I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6. I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails. The 'radiusd -X' output finishes with : WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server which is Linux (CentOS). The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0) OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate I created the certificates using the method decsribed in http://deployingradius.com/documents/configuration/certificates.html I can supply the full output from the 'eapol_test' command and from 'radiusd -X' but they're too big to include in this email. Can anyone tell me what I'm doing wrong? Thanks Martin. ================================================================ Here are the errors/warnings section from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files & eap.conf: 'eapol_test' errors/warnings ============================ : RADIUS packet matching with station decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP) TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 TLS: using phase1 config options OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0) OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-PEAP: Start (server ver=0, own ver=1) EAP-PEAP: Using PEAP version 0 SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect initialization SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client hello A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server hello A SSL: SSL_connect - want more data SSL: 112 bytes pending from ssl_out SSL: 112 bytes left to be sent out (of total 112 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=122) : 'radiusd -X' errors/warnings ============================ : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: USERNAME [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS [mschap] mschap2: 8a [mschap] Creating challenge hash with username: USERNAME [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822ad f858 Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7 Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333 0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9197308e909e2a67190d1c1ddd88b035 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333 0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9197308e909e2a67190d1c1ddd88b035 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 127.0.0.1 port 50462 EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825 807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x20754327287c5ad31b57225dabc8b87e Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +76 Cleaning up request 1 ID 1 with timestamp +76 Cleaning up request 2 ID 2 with timestamp +76 Cleaning up request 3 ID 3 with timestamp +76 Cleaning up request 4 ID 4 with timestamp +76 Cleaning up request 5 ID 5 with timestamp +76 Cleaning up request 6 ID 6 with timestamp +76 Cleaning up request 7 ID 7 with timestamp +76 Cleaning up request 8 ID 8 with timestamp +76 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests. peap-mschapv2-cert-ntlm_auth.conf ================================= # # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123 # # eapol_version=1 # fast_reauth=0 network={ key_mgmt=WPA-EAP eap=PEAP identity="USERNAME" password="PASSWORD" phase2="autheap=MSCHAPV2" # priority=10 ca_cert="/etc/raddb/certs/ca.der" } ca.cnf ====== [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/ca.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/ca.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 3650 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = certificate_authority default_bits = 2048 input_password = inpass output_password = outpass x509_extensions = v3_ca [certificate_authority] countryName = UK stateOrProvinceName = United Kingdom localityName = Bristol organizationName = UWE emailAddress = email@uwe.ac.uk commonName = "UWE Certificate Authority" [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true ================================================================ server.cnf ========== [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 730 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = server default_bits = 2048 input_password = inpass output_password = outpass [server] countryName = UK stateOrProvinceName = United Kingdom localityName = Bristol organizationName = UWE emailAddress = email@uwe.ac.uk commonName = "UWE Server Certificate" ================================================================ client.cnf ========== [ ca ] default_ca = CA_default [ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 730 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match [ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional [ req ] prompt = no distinguished_name = client default_bits = 2048 input_password = inpass output_password = outpass [client] countryName = UK stateOrProvinceName = United Kingdom localityName = Bristol organizationName = UWE emailAddress = email@uwe.ac.uk commonName = "UWE Client Certificate" eap.conf ======== eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = outpass private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
Ciao. We're also facing the same issue, but on a Windows box. We did a quick test using a rather old FR version (1.1.7), on the same PC and using the same certificates, and we get a successful result using eapol_test. We've also followed the steps available in http://wiki.freeradius.org/Certificate_Compatibility. However, no one seems to know the answer/solution to this issue. Just bear in mind I'm new to this project and my ignorance may contribute to ..... you know! Thanks in advance. Sergio.
From: Martin.Ubank@uwe.ac.uk To: freeradius-users@lists.freeradius.org Date: Mon, 24 Oct 2011 11:25:01 +0100 Subject: RADIUS certificate compatibility warning
I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6. I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.
The 'radiusd -X' output finishes with :
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server which is Linux (CentOS).
The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0) OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
I created the certificates using the method decsribed in http://deployingradius.com/documents/configuration/certificates.html
I can supply the full output from the 'eapol_test' command and from 'radiusd -X' but they're too big to include in this email.
Can anyone tell me what I'm doing wrong?
Thanks
Martin.
