EAP-TLS default config
Hello, I started to learn network authentication and I want to setup a litle poc with Freeradius and EAP-TLS. I have previously tested my working configuration with the bob user as in the freeradius docker example. I use freeradius docker image https://hub.docker.com/r/freeradius/freeradius-server/ in a container. The configs files have been extracted to be configured in my host system and mounted at container's start. I have follow this tutorial for the radiusd.conf file : https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-Se... As I use the container's default keys, the user file is just a line : user@example.org Auth-Type := EAP, EAP-Type := EAP-TLS On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X. The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it. The username I use on the phone side is "user@example.org", the domain is "example.org". When I click on connect on my phone, I get an access reject as shown in the debug output below. I wanted to know if I am doing wrong somewhere and possibly where ? (Freeradius Version 3.2.0) (0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812 length 212 (0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb (0) Service-Type = Framed-User (0) User-Name = "user@example.org" (0) Framed-MTU = 1488 (0) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (0) Calling-Station-Id = "22-85-59-7C-27-7A" (0) NAS-Identifier = "D-Link Access Point" (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 54Mbps 802.11g" (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (0) NAS-IP-Address = 10.17.30.60 (0) NAS-Port = 1 (0) NAS-Port-Id = "STA port # 1" (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (0) suffix: No such realm "example.org" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 21 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 1 length 6 (0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061 length 64 (0) EAP-Message = 0x010100060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xbced3a8cbcec37005a032dcfba50bf3a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812 length 215 (1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5 (1) Service-Type = Framed-User (1) User-Name = "user@example.org" (1) Framed-MTU = 1488 (1) State = 0xbced3a8cbcec37005a032dcfba50bf3a (1) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (1) Calling-Station-Id = "22-85-59-7C-27-7A" (1) NAS-Identifier = "D-Link Access Point" (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 54Mbps 802.11g" (1) EAP-Message = 0x020100060300 (1) NAS-IP-Address = 10.17.30.60 (1) NAS-Port = 1 (1) NAS-Port-Id = "STA port # 1" (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (1) suffix: No such realm "example.org" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry user@example.org at line 2 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xbced3a8cbcec3700 (1) eap: Finished EAP session with state 0xbced3a8cbcec3700 (1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Peer NAK'd indicating it is not willing to continue (1) eap: Sending EAP Failure (code 4) ID 1 length 4 (1) eap: Failed in EAP select (1) [eap] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> user@example.org (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061 length 44 (1) EAP-Message = 0x04010004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812 length 212 (2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04 (2) Service-Type = Framed-User (2) User-Name = "user@example.org" (2) Framed-MTU = 1488 (2) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (2) Calling-Station-Id = "22-85-59-7C-27-7A" (2) NAS-Identifier = "D-Link Access Point" (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 54Mbps 802.11g" (2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (2) NAS-IP-Address = 10.17.30.60 (2) NAS-Port = 1 (2) NAS-Port-Id = "STA port # 1" (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (2) suffix: No such realm "example.org" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 0 length 21 (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Peer sent packet with method EAP Identity (1) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) Initiating new session (2) eap_tls: (TLS) Setting verify mode to require certificate from client (2) eap: Sending EAP Request (code 1) ID 1 length 6 (2) eap: EAP session adding &reply:State = 0x61a7200961a62df0 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063 length 64 (2) EAP-Message = 0x010100060d20 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x61a7200961a62df0743c98b3a07aed8f (2) Finished request Waking up in 1.9 seconds. (3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812 length 215 (3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94 (3) Service-Type = Framed-User (3) User-Name = "user@example.org" (3) Framed-MTU = 1488 (3) State = 0x61a7200961a62df0743c98b3a07aed8f (3) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (3) Calling-Station-Id = "22-85-59-7C-27-7A" (3) NAS-Identifier = "D-Link Access Point" (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 54Mbps 802.11g" (3) EAP-Message = 0x020100060300 (3) NAS-IP-Address = 10.17.30.60 (3) NAS-Port = 1 (3) NAS-Port-Id = "STA port # 1" (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (3) suffix: No such realm "example.org" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 1 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) files: users: Matched entry user@example.org at line 2 (3) [files] = ok (3) [expiration] = noop (3) [logintime] = noop Not doing PAP as Auth-Type is already set. (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x61a7200961a62df0 (3) eap: Finished EAP session with state 