Everything lookslike it works, but PC is not authentified
Hi, I'am running Freeradius 1.1.0 on Suse 10.1 with certificates. After a lot of help from that list and a good FAQ I'am so far, that I generated the certs for server and client and that the communication between Client, Server and AP (Linksys Switch) works. My problem is, that looking in the logs, the client should be authentified, but it isn't. The AP doesn't open the port. I assume the problem is windows, submitting the username as "host/computername" which brakes the certs (but I have no hint on the logfile). The PC tries to autheticate 13 times (I get at least 13 requests to the radius), but I get no error... My users files contains that: testuser User-Password == "test2" "host/vinfo-t1" Auth-Type:= EAP "vinfo-t1" Auth-Type:= EAP # On no match, the user is denied access. DEFAULT Auth-Type := Reject Reply-Message = "Bye" Please have a short look on my debuglog. I don't know where to look further. TIA Alex Debuglog: radius:/etc/raddb # radiusd -A -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "radiusd" main: group = "radiusd" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = yes main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/ssl/radius-neuer-cert-key.pem" tls: certificate_file = "/etc/raddb/certs/ssl/radius-neuer-cert-key.pem" tls: CA_file = "/etc/raddb/certs/ssl/ServiceCenter-IT_KHB_HfM_HfS-cacert.pem" tls: private_key_password = "secret" tls: dh_file = "/etc/raddb/certs/ssl/dh" tls: random_file = "/etc/raddb/certs/ssl/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = no ttls: use_tunneled_reply = no rlm_eap: Loaded and initialized type ttls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=91 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 3 User-Name = "host/vinfo-t1" EAP-Message = 0x0202001201686f73742f76696e666f2d7431 Message-Authenticator = 0xc1f35f98d7fadcae44c1da0404dfb946 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 2 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa888eb3548ccbf70991a8073e4917860 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=171 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 3 User-Name = "host/vinfo-t1" State = 0xa888eb3548ccbf70991a8073e4917860 EAP-Message = 0x020300500d800000004616030100410100003d030144f82ec02d87663894bd52ff81b6e458129ee76d422652e5d90c0184b3ab2c4b00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x393361b2d5cc0e7f8caf5a584d4aab7d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: EAP packet type response id 3 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0104040a0dc00000100e160301004a02000046030144cbfc6ec473fda5a1d6059b489343f31dc6ce6ead7e88eaa9f0529253a6b97720dccbf137a27e973554fc428b8a2f075a212e34712e6ed1721fb1e456c90e62640004001603010ef80b000ef4000ef100077f3082077b30820563a003020102020128300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543 EAP-Message = 0x656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3036303831303039333334335a170d3037303831303039333334335a3081ac310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312730250603550403131e7261646975732e76657277616c74756e672e6b682d6265726c696e2e64653121301f06092a864886f70d010901161273632d6974406b682d EAP-Message = 0x6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a02820201009d061598c850223454cb70a58cae0a1ac2db0b6a963d25c96c632b1eb2a9177e3e8a066fa9c3596c4a1b035def3b6c589a12209a6d7ab7aa4144de890803c34cb5239cdb3b7266426049d475ed3e354fe494dee46a17e7478065c7332f6ac621d9b754d46812dc4ffda7a39bf33987fbe6951a591aee791c9468cc70f5a821683640675bafea24fe5291d6750c30a1b0a4c52cbeb6a18ce514038432f3dc83ce12657de67976dff9a7643b7ad340240e5e69385355b64d3e77f4bb0dfbc8fd63258a308c2a6e82f9c0c92e7e4ccadf848cc3bb EAP-Message = 0x57d592dcf46930c794fa0b338c9db103b9a7162352ff8cac3b680d64ec0b865bf74778839cd1530d79ba553a2bd9ffb112534cd758bb3b3dba26037ed1c158089af8903e9f5b684061ddd413fb192cfc5024c03b177184101d68bc7111ccdcb6bee8c98d1642bbc547e8211dab2fd5d45488da089a17edaa9b4dd4357d4adcb0e33553210a5ad0e84edc9f9a769297649672d5f78e2f3687e99c411abea88e0363fe1afb7dcf05a8838ef07cec88337f903a94a6207893b5e9ff80441a12b6847ff008eb8c257878f6711a8f8c053315d4ae87b36661cdee73a3cbaca92d14f480804c7476d36665c417db9c954795423ca49de599eb3ed3a6cc55f03b EAP-Message = 0xad529359b0a55e5bffa9cf65b3034d48c263c491b24a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8ada72f87d56fd2eeffabef3ec09dc62 Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 3 User-Name = "host/vinfo-t1" State = 0x8ada72f87d56fd2eeffabef3ec09dc62 EAP-Message = 0x020400060d00 Message-Authenticator = 0x8d34aa0b0247b80bb0bc1f1fcb163af7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0105040a0dc00000100ed9f9f74b6ea9cea17710efc22bc0d77f58b0a5d3589ab19f13f90203010001a38201a6308201a230090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e0416041442a94a9f048871b178d41a5d00a5668e78c045ff3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e311430120603 EAP-Message = 0x55040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301d0603551d1104163014811273632d6974406b682d6265726c696e2e646530160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d01010505000382020100c0925f1aa48825e5c192abc4a792cb36b69953 EAP-Message = 0x782adc04d3e24436b4322312505087f51371012554b69768c152ed7083dba76437cc2bd09ed94b2a08a9ce1ad303a04ee2459c219c6e8341c44175cdcf5426ab7d10b9512877be1cd89204061f78c7f9296b5c73bcc315b281029163cd1f05d9fff0f772fd26964959a4493ef045f91dda761420537f2845a12d7a0f7f04502390dd6fb1e7cbff2891d8eee5abcf7da435ab6b163e2475fad3ccf8cfdc7ad019fbbe1deb47fbcad40dd4f57d2ed127665ca99cc035d93bf5df6ad79529fa142cb7f03eedd1aca47ad648db900e6dcd1966efb52a2c9dfa5ce5148ad4bd37716414c3a82bcb9a8cd805f1ea4e66f0171174e8099310d720186c2774cdc2 EAP-Message = 0xf80283f897fa84a1281e34c77148ca68508cd2eaf3f9167f76b41df115df8bcf02746dac891da3f58b4a45e5085dcbb3e9129106bb999f2b6b4722b86a32e18732260fa1093643a982b52951d7011141f3ea9ec18429482b3977620aa50aa40cd30eb3ed16f1a1c77d07df0672abdf64d608ff85a9076b95afb5a12a3a1fc231024403628b1db8cf04d474be335f83e230d506eb574b91fd672e092dd86088ea95edbe95aaecc00f4610520cd6a624103c64d1e8f6ebb8027ec42fa27ff3fdad82731a8511b8a68751452ebcbd13e11a0abe6d1f82fd5ce98af910ce7e62a69e9ac2383ee9b3dc0a973af95706a3a1c700076c3082076830820550a003 EAP-Message = 0x020102020900890d6f61ac0ce005300d06092a864886 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x9a47ab7f9de113ebbe793cdba4b8eac5 Finished request 2 [...] Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 3 User-Name = "host/vinfo-t1" State = 0x02e56d8de12a870049b3b02e1f4ad162 EAP-Message = 0x021100060d00 Message-Authenticator = 0x8a9e680cc21b98a2835861c9ef08faea Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 rlm_eap: EAP packet type response id 17 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0112000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3f9387f3adb41ddea578c30fd328358f Finished request 13 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 13 ID 0 with timestamp 44cbfc94 Nothing to do. Sleeping until we see a request. -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Hi,
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0112000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3f9387f3adb41ddea578c30fd328358f Finished request 13 Going to the next request Waking up in 6 seconds...
This *doesn't* look like it works. The server sends a packet to the client, and the client refuses to answer thereafter. The usual cause of this, which generates the same question and the same answers multiple times a week in this list, is that the server cert doesn't have the MS TLS Web Server Authentication OID in the cert. Please read the various documentation about this topic that exists both here in the list archives and "n" HOWTOs throughout the web. Greetings, Stefan Winter -- Stefan WINTER Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche - Ingénieur de recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg
Stefan Winter wrote:
Hi,
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0112000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3f9387f3adb41ddea578c30fd328358f Finished request 13 Going to the next request Waking up in 6 seconds...
