FreeRadius EAP-TLS issue

Hamid Salim salim.h at neu.edu
Wed Nov 16 18:10:32 CET 2005


I am not sure if I completely follow:
">If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123
>-cacert /blah".
>
>Are you sure that you have imported and "trusted" your CA's certificate on
>both the client and the server?"

But I used 'how to EAP/TLS' from the FreeRadius web site. It is my
understanding (which may be incorrect) that I do not need a password.
It is something real simple that I have overlooked, but of course
challenging to discover!

Any comments/help appreciated.

Hamid.


Brian A. Seklecki wrote:


>
>If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123
>-cacert /blah".
>
>Are you sure that you have imported and "trusted" your CA's certificate on
>both the client and the server?
>
>This is when I let the other guys make suggestions.
>
>I was just curious if EAP-TLS with client certificates was simply a way of
>delivering the username to the client, letting the client authenticate the
>server and the server authenticate the identity of the client, and then
>providing for another password based mechanism.
>
>Or if certificate TLS handshake was sufficient for authorization and 
>authentication...
>
>For example, Apache SSL can be told to verify client certificates, but 
>htaccess would still be required.
>
>With SMTP, client and server SSL verification can be compelled, but for 
>SMTP AUTH for relay, username/password authentication would still be 
>required.
>
>
>~BAS
>
>On Wed, 16 Nov 2005, Hamid Salim wrote:
>
>> It should not be asking/expecting any userid/password pair. I have
>> installed the certificates on the supplicant machine which should be
>> sufficient to authenticate without any password requirements. I am not
>> sure why the certs are not working???
>>
>>
>> Brian A. Seklecki wrote:
>>
>>
>>>
>>>   rlm_eap_tls: Received unexpected tunneled data after successful
>>> handshake.
>>>
>>> ...that's what I get when I try an invalid password in my EAP + Cisco
>> 1200
>>> + LDAP + PEAP/MS-CHAPv2 configuration.
>>>
>>> Let me ask...how is the client certificate method supposed to work?
>>>
>>> Is the username embedded in the CN/CommonName attribute of the certificate
>>> and the user is prompted for a password which you set up in authenticate {} ?
>>>
>>> Is that any more secure than using PEAP/MS-CHAPv2 ?
>>>
>>> ~BAS
>>>
>>>
>>> On Wed, 16 Nov 2005, Hamid Salim wrote:
>>>
>>>> Hi,
>>>> I am just wondering if anyone has encountered the same issue. I have
>>>> set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
>>>> For some reason I am getting:
>>>>
>>>> auth: Failed to validate the user.
>>>> Login incorrect: [radiustst/<no User-Password attribute>] (from client
>>>> testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>>
>>>> complete listing is attached. I am using certificates and the SSL session
>>>> is created successfully, so why is FreeRadius expecting a
>>>> userid/password?
>>>>
>>>> Any help will be appreciated.
>>>>
>>>> Thanks
>>>> Hamid.
>>>>
>>>> ============= Complete Listing =================
>>>> Going to the next request
>>>> Waking up in 6 seconds...
>>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71,
>>>> length=1247
>>>>        User-Name = "radiustst"
>>>>        NAS-IP-Address = 129.10.56.156
>>>>        Called-Station-Id = "00-20-a6-4a-12-21"
>>>>        Calling-Station-Id = "00-10-c6-38-af-7b"
>>>>        NAS-Identifier = "APtest3"
>>>>        State = 0xb9a67433435733a42f7cbd528aa6ae7a
>>>>        Framed-MTU = 1400
>>>>        NAS-Port-Type = Wireless-802.11
>>>>        EAP-Message =
>>>> 0x020504510d800000044716030104170b000307000304000301308202fd30820266a003
>>>> 020102020102300d06092a864886f70d01010405003054310b3009060355040613025553
>>>> 310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e
>>>> 20556e6976657273697479311630140603550403130d4543454175746853657276657230
>>>> 1e170d3035313130353232323335345a170d3036313130353232323335345a3050310b30
>>>> 09060355040613025553310b3009060355040813024d413120301e060355040a13174e6f
>>>> 7274686561737465726e20556e6976657273697479311230100603550403130972616469
>>>> 7573
>>>>        EAP-Message =
>>>> 0x74737430819f300d06092a864886f70d010101050003818d0030818902818100b9983d
>>>> b3e72f80fd974f9bcd64081d573fdd27b19089405b696d873f87467ff80a312ef7b399c3
>>>> 9e9e7018e1aa29203251c40dd6af46d060d1211405bea1888d058da35230f55d7dc27d76
>>>> 9e0234824d78d5d1b5edf8d39f8ab78255e6cca753424cd0713339a02cf315fbcb6175a0
>>>> 47fa233d9f64d6f936f5e3a403bcca93ab0203010001a381e23081df30090603551d1304
>>>> 023000302c06096086480186f842010d041f161d4f70656e53534c2047656e6572617465
>>>> 64204365727469666963617465301d0603551d0e04160414b77dd4b0207270418f828157
>>>> 2f5e
>>>>        EAP-Message =
>>>> 0x3353216fe55f3081840603551d23047d307b801463d38ab984dc364e31383d1ecf3743
>>>> 0ee64b68e9a158a4563054310b3009060355040613025553310b3009060355040813024d
>>>> 413120301e060355040a13174e6f7274686561737465726e20556e697665727369747931
>>>> 1630140603550403130d45434541757468536572766572820900cab77a537cadfaf3300d
>>>> 06092a864886f70d0101040500038181003cbaf9e576319601ba75222ef4fed8cd584e2d
>>>> 8aea2f25788bff348f53a699ecab5cb50143f369e7a59da5ba5212105e4d1b642f56cf00
>>>> d04efcb911239047393875024e5e4a17b0ac8f87d165c81a5fcfbe2f2a67ee6c7e57dae0
>>>> c423
>>>>        EAP-Message =
>>>> 0x4a3f81753b0817b63f117a0b28c1ca43e1cb31142b47103caef9f28c01860b49f27465
>>>> 1000008200805d53b3419d272d68175ae404a9a51774f148420e7832d39ceaa311a000f0
>>>> 70ebf121d27c6f8b15369ab4bc9a1edadd2abd1caace3378f6a9f6623e6f9cb95085df74
>>>> 830c3e22638bd8e3a63938c9ea8b93895aca23aa131f728ffab7c0cee86b7ed10ced5e2f
>>>> 30ad19df6cd83a0ac6564a9b833b284b52ff9355741efc7b3e360f0000820080131f2e69
>>>> 99c156d32b83cb27036db11e9c3571b66d7ab062208a03daf1afb9b3c4a326a09663c1a3
>>>> 25a3b846a2a34d4cfbdcbd432a18017a9ece2744de377c964649ac146466ee4b71fa5fdd
>>>> 8f7c
>>>>        EAP-Message =
>>>> 0x1272df4226eb2805f9268ae2a2e0d0664ced1a8868bada17475dc7889cb73634641d80
>>>> af384311d0b2b9e87c7bde4227a47d14030100010116030100202a0a0a3102caaf869886
>>>> 11a6916269516c4e5b6bf006d943609a71740a4d3a60
>>>>        Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
>>>>  Processing the authorize section of radiusd.conf
>>>> modcall: entering group authorize for request 8
>>>>  modcall[authorize]: module "preprocess" returns ok for request 8
>>>> radius_xlat:
>>>> '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
>>>> rlm_detail:
>>>> /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
>>>> /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
>>>>  modcall[authorize]: module "auth_log" returns ok for request 8
>>>>    rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
>>>>    rlm_realm: No such realm "NULL"
>>>>  modcall[authorize]: module "suffix" returns noop for request 8
>>>>  rlm_eap: EAP packet type response id 5 length 253
>>>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>>  modcall[authorize]: module "eap" returns updated for request 8
>>>>    users: Matched entry radiustst at line 54
>>>>  modcall[authorize]: module "files" returns ok for request 8
>>>> modcall: group authorize returns updated for request 8
>>>>  rad_check_password:  Found Auth-Type EAP
>>>> auth: type "EAP"
>>>>  Processing the authenticate section of radiusd.conf
>>>> modcall: entering group authenticate for request 8
>>>>  rlm_eap: Request found, released from the list
>>>>  rlm_eap: EAP/tls
>>>>  rlm_eap: processing type tls
>>>>  rlm_eap_tls: Authenticate
>>>>  rlm_eap_tls: processing TLS
>>>> rlm_eap_tls:  Length Included
>>>>  eaptls_verify returned 11
>>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate
>>>> chain-depth=1,
>>>> error=0
>>>> --> User-Name = radiustst
>>>> --> BUF-Name = ECEAuthServer
>>>> --> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
>>>> --> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
>>>> --> verify return:1
>>>> chain-depth=0,
>>>> error=0
>>>> --> User-Name = radiustst
>>>> --> BUF-Name = radiustst
>>>> --> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst
>>>> --> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
>>>> --> verify return:1
>>>>    TLS_accept: SSLv3 read client certificate A
>>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
>>>>    TLS_accept: SSLv3 read client key exchange A
>>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
>>>>    TLS_accept: SSLv3 read certificate verify A
>>>>  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
>>>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
>>>>    TLS_accept: SSLv3 read finished A
>>>>  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
>>>>    TLS_accept: SSLv3 write change cipher spec A
>>>>  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
>>>>    TLS_accept: SSLv3 write finished A
>>>>    TLS_accept: SSLv3 flush data
>>>>    (other): SSL negotiation finished successfully
>>>> SSL Connection Established
>>>>  eaptls_process returned 13
>>>>  modcall[authenticate]: module "eap" returns handled for request 8
>>>> modcall: group authenticate returns handled for request 8
>>>> Sending Access-Challenge of id 71 to 129.10.56.156:6001
>>>>        EAP-Message =
>>>> 0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2
>>>> 4322bdbd6ca0af149ba46d197f153a7f4f32
>>>>        Message-Authenticator = 0x00000000000000000000000000000000
>>>>        State = 0x70ed13d02f1854999ba5b4513143d53d
>>>> Finished request 8
>>>> Going to the next request
>>>> Waking up in 6 seconds...
>>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
>>>> length=167
>>>>        User-Name = "radiustst"
>>>>        NAS-IP-Address = 129.10.56.156
>>>>        Called-Station-Id = "00-20-a6-4a-12-21"
>>>>        Calling-Station-Id = "00-10-c6-38-af-7b"
>>>>        NAS-Identifier = "APtest3"
>>>>        State = 0x70ed13d02f1854999ba5b4513143d53d
>>>>        Framed-MTU = 1400
>>>>        NAS-Port-Type = Wireless-802.11
>>>>        EAP-Message =
>>>> 0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115
>>>>        Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094
>>>>  Processing the authorize section of radiusd.conf
>>>> modcall: entering group authorize for request 9
>>>>  modcall[authorize]: module "preprocess" returns ok for request 9
>>>> radius_xlat:
>>>> '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
>>>> rlm_detail:
>>>> /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to
>>>> /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
>>>>  modcall[authorize]: module "auth_log" returns ok for request 9
>>>>    rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
>>>>    rlm_realm: No such realm "NULL"
>>>>  modcall[authorize]: module "suffix" returns noop for request 9
>>>>  rlm_eap: EAP packet type response id 6 length 33
>>>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>>>  modcall[authorize]: module "eap" returns updated for request 9
>>>>    users: Matched entry radiustst at line 54
>>>>  modcall[authorize]: module "files" returns ok for request 9
>>>> modcall: group authorize returns updated for request 9
>>>>  rad_check_password:  Found Auth-Type EAP
>>>> auth: type "EAP"
>>>>  Processing the authenticate section of radiusd.conf
>>>> modcall: entering group authenticate for request 9
>>>>  rlm_eap: Request found, released from the list
>>>>  rlm_eap: EAP/tls
>>>>  rlm_eap: processing type tls
>>>>  rlm_eap_tls: Authenticate
>>>>  rlm_eap_tls: processing TLS
>>>> rlm_eap_tls:  Length Included
>>>>  eaptls_verify returned 11
>>>>  eaptls_process returned 7
>>>>  rlm_eap_tls: Received unexpected tunneled data after successful
>>>> handshake.
>>>> rlm_eap: Handler failed in EAP/tls
>>>>  rlm_eap: Failed in EAP select
>>>>  modcall[authenticate]: module "eap" returns invalid for request 9
>>>> modcall: group authenticate returns invalid for request 9
>>>> auth: Failed to validate the user.
>>>> Login incorrect: [radiustst/<no User-Password attribute>] (from client
>>>> testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
>>>> Delaying request 9 for 1 seconds
>>>> Finished request 9
>>>> Going to the next request
>>>> Waking up in 6 seconds...
>>>> rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
>>>> length=167
>>>> Sending Access-Reject of id 72 to 129.10.56.156:6001
>>>>        EAP-Message = 0x04060004
>>>>        Message-Authenticator = 0x00000000000000000000000000000000
>>>> --- Walking the entire request list ---
>>>> Waking up in 1 seconds...
>>>> --- Walking the entire request list ---
>>>> Cleaning up request 5 ID 68 with timestamp 437a661d
>>>> Cleaning up request 6 ID 69 with timestamp 437a661d
>>>> Cleaning up request 7 ID 70 with timestamp 437a661d
>>>> Cleaning up request 8 ID 71 with timestamp 437a661d
>>>> Cleaning up request 9 ID 72 with timestamp 437a661d
>>>> Nothing to do.  Sleeping until we see a request.
>>>> -
>>>> List info/subscribe/unsubscribe? See
>>>> http://www.freeradius.org/list/users.html
>>>>
>>>
>>> l8*
>>> 	-lava
>>>
>>> x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>>>
>>
>
>l8*
> 	-lava
>
>x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
>
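As an added example, not part of this thread or of FreeRADIUS itself, here is a small Python decoder for the EAP-Message hex values that radiusd prints in debug mode. The sample values are taken from the log quoted above; the header layout follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS). Running it shows that request 9, the packet rlm_eap_tls rejects with "Received unexpected tunneled data after successful handshake", carries a TLS Alert record rather than application data: the supplicant closed the TLS session right after the handshake finished, which is why the attempt then surfaces as a generic login failure with no User-Password. The alert is sent under the negotiated keys, so the log cannot show its reason, but a supplicant aborting at exactly that point has usually declined the server's certificate, which is the trust question Brian's reply raises.

```python
"""Decode the EAP-Message values that radiusd prints in debug mode.

Layout (RFC 3748 / RFC 5216): EAP code, id, length, type 13 (EAP-TLS),
flags byte, optional 4-byte TLS length (L flag), then raw TLS records."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}

# Sample values copied from the radiusd output quoted in this thread.
# RADIUS caps each EAP-Message attribute at 253 bytes, so request 8's client
# Certificate arrives as five attributes; only the first fragment is kept here.
SAMPLES = {
    "access_request_8_fragment1":
        "0x020504510d800000044716030104170b000307000304000301308202fd30820266a003"
        "020102020102300d06092a864886f70d01010405003054310b3009060355040613025553"
        "310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e"
        "20556e6976657273697479311630140603550403130d4543454175746853657276657230"
        "1e170d3035313130353232323335345a170d3036313130353232323335345a3050310b30"
        "09060355040613025553310b3009060355040813024d413120301e060355040a13174e6f"
        "7274686561737465726e20556e6976657273697479311230100603550403130972616469"
        "7573",
    "access_challenge_8":
        "0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2"
        "4322bdbd6ca0af149ba46d197f153a7f4f32",
    "access_request_9":
        "0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115",
    "access_reject_9": "0x04060004",
}


def decode_eap_tls(hex_attr):
    """Parse one EAP-Message value; a lone fragment is flagged as truncated."""
    hex_attr = "".join(hex_attr.split())
    data = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(data) < 4:
        raise ValueError("shorter than an EAP header")
    declared = int.from_bytes(data[2:4], "big")
    pkt = {"code": EAP_CODES.get(data[0], f"code{data[0]}"), "id": data[1],
           "length": declared, "truncated": declared > len(data), "records": []}
    if data[0] in (3, 4) or len(data) < 6:
        return pkt                      # Success/Failure carry no type or data
    pkt["type"] = data[4]
    if data[4] != EAP_TYPE_TLS:
        return pkt
    flags = data[5]
    pkt["flags"] = "".join(name for name, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20))
                           if flags & bit)
    offset = 6
    if flags & 0x80:                    # L flag: total TLS message length follows
        pkt["tls_length"] = int.from_bytes(data[6:10], "big")
        offset = 10
    payload = data[offset:]
    encrypted = False                   # set once a ChangeCipherSpec is seen
    while len(payload) >= 5:
        ctype = payload[0]
        rlen = int.from_bytes(payload[3:5], "big")
        body = payload[5:5 + rlen]
        rec = {"type": TLS_CONTENT.get(ctype, f"type{ctype}"),
               "version": f"{payload[1]}.{payload[2]}", "length": rlen,
               "partial": len(body) < rlen, "encrypted": encrypted}
        if ctype == 20:
            encrypted = True
        elif ctype == 22 and not encrypted and body:
            rec["handshake"] = HANDSHAKE.get(body[0], f"msg{body[0]}")
        elif ctype == 21:
            # A plaintext alert is exactly two bytes (level, description); a
            # longer one was sent under the session keys and is unreadable here.
            plain = rlen == 2 and len(body) == 2
            rec["alert"] = tuple(body) if plain else "encrypted"
            rec["encrypted"] = not plain
        pkt["records"].append(rec)
        payload = payload[5 + rlen:]
    return pkt


def summarize(pkt):
    """One-line description, e.g. 'Response id=6 len=33 EAP-TLS[L]: Alert(18, encrypted)'."""
    head = f"{pkt['code']} id={pkt['id']} len={pkt['length']}"
    if pkt["truncated"]:
        head += " (fragment)"
    if "flags" not in pkt:
        return head
    head += f" EAP-TLS[{pkt['flags']}]"
    parts = []
    for rec in pkt["records"]:
        detail = rec.get("handshake") or ("encrypted" if rec["encrypted"] else "")
        parts.append(f"{rec['type']}({rec['length']}{', ' + detail if detail else ''})")
    return head + ": " + " ".join(parts)


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:28} {summarize(decode_eap_tls(value))}")
```

To decode a multi-attribute EAP packet such as request 8 in full, concatenate the hex of all its EAP-Message attributes (without the repeated `0x`) before calling `decode_eap_tls`; the declared EAP length (1105 bytes here) then matches the data and the Certificate record is no longer reported as partial.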