0x61a7200961a62df0 (3) eap: Previous EAP request found for state 0x61a7200961a62df0, released from the list (3) eap: Peer sent packet with method EAP NAK (3) (3) eap: Peer NAK'd indicating it is not willing to continue (3) eap: Sending EAP Failure (code 4) ID 1 length 4 (3) eap: Failed in EAP select (3) [eap] = invalid (3) } # authenticate = invalid (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> user@example.org (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063 length 44 (3) EAP-Message = 0x04010004 (3) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.8 seconds. (0) Cleaning up request packet ID 0 with timestamp +74 due to cleanup_delay was reached (1) Cleaning up request packet ID 1 with timestamp +74 due to cleanup_delay was reached Waking up in 3.0 seconds. (4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812 length 212 (4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100 (4) Service-Type = Framed-User (4) User-Name = "user@example.org" (4) Framed-MTU = 1488 (4) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (4) Calling-Station-Id = "22-85-59-7C-27-7A" (4) NAS-Identifier = "D-Link Access Point" (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 54Mbps 802.11g" (4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (4) NAS-IP-Address = 10.17.30.60 (4) NAS-Port = 1 (4) NAS-Port-Id = "STA port # 1" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (4) suffix: No such realm "example.org" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 0 length 21 (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Peer sent packet with method EAP Identity (1) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) Initiating new session (4) eap_tls: (TLS) Setting verify mode to require certificate from client (4) eap: Sending EAP Request (code 1) ID 1 length 6 (4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065 length 64 (4) EAP-Message = 0x010100060d20 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x10b8d47310b9d97a65ed29a95486330e (4) Finished request Waking up in 1.8 seconds. (5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812 length 215 (5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61 (5) Service-Type = Framed-User (5) User-Name = "user@example.org" (5) Framed-MTU = 1488 (5) State = 0x10b8d47310b9d97a65ed29a95486330e (5) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (5) Calling-Station-Id = "22-85-59-7C-27-7A" (5) NAS-Identifier = "D-Link Access Point" (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 54Mbps 802.11g" (5) EAP-Message = 0x020100060300 (5) NAS-IP-Address = 10.17.30.60 (5) NAS-Port = 1 (5) NAS-Port-Id = "STA port # 1" (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (5) suffix: No such realm "example.org" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 1 length 6 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) files: users: Matched entry user@example.org at line 2 (5) [files] = ok (5) [expiration] = noop (5) [logintime] = noop Not doing PAP as Auth-Type is already set. (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x10b8d47310b9d97a (5) eap: Finished EAP session with state 0x10b8d47310b9d97a (5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released from the list (5) eap: Peer sent packet with method EAP NAK (3) (5) eap: Peer NAK'd indicating it is not willing to continue (5) eap: Sending EAP Failure (code 4) ID 1 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> user@example.org (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065 length 44 (5) EAP-Message = 0x04010004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.8 seconds. (2) Cleaning up request packet ID 0 with timestamp +77 due to cleanup_delay was reached (3) Cleaning up request packet ID 1 with timestamp +77 due to cleanup_delay was reached Waking up in 3.1 seconds. (4) Cleaning up request packet ID 0 with timestamp +80 due to cleanup_delay was reached (5) Cleaning up request packet ID 1 with timestamp +80 due to cleanup_delay was reached Ready to process requests Thanks, Clément Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur par e-mail. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. Les communications sur Internet n'etant pas securisees, l'expediteur informe qu'il ne peut accepter aucune responsabilite quant au contenu de ce message. This mail message and attachments (the "message") are solely intended for the addresses. It is confidential in nature. If you receive this message in error, please delete it and immediately notify the sender by e-mail. Any use other than its intended purpose, dissemination or disclosure, either whole or partial, is prohibited except if formal approval is granted. As communication on the Internet is not secure, the sender does not accept responsibility for the content of this message.
On Feb 28, 2023, at 5:44 AM, clement.legoffic@kelio.com wrote:
... On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X. The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it. ... (5) eap: Peer NAK'd indicating it is not willing to continue
The android phone is not configured to do EAP-TLS. Alan DeKok.
I change the end device and now it works. Thanks ! Clément De : Freeradius-Users <freeradius-users-bounces+clement.legoffic=kelio.com@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 28 février 2023 15:32 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: EAP-TLS default config On Feb 28, 2023, at 5:44 AM, clement.legoffic@kelio.com wrote:
... On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X. The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it. ... (5) eap: Peer NAK'd indicating it is not willing to continue
The android phone is not configured to do EAP-TLS. Alan DeKok.
