Problems with Authenticating Client!!
Hi everybody, I'm using RedHat 9.0 kernel 2.4.20, openssl 0.9.8a, hostapd 0.4.7, freeradius 1.0.2. I want to use eap-tls in my wlan and over my own ap over linux. Now I have my certificates and programs running but when try to connect a windows client it always stops in this state:"Trying to authenticate", and any more happen. I generated certificates using winxp extensions. Here is my hostap.conf interface=wlan0logger_syslog=-1 logger_syslog_level=2 logger_stdout=-1 logger_stdout_level=2 debug=4 dump_file=/tmp/hostapd.dump ctrl_interface=/var/run/hostapd ctrl_interface_group=0 ssid=hostap macaddr_acl=0 auth_algs=1 ieee8021x=1 eap_message=Welcome to essi hostapd! eapol_key_index_workaround=0 eap_server=0 own_ip_addr=172.25.3.55 auth_server_addr=127.0.0.1 auth_server_port=1812 auth_server_shared_secret=yyh acct_server_addr=127.0.0.1 acct_server_port=1813 acct_server_shared_secret=yyh Here is my radiusd.conf bind_address = * hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = yes log_auth_badpass = yes log_auth_goodpass = yes lower_user = no lower_pass = no nospace_user = no nospace_pass = no proxy_requests = yes proxy_requests = yes modules { chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = ${logdir}/radwtmp } realm IPASS { format = prefix delimiter = "/" ignore_default = no ignore_null = no } realm suffix { format = suffix delimiter = "@" ignore_default = no ignore_null = no } realm realmpercent { format = suffix delimiter = "%" ignore_default = no ignore_null = no } realm ntdomain { format = prefix delimiter = "\\" ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string } preprocess { huntgroups = ${confdir}/huntgroups hints = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d detailperm = 0600 } detail auth_log { detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d detailperm = 0600 } detail reply_log { detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d detailperm = 0600 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP- Address, NAS-Port" } attr_filter { attrsfile = ${confdir}/attrs } counter daily { ilename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } } preacct { preprocess suffix file } accounting { detail radutmp } session { radutmp } post-proxy { eap } Here is my information about authentication on Radius Server: rad_recv: Access-Request packet from host 127.0.0.1:32772, id=98, length=239 User-Name = "yhyang" NAS-IP-Address = 172.25.3.55 NAS-Port = 1 Called-Station-Id = "00-40-05-AE-B7-7C:hostap" Calling-Station-Id = "00-0C-F1-55-93-A5" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02b300500d800000004616030100410100003d03014405bebdec65e585e2ff0780daabdb78f9fe367ae597a234fa5667ad836c6c7900001600040005000a000900640062000300060013001200630100 State = 0xd9cc14e85ea695ff35e607011110f98b Message-Authenticator = 0x088d698d7be13be4328f9d8fad346047 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 866 modcall[authorize]: module "preprocess" returns ok for request 866 modcall[authorize]: module "chap" returns noop for request 866 rlm_eap: EAP packet type response id 179 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 866 users: Matched entry DEFAULT at line 152 users: Matched entry yhyang at line 215 modcall[authorize]: module "files" returns ok for request 866 modcall: group authorize returns updated for request 866 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 866 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c8], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00af], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 866 modcall: group authenticate returns handled for request 866 Sending Access-Challenge of id 98 to 127.0.0.1:32772 Service-Type = Login-User EAP-Message = 