This *doesn't* look like it works. The server sends a packet to the client, and the client refuses to answer thereafter. The usual cause of this, which generates the same question and the same answers multiple times a week in this list, is that the server cert doesn't have the MS TLS Web Server Authentication OID in the cert. Please read the various documentation about
I wonder if it would be possible to have the PEAP, TLS and TTLS EAP sub-modules print a VERY LOUD WARNING if that OID is missing from the certificate on startup? A quick 60 second scan of the OpenSSL API doesn't show the obvious call, but given how incomprehensible the OpenSSL API is in general, that's not surprising...
Phil Mayers <p.mayers@imperial.ac.uk> wrote:
I wonder if it would be possible to have the PEAP, TLS and TTLS EAP sub-modules print a VERY LOUD WARNING if that OID is missing from the certificate on startup?
I think so. X509_print_ex, I believe. Dump the certificate to a string buffer, and do "strstr" for the OID. Yucky, but it will work. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi, Stefan Winter schrieb:
this list, is that the server cert doesn't have the MS TLS Web Server Authentication OID in the cert. Please read the various documentation about
Nope, the cert has this extension. I checked that again and again. Server is in DNS and the CN of the cert is the FQDN of the server. The CN of the PC is the netbios-name. Both certs have their extenstion (Webserver and Client). Maybe it's something else? TIA Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Hi, On 9/1/06, Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
My users files contains that:
testuser User-Password == "test2"
"host/vinfo-t1" Auth-Type:= EAP
"vinfo-t1" Auth-Type:= EAP
# On no match, the user is denied access. DEFAULT Auth-Type := Reject Reply-Message = "Bye"
1. Don't set Auth-Type. See http://deployingradius.com/documents/configuration/auth_type.html 2. Further action depends on what you want (eap-tls or eap-peap/mschapv2), eventually the CN in your client's certificates and finally what the supplicant sends. What is "host/vinfo-t1" supposed to be? regards K. Hoercher
Hi, K. Hoercher schrieb:
1. Don't set Auth-Type. See http://deployingradius.com/documents/configuration/auth_type.html
Thanks to your reply. The problem is, there are now a lot of partial howtos in the net, but not even one covers all. I did that, because it was in an howto... I'll try something else. and finally what the supplicant sends. What is "host/vinfo-t1"
supposed to be?
vinfo-t1 is the netbiosname of the client, the realm(?) host/ comes from Windows or the AP, I don't know. Probably it breaks the cert, because the name differs and this bothers EAP/TLS. But I don't know how to handle or shorten this. Maybe somebody has a good idea to handle that. TIA Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
vinfo-t1 is the netbiosname of the client, the realm(?) host/ comes from Windows or the AP, I don't know. Probably it breaks the cert, because the name differs and this bothers EAP/TLS. But I don't know how to handle or shorten this. Maybe somebody has a good idea to handle that.
It looks like it is doing machine authentication, in which case the certs (both client and server) need the machine authentication OIDs, and not the normal user OIDs. From the CVS head version of 'xpextensions': # # Add this to the PKCS#7 keybag attributes holding the client's private key # for machine authentication. # # the presence of this OID tells Windows XP that the cert is intended # for use by the computer itself, and not by an end-user. # # The other solution is to use Microsoft's web certificate server # to generate these certs. # # 1.3.6.1.4.1.311.17.2 Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi Alan,
It looks like it is doing machine authentication, in which case the
Correct.
certs (both client and server) need the machine authentication OIDs,
I read that again and again, but I already have these OID in the certs. Here a dump of my server-cert: Certificate: Data: Version: 3 (0x2) Serial Number: 40 (0x28) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de Validity Not Before: Aug 10 09:33:43 2006 GMT Not After : Aug 10 09:33:43 2007 GMT Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=radius.verwaltung.kh-berlin.de/emailAddress=sc-it@kh-berlin.de Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Server Netscape Comment: TinyCA Generated Certificate X509v3 Subject Key Identifier: 42:A9:4A:9F:04:88:71:B1:78:D4:1A:5D:00:A5:66:8E:78:C0:45:FF X509v3 Authority Key Identifier: keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de serial:89:0D:6F:61:AC:0C:E0:05 X509v3 Issuer Alternative Name: email:sc-it@kh-berlin.de X509v3 Subject Alternative Name: email:sc-it@kh-berlin.de X509v3 Extended Key Usage: critical TLS Web Server Authentication !!!!!!!!!!!!!! Signature Algorithm: sha1WithRSAEncryption [...] Isn't that exactly what it should like? And here the client: Certificate: Data: Version: 3 (0x2) Serial Number: 42 (0x2a) Signature Algorithm: sha1WithRSAEncryption Issuer: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de Validity Not Before: Sep 1 11:18:32 2006 GMT Not After : Sep 1 11:18:32 2007 GMT Subject: C=DE, ST=Berlin, L=Berlin, O=KHB HfM HfS, OU=ServiceCenter-IT, CN=vinfo-t1/emailAddress=vinfo-t1-neuer@local Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (4096 bit) Modulus (4096 bit): [...] Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Cert Type: SSL Client, S/MIME, Object Signing Netscape Comment: TinyCA Generated Certificate X509v3 Subject Key Identifier: C0:72:0A:91:71:D9:E7:A9:73:CC:B4:B0:AD:17:B4:ED:61:AF:06:B9 X509v3 Authority Key Identifier: keyid:B9:39:B6:CE:8A:52:91:2E:AE:CE:16:24:18:B1:F4:D8:30:3D:04:2E DirName:/C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de serial:89:0D:6F:61:AC:0C:E0:05 X509v3 Issuer Alternative Name: email:sc-it@kh-berlin.de X509v3 Subject Alternative Name: email:vinfo-t1-neuer@local X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: critical TLS Web Client Authentication !!!!!!!!! Signature Algorithm: sha1WithRSAEncryption [...] What else could be a problem? How do you guys handle the "host/<netbiosname>" problem? Could that brake the cert? TIA Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
On 9/4/06, Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
I read that again and again, but I already have these OID in the certs. Here a dump of my server-cert: No, you don't. from Alan's post: # 1.3.6.1.4.1.311.17.2
while "TLS Web Server Authentication" is 1.3.6.1.5.5.7.3.1 and "TLS Web Client Authentication" is 1.3.6.1.5.5.7.3.2
What else could be a problem? How do you guys handle the "host/<netbiosname>" problem? Could that brake the cert?
Currently that doesn't even get considered, as according to your log you don't check for the CN. Afaik you might strip it by using the with_ntdomain_hack directive. Further changes changes depend on the eap type you want to use. I have already asked about that. regards K. Hoercher
Hi, K. Hoercher schrieb:
No, you don't. from Alan's post: # 1.3.6.1.4.1.311.17.2 and "TLS Web Client Authentication" is 1.3.6.1.5.5.7.3.2
Hm, with Alans OID there is no communication between Radius and the client. If I use the OID indicated in most HowTOs (like http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOW...) there is a conversation between them. Ok the authentification fails at last. To write it again, I use W2k not XP, maybe the problem is somewhere in there, but I doubt it, because menus and functions are the same as in XP.
you don't check for the CN. Afaik you might strip it by using the with_ntdomain_hack directive.
I've seen that directive, but exactly where should it be enabled in the config? I think it can't be set in the eap.conf, where it makes the most sense.
Further changes changes depend on the eap type you want to use. I have already asked about that.