The android phone is not configured to do EAP-TLS.
Hello, I have manage to setup 2 different android device to connect to my 802.1X network. The "user" certs are installed in each device. When I initiate the EAP-TLS I get the below debug output. The EAP-TLS communication seems to works well, but the communication is end up due to internal error. I have not figured out how to manage this error. Does I need to change my TLS version ? What exactly the debug output means here : "eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error" Full output : Ready to process requests (30) Received Access-Request Id 0 from 10.17.30.60:1197 to 172.17.0.2:1812 length 212 (30) Message-Authenticator = 0xa6ec9e72ad06b4bad0c1728ed82b339c (30) Service-Type = Framed-User (30) User-Name = "user@example.org" (30) Framed-MTU = 1488 (30) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (30) Calling-Station-Id = "72-87-6D-9E-D2-0F" (30) NAS-Identifier = "D-Link Access Point" (30) NAS-Port-Type = Wireless-802.11 (30) Connect-Info = "CONNECT 54Mbps 802.11g" (30) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (30) NAS-IP-Address = 10.17.30.60 (30) NAS-Port = 1 (30) NAS-Port-Id = "STA port # 1" (30) # Executing section authorize from file /etc/freeradius/sites-enabled/default (30) authorize { (30) policy filter_username { (30) if (&User-Name) { (30) if (&User-Name) -> TRUE (30) if (&User-Name) { (30) if (&User-Name =~ / /) { (30) if (&User-Name =~ / /) -> FALSE (30) if (&User-Name =~ /@[^@]*@/ ) { (30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (30) if (&User-Name =~ /\.\./ ) { (30) if (&User-Name =~ /\.\./ ) -> FALSE (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (30) if (&User-Name =~ /\.$/) { (30) if (&User-Name =~ /\.$/) -> FALSE (30) if (&User-Name =~ /@\./) { (30) if (&User-Name =~ /@\./) -> FALSE (30) } # if (&User-Name) = notfound (30) } # policy filter_username = notfound (30) [preprocess] = ok (30) [chap] = noop (30) [mschap] = noop (30) [digest] = noop (30) suffix: Checking for suffix after "@" (30) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (30) suffix: No such realm "example.org" (30) [suffix] = noop (30) eap: Peer sent EAP Response (code 2) ID 0 length 21 (30) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (30) [eap] = ok (30) } # authorize = ok (30) Found Auth-Type = eap (30) # Executing group from file /etc/freeradius/sites-enabled/default (30) authenticate { (30) eap: Peer sent packet with method EAP Identity (1) (30) eap: Calling submodule eap_tls to process data (30) eap_tls: (TLS) Initiating new session (30) eap_tls: (TLS) Setting verify mode to require certificate from client (30) eap: Sending EAP Request (code 1) ID 1 length 6 (30) eap: EAP session adding &reply:State = 0x6504b08b6505bd57 (30) [eap] = handled (30) } # authenticate = handled (30) Using Post-Auth-Type Challenge (30) # Executing group from file /etc/freeradius/sites-enabled/default (30) Challenge { ... } # empty sub-section is ignored (30) session-state: Saving cached attributes (30) Framed-MTU = 994 (30) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1197 length 64 (30) EAP-Message = 0x010100060d20 (30) Message-Authenticator = 0x00000000000000000000000000000000 (30) State = 0x6504b08b6505bd57d78f3f37308b4458 (30) Finished request Waking up in 4.9 seconds. (31) Received Access-Request Id 1 from 10.17.30.60:1197 to 172.17.0.2:1812 length 346 (31) Message-Authenticator = 0xaa9a768bc1bc6b1a26a9031785c2e3b4 (31) Service-Type = Framed-User (31) User-Name = "user@example.org" (31) Framed-MTU = 1488 (31) State = 0x6504b08b6505bd57d78f3f37308b4458 (31) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (31) Calling-Station-Id = "72-87-6D-9E-D2-0F" (31) NAS-Identifier = "D-Link Access Point" (31) NAS-Port-Type = Wireless-802.11 (31) Connect-Info = "CONNECT 54Mbps 802.11g" (31) EAP-Message = 0x020100890d00160301007e0100007a0303e44ff5fb591c7700c7a3ae0c54b2f8bd7989a300554ac911a84733b16d1e652700001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201 (31) NAS-IP-Address = 10.17.30.60 (31) NAS-Port = 1 (31) NAS-Port-Id = "STA port # 1" (31) Restoring &session-state (31) &session-state:Framed-MTU = 994 (31) # Executing section authorize from file /etc/freeradius/sites-enabled/default (31) authorize { (31) policy filter_username { (31) if (&User-Name) { (31) if (&User-Name) -> TRUE (31) if (&User-Name) { (31) if (&User-Name =~ / /) { (31) if (&User-Name =~ / /) -> FALSE (31) if (&User-Name =~ /@[^@]*@/ ) { (31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (31) if (&User-Name =~ /\.