================================================================
Here are the errors/warnings section from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files & eap.conf:
'eapol_test' errors/warnings ============================
: RADIUS packet matching with station decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25 EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP) TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00 TLS: using phase1 config options OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0) OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-PEAP: Start (server ver=0, own ver=1) EAP-PEAP: Using PEAP version 0 SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect initialization SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client hello A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server hello A SSL: SSL_connect - want more data SSL: 112 bytes pending from ssl_out SSL: 112 bytes left to be sent out (of total 112 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=122) :
'radiusd -X' errors/warnings ============================
: # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: USERNAME [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME [mschap] No NT-Domain was found in the User-Name. [mschap] expand: %{mschap:NT-Domain} -> [mschap] ... expanding second conditional [mschap] expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS [mschap] mschap2: 8a [mschap] Creating challenge hash with username: USERNAME [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822ad f858 Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7 Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7 Exec-Program: returned: 0 [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333 0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9197308e909e2a67190d1c1ddd88b035 [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333 0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9197308e909e2a67190d1c1ddd88b035 [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 8 to 127.0.0.1 port 50462 EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825 807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b Message-Authenticator = 0x00000000000000000000000000000000 State = 0x20754327287c5ad31b57225dabc8b87e Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 0 with timestamp +76 Cleaning up request 1 ID 1 with timestamp +76 Cleaning up request 2 ID 2 with timestamp +76 Cleaning up request 3 ID 3 with timestamp +76 Cleaning up request 4 ID 4 with timestamp +76 Cleaning up request 5 ID 5 with timestamp +76 Cleaning up request 6 ID 6 with timestamp +76 Cleaning up request 7 ID 7 with timestamp +76 Cleaning up request 8 ID 8 with timestamp +76 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests.
peap-mschapv2-cert-ntlm_auth.conf =================================
# # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123 #
# eapol_version=1 # fast_reauth=0
network={ key_mgmt=WPA-EAP eap=PEAP identity="USERNAME" password="PASSWORD" phase2="autheap=MSCHAPV2"
# priority=10
ca_cert="/etc/raddb/certs/ca.der" }
ca.cnf ======
[ ca ] default_ca = CA_default
[ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/ca.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/ca.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 3650 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match
[ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional
[ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
[ req ] prompt = no distinguished_name = certificate_authority default_bits = 2048 input_password = inpass output_password = outpass x509_extensions = v3_ca
[certificate_authority] countryName = UK stateOrProvinceName = United Kingdom localityName = Bristol organizationName = UWE emailAddress = email@uwe.ac.uk commonName = "UWE Certificate Authority"
[v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true
================================================================
server.cnf ==========
[ ca ] default_ca = CA_default
[ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 730 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match
[ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional
[ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
[ req ] prompt = no distinguished_name = server default_bits = 2048 input_password = inpass output_password = outpass
[server] countryName = UK stateOrProvinceName = United Kingdom localityName = Bristol organizationName = UWE emailAddress = email@uwe.ac.uk commonName = "UWE Server Certificate"
================================================================
client.cnf ==========
[ ca ] default_ca = CA_default
[ CA_default ] dir = ./ certs = $dir crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir certificate = $dir/server.pem serial = $dir/serial crl = $dir/crl.pem private_key = $dir/server.key RANDFILE = $dir/.rand name_opt = ca_default cert_opt = ca_default default_days = 730 default_crl_days = 30 default_md = sha1 preserve = no policy = policy_match
[ policy_match ] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional
[ policy_anything ] countryName = optional stateOrProvinceName = optional localityName = optional organizationName = optional organizationalUnitName = optional commonName = supplied emailAddress = optional
[ req ] prompt = no distinguished_name = client default_bits = 2048 input_password = inpass output_password = outpass
[client] countryName = UK stateOrProvinceName = United Kingdom localityName = Bristol organizationName = UWE emailAddress = email@uwe.ac.uk commonName = "UWE Client Certificate"
eap.conf ========
eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = outpass private_key_file = ${certdir}/server.pem certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" cache { enable = no max_entries = 255 } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } }
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Sergio NNX wrote:
Ciao.
We're also facing the same issue, but on a Windows box. We did a quick test using a rather old FR version (1.1.7), on the same PC and using the same certificates, and we get a successful result using eapol_test.
Please send the debug output for 1.1.7 && the version you're running. If you find an issue, it helps to know more than "it doesn't work" Alan DeKok.