I didn't understand that question. I want to make a machine-based authentification based on certificates on the clients. If the cert is ok, the Ethernet-Port will be switched through. AFAIK this is done with Windows-CLients using EAP-TLS. Thats all auth I need, the user at the client must not be checked, even the clients name must not be checked against an sql or ldap (maybe later). The HowTO says AuthType := EAP would be right. Ok, here on the list everybody says "Don't use AuthType", but nobody says what to use else... :-) TIA Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Hi, I'am a step ahead. One problem was, that the Root-CA-cert must be put manually in the Trusted-Rootcertificate place (I use a german Windows, so I try to retranslate that into english) on the Windows-Client. It is not enough to import that automatically, although the cert shows up in the list of "Trusted Rootcertificates" in the "Authentification" menu of the network-settings. If made this running the mmc manually, opening the Certificate-dialog. But it shows, that the problem is deeper. The netbiosname of the windows machine is "vinfo-t1", also the cert has this name as a CN. If the PC tries to authenticate the username comes as "host/vinfo-t1" to the radius server. Which makes the TLS verify fail. How can the name be truncated? My setup is like mentioned in this HowTo: http://www.hep.phys.soton.ac.uk/~jhe/documents/WPA-Authentication+RADIUS-HOW... Here an Debug Output of the conversation: rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=91 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" EAP-Message = 0x0201001201686f73742f76696e666f2d7431 Message-Authenticator = 0xe009fb46107ee76bfc27e1f91b7e73f6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_eap: EAP packet type response id 1 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1eb9189838f31fb0cf1d343419acb2c0 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=171 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x1eb9189838f31fb0cf1d343419acb2c0 EAP-Message = 0x020200500d800000004616030100410100003d030144fbf552d25bafa630d83452a204d465d2a0109f469f18439264173b484f30f200001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x5acdcdfd4719f93fd54efbec8632096f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_eap: EAP packet type response id 2 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0103040a0dc00000100e160301004a02000046030144cdf6a1a045a15119c1630490570a6d0cb0643391b0aa45060563037e3c819b204cc1d2c1737bdea821ed36527e98a814a656e3e578af9e0976f33b31fd9c5cc30004001603010ef80b000ef4000ef100077f3082077b30820563a003020102020128300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543 EAP-Message = 0x656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3036303831303039333334335a170d3037303831303039333334335a3081ac310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312730250603550403131e7261646975732e76657277616c74756e672e6b682d6265726c696e2e64653121301f06092a864886f70d010901161273632d6974406b682d EAP-Message = 0x6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a02820201009d061598c850223454cb70a58cae0a1ac2db0b6a963d25c96c632b1eb2a9177e3e8a066fa9c3596c4a1b035def3b6c589a12209a6d7ab7aa4144de890803c34cb5239cdb3b7266426049d475ed3e354fe494dee46a17e7478065c7332f6ac621d9b754d46812dc4ffda7a39bf33987fbe6951a591aee791c9468cc70f5a821683640675bafea24fe5291d6750c30a1b0a4c52cbeb6a18ce514038432f3dc83ce12657de67976dff9a7643b7ad340240e5e69385355b64d3e77f4bb0dfbc8fd63258a308c2a6e82f9c0c92e7e4ccadf848cc3bb EAP-Message = 0x57d592dcf46930c794fa0b338c9db103b9a7162352ff8cac3b680d64ec0b865bf74778839cd1530d79ba553a2bd9ffb112534cd758bb3b3dba26037ed1c158089af8903e9f5b684061ddd413fb192cfc5024c03b177184101d68bc7111ccdcb6bee8c98d1642bbc547e8211dab2fd5d45488da089a17edaa9b4dd4357d4adcb0e33553210a5ad0e84edc9f9a769297649672d5f78e2f3687e99c411abea88e0363fe1afb7dcf05a8838ef07cec88337f903a94a6207893b5e9ff80441a12b6847ff008eb8c257878f6711a8f8c053315d4ae87b36661cdee73a3cbaca92d14f480804c7476d36665c417db9c954795423ca49de599eb3ed3a6cc55f03b EAP-Message = 0xad529359b0a55e5bffa9cf65b3034d48c263c491b24a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x62ac8299666f9397864e61d8e04a1f3e Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x62ac8299666f9397864e61d8e04a1f3e EAP-Message = 0x020300060d00 Message-Authenticator = 0x2d9b3872003fc09e22bb4d9f6056991a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_eap: EAP packet type response id 3 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0104040a0dc00000100ed9f9f74b6ea9cea17710efc22bc0d77f58b0a5d3589ab19f13f90203010001a38201a6308201a230090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e0416041442a94a9f048871b178d41a5d00a5668e78c045ff3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e311430120603 EAP-Message = 0x55040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301d0603551d1104163014811273632d6974406b682d6265726c696e2e646530160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d01010505000382020100c0925f1aa48825e5c192abc4a792cb36b69953 EAP-Message = 0x782adc04d3e24436b4322312505087f51371012554b69768c152ed7083dba76437cc2bd09ed94b2a08a9ce1ad303a04ee2459c219c6e8341c44175cdcf5426ab7d10b9512877be1cd89204061f78c7f9296b5c73bcc315b281029163cd1f05d9fff0f772fd26964959a4493ef045f91dda761420537f2845a12d7a0f7f04502390dd6fb1e7cbff2891d8eee5abcf7da435ab6b163e2475fad3ccf8cfdc7ad019fbbe1deb47fbcad40dd4f57d2ed127665ca99cc035d93bf5df6ad79529fa142cb7f03eedd1aca47ad648db900e6dcd1966efb52a2c9dfa5ce5148ad4bd37716414c3a82bcb9a8cd805f1ea4e66f0171174e8099310d720186c2774cdc2 EAP-Message = 0xf80283f897fa84a1281e34c77148ca68508cd2eaf3f9167f76b41df115df8bcf02746dac891da3f58b4a45e5085dcbb3e9129106bb999f2b6b4722b86a32e18732260fa1093643a982b52951d7011141f3ea9ec18429482b3977620aa50aa40cd30eb3ed16f1a1c77d07df0672abdf64d608ff85a9076b95afb5a12a3a1fc231024403628b1db8cf04d474be335f83e230d506eb574b91fd672e092dd86088ea95edbe95aaecc00f4610520cd6a624103c64d1e8f6ebb8027ec42fa27ff3fdad82731a8511b8a68751452ebcbd13e11a0abe6d1f82fd5ce98af910ce7e62a69e9ac2383ee9b3dc0a973af95706a3a1c700076c3082076830820550a003 EAP-Message = 0x020102020900890d6f61ac0ce005300d06092a864886 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd16ad97d1f76b6e6878fff568b2c4c2e Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xd16ad97d1f76b6e6878fff568b2c4c2e EAP-Message = 0x020400060d00 Message-Authenticator = 0xd3cac87903c299148d8aee901bb87d85 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0105040a0dc00000100ef70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3035303930353038303532355a170d3135303930333038303532355a3081aa310b3009060355040613024445310f300d060355040813064265726c EAP-Message = 0x696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100c4e58d7b46104aaed067a7f4e2c0bce5fd30388b52102731e8ae991947c14547ca41753f07ee2f50c4374b00950c83165fce3e38cdf4b4749dce3641ce01e450a7f1e53de6997ac4a19b93cc212b EAP-Message = 0x2cfb5425c7b1421b89951478dadba32ce7c00421c9791d1af1b38e9ce04141c724d866fb11c06bd13a626f830825d002beccae484fcaa3840fdab94afdd1e454155451678ecb4ae36c1628afce08a8622736e5f29360512174ffa60a3a713794d781efa85d83c6df6cc78262910cb757c515450569cd668cdb29a709e3f8d52dde54c69e2b84b0be385347948e360e4095499957b42d0a918cbc647a2377c0c26e0925f386d520f0bc2f25b206a93075e9382d590f4724352edc61a0e497dece898c31ca22c4320d02b55bb519c90f228fcbd6f1d72057245e35a3170a354b207ef1f2a61585256e493bff8b363075452e21cbb5cb26167d8d1201c419 EAP-Message = 