Certificate Compatibility
Trying to test EAP-TTLS with Canopy AP. Getting this: (FR 2.1.10)... WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x2f1a7f7f2b1c6afb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Unfortunately the wiki is down... FreeRADIUS Wiki has a problem Sorry! This site is experiencing technical difficulties. Try waiting a few minutes and reloading. It's been down for a while now. Does anyone have this info in another form? Thanks!
Jim Rice wrote:
Getting this: (FR 2.1.10)...
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x2f1a7f7f2b1c6afb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It means that the PC didn't like the server certificate. Follow the instructions on http://deployingradius.com/ for configuring EAP. It's a bit long, but it's *guaranteed* to work.
Unfortunately the wiki is down...
Hmm... I hadn't seen that. I'll take a look. Alan DeKok.
Those intructions worked fine for a PC. But this time I am trying to test a Canopy AP and an SM. It seems to be stopping after the server hello. It is possible that the AP does not like the server certificate (or its encryption method), but I don't think MS MIBs will help ;-) Looks like the wiki is still down... --- On Mon, 3/28/11, Alan DeKok <aland@deployingradius.com> wrote:
From: Alan DeKok <aland@deployingradius.com> Subject: Re: Certificate Compatibility To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Monday, March 28, 2011, 10:46 PM Jim Rice wrote:
Getting this: (FR 2.1.10)...
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x2f1a7f7f2b1c6afb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It means that the PC didn't like the server certificate.
Follow the instructions on http://deployingradius.com/ for configuring EAP. It's a bit long, but it's *guaranteed* to work.
Unfortunately the wiki is down...
Hmm... I hadn't seen that. I'll take a look.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots. You might also be running into an issue with the issue date on the certificate if the AP doesn't have the proper time. (I don't recall what error gets spit out in that case.) If the AP doesn't have NTP or the proper time set it reverts to starting from 1/1/2001 so your certificate may not have a valid issue date if it was recently created. Ben On Tue, Mar 29, 2011 at 9:17 AM, Jim Rice <jmrice6640@yahoo.com> wrote:
Those intructions worked fine for a PC.
But this time I am trying to test a Canopy AP and an SM. It seems to be stopping after the server hello. It is possible that the AP does not like the server certificate (or its encryption method), but I don't think MS MIBs will help ;-)
Looks like the wiki is still down...
--- On Mon, 3/28/11, Alan DeKok <aland@deployingradius.com> wrote:
From: Alan DeKok <aland@deployingradius.com> Subject: Re: Certificate Compatibility To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Date: Monday, March 28, 2011, 10:46 PM Jim Rice wrote:
Getting this: (FR 2.1.10)...
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x2f1a7f7f2b1c6afb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
It means that the PC didn't like the server certificate.
Follow the instructions on http://deployingradius.com/ for configuring EAP. It's a bit long, but it's *guaranteed* to work.
Unfortunately the wiki is down...
Hmm... I hadn't seen that. I'll take a look.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I believe that installing a certificate on the SM removes both of the defaults. Does this mean then that one slot is for the CA cert, and the other is for a client cert? Do we need to generate and install client certificates for every SM? I thought the AP was the Radius Client in this case, and was handling the TLS handshake? Or does the SM provide its certificates to the AP along with the "user identity" and MAC address when it connects? (Just when I thought I was beginning to understand all of this...) --- On Tue, 3/29/11, Ben Wiechman <wiechman.lists@gmail.com> wrote:
You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots.
