 2.1.9 But no luck i get allways the same error.
Wath can i do ? Maybe its a configuration problem ?
Below my full log
By luis
rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=50, length=189 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0202001301686f73742f6c61702d6d65643232 Message-Authenticator = 0x4d6e3ece3717885ed203938b4b177a2c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE ? Evaluating !(Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE ? Skipping (Service-Type) ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE ++? if (NAS-IP-Address != 10.53.240.1) ? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE ++? if (NAS-IP-Address != 10.53.240.1) -> TRUE ++- entering if (NAS-IP-Address != 10.53.240.1) {...} [ldap-switch] performing user authorization for host/lap-med22 [ldap-switch] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap-switch] ... expanding second conditional [ldap-switch] expand: %{User-Name} -> host/lap-med22 [ldap-switch] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=host/lap-med22) [ldap-switch] expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it [ldap-switch] ldap_get_conn: Checking Id: 0 [ldap-switch] ldap_get_conn: Got Id: 0 [ldap-switch] attempting LDAP reconnection [ldap-switch] (re)connect to titan:389, authentication 0 [ldap-switch] bind as uid=cyrus,dc=sb-brixen,dc=it/niko2006 to titan:389 [ldap-switch] waiting for bind result ... [ldap-switch] Bind was successful [ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=host/lap-med22) [ldap-switch] object not found [ldap-switch] search failed [ldap-switch] ldap_release_conn: Release Id: 0 +++[ldap-switch] returns notfound ++- if (NAS-IP-Address != 10.53.240.1) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 50 to 10.53.240.10 port 32769 EAP-Message = 0x0103001604109802abd36e067bc4f583f77e64d7fd78 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa4b66ba726c3f3167b686aac Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=51, length=194 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020300060319 State = 0xa4b56f0aa4b66ba726c3f3167b686aac Message-Authenticator = 0x235cc52e5b1a1f50911c8fa4f061e070 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.10 ) -> TRUE ? Evaluating !(Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.10 && !Service-Type) -> FALSE ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) ? Evaluating (NAS-IP-Address == 10.53.240.12 ) -> FALSE ? Skipping (Service-Type) ++? if (NAS-IP-Address == 10.53.240.12 && !Service-Type) -> FALSE ++? if (NAS-IP-Address != 10.53.240.1) ? Evaluating (NAS-IP-Address != 10.53.240.1) -> TRUE ++? if (NAS-IP-Address != 10.53.240.1) -> TRUE ++- entering if (NAS-IP-Address != 10.53.240.1) {...} [ldap-switch] performing user authorization for host/lap-med22 [ldap-switch] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap-switch] ... expanding second conditional [ldap-switch] expand: %{User-Name} -> host/lap-med22 [ldap-switch] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=host/lap-med22) [ldap-switch] expand: ou=users,dc=sb-brixen,dc=it -> ou=users,dc=sb-brixen,dc=it [ldap-switch] ldap_get_conn: Checking Id: 0 [ldap-switch] ldap_get_conn: Got Id: 0 [ldap-switch] performing search in ou=users,dc=sb-brixen,dc=it, with filter (uid=host/lap-med22) [ldap-switch] object not found [ldap-switch] search failed [ldap-switch] ldap_release_conn: Release Id: 0 +++[ldap-switch] returns notfound ++- if (NAS-IP-Address != 10.53.240.1) returns notfound ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 51 to 10.53.240.10 port 32769 EAP-Message = 0x010400061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa5b176a726c3f3167b686aac Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=52, length=311 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0204007b198000000071160301006c0100006803014c75110436e3af283bc4a944b96fcefb76c5acce50932a0229b8348d9a5ec2e7000018002f00350005000ac013c014c009c00a003200380013000401000027ff010001000000000e000c0000096c61702d6d65643232000a0006000400170018000b00020100 State = 0xa4b56f0aa5b176a726c3f3167b686aac Message-Authenticator = 0x7551f3a129c2ecbc72b403e8daef8139 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 123 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 113 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 006c], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0868], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 52 to 10.53.240.10 port 32769 EAP-Message = 0x0105040019c0000008a5160301002a0200002603014c7511040a1f47ebac9cdd8a749bb2432b217afe0f633a8be9daa03a576d98da00002f0016030108680b0008640008610003aa308203a63082028ea003020102020103300d06092a864886f70d0101040500308195310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x2031301e170d3130303832353131353331395a170d3131303832353131353331395a307e310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312530230603550403131c4578616d706c652053657276657220436572746966696361746520313120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b99b74ac48b6560e18a28400df7b6ab44d17c44b925cd3f717d09c4b2fffe153d098ac590428fa0b7573265b0a6b246ff6c58a3ee2246deb030c EAP-Message = 0xe1e8e89f4fbcc6f323e51cd8fd33c4d4479d7626f3b52dab8f1ae0a4df078438964def0780392356fff2d1e2e4f51bfb9ac7543550733c4cba8ae863aead42e07ec78c6adc414d2a60d5928447fb9995e687d4c2dfa0a3867232f615d5685d0e5b15c6130002bf9bcb5582af0096565f37d97989ce3d14d480dcdb2fa3f7185c935b44baaa76c9e8f5e418f10c6051db265fbf2b6645520ee8df360b2a3ecf4d33134e2132161dd510b48257f774e18cd889913d0bd33ec535b9bbb42ba76cbba5f97ae066a70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009b7b9fb3df