0x11569768a99eea5cff0fb0458e5615e42e8aec5417f2493f5b81cf7b9cdb4ad1995c0c8bced370d073ee8eefb21f833372027c4fcb84c23c73d1b44df6f5ca34e0d9f674900f9ddf1340179016868a3697a807624dd8f0ff7aea8460241df0a8a74eb8b0151171395155db1fd0b87be63c7047fda731126880bf2228332a38f11ac024cb944d68ce72da5f43d73609e82f92486f4eaad235b104ae3c93061600b3a54e895841eac966309ad0c18cccf17453210f450203010001a382018d30820189301d0603551d0e04160414b939b6ce8a52912eaece162418b1f4d8303d042e3081df0603551d230481d73081d48014b939b6ce8a52912eaece1624 EAP-Message = 0x18b1f4d8303d042ea181b0a481ad3081aa310b300906 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xba5a2b49ec81141bc1deb21c9792c137 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xba5a2b49ec81141bc1deb21c9792c137 EAP-Message = 0x020500060d00 Message-Authenticator = 0xf7f1738e59b02e648c5cce4946e9df9c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0106040a0dc00000100e0355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005300f0603551d130101ff040530030101ff301106096086480186f842010104040302010630090603551d1204023000302b06096086480186f842010d041e161c54696e EAP-Message = 0x7943412047656e657261746564204365727469666963617465301d0603551d1104163014811273632d6974406b682d6265726c696e2e6465300b0603551d0f040403020106300d06092a864886f70d0101050500038202010060f0ab4236cda26ba7ceaedfd61052c52b73e1e028ffe29171395f9074e4beee7eab73afc427c17cd0f37e96c7af6eda553a92b2b426f723c283c8ea027f3ab17c93d1ffa7c8a29fedbc83f11f8731a140393c56aceffae318f7ebbca367fed9280513ce2cfad1257c59f056e3898e928f968baa6c3cc094ca50b9072674b8fa43ab0e31c4a7a54eb8f96ad4d275011a449807c3abe4865d8f837ee4d8db0c081af218c0 EAP-Message = 0x0a878d4c7e30268282034b35a666b8295eb53ee41bcda9345a7d48fdb7dc306180df06ec546e826d73d7dd62bf449c6eb948aa85c808893b308a32636cb151b044b839fc382f8623863d7ac78b7bf3e0f2c1ac4c8a69b9184e58733d966120ce334ab7212f23b85a8e8d5b2ada0f4cc7cb981fafd3585c398b351a06870271c71e537b4010a7d2914151b076a5f4094d1ab64e46a93dbba7456fa75be4006a172f6824219fad1b4c95322c6b9a1703515545ebbdae485fa994ac81fb8d308cdb58038d6c95c15d29f0a317e03877225eebe3647f28dc2361d7fb1894231e475805ec5e95ab5a37c96c70b000695caee3562f474af69b11fc67ccf54e9f EAP-Message = 0x0f1d1adc2c9038d56a9fa3454320444843fe38e00de285cb9120b24416fa909c259b52d069e64d0d9faa37c336f8bd3a8128a8f5e244029a5ded25e10bfc551dc08730e133a4e4b744cf3d8c038d38b1692c1d4876f92d109efcf136355c2216030100bd0d0000b50301020500af00ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f486653312130 EAP-Message = 0x1f06092a864886f70d010901161273632d6974406b68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf231b7f39c1572d02d39ff49f54d210e Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xf231b7f39c1572d02d39ff49f54d210e EAP-Message = 0x020600060d00 Message-Authenticator = 0x6ed026eb8c4fb95b5977cf6883d7f3ff Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010700180d800000100e2d6265726c696e2e64650e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3c5f8b0008d1f3af6b3943916a23e2ff Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=1591 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x3c5f8b0008d1f3af6b3943916a23e2ff EAP-Message = 0x020705d20dc000000bc31603010b930b00078300078000077d3082077930820561a00302010202012a300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3036303930313131313833325a170d3037303930 EAP-Message = 0x313131313833325a308198310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d49543111300f0603550403130876696e666f2d74313123302106092a864886f70d010901161476696e666f2d74312d6e65756572406c6f63616c30820222300d06092a864886f70d01010105000382020f003082020a0282020100b18a3f0af2253a6b7b341ff99f9e24a6609f6d713a4fb201bdd54cbed3071b162b1539c66654db5499ca640321d6546b94cf03be2a8b99354c EAP-Message = 0xc6440e479e13c5e2351cff190d88fdc18729807d495d0d965e52f9e55c9edf96d7fb09b045a018610f657c26730ca6ad79f3f9b54ddfe4477697a92d10127515e3a1c384e8d6d1aa93dc3435aa7387412a66e66afcc38671c806889034450f131a40d93d8056f047884aea4c4aa227f868adc26909dfc61f0dea21e8ea55ff831d12b415a24a3aa15de0871ed034da8743b089664377b4269297aadba01e6f88e1d314f37951fe71e61ea5da38523f7a69aff0334649a49b1a1fa42da2ced0b83c39785f5a791682a6b19b8fe69487622f5e1ec3d9ceaf8bb3211e6a81c252e16ce15767656c58beb13bc0cae1de938c1900f1ee727eed5870fc1901c9 EAP-Message = 0xe546349574e7b49ef07d47123e10535807e8186ba7f41656fe19bd54c36c04799eb7367550d27836cb3f229f648b139767e29364164123ec379969ec6ffd7c40e6c93c32d00b6c4976b183051b45e35ba08cb674739be00808809ed6582184753e871bccb1068664dafe46bb0b20cc4885a463294a28502c694c1577f5e66b28cae490a7234d2cd5407d119673335e2a3f24726bf077d68aa92fdc4fc8aa9eca709bd9637dee65ee966de96b99ff8693c4b07362734b73057c6cb638e0463e536a250ef429eaddd63ea30203010001a38201b8308201b430090603551d1304023000301106096086480186f84201010404030204b0302b060960864801 EAP-Message = 0x86f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e04160414c0720a9171d9e7a973ccb4b0ad17b4ed61af06b93081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06 EAP-Message = 0x092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301f0603551d1104183016811476696e666f2d74312d6e65756572406c6f63616c300e0603551d0f0101ff0404030205a030160603551d250101ff040c300a06082b06010505070302300d06092a864886f70d010105050003820201002b8b5adf8cddd67cfa0571cd173867feca7ac917203321554e8f41f953189df68b435d9416427009c7c6f1304ea086ff5717599c2c58b991bcc544fc Message-Authenticator = 0x74fd373b468d81483b5c29000421eea7 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 rlm_eap: EAP packet type response id 7 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS First Fragment of the message eaptls_verify returned 9 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010800060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x359ee7405de06aa7a6b8c2e7169a6014 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=1591 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x359ee7405de06aa7a6b8c2e7169a6014 EAP-Message = 0x020805d20d4086beba4b46ca59a277fbc153a403766ff039c6fca35370d848d69f938ff19037f6b6d341f9692327f3833585b67c45c19a108c0343f2fb69c6eb19ed624f2a2cbfdca3e2d64860327a7a4768a7cac2804f7beaf7db967260203e53d1863ca7599484e29d0261eeb21bdd6e718370c6518e249f57fc3977ab0fd47900b6efb8a57c3359cf81c9c5b26b4f566a494686078fb6e904a35569c17d4873c36f74fdb47d7b57f9441e8c33d76d0241ace6e7f1c3d28b96a8a1c7b8035ec87ea197480fa41e7ba093866ee476f9d6e20d6aa701826ef468f4370d41582fc63bd550bbffaf4f98025183be1aa8d2a5d2dba0e6cff53969744b1fcf EAP-Message = 0x449a43d3a8addf3d68b4a14c4171a80d7312bfe9a1e9b3486810e41a75848895d3f29b2f51a79c522197628709276de510791b49f31aeafb44d452433eab636f3e46c3df5823e29e91cd832c45d6d2e69a9054a2a420f6bac3c403e1af36e8ba0fa0d4b1b6f4a2709b105257bea66fad471ef2678043b66ee14170754bce551ccb2b237177673e42b7cd8b11c135ca72c57df7cd1e741d3801df735927781da8776bb19786aeee2775fb8d9d74eb335196403c57629519dfeb599815230d97825bfd0655aa7ee88c6baf2d91b91000020202002aea80d0990edde01b74574abb253276a3dae7b2f2598871abb0c263c9a7187ef5b5ac34f4a56f12478d EAP-Message = 0xbfd50b9a35788de43df3f7a7e18f3fdd650fd65cbdeccf00edd545546450a0f1604980546880abf63bcd65544bb17d6bbcf8340fa6052d2c5f8d10e74b73d90d02efe863fc9e61f6122d06e5d5d95d1e3e5951bc7c20edb043c70b531e9b5d739bb313774e0bde1891ae03872a6ecc463c8a3597aef29a8820a48bf7b626fe5530ababf965d8bd1997b01cd23b8b6bdca98da8aff8082de1ba7c07d566dc2fa054ac0ee55f928b587b1e94474655c9bd28ddb2bd8ce6a93e507e3729b30a3a2b81a2413c244a2a8f7f8fbfda98dc7f813d8d03cb41830e39be756acdf07e8b1be302780b3fa5d0596fbdfa9159ffb25f975a75fd7f54dc8f7cef6b2660 EAP-Message = 0x2361f8394ba18d76313d4eb2fdae74c1cc2ee19630748e4272ea7074687fb7980e4aff71e3e6b43a1a4ddeee90b0787bc8e6410a4ec1e90d342f53769da1e0802989bba6abb18e59dcc3c9f35b9ad2ff871aef69063b1eaafa095931d9a0dce611976ed726c9782b5573f0ad30b18561e69db7d61458e7757c73a69756ec937abff25019c0d9846dae4a05ac3342cb0705c57f302afad433ce9960fe5403b98209ad7adc7b8767e831c3e4af7a5d53ba775e4032dc9ebd7beb589aadfbb19818d7130dca7e39ec93c149107adea129c2b06af3f9983a6225df0f000202020011e0a1abca0165911964c287c77120adf9b19b4f77b21b21a05427924e28 