Setting up RADIUS with EAP
Keith Osburn
kosburn at sea-turtle.net
Sun Oct 23 19:20:35 CEST 2005
Hello everyone,
I'm having trouble setting up my RADIUS to use EAP. Everything appears
normal but the client never gets past "Attempting to Authenticate".
If anyone has experience solving this problem I'd appreciate any help
provided :-)
Regards,
************ Log File***********
Here is the log file from running /usr/sbin/radius -X -A
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0,
length=127
User-Name = "kosburn"
NAS-IP-Address = 192.168.2.253
Called-Station-Id = "0013109e63c9"
Calling-Station-Id = "00904b624e10"
NAS-Identifier = "0013109e63c9"
NAS-Port = 60
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000c016b6f736275726e
Message-Authenticator = 0x3fe229ff76ac5518897afd4bbacaade2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
modcall[authorize]: module "preprocess" returns ok for request 12
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 12
rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "realmslash" returns noop for request 12
rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 12
users: Matched entry kosburn at line 1
modcall[authorize]: module "files" returns ok for request 12
modcall: group authorize returns updated for request 12
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 12
modcall: group authenticate returns handled for request 12
Sending Access-Challenge of id 0 to 192.168.2.253:2049
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbf80de34653e25d74ea49b2f2debeda9
Finished request 12
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0,
length=139
User-Name = "kosburn"
NAS-IP-Address = 192.168.2.253
Called-Station-Id = "0013109e63c9"
Calling-Station-Id = "00904b624e10"
NAS-Identifier = "0013109e63c9"
NAS-Port = 60
Framed-MTU = 1400
State = 0xbf80de34653e25d74ea49b2f2debeda9
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060319
Message-Authenticator = 0x65415f904ea823671c9fcdf5859edb5d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module "preprocess" returns ok for request 13
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 13
rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "realmslash" returns noop for request 13
rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 13
users: Matched entry kosburn at line 1
modcall[authorize]: module "files" returns ok for request 13
modcall: group authorize returns updated for request 13
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/peap
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 13
modcall: group authenticate returns handled for request 13
Sending Access-Challenge of id 0 to 192.168.2.253:2049
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0280af636895c756212430579c4c13bd
Finished request 13
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0,
length=213
User-Name = "kosburn"
NAS-IP-Address = 192.168.2.253
Called-Station-Id = "0013109e63c9"
Calling-Station-Id = "00904b624e10"
NAS-Identifier = "0013109e63c9"
NAS-Port = 60
Framed-MTU = 1400
State = 0x0280af636895c756212430579c4c13bd
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0203005019800000004616030100410100003d0301435bc1b6fb8a0e3748685ba7bd6ae2215b5c83ce5f6a895681366253ccf0ecdc00001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x89d0841ecd460f7ec92fda23a85cbe61
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
modcall[authorize]: module "preprocess" returns ok for request 14
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 14
rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "realmslash" returns noop for request 14
rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 14
users: Matched entry kosburn at line 1
modcall[authorize]: module "files" returns ok for request 14
modcall: group authorize returns updated for request 14
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 14
modcall: group authenticate returns handled for request 14
Sending Access-Challenge of id 0 to 192.168.2.253:2049
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x21a771d3dace9f2ac15015b2ca11ba9e
Finished request 14
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0,
length=139
User-Name = "kosburn"
NAS-IP-Address = 192.168.2.253
Called-Station-Id = "0013109e63c9"
Calling-Station-Id = "00904b624e10"
NAS-Identifier = "0013109e63c9"
NAS-Port = 60
Framed-MTU = 1400
State = 0x21a771d3dace9f2ac15015b2ca11ba9e
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0x888309fd2c450a9ac12dd4bb75ef6d66
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "realmslash" returns noop for request 15
rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
users: Matched entry kosburn at line 1
modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 0 to 192.168.2.253:2049
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x75ae22788c4e9f61f3bc83014ea1e657
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0,
length=139
User-Name = "kosburn"
NAS-IP-Address = 192.168.2.253
Called-Station-Id = "0013109e63c9"
Calling-Station-Id = "00904b624e10"
NAS-Identifier = "0013109e63c9"
NAS-Port = 60
Framed-MTU = 1400
State = 0x75ae22788c4e9f61f3bc83014ea1e657
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0x9bb1bdbc7a23d8f43a42c8ba50add01e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "realmslash" returns noop for request 16
rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 16
users: Matched entry kosburn at line 1
modcall[authorize]: module "files" returns ok for request 16
modcall: group authorize returns updated for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 16
modcall: group authenticate returns handled for request 16
Sending Access-Challenge of id 0 to 192.168.2.253:2049
EAP-Message = 0x010600061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x1a49638ee4935ae625ddcd34927e721d
Finished request 16
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 16 ID 0 with timestamp 435bba46
Nothing to do. Sleeping until we see a request.
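
Added example, not part of the original post: a small decoder for the short EAP-Message values in the log above, which makes the method negotiation reported by the rlm_eap lines visible in the packets themselves (EAP-TLS offered, NAK asking for PEAP, PEAP started, fragment ACKs). The names decode_eap and TRACE are assumptions of this example; the hex values are copied from the log.

```python
import struct

# EAP codes and the method types seen in this trace (numbers per RFC 3748 / IANA).
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def decode_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug log."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": CODES.get(code, code), "id": ident, "length": length}
    if length > len(raw):
        out["fragmented"] = True  # rest is in further EAP-Message attributes
    if code not in (1, 2) or len(raw) < 5:
        return out  # Success/Failure carry no type field
    etype, data = raw[4], raw[5:length]
    out["type"] = TYPES.get(etype, etype)
    if etype == 1:                       # Identity: payload is the user name
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:                     # Nak: list of methods the peer accepts
        out["wants"] = [TYPES.get(t, t) for t in data]
    elif etype in (13, 25) and data:     # TLS-based: flags byte, then TLS data
        flags = data[0]
        out["flags"] = [name for bit, name in
                        ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        # L set means a 4-byte TLS message length follows the flags byte
        out["tls_bytes"] = len(data) - 1 - (4 if flags & 0x80 else 0)
    return out

# (sender, EAP-Message) pairs copied from the log, in order of appearance.
TRACE = [
    ("client", "0x0201000c016b6f736275726e"),
    ("server", "0x010200060d20"),
    ("client", "0x020200060319"),
    ("server", "0x010300061920"),
    ("client", "0x020400061900"),
    ("server", "0x010600061900"),
]

if __name__ == "__main__":
    for sender, value in TRACE:
        print(sender, decode_eap(value))
```

A PEAP or EAP-TLS packet with no flags and zero TLS bytes is a fragment acknowledgement, which is what the "Received EAP-TLS ACK message" lines correspond to.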