eapol_test with TLS fails (nothing sent to freeradius)
This command fails with timout: config file: rad_eap_test.txt network={ ssid="eduroam" key_mgmt=IEEE8021X eap=TLS ca_cert="ca.pem" identity="wlan_test" password="test" client_cert="client.pem" private_key="client.key" } Openssl verify is ok: # openssl verify -CAfile ca.pem client.pem client.pem: OK # bin/eapol_test -crad_eap_test.txt -a10.160.4.50 -p1812 -stesting123 -test -M70:6f:6c:69:73:68 Reading configuration file 'rad_eap_test.txt' Line: 1 - start of a new network block ssid - hexdump_ascii(len=7): 65 64 75 72 6f 61 6d eduroam key_mgmt: 0x8 eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 ca_cert - hexdump_ascii(len=6): 63 61 2e 70 65 6d ca.pem identity - hexdump_ascii(len=9): 77 6c 61 6e 5f 74 65 73 74 wlan_test client_cert - hexdump_ascii(len=10): 63 6c 69 65 6e 74 2e 70 65 6d client.pem private_key - hexdump_ascii(len=10): 63 6c 69 65 6e 74 2e 6b 65 79 client.key Priority group 0 id=0 ssid='eduroam' Authentication server 10.160.4.50:1812 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL test timed out MPPE keys OK: 0 mismatch: 1 FAILURE Any help is appreciated. Thomas
On Sun, Jul 26, 2015 at 03:58:18PM +0200, freerad wrote:
This command fails with timout:
...
Any help is appreciated.
So what does FreeRADIUS debug say? Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
freeradius is running with freeradius -X But nothing comes to the server when running eapol_test. But when doing it with e.g. TTLS or PEAP requests are seen. Here is output of freereadius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "WLAN4zyxel" nastype = "other" } client 10.160.199.11 { require_message_authenticator = no secret = "WLAN4zyxel" } client 10.160.4.5 { require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = Perl Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = Perl Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_perl Module: Instantiating module "perl" from file /etc/freeradius/modules/perl perl { module = "/etc/freeradius/tiri_rlm_perl.pl" func_authorize = "authorize" func_authenticate = "authenticate" func_accounting = "accounting" func_preacct = "preacct" func_checksimul = "checksimul" func_detach = "detach" func_xlat = "xlat" func_pre_proxy = "pre_proxy" func_post_proxy = "post_proxy" func_post_auth = "post_auth" func_recv_coa = "recv_coa" func_send_coa = "send_coa" } Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = yes } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-SWBT} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}" allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "WLAN4hotspot" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { tmpdir = "/tmp/freeradius" client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_detail Module: Instantiating module "auth_log" from file /etc/freeradius/modules/detail.log detail auth_log { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Creating Post-Proxy-Type = Fail Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 47219 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. 2015-07-26 16:29 GMT+02:00 Matthew Newton <mcn4@leicester.ac.uk>:
On Sun, Jul 26, 2015 at 03:58:18PM +0200, freerad wrote:
This command fails with timout:
...
Any help is appreciated.
So what does FreeRADIUS debug say?
