EAP/TTLS problem with Win XP and Linux
hello, i'am trying to use radius authenticate and authorise users by EAP/TTLS from XP and Linux ( Debian), i'am using only a « users » like database. i'am reading the documentation : http://wiki.freeradius.org i've imported root.pem both Windows XP and Linux this log to Linux: rad_recv: Access-Request packet from host 145.238.3.182:1026, id=191, length=208 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" EAP-Message = 0x0201000a017261636861 Message-Authenticator = 0xfae743fe55bca3b8b83a48a3f10ed3bc Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 191 to 145.238.3.182:1026 EAP-Message = 0x0102001f1a0102001a105f4f4c366e47d80b1c27e30d08b4b0367261636861 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbee0cbaf20c360d6491c2b0b512304d Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=192, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xfbee0cbaf20c360d6491c2b0b512304d EAP-Message = 0x020200060315 Message-Authenticator = 0xd72410f740ae385523110d6defecb5f0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 192 to 145.238.3.182:1026 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429c3c29e255f725c510981e01307d3e Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=193, length=313 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0x429c3c29e255f725c510981e01307d3e EAP-Message = 0x0203006115800000005716030100520100004e0301470497b869826a1a156494e801e8ab8ebc88e444edbab8d5e7b9c890b9ce7d5c00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 Message-Authenticator = 0x69a1421041ecda03d67273a14054310d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 97 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0627], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 193 to 145.238.3.182:1026 EAP-Message = 0x0104040a15c000000684160301004a02000046030147049795ea5f54b60ec1a963a6050cf321b373a5129b55236ceb8814646c656e2021397a7083f4b0e4ef289bb347da88c32d2538e9c0c5796afd72671ff95b43a800350116030106270b0006230006200002ad308202a930820212a00302010202090097d09903d21d9c53300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d0109 EAP-Message = 0x0116127261636861383140686f746d61696c2e6672301e170d3037303932353131313234395a170d3038303932343131313234395a308192310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3110300e06035504031307736572766575723121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100bfb94bae23d4d4501336fc7fdb003812ab5c91411eed EAP-Message = 0xb9725040db64c2a0e82e184b66da29d00c42a99b5c588f7de357d074b21a4ce8ed578bffb5f2b962dd2bfd8c6a60a3dc064acc9fedb3fad12fb92de22b0634430dc06a630879e4ea0448079ced1bc11c003ef63cc063bcb5a511c6f6fd2b5d8b0bae89d1b04c0985a1f70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181009bb60795878ef9fd824caf95eda533eab41d75312f8af7420ca9045a4fed5c4999bb03caacd5f1074ba66ec9c401629f93b57709be7ab76188983f3f87b120536fdc626dbb5aed1b80e1473745421b7a867877073afc4394bae8579886ade7082f38 EAP-Message = 0x5284ead1564c79f6c83c07344ad50707bc67777485939021fd5c4fde550500036d30820369308202d2a00302010202090097d09903d21d9c52300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e6672301e170d3037303932353131313130375a170d3037313032353131313130375a308180310b30090603550406130246523113 EAP-Message = 0x30110603550408130a536f6d652d5374617465310f30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdb56b546410d47e8ad2dc8aa7e606f8 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=194, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xcdb56b546410d47e8ad2dc8aa7e606f8 EAP-Message = 0x020400061500 Message-Authenticator = 0x78acfb7b5c5d9ba93dbf5fb16b853196 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 194 to 145.238.3.182:1026 EAP-Message = 0x0105028e1580000006840d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100f2ce03feb0bbacd0c1b89ecea0621fa70d0c0dfd777f82b7da4b0c67908bdc72af35b501036b39c796fab274fe7c7098395139cd80c3def0e8ca65c3f1291a84a1f38342474758c9fa9aac36818b6626839b7f9a6673393d44940ebaea14cd662a0f5bd0487e27a29842095e7bd5309d75649205a5fad97bc41d75 