\./ ) { (31) if (&User-Name =~ /\.\./ ) -> FALSE (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (31) if (&User-Name =~ /\.$/) { (31) if (&User-Name =~ /\.$/) -> FALSE (31) if (&User-Name =~ /@\./) { (31) if (&User-Name =~ /@\./) -> FALSE (31) } # if (&User-Name) = notfound (31) } # policy filter_username = notfound (31) [preprocess] = ok (31) [chap] = noop (31) [mschap] = noop (31) [digest] = noop (31) suffix: Checking for suffix after "@" (31) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (31) suffix: No such realm "example.org" (31) [suffix] = noop (31) eap: Peer sent EAP Response (code 2) ID 1 length 137 (31) eap: No EAP Start, assuming it's an on-going EAP conversation (31) [eap] = updated (31) files: users: Matched entry user@example.org at line 2 (31) [files] = ok (31) [expiration] = noop (31) [logintime] = noop (31) [pap] = noop (31) } # authorize = updated (31) Found Auth-Type = eap (31) # Executing group from file /etc/freeradius/sites-enabled/default (31) authenticate { (31) eap: Expiring EAP session with state 0x6504b08b6505bd57 (31) eap: Finished EAP session with state 0x6504b08b6505bd57 (31) eap: Previous EAP request found for state 0x6504b08b6505bd57, released from the list (31) eap: Peer sent packet with method EAP TLS (13) (31) eap: Calling submodule eap_tls to process data (31) eap_tls: (TLS) EAP Got final fragment (131 bytes) (31) eap_tls: WARNING: (TLS) EAP Total received record fragments (131 bytes), does not equal expected expected data length (0 bytes) (31) eap_tls: (TLS) EAP Done initial handshake (31) eap_tls: (TLS) Handshake state - before SSL initialization (31) eap_tls: (TLS) Handshake state - Server before SSL initialization (31) eap_tls: (TLS) Handshake state - Server before SSL initialization (31) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (31) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (31) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (31) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (31) eap_tls: (TLS) In Handshake Phase (31) eap: Sending EAP Request (code 1) ID 2 length 1004 (31) eap: EAP session adding &reply:State = 0x6504b08b6406bd57 (31) [eap] = handled (31) } # authenticate = handled (31) Using Post-Auth-Type Challenge (31) # Executing group from file /etc/freeradius/sites-enabled/default (31) Challenge { ... } # empty sub-section is ignored (31) session-state: Saving cached attributes (31) Framed-MTU = 994 (31) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (31) Sent Access-Challenge Id 1 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1068 (31) EAP-Message = 0x010203ec0dc000000b97160303003d020000390303f29f622d180458fa14a91132f177a4d8ef046372693508507424cb1c54c0034700c02f000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3233303232383135353035395a170d3233303432393135353035395a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (31) Message-Authenticator = 0x00000000000000000000000000000000 (31) State = 0x6504b08b6406bd57d78f3f37308b4458 (31) Finished request Waking up in 4.9 seconds. (32) Received Access-Request Id 2 from 10.17.30.60:1197 to 172.17.0.2:1812 length 215 (32) Message-Authenticator = 0x5fe578dcf59a3710251051f46ad445c3 (32) Service-Type = Framed-User (32) User-Name = "user@example.org" (32) Framed-MTU = 1488 (32) State = 0x6504b08b6406bd57d78f3f37308b4458 (32) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (32) Calling-Station-Id = "72-87-6D-9E-D2-0F" (32) NAS-Identifier = "D-Link Access Point" (32) NAS-Port-Type = Wireless-802.11 (32) Connect-Info = "CONNECT 54Mbps 802.11g" (32) EAP-Message = 0x020200060d00 (32) NAS-IP-Address = 10.17.30.60 (32) NAS-Port = 1 (32) NAS-Port-Id = "STA port # 1" (32) Restoring &session-state (32) &session-state:Framed-MTU = 994 (32) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (32) # Executing section authorize from file /etc/freeradius/sites-enabled/default (32) authorize { (32) policy filter_username { (32) if (&User-Name) { (32) if (&User-Name) -> TRUE (32) if (&User-Name) { (32) if (&User-Name =~ / /) { (32) if (&User-Name =~ / /) -> FALSE (32) if (&User-Name =~ /@[^@]*@/ ) { (32) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (32) if (&User-Name =~ /\.