Matthew
-- Matthew Newton, Ph.D. <mcn4@le.ac.uk>
Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk> - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
# bin/eapol_test -crad_eap_test.txt -a10.160.4.50 -p1812 -stesting123 -test -M70:6f:6c:69:73:68 ^^^^^^^^^^^ On Sun, Jul 26, 2015 at 06:45:56PM +0200, freerad wrote:
client 10.160.4.5 { ^^^^^^^^^^ require_message_authenticator = no secret = "testing123" }
Fix up whichever IP address is wrong there. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
Thank you, I fixed this connection issue, radtest works: # radtest testuser password 10.160.4.50:1812 0 testing123 Sending Access-Request of id 168 to 10.160.4.50 port 1812 User-Name = "testuser" User-Password = "password" NAS-IP-Address = 10.160.4.5 NAS-Port = 0 rad_recv: Access-Accept packet from host 10.160.4.50 port 1812, id=168, length=20 and this works as well: # ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u wlan_test -p test -m IEEE8021X -e TTLS -2 MSCHAPV2 -v access-accept; 0 RADIUS message: code=2 (Access-Accept) identifier=7 length=171 Attribute 26 (Vendor-Specific) length=58 Value: 00 00 01 37 11 34 87 08 07 b4 32 1c a0 90 3d d0 2f 33 20 e7 9b ff 7b 57 e6 27 ca 60 5a ed 17 ad a4 bd 9d 36 dc 22 1b e6 e3 34 51 71 2d c0 18 dc 30 c1 a1 e4 30 2a 26 8d Attribute 26 (Vendor-Specific) length=58 Value: 00 00 01 37 10 34 88 6f bb bb 92 9a ab 8e c1 4b ef 05 50 2e 09 b4 21 7f 42 40 50 26 a4 03 79 c9 fc cd d4 52 78 9b 95 22 13 8d 24 0f 42 8c 55 a8 c6 9f a2 66 cc 9e 7d 8f Attribute 79 (EAP-Message) length=6 Value: 03 07 00 04 Attribute 80 (Message-Authenticator) length=18 Value: 1a 9e 14 93 ea 42 4c 5b 06 32 6e e2 18 93 b3 65 Attribute 1 (User-Name) length=11 Value: 'wlan_test' But only with the client-certs there I get another error.: # ./rad_eap_test -H 10.160.4.50 -P 1812 -S testing123 -u wlan_test -p test -m IEEE8021X -e TLS -2 MSCHAPV2 -v -j client.pem -k client.unenc.key -a ca.pem access-reject; 2 # bin/eapol_test -c rad_eap_test.txt -a10.160.4.50 -p1812 -stesting123 -t5 -M70:6f:6c:69:73:68 Reading configuration file 'rad_eap_test.txt' Line: 1 - start of a new network block ssid - hexdump_ascii(len=7): 65 64 75 72 6f 61 6d eduroam key_mgmt: 0x8 eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 ca_cert - hexdump_ascii(len=6): 63 61 2e 70 65 6d ca.pem identity - hexdump_ascii(len=9): 77 6c 61 6e 5f 74 65 73 74 wlan_test client_cert - hexdump_ascii(len=10): 63 6c 69 65 6e 74 2e 70 65 6d client.pem private_key - hexdump_ascii(len=16): 63 6c 69 65 6e 74 2e 75 6e 65 6e 63 2e 6b 65 79 client.unenc.key Priority group 0 id=0 ssid='eduroam' Authentication server 10.160.4.50:1812 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=9): 77 6c 61 6e 5f 74 65 73 74 wlan_test EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=14) TX EAP -> RADIUS - hexdump(len=14): 02 00 00 0e 01 77 6c 61 6e 5f 74 65 73 74 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=9): 77 6c 61 6e 5f 74 65 73 74 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=126 Attribute 1 (User-Name) length=11 Value: 'wlan_test' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '70-6F-6C-69-73-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=16 Value: 02 00 00 0e 01 77 6c 61 6e 5f 74 65 73 74 Attribute 80 (Message-Authenticator) length=18 Value: 23 92 e7 04 cb 9c 9b 24 df 26 f8 36 ca 3f 63 d2 