EAP-Message = 0x4157731ba38f645ef8c75197fb9ab855c315823d945ad4975a8d237c33d8736113b3f79845b1836f8882b7ab428782d378634093f67eca885a2d92543f2d25048e20ed3f447c8e4f401ef61f1fe2f5320c285f3c8fdc827a61f80c8c8544c24b6285d2e54b58c803108bb8e0849d93785b2a3d975d0c1f36f9fb96e9f7ae0543480758eb8144822637dc9e0ad00ad5ecb6c5d99ec8c355b83a61ef1aa62a3259248c495e84b3bf3d80ead7132eab7ab651709dec7d4ec58b41aa76bdbdc87a82f82446aa04212451e17f97d30d4f9c39dd2b922016e0abafb71d05c7101726a2270428e630375eabd07db5ef401af920deeae169871816e551da0a0004 EAP-Message = 0xb1308204ad30820395a00302 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa6b076a726c3f3167b686aac Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=53, length=194 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020500061900 State = 0xa4b56f0aa6b076a726c3f3167b686aac Message-Authenticator = 0x0f2cdc5ec561a12e183bf717069dd073 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 53 to 10.53.240.10 port 32769 EAP-Message = 0x010603fc19400102020900eeaafc003e703fe4300d06092a864886f70d0101050500308195310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f726974792031301e170d3130303832353131353331395a170d3130303932343131353331395a308195310b3009060355040613024652310f300d060355040813065261646975733112 EAP-Message = 0x301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f72697479203130820122300d06092a864886f70d01010105000382010f003082010a0282010100bb14fb8db7103d66f1b3980347b9d0c210d3a71e3936f66e162ce185c9baf3a6a6a3f31fa5655d2615266bd552b40fdf6f28d1f3a4bf5d24994c633b4bc3a3e662cba09170cb30e2ce10fa92142b35a115877a8b463cb95c2c623b17cf5cf53d88d976eaad0ef2 EAP-Message = 0x23c91253f1e74668de02cebbb996a2bf50ef4a309d19fd928d62a66d786c9c728056d9aa354299dcf03f787ba5b2a25d61a05b8b4662bf87805e98f73555acb96d96e422a0828db4d22009fb020948354f7b5d339c9f5ccd8932504ee0ddb572fa3a999fb6c155af648070321172c6927587e6112a73bec0d6673825a572076b8511b5ff06a2a9ba30368753612e2b27570d7a10097e76db610203010001a381fd3081fa301d0603551d0e04160414bc8ad8d21a2eaa6c110055055989038dbcdd6b0e3081ca0603551d230481c23081bf8014bc8ad8d21a2eaa6c110055055989038dbcdd6b0ea1819ba48198308195310b3009060355040613024652 EAP-Message = 0x310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312830260603550403131f4578616d706c6520436572746966696361746520417574686f726974792031820900eeaafc003e703fe4300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100046580d057157b6af87fd5d796ad99da0e144885fd99dccad5c3fe71be6371f3d95fd529c1fc453044235d565d59bd491613559a4ec29b24e893b3db0b82f835b060b23a9ecb73db EAP-Message = 0xcd98b5c404f42061 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa7b376a726c3f3167b686aac Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=54, length=194 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x020600061900 State = 0xa4b56f0aa7b376a726c3f3167b686aac Message-Authenticator = 0x3a249f23d32b56aa04e052b05bccf654 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 54 to 10.53.240.10 port 32769 EAP-Message = 0x010700bf19003d27993820693a246572680ce31e26e01560ed876cefb1fb622ad56b2d329c800af4ce229afce81561597ef797cbc618308623af786a5dc8e9594168f283c10464d91b3fb37d9d97f55380fb67c04e759705f3f158d6753467f9f2afc201119071697daea6dc83396f5b41d08c740c7891bc6c8dbbccdd4e7fcf37ab63faac552fe972d3dfed0dd0688f2a2217ad437eb3e45bdd44079a9f954095ab6143353e9398c2b57b1dcc7c1d325d308d38158816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa4b56f0aa0b276a726c3f3167b686aac Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.53.240.10 port 32769, id=55, length=205 User-Name = "host/lap-med22" Calling-Station-Id = "70-F1-A1-49-50-41" Called-Station-Id = "00-0B-85-95-70-80:Info" NAS-Port = 29 NAS-IP-Address = 10.53.240.10 NAS-Identifier = "WS4404_Pri" Airespace-Wlan-Id = 3 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "156" EAP-Message = 0x0207001119800000000715030100020230 State = 0xa4b56f0aa0b276a726c3f3167b686aac Message-Authenticator = 0xf43e6a6a20f23d5df0a151325c5d1711 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "host/lap-med22", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 17 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [host/lap-med22] (from client ciscosw port 29 cli 70-F1-A1-49-50-41) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/lap-med22 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 55 to 10.53.240.10 port 32769 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 50 with timestamp +9 Cleaning up request 1 ID 51 with timestamp +9 Cleaning up request 2 ID 52 with timestamp +9 Cleaning up request 3 ID 53 with timestamp +9 Cleaning up request 4 ID 54 with timestamp +9 Waking up in 1.0 seconds. Cleaning up request 5 ID 55 with timestamp +9 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://old.nabble.com/windows7-machine-authentication-tp29522542p29538908.ht... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hello Thank you all for the tips - one put me in the rigth direction : "keeping in mind that SSIDs ARE case sensitive." And this was my problem - that i created a wireless-lan on the laptop with false cases and so windows ignores this one and used allways the default settings. Also it was not a Radius problem ! Thanks and bye luis
participants (7)
-
Alan Buxey -
Alan DeKok -
alois blasbichler -
John Dennis -
Phil Mayers -
rrperez -
Sallee, Stephen (Jake)