EAP-Message = 0xec80d2fbab0203010001a381e83081e5301d0603551d0e04160414d8ca68899a3cf0402e89e9889f4f598ba2bec2513081b50603551d230481ad3081aa8014d8ca68899a3cf0402e89e9889f4f598ba2bec251a18186a48183308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667282090097d09903d21d9c52300c0603551d13040530030101ff300d06092a864886 EAP-Message = 0xf70d01010405000381810055e9fecdcd89146c84f21a7b232da59b1eee35c889d5eb07950d116f3baf9123308ea514daa6f7515e33994652f76748b981e7c5e5a00e6c5c4c03299318e812e100549970034482fef14fcaa937d71d79a6bfb4f0ce39b2bbe0f4028e1f90a2c7d1e1f6ded3df9e11af13c85fa10eaec4f6979f3010b4b5521d07e05e4a6ec916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe701c94007f01d9882634f0432a6d114 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=195, length=424 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xe701c94007f01d9882634f0432a6d114 EAP-Message = 0x020500d01580000000c61603010086100000820080507e96001f817c7dfce96e989e771b2f38902a81f66519d75d522508d6b663508f50ef374da3dfc95996083930080e5edc58248184dd494816913f65d647fde08f8b2db8a1e37422e4d9ff6dd65cbd60a5c21b5d7e66d015b9cc61e2ac46dc25de7c9f6e01be17dbbb0599d795f3aa77467f4354579881ff6240969e5e9f5a1414030100010116030100305b0059cfbe818835fc45399fb05c6c72596ce0ec8a4a0befa17575c6a10931c46c05cc777adf688c60a888f381a2e561 Message-Authenticator = 0xa55246d48162d9bc3e2842114589d25b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 195 to 145.238.3.182:1026 EAP-Message = 0x0106004515800000003b140301000101160301003058729f21c600df1c67c00c784ba7ecf50581a5b3657f8a24ebd96af0977e332430409dee3dfec98cb5786579ba3c9189 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34c8b26e1d7071a34ec8210c3710baaa Finished request 4 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 191 with timestamp 47049795 Cleaning up request 1 ID 192 with timestamp 47049795 Cleaning up request 2 ID 193 with timestamp 47049795 Cleaning up request 3 ID 194 with timestamp 47049795 Cleaning up request 4 ID 195 with timestamp 47049795 Nothing to do. Sleeping until we see a request. the server no sends response, why?? and this log by Windows XP rad_recv: Access-Request packet from host 145.238.3.182:1026, id=196, length=208 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" EAP-Message = 0x021b000a017261636861 Message-Authenticator = 0x54bacc36ad1175e684554c5f76c58832 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_eap: EAP packet type response id 27 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 196 to 145.238.3.182:1026 EAP-Message = 0x011c001f1a011c001a105f4f4c366e47d80b1c27e30d08b4b0367261636861 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbee0cbaf20c360de5cb21cf55607e20 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=197, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xfbee0cbaf20c360de5cb21cf55607e20 EAP-Message = 0x021c00060315 Message-Authenticator = 0xb00f0ec480c5c36eb8a7110e87bde3b3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_eap: EAP packet type response id 28 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 197 to 145.238.3.182:1026 EAP-Message = 0x011d00061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429c3c29e255f725e935b0e1db7a8a39 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=198, length=276 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0x429c3c29e255f725e935b0e1db7a8a39 EAP-Message = 0x021d003c158000000032160301002d010000290301e0dd816d595bd3edf0729c53c2953ffb3711cca4eb039cd0b2ac413175dfd9cd000002000a0100 Message-Authenticator = 0x842f4348b12e8e2bf0ce66965c711fc9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_eap: EAP packet type response id 29 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0627], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 198 to 145.238.3.182:1026 EAP-Message = 0x011e040a15c000000684160301004a02000046030147049daa9066df5b206f509c2daf785a039b3f290d1da1972b195d73c56b3fee20d5f2327a11b59ff3ae5d4e9d5faaa5a1e5941852291e3c28f8403f5658ff3bd0000a0016030106270b0006230006200002ad308202a930820212a00302010202090097d09903d21d9c53300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d0109 