freeradius and 802.1x troubleshooting
Vincent Chen
vctw at yahoo.com
Fri Apr 21 07:30:42 CEST 2006
Hi, all
I recently changed my firewall and moved my DNS server to the same host running
freeradius. The 802.1x connection between Windows XP and my AP, which worked
perfectly, has now stopped working. How can I troubleshoot this? 802.1x may be
secure, but it is definitely a pain in the ass. Here is what I see in the radius log.
BTW: Hardware, freeradius, certificates are all the same.
---
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.1.2.5:1024, id=67, length=166
User-Name = "Vincent Chen"
NAS-IP-Address = 10.1.2.5
NAS-Identifier = "AWL500"
State = 0xf6d7edea4e31a89cdd1e573b8e7f619c
EAP-Message =
0x021500500d800000004616030100410100003d030144482d535841e9b32d4e67beba62b2534c19d5a49d7a9f56d591282a9597af8600001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xf6f1d2620cddb7f2b187f79e91dff8dc
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
rlm_eap: EAP packet type response id 21 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
users: Matched entry Vincent Chen at line 19
modcall[authorize]: module "files" returns ok for request 16
modcall: leaving group authorize (returns updated) for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ee9], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 008b], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 16
modcall: leaving group authenticate (returns handled) for request 16
Sending Access-Challenge of id 67 to 10.1.2.5 port 1024
Termination-Action = RADIUS-Request
Session-Timeout = 1200
EAP-Message = 0x4341312b302906092a864886f70d010901161c76696e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4016d74af2be5576af501ab3faf576f1
Finished request 16
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 10.1.2.5:1024, id=68, length=92
User-Name = "Vincent Chen"
NAS-IP-Address = 10.1.2.5
NAS-Identifier = "AWL500"
State = 0x4016d74af2be5576af501ab3faf576f1
EAP-Message = 0x021600060d00
Message-Authenticator = 0x5a66fb7be4afdcbc9547bcfb1f6f906e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 17
rlm_eap: EAP packet type response id 22 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 17
users: Matched entry Vincent Chen at line 19
modcall[authorize]: module "files" returns ok for request 17
modcall: leaving group authorize (returns updated) for request 17
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 17
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 17
modcall: leaving group authenticate (returns handled) for request 17
Sending Access-Challenge of id 68 to 10.1.2.5 port 1024
Termination-Action = RADIUS-Request
Session-Timeout = 1200
EAP-Message = 0x69736f6c7574696f6e2e64796e646e732e62697a301e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf0f9b620b8316abaee0c3ccac9df0bc4
Finished request 17
Going to the next request
---
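An added example, not part of the original post: a small decoder for the EAP-Message values radiusd prints, applied to the two client packets in the log above (requests 16 and 17). It reads the EAP header, the EAP-TLS flags byte and the first TLS record, which shows where in the handshake each side is; the function and constant names are chosen here for illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}
EAP_TYPE_TLS = 13  # EAP-TLS method type (RFC 5216)

def decode_eap_tls(hex_value):
    """Decode one complete EAP packet given as the hex string radiusd prints."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": length > len(raw)}
    if code not in (1, 2) or len(raw) < 6 or raw[4] != EAP_TYPE_TLS:
        return out  # not an EAP-TLS request/response
    flags, body = raw[5], raw[6:length]
    out.update(length_included=bool(flags & 0x80),
               more_fragments=bool(flags & 0x40),
               start=bool(flags & 0x20))
    if flags & 0x80:
        if len(body) < 4:
            raise ValueError("L flag set but TLS length field missing")
        out["tls_total_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    # An EAP-TLS packet with no flags and no data acknowledges a fragment.
    out["fragment_ack"] = flags == 0 and not body
    # First TLS record: type(1) version(2) length(2); type 22 = handshake.
    if len(body) >= 6 and body[0] == 22:
        out["tls_version"] = (body[1], body[2])
        out["handshake"] = HANDSHAKE.get(body[5], body[5])
    return out

# Values copied from the log above (requests 16 and 17).
CLIENT_HELLO = ("0x021500500d800000004616030100410100003d030144482d535841e9b3"
                "2d4e67beba62b2534c19d5a49d7a9f56d591282a9597af8600001600040005"
                "000a000900640062000300060013001200630100")
FRAGMENT_ACK = "0x021600060d00"

if __name__ == "__main__":
    for name, value in (("request 16", CLIENT_HELLO), ("request 17", FRAGMENT_ACK)):
        print(name, decode_eap_tls(value))
```

An Access-Challenge may carry one EAP packet split over several EAP-Message attributes; concatenate their values in order before decoding.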