eap-tls not authenticating
Whats happening here? It's like the radius tries to send a request back to the supplicant, but gives up... The supplicant is NAT'ed behind 192.168.0.1 could that be causing a issue? I have tried DMZ'ing the supplicant still with no success... Any ideas? Thanks for the help rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=4, length=293 User-Name = "user@example.com" NAS-IP-Address = 10.1.10.125 Framed-MTU = 1488 Service-Type = Framed-User NAS-Port = 101 Called-Station-Id = "00:0d:67:0c:e4:b8:ssidradius" Calling-Station-Id = "00:1f:41:00:4c:f0" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "belair" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x6b173f2c6b153285c2b292790cdb3215 EAP-Message = 0x0202006a0d00160301005f0100005b030148ab6bfe07adac217c9be3adfa4c0d81f59f6fc9c85de2f84ff594d9ef567d9b00003400390038003500160013000a00330032002f006600050004006300620061001500120009006500640060001400110008000600030100 Message-Authenticator = 0xbdf917161b202095f4a13c0d9b4419ae +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 2 length 106 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 005f], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 68.62.165.40 port 50334 EAP-Message = 0x010304000dc000000b51160301002a02000026030149a307eb390fe67471d54aaf899661654f00b98af8efed3bd1f7032485d4349600003900160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039303132373138333335395a170d3130303132373138333335395a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009f6535858b4f16fedb618bbd7afe5e46061ae229a67e5b21b5ef37ec36c06ffa8c9644be595648239589bcd2bbf7e20af425789e9ee4f5ee046b7e98df53 EAP-Message = 0x717e573476a7206cd7bba64403d9b5538f63dcefb634613f8d79b774fa1a249035a94eb5639c26e48424bb3c304985c6b4e1508b01a8077c9e531a6d29d2c80ab96b56b7e709659d620e0f5328d8c5cb4a4b38b3f84ee8f61c0b03411b21a771aa662a40e53e64dcad6e1bb999f5bd6d229d5331e36bad1160ef09be09e28aa134670362e4d1507d9a97ce3d4a04b710e553ffaeec08bb3fff8bfb76e7aa0fb9322ff5cbf08541e61dc38245a3e66a3cfd393d5b49b0eec19086a1305fde730903f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100a7dd61c264ef875880 EAP-Message = 0xc065747a3cad29b4c31f0c82e78fc9318213601743e6bf1e347335756733b08ecb6759a9d318c35c60a99e8b7b6d2065b31fe8bbe9d1dfbaaa5ebcba7297ef10eb3974f131abd9c05ea0860152e8c9dd748e95a565fe006beff2790e67d74960468e1b4c6a37a31cf3da2173678d68ec154c45e813406a75996d0fc769d98a4108844288b777dc25d7fb41f45917d39f99feddd6dfcb7bd6c85e5e40764d8d1525148e7285ff5ae66f60074c29c15f6237a51285a1841dcd11c67e5a3b9cff2f2ac540b0831a1f4bdc5f66fe5d62d8d26f7648ab29ec2d5640e5c9cec245a8b441ad9dd9bc739fb3bd29384841c769506f09b69b2f2f8d0004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b173f2c6a143285c2b292790cdb3215 Finished request 5. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=6, length=193 User-Name = "user@example.com" NAS-IP-Address = 10.1.10.125 Framed-MTU = 1488 Service-Type = Framed-User NAS-Port = 101 Called-Station-Id = "00:0d:67:0c:e4:b8:ssidradius" Calling-Station-Id = "00:1f:41:00:4c:f0" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "belair" Connect-Info = "CONNECT 11Mbps 802.11b" State = 0x6b173f2c6a143285c2b292790cdb3215 EAP-Message = 0x020300060d00 Message-Authenticator = 0x07990d4d71ee1cadfeac32aa7d03bb45 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "example.com" for User-Name = "user@example.com" [suffix] No such realm "example.com" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 68.62.165.40 port 50334 EAP-Message = 0x010404000dc000000b5100ada7ac7e0e9301c3300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303132373138333335395a170d3130303132373138333335395a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ad66c2397c4238343139ec2c745e348cd5c7f31afd47be3c68b0af9249674664887cbd0b8ebebc22725058376cf2ebb03149396ac087662d4350d2ebac732fdf38f87b4b495f904c8d9a932fe88c4072e2351d98ab2de5a65ffe9595fc32ed70ff664a105ac7da3f7aa4f6 EAP-Message = 0x788b1489ee210a8c43a28f77e08cc68a2102cde410ffc18db0c4d6769b4bb2fb8fa45845af9e54034b798b7b2143d9505633fd6cdbaf0914c18c091b46f1506d3b18d6e2ee620250c8c55088eedd784d10a265433fa692a01790db5e8179433a9cf15bbcc3c4353d19cac05b1a7b025e3b7335e710f5f5a6d1303ea5e53d690d4a37b130e4e115b2ebaf71ab407e81ca4c7ec249730203010001a381fb3081f8301d0603551d0e04160414cfe665e5d5a6d5e46b855f1c8b5ec620e4bcfc673081c80603551d230481c03081bd8014cfe665e5d5a6d5e46b855f1c8b5ec620e4bcfc67a18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ada7ac7e0e9301c3300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100426d2903e5a8c4cb064f6e9b1219fcfdf018f0cd8a4ad41503273d26a183958043479fc96efd426562129cfd223697c026b0774fdcc8a8e27c383fac168a0cf97875de746a68e3656ea1d4bab035 EAP-Message = 0x200b05347340d93ae132357c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6b173f2c69133285c2b292790cdb3215 Finished request 6. Going to the next request
Sandra H. wrote:
Whats happening here? It's like the radius tries to send a request back to the supplicant, but gives up... The supplicant is NAT'ed behind 192.168.0.1 could that be causing a issue? I have tried DMZ'ing the supplicant still with no success...
Any ideas? Thanks for the help
This is in the FAQ, and in the comments in eap.conf. Please read the existing documentation. Alan DeKok.
participants (3)
-
Alan DeKok -
Sandra H. -
tnt@kalik.net