The SM is bucky. To deploy a new certificate you need to delete at least one of the existing certificates and reboot the SM. That slot should now be empty and should say "Certificate X not present in the system." At this point you can import your new certificate. Some SMs however are cranky about actually deleting the certificates. After a reboot the deleted certificate is still present. CNUT seems to work much better when deploying the certificates for some reason. I haven't had it fail yet. Don't ask me. See the Tools menu. Alternatively you could use the aaasvr* certificates included with the firmware. Every SM should have that cacert_aaasvr.pem certificate pre-loaded. I'd recommend generating your own certificates however. You need to generate a CA certificate and use that to sign your server certificate. Configure both of these appropriately in your eap.conf file. If the AP doesn't have a time source it starts its clock at 1/1/2001, so you may want to generate both certificates with a valid start date before 1/1/2001. If your AP believes the time is prior to the issuing date in your certificates authentication will fail and the SM will be locked out for 15 minutes... You need to install a copy of that CA certificate on every SM. You do not need to generate a different certificate for each device. See the limitations on self signed certificates and third party certificates in the release notes. In general you can just use the procedures outlined for EAP in the wiki/deployingradius.org to generate your CA certificate, with the caveat that those certificates will be valid from the time you generate them forward. Logging is basic and essentially worthless in the AP and SM. The underlying RADIUS implementation doesn't provide visibility or better logging, which Moto says they are hoping to rectify at some point, but that doesn't help today. Oh, and if you're using vlans you'll want to wait to deploy the forthcoming patch in production. There is a memory leak in 11.0 that will cause the SM to crash when it has to filter downstream broadcast traffic. Ben On Tue, Mar 29, 2011 at 12:38 PM, Jim Rice <jmrice6640@yahoo.com> wrote:
I believe that installing a certificate on the SM removes both of the defaults.
Does this mean then that one slot is for the CA cert, and the other is for a client cert?
Do we need to generate and install client certificates for every SM?
I thought the AP was the Radius Client in this case, and was handling the TLS handshake? Or does the SM provide its certificates to the AP along with the "user identity" and MAC address when it connects?
(Just when I thought I was beginning to understand all of this...)
--- On Tue, 3/29/11, Ben Wiechman <wiechman.lists@gmail.com> wrote:
You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thanks Ben, I'll try installing the CA cert on the SM. I had already been through the EAP notes when testing auth with a PC. Baby steps ... The AP is running NTP, so time is not an issue. We were aware of the vlan problem with 11.0. (Of course, no one uses those ;-) Jim
Note that time might be an issue if the AP pushes the auth request through after a reboot before it has received a response from the NTP server and correctly configured the time. I'm not sure how much danger there is that this will happen. I haven't seen it in production that I am aware of, however we ran the beta on a site that is connected via fiber so has minimal latency to the ntp servers. Ben On Tue, Mar 29, 2011 at 1:30 PM, Jim Rice <jmrice6640@yahoo.com> wrote:
Thanks Ben,
I'll try installing the CA cert on the SM. I had already been through the EAP notes when testing auth with a PC. Baby steps ...
The AP is running NTP, so time is not an issue.
We were aware of the vlan problem with 11.0. (Of course, no one uses those ;-)
Jim
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Looks like it got a bit further this time. If I am looking at this right, it got throught the TTLS part. But now what? The SM is just "Registering". I am hoping that this is something simple and obvious to you guys... (Just the tail end for now): ... rad_recv: Access-Request packet from host 10.111.4.254 port 1273, id=0, length=439 Cleaning up request 4 ID 0 with timestamp +41 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf2937007f695654f did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "0a-00-3e-f0-11-34" State = 0xf2937007f695654f37c0362b1499c219 NAS-IP-Address = 10.111.4.254 NAS-Port = 5 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1020 EAP-Message = 0x020601501580000001461603010106100001020100b208c439d0d90984cce915a82a4455cfcd9088e55760daeb8ff2e4b2bd5115bf3fe2b8e1270daf4dca4cf81a7392 bbf684e2de7147ef4b7bc5dd54a9dd5d682f77959c1b0d7b5af3e64835e4e0e8bc2c76da431b0ff2d36fb94cb4a964da32027c46c54ea060de1a75e0a9e9ad8fac1e810af9a6b82c9e37353afc4aab 0126e19f18d7e6d3998534e364fbeab676acb4eb98b71b3afdf5f850fda7b7d1952e67de3abff875519824c3bd7f91ea33a6e9db3b5132c4947a9128c156f20b809211586ba7961c20edcb9e1bbc81 818b25c499288cd11014ea181eb05c2e0fd566a41121df762993fd0a EAP-Message = 0x10d47398e6dfe27ced7bf9082d0cbb8261315423405c9b2d14030100010116030100303b8f5f207e14a34c814835a671de3025cf69c55a20976e348d692f622b1f8182 e619567c8b8866c571c1ac6df11adb0d Message-Authenticator = 0x0940909b598c4170a6f820374c4adf48 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0a-00-3e-f0-11-34", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.111.4.254 port 1273 EAP-Message = 0x0107004515800000003b1403010001011603010030e9d5415f2dab4d08d3188d183d0c4dc68f65eae604b877e87fc28021e38c48e39ad145595d4cbbbcc00bcd4a5eb6 17f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2937007f794654f37c0362b1499c219 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 0 with timestamp +42 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf2937007f794654f did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests.