EAP-Message = 0xb0e23d003215ba80dce06177c17848d450c46115113f274a6ee45912b23b8f7878f6f375d7fef9fa8896c1288720589bba7e5392b9b045307031fc69c4bd4962e6198e2cc640f373c3e4cda6203667a57a0652fb742af62da2e0860b32335d7caaaefe873e186e125cf5cdf8ea8f1ba95b9aa1684dde9fce5762485a38ed725b79f1461068319966572f4b2d7886ec6572ecf4c94408b6a7708a2ab37c766f77ba4af9aba59aee2aa94c29562d61d653071913d6bb3a69a25140427ef8d28aefefb411bbbe5b9beba21c12e8fbfc87f38e2008c3138915b1140f8c74e5f2db4114a6bf6fdd4e13423241296ae022b21ff95305eca6284e302721a17cfa EAP-Message = 0x358a88c665ac350fd228dc7fc3983efb2280855be8b829d3fc63a0acd3d6b0af5d42964eff7b75024579a4486a876b937bd15f15f937cde01be66d07e6fe0a739fe81e6a23b38065a404f32a8c4f6b24cbb3407a0dea6897e8a11219051a75c5ad04a424ff90eaa26eedec224f685f6eca3968b322bd4897de1a311a37ab20da9690a1dac10217e22a29b6dbbc55f967d56645ecd9daa87d449a3e0a0d7e96028e497bc36f53106d7b6bf903db8b50691814c3b2d515cfa62d1b40bad9ab4f7ad898e238da4d63a36edbae2e915d5d59a7bb668090efcdc56a1a3478d12662dc1b Message-Authenticator = 0x5d5a7d2d57f2a52f1f13358c8966b470 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 rlm_eap: EAP packet type response id 8 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: More fragments to follow eaptls_verify returned 10 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010900060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa9ec0e19c31f5fe70aedb7f7d0e88a2f Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=144 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xa9ec0e19c31f5fe70aedb7f7d0e88a2f EAP-Message = 0x020900350d00ccd800061403010001011603010020e56699f0f810201b2552cc0601a31099f48fa7103f4ee354d59246fc367dbffd Message-Authenticator = 0x696632f38a12e60fab75e2c8e5bc62ff Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 rlm_eap: EAP packet type response id 9 length 53 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0787], Certificate chain-depth=1, error=0 --> User-Name = host/vinfo-t1 --> BUF-Name = ServiceCenter-IT_KHB_HfM_HfS --> subject = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de --> issuer = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de --> verify return:1 --> verify error:num=9:certificate is not yet valid rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate TLS_accept:error in SSLv3 read client certificate B 9054:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2482: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010a00110d80000000071503010002022a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2234f2a04eac43d7190c2eb599db66dc Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x2234f2a04eac43d7190c2eb599db66dc EAP-Message = 0x020a00060d00 Message-Authenticator = 0x58ed75061e4f8f0db896ce17b4ec179b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 rlm_eap: EAP packet type response id 10 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 9 modcall: leaving group authenticate (returns invalid) for request 9 auth: Failed to validate the user. Delaying request 9 for 1 seconds Finished request 9 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 Sending Access-Reject of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x040a0004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 9 ID 0 with timestamp 44cdf6a1 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=91 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" EAP-Message = 0x020c001201686f73742f76696e666f2d7431 Message-Authenticator = 0x896b213f641e21cae37d8783ed92a6af Processing the authorize section of radiusd.conf modcall: entering group authorize for request 10 modcall[authorize]: module "preprocess" returns ok for request 10 rlm_eap: EAP packet type response id 12 length 18 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 10 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 10 modcall: leaving group authorize (returns updated) for request 10 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 10 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 10 modcall: leaving group authenticate (returns handled) for request 10 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010d00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bb29fa8bf1aa2e286207b6fdd44a0f4 Finished request 10 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=171 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x1bb29fa8bf1aa2e286207b6fdd44a0f4 EAP-Message = 0x020d00500d800000004616030100410100003d030144fbf55fb99ce5e0c2448e35dd6e6182389b0ef9dd3923ca49d265ccf02b904000001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x3c9e43262511932f1695d966d717783b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 11 modcall[authorize]: module "preprocess" returns ok for request 11 rlm_eap: EAP packet type response id 13 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 11 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 11 modcall: leaving group authorize (returns updated) for request 11 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 11 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 11 modcall: leaving group authenticate (returns handled) for request 11 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010e040a0dc00000100e160301004a02000046030144cdf6a8aeea8bc6b691f8ed21ddfeca67497f07df94855d23328c9ae25d58d520ecdfed5d550b26ac321d92acf4c01975ebb9c4e6bb16485379f5355d702ffcd30004001603010ef80b000ef4000ef100077f3082077b30820563a003020102020128300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543 EAP-Message = 0x656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3036303831303039333334335a170d3037303831303039333334335a3081ac310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312730250603550403131e7261646975732e76657277616c74756e672e6b682d6265726c696e2e64653121301f06092a864886f70d010901161273632d6974406b682d EAP-Message = 0x6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a02820201009d061598c850223454cb70a58cae0a1ac2db0b6a963d25c96c632b1eb2a9177e3e8a066fa9c3596c4a1b035def3b6c589a12209a6d7ab7aa4144de890803c34cb5239cdb3b7266426049d475ed3e354fe494dee46a17e7478065c7332f6ac621d9b754d46812dc4ffda7a39bf33987fbe6951a591aee791c9468cc70f5a821683640675bafea24fe5291d6750c30a1b0a4c52cbeb6a18ce514038432f3dc83ce12657de67976dff9a7643b7ad340240e5e69385355b64d3e77f4bb0dfbc8fd63258a308c2a6e82f9c0c92e7e4ccadf848cc3bb EAP-Message = 0x57d592dcf46930c794fa0b338c9db103b9a7162352ff8cac3b680d64ec0b865bf74778839cd1530d79ba553a2bd9ffb112534cd758bb3b3dba26037ed1c158089af8903e9f5b684061ddd413fb192cfc5024c03b177184101d68bc7111ccdcb6bee8c98d1642bbc547e8211dab2fd5d45488da089a17edaa9b4dd4357d4adcb0e33553210a5ad0e84edc9f9a769297649672d5f78e2f3687e99c411abea88e0363fe1afb7dcf05a8838ef07cec88337f903a94a6207893b5e9ff80441a12b6847ff008eb8c257878f6711a8f8c053315d4ae87b36661cdee73a3cbaca92d14f480804c7476d36665c417db9c954795423ca49de599eb3ed3a6cc55f03b EAP-Message = 0xad529359b0a55e5bffa9cf65b3034d48c263c491b24a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x042d4a21986c4743a484d2db89cd0c33 Finished request 11 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x042d4a21986c4743a484d2db89cd0c33 EAP-Message = 0x020e00060d00 Message-Authenticator = 0x7540ade5dc60f3209b713f2a001bb519 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 12 modcall[authorize]: module "preprocess" returns ok for request 12 rlm_eap: EAP packet type response id 14 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 12 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 12 modcall: leaving group authorize (returns updated) for