\./ ) { (32) if (&User-Name =~ /\.\./ ) -> FALSE (32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (32) if (&User-Name =~ /\.$/) { (32) if (&User-Name =~ /\.$/) -> FALSE (32) if (&User-Name =~ /@\./) { (32) if (&User-Name =~ /@\./) -> FALSE (32) } # if (&User-Name) = notfound (32) } # policy filter_username = notfound (32) [preprocess] = ok (32) [chap] = noop (32) [mschap] = noop (32) [digest] = noop (32) suffix: Checking for suffix after "@" (32) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (32) suffix: No such realm "example.org" (32) [suffix] = noop (32) eap: Peer sent EAP Response (code 2) ID 2 length 6 (32) eap: No EAP Start, assuming it's an on-going EAP conversation (32) [eap] = updated (32) files: users: Matched entry user@example.org at line 2 (32) [files] = ok (32) [expiration] = noop (32) [logintime] = noop (32) [pap] = noop (32) } # authorize = updated (32) Found Auth-Type = eap (32) # Executing group from file /etc/freeradius/sites-enabled/default (32) authenticate { (32) eap: Expiring EAP session with state 0x6504b08b6406bd57 (32) eap: Finished EAP session with state 0x6504b08b6406bd57 (32) eap: Previous EAP request found for state 0x6504b08b6406bd57, released from the list (32) eap: Peer sent packet with method EAP TLS (13) (32) eap: Calling submodule eap_tls to process data (32) eap_tls: (TLS) Peer ACKed our handshake fragment (32) eap: Sending EAP Request (code 1) ID 3 length 1004 (32) eap: EAP session adding &reply:State = 0x6504b08b6707bd57 (32) [eap] = handled (32) } # authenticate = handled (32) Using Post-Auth-Type Challenge (32) # Executing group from file /etc/freeradius/sites-enabled/default (32) Challenge { ... } # empty sub-section is ignored (32) session-state: Saving cached attributes (32) Framed-MTU = 994 (32) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (32) Sent Access-Challenge Id 2 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1068 (32) EAP-Message = 0x010303ec0dc000000b9739c511820dffd845488537b44057b4d4dd85d5e6e6eae53d369feaecb50fb2b8d8c5ccb0e795e8c868228f4f8b9910ba0f7ed2a047c098c98325f80e264ba86c53948ade85d1ffdf010886fec27ab99731041848b33a1da630279b4ebc265bfcfa1aef22cf2172d15cfcc80b6b3f01b3bec3b98cbe678abd92da4e4c2d625de911912ccc123df90b98465ffa6dc9ea6d0a42b65e8a416b51a18881d3a321e060ea9e1ce9fc94aef76f0004fe308204fa308203e2a0030201020214063c2615870dc518cfe2e2bba0164fd660669d24300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175 (32) Message-Authenticator = 0x00000000000000000000000000000000 (32) State = 0x6504b08b6707bd57d78f3f37308b4458 (32) Finished request Waking up in 4.9 seconds. (33) Received Access-Request Id 3 from 10.17.30.60:1197 to 172.17.0.2:1812 length 215 (33) Message-Authenticator = 0xe065dbb565280ef42143f9d09f9952e6 (33) Service-Type = Framed-User (33) User-Name = "user@example.org" (33) Framed-MTU = 1488 (33) State = 0x6504b08b6707bd57d78f3f37308b4458 (33) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (33) Calling-Station-Id = "72-87-6D-9E-D2-0F" (33) NAS-Identifier = "D-Link Access Point" (33) NAS-Port-Type = Wireless-802.11 (33) Connect-Info = "CONNECT 54Mbps 802.11g" (33) EAP-Message = 0x020300060d00 (33) NAS-IP-Address = 10.17.30.60 (33) NAS-Port = 1 (33) NAS-Port-Id = "STA port # 1" (33) Restoring &session-state (33) &session-state:Framed-MTU = 994 (33) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (33) # Executing section authorize from file /etc/freeradius/sites-enabled/default (33) authorize { (33) policy filter_username { (33) if (&User-Name) { (33) if (&User-Name) -> TRUE (33) if (&User-Name) { (33) if (&User-Name =~ / /) { (33) if (&User-Name =~ / /) -> FALSE (33) if (&User-Name =~ /@[^@]*@/ ) { (33) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (33) if (&User-Name =~ /\.