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 93 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=93 Attribute 18 (?Unknown?) length=29 Attribute 79 (EAP-Message) length=8 Value: 01 01 00 06 19 20 Attribute 80 (Message-Authenticator) length=18 Value: 78 5c 04 dd fb c5 12 b0 60 fd d7 04 7b 13 1f 33 Attribute 24 (State) length=18 Value: 2b fd 86 79 2b fc 9f 32 b9 81 fa ab 41 70 b1 d3 STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending request, round trip time 0.01 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=6) from RADIUS server: EAP-Request-PEAP (25) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=25 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 25 EAP: vendor 0 method 25 not allowed EAP: Building EAP-Nak (requested type 25 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 0d EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 0d Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=136 Attribute 1 (User-Name) length=11 Value: 'wlan_test' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '70-6F-6C-69-73-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 01 00 06 03 0d Attribute 24 (State) length=18 Value: 2b fd 86 79 2b fc 9f 32 b9 81 fa ab 41 70 b1 d3 Attribute 80 (Message-Authenticator) length=18 Value: bb 77 ac a8 bd 32 2b 71 88 0d 66 4e 0f 75 d4 9f Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 93 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=1 length=93 Attribute 18 (?Unknown?) length=29 Attribute 79 (EAP-Message) length=8 Value: 01 02 00 06 0d 20 Attribute 80 (Message-Authenticator) length=18 Value: 4e a3 29 63 43 2c 68 cd 32 22 19 1f 90 03 21 7d Attribute 24 (State) length=18 Value: 2b fd 86 79 2a ff 8b 32 b9 81 fa ab 41 70 b1 d3 STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: Trusted root certificate(s) loaded OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: SSL_use_certificate_file (PEM) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected EAP: EAP entering state METHOD SSL: Received packet(len=6) - Flags 0x20 EAP-TLS: Start SSL: (where=0x10 ret=0x1) SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:before/connect initialization SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 write client hello A SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server hello A SSL: SSL_connect - want more data SSL: 87 bytes pending from ssl_out SSL: 87 bytes left to be sent out (of total 87 bytes) EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=93) TX EAP -> RADIUS - hexdump(len=93): 02 02 00 5d 0d 00 16 03 01 00 52 01 00 00 4e 03 01 55 b5 14 c7 26 b9 84 25 8a 51 da 5a 9d d2 e4 6f 03 01 5f ca 25 cf 72 e7 bf a7 a0 60 5c 99 6a 75 00 00 26 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 02 01 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=2 length=223 Attribute 1 (User-Name) length=11 Value: 'wlan_test' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '70-6F-6C-69-73-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=95 Value: 02 02 00 5d 0d 00 16 03 01 00 52 01 00 00 4e 03 01 55 b5 14 c7 26 b9 84 25 8a 51 da 5a 9d d2 e4 6f 03 01 5f ca 25 cf 72 e7 bf a7 a0 60 5c 99 6a 75 00 00 26 00 39 00 38 00 35 00 16 00 13 00 0a 00 33 00 32 00 2f 00 05 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 00 03 02 01 00 Attribute 24 (State) length=18 Value: 2b fd 86 79 2a ff 8b 32 b9 81 fa ab 41 70 b1 d3 Attribute 80 (Message-Authenticator) length=18 Value: 3c 66 64 f9 40 5a 2b fd f2 58 9c c5 22 04 79 d0 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1119 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=2 length=1119 Attribute 18 (?Unknown?) length=29 Attribute 79 (EAP-Message) length=255 Value: 01 03 04 00 0d c0 00 00 0a e7 16 03 01 00 2a 02 00 00 26 03 01 07 79 5d af 37 90 bf b2 dd c3 0f c0 3a 48 e8 2d 48 b4 77 22 2d 35 ef 68 2d 09 98 39 19 24 b5 38 00 00 39 00 16 03 01 08 0a 0b 00 08 06 00 08 03 00 03 91 30 82 03 8d 30 82 02 75 a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 7f 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0e 06 03 55 04 08 13 07 48 61 6d 62 75 72 67 31 15 30 13 06 03 55 04 07 13 0c 53 63 68 77 61 72 7a 65 6e 62 65 6b 31 12 30 10 06 03 55 04 0a 13 09 74 69 72 69 20 47 6d 62 48 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 12 63 61 40 68 6f 74 73 70 6f 74 2e 74 69 72 69 2e 6c 69 31 10 30 0e 06 03 55 04 03 13 07 74 69 72 69 20 43 41 30 1e 17 0d 31 35 30 37 32 35 31 39 31 33 34 39 5a 17 0d 31 36 Attribute 79 (EAP-Message) length=255 Value: 30 37 32 34 31 39 31 33 34 39 5a 30 7c 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0e 06 03 55 04 08 13 07 48 61 6d 62 75 72 67 31 12 30 10 06 03 55 04 0a 13 09 74 69 72 69 20 47 6d 62 48 31 20 30 1e 06 03 55 04 03 13 17 74 69 72 69 20 52 61 64 69 75 73 20 43 65 72 74 69 66 69 63 61 74 65 31 25 30 23 06 09 2a 86 48 86 f7 0d 01 09 01 16 16 72 61 64 69 75 73 40 68 6f 74 73 70 6f 74 2e 74 69 72 69 2e 6c 69 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 c1 d1 37 62 2c ec 8d 1f 14 60 36 14 80 4e a4 ca c9 bd e4 09 2f 50 87 45 a3 9a b6 1f 77 03 bc 2f 6f 97 e2 2e 59 d2 76 ec 58 9c 64 ab db 53 30 2e 95 dd 68 58 86 01 0b 9d 2f e5 0c 47 ae a9 77 dd e5 69 53 75 77 3c cc cd 13 86 a7 72 86 63 7e 34 e5 bc b4 Attribute 79 (EAP-Message) length=255 Value: 86 7f b4 5a 59 48 00 52 07 5c 1e ca a3 72 97 84 a2 01 f7 55 77 7a f2 68 7e 2e 96 81 04 d0 37 a6 c4 25 f6 bd f6 0a c8 cf e1 2a dc 6d 45 66 df 04 2d e3 59 e2 bf 89 a6 62 0e 15 11 98 65 1e 02 31 f0 1a cb dc 4b e2 7f 7b 5f f7 53 ff 00 ff b0 10 7b be ab 65 63 51 70 bb 85 68 3d 3d 08 08 f7 2d a5 a7 d8 1b 1f f0 1b 3a 1d 0c 93 9a b9 aa b4 01 95 24 60 3a 3b 8c 6f 9b ca 0b 8a 10 78 13 69 c9 b5 09 72 7a b9 3d 7e 32 74 62 82 8e c9 70 ae 02 c2 fa ec 4e a3 1d bd 0f e3 8f ce 71 76 21 9c 5c 5a 34 24 91 cd 48 85 59 65 49 11 fa 8b 02 03 01 00 01 a3 17 30 15 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 03 82 01 01 00 13 49 bf 30 e7 bc 3b 1e fc a2 07 0b 74 6e 26 88 98 bc c0 73 53 50 b5 8f 34 63 e4 f8 e7 a8 Attribute 79 (EAP-Message) length=255 Value: e9 09 98 ce b0 b1 68 1c 16 3e 10 74 2b 89 71 b0 17 9e e0 ef 7b 5c a7 b1 13 74 31 25 d2 65 3b d3 67 00 85 1a f4 3d dc 1f c4 94 0e d3 34 76 0f 69 1d 3e a2 64 11 55 e3 8f 7c 4f 5e 33 4f 76 cd fe 68 8f 03 2d ff f2 4a f3 41 d0 4c 85 c2 ab e6 21 56 00 3d 2c 44 bf be 27 6d 52 50 45 14 e3 84 3b 7d b0 eb 1c 74 5e be df 32 07 ff 5f 7e 49 af eb 3a 85 22 dd c9 76 98 74 b6 2b ce f9 8e e6 74 d6 6a 3c 24 2d e9 97 79 44 f7 0c 08 23 86 66 fe ca ec f6 f2 80 7e 9e 7d 5d f8 15 33 40 91 fe 52 05 05 02 e4 4f e1 b6 2c 32 c6 70 4b e9 44 26 28 5a eb 09 ef 08 93 63 86 a4 e0 e4 5f 5d b4 d6 75 43 0b 3b a5 45 b1 f0 22 b1 90 5b 36 98 2a bc 0a 8b f7 88 b8 e9 fa 95 89 06 14 e2 51 f4 45 a4 4c 80 10 2d 00 04 6c 30 82 04 68 30 82 03 50 a0 03 02 01 02 02 09 00 9d 28 85 27 5c ee bb c8 Attribute 