request 12 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 12 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 12 modcall: leaving group authenticate (returns handled) for request 12 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x010f040a0dc00000100ed9f9f74b6ea9cea17710efc22bc0d77f58b0a5d3589ab19f13f90203010001a38201a6308201a230090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e0416041442a94a9f048871b178d41a5d00a5668e78c045ff3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e311430120603 EAP-Message = 0x55040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301d0603551d1104163014811273632d6974406b682d6265726c696e2e646530160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d01010505000382020100c0925f1aa48825e5c192abc4a792cb36b69953 EAP-Message = 0x782adc04d3e24436b4322312505087f51371012554b69768c152ed7083dba76437cc2bd09ed94b2a08a9ce1ad303a04ee2459c219c6e8341c44175cdcf5426ab7d10b9512877be1cd89204061f78c7f9296b5c73bcc315b281029163cd1f05d9fff0f772fd26964959a4493ef045f91dda761420537f2845a12d7a0f7f04502390dd6fb1e7cbff2891d8eee5abcf7da435ab6b163e2475fad3ccf8cfdc7ad019fbbe1deb47fbcad40dd4f57d2ed127665ca99cc035d93bf5df6ad79529fa142cb7f03eedd1aca47ad648db900e6dcd1966efb52a2c9dfa5ce5148ad4bd37716414c3a82bcb9a8cd805f1ea4e66f0171174e8099310d720186c2774cdc2 EAP-Message = 0xf80283f897fa84a1281e34c77148ca68508cd2eaf3f9167f76b41df115df8bcf02746dac891da3f58b4a45e5085dcbb3e9129106bb999f2b6b4722b86a32e18732260fa1093643a982b52951d7011141f3ea9ec18429482b3977620aa50aa40cd30eb3ed16f1a1c77d07df0672abdf64d608ff85a9076b95afb5a12a3a1fc231024403628b1db8cf04d474be335f83e230d506eb574b91fd672e092dd86088ea95edbe95aaecc00f4610520cd6a624103c64d1e8f6ebb8027ec42fa27ff3fdad82731a8511b8a68751452ebcbd13e11a0abe6d1f82fd5ce98af910ce7e62a69e9ac2383ee9b3dc0a973af95706a3a1c700076c3082076830820550a003 EAP-Message = 0x020102020900890d6f61ac0ce005300d06092a864886 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb9b86fc0e4881bcc45520f173812f948 Finished request 12 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xb9b86fc0e4881bcc45520f173812f948 EAP-Message = 0x020f00060d00 Message-Authenticator = 0x324813d2519a1143af74caf29d6e4cc4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 13 modcall[authorize]: module "preprocess" returns ok for request 13 rlm_eap: EAP packet type response id 15 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 13 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 13 modcall: leaving group authorize (returns updated) for request 13 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 13 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 13 modcall: leaving group authenticate (returns handled) for request 13 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0110040a0dc00000100ef70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3035303930353038303532355a170d3135303930333038303532355a3081aa310b3009060355040613024445310f300d060355040813064265726c EAP-Message = 0x696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100c4e58d7b46104aaed067a7f4e2c0bce5fd30388b52102731e8ae991947c14547ca41753f07ee2f50c4374b00950c83165fce3e38cdf4b4749dce3641ce01e450a7f1e53de6997ac4a19b93cc212b EAP-Message = 0x2cfb5425c7b1421b89951478dadba32ce7c00421c9791d1af1b38e9ce04141c724d866fb11c06bd13a626f830825d002beccae484fcaa3840fdab94afdd1e454155451678ecb4ae36c1628afce08a8622736e5f29360512174ffa60a3a713794d781efa85d83c6df6cc78262910cb757c515450569cd668cdb29a709e3f8d52dde54c69e2b84b0be385347948e360e4095499957b42d0a918cbc647a2377c0c26e0925f386d520f0bc2f25b206a93075e9382d590f4724352edc61a0e497dece898c31ca22c4320d02b55bb519c90f228fcbd6f1d72057245e35a3170a354b207ef1f2a61585256e493bff8b363075452e21cbb5cb26167d8d1201c419 EAP-Message = 0x11569768a99eea5cff0fb0458e5615e42e8aec5417f2493f5b81cf7b9cdb4ad1995c0c8bced370d073ee8eefb21f833372027c4fcb84c23c73d1b44df6f5ca34e0d9f674900f9ddf1340179016868a3697a807624dd8f0ff7aea8460241df0a8a74eb8b0151171395155db1fd0b87be63c7047fda731126880bf2228332a38f11ac024cb944d68ce72da5f43d73609e82f92486f4eaad235b104ae3c93061600b3a54e895841eac966309ad0c18cccf17453210f450203010001a382018d30820189301d0603551d0e04160414b939b6ce8a52912eaece162418b1f4d8303d042e3081df0603551d230481d73081d48014b939b6ce8a52912eaece1624 EAP-Message = 0x18b1f4d8303d042ea181b0a481ad3081aa310b300906 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6179ba5cc238e25da7d0bbfaa7f48ec2 Finished request 13 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x6179ba5cc238e25da7d0bbfaa7f48ec2 EAP-Message = 0x021000060d00 Message-Authenticator = 0xc4de36b8d15b71d6503d44e5064b1ac5 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 14 modcall[authorize]: module "preprocess" returns ok for request 14 rlm_eap: EAP packet type response id 16 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 14 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 14 modcall: leaving group authorize (returns updated) for request 14 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 14 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 14 modcall: leaving group authenticate (returns handled) for request 14 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x0111040a0dc00000100e0355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005300f0603551d130101ff040530030101ff301106096086480186f842010104040302010630090603551d1204023000302b06096086480186f842010d041e161c54696e EAP-Message = 0x7943412047656e657261746564204365727469666963617465301d0603551d1104163014811273632d6974406b682d6265726c696e2e6465300b0603551d0f040403020106300d06092a864886f70d0101050500038202010060f0ab4236cda26ba7ceaedfd61052c52b73e1e028ffe29171395f9074e4beee7eab73afc427c17cd0f37e96c7af6eda553a92b2b426f723c283c8ea027f3ab17c93d1ffa7c8a29fedbc83f11f8731a140393c56aceffae318f7ebbca367fed9280513ce2cfad1257c59f056e3898e928f968baa6c3cc094ca50b9072674b8fa43ab0e31c4a7a54eb8f96ad4d275011a449807c3abe4865d8f837ee4d8db0c081af218c0 EAP-Message = 0x0a878d4c7e30268282034b35a666b8295eb53ee41bcda9345a7d48fdb7dc306180df06ec546e826d73d7dd62bf449c6eb948aa85c808893b308a32636cb151b044b839fc382f8623863d7ac78b7bf3e0f2c1ac4c8a69b9184e58733d966120ce334ab7212f23b85a8e8d5b2ada0f4cc7cb981fafd3585c398b351a06870271c71e537b4010a7d2914151b076a5f4094d1ab64e46a93dbba7456fa75be4006a172f6824219fad1b4c95322c6b9a1703515545ebbdae485fa994ac81fb8d308cdb58038d6c95c15d29f0a317e03877225eebe3647f28dc2361d7fb1894231e475805ec5e95ab5a37c96c70b000695caee3562f474af69b11fc67ccf54e9f EAP-Message = 0x0f1d1adc2c9038d56a9fa3454320444843fe38e00de285cb9120b24416fa909c259b52d069e64d0d9faa37c336f8bd3a8128a8f5e244029a5ded25e10bfc551dc08730e133a4e4b744cf3d8c038d38b1692c1d4876f92d109efcf136355c2216030100bd0d0000b50301020500af00ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f486653312130 EAP-Message = 0x1f06092a864886f70d010901161273632d6974406b68 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5d9d8b0057df148fc651bc9a2285fa89 Finished request 14 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x5d9d8b0057df148fc651bc9a2285fa89 EAP-Message = 0x021100060d00 Message-Authenticator = 0xd0f7bb33b488d0184214011d45f441cd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 15 modcall[authorize]: module "preprocess" returns ok for request 15 rlm_eap: EAP packet type response id 17 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 15 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 15 modcall: leaving group authorize (returns updated) for request 15 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 15 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 15 modcall: leaving group authenticate (returns handled) for request 15 