\./ ) { (33) if (&User-Name =~ /\.\./ ) -> FALSE (33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (33) if (&User-Name =~ /\.$/) { (33) if (&User-Name =~ /\.$/) -> FALSE (33) if (&User-Name =~ /@\./) { (33) if (&User-Name =~ /@\./) -> FALSE (33) } # if (&User-Name) = notfound (33) } # policy filter_username = notfound (33) [preprocess] = ok (33) [chap] = noop (33) [mschap] = noop (33) [digest] = noop (33) suffix: Checking for suffix after "@" (33) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (33) suffix: No such realm "example.org" (33) [suffix] = noop (33) eap: Peer sent EAP Response (code 2) ID 3 length 6 (33) eap: No EAP Start, assuming it's an on-going EAP conversation (33) [eap] = updated (33) files: users: Matched entry user@example.org at line 2 (33) [files] = ok (33) [expiration] = noop (33) [logintime] = noop (33) [pap] = noop (33) } # authorize = updated (33) Found Auth-Type = eap (33) # Executing group from file /etc/freeradius/sites-enabled/default (33) authenticate { (33) eap: Expiring EAP session with state 0x6504b08b6707bd57 (33) eap: Finished EAP session with state 0x6504b08b6707bd57 (33) eap: Previous EAP request found for state 0x6504b08b6707bd57, released from the list (33) eap: Peer sent packet with method EAP TLS (13) (33) eap: Calling submodule eap_tls to process data (33) eap_tls: (TLS) Peer ACKed our handshake fragment (33) eap: Sending EAP Request (code 1) ID 4 length 989 (33) eap: EAP session adding &reply:State = 0x6504b08b6600bd57 (33) [eap] = handled (33) } # authenticate = handled (33) Using Post-Auth-Type Challenge (33) # Executing group from file /etc/freeradius/sites-enabled/default (33) Challenge { ... } # empty sub-section is ignored (33) session-state: Saving cached attributes (33) Framed-MTU = 994 (33) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (33) Sent Access-Challenge Id 3 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1053 (33) EAP-Message = 0x010403dd0d8000000b9778616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f726974798214063c2615870dc518cfe2e2bba0164fd660669d24300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100cf68f241d458b89c56759bf85344b58cd5f746d473a8875a2ad387ba29119f9ef2259377f107fff5f9779ca759bf5b4c7880fb10e3d7df34d5bf5bccabd8d392aa0d436251debc1059dab3172be448379a5e7d3c06e3c67db7b55212a6ce7ea3f0ce5d9c5a2eb3a2f29c45a8ebbd4bc9c0d367ffa8a0b4e482d0f767954cf8f9e155b5f285146d835b8a70bedc2180957ac217160d10b74ae6db16ef51834baa6fa6f957d0 (33) Message-Authenticator = 0x00000000000000000000000000000000 (33) State = 0x6504b08b6600bd57d78f3f37308b4458 (33) Finished request Waking up in 4.9 seconds. (34) Received Access-Request Id 4 from 10.17.30.60:1197 to 172.17.0.2:1812 length 222 (34) Message-Authenticator = 0xb2905e57775d4e42a7e828a09212dcde (34) Service-Type = Framed-User (34) User-Name = "user@example.org" (34) Framed-MTU = 1488 (34) State = 0x6504b08b6600bd57d78f3f37308b4458 (34) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (34) Calling-Station-Id = "72-87-6D-9E-D2-0F" (34) NAS-Identifier = "D-Link Access Point" (34) NAS-Port-Type = Wireless-802.11 (34) Connect-Info = "CONNECT 54Mbps 802.11g" (34) EAP-Message = 0x0204000d0d0015030300020250 (34) NAS-IP-Address = 10.17.30.60 (34) NAS-Port = 1 (34) NAS-Port-Id = "STA port # 1" (34) Restoring &session-state (34) &session-state:Framed-MTU = 994 (34) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (34) # Executing section authorize from file /etc/freeradius/sites-enabled/default (34) authorize { (34) policy filter_username { (34) if (&User-Name) { (34) if (&User-Name) -> TRUE (34) if (&User-Name) { (34) if (&User-Name =~ / /) { (34) if (&User-Name =~ / /) -> FALSE (34) if (&User-Name =~ /@[^@]*@/ ) { (34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (34) if (&User-Name =~ /\.\./ ) { (34) if (&User-Name =~ /\.