unknown certificate??
Armin Krämer
Kraemer.Armin at web.de
Mon Dec 26 14:17:41 CET 2005
Hi,
I installed the current version of freeradius on a Debian system and
generated a CA and server/client certificates with TinyCA2. I want to
authenticate the clients using EAP/TLS. But now I get this output of
freeradius and freeradius freezes at this point. Can someone tell me why
this happens?
Sending Access-Challenge of id 22 to 192.168.1.252:1326
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd18c60556f39fcd47f7a825bbd1b5a27
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.252:1327, id=23, length=130
User-Name = "Kraemer.Armin"
NAS-IP-Address = 192.168.1.252
NAS-Identifier = "acess_point_siemens"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xd18c60556f39fcd47f7a825bbd1b5a27
EAP-Message = 0x021700060d00
Message-Authenticator = 0xe4c3119fa2de7a9cc9e9a4ec080c3826
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "Kraemer.Armin", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 23 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 23 to 192.168.1.252:1327
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x54581dba1086732b25cb0cb40ef1191d
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.252:1328, id=24, length=141
User-Name = "Kraemer.Armin"
NAS-IP-Address = 192.168.1.252
NAS-Identifier = "acess_point_siemens"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x54581dba1086732b25cb0cb40ef1191d
EAP-Message = 0x021800110d80000000071503010002022e
Message-Authenticator = 0xb63955ca477f1467fdb23903d11cfcda
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "chap" returns noop for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_realm: No '@' in User-Name = "Kraemer.Armin", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 7
rlm_eap: EAP packet type response id 24 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal certificate_unknown
TLS Alert read:fatal:certificate unknown
TLS_accept:failed in SSLv3 read client certificate A
30107:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1052:SSL alert number 46
30107:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.1.252:1328, id=24, length=141
Sending Access-Reject of id 24 to 192.168.1.252:1328
EAP-Message = 0x04180004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 18 with timestamp 43afecd0
Cleaning up request 2 ID 19 with timestamp 43afecd0
Cleaning up request 3 ID 20 with timestamp 43afecd0
Cleaning up request 4 ID 21 with timestamp 43afecd0
Cleaning up request 5 ID 22 with timestamp 43afecd0
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 23 with timestamp 43afecd1
Cleaning up request 7 ID 24 with timestamp 43afecd1
Nothing to do. Sleeping until we see a request.
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9831ff3ccc7728edaf1d4355ba4d86a3
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.252:1326, id=22, length=130
User-Name = "Kraemer.Armin"
NAS-IP-Address = 192.168.1.252
NAS-Identifier = "acess_point_siemens"
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x9831ff3ccc7728edaf1d4355ba4d86a3
EAP-Message = 0x021600060d00
Message-Authenticator = 0xa2a46a1306f46b8c0c6fcce6b647e566
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "Kraemer.Armin", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 22 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
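
Added example, not part of the original post and not FreeRADIUS code: a small decoder for the short EAP-Message values in the log above. It shows that the fatal certificate_unknown alert arrives inside an EAP Response, that is, it was sent by the client. The function and table names are illustrative assumptions.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                      # EAP-TLS method type (RFC 5216)
TLS_ALERT_RECORD = 21                  # TLS record content type "alert"
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Certificate-related alert descriptions from the TLS specification
ALERT_NAMES = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}


def decode_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug log."""
    text = hex_value[2:] if hex_value.startswith("0x") else hex_value
    data = bytes.fromhex(text)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field does not match the data")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length < 6 or data[4] != EAP_TYPE_TLS:
        return out                     # Success/Failure or another method
    flags, body = data[5], data[6:]
    out["length_included"] = bool(flags & 0x80)   # L flag
    out["more_fragments"] = bool(flags & 0x40)    # M flag
    if flags & 0x80:
        if len(body) < 4:
            raise ValueError("L flag set but no TLS message length")
        out["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    # No flags and no TLS data: acknowledgement of a received fragment
    out["ack"] = flags == 0 and not body
    # Unencrypted alert record: type, version (2), length (2), level, description
    if len(body) == 7 and body[0] == TLS_ALERT_RECORD and body[3:5] == b"\x00\x02":
        out["alert"] = (ALERT_LEVELS.get(body[5], body[5]),
                        ALERT_NAMES.get(body[6], body[6]))
    return out


if __name__ == "__main__":
    # Values copied from the log above (requests 6 and 7, then the reject)
    for value in ("0x021700060d00",
                  "0x021800110d80000000071503010002022e",
                  "0x04180004"):
        print(value, decode_eap(value))
```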