Hi all. I'm sure some of you are right away thinking "not this again", since this is probably something very simple, but I cannot figure this out. I've got an XP SP3 client, a Windows 7 SP1 client, and an iPad all trying to sign in to a WPA2 wireless network, that I have setup to auth with FreeRadius. The iPad works 100% of the time. The Windows XP client & Windows 7 do not. The most obvious thing in the debug log (whole snippit below) is the "EAP session for the state 0x.... did not finish!". I've followed the directions to disable certificate checking on Windows, and this continues to happen. I've re-ran "make" in the certs directory, and checked that the openssl lines do infact include the "xpextensions" file. Is there something else I should be doing here? I've been following the directions @ http://deployingradius.com/documents/configuration/pap.html , along with the FAQs at http://wiki.freeradius.org/Certificate_Compatibility . Thanks, --Brian
Forgot to add the log: rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=123 User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000a01627269616e Message-Authenticator = 0x82509800bfcd7af4872121571a69559e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry brian at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x01010016041089ed766f4e691575ade990b9e1599b06 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2473f8e9b7c2be9cff1f046e18 Finished request 22. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=137 Cleaning up request 22 ID 2 with timestamp +539 User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2473f8e9b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100060319 Message-Authenticator = 0x361aec66d89fee7ccb80c53d901599cc # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry brian at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2472fbf4b7c2be9cff1f046e18 Finished request 23. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=218 Cleaning up request 23 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2472fbf4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2472fbf4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202005719800000004d16030100480100004403014d126b52be5f4e9805e5cf1c09f3085ce9ab466e4b67f48695f1ec650e867b4300001600040005000a0009006400620003000600130012006301000005ff01000100 Message-Authenticator = 0x6d65cb3a63f0462e17072eac5c8534ae # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 77 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0048], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 086f], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x0103040019c0000008ac160301002a0200002603014d126b52392681329f3967c957148f06de6c636f5cc57a5b610c1cf12673497700000400160301086f0b00086b0008680003ae308203aa30820292a003020102020102300d06092a864886f70d0101040500308196310b3009060355040613025553311330110603550408130a4e6577204a6572736579311730150603550407130e49736c616e64204865696768747331183016060355040a130f4b31325553412057694669204465763122302006092a864886f70d0109011613626d6363616e6e40616e646d6f72652e636f6d311b3019060355040313124b3132555341205769466920446576 EAP-Message = 0x204341301e170d3130313232323230323834375a170d3131313232323230323834375a308180310b3009060355040613025553311330110603550408130a4e6577204a657273657931183016060355040a130f4b3132555341205769466920446576311e301c060355040313154b313255534120536563757265204e6574776f726b3122302006092a864886f70d0109011613626d6363616e6e40616e646d6f72652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c480df0056754f55385fc40baecd3ee63e8697c48e960fef4bad0819728974edf0cfd3fb50601cefd348b5fcd8e6f4c5d07d9937fb91 EAP-Message = 0xe4df955ae0e8c1bf9f5274e0dfd069d298b25e57c536d8188aba8463a9ce2ce5592b1f73ed488ff57f4544ca8fd179615e06b092e7ce795038c24c117688d0cc18d1dc3de85a912a5874ce86967f14b7b75d0c4174dc15995e9cbc1d354c656296aafdf9bb1b7a60c1f7e00bf013a9e03874521d0ada7b8ec6094f20bc220c0d6e534eb6d7334aee94aa86fd01d65714804e38360bf7802e39c2325494f40a1567c9c9118bbd61b9d4abde81c900aadf9734c53918e094e83fb6d96b5e02f9b0918f1783ea6741ba792b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100af EAP-Message = 0xa25fc5cd8eb1660a5f4ef56bca050331c518f31b0dfce3493cbd556a097601808f86b8621d57962c76d79158c498a44a0da0a37c5e2b79849b440b65bc4b2dbd61152e78218e95411b35643794ba38631b9fbd923ac7a698675b4546a8f4009863594c00ac4b6c29702ff95f0f0addfb279cf7751e96f068ceebe46b942be160a9eae7e188afaff584baebfd62fb8ee31493e5ae6be9e02dc5376a5a3461d0f10928da5a5872fc9a6708da7ddff55445466c5833d530e099ca401e3306b36de736decb7a88cff79c98635b730c595bdbf0bce0081c5aa4bfc39ecfad8510689775647bb8c47aa669c435de3a53455f91c6a9b70f85b423cddad6962c50 EAP-Message = 0xc4660004b4308204b0308203 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2471faf4b7c2be9cff1f046e18 Finished request 24. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=137 Cleaning up request 24 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2471faf4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2471faf4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300061900 Message-Authenticator = 0xa27b16694354600b2fa19d07b34f48c7 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x010403fc194098a00302010202090084a645f254976ef3300d06092a864886f70d0101050500308196310b3009060355040613025553311330110603550408130a4e6577204a6572736579311730150603550407130e49736c616e64204865696768747331183016060355040a130f4b31325553412057694669204465763122302006092a864886f70d0109011613626d6363616e6e40616e646d6f72652e636f6d311b3019060355040313124b3132555341205769466920446576204341301e170d3130313232323230323834375a170d3131313232323230323834375a308196310b3009060355040613025553311330110603550408130a4e6577 EAP-Message = 0x204a6572736579311730150603550407130e49736c616e64204865696768747331183016060355040a130f4b31325553412057694669204465763122302006092a864886f70d0109011613626d6363616e6e40616e646d6f72652e636f6d311b3019060355040313124b313255534120576946692044657620434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e378bcf1ed8456e7206c82cc4d6eaf5b97d3515cbfe563126c299516531d30d05ec6373010909f7db529bc177df778a94cbef9956b142f0912b60eeb05047839346b3c2b84c48429b671abf341f2dba7592246cb067a84061bdd523eebad5f2b5a EAP-Message = 0xadd4d18b8d3bf7dc5199191d3a08ba22d8f2ad302325a14bbebf2e8185ef554961b81e1aab1d66cdf4fb0f952f5c755c9eab2232649bebca0104294c2d97cf1d9aa939bcc00a712e7689880b1ab24134f1381ff03b15df55cde5da04d2a451c3c5e4f2f9378cedce1c57d57a2a838c28cfddf86e3191828f5ace7cfe9599f17193d2740cf20462de9bf2ec27b898a4f3629bc2f4969e3a60b8190db87a7ae30203010001a381fe3081fb301d0603551d0e0416041478b8d9e76dd4dfa361c86e87a2691c5e3dbb78d53081cb0603551d230481c33081c0801478b8d9e76dd4dfa361c86e87a2691c5e3dbb78d5a1819ca48199308196310b3009060355 EAP-Message = 0x040613025553311330110603550408130a4e6577204a6572736579311730150603550407130e49736c616e64204865696768747331183016060355040a130f4b31325553412057694669204465763122302006092a864886f70d0109011613626d6363616e6e40616e646d6f72652e636f6d311b3019060355040313124b313255534120576946692044657620434182090084a645f254976ef3300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100818c0bee681e432f1ba78fde93ad14545ac8dc7846780244827a30bdf3e87a78259f876ebc87cb124d010f59782aa3eecb8d68c73f6bba7a738fa2a23c98c6b20e EAP-Message = 0x520baa021c80b531 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2470fdf4b7c2be9cff1f046e18 Finished request 25. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=137 Cleaning up request 25 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2470fdf4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2470fdf4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061900 Message-Authenticator = 0x3e196bcf1b83f07e379a570fa50813d9 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x010500c61900b1136a783587e16f83dcf46f2c326adbc168d049a2f6e501a2e37a0aef489f7c3eab64b3efd0905c148a66747c5f70ca4d1d87dc490f03b59eb8ae04720e07e836cf279e6bc9c5cd0738fac2bc0a88a9ee5a874b7e51fc0100702d512077c497b216035aad340d9aa531a7224813decce0eab4495c8648596f21072ace98bd8050405d371eba86bae0b834b203149c531c511c7dd9c37837b95bf1a6ad7e8b4f9b75d7075bc4dffcfe44f00b2cd3e7c65604a0ee97d8d916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2477fcf4b7c2be9cff1f046e18 Finished request 26. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=453 Cleaning up request 26 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2477fcf4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2477fcf4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0205014019800000013616030101061000010201000fcc7daa6c00ab8b5fa678f2cfc032624ec13d0c600bfb4f12acc6741a9115490ce48505fa89b2021891d2b77d8e5d25ab4af250b5de80d19b09ab43d35287958fbc9f8943a9153eeb507318896ad4a78ce07403e13938d486192daa7e23ea4114ccf1167b290c1da028e44b41956d123d03efb67d0b8211fa567f08f384c257bc1718227a93b597fb8de3586f9051990016cca5d3e2feae395cba789251e4245cf79ec4cff96c15799658592bc4b228ad5c2b566ea7ef5422ac74f1226b9857f3090ecb750a818f534907ac9c224f4ea9be90b408bd0be957fe56bd7a07e718ca5adc6066c66799 EAP-Message = 0xb7a945951c9629e63ee8212c7788d2ff043c67fe1599856e1403010001011603010020df6ae58d1055e58afaef85f4f651fe1bec6308eec943f59dc9205c31f986c923 Message-Authenticator = 0xc835a2d1a886289b8a0558353cc600db # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 310 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x0106003119001403010001011603010020a6d5ead78991d28a9c05446c988d7f34f5e7912b975669d278d3d18c8e6955f4 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2476fff4b7c2be9cff1f046e18 Finished request 27. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=137 Cleaning up request 27 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2476fff4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2476fff4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020600061900 Message-Authenticator = 0xaa14f8b221bcd00cd9ae692884e579ef # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake is finished [peap] eaptls_verify returned 3 [peap] eaptls_process returned 3 [peap] EAPTLS_SUCCESS [peap] Session established. Decoding tunneled attributes. [peap] Peap state TUNNEL ESTABLISHED ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x010700201900170301001529f01f0f98421d03e94ad9aab050be66925b96c52e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2475fef4b7c2be9cff1f046e18 Finished request 28. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=164 Cleaning up request 28 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2475fef4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2475fef4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207002119001703010016831971c0c91f73799d38655e5510508475fb44a52cdf Message-Authenticator = 0x66cda1b06c4f76e1c7597f2beb41091d # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state WAITING FOR INNER IDENTITY [peap] Identity - brian [peap] Got inner identity 'brian' [peap] Setting default EAP type for tunneled EAP session. [peap] Got tunneled request EAP-Message = 0x0207000a01627269616e server { PEAP: Setting User-Name to brian Sending tunneled request EAP-Message = 0x0207000a01627269616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "brian" server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 7 length 10 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry brian at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] EAP Identity [eap] processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x0108001f1a0108001a10436b17da9d5a9d992f2ada08be92a225627269616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36d47f7836dc650e959d62628e1199da [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x0108001f1a0108001a10436b17da9d5a9d992f2ada08be92a225627269616e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36d47f7836dc650e959d62628e1199da [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x010800361900170301002bd5d8a1c52e9dfcccea6d283e855751fa46afaf9f0908b7720d3f81bac9d48935e98195d6083d06e34d9a92 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed2474f1f4b7c2be9cff1f046e18 Finished request 29. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=218 Cleaning up request 29 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed2474f1f4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed2474f1f4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800571900170301004c33b0b0f4ab967c210855eaf55f0eb38734e3e099965fe9e5d690b94df401f0d35a206706cecd55273dc3293fb0a85665f9962d30b0834dcee6c83736677e88da28860117333e9e5d9f524b11 Message-Authenticator = 0xd57efa09c01d8b25afdcb5f41017a5ea # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 87 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800401a0208003b310f5e48ff04c526b3be1b0ebae4db028d00000000000000004fbbcd324f826e1889bb474cadf0344518af8a0a98be944000627269616e server { PEAP: Setting User-Name to brian Sending tunneled request EAP-Message = 0x020800401a0208003b310f5e48ff04c526b3be1b0ebae4db028d00000000000000004fbbcd324f826e1889bb474cadf0344518af8a0a98be944000627269616e FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "brian" State = 0x36d47f7836dc650e959d62628e1199da server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 8 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry brian at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Creating challenge hash with username: brian [mschap] Told to do MS-CHAPv2 for brian with NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled } # server inner-tunnel [peap] Got tunneled reply code 11 EAP-Message = 0x010900331a0308002e533d35424230323439364246434142363633324246313233414533434534344541353144343034413030 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36d47f7837dd650e959d62628e1199da [peap] Got tunneled reply RADIUS code 11 EAP-Message = 0x010900331a0308002e533d35424230323439364246434142363633324246313233414533434534344541353144343034413030 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x36d47f7837dd650e959d62628e1199da [peap] Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x0109004a1900170301003f7d0509a6338f227609bd6516cf28976ba43c7353d36631e1781e256dfd2698257b193aec136a2a0f4d6b17ce907734cf0a602b14781418aaa1eb9a25a7c030 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed247bf0f4b7c2be9cff1f046e18 Finished request 30. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=160 Cleaning up request 30 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed247bf0f4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed247bf0f4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0209001d190017030100129b7436ea86fc0d667258335a9278479ee71e Message-Authenticator = 0xb3aff80044d1fab201c229ef26a62eeb # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 29 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020900061a03 server { PEAP: Setting User-Name to brian Sending tunneled request EAP-Message = 0x020900061a03 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "brian" State = 0x36d47f7837dd650e959d62628e1199da server inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[control] returns noop [eap] EAP packet type response id 9 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry brian at line 1 