You still don't have the certificates set up correctly. Find the ca certificate you have configured in eap.conf. # openssl x509 -text -in {ca certificate from step 1} Now compare that to the certificates on your SM. They don't match. You either are using the wrong certificate on the server, or the wrong certificate on the SM. Ben On Tue, Mar 29, 2011 at 2:51 PM, Jim Rice <jmrice6640@yahoo.com> wrote:
Looks like it got a bit further this time. If I am looking at this right, it got throught the TTLS part. But now what? The SM is just "Registering".
I am hoping that this is something simple and obvious to you guys... (Just the tail end for now):
... rad_recv: Access-Request packet from host 10.111.4.254 port 1273, id=0, length=439 Cleaning up request 4 ID 0 with timestamp +41 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf2937007f695654f did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "0a-00-3e-f0-11-34" State = 0xf2937007f695654f37c0362b1499c219 NAS-IP-Address = 10.111.4.254 NAS-Port = 5 NAS-Port-Type = Wireless-802.11 Framed-MTU = 1020 EAP-Message = 0x020601501580000001461603010106100001020100b208c439d0d90984cce915a82a4455cfcd9088e55760daeb8ff2e4b2bd5115bf3fe2b8e1270daf4dca4cf81a7392 bbf684e2de7147ef4b7bc5dd54a9dd5d682f77959c1b0d7b5af3e64835e4e0e8bc2c76da431b0ff2d36fb94cb4a964da32027c46c54ea060de1a75e0a9e9ad8fac1e810af9a6b82c9e37353afc4aab 0126e19f18d7e6d3998534e364fbeab676acb4eb98b71b3afdf5f850fda7b7d1952e67de3abff875519824c3bd7f91ea33a6e9db3b5132c4947a9128c156f20b809211586ba7961c20edcb9e1bbc81 818b25c499288cd11014ea181eb05c2e0fd566a41121df762993fd0a EAP-Message = 0x10d47398e6dfe27ced7bf9082d0cbb8261315423405c9b2d14030100010116030100303b8f5f207e14a34c814835a671de3025cf69c55a20976e348d692f622b1f8182 e619567c8b8866c571c1ac6df11adb0d Message-Authenticator = 0x0940909b598c4170a6f820374c4adf48 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "0a-00-3e-f0-11-34", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 326 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 0 to 10.111.4.254 port 1273 EAP-Message = 0x0107004515800000003b1403010001011603010030e9d5415f2dab4d08d3188d183d0c4dc68f65eae604b877e87fc28021e38c48e39ad145595d4cbbbcc00bcd4a5eb6 17f2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf2937007f794654f37c0362b1499c219 Finished request 5. Going to the next request Waking up in 4.9 seconds. Cleaning up request 5 ID 0 with timestamp +42 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xf2937007f794654f did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Ben Wiechman -
Jim Rice