Any Trusted CA problem
Torkel Mathisen
torkel.mathisen at bbs.no
Tue Feb 21 14:28:21 CET 2006
As a follow-up to my previous message: I guess I should have added the debug log there already.
Anyway, here is the debug log, and as you can see I get an unknown CA error. However, I have all the certs in the correct location on the FreeRADIUS server.
Anyone know how to fix this?
Running FreeRADIUS 1.0.5 with PEAP/MS-CHAPv2.
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=181, length=138
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "000e.8401.cd50"
Calling-Station-Id = "0004.2357.ab9d"
Message-Authenticator = 0xa284452031cc71ac7722c75272190189
EAP-Message = 0x0201000e01616e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 497
Service-Type = Framed-User
NAS-IP-Address = 192.168.2.4
NAS-Identifier = "AP1100-D2"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 181 to 192.168.2.4:21665
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x45fc39656c1e7d8704c7761797a46146
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=182, length=248
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "000e.8401.cd50"
Calling-Station-Id = "0004.2357.ab9d"
Message-Authenticator = 0x1b57e23083b00190c6267515556bb225
EAP-Message = 0x0202006a198000000060160301005b01000057030143fb10d40a705517a5520974d156590946932ddea339e2527d91f3e0bf30400200003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 497
State = 0x45fc39656c1e7d8704c7761797a46146
Service-Type = Framed-User
NAS-IP-Address = 192.168.2.4
NAS-Identifier = "AP1100-D2"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 106
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0654], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 182 to 192.168.2.4:21665
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f7374301e170d3035313032363132333432385a170d3036313032363132333432385a30818b310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a667265657261646975733119301706035504031310526f6f74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c6f63616c686f737430819f300d06092a864886f70d010101050003818d0030818902818100eead5285b5e9f7b939a2dfc1b7fef60a
EAP-Message = 0x5a30818d310b3009060355040613024e4f310d300b06
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x515242558a4574a078cacb1b266de363
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=183, length=148
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "000e.8401.cd50"
Calling-Station-Id = "0004.2357.ab9d"
Message-Authenticator = 0x017aef237dc27ad66de21013a4da5bdc
EAP-Message = 0x020300061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 497
State = 0x515242558a4574a078cacb1b266de363
Service-Type = Framed-User
NAS-IP-Address = 192.168.2.4
NAS-Identifier = "AP1100-D2"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 183 to 192.168.2.4:21665
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x84850d853d4435da9ab22ec6c3dc4e6d9137e0ec36d705c923055aa8b900d833350203010001a381f53081f2301d0603551d0e04160414227f0709429785a3169b9817627cd456d617f2283081c20603551d230481ba3081b78014227f0709429785a3169b9817627cd456d617f228a18193a4819030818d310b3009060355040613024e4f310d300b060355040813044f534c4f310d300b060355040713044f534c4f310f300d060355040a130642425320415331133011060355040b130a66726565726164697573311b301906035504031312436c69656e74206365727469666963617465311d301b06092a864886f70d010901160e726f6f74406c
EAP-Message = 0xe66f0001050040092d106c2ef3689a643d3fd076a14b3f75be6fbdd0c08e7950f20922dc73fa64fea8a5f44012c4af669f46185e95158f91ad4e170982febc5766ebf47a7a13cc008005fa59ad40eaf289554204e2db05a7e7c535bc610447faaadf40f28ac719adf683be4ef8296ff9cc0ab7f51ce6965d39d278572fb8be1525d6ad57fa5fa44c34451ee24c7922a06fdc1faef6e6a75bd403f4e9944f30095956efc433833743448b80cec60e0d066a9b15f4b1d34c8565f43b8bb68504359ae2c972524473e56216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9d32410c0e854c04a4f03aacb11e72d7
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=184, length=159
User-Name = "anonymous"
Framed-MTU = 1400
Called-Station-Id = "000e.8401.cd50"
Calling-Station-Id = "0004.2357.ab9d"
Message-Authenticator = 0x0f8b658442d58b4085f9b405518cdf41
EAP-Message = 0x0204001119800000000715030100020230
NAS-Port-Type = Wireless-802.11
NAS-Port = 497
State = 0x9d32410c0e854c04a4f03aacb11e72d7
Service-Type = Framed-User
NAS-IP-Address = 192.168.2.4
NAS-Identifier = "AP1100-D2"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 165
users: Matched entry DEFAULT at line 184
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
11457:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1052:SSL alert number 48
11457:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 3
modcall: group authenticate returns reject for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.2.4:21665, id=184, length=159
Sending Access-Reject of id 184 to 192.168.2.4:21665
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 0 ID 181 with timestamp 43fb125a
Cleaning up request 1 ID 182 with timestamp 43fb125a
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 183 with timestamp 43fb125b
Cleaning up request 3 ID 184 with timestamp 43fb125b
Nothing to do. Sleeping until we see a request.
Regards,
Torkel
-----Original Message-----
From: freeradius-users-bounces+torkel.mathisen=bbs.no at lists.freeradius.org [mailto:freeradius-users-bounces+torkel.mathisen=bbs.no at lists.freeradius.org] On behalf of Torkel Mathisen
Sent: 17 February 2006 09:59
To: FreeRadius users mailing list
Subject: Any Trusted CA problem
Hi,
I run FreeRADIUS 1.0.5 with PEAP/MS-CHAPv2 authentication through the
users file.
I have a problem with the "Any Trusted CA" part on some of my clients.
Some of the clients can't uncheck that option in the driver, and then
they won't be able to use the WLAN because it tries to contact a CA.
Is there any way around this problem?
Regards,
Torkel
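As an added example (not part of the post, and not FreeRADIUS code), here is a small Python decoder for the EAP-Message values printed in the debug log above. It pulls apart the EAP header, the EAP-TLS flags and the inner TLS record, so the fatal alert in request 3 can be read directly: it is carried in an EAP Response, i.e. it was sent by the client. Function names and the SAMPLE_LOG excerpt are constructed here.

```python
import re
# Lookup tables for the values that appear in the log above (EAP: RFC 3748/5216; TLS: RFC 2246).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_RECORDS = {0x14: "ChangeCipherSpec", 0x15: "Alert", 0x16: "Handshake", 0x17: "ApplicationData"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange", 14: "ServerHelloDone"}

def decode_eap_message(hexstr):
    # One EAP-Message attribute value as printed by radiusd -X: "0x" followed by the raw EAP packet.
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    length = int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(data[0], data[0]), "id": data[1], "length": length}
    if data[0] in (3, 4):  # Success/Failure: 4-byte header only, no type byte
        return out
    out["type"] = EAP_TYPES.get(data[4], data[4])
    if data[4] == 1:  # Identity: the payload is the (outer) identity string
        out["identity"] = data[5:length].decode("ascii", "replace")
    elif data[4] in (13, 21, 25):  # EAP-TLS framing: flags byte, then an optional 4-byte total TLS length
        flags, pos = data[5], 6
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        if flags & 0x80:
            out["tls_length"], pos = int.from_bytes(data[6:10], "big"), 10
        tls = data[pos:length]
        if not tls:  # empty payload: EAP-TLS Start (S flag set) or a fragment ACK
            out["tls"] = "Start" if flags & 0x20 else "ACK"
            return out
        rec = {"record": TLS_RECORDS.get(tls[0], tls[0]), "version": (tls[1], tls[2])}  # (3, 1) is TLS 1.0
        if tls[0] == 0x15 and len(tls) >= 7:  # Alert record: level byte (2 = fatal) then description code
            rec["level"] = "fatal" if tls[5] == 2 else "warning"
            rec["description"] = TLS_ALERTS.get(tls[6], tls[6])
        elif tls[0] == 0x16 and len(tls) > 5:  # Handshake record: first body byte is the message type
            rec["handshake"] = HANDSHAKES.get(tls[5], tls[5])
        out["tls"] = rec
    return out

def find_fatal_alerts(log_text):
    # Return (eap_id, direction, alert name) for every fatal TLS alert carried in an EAP-Message line.
    alerts = []
    for hexstr in re.findall(r"EAP-Message =\s*(0x[0-9a-fA-F]+)", log_text):
        msg = decode_eap_message(hexstr)
        tls = msg.get("tls")
        if isinstance(tls, dict) and tls.get("level") == "fatal":
            who = "client->server" if msg["code"] == "Response" else "server->client"
            alerts.append((msg["id"], who, tls["description"]))
    return alerts
# Constructed excerpt: three short EAP-Message lines copied from the debug log in the post above.
SAMPLE_LOG = """EAP-Message = 0x010200061920
EAP-Message = 0x020300061900
EAP-Message = 0x0204001119800000000715030100020230"""
```

An unknown_ca alert that the server reads (rather than sends) means the peer rejected the server's certificate chain, so the CA to check is the one the supplicant trusts, not the files on the RADIUS server.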