Hello i have a similar Problem, my radiusd-X output looks like # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "cgm\tbo", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Got NOTIFICATION, Ignoring the packet [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [peap] Got tunneled reply code 3 [peap] Got tunneled reply RADIUS code 3 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] returns handled Sending Access-Challenge of id 244 to 10.0.36.41 port 3072 EAP-Message = 0x010a002b19001703010020e019fc95e209627352b29edd33d227d443a15aeecd787493059b5566efab092e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x63acb9bd6ba6a03bf05f3a0c0d7486f9 Finished request 8. Going to the next request Waking up in 2.8 seconds. Cleaning up request 0 ID 11 with timestamp +27 Cleaning up request 1 ID 54 with timestamp +27 Cleaning up request 2 ID 89 with timestamp +27 Cleaning up request 3 ID 149 with timestamp +27 Cleaning up request 4 ID 250 with timestamp +27 Waking up in 2.1 seconds. Cleaning up request 5 ID 0 with timestamp +29 Cleaning up request 6 ID 238 with timestamp +29 Cleaning up request 7 ID 158 with timestamp +29 Cleaning up request 8 ID 244 with timestamp +29 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x63acb9bd6ba6a03b did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -- View this message in context: http://freeradius.1045715.n5.nabble.com/RADIUS-certificate-compatibility-war... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Thomas Brighton wrote:
Hello i have a similar Problem, my radiusd-X output looks like
# Executing section authorize from file ... +- entering group authenticate {...} [eap] Got NOTIFICATION, Ignoring the packet
Well, that's stupid. I don't recall seeing that before. EAP notifications inside of the PEAP tunnel? The PC is doing something wrong. It's sending the wrong data in the tunnel. What software / OS / etc. is it running? Alan DeKok.
On 24 Oct 2011, at 16:19, Alan DeKok wrote:
Thomas Brighton wrote:
Hello i have a similar Problem, my radiusd-X output looks like
# Executing section authorize from file ... +- entering group authenticate {...} [eap] Got NOTIFICATION, Ignoring the packet
Well, that's stupid. I don't recall seeing that before. EAP notifications inside of the PEAP tunnel?
The PC is doing something wrong. It's sending the wrong data in the tunnel.
What software / OS / etc. is it running?
Could you include the request EAP-Message so we can see what the Notification actually was (it's meant to be humanly readable...) -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
On 24 Oct 2011, at 16:19, Alan DeKok wrote:
Thomas Brighton wrote:
Hello i have a similar Problem, my radiusd-X output looks like
# Executing section authorize from file ... +- entering group authenticate {...} [eap] Got NOTIFICATION, Ignoring the packet
Well, that's stupid. I don't recall seeing that before. EAP notifications inside of the PEAP tunnel?
The PC is doing something wrong. It's sending the wrong data in the tunnel.
What software / OS / etc. is it running?
Could you include the request EAP-Message so we can see what the Notification actually was (it's >meant to be humanly readable...)
-Arran
Arran Cudbard-Bell a.cudbardb@
Hey, thanks for your reply, I spent about 3 hours on reading debugging outputs an 1 Minute before I will post it to you I thought "let's restart the Server" and "plop everything works fine. -- View this message in context: http://freeradius.1045715.n5.nabble.com/RADIUS-certificate-compatibility-war... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Martin Ubank wrote:
The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Fix that and it should work.
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
I created the certificates using the method decsribed in http://deployingradius.com/documents/configuration/certificates.html
It works for me... Alan DeKok.
Thanks for your reply.
The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Fix that and it should work.
Understood. By enclosing my .cnf files, I was hoping someone on the list might point out what I'd done wrong.
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
I created the certificates using the method decsribed in http://deployingradius.com/documents/configuration/certificates.html
It works for me...
Can you supply the content of the .cnf files you used (obviously with site information disguised) to deplot FreeRADIUS so I can compare? Any assistance gratefully received. Cheers Martin.
Martin Ubank wrote:
Understood. By enclosing my .cnf files, I was hoping someone on the list might point out what I'd done wrong.
Honestly... I don't read that stuff. It's OpenSSL magic that I try to avoid.
Can you supply the content of the .cnf files you used (obviously with site information disguised) to deplot FreeRADIUS so I can compare?
I work with the cnf files distributed with the server. I change 2-3 fields (subject, name, location), and it works for me. Alan DeKok.
Martin Ubank wrote:
The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Fix that and it should work.