79 (EAP-Message) length=14 Value: 30 0d 06 09 2a 86 48 86 f7 0d 01 01 Attribute 80 (Message-Authenticator) length=18 Value: 84 f7 52 cf 49 0c d3 ea 05 8f 1b c1 22 4d e9 f7 Attribute 24 (State) length=18 Value: 2b fd 86 79 29 fe 8b 32 b9 81 fa ab 41 70 b1 d3 STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=3 len=1024) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=3 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1024) - Flags 0xc0 SSL: TLS Message Length: 2791 SSL: Need 1777 bytes more input data SSL: Building ACK EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 03 00 06 0d 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=3 length=136 Attribute 1 (User-Name) length=11 Value: 'wlan_test' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '70-6F-6C-69-73-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 03 00 06 0d 00 Attribute 24 (State) length=18 Value: 2b fd 86 79 29 fe 8b 32 b9 81 fa ab 41 70 b1 d3 Attribute 80 (Message-Authenticator) length=18 Value: 92 f5 ba e4 8e ce aa 5c 2c e7 31 86 45 02 bd ac Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 1119 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=3 length=1119 Attribute 18 (?Unknown?) length=29 Attribute 79 (EAP-Message) length=255 Value: 01 04 04 00 0d c0 00 00 0a e7 0b 05 00 30 7f 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0e 06 03 55 04 08 13 07 48 61 6d 62 75 72 67 31 15 30 13 06 03 55 04 07 13 0c 53 63 68 77 61 72 7a 65 6e 62 65 6b 31 12 30 10 06 03 55 04 0a 13 09 74 69 72 69 20 47 6d 62 48 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 12 63 61 40 68 6f 74 73 70 6f 74 2e 74 69 72 69 2e 6c 69 31 10 30 0e 06 03 55 04 03 13 07 74 69 72 69 20 43 41 30 1e 17 0d 31 35 30 37 32 35 31 39 31 33 34 39 5a 17 0d 31 36 30 37 32 34 31 39 31 33 34 39 5a 30 7f 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0e 06 03 55 04 08 13 07 48 61 6d 62 75 72 67 31 15 30 13 06 03 55 04 07 13 0c 53 63 68 77 61 72 7a 65 6e 62 65 6b 31 12 30 10 06 03 55 04 0a 13 09 74 69 72 69 20 47 6d 62 48 31 21 30 Attribute 79 (EAP-Message) length=255 Value: 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 12 63 61 40 68 6f 74 73 70 6f 74 2e 74 69 72 69 2e 6c 69 31 10 30 0e 06 03 55 04 03 13 07 74 69 72 69 20 43 41 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 98 72 7c 23 ad ed 34 5a fa e7 57 54 ea 9b b3 a7 dc 79 49 f2 6b 69 44 f9 82 33 c2 e5 ed 1e 5c 72 0c 35 85 66 ae c7 cc f6 1f c4 57 98 26 ef ce 15 37 a4 65 eb 8e 02 df 12 4f f2 81 40 d4 ad 19 a5 57 3c 6d 0d 67 95 2f 2f ee cc fb 42 23 21 86 c0 0e b6 a0 59 0c d0 fa c2 3c 3e 87 35 15 20 b7 7c 0e 14 2e 02 10 52 2a 30 98 a5 03 ab 74 66 0d 61 80 1d 36 22 97 d8 a8 1c 56 21 4d 03 6d 60 f1 1d 43 81 9c fd ba a7 36 e3 b9 f1 0e 35 06 77 f5 e0 cf 14 e4 85 63 88 47 7f a7 a2 ea 15 20 b6 ac c4 95 ca 29 de 77 a1 a3 90 c1 ae Attribute 79 (EAP-Message) length=255 Value: 0a 0e 5b f6 c3 d6 f7 af 85 60 3b de 8a 61 62 2d 34 62 c9 c2 bd ba 96 89 3c fe 72 c3 f6 63 14 44 58 46 3a 20 1f 34 cf 6d 00 9c 03 91 6a 47 99 ae 50 04 8a a1 20 39 c3 b8 14 89 8a 23 c9 f1 05 37 f7 d8 f5 be 50 5e 87 3c 3e f5 a4 44 1d 08 f2 0d af 6f 17 ca 81 11 02 03 01 00 01 a3 81 e6 30 81 e3 30 1d 06 03 55 1d 0e 04 16 04 14 13 6c 09 d8 13 ec 30 d4 8c 30 f5 91 54 9d 15 26 d1 43 91 75 30 81 b3 06 03 55 1d 23 04 81 ab 30 81 a8 80 14 13 6c 09 d8 13 ec 30 d4 8c 30 f5 91 54 9d 15 26 d1 43 91 75 a1 81 84 a4 81 81 30 