Problem with EAP/TLS and XP SP2
Hal Pomeranz
hal at deer-run.com
Fri Nov 4 22:24:13 CET 2005
Is there anybody on the mailing list who has Freeradius working as an
EAP/TLS authentication server for Windows XP SP2 supplicants? What
procedure did you use for creating and installing the server and
client certs?
--
Hal Pomeranz, Founder/CEO Deer Run Associates hal at deer-run.com
Network Connectivity and Security, Systems Management, Training
On Wed Nov 02 09:22, Hal Pomeranz wrote:
> Radius Server: Freeradius 1.0.5 on Solaris 8 (Sparc)
> Client: Windows XP (SP2), Intel PRO/Wireless 2915 (a/b/g)
> Access Point: DLink DI-784
>
> I'm having trouble getting my laptop (running Windows XP SP2) to
> authenticate to my access point using EAP/TLS. XP shows the wireless
> interface hung forever in "Attempting to authenticate" state. I've
> been beating my head against this all day without success, although I
> think I'm close and just missing something stupid and obvious.
>
> In the debugging log from "radiusd -X" below, I can see my laptop
> communicating with the radius server. I'm definitely seeing the
> correct username ("HalPomeranz") from the certificate I installed
> on the laptop. The radius server is finding the username entry
> in my "users" file. The only thing that looks like an error is
> the lines that read:
>
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 005e], CertificateRequest
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
>
> I Googled a bit for this error message and turned up some mailing list
> traffic describing similar problems, but no solutions. Perhaps this
> is a red herring, however.
>
> Note that I am successfully using this same radius server to
> authenticate some older clients which use LEAP to connect via a
> different access point, so I'm thinking my radius config is basically
> sound.
>
> Does anybody have any suggestions for how to resolve my problem?
> Anybody seen anything like this before? Thanks in advance...
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Hal Pomeranz, Founder/CEO Deer Run Associates hal at deer-run.com
> Network Connectivity and Security, Systems Management, Training
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file: /var/freeradius/etc/raddb/proxy.conf
> Config: including file: /var/freeradius/etc/raddb/clients.conf
> Config: including file: /var/freeradius/etc/raddb/snmp.conf
> Config: including file: /var/freeradius/etc/raddb/eap.conf
> Config: including file: /var/freeradius/etc/raddb/sql.conf
> main: prefix = "/var/freeradius"
> main: localstatedir = "/var/freeradius/var"
> main: logdir = "/var/freeradius/var/log/radius"
> main: libdir = "/var/freeradius/lib"
> main: radacctdir = "/var/freeradius/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 1812
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = "/var/freeradius/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = "/var/freeradius/var/run/radiusd/radiusd.pid"
> main: user = "radiusd"
> main: group = "radiusd"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/var/freeradius/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = yes
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /var/freeradius/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/var/freeradius/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "tls"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file = "/var/freeradius/etc/raddb/certs/server_key.pem"
> tls: certificate_file = "/var/freeradius/etc/raddb/certs/server_cert.pem"
> tls: CA_file = "/var/freeradius/etc/raddb/certs/cacert.pem"
> tls: private_key_password = ""
> tls: dh_file = "/var/freeradius/etc/raddb/certs/dh"
> tls: random_file = "/var/freeradius/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = yes
> tls: check_cert_cn = "%{User-Name}"
> rlm_eap: Loaded and initialized type tls
> peap: default_eap_type = "mschapv2"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups = "/var/freeradius/etc/raddb/huntgroups"
> preprocess: hints = "/var/freeradius/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/var/freeradius/etc/raddb/users"
> files: acctusersfile = "/var/freeradius/etc/raddb/acct_users"
> files: preproxy_usersfile = "/var/freeradius/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile = "/var/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/var/freeradius/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.100.4:1435, id=199, length=139
