Setting up RADIUS with EAP

Keith Osburn kosburn at sea-turtle.net
Sun Oct 23 19:20:35 CEST 2005


Hello everyone,

I'm having trouble setting up my RADIUS to use EAP.  Everything appears
normal but the client never gets past "Attempting to Authenticate".

If anyone has experience solving this problem I'd appreciate any help
provided :-)

Regards,


************ Log File***********

Here is the log file from running /usr/sbin/radius -X -A

rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=127
        User-Name = "kosburn"
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = "0013109e63c9"
        Calling-Station-Id = "00904b624e10"
        NAS-Identifier = "0013109e63c9"
        NAS-Port = 60
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000c016b6f736275726e
        Message-Authenticator = 0x3fe229ff76ac5518897afd4bbacaade2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
  modcall[authorize]: module "preprocess" returns ok for request 12
  rlm_eap: EAP packet type response id 1 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 12
    rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 12
    rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 12
    users: Matched entry kosburn at line 1
  modcall[authorize]: module "files" returns ok for request 12
modcall: group authorize returns updated for request 12
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 12
modcall: group authenticate returns handled for request 12
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xbf80de34653e25d74ea49b2f2debeda9
Finished request 12
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=139
        User-Name = "kosburn"
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = "0013109e63c9"
        Calling-Station-Id = "00904b624e10"
        NAS-Identifier = "0013109e63c9"
        NAS-Port = 60
        Framed-MTU = 1400
        State = 0xbf80de34653e25d74ea49b2f2debeda9
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060319
        Message-Authenticator = 0x65415f904ea823671c9fcdf5859edb5d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
  modcall[authorize]: module "preprocess" returns ok for request 13
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 13
    rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 13
    rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 13
    users: Matched entry kosburn at line 1
  modcall[authorize]: module "files" returns ok for request 13
modcall: group authorize returns updated for request 13
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/peap
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 13
modcall: group authenticate returns handled for request 13
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0280af636895c756212430579c4c13bd
Finished request 13
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=213
        User-Name = "kosburn"
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = "0013109e63c9"
        Calling-Station-Id = "00904b624e10"
        NAS-Identifier = "0013109e63c9"
        NAS-Port = 60
        Framed-MTU = 1400
        State = 0x0280af636895c756212430579c4c13bd
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0203005019800000004616030100410100003d0301435bc1b6fb8a0e3748685ba7bd6ae2215b5c83ce5f6a895681366253ccf0ecdc00001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x89d0841ecd460f7ec92fda23a85cbe61
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
  modcall[authorize]: module "preprocess" returns ok for request 14
  rlm_eap: EAP packet type response id 3 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 14
    rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 14
    rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 14
    users: Matched entry kosburn at line 1
  modcall[authorize]: module "files" returns ok for request 14
modcall: group authorize returns updated for request 14
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 14
modcall: group authenticate returns handled for request 14
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x21a771d3dace9f2ac15015b2ca11ba9e
Finished request 14
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=139
        User-Name = "kosburn"
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = "0013109e63c9"
        Calling-Station-Id = "00904b624e10"
        NAS-Identifier = "0013109e63c9"
        NAS-Port = 60
        Framed-MTU = 1400
        State = 0x21a771d3dace9f2ac15015b2ca11ba9e
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400061900
        Message-Authenticator = 0x888309fd2c450a9ac12dd4bb75ef6d66
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
  modcall[authorize]: module "preprocess" returns ok for request 15
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 15
    rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 15
    rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 15
    users: Matched entry kosburn at line 1
  modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns updated for request 15
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message =
0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x75ae22788c4e9f61f3bc83014ea1e657
Finished request 15
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.253:2049, id=0, length=139
        User-Name = "kosburn"
        NAS-IP-Address = 192.168.2.253
        Called-Station-Id = "0013109e63c9"
        Calling-Station-Id = "00904b624e10"
        NAS-Identifier = "0013109e63c9"
        NAS-Port = 60
        Framed-MTU = 1400
        State = 0x75ae22788c4e9f61f3bc83014ea1e657
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020500061900
        Message-Authenticator = 0x9bb1bdbc7a23d8f43a42c8ba50add01e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
  modcall[authorize]: module "preprocess" returns ok for request 16
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 16
    rlm_realm: No '/' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "realmslash" returns noop for request 16
    rlm_realm: No '@' in User-Name = "kosburn", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 16
    users: Matched entry kosburn at line 1
  modcall[authorize]: module "files" returns ok for request 16
modcall: group authorize returns updated for request 16
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 16
modcall: group authenticate returns handled for request 16
Sending Access-Challenge of id 0 to 192.168.2.253:2049
        EAP-Message = 0x010600061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1a49638ee4935ae625ddcd34927e721d
Finished request 16
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 16 ID 0 with timestamp 435bba46
Nothing to do.  Sleeping until we see a request.
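
Added example (not part of the original post, and not FreeRADIUS code): a small decoder for the EAP-Message values printed in the debug log above, following the EAP header layout of RFC 3748 and the flags byte used by EAP-TLS and PEAP. The names `decode_eap` and `LOG_MESSAGES` are assumptions made for this illustration; the hex values are copied from the log.

```python
import struct

# EAP codes and method types (RFC 3748); 13 = EAP-TLS, 25 = PEAP
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
# Flag bits in the first data byte of EAP-TLS and PEAP packets:
# L = length included, M = more fragments, S = start
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))


def decode_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug log."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": CODES.get(code, code), "id": ident, "length": length}
    if length != len(raw):
        # Long EAP packets are split across several EAP-Message attributes
        out["partial"] = True
    if code not in (1, 2) or len(raw) < 5:
        return out  # Success/Failure carry no type field
    etype, data = raw[4], raw[5:]
    out["type"] = TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:
        # Nak: the peer lists the methods it wants instead
        out["wants"] = [TYPES.get(t, t) for t in data]
    elif etype in (13, 25) and data:
        out["flags"] = "".join(name for bit, name in TLS_FLAGS if data[0] & bit)
        if data[0] & 0x80 and len(data) >= 5:
            out["tls_length"] = struct.unpack("!I", data[1:5])[0]
    return out


# EAP-Message values copied from the log above, in order (long fragments omitted)
LOG_MESSAGES = [
    "0x0201000c016b6f736275726e",  # request 12, from the client
    "0x010200060d20",              # request 12, server challenge
    "0x020200060319",              # request 13, from the client
    "0x010300061920",              # request 13, server challenge
    "0x020400061900",              # request 15, from the client
]

if __name__ == "__main__":
    for value in LOG_MESSAGES:
        print(value, decode_eap(value))
```

For `0x020400061900` the flags string is empty and no TLS data follows, which matches the `Received EAP-TLS ACK message` line in the log.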