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [eap] Freeing handler ++[eap] returns ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [peap] Got tunneled reply code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x39f106ca036530b8023fad5a94a2fcdd MS-MPPE-Recv-Key = 0x8dab006b54c91dffce48dd52eb1baf63 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "brian" [peap] Got tunneled reply RADIUS code 2 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 MS-MPPE-Send-Key = 0x39f106ca036530b8023fad5a94a2fcdd MS-MPPE-Recv-Key = 0x8dab006b54c91dffce48dd52eb1baf63 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "brian" [peap] Tunneled authentication was successful. [peap] SUCCESS ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.100.31 port 2052 EAP-Message = 0x010a00261900170301001b577408bb89d085a90c64f051ddf981a97be4d3459ae0217b7e6201 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x73f9ed247af3f4b7c2be9cff1f046e18 Finished request 31. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.100.31 port 2052, id=2, length=169 Cleaning up request 31 ID 2 with timestamp +539 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x73f9ed247af3f4b7 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "brian" NAS-IP-Address = 192.168.100.31 Called-Station-Id = "00259c5266d8" Calling-Station-Id = "00225f72869d" NAS-Identifier = "00259c5266d8" NAS-Port = 41 Framed-MTU = 1400 State = 0x73f9ed247af3f4b7c2be9cff1f046e18 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020a00261900170301001b2720b3df93cd3b541cf48870356131d4128e9ab1e9c68cad02b201 Message-Authenticator = 0x3a7d762165f7afafbfe34d11868897a4 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "brian", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 10 length 38 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state send tlv success [peap] Received EAP-TLV response. [peap] Success [eap] Freeing handler ++[eap] returns ok # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 2 to 192.168.100.31 port 2052 MS-MPPE-Recv-Key = 0xcc08e36dfbdf32282d1af7c61ed07b98a4405e1ff068e3247f360af5819fe977 MS-MPPE-Send-Key = 0x1f35fe2715d026f1268b668bd6ca1786db2c87b8192186accebcdb3a9f240306 EAP-Message = 0x030a0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "brian" Finished request 32. Going to the next request Waking up in 4.9 seconds. -----Original Message----- From: freeradius-users-bounces+bmccann=andmore.com@lists.freeradius.org [mailto:freeradius-users-bounces+bmccann=andmore.com@lists.freeradius.org] On Behalf Of McCann, Brian Sent: Wednesday, December 22, 2010 3:54 PM To: freeradius-users@lists.freeradius.org Subject: Windows Client Hi all. I'm sure some of you are right away thinking "not this again", since this is probably something very simple, but I cannot figure this out. I've got an XP SP3 client, a Windows 7 SP1 client, and an iPad all trying to sign in to a WPA2 wireless network, that I have setup to auth with FreeRadius. The iPad works 100% of the time. The Windows XP client & Windows 7 do not. The most obvious thing in the debug log (whole snippit below) is the "EAP session for the state 0x.... did not finish!". I've followed the directions to disable certificate checking on Windows, and this continues to happen. I've re-ran "make" in the certs directory, and checked that the openssl lines do infact include the "xpextensions" file. Is there something else I should be doing here? I've been following the directions @ http://deployingradius.com/documents/configuration/pap.html , along with the FAQs at http://wiki.freeradius.org/Certificate_Compatibility . Thanks, --Brian - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
McCann, Brian wrote:
Hi all. I'm sure some of you are right away thinking "not this again", since this is probably something very simple, but I cannot figure this out. I've got an XP SP3 client, a Windows 7 SP1 client, and an iPad all trying to sign in to a WPA2 wireless network, that I have setup to auth with FreeRadius. The iPad works 100% of the time. The Windows XP client & Windows 7 do not. The most obvious thing in the debug log (whole snippit below) is the "EAP session for the state 0x.... did not finish!".
Yup. The iPad works because Apple isn't completely bonkers.
I've followed the directions to disable certificate checking on Windows, and this continues to happen. I've re-ran "make" in the certs directory, and checked that the openssl lines do infact include the "xpextensions" file.
Has the "ca.der" file bee uploaded to the Windows machine?
Is there something else I should be doing here? I've been following the directions @ http://deployingradius.com/documents/configuration/pap.html , along with the FAQs at http://wiki.freeradius.org/Certificate_Compatibility .
Well.. if you follow the EAP guide on my web page, it *should* work with Windows. The guide contains a long series of small steps, and every step is important. If one is missed... Windows won't work. Alan DeKok.
participants (3)
-
Alan Buxey -
Alan DeKok -
McCann, Brian