EAP-TLS

freeradius at zoftdev.com freeradius at zoftdev.com
Sat Aug 13 00:57:45 CEST 2005


Hi all


I configured EAP-TLS following

http://www.alphacore.net/spipen/article.php3?id_article=1

I don't understand why I got "TLS_accept:error in SSLv3 read client certificate A":

    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode

and sometimes I got "SSL negotiation finished successfully",

but eaptls_process returned handled ("modcall[authenticate]: module "eap" returns handled for request 3"). Why not ok?

  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 02e4], Certificate
chain-depth=1,
error=0
--> User-Name = mobile
--> BUF-Name = matilda
--> subject = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=matilda/emailAddress=matilda at zoftdev.com
--> issuer  = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=matilda/emailAddress=matilda at zoftdev.com
--> verify return:1
chain-depth=0,
error=0
--> User-Name = mobile
--> BUF-Name = mobile
--> subject = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=mobile/emailAddress=matilda at zoftdev.com
--> issuer  = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=matilda/emailAddress=matilda at zoftdev.com
--> verify return:1
    TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
    TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 23 to 192.168.101.29:1239



Ready to process requests.
rad_recv: Access-Request packet from host 192.168.101.29:1239, id=20,
length=143
        User-Name = "mobile"
        NAS-IP-Address = 192.168.101.29
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-AC-A3-80"
        Calling-Station-Id = "00-04-23-52-E4-10"
        NAS-Identifier = "jameslong5 On Center"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000b016d6f62696c65
        Message-Authenticator = 0xcc20399e49cf1b257bdf7d820424d89f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "mobile", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry mobile at line 219
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 20 to 192.168.101.29:1239
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x34d599218f561dce9524e244c5cc874d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.29:1239, id=21,
length=230
        User-Name = "mobile"
        NAS-IP-Address = 192.168.101.29
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-AC-A3-80"
        Calling-Station-Id = "00-04-23-52-E4-10"
        NAS-Identifier = "jameslong5 On Center"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x020200500d800000004616030100410100003d030142fd2917e892c20b68f495c58695ece35b355b986b0362d67237ab6a81446fe500001600040005000a000900640062000300060013001200630100
        State = 0x34d599218f561dce9524e244c5cc874d
        Message-Authenticator = 0x7dcff4d08c8b3ad1e6197c3b77b609c5
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "mobile", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 2 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 152
    users: Matched entry mobile at line 219
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 06bf], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b2], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 21 to 192.168.101.29:1239
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message = 0x3122302006092a864886f70d01090116136d6174696c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9b6a342a9b2b46b02bfc05030ae0b2ee
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.101.29:1239, id=22,
length=156
        User-Name = "mobile"
        NAS-IP-Address = 192.168.101.29
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-AC-A3-80"
        Calling-Station-Id = "00-04-23-52-E4-10"
        NAS-Identifier = "jameslong5 On Center"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300060d00
        State = 0x9b6a342a9b2b46b02bfc05030ae0b2ee
        Message-Authenticator = 0xec3d9e7d18a4299da1cdfb3d16e7865e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "mobile", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry mobile at line 219
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 22 to 192.168.101.29:1239
        EAP-Message =
0x010403d40d80000007ca6461407a6f66746465762e636f6d301e170d3035303831323137343630375a170d3035303931313137343630375a3081a0310b30090603550406130254483111300f06035504081308536f6e674b686c613110300e060355040713074861742d596169311e301c060355040a13154a616d65736c6f6e6720495420536f6c7574696f6e31163014060355040b130d41646d696e6973747261746f723110300e060355040313076d6174696c64613122302006092a864886f70d01090116136d6174696c6461407a6f66746465762e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cacc22cc5b
        EAP-Message =
        EAP-Message =
        EAP-Message =
0xb16d5644a0400b266508ec52349e6c2b049bc69e2105508674a48ac502eee827ee5c67b71cb716030100b20d0000aa02010200a500a33081a0310b30090603550406130254483111300f06035504081308536f6e674b686c613110300e060355040713074861742d596169311e301c060355040a13154a616d65736c6f6e6720495420536f6c7574696f6e31163014060355040b130d41646d696e6973747261746f723110300e060355040313076d6174696c64613122302006092a864886f70d01090116136d6174696c6461407a6f66746465762e636f6d0e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x21cd9c86d8ccd5eeb592c3946879a337
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.101.29:1239, id=23,
length=1224
        User-Name = "mobile"
        NAS-IP-Address = 192.168.101.29
        NAS-Port = 0
        Called-Station-Id = "00-80-C8-AC-A3-80"
        Calling-Station-Id = "00-04-23-52-E4-10"
        NAS-Identifier = "jameslong5 On Center"
        Framed-MTU = 1380
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0204042a0d800000042016030103f00b0002e00002dd0002da308202d63082023fa003020102020900cd64af112d8e3f20300d06092a864886f70d01010405003081a0310b30090603550406130254483111300f06035504081308536f6e674b686c613110300e060355040713074861742d596169311e301c060355040a13154a616d65736c6f6e6720495420536f6c7574696f6e31163014060355040b130d41646d696e6973747261746f723110300e060355040313076d6174696c64613122302006092a864886f70d01090116136d6174696c6461407a6f66746465762e636f6d301e170d3035303831323137353530305a170d30363038313231
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message =
0xdb8eff69472bfc6fb927761403010001011603010020ad6706b7670f0b4de4e9c1cab4403e17fd15ec16aa437c6f181859051c330557
        State = 0x21cd9c86d8ccd5eeb592c3946879a337
        Message-Authenticator = 0x754db892f17e8d5624eb42e38996702c
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '@' in User-Name = "mobile", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 152
    users: Matched entry mobile at line 219
  modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 02e4], Certificate
chain-depth=1,
error=0
--> User-Name = mobile
--> BUF-Name = matilda
--> subject = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=matilda/emailAddress=matilda at zoftdev.com
--> issuer  = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=matilda/emailAddress=matilda at zoftdev.com
--> verify return:1
chain-depth=0,
error=0
--> User-Name = mobile
--> BUF-Name = mobile
--> subject = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=mobile/emailAddress=matilda at zoftdev.com
--> issuer  = /C=TH/ST=SongKhla/L=Hat-Yai/O=Jameslong IT
Solution/OU=Administrator/CN=matilda/emailAddress=matilda at zoftdev.com
--> verify return:1
    TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
    TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3


Thank you.
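The log above is easier to read once the EAP-Message attribute values are decoded: each RADIUS exchange carries one EAP packet (code, id, length, type) whose EAP-TLS body is a flags byte, an optional 4-byte total length, and a TLS record. While the TLS handshake is still in flight the server answers every round with an Access-Challenge, which is why rlm_eap returns "handled" rather than "ok"; "ok" and Access-Accept follow only after the client's final empty ACK of the server's Finished, which is one round later than where the quoted log stops. The decoder below is an added example, not code from the post or from FreeRADIUS; the sample values are copied from the EAP-Message lines above (the Certificate one truncated to its first bytes as it is on the page), and the field layout follows RFC 3748 and RFC 5216.

```python
import struct

# Added example (not part of the original post): decode the EAP-Message
# attribute values printed in a FreeRADIUS EAP-TLS debug log.
#
# EAP packet (RFC 3748):   code(1) identifier(1) length(2) [type(1) data...]
# EAP-TLS data (RFC 5216): flags(1) [tls_message_length(4) if L bit set] tls_data
#
# Only the first EAP-Message attribute of a RADIUS packet carries the EAP
# header; the following attributes are continuation bytes, so "length" may
# exceed the bytes present in the first attribute alone ("truncated" below).

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13

FLAG_L = 0x80  # Length included: 4-byte total TLS message length follows
FLAG_M = 0x40  # More fragments follow
FLAG_S = 0x20  # EAP-TLS Start (server -> client, empty payload)

TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
                 15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


def decode_eap_message(hexstr):
    """Describe one EAP-Message attribute value given as hex ('0x' prefix optional)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": length > len(data)}   # rest of the packet is in later attributes
    if code not in (1, 2) or len(data) < 5:
        return info                             # Success/Failure carry no type byte
    eap_type = data[4]
    info["type"] = eap_type
    if eap_type == EAP_TYPE_IDENTITY:
        info["identity"] = data[5:length].decode("ascii", "replace")
    elif eap_type == EAP_TYPE_TLS and len(data) >= 6:
        flags = data[5]
        info["flags"] = [n for bit, n in ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S")) if flags & bit]
        pos = 6
        if (flags & FLAG_L) and len(data) >= 10:
            info["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
            pos = 10
        payload = data[pos:]
        info["tls_payload_len"] = len(payload)
        if not payload and not (flags & FLAG_S):
            info["ack"] = True                  # empty body, no flags: EAP-TLS ACK
        elif len(payload) >= 5:
            ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[:5])
            rec = {"content": TLS_CONTENT.get(ctype, ctype), "version": f"{vmaj}.{vmin}", "length": rlen}
            if ctype == 22 and len(payload) >= 6:
                rec["handshake"] = TLS_HANDSHAKE.get(payload[5], payload[5])
            info["tls_record"] = rec
    return info


# Values copied from the EAP-Message lines in the log above (last one cut short).
SAMPLES = {
    "request 0 (identity)": "0x0201000b016d6f62696c65",
    "challenge 20 (EAP-TLS start)": "0x010200060d20",
    "request 1 (ClientHello)": "0x020200500d800000004616030100410100003d030142fd2917e892c20b68f495c58695ece35b355b986b0362d67237ab6a81446fe500001600040005000a000900640062000300060013001200630100",
    "request 2 (ACK)": "0x020300060d00",
    "request 3 (client Certificate, first bytes)": "0x0204042a0d800000042016030103f00b0002e0",
}


def decode_samples():
    """Decode every sample; returns a list of (label, info) pairs."""
    return [(label, decode_eap_message(value)) for label, value in SAMPLES.items()]


if __name__ == "__main__":
    for label, info in decode_samples():
        print(f"{label}: {info}")
```

Run as a script it prints one decoded line per sample; pipe any other `EAP-Message = 0x...` value from a `radiusd -X` log into `decode_eap_message` to see the flags and the TLS record type that rlm_eap_tls is reacting to at that step.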




More information about the Freeradius-Users mailing list