> User-Name = "HalPomeranz"
> NAS-IP-Address = 192.168.100.4
> NAS-Port = 0
> Called-Station-Id = "00-0D-88-C5-20-71"
> Calling-Station-Id = "00-15-00-0E-F4-F5"
> NAS-Identifier = "DI-784"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020100100148616c506f6d6572616e7a
> Message-Authenticator = 0xe476642b4d621276fdcfa07fc848c5d6
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> modcall[authorize]: module "chap" returns noop for request 0
> modcall[authorize]: module "mschap" returns noop for request 0
> rlm_realm: No '@' in User-Name = "HalPomeranz", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 1 length 16
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry HalPomeranz at line 101
> modcall[authorize]: module "files" returns ok for request 0
> modcall: group authorize returns updated for request 0
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
> modcall: group authenticate returns handled for request 0
> Sending Access-Challenge of id 199 to 192.168.100.4:1435
> EAP-Message = 0x010200060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf5332abd7af77b9911176ec9aa69e0e8
> Finished request 0
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.100.4:1435, id=200, length=221
> User-Name = "HalPomeranz"
> NAS-IP-Address = 192.168.100.4
> NAS-Port = 0
> Called-Station-Id = "00-0D-88-C5-20-71"
> Calling-Station-Id = "00-15-00-0E-F4-F5"
> NAS-Identifier = "DI-784"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020200500d800000004616030100410100003d030143696dabf9029fc190693ca4dc70364a394a56ff89289a020122f2e7346c770500001600040005000a000900640062000300060013001200630100
> State = 0xf5332abd7af77b9911176ec9aa69e0e8
> Message-Authenticator = 0x438ea47659b46e7e17bb9a54f66f02be
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> modcall[authorize]: module "chap" returns noop for request 1
> modcall[authorize]: module "mschap" returns noop for request 1
> rlm_realm: No '@' in User-Name = "HalPomeranz", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> rlm_eap: EAP packet type response id 2 length 80
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 1
> users: Matched entry HalPomeranz at line 101
> modcall[authorize]: module "files" returns ok for request 1
> modcall: group authorize returns updated for request 1
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0510], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 005e], CertificateRequest
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 1
> modcall: group authenticate returns handled for request 1
> Sending Access-Challenge of id 200 to 192.168.100.4:1435
> EAP-Message = 0x0103040a0dc0000005c7160301004a02000046030143696da6a2b012e765aa3f113c4c1ed6e28c40f51807859cd4394962388ae6e0202f9cf584c484b68b3aa0eb66ee1d1edec787b87407a2bf043891da3dc798f42b00040016030105100b00050c00050900024730820243308201aca003020102020101300d06092a864886f70d0101040500304d310b3009060355040613025553310f300d060355040813064f7265676f6e310f300d06035504071306457567656e65311c301a060355040a1313446565722052756e204173736f636961746573301e170d3035313130323139323533385a170d3036313130323139323533385a3069310b300906
> EAP-Message = 0x0355040613025553310f300d060355040813064f7265676f6e310f300d06035504071306457567656e65311c301a060355040a1313446565722052756e204173736f636961746573311a301806035504031311646565722e646565722d72756e2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c0511b635bded2881c4db827a89c521fbcc5a06b435b4ad56cd1b9b8ad0e78815ef2bd5d1e60e7a4c7f6b1a154cde960cf5de365fdd2fa462b3b90934d252245e87996b4031326e118dc68f9c9f6e3efb08958ba388f7677c47ecbf35514a74f27926b6a39d7f452c9caa2fb9d98fd3bdde64c4aa8f1b81228f502d1
> EAP-Message = 0x117dcd5f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100243b1d366876ce82374e51d6e84e0a7e93a70558baad71a2a43ddc3602bc87df8c8d96fc2e903e1b68ae3bfdd5e1e8e1764d7d636d7bcdd0aa4a2f33598115ad1b6d90d43596654f4f956f26ad6cfc6d47330bc0d2a57e8e1998b9fc6da570c117a643bb699091f80f5aff0c44f6bb875ef27e0d79fbfda8ca01763debfff8960002bc308202b830820221a003020102020100300d06092a864886f70d0101040500304d310b3009060355040613025553310f300d060355040813064f7265676f6e310f300d0603
> EAP-Message = 0x5504071306457567656e65311c301a060355040a1313446565722052756e204173736f636961746573301e170d3035313130323139313931355a170d3036313130323139313931355a304d310b3009060355040613025553310f300d060355040813064f7265676f6e310f300d06035504071306457567656e65311c301a060355040a1313446565722052756e204173736f63696174657330819f300d06092a864886f70d010101050003818d0030818902818100c16d27eab105d0e179e6a58207dd1b7d0c1a5a64f761506275abebf495254f4e242f9d13926e56bfe0bb8d9130afca9287746c12c5eed4f0ae5233ecc412bba6693cf9fad4e1db0f