EAP-Message = 0x0116127261636861383140686f746d61696c2e6672301e170d3037303932353131313234395a170d3038303932343131313234395a308192310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3110300e06035504031307736572766575723121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100bfb94bae23d4d4501336fc7fdb003812ab5c91411eed EAP-Message = 0xb9725040db64c2a0e82e184b66da29d00c42a99b5c588f7de357d074b21a4ce8ed578bffb5f2b962dd2bfd8c6a60a3dc064acc9fedb3fad12fb92de22b0634430dc06a630879e4ea0448079ced1bc11c003ef63cc063bcb5a511c6f6fd2b5d8b0bae89d1b04c0985a1f70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181009bb60795878ef9fd824caf95eda533eab41d75312f8af7420ca9045a4fed5c4999bb03caacd5f1074ba66ec9c401629f93b57709be7ab76188983f3f87b120536fdc626dbb5aed1b80e1473745421b7a867877073afc4394bae8579886ade7082f38 EAP-Message = 0x5284ead1564c79f6c83c07344ad50707bc67777485939021fd5c4fde550500036d30820369308202d2a00302010202090097d09903d21d9c52300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e6672301e170d3037303932353131313130375a170d3037313032353131313130375a308180310b30090603550406130246523113 EAP-Message = 0x30110603550408130a536f6d652d5374617465310f30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdb56b546410d47ec20726810835dc55 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=199, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xcdb56b546410d47ec20726810835dc55 EAP-Message = 0x021e00061500 Message-Authenticator = 0xabeaab3cbe7e553ebd43785cd5c25f86 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 rlm_eap: EAP packet type response id 30 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 199 to 145.238.3.182:1026 EAP-Message = 0x011f028e1580000006840d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100f2ce03feb0bbacd0c1b89ecea0621fa70d0c0dfd777f82b7da4b0c67908bdc72af35b501036b39c796fab274fe7c7098395139cd80c3def0e8ca65c3f1291a84a1f38342474758c9fa9aac36818b6626839b7f9a6673393d44940ebaea14cd662a0f5bd0487e27a29842095e7bd5309d75649205a5fad97bc41d75 EAP-Message = 0xec80d2fbab0203010001a381e83081e5301d0603551d0e04160414d8ca68899a3cf0402e89e9889f4f598ba2bec2513081b50603551d230481ad3081aa8014d8ca68899a3cf0402e89e9889f4f598ba2bec251a18186a48183308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667282090097d09903d21d9c52300c0603551d13040530030101ff300d06092a864886 EAP-Message = 0xf70d01010405000381810055e9fecdcd89146c84f21a7b232da59b1eee35c889d5eb07950d116f3baf9123308ea514daa6f7515e33994652f76748b981e7c5e5a00e6c5c4c03299318e812e100549970034482fef14fcaa937d71d79a6bfb4f0ce39b2bbe0f4028e1f90a2c7d1e1f6ded3df9e11af13c85fa10eaec4f6979f3010b4b5521d07e05e4a6ec916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe701c94007f01d98e348e2739e552ea6 Finished request 3 Going to the next request Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 196 with timestamp 47049da8 Cleaning up request 1 ID 197 with timestamp 47049da8 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 198 with timestamp 47049daa Cleaning up request 3 ID 199 with timestamp 47049daa Nothing to do. Sleeping until we see a request. what's a problem? Please could you help me? thanks _________________________________________________________________ Gagnez des écrans plats avec Live.com http://www.image-addict.fr/
Read the explanation in eap.conf, FAQ, this list hundreds of times ... Ivan Kalik Kalik Informatika ISP Dana 4/10/2007, "elhammoud rachida" <racha81@hotmail.fr> piše:
hello, i'am trying to use radius authenticate and authorise users by EAP/TTLS from XP and Linux ( Debian), i'am using only a Ť users ť like database. i'am reading the documentation : http://wiki.freeradius.org i've imported root.pem both Windows XP and Linux
this log to Linux:
rad_recv: Access-Request packet from host 145.238.3.182:1026, id=191, length=208 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" EAP-Message = 0x0201000a017261636861 Message-Authenticator = 0xfae743fe55bca3b8b83a48a3f10ed3bc Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_eap: EAP packet type response id 1 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 191 to 145.238.3.182:1026 EAP-Message = 0x0102001f1a0102001a105f4f4c366e47d80b1c27e30d08b4b0367261636861 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbee0cbaf20c360d6491c2b0b512304d Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=192, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xfbee0cbaf20c360d6491c2b0b512304d EAP-Message = 0x020200060315 Message-Authenticator = 0xd72410f740ae385523110d6defecb5f0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 192 to 145.238.3.182:1026 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429c3c29e255f725c510981e01307d3e Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=193, length=313 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0x429c3c29e255f725c510981e01307d3e EAP-Message = 0x0203006115800000005716030100520100004e0301470497b869826a1a156494e801e8ab8ebc88e444edbab8d5e7b9c890b9ce7d5c00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100 Message-Authenticator = 0x69a1421041ecda03d67273a14054310d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_eap: EAP packet type response id 3 length 97 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0052], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0627], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 193 to 145.238.3.182:1026 EAP-Message = 0x0104040a15c000000684160301004a02000046030147049795ea5f54b60ec1a963a6050cf321b373a5129b55236ceb8814646c656e2021397a7083f4b0e4ef289bb347da88c32d2538e9c0c5796afd72671ff95b43a800350116030106270b0006230006200002ad308202a930820212a00302010202090097d09903d21d9c53300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d0109 EAP-Message = 0x0116127261636861383140686f746d61696c2e6672301e170d3037303932353131313234395a170d3038303932343131313234395a308192310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3110300e06035504031307736572766575723121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100bfb94bae23d4d4501336fc7fdb003812ab5c91411eed EAP-Message = 0xb9725040db64c2a0e82e184b66da29d00c42a99b5c588f7de357d074b21a4ce8ed578bffb5f2b962dd2bfd8c6a60a3dc064acc9fedb3fad12fb92de22b0634430dc06a630879e4ea0448079ced1bc11c003ef63cc063bcb5a511c6f6fd2b5d8b0bae89d1b04c0985a1f70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181009bb60795878ef9fd824caf95eda533eab41d75312f8af7420ca9045a4fed5c4999bb03caacd5f1074ba66ec9c401629f93b57709be7ab76188983f3f87b120536fdc626dbb5aed1b80e1473745421b7a867877073afc4394bae8579886ade7082f38 EAP-Message = 0x5284ead1564c79f6c83c07344ad50707bc67777485939021fd5c4fde550500036d30820369308202d2a00302010202090097d09903d21d9c52300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e6672301e170d3037303932353131313130375a170d3037313032353131313130375a308180310b30090603550406130246523113 EAP-Message = 0x30110603550408130a536f6d652d5374617465310f30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdb56b546410d47e8ad2dc8aa7e606f8 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=194, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xcdb56b546410d47e8ad2dc8aa7e606f8 EAP-Message = 0x020400061500 Message-Authenticator = 0x78acfb7b5c5d9ba93dbf5fb16b853196 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 194 to 145.238.3.182:1026 EAP-Message = 0x0105028e1580000006840d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100f2ce03feb0bbacd0c1b89ecea0621fa70d0c0dfd777f82b7da4b0c67908bdc72af35b501036b39c796fab274fe7c7098395139cd80c3def0e8ca65c3f1291a84a1f38342474758c9fa9aac36818b6626839b7f9a6673393d44940ebaea14cd662a0f5bd0487e27a29842095e7bd5309d75649205a5fad97bc41d75 EAP-Message = 0xec80d2fbab0203010001a381e83081e5301d0603551d0e04160414d8ca68899a3cf0402e89e9889f4f598ba2bec2513081b50603551d230481ad3081aa8014d8ca68899a3cf0402e89e9889f4f598ba2bec251a18186a48183308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667282090097d09903d21d9c52300c0603551d13040530030101ff300d06092a864886 