7f 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0e 06 03 55 04 08 13 07 48 61 6d 62 75 72 67 31 15 30 13 06 03 55 04 07 13 0c 53 63 68 77 61 72 7a 65 6e 62 65 6b 31 12 30 10 06 03 55 04 0a 13 09 74 69 72 69 20 47 6d 62 48 31 21 30 1f 06 09 2a Attribute 79 (EAP-Message) length=255 Value: 86 48 86 f7 0d 01 09 01 16 12 63 61 40 68 6f 74 73 70 6f 74 2e 74 69 72 69 2e 6c 69 31 10 30 0e 06 03 55 04 03 13 07 74 69 72 69 20 43 41 82 09 00 9d 28 85 27 5c ee bb c8 30 0c 06 03 55 1d 13 04 05 30 03 01 01 ff 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 55 5a ad e0 4c 2e f5 07 a9 0f 7a f3 48 30 86 a8 14 23 16 aa b2 7f 54 eb 95 df 32 eb 9e 0e e4 fd 30 c2 cf 9e 30 50 8a 85 13 1b da ca 42 cb 5c dd cd 5f f1 79 37 80 cb 71 b9 90 0b 1d e1 6b 2b 65 8d 39 33 ab 25 ae c0 85 bf ae 2c ed 2e 02 4a 3b 74 65 36 7e 09 af 5b 3f c0 32 38 53 51 71 02 74 fe 46 49 47 ab 19 78 4f ec 49 2c 62 ad a1 bf a2 b7 45 b8 cb cc 7d 58 f1 54 af 7b 39 6f 24 58 5f 80 a8 48 13 9c e3 7d 31 52 ed 3d 07 dc a6 56 fe 9f 0a cb 14 fd 43 74 e3 63 da 9d 4d a9 b4 de c4 7a f9 Attribute 79 (EAP-Message) length=14 Value: ef 98 a0 f8 74 f8 58 79 d1 44 1d b5 Attribute 80 (Message-Authenticator) length=18 Value: e7 45 fa 5e a1 d9 fc a9 4e ee 5e ad d4 4b 64 dd Attribute 24 (State) length=18 Value: 2b fd 86 79 28 f9 8b 32 b9 81 fa ab 41 70 b1 d3 STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=4 len=1024) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=4 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=1024) - Flags 0xc0 SSL: TLS Message Length: 2791 SSL: Need 763 bytes more input data SSL: Building ACK EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 04 00 06 0d 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=4 length=136 Attribute 1 (User-Name) length=11 Value: 'wlan_test' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '70-6F-6C-69-73-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 04 00 06 0d 00 Attribute 24 (State) length=18 Value: 2b fd 86 79 28 f9 8b 32 b9 81 fa ab 41 70 b1 d3 Attribute 80 (Message-Authenticator) length=18 Value: 25 11 bc dc 14 92 5a a0 90 1a 46 fd 90 e0 4e 9a Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 866 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=4 length=866 Attribute 18 (?Unknown?) length=29 Attribute 79 (EAP-Message) length=255 Value: 01 05 03 05 0d 80 00 00 0a e7 28 dd 70 b5 67 7c 5f b0 0c d4 f0 e6 00 89 c0 d7 6d ab a7 8b 91 d9 da 9a bc 6c e4 2a 5f 1d 30 91 29 1e 9f 7f 40 83 8c b4 b6 4c 0c 86 80 23 33 5b 65 64 8b d6 2f 96 ce 87 80 ad 2e 85 71 6a 7c 51 a2 b5 46 e4 ba 2a d7 dc a2 fb 81 76 78 c0 b8 8c 20 34 16 03 01 02 0c 0c 00 02 08 00 80 fe c9 bd c0 30 01 8a d3 d1 bc e0 42 0b fe c7 cf 29 62 9b 1b e5 44 a4 40 46 63 b3 1c d7 c1 75 f5 3b 80 76 78 0a 98 37 48 e7 6b 6d 7d 93 dd 22 5a c2 a4 b1 92 db d9 bc 34 f3 d4 1b 76 16 22 0c fe 01 06 0f f4 ae f7 9e 57 80 f8 f2 9e b8 2c 7f b3 31 21 b1 4a 17 8a 6b d8 70 d6 3f 84 0f fa 46 59 22 07 62 e8 9c ed a1 eb 7e 3f 2a 28 a6 31 48 75 cc a1 27 fc 95 e9 39 21 ac f7 2f 42 01 07 27 c3 00 01 02 00 7f e1 90 83 31 3a a8 7e 27 c5 f5 48 27 5e 78 79 62 95 Attribute 79 (EAP-Message) length=255 Value: 82 21 8b 67 12 39 8f 2f 36 6d 00 b5 64 56 1b 77 4e d8 db 62 97 e2 bc 67 a4 85 4c 4b 5e 5d 32 73 b9 4d 32 dd 16 98 4e e8 d0 6d 22 49 0b 42 48 ba bd 32 aa 3c 04 98 12 ad 00 42 b4 08 1e 3f 29 18 f6 b2 51 f9 de 44 56 5a ae 5f a9 0b ae f7 2b f8 4a 26 c4 