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x011200180d800000100e2d6265726c696e2e64650e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa933742c9668ad2c0113a94a7260b40b Finished request 15 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=1591 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xa933742c9668ad2c0113a94a7260b40b EAP-Message = 0x021205d20dc000000bc31603010b930b00078300078000077d3082077930820561a00302010202012a300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3036303930313131313833325a170d3037303930 EAP-Message = 0x313131313833325a308198310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d49543111300f0603550403130876696e666f2d74313123302106092a864886f70d010901161476696e666f2d74312d6e65756572406c6f63616c30820222300d06092a864886f70d01010105000382020f003082020a0282020100b18a3f0af2253a6b7b341ff99f9e24a6609f6d713a4fb201bdd54cbed3071b162b1539c66654db5499ca640321d6546b94cf03be2a8b99354c EAP-Message = 0xc6440e479e13c5e2351cff190d88fdc18729807d495d0d965e52f9e55c9edf96d7fb09b045a018610f657c26730ca6ad79f3f9b54ddfe4477697a92d10127515e3a1c384e8d6d1aa93dc3435aa7387412a66e66afcc38671c806889034450f131a40d93d8056f047884aea4c4aa227f868adc26909dfc61f0dea21e8ea55ff831d12b415a24a3aa15de0871ed034da8743b089664377b4269297aadba01e6f88e1d314f37951fe71e61ea5da38523f7a69aff0334649a49b1a1fa42da2ced0b83c39785f5a791682a6b19b8fe69487622f5e1ec3d9ceaf8bb3211e6a81c252e16ce15767656c58beb13bc0cae1de938c1900f1ee727eed5870fc1901c9 EAP-Message = 0xe546349574e7b49ef07d47123e10535807e8186ba7f41656fe19bd54c36c04799eb7367550d27836cb3f229f648b139767e29364164123ec379969ec6ffd7c40e6c93c32d00b6c4976b183051b45e35ba08cb674739be00808809ed6582184753e871bccb1068664dafe46bb0b20cc4885a463294a28502c694c1577f5e66b28cae490a7234d2cd5407d119673335e2a3f24726bf077d68aa92fdc4fc8aa9eca709bd9637dee65ee966de96b99ff8693c4b07362734b73057c6cb638e0463e536a250ef429eaddd63ea30203010001a38201b8308201b430090603551d1304023000301106096086480186f84201010404030204b0302b060960864801 EAP-Message = 0x86f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e04160414c0720a9171d9e7a973ccb4b0ad17b4ed61af06b93081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06 EAP-Message = 0x092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301f0603551d1104183016811476696e666f2d74312d6e65756572406c6f63616c300e0603551d0f0101ff0404030205a030160603551d250101ff040c300a06082b06010505070302300d06092a864886f70d010105050003820201002b8b5adf8cddd67cfa0571cd173867feca7ac917203321554e8f41f953189df68b435d9416427009c7c6f1304ea086ff5717599c2c58b991bcc544fc Message-Authenticator = 0x240fcaee4fe2f6c8b3b0202f5614b8fe Processing the authorize section of radiusd.conf modcall: entering group authorize for request 16 modcall[authorize]: module "preprocess" returns ok for request 16 rlm_eap: EAP packet type response id 18 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 16 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 16 modcall: leaving group authorize (returns updated) for request 16 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 16 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS First Fragment of the message eaptls_verify returned 9 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 16 modcall: leaving group authenticate (returns handled) for request 16 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x011300060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbbe78aa63952e446ebe9ab5174aac8e8 Finished request 16 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=1591 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0xbbe78aa63952e446ebe9ab5174aac8e8 EAP-Message = 0x021305d20d4086beba4b46ca59a277fbc153a403766ff039c6fca35370d848d69f938ff19037f6b6d341f9692327f3833585b67c45c19a108c0343f2fb69c6eb19ed624f2a2cbfdca3e2d64860327a7a4768a7cac2804f7beaf7db967260203e53d1863ca7599484e29d0261eeb21bdd6e718370c6518e249f57fc3977ab0fd47900b6efb8a57c3359cf81c9c5b26b4f566a494686078fb6e904a35569c17d4873c36f74fdb47d7b57f9441e8c33d76d0241ace6e7f1c3d28b96a8a1c7b8035ec87ea197480fa41e7ba093866ee476f9d6e20d6aa701826ef468f4370d41582fc63bd550bbffaf4f98025183be1aa8d2a5d2dba0e6cff53969744b1fcf EAP-Message = 0x449a43d3a8addf3d68b4a14c4171a80d7312bfe9a1e9b3486810e41a75848895d3f29b2f51a79c522197628709276de510791b49f31aeafb44d452433eab636f3e46c3df5823e29e91cd832c45d6d2e69a9054a2a420f6bac3c403e1af36e8ba0fa0d4b1b6f4a2709b105257bea66fad471ef2678043b66ee14170754bce551ccb2b237177673e42b7cd8b11c135ca72c57df7cd1e741d3801df735927781da8776bb19786aeee2775fb8d9d74eb335196403c57629519dfeb599815230d97825bfd0655aa7ee88c6baf2d91b91000020202001ea3e0bbf3015ac3219593585bba603031281b916e9bc828b843b62eb22a5979032d6a2379bb698c7801 EAP-Message = 0x11fd752a28fd02d36754eb59732321b0bd7598aff2a33495e83df0bbeab1afe571e2cb833456506b8a6a46e8bf58331a4298496a797c439808fdd3fd48488444e371fb53d6e884a216c3455886b286a645c29f534fcb9b35a88988c90fb4cad5a390642ea323477f20d423992b2aabba48ed5e4b8cb171749923d913f8c8257f55963246bca0680511ad850248171a7a893635da58800fc162672582d4ce63c9fefe709d823c95cde4188e20d67b0e3197b4d887323062d71159e3b53be1c096c7f2e2f2906068eef5add2f22490492ca17190d6121926659ad25a4b5af8244404e365b2ad8e3fe5ba13f8642faaf29eea17501be86654ecbd6ccee4e7 EAP-Message = 0xeb3dbb86081087a7152915fb646c2a99796acc5150308ef7acac69d932fe95152af57317965f7037c12f7bec6fe249270c8534d01a6717d9ff15d914013b5ce3de0a34be1377b7a689a5cc7e74c7275e2ff50a81ef29622724e849ce727463734a9e2bc36f49da6913ba42c426085262d192ac00d5ed9b0016ba52491280a8f06cc61981de2c4a317bd6d3e7e0a1840e1e1f3b3b9532febde01abef099cbd56d990263b95ae12968175cb1b8f49de89dc8d35f7ae21b861537ed825f991186e2686d4aa701d9a54862c57610d9023981a291174537d7f21e940f00020202009792e38bf589b15d51e235d7e4b7257c240ef2197cbc523e7f1f06a91ad8 EAP-Message = 0x3f0a0d8c8a9ba88f16828710e99d04857a5e92cd77114769d1fba958fbd494cf280160a32b957b07ed4d5ea39107f0f04a28e0c9baae9023742de671b6416a28324230cee591653416fbed023ebcd3beb5dc7e9b653f9a696e3da64e47ce694b4c2e3390d73c73a2ed67f6205d4a790fca40d5f253cff5d1c07ed099384b237225182d2f7a3de28cea7dea2228bb05a54c00a406c60bfa4e98a65bb0c9109f49865b4ec10dee17f1d24d391eaaa8dc5221ae496f2a13598e2872a8d960b1d6c765663f2e87fd7d772a04f19f44a26edbb9f9b8435360e0a67a2be45ac06c34f43060af15cec606a1b8391ef4f7c6470c853d127a6939793eaf2e360935 EAP-Message = 0xcc8c98aecb44d1825aa263916d3a0b55e5d3b07fbe852c1b6f4b366697abbf6b4d6dcaac944904cc427223dbbced82a7c343ea7d1cf544d4b97072b35d86e890d34457e3c6b5856a936ce72406fc917bef33cfef0bfd33da369a6716f61c85206993e247bd986fac906c07d5ae1aea59411146820a616061498407db0cdc0f3218cec84e8ce742f014215676054efa12837c3673f3a2d33ae046539953dfadae8736590e1e13417643ab60216f631867cae1aa8332aded73f2211c13f72063ed01eb21b0f3e701bad68e3480cf67e3f4af6077e801f7871f6c845f465b87ee9c02 Message-Authenticator = 0x3676aa85809613a74f958ade4f0e6964 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 17 modcall[authorize]: module "preprocess" returns ok for request 17 rlm_eap: EAP packet type response id 19 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 17 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 17 modcall: leaving group authorize (returns updated) for request 17 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 17 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: More fragments to follow eaptls_verify returned 10 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 17 modcall: leaving group authenticate (returns handled) for request 17 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x011400060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x036b51ce3711c4403dc51cc5df01ecd9 Finished request 17 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=144 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x036b51ce3711c4403dc51cc5df01ecd9 