EAP-Message = 0xf70d01010405000381810055e9fecdcd89146c84f21a7b232da59b1eee35c889d5eb07950d116f3baf9123308ea514daa6f7515e33994652f76748b981e7c5e5a00e6c5c4c03299318e812e100549970034482fef14fcaa937d71d79a6bfb4f0ce39b2bbe0f4028e1f90a2c7d1e1f6ded3df9e11af13c85fa10eaec4f6979f3010b4b5521d07e05e4a6ec916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe701c94007f01d9882634f0432a6d114 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=195, length=424 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xe701c94007f01d9882634f0432a6d114 EAP-Message = 0x020500d01580000000c61603010086100000820080507e96001f817c7dfce96e989e771b2f38902a81f66519d75d522508d6b663508f50ef374da3dfc95996083930080e5edc58248184dd494816913f65d647fde08f8b2db8a1e37422e4d9ff6dd65cbd60a5c21b5d7e66d015b9cc61e2ac46dc25de7c9f6e01be17dbbb0599d795f3aa77467f4354579881ff6240969e5e9f5a1414030100010116030100305b0059cfbe818835fc45399fb05c6c72596ce0ec8a4a0befa17575c6a10931c46c05cc777adf688c60a888f381a2e561 Message-Authenticator = 0xa55246d48162d9bc3e2842114589d25b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_eap: EAP packet type response id 5 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: group authenticate returns handled for request 4 Sending Access-Challenge of id 195 to 145.238.3.182:1026 EAP-Message = 0x0106004515800000003b140301000101160301003058729f21c600df1c67c00c784ba7ecf50581a5b3657f8a24ebd96af0977e332430409dee3dfec98cb5786579ba3c9189 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x34c8b26e1d7071a34ec8210c3710baaa Finished request 4 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 191 with timestamp 47049795 Cleaning up request 1 ID 192 with timestamp 47049795 Cleaning up request 2 ID 193 with timestamp 47049795 Cleaning up request 3 ID 194 with timestamp 47049795 Cleaning up request 4 ID 195 with timestamp 47049795 Nothing to do. Sleeping until we see a request.
the server no sends response, why??
and this log by Windows XP
rad_recv: Access-Request packet from host 145.238.3.182:1026, id=196, length=208 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" EAP-Message = 0x021b000a017261636861 Message-Authenticator = 0x54bacc36ad1175e684554c5f76c58832 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 rlm_eap: EAP packet type response id 27 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 196 to 145.238.3.182:1026 EAP-Message = 0x011c001f1a011c001a105f4f4c366e47d80b1c27e30d08b4b0367261636861 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfbee0cbaf20c360de5cb21cf55607e20 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=197, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xfbee0cbaf20c360de5cb21cf55607e20 EAP-Message = 0x021c00060315 Message-Authenticator = 0xb00f0ec480c5c36eb8a7110e87bde3b3 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 rlm_eap: EAP packet type response id 28 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 197 to 145.238.3.182:1026 EAP-Message = 0x011d00061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x429c3c29e255f725e935b0e1db7a8a39 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=198, length=276 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0x429c3c29e255f725e935b0e1db7a8a39 EAP-Message = 0x021d003c158000000032160301002d010000290301e0dd816d595bd3edf0729c53c2953ffb3711cca4eb039cd0b2ac413175dfd9cd000002000a0100 Message-Authenticator = 0x842f4348b12e8e2bf0ce66965c711fc9 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 rlm_eap: EAP packet type response id 29 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0627], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 198 to 145.238.3.182:1026 EAP-Message = 0x011e040a15c000000684160301004a02000046030147049daa9066df5b206f509c2daf785a039b3f290d1da1972b195d73c56b3fee20d5f2327a11b59ff3ae5d4e9d5faaa5a1e5941852291e3c28f8403f5658ff3bd0000a0016030106270b0006230006200002ad308202a930820212a00302010202090097d09903d21d9c53300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d0109 