FreeRadius EAP-TLS issue

Brian A. Seklecki lavalamp at spiritual-machines.org
Wed Nov 16 18:02:29 CET 2005


If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123 
-cacert /blah".

Are you sure that you have imported and "trusted" your CA's certificate on 
both the client and the server?

This is when I let the other guys make suggestions.

I was just curious if EAP-TLS with client certificates was simply a way of 
delivering the username to the client, letting the client authenticate the 
server and the server authenticate the identity of the client, and then 
providing for another password-based mechanism.

Or if the certificate TLS handshake was sufficient for authorization and 
authentication...

For example, Apache SSL can be told to verify client certificates, but 
htaccess would still be required.

With SMTP, client and server SSL verification can be compelled, but for 
SMTP AUTH for relay, username/password authentication would still be 
required.


~BAS

On Wed, 16 Nov 2005, Hamid Salim wrote:

> It should not be asking/expecting any userid/password pair. I have
> installed the certificates on the supplicant machine which should be
> sufficient to authenticate without any password requirements. I am not
> sure why the certs are not working???
>
>
> Brian A. Seklecki wrote:
>
>
>>
>>   rlm_eap_tls: Received unexpected tunneled data after successful
>> handshake.
>>
>> ...that's what I get when I try an invalid password in my EAP + Cisco 1200
>> + LDAP + PEAP/MS-CHAPv2 configuration.
>>
>> Let me ask...how is the client certificate method supposed to work?
>>
>> Is the username embedded in the CN/CommonName attribute of the certificate
>> and the user is prompted for a password which you set up in authenticate {} ?
>>
>> Is that any more secure than using PEAP/MS-CHAPv2 ?
>>
>> ~BAS
>>
>>
>> On Wed, 16 Nov 2005, Hamid Salim wrote:
>>
>>> Hi,
>>> I am just wondering if anyone has encountered the same issue. I have
>>> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
>>> For some reason I am getting:
>>>
>>> auth: Failed to validate the user.
>>> Login incorrect: [radiustst/<no User-Password attribute>] (from client
>>> testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>
>>> The complete listing is attached. I am using certificates and the SSL
>>> session is created successfully, so why is FreeRadius expecting a
>>> userid/password?
>>>
>>> Any help will be appreciated.
>>>
>>> Thanks
>>> Hamid.
>>>
>>> ============= Complete Listing =================
>>> Going to the next request
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71,
>>> length=1247
>>>        User-Name = "radiustst"
>>>        NAS-IP-Address = 129.10.56.156
>>>        Called-Station-Id = "00-20-a6-4a-12-21"
>>>        Calling-Station-Id = "00-10-c6-38-af-7b"
>>>        NAS-Identifier = "APtest3"
>>>        State = 0xb9a67433435733a42f7cbd528aa6ae7a
>>>        Framed-MTU = 1400
>>>        NAS-Port-Type = Wireless-802.11
>>>        EAP-Message =
>>>        Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
>>>  Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 8
>>>  modcall[authorize]: module "preprocess" returns ok for request 8
>>> radius_xlat:  '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
>>> rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
>>> /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
>>>  modcall[authorize]: module "auth_log" returns ok for request 8
>>>    rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
>>>    rlm_realm: No such realm "NULL"
>>>  modcall[authorize]: module "suffix" returns noop for request 8
>>>  rlm_eap: EAP packet type response id 5 length 253
>>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>  modcall[authorize]: module "eap" returns updated for request 8
>>>    users: Matched entry radiustst at line 54
>>>  modcall[authorize]: module "files" returns ok for request 8
>>> modcall: group authorize returns updated for request 8
>>>  rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>  Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 8
>>>  rlm_eap: Request found, released from the list
>>>  rlm_eap: EAP/tls
>>>  rlm_eap: processing type tls
>>>  rlm_eap_tls: Authenticate
>>>  rlm_eap_tls: processing TLS
>>> rlm_eap_tls:  Length Included
>>>  eaptls_verify returned 11
>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate
>>> chain-depth=1,
>>> error=0
>>> --> User-Name = radiustst
>>> --> BUF-Name = ECEAuthServer
>>> --> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
>>> --> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
>>> --> verify return:1
>>> chain-depth=0,
>>> error=0
>>> --> User-Name = radiustst
>>> --> BUF-Name = radiustst
>>> --> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst
>>> --> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
>>> --> verify return:1
>>>    TLS_accept: SSLv3 read client certificate A
>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>>    TLS_accept: SSLv3 read client key exchange A
>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
>>>    TLS_accept: SSLv3 read certificate verify A
>>>  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
>>>    TLS_accept: SSLv3 read finished A
>>>  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
>>>    TLS_accept: SSLv3 write change cipher spec A
>>>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
>>>    TLS_accept: SSLv3 write finished A
>>>    TLS_accept: SSLv3 flush data
>>>    (other): SSL negotiation finished successfully
>>> SSL Connection Established
>>>  eaptls_process returned 13
>>>  modcall[authenticate]: module "eap" returns handled for request 8
>>> modcall: group authenticate returns handled for request 8
>>> Sending Access-Challenge of id 71 to 129.10.56.156:6001
>>>        EAP-Message = 0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c24322bdbd6ca0af149ba46d197f153a7f4f32
>>>        Message-Authenticator = 0x00000000000000000000000000000000
>>>        State = 0x70ed13d02f1854999ba5b4513143d53d
>>> Finished request 8
>>> Going to the next request
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
>>> length=167
>>>        User-Name = "radiustst"
>>>        NAS-IP-Address = 129.10.56.156
>>>        Called-Station-Id = "00-20-a6-4a-12-21"
>>>        Calling-Station-Id = "00-10-c6-38-af-7b"
>>>        NAS-Identifier = "APtest3"
>>>        State = 0x70ed13d02f1854999ba5b4513143d53d
>>>        Framed-MTU = 1400
>>>        NAS-Port-Type = Wireless-802.11
>>>        EAP-Message =
>>> 0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115
>>>        Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094
>>>  Processing the authorize section of radiusd.conf
>>> modcall: entering group authorize for request 9
>>>  modcall[authorize]: module "preprocess" returns ok for request 9
>>> radius_xlat:  '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
>>> rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
>>> /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
>>>  modcall[authorize]: module "auth_log" returns ok for request 9
>>>    rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
>>>    rlm_realm: No such realm "NULL"
>>>  modcall[authorize]: module "suffix" returns noop for request 9
>>>  rlm_eap: EAP packet type response id 6 length 33
>>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>  modcall[authorize]: module "eap" returns updated for request 9
>>>    users: Matched entry radiustst at line 54
>>>  modcall[authorize]: module "files" returns ok for request 9
>>> modcall: group authorize returns updated for request 9
>>>  rad_check_password:  Found Auth-Type EAP
>>> auth: type "EAP"
>>>  Processing the authenticate section of radiusd.conf
>>> modcall: entering group authenticate for request 9
>>>  rlm_eap: Request found, released from the list
>>>  rlm_eap: EAP/tls
>>>  rlm_eap: processing type tls
>>>  rlm_eap_tls: Authenticate
>>>  rlm_eap_tls: processing TLS
>>> rlm_eap_tls:  Length Included
>>>  eaptls_verify returned 11
>>>  eaptls_process returned 7
>>>  rlm_eap_tls: Received unexpected tunneled data after successful
>>> handshake.
>>> rlm_eap: Handler failed in EAP/tls
>>>  rlm_eap: Failed in EAP select
>>>  modcall[authenticate]: module "eap" returns invalid for request 9
>>> modcall: group authenticate returns invalid for request 9
>>> auth: Failed to validate the user.
>>> Login incorrect: [radiustst/<no User-Password attribute>] (from client
>>> testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>> Delaying request 9 for 1 seconds
>>> Finished request 9
>>> Going to the next request
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
>>> length=167
>>> Sending Access-Reject of id 72 to 129.10.56.156:6001
>>>        EAP-Message = 0x04060004
>>>        Message-Authenticator = 0x00000000000000000000000000000000
>>> --- Walking the entire request list ---
>>> Waking up in 1 seconds...
>>> --- Walking the entire request list ---
>>> Cleaning up request 5 ID 68 with timestamp 437a661d
>>> Cleaning up request 6 ID 69 with timestamp 437a661d
>>> Cleaning up request 7 ID 70 with timestamp 437a661d
>>> Cleaning up request 8 ID 71 with timestamp 437a661d
>>> Cleaning up request 9 ID 72 with timestamp 437a661d
>>> Nothing to do.  Sleeping until we see a request.
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>>
>>
>> l8*
>> 	-lava
>>
>> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>>
>

l8*
 	-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
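The EAP-Message values in the quoted listing can be read without a TLS stack by decoding their EAP-TLS framing. The following decoder is an added example, not code from the thread or from FreeRADIUS; run on the server's Access-Challenge and the supplicant's reply in request 9 (both copied from the listing above) it shows that the reply the server logged as "unexpected tunneled data" is a TLS Alert record sent after the handshake, encrypted, so only its header is visible.

```python
"""Decode EAP-TLS framing of RADIUS EAP-Message values (added example).
EAP header: Code(1) Identifier(1) Length(2) Type(1); EAP-TLS adds Flags(1)
and, when the L flag is set, a 4-byte TLS Message Length (RFC 2716)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
EAP_TYPE_TLS = 13


def decode_eap_tls(hexstr):
    """Return a dict describing one '0x...' EAP-Message value."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP Length %d but %d bytes present" % (length, len(data)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "records": []}
    if code in (3, 4):          # Success/Failure carry no Type or payload
        return info
    eap_type, flags = data[4], data[5]
    if eap_type != EAP_TYPE_TLS:
        raise ValueError("EAP Type %d is not EAP-TLS" % eap_type)
    # Flags: L = TLS Message Length present, M = more fragments, S = start.
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                     "S": bool(flags & 0x20)}
    pos = 6
    if flags & 0x80:
        info["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    payload = data[pos:]
    # Walk TLS records: ContentType(1) Version(2) Length(2) fragment.  After
    # ChangeCipherSpec the fragment is encrypted, so only headers are read.
    while len(payload) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[:5])
        info["records"].append({"type": TLS_CONTENT.get(ctype, ctype),
                                "version": (major, minor), "length": rlen})
        payload = payload[5 + rlen:]
    return info


# Values copied from the listing above (request 8 challenge, request 9 reply).
CHALLENGE = ("0x010600350d800000002b1403010001011603010020c76c26e20a3f56cd"
             "ad1183c5e9c24322bdbd6ca0af149ba46d197f153a7f4f32")
REPLY = "0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115"

if __name__ == "__main__":
    for value in (CHALLENGE, REPLY, "0x04060004"):   # last one: Access-Reject
        print(decode_eap_tls(value))
```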