2e 60 2c ce 12 b8 89 3a 6b f6 61 a5 e5 ac 9a 47 cc 1c 2a de 6c 44 84 e1 43 cb 77 01 00 b9 2c 13 29 81 8d 9a 92 a1 f5 be 9e bd 67 a9 de 7a 91 5d bf 62 5a 71 8e 1b ee 20 dd d4 99 d7 7d 50 4f 75 1f 6d fc 46 a8 98 14 51 d9 cd 7c c4 76 1f 69 08 a1 3a 70 fc f2 1f 1d 57 1c 01 24 fd 68 a4 4a 02 b0 c2 23 05 7d 8c 88 b2 4a 25 af ce 19 1a 91 f3 e0 c3 83 56 c6 27 bd c2 a3 fa 80 3d b3 b6 b6 06 cd 78 68 f1 ff 5e be db ae 55 f9 6d 42 2a 3f c2 c5 54 5e 6f da ca 81 ed 94 21 09 da 75 f1 48 ba 91 4f 03 57 71 d0 b6 3f 0f cf Attribute 79 (EAP-Message) length=255 Value: 09 31 b4 53 00 7f a5 70 e8 4d c5 da 0f 9e eb 43 5e e2 3c 47 20 b7 ad fe ca ed 75 e7 0e a6 bd 4f 44 13 18 09 07 17 2b d3 01 62 ca c3 b7 31 52 f3 ae 22 be e1 12 00 ad f5 c1 6b fb 8d 7c 26 76 77 9e bd 13 bb ee fb a8 70 39 3c d8 00 54 42 c2 c8 d7 66 bb b5 d4 79 7e 0f 62 91 71 7c db c1 9f f1 59 fa 1a 7a 0b 4e 42 39 98 af a3 85 5f 9a 8e 28 75 d3 a4 16 03 01 00 93 0d 00 00 8b 05 03 04 01 02 40 00 83 00 81 30 7f 31 0b 30 09 06 03 55 04 06 13 02 44 45 31 10 30 0e 06 03 55 04 08 13 07 48 61 6d 62 75 72 67 31 15 30 13 06 03 55 04 07 13 0c 53 63 68 77 61 72 7a 65 6e 62 65 6b 31 12 30 10 06 03 55 04 0a 13 09 74 69 72 69 20 47 6d 62 48 31 21 30 1f 06 09 2a 86 48 86 f7 0d 01 09 01 16 12 63 61 40 68 6f 74 73 70 6f 74 2e 74 69 72 69 2e 6c 69 31 10 30 0e 06 03 55 04 Attribute 79 (EAP-Message) length=16 Value: 03 13 07 74 69 72 69 20 43 41 0e 00 00 00 Attribute 80 (Message-Authenticator) length=18 Value: a8 b7 03 ec fd 3e b3 d7 8a e7 6d dd ff ce 69 77 Attribute 24 (State) length=18 Value: 2b fd 86 79 2f f8 8b 32 b9 81 fa ab 41 70 b1 d3 STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=5 len=773) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=5 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state METHOD SSL: Received packet(len=773) - Flags 0x80 SSL: TLS Message Length: 2791 SSL: (where=0x1001 ret=0x1) SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri GmbH/emailAddress=ca@hotspot.tiri.li/CN=tiri CA' SSL: (where=0x4008 ret=0x233) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm OpenSSL: pending error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error SSL: 7 bytes left to be sent out (of total 7 bytes) EAP-TLS: TLS processing failed EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=13) TX EAP -> RADIUS - hexdump(len=13): 02 05 00 0d 0d 00 15 03 01 00 02 02 33 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=5 length=143 Attribute 1 (User-Name) length=11 Value: 'wlan_test' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '70-6F-6C-69-73-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=15 Value: 02 05 00 0d 0d 00 15 03 01 00 02 02 33 Attribute 24 (State) length=18 Value: 2b fd 86 79 2f f8 8b 32 b9 81 fa ab 41 70 b1 d3 Attribute 80 (Message-Authenticator) length=18 Value: 13 6e 38 a0 3a 44 e6 de 86 bf 1e c4 59 07 00 dc Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 73 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=5 length=73 Attribute 18 (?Unknown?) length=29 Attribute 79 (EAP-Message) length=6 Value: 04 05 00 04 Attribute 80 (Message-Authenticator) length=18 Value: 29 77 d1 81 e8 60 08 eb 22 84 e3 cf bc 48 94 d7 STA 70:6f:6c:69:73:68: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE (see log09.txt) But there is still something missing. How is password for user "wlan_test" being transmitted? Best regards, Thomas.