EAP-Message = 0x0116127261636861383140686f746d61696c2e6672301e170d3037303932353131313234395a170d3038303932343131313234395a308192310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3110300e06035504031307736572766575723121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100bfb94bae23d4d4501336fc7fdb003812ab5c91411eed EAP-Message = 0xb9725040db64c2a0e82e184b66da29d00c42a99b5c588f7de357d074b21a4ce8ed578bffb5f2b962dd2bfd8c6a60a3dc064acc9fedb3fad12fb92de22b0634430dc06a630879e4ea0448079ced1bc11c003ef63cc063bcb5a511c6f6fd2b5d8b0bae89d1b04c0985a1f70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181009bb60795878ef9fd824caf95eda533eab41d75312f8af7420ca9045a4fed5c4999bb03caacd5f1074ba66ec9c401629f93b57709be7ab76188983f3f87b120536fdc626dbb5aed1b80e1473745421b7a867877073afc4394bae8579886ade7082f38 EAP-Message = 0x5284ead1564c79f6c83c07344ad50707bc67777485939021fd5c4fde550500036d30820369308202d2a00302010202090097d09903d21d9c52300d06092a864886f70d0101040500308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e6672301e170d3037303932353131313130375a170d3037313032353131313130375a308180310b30090603550406130246523113 EAP-Message = 0x30110603550408130a536f6d652d5374617465310f30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcdb56b546410d47ec20726810835dc55 Finished request 2 Going to the next request --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Request packet from host 145.238.3.182:1026, id=199, length=222 Framed-MTU = 1480 NAS-IP-Address = 145.238.3.182 NAS-Identifier = "sw-test-radius-1" User-Name = "racha" Service-Type = Framed-User Framed-Protocol = PPP NAS-Port = 17 NAS-Port-Type = Ethernet NAS-Port-Id = "17" Called-Station-Id = "00-14-38-fe-12-00" Calling-Station-Id = "00-12-3f-0e-99-6f" Connect-Info = "CONNECT Ethernet 100Mbps Full duplex" Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "301" State = 0xcdb56b546410d47ec20726810835dc55 EAP-Message = 0x021e00061500 Message-Authenticator = 0xabeaab3cbe7e553ebd43785cd5c25f86 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 rlm_eap: EAP packet type response id 30 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry racha at line 86 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 199 to 145.238.3.182:1026 EAP-Message = 0x011f028e1580000006840d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667230819f300d06092a864886f70d010101050003818d0030818902818100f2ce03feb0bbacd0c1b89ecea0621fa70d0c0dfd777f82b7da4b0c67908bdc72af35b501036b39c796fab274fe7c7098395139cd80c3def0e8ca65c3f1291a84a1f38342474758c9fa9aac36818b6626839b7f9a6673393d44940ebaea14cd662a0f5bd0487e27a29842095e7bd5309d75649205a5fad97bc41d75 EAP-Message = 0xec80d2fbab0203010001a381e83081e5301d0603551d0e04160414d8ca68899a3cf0402e89e9889f4f598ba2bec2513081b50603551d230481ad3081aa8014d8ca68899a3cf0402e89e9889f4f598ba2bec251a18186a48183308180310b3009060355040613024652311330110603550408130a536f6d652d5374617465310f300d060355040713064d4555444f4e31133011060355040a130a4f4253204d4555444f4e31133011060355040b130a4465706172742053494f3121301f06092a864886f70d01090116127261636861383140686f746d61696c2e667282090097d09903d21d9c52300c0603551d13040530030101ff300d06092a864886 EAP-Message = 0xf70d01010405000381810055e9fecdcd89146c84f21a7b232da59b1eee35c889d5eb07950d116f3baf9123308ea514daa6f7515e33994652f76748b981e7c5e5a00e6c5c4c03299318e812e100549970034482fef14fcaa937d71d79a6bfb4f0ce39b2bbe0f4028e1f90a2c7d1e1f6ded3df9e11af13c85fa10eaec4f6979f3010b4b5521d07e05e4a6ec916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe701c94007f01d98e348e2739e552ea6 Finished request 3 Going to the next request Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 196 with timestamp 47049da8 Cleaning up request 1 ID 197 with timestamp 47049da8 Waking up in 2 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 198 with timestamp 47049daa Cleaning up request 3 ID 199 with timestamp 47049daa Nothing to do. Sleeping until we see a request.
what's a problem?
