Hello i would kindly ask you for a little help regarding tls as I do not know how to debug this and if this is ok. I have enabled tls under eap (before it was md5) and i have add CA. here i am pasting log from freeradius. Is this is ok is not:) Ready to process requests (0) Received Access-Request Id 15 from 172.31.1.120:1812 to 172.31.1.124:1812 length 92 (0) NAS-IP-Address = 172.31.1.120 (0) NAS-Port = 50022 (0) NAS-Port-Type = Ethernet (0) User-Name = "y" (0) Calling-Station-Id = "00-90-33-46-04-AD" (0) Service-Type = Framed-User (0) EAP-Message = 0x020400060179 (0) Message-Authenticator = 0x605db39095dcdbe2e0b5efc1ada118f1 (0) # Executing section authorize from file /etc/raddb/sites- enabled/default (0) authorize { (0) policy filter_username { (0) if (!&User-Name) { (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) { (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "y", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 4 length 6 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: Initiating new EAP-TLS session (0) eap_tls: Flushing SSL sessions (of #0) (0) eap_tls: Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 5 length 6 (0) eap: EAP session adding &reply:State = 0xfba9e51efbace8c4 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Sent Access-Challenge Id 15 from 172.31.1.124:1812 to 172.31.1.120:1812 length 0 (0) EAP-Message = 0x010500060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xfba9e51efbace8c410d4292907198e26 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 16 from 172.31.1.120:1812 to 172.31.1.124:1812 length 164 (1) NAS-IP-Address = 172.31.1.120 (1) NAS-Port = 50022 (1) NAS-Port-Type = Ethernet (1) User-Name = "y" (1) Calling-Station-Id = "00-90-33-46-04-AD" (1) Service-Type = Framed-User (1) State = 0xfba9e51efbace8c410d4292907198e26 (1) EAP-Message = 0x0205003c0d0016030100310100002d030200002534152332c149557c927d87c699b1b a10d7e5ec5b4b1a1ea5f64e50f0d70000060035002f000a0100 (1) Message-Authenticator = 0x26446079a357c5cedc89cf1c8c2c6d7b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites- enabled/default (1) authorize { (1) policy filter_username { (1) if (!&User-Name) { (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) { (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "y", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 5 length 60 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xfba9e51efbace8c4 (1) eap: Finished EAP session with state 0xfba9e51efbace8c4 (1) eap: Previous EAP request found for state 0xfba9e51efbace8c4, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: Continuing EAP-TLS (1) eap_tls: Got final TLS record fragment (54 bytes) (1) eap_tls: WARNING: Total received TLS record fragments (54 bytes), does not equal indicated TLS record length (0 bytes) (1) eap_tls: [eaptls verify] = ok (1) eap_tls: Done initial handshake (1) eap_tls: (other): before/accept initialization (1) eap_tls: TLS_accept: before/accept initialization (1) eap_tls: <<< UNKNOWN TLS VERSION ?0000? [length 0005] (1) eap_tls: <<< TLS 1.1 [length 0031] (1) eap_tls: TLS_accept: SSLv3 read client hello A (1) eap_tls: >>> UNKNOWN TLS VERSION ?0000? [length 0005] (1) eap_tls: >>> TLS 1.1 [length 004a] (1) eap_tls: TLS_accept: SSLv3 write server hello A (1) eap_tls: >>> UNKNOWN TLS VERSION ?0000? [length 0005] (1) eap_tls: >>> TLS 1.1 [length 03e8] (1) eap_tls: TLS_accept: SSLv3 write certificate A (1) eap_tls: >>> UNKNOWN TLS VERSION ?0000? [length 0005] (1) eap_tls: >>> TLS 1.1 [length 006a] (1) eap_tls: TLS_accept: SSLv3 write certificate request A (1) eap_tls: TLS_accept: SSLv3 flush data (1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (1) eap_tls: In SSL Handshake Phase (1) eap_tls: In SSL Accept mode (1) eap_tls: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 6 length 1004 (1) eap: EAP session adding &reply:State = 0xfba9e51efaafe8c4 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Sent Access-Challenge Id 16 from 172.31.1.124:1812 to 172.31.1.120:1812 length 0 (1) EAP-Message = 0x010603ec0dc0000004ab160302004a02000046030258004f0a64cff924337d9ed0f50 0fb5489194fc4fbaa32a0d311de2ab53251002077853703cfefd060585ada2b1ccce810 bce4905b2744bd062170f5c8e84e8aa000350016030203e80b0003e40003e10003de308 203da308202c2a0030201020201 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0xfba9e51efaafe8c410d4292907198e26 (1) Finished request Waking up in 4.9 seconds. tnx so much! miha
On Jul 18, 2017, at 7:23 AM, Miha <miha@softnet.si> wrote:
i would kindly ask you for a little help regarding tls as I do not know how to debug this and if this is ok. I have enabled tls under eap (before it was md5) and i have add CA.
here i am pasting log from freeradius. Is this is ok is not:)
The log you posted doesn't show any real errors. To set up EAP-TLS, follow my guide: http://deployingradius.com/ Alan DeKok.
participants (2)
-
Alan DeKok -
Miha