0x01b4040a0dc0000007d0160301004a0200004603014405c0388847c271909eca9a0f9104e1bbcada4432e72048aa72e86fa12bb74f2013834d041d4660c52b10e8ebb8be0c7cf622442730e40cc3164a2ec1e157ffd600040016030106c80b0006c40006c10002da308202d63082023fa003020102020101300d06092a864886f70d010104050030819d310b300906035504061302434e3110300e060355040813074265696a696e6731293027060355040a13204265696a696e6720556e6976657273697479206f6620546563686e6f6c6f6779310d300b060355040b130445535349311430120603550403130b626a75742e6564752e636e312c302a EAP-Message = 0x06092a864886f70d010901161d68656c656e797968323340656d61696c732e626a75742e6564752e636e301e170d3036303232383036323933345a170d3136303232363036323933345a3081aa310b300906035504061302434e3110300e060355040813074265696a696e673110300e060355040713074265696a696e6731293027060355040a13204265696a696e6720556e6976657273697479206f6620546563686e6f6c6f6779310d300b060355040b130445535349310f300d06035504031306726164697573312c302a06092a864886f70d010901161d68656c656e797968323340656d61696c732e626a75742e6564752e636e30819f300d06 EAP-Message = 0x092a864886f70d010101050003818d0030818902818100d04a53db2b75e9c7aeb78bb81cfa679c7517a7a1660b275282b429015cc962f5eebd8135a3039e47624a4342ca7d7feacb6b75c6f0dd76a162fb8269ffbb08086a4ec630d3c7ee86065bed8b14a93dfaebee9e2d30c511cd8473e5e0c311047f0fe51a818a598c0e724de9175841269329eed84282492bf0f057063145e8d1130203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181005807ef0e556901e1767f4c694f195139ac009562292b7201c55ef8d61cfd86593ff770b19b801c1ea9853378e9676ba23cd43f5767 EAP-Message = 0x7c113234a38685bb4b8c1dd30aaf3d3e1f16b781851eaffb743083c337b455ddaae53a9f996a51468c8c7f5e7c93960b9acb442fde05405a1c26a5ae0df5c7b9e70758ea90055b8524f3c90003e1308203dd30820346a003020102020100300d06092a864886f70d010104050030819d310b300906035504061302434e3110300e060355040813074265696a696e6731293027060355040a13204265696a696e6720556e6976657273697479206f6620546563686e6f6c6f6779310d300b060355040b130445535349311430120603550403130b626a75742e6564752e636e312c302a06092a864886f70d010901161d68656c656e797968323340656d EAP-Message = 0x61696c732e626a75742e6564752e636e301e170d3036 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca11386375f850d8beb767ab5e87ed9d Finished request 866 And the Hostapd: wlan0: STA 00:40:05:23:3b:f6 IEEE 802.1X: EAP timeout IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state TIMEOUT IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state ABORTING IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state INITIALIZE wlan0: STA 00:40:05:23:3b:f6 IEEE 802.1X: aborting authentication IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state RESTART IEEE 802.1X: station 00:40:05:23:3b:f6 - new auth session, clearing State IEEE 802.1X: Generated EAP Request-Identity for 00:40:05:23:3b:f6 (identifier 28, timeout 30) IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state IDLE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state CONNECTING IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state AUTHENTICATING IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state REQUEST IEEE 802.1X: Sending EAP Packet to 00:40:05:23:3b:f6 (identifier 28) IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE Received 65 bytes management frame RX frame - hexdump(len=65): 0a 0a 02 01 00 40 05 23 3b f6 00 40 05 ae b7 7c 00 40 05 ae b7 7c f0 a7 aa aa 03 00 00 00 88 8e 02 00 00 1d 01 1c 00 1d 01 57 65 6c 63 6f 6d 65 20 74 6f 20 65 73 73 69 20 68 6f 73 74 61 70 64 21 DATA (TX callback) ACK IEEE 802.1X: 00:40:05:23:3b:f6 TX status - version=2 type=0 length=29 - ack=1 IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE Checking STA 00:40:05:23:3b:f6 inactivity: Station has been active IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE So, my questions are: 1.Is there anything wrong in hostapd.conf and radiusd.conf?(I made hostap and Freeradius on the same machine) 2.Why there appears error "TLS_accept:error in SSLv3 read client certificate A"? What does this mean? Anyone could help me? Thanks a lot! Helen --------------------------------- 雅虎1G免费邮箱百分百防垃圾信 雅虎助手-搜索、杀毒、防骚扰
participants (1)
-
艳华 杨