Hi,
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: Trusted root certificate(s) loaded OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: SSL_use_certificate_file (PEM) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected EAP: EAP entering state METHOD
so client not too happy about certs... but looks like it loaded them okay still anyway (if they were DER format these error messages would probably go)
SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri GmbH/emailAddress=ca@hotspot.tiri.li/CN=tiri CA' SSL: (where=0x4008 ret=0x233) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm OpenSSL: pending error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error SSL: 7 bytes left to be sent out (of total 7 bytes)
so client didnt like what the RADIUS server sent. ensure that the client is using the correct CA details. ensure that the server is using the correct details! and ensure that the client is also sending out any intermediate certs that the client needs to built the trust chain from server cert to the root CA
But there is still something missing. How is password for user "wlan_test" being transmitted?
the missing thing is just your knowledge about EAP-TLS protocol. there is no password - the client is authenicated based on mutual trust of the certificate that it is using...and the clients certificzte is protected by the private-key component of the certificate that only the authorised client/user would know to allow that certificate to be loaded/read for use with EAP-TLS EAP-TLS works very much like you showing a passport at the security section of airport. the security guard will recognise the document...and know that they have an agreement with your country...they will check the contents of your passport...ensure its all present and correct and hasnt expired. alan
Hi Alan, thanks for clarification. Now I will get further. Best regards, Thomas 2015-07-27 10:05 GMT+02:00 <A.L.M.Buxey@lboro.ac.uk>:
Hi,
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: Trusted root certificate(s) loaded OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib OpenSSL: SSL_use_certificate_file (PEM) --> OK OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK SSL: Private key loaded successfully CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected EAP: EAP entering state METHOD
so client not too happy about certs... but looks like it loaded them okay still anyway (if they were DER format these error messages would probably go)
SSL: SSL_connect:SSLv3 read server hello A TLS: Certificate verification failed, error 7 (certificate signature failure) depth 1 for '/C=DE/ST=Hamburg/L=Schwarzenbek/O=tiri GmbH/emailAddress=ca@hotspot.tiri.li/CN=tiri CA' SSL: (where=0x4008 ret=0x233) SSL: SSL3 alert: write (local SSL3 detected an error):fatal:decrypt error SSL: (where=0x1002 ret=0xffffffff) SSL: SSL_connect:error in SSLv3 read server certificate B OpenSSL: tls_connection_handshake - SSL_connect error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm OpenSSL: pending error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed SSL: 7 bytes pending from ssl_out SSL: Failed - tls_out available to report error SSL: 7 bytes left to be sent out (of total 7 bytes)
so client didnt like what the RADIUS server sent.
ensure that the client is using the correct CA details. ensure that the server is using the correct details! and ensure that the client is also sending out any intermediate certs that the client needs to built the trust chain from server cert to the root CA
But there is still something missing. How is password for user "wlan_test" being transmitted?
the missing thing is just your knowledge about EAP-TLS protocol. there is no password - the client is authenicated based on mutual trust of the certificate that it is using...and the clients certificzte is protected by the private-key component of the certificate that only the authorised client/user would know to allow that certificate to be loaded/read for use with EAP-TLS
EAP-TLS works very much like you showing a passport at the security section of airport. the security guard will recognise the document...and know that they have an agreement with your country...they will check the contents of your passport...ensure its all present and correct and hasnt expired.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
freerad -
Matthew Newton