EAP-Message = 0x021400350d000232e0771403010001011603010020331c53d76ee43f4db7107be4c3bb09b47a5c7b0b2c4da02e8b59a2988eebf2e6 Message-Authenticator = 0x5edd3cd7421da0315efade97535b61ce Processing the authorize section of radiusd.conf modcall: entering group authorize for request 18 modcall[authorize]: module "preprocess" returns ok for request 18 rlm_eap: EAP packet type response id 20 length 53 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 18 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 18 modcall: leaving group authorize (returns updated) for request 18 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 18 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 0787], Certificate chain-depth=1, error=0 --> User-Name = host/vinfo-t1 --> BUF-Name = ServiceCenter-IT_KHB_HfM_HfS --> subject = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de --> issuer = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de --> verify return:1 --> verify error:num=9:certificate is not yet valid rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate TLS_accept:error in SSLv3 read client certificate B 9054:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2482: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 18 modcall: leaving group authenticate (returns handled) for request 18 Sending Access-Challenge of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x011500110d80000000071503010002022a Message-Authenticator = 0x00000000000000000000000000000000 State = 0x79296886e86472d17b3281f8b1a77d17 Finished request 18 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 NAS-IP-Address = 10.48.244.21 NAS-Port-Type = Ethernet NAS-Port = 2 User-Name = "host/vinfo-t1" State = 0x79296886e86472d17b3281f8b1a77d17 EAP-Message = 0x021500060d00 Message-Authenticator = 0x537f24238453a140d4f6d3d21c17be71 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 rlm_eap: EAP packet type response id 21 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry host/vinfo-t1 at line 219 modcall[authorize]: module "files" returns ok for request 19 modcall: leaving group authorize (returns updated) for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 19 modcall: leaving group authenticate (returns invalid) for request 19 auth: Failed to validate the user. Delaying request 19 for 1 seconds Finished request 19 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97 Sending Access-Reject of id 0 to 10.48.244.21 port 49154 EAP-Message = 0x04150004 Message-Authenticator = 0x00000000000000000000000000000000 --- Walking the entire request list --- Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 19 ID 0 with timestamp 44cdf6a8 Nothing to do. Sleeping until we see a request. I don't know why the request ist send over again and again. Please help... Thanks Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
Ok, so we might conclude, that you're trying eap-tls. On 9/4/06, Alexandros Gougousoudis <gougousoudis@kh-berlin.de> wrote:
Hi,
I'am a step ahead. One problem was, that the Root-CA-cert must be put manually in the Trusted-Rootcertificate place (I use a german Windows, so I try to retranslate that into english) on the Windows-Client. It is not enough to import that automatically, although the cert shows up in the list of "Trusted Rootcertificates" in the "Authentification" menu of the network-settings. If made this running the mmc manually, opening the Certificate-dialog.
But it shows, that the problem is deeper. The netbiosname of the windows machine is "vinfo-t1", also the cert has this name as a CN. If the PC tries to authenticate the username comes as "host/vinfo-t1" to the radius server. Which makes the TLS verify fail. How can the name be truncated?
I can't even remotely unstand why you seem to look for help on one hand, but on the other one keep declining answers to questions put to you and insisting on false assumptions.
--> subject = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de --> issuer = /C=DE/ST=Berlin/L=Berlin/O=KHB HfM HfS/OU=ServiceCenter-IT/CN=ServiceCenter-IT_KHB_HfM_HfS/emailAddress=sc-it@kh-berlin.de --> verify return:1 --> verify error:num=9:certificate is not yet valid rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate
So this (assuming it's even the right one) rootCA is rejected by the server for the reason stated. Would you please explain how you come to the conclusion about the tls verify failing because of a CN/Username mismatch, when one would expect to read line like: radius_xlat: 'host/wbh' rlm_eap_tls: checking certificate CN (wbh) with xlat'ed value (host/wbh) in such a case. In your setup the server doesn't even reach that point. On a side note, if in some distant future it does, you might find check_cert_cn interesting. And while it doesn't cause any problem for now, would you please get rid of the "host/vinfo-t1" and "vinfo-t1" stanzas in your users file and use the default one, as that is a, at least, misguided setting, which could be the source of problems further down the road. (For the time being you don't need anything set there, esp no User-Password, as we, just now, can guess, you don't want eap-peap) regards K. Hoercher
Hi,
I can't even remotely unstand why you seem to look for help on one hand, but on the other one keep declining answers to questions put to you and insisting on false assumptions.
That's why I might not understand what you're asking. :-)
--> verify error:num=9:certificate is not yet valid rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate
I fixed that problem. The time on the certificate issueing server, the radius server and the client was different. So the cert wasn't valid, because the create-time was in the future. I've put all now in my NTP-server. The "check_cert_cn" was a test to check if the username has something to do the failing certs and is disabled now again. I found, if the certs are valid, the username is not important. I used the OIDs mentionend in the HowTOs, not Alans.
And while it doesn't cause any problem for now, would you please get rid of the "host/vinfo-t1" and "vinfo-t1" stanzas in your users file
The idea of that was to control the logon of already authorized clients, i.e. to not accept a client with a valid cert. This could be done more elegant with the CRL of SSL, but for now it's easier to maintain in the users file. Of course passwords are useless if nothing like PEAP is done (this entry was for testing). I conclude, it works now with W2K SP4. The main problem were different times on all participating computers. If confs and certs are done according to the ealier mentioned HowTo it'll work. Although the setting of the users file still stays unclear for me, because I don't know how to handle the acceptance of the clients, if the client can not be described via AuthType in the users file. Maybe somebody could enlighten me. I still have to check, if I really need the registry hack ( Set the "HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters \General\Global\AuthMode" value to '2) mentioned by Thibault LeMeur earlier on the list. Next I'll try to check the clients name against our LDAP-Database (for the samba domain) in the users file to allow only these clients, which are in our domain. Thanks for help Alex -- ServiceCenter IT - Alexandros Gougousoudis (Leiter) Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule für Musik "Hanns Eisler" und der Hochschule für Schauspielkunst "Ernst Busch". Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
participants (5)
-
Alan DeKok -
Alexandros Gougousoudis -
K. Hoercher -
Phil Mayers -
Stefan Winter