\./ ) -> FALSE (34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (34) if (&User-Name =~ /\.$/) { (34) if (&User-Name =~ /\.$/) -> FALSE (34) if (&User-Name =~ /@\./) { (34) if (&User-Name =~ /@\./) -> FALSE (34) } # if (&User-Name) = notfound (34) } # policy filter_username = notfound (34) [preprocess] = ok (34) [chap] = noop (34) [mschap] = noop (34) [digest] = noop (34) suffix: Checking for suffix after "@" (34) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (34) suffix: No such realm "example.org" (34) [suffix] = noop (34) eap: Peer sent EAP Response (code 2) ID 4 length 13 (34) eap: No EAP Start, assuming it's an on-going EAP conversation (34) [eap] = updated (34) files: users: Matched entry user@example.org at line 2 (34) [files] = ok (34) [expiration] = noop (34) [logintime] = noop (34) [pap] = noop (34) } # authorize = updated (34) Found Auth-Type = eap (34) # Executing group from file /etc/freeradius/sites-enabled/default (34) authenticate { (34) eap: Expiring EAP session with state 0x6504b08b6600bd57 (34) eap: Finished EAP session with state 0x6504b08b6600bd57 (34) eap: Previous EAP request found for state 0x6504b08b6600bd57, released from the list (34) eap: Peer sent packet with method EAP TLS (13) (34) eap: Calling submodule eap_tls to process data (34) eap_tls: (TLS) EAP Done initial handshake (34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error (34) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange. (34) eap_tls: ERROR: (TLS) Alert read:fatal:internal error (34) eap_tls: (TLS) Server : Need to read more data: error (34) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error (34) eap_tls: (TLS) In Handshake Phase (34) eap_tls: (TLS) Application data. (34) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving. (34) eap_tls: ERROR: [eaptls process] = fail (34) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (34) eap: Sending EAP Failure (code 4) ID 4 length 4 (34) eap: Failed in EAP select (34) [eap] = invalid (34) } # authenticate = invalid (34) Failed to authenticate the user (34) Using Post-Auth-Type Reject (34) # Executing group from file /etc/freeradius/sites-enabled/default (34) Post-Auth-Type REJECT { (34) attr_filter.access_reject: EXPAND %{User-Name} (34) attr_filter.access_reject: --> user@example.org (34) attr_filter.access_reject: Matched entry DEFAULT at line 11 (34) [attr_filter.access_reject] = updated (34) [eap] = noop (34) policy remove_reply_message_if_eap { (34) if (&reply:EAP-Message && &reply:Reply-Message) { (34) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (34) else { (34) [noop] = noop (34) } # else = noop (34) } # policy remove_reply_message_if_eap = noop (34) } # Post-Auth-Type REJECT = updated (34) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (34) Sending delayed response (34) Sent Access-Reject Id 4 from 172.17.0.2:1812 to 10.17.30.60:1197 length 44 (34) EAP-Message = 0x04040004 (34) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (30) Cleaning up request packet ID 0 with timestamp +1674 due to cleanup_delay was reached (31) Cleaning up request packet ID 1 with timestamp +1674 due to cleanup_delay was reached (32) Cleaning up request packet ID 2 with timestamp +1674 due to cleanup_delay was reached (33) Cleaning up request packet ID 3 with timestamp +1674 due to cleanup_delay was reached (34) Cleaning up request packet ID 4 with timestamp +1674 due to cleanup_delay was reached Ready to process requests -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+clement.legoffic=kelio.com@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 28 février 2023 15:32 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: EAP-TLS default config On Feb 28, 2023, at 5:44 AM, clement.legoffic@kelio.com wrote:
... On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X. The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it. ... (5) eap: Peer NAK'd indicating it is not willing to continue
The android phone is not configured to do EAP-TLS. Alan DeKok. -
On Mar 7, 2023, at 9:58 AM, clement.legoffic@kelio.com wrote:
The android phone is not configured to do EAP-TLS.