Please could you help me? thanks
_________________________________________________________________ Gagnez des écrans plats avec Live.com http://www.image-addict.fr/
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
elhammoud rachida wrote:
hello, i'am trying to use radius authenticate and authorise users by EAP/TTLS from XP and Linux ( Debian), i'am using only a « users » like database. i'am reading the documentation : http://wiki.freeradius.org i've imported root.pem both Windows XP and Linux ... the server no sends response, why??
You are not reading the debug log correctly. The server IS sending a challenge. The NAS (or supplicant) then does not continue with the next EAP packet. Odds are you don't have the root certificates configured correctly.
and this log by Windows XP ...
The same thing. It's a certificate problem. The supplicants have decided that they don't like the servers certificate. They then stop doing EAP. Look at the logs on the supplicant to see why they're stopping EAP. Alan DeKok.
hello, i'am trying to use radius authenticate and authorise users by EAP/TTLS from XP and Linux ( Debian), i'am using only a « users » like database. i'am reading the documentation : http://wiki.freeradius.org i've imported root.pem both Windows XP and Linux ... the server no sends response, why??
You are not reading the debug log correctly. The server IS sending a challenge. The NAS (or supplicant) then does not continue with the next EAP packet. yes it's exactly,
Odds are you don't have the root certificates configured correctly. I'am using openssl-0.9.7 to generate the certificats, and i'am importing root.pem to Linux
and this log by Windows XP ...
The same thing.
It's a certificate problem. The supplicants have decided that they don't like the servers certificate. They then stop doing EAP.
can'i use the certificats existing in the freeradius-1.1.7 ? it's sufficient.
Look at the logs on the supplicant to see why they're stopping EAP.
by linux, I put this wireshark -i eth0 but any response by windows, I'va this start Request, Identity Response,MS-EAP-Authentication Response, NAK (response only) Request, EAP-TTLS Client Hello Request, EAP-TTLS Response, EAP-TTLS Server Hello, Certificate, Server Hello Done Continuation Data Start Failure
Alan DeKok. - thanks List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Découvrez le Blog heroic Fantaisy d'Eragon! http://eragon-heroic-fantasy.spaces.live.com/
elhammoud rachida wrote:
It's a certificate problem. The supplicants have decided that they don't like the servers certificate. They then stop doing EAP.
can'i use the certificats existing in the freeradius-1.1.7 ? it's sufficient.
What I mean is that the supplicants do not accept the certificate that the server sends. To find out why, LOOK AT THE SUPPLICANT LOGS.
Look at the logs on the supplicant to see why they're stopping EAP.
by linux, I put this wireshark -i eth0 but any response
eth0 isn't usually a wireless device. And using wireshark isn't looking at the supplicant logs. Go read the supplicant documentation for it's certificate needs. Go read the supplicant documentation for how to enable extended logging. Ask supplicant questions on the mailing lists for the supplicants. Do not ask supplicant questions on this list. Alan DeKok.
by linux, I put this wireshark -i eth0 but any response
eth0 isn't usually a wireless device. because i make test in wired, not in wireless
one question, i should use openssl to generate the certificats? I have difficulty in understanding the implementation of EAP / TTLS with Windows XP? In the case of EAP / TTLS PAP I need only the server certificate. and the client used his password and login to authenticate? i don't found many the explanation about the certificates in a documentation
Go read the supplicant documentation for it's certificate needs.
Go read the supplicant documentation for how to enable extended logging.
thanks
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________ Découvrez le Blog heroic Fantaisy d'Eragon! http://eragon-heroic-fantasy.spaces.live.com/
one question, i should use openssl to generate the certificats?
You can also use scripts provided with the distribution (certs.sh and CA.all).
I have difficulty in understanding the implementation of EAP / TTLS with Windows XP?
Not difficult at all - there isn't one. You have to download SecureW2, install and configure it. Then select the connection on which you want to implement this, Properties, Authentication, tick 802.1x box and select SecureW2 for the EAP type from the list.
In the case of EAP / TTLS PAP I need only the server certificate. and the client used his password and login to authenticate?
Yes.
participants (3)
-
Alan DeKok -
elhammoud rachida -
tnt@kalik.co.yu