> EAP-Message = 0x4f4b39c0f47ed5293975a9448d479ca38fbddeef68e1
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf608c3c340e7dcd273e77d1ca5afd315
> Finished request 1
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.100.4:1435, id=201, length=147
> User-Name = "HalPomeranz"
> NAS-IP-Address = 192.168.100.4
> NAS-Port = 0
> Called-Station-Id = "00-0D-88-C5-20-71"
> Calling-Station-Id = "00-15-00-0E-F4-F5"
> NAS-Identifier = "DI-784"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020300060d00
> State = 0xf608c3c340e7dcd273e77d1ca5afd315
> Message-Authenticator = 0x399bf08221ad337dec5353e34d1f3f9e
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> modcall[authorize]: module "preprocess" returns ok for request 2
> modcall[authorize]: module "chap" returns noop for request 2
> modcall[authorize]: module "mschap" returns noop for request 2
> rlm_realm: No '@' in User-Name = "HalPomeranz", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 2
> rlm_eap: EAP packet type response id 3 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 2
> users: Matched entry HalPomeranz at line 101
> modcall[authorize]: module "files" returns ok for request 2
> modcall: group authorize returns updated for request 2
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 2
> modcall: group authenticate returns handled for request 2
> Sending Access-Challenge of id 201 to 192.168.100.4:1435
> EAP-Message = 0x010401d10d80000005c709eeaeeb99893a248df35086a268947b61542d3988e761db738040976f08e84fd7830203010001a381a73081a4301d0603551d0e0416041400b41eff09bcce9ad9f1b04ba50419a7db44a7f030750603551d23046e306c801400b41eff09bcce9ad9f1b04ba50419a7db44a7f0a151a44f304d310b3009060355040613025553310f300d060355040813064f7265676f6e310f300d06035504071306457567656e65311c301a060355040a1313446565722052756e204173736f636961746573820100300c0603551d13040530030101ff300d06092a864886f70d010104050003818100b8ddea1e6f5851b78cca0feab23bd8
> EAP-Message = 0x9b7d268ab9250ccd7a7d720d6c2cf103477a6445773dca5be28fd44611b9e4a2a9a6331550fbad950e21fea1ff8e70a3d178c9d1ebf13b12cd80d6ce561be9699a922a722207d4950140bb0aeb3d8b3e22021a83c91948f1903b4eaedb66a1288837436871f1a57bda39f374a3fb8af28b160301005e0d0000560201020051004f304d310b3009060355040613025553310f300d060355040813064f7265676f6e310f300d06035504071306457567656e65311c301a060355040a1313446565722052756e204173736f6369617465730e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x86870d983715d15f6919bdba762433c2
> Finished request 2
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 192.168.100.4:1435, id=202, length=147
> User-Name = "HalPomeranz"
> NAS-IP-Address = 192.168.100.4
> NAS-Port = 0
> Called-Station-Id = "00-0D-88-C5-20-71"
> Calling-Station-Id = "00-15-00-0E-F4-F5"
> NAS-Identifier = "DI-784"
> Framed-MTU = 1380
> NAS-Port-Type = Wireless-802.11
> EAP-Message = 0x020400060d00
> State = 0x86870d983715d15f6919bdba762433c2
> Message-Authenticator = 0xeda680bdf69e5dd588260e1c36169581
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> modcall[authorize]: module "preprocess" returns ok for request 3
> modcall[authorize]: module "chap" returns noop for request 3
> modcall[authorize]: module "mschap" returns noop for request 3
> rlm_realm: No '@' in User-Name = "HalPomeranz", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 3
> rlm_eap: EAP packet type response id 4 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 3
> users: Matched entry HalPomeranz at line 101
> modcall[authorize]: module "files" returns ok for request 3
> modcall: group authorize returns updated for request 3
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 202 to 192.168.100.4:1435
> EAP-Message = 0x0105000a0d8000000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x2b04eed7fe0be0ec28fbba826e52b47c
> Finished request 3
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 199 with timestamp 43696da6
> Cleaning up request 1 ID 200 with timestamp 43696da6
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 201 with timestamp 43696da7
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 3 ID 202 with timestamp 43696da8
> Nothing to do. Sleeping until we see a request.
More information about the Freeradius-Users
mailing list