I've not been able to fix it yet. The Openssl-Users list hasn't been able to suggest anything. I am running 'eapol_test -c test.conf -s testing123' from the CentOS VM on which FreeRadius is installed. test.conf contains: # # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123 # # eapol_version=1 # fast_reauth=0 network={ key_mgmt=WPA-EAP eap=PEAP identity="USERNAME" # anonymous_identity="anonymous" password="PASSWORD" phase2="autheap=MSCHAPV2" # priority=10 # # Uncomment the following to perform server certificate validation. ca_cert="/etc/raddb/certs/ca.der" } /etc/raddb/certs/ca.der was created by running 'make' which, I believe, executes the 'bootstrap' script. The 'bootstrap' script contains: #!/bin/sh # # This is a wrapper script to create default certificates when the # server first starts in debugging mode. Once the certificates have been # created, this file should be deleted. # # Ideally, this program should be run as part of the installation of any # binary package. The installation should also ensure that the permissions # and owners are correct for the files generated by this script. # # $Id$ # umask 027 cd `dirname $0` make -h > /dev/null 2>&1 # # If we have a working "make", then use it. Otherwise, run the commands # manually. # if [ "$?" = "0" ]; then make all exit $? fi # # The following commands were created by running "make -n", and edited # to remove the trailing backslash, and to add "exit 1" after the commands. # # Don't edit the following text. Instead, edit the Makefile, and # re-generate these commands. # if [ ! -f dh ]; then openssl dhparam -out dh 1024 || exit 1 if [ -e /dev/urandom ] ; then dd if=/dev/urandom of=./random count=10 >/dev/null 2>&1; else date > ./random; fi fi if [ ! -f server.key ]; then openssl req -new -out server.csr -keyout server.key -config ./server.cnf || exit 1 fi if [ ! -f ca.key ]; then openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1 fi if [ ! -f index.txt ]; then touch index.txt fi if [ ! -f serial ]; then echo '01' > serial fi if [ ! -f server.crt ]; then openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` - out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1 fi if [ ! -f server.p12 ]; then openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:`grep output_password server.cnf | se d 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 fi if [ ! -f server.pem ]; then openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passo ut pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1 fi if [ ! -f ca.der ]; then openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1 fi if [ ! -f client.key ]; then openssl req -new -out client.csr -keyout client.key -config ./client.cnf fi if [ ! -f client.crt ]; then openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` - out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf fi
From this script, I understand that: ca.der is created by 'openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der'; ca.key & ca.pem are created by 'openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf'.
So, how does FreeRadius expect to load the root certificate from ca.der? If it can't, then what file should be in the ca_cert directive in my test.conf file? Or, is 'eapol_test' not the correct way to test "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP"? In which case, how should I test it? Thanks for any help anyone can give. Let me know if any more information would be useful. Martin.
Martin Ubank wrote:
Martin Ubank wrote:
The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.: OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
Fix that and it should work.
I've not been able to fix it yet. The Openssl-Users list hasn't been able to suggest anything.
I am running 'eapol_test -c test.conf -s testing123' from the CentOS VM on which FreeRadius is installed.
If it's an error from eapol_test, ask on the hostap list. I really don't know enough about OpenSSL to say more.
The 'bootstrap' script contains:
Yes... we know.
From this script, I understand that: ca.der is created by 'openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der'; ca.key & ca.pem are created by 'openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf'.
So, how does FreeRadius expect to load the root certificate from ca.der?
It uses OpenSSL/
If it can't, then what file should be in the ca_cert directive in my test.conf file?
No idea.
Or, is 'eapol_test' not the correct way to test "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP"?
It is one way to test. In 2.1.12, you can use radclient to send MS-CHAP packets to the server. See raddb/sites-available/inner-tunnel Alan DeKok.
On Fri, Oct 28, 2011 at 5:50 PM, Martin Ubank <Martin.Ubank@uwe.ac.uk> wrote:
I've not been able to fix it yet. The Openssl-Users list hasn't been able to suggest anything.
I am running 'eapol_test -c test.conf -s testing123' from the CentOS VM on which FreeRadius is installed.
Could you please send me the full output of the eapol_test run? Without that, it is very difficult to try to figure out what could have happened. For example, the excerpt you included in the beginning of this thread seemed to be conveniently cut just before the actual failure would show up. - Jouni
Hi,
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
permissions of the /etc/raddb/certs/ directory? can eapol_test (which is a fine tool for checking EAP methods - eg for your ntlm_auth with MSCHAPv2) read the cert? is FreeRADIUS configured to read the cert? you can also point a basic tool such as radtest to the inner-tunnel port listener to check the workings of what would happen once the client has negotiated an EAP tunnel alan
participants (7)
-
Alan Buxey -
Alan DeKok -
Arran Cudbard-Bell -
Jouni Malinen -
Martin Ubank -
Sergio NNX -
Thomas Brighton