Hello, I have manage to setup 2 different android device to connect to my 802.1X network. The "user" certs are installed in each device. When I initiate the EAP-TLS I get the below debug output. The EAP-TLS communication seems to works well, but the communication is end up due to internal error. I have not figured out how to manage this error. Does I need to change my TLS version ? What exactly the debug output means here : "eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error"
It's OpenSSL magic. :(
... (34) eap: Calling submodule eap_tls to process data (34) eap_tls: (TLS) EAP Done initial handshake (34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error (34) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
That's the android device saying that it doesn't want to talk to FreeRADIUS. Why? See the logs on the android device. You can't debug this by looking at the FreeRADIUS logs. The general advice here is to make sure that you aren't doing anything unusual with the certificates. So how were the certificates created? Where did you get them from? You can typically use web certs (and a web CA) for 802.1X, and it will work. That is well tested. But if you're creating the certificates yourself, and doing something special "for security", there's a good chance it won't work. Use standard certs. It's what everyone else does, and it works. Alan DeKok.
The android phone is not configured to do EAP-TLS.
Hello, I have manage to setup 2 different android device to connect to my 802.1X network. The "user" certs are installed in each device. When I initiate the EAP-TLS I get the below debug output. The EAP-TLS communication seems to works well, but the communication is end up due to internal error. I have not figured out how to manage this error. Does I need to change my TLS version ? What exactly the debug output means here : "eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error"
It's OpenSSL magic. :(
Sad, even on android side I get unintelligible log output :(
... (34) eap: Calling submodule eap_tls to process data (34) eap_tls: (TLS) EAP Done initial handshake (34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error (34) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
That's the android device saying that it doesn't want to talk to FreeRADIUS.
Why? See the logs on the android device. You can't debug this by looking at the FreeRADIUS logs.
The general advice here is to make sure that you aren't doing anything unusual with the certificates. So how were the certificates created? Where did you get them from?
I get the certificates from the freeradius certs folder that is inside the freeradius dockerfile. They are legit and seems to work as they work on an Embedded Linux Device. The point is that I can't import the original p12 file format provided by the freeradius container. I am against this error : https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-i... I followed the solutions exposed by the two main answer (to test them) and so I get two more p12 files that contains the same certificate and key (I can import them in Android). I still got the above error on freeradius side and unintelligible logs on Android side. Is there any specifications for making freeradius working natively with recent Android version or do I have to struggle with OpenSSL ? My objective is to use EAP-TLS with Android Phone.
You can typically use web certs (and a web CA) for 802.1X, and it will work. That is well tested.
But if you're creating the certificates yourself, and doing something special "for security", there's a good chance it won't work.
Use standard certs. It's what everyone else does, and it works.
Alan DeKok.
-
On Mar 8, 2023, at 8:45 AM, clement.legoffic@kelio.com wrote:
Sad, even on android side I get unintelligible log output :(
That is all too common. The logs are usually created by programmers, for programmers. There's usually not a lot of effort put into making them usable for end users.
I get the certificates from the freeradius certs folder that is inside the freeradius dockerfile. They are legit and seems to work as they work on an Embedded Linux Device.
That's good.
The point is that I can't import the original p12 file format provided by the freeradius container.
If you can't import the certs, then EAP-TLS won't work. There really isn't any reason to debug EAP-TLS if the Android device doesn't have the correct certs.
I am against this error : https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-i... I followed the solutions exposed by the two main answer (to test them) and so I get two more p12 files that contains the same certificate and key (I can import them in Android). I still got the above error on freeradius side and unintelligible logs on Android side.
Then the certificates weren't imported correctly into the android system.
Is there any specifications for making freeradius working natively with recent Android version or do I have to struggle with OpenSSL ?
I have no idea. I haven't heard of anyone having this issue before. Everyone just imports the certs, and they work. Alan DeKok.
participants (2)
-
Alan DeKok -
clement.legoffic@kelio.com