authentication failure

pelusa vali pelusitavali at hotmail.com
Tue Feb 28 16:57:23 CET 2006


hi everybody, i'm using debian sarge with kernel 2.6.13, openssl 0.9.8a, hostapd 
0.5.1, freeradius 1.0.5 and madwifi-ng-r1406. i want to use eap-tls in my wlan 
with my own ap running on linux. so i could install and configure all the programs 
(except hostapd; instead of compiling it myself i installed it from a .deb package).
now i have my certificates and the programs running, but when i try to connect a 
windows client it always stops in this state:

"Trying to authenticate", and nothing more happens. i generated certificates using 
winxp extensions and tried to export and install them in winxp, but i always get the 
same behavior. clients can't get an ip address, but before implementing this 
they could.

here is an extract from the freeradius messages:

--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.50.1:32771, id=14, length=250
        User-Name = "Administrador"
        NAS-IP-Address = 192.168.50.1
        NAS-Port = 0
        Called-Station-Id = "00-0F-66-11-C1-97:WLAN1"
        Calling-Station-Id = "00-12-F0-BC-C1-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x021400500d800000004616030100410100003d03014403d116c1beab0d54a903ac411f6de1bd9eaf339bf5ac89f9e0ff0a7410c68800001600040005000a000900640062000300060013001200630100
        State = 0x6780e9b9e7fd2c531421b8437d11c9db
        Message-Authenticator = 0x11d975fb9373293a13b5a0b3ad2f6f1f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module "preprocess" returns ok for request 19
  modcall[authorize]: module "chap" returns noop for request 19
  modcall[authorize]: module "mschap" returns noop for request 19
    rlm_realm: No '@' in User-Name = "Administrador", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 19
  rlm_eap: EAP packet type response id 20 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 19
    users: Matched entry Administrador at line 97
  modcall[authorize]: module "files" returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 025c], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0070], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 19
modcall: group authenticate returns handled for request 19
Sending Access-Challenge of id 14 to 192.168.50.1:32771
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa544f4d0d0e97f26a36b397073d84dfc
Finished request 19

and here is hostapd output:

IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
ath0: RADIUS Received 68 bytes from RADIUS server
ath0: RADIUS Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=12 length=68
   Attribute 79 (EAP-Message) length=12
      Value: 01 12 00 0a 0d 80 00 00 00 00
   Attribute 80 (Message-Authenticator) length=18
      Value: 27 c2 5d 33 9e 5a 62 db bc 26 d5 c6 5c 7f 62 4c
   Attribute 24 (State) length=18
      Value: 39 24 c3 3e ed 0b 61 bd c2 95 36 bc 86 1e 47 bc
ath0: STA 00:12:f0:bc:c1:68 RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station 00:12:f0:bc:c1:68
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: using EAP timeout of 30 seconds
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: decapsulated EAP packet (code=1 id=18 len=10) from RADIUS server: EAP-Request-TLS (13)
IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:12:f0:bc:c1:68 (identifier 18)
TX EAPOL - hexdump(len=28): 00 12 f0 bc c1 68 00 0f 66 11 c1 97 88 8e 02 00 00 0a 01 12 00 0a 0d 80 00 00 00 00
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
ath0: RADIUS Next RADIUS client retransmit in 75 seconds
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 - aWhile --> 0
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: EAP timeout
IEEE 802.1X: 5 bytes from 00:12:f0:bc:c1:68
   IEEE 802.1X: version=1 type=1 length=0
   ignoring 1 extra octets after IEEE 802.1X packet
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: received EAPOL-Start from STA
ath0: STA 00:12:f0:bc:c1:68 WPA: event 5 notification
WPA: 00:12:f0:bc:c1:68 WPA_PTK entering state AUTHENTICATION2
IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state ABORTING
IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state INITIALIZE
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: aborting authentication
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state RESTART
IEEE 802.1X: station 00:12:f0:bc:c1:68 - new auth session, clearing State
IEEE 802.1X: Generated EAP Request-Identity for 00:12:f0:bc:c1:68 (identifier 19, timeout 30)
IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state IDLE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:12:f0:bc:c1:68 (identifier 19)
TX EAPOL - hexdump(len=36): 00 12 f0 bc c1 68 00 0f 66 11 c1 97 88 8e 02 00 00 12 01 13 00 12 01 68 65 6c 6c 6f 5f 63 6c 69 65 6e 74 73
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 22 bytes from 00:12:f0:bc:c1:68
   IEEE 802.1X: version=1 type=0 length=18
   EAP: code=2 identifier=19 length=18 (response)
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: received EAP packet (code=2 id=19 len=18) from STA: EAP Response-Identity (1)
ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: STA identity 'Administrador'
IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state RESPONSE
Encapsulating EAP message into a RADIUS packet
ath0: RADIUS Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=13 length=170
   Attribute 1 (User-Name) length=15
      Value: 'Administrador'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 192.168.50.1
   Attribute 5 (NAS-Port) length=6
      Value: 0
   Attribute 30 (Called-Station-Id) length=30
      Value: '00-0F-66-11-C1-97:WLANESPOCH'
   Attribute 31 (Calling-Station-Id) length=19
      Value: '00-12-F0-BC-C1-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=20
      Value: 02 13 00 12 01 41 64 6d 69 6e 69 73 74 72 61 64 6f 72
   Attribute 80 (Message-Authenticator) length=18
      Value: 41 7b 75 d3 c0 21 4b 3e 18 3e 40 10 62 37 3c 9a
ath0: RADIUS Next RADIUS client retransmit in 3 seconds

so my questions are:
1) why can't the client authenticate to freeradius? maybe i'm missing some 
configuration, or freeradius and hostapd aren't working well together?
2) as you can see in the freeradius and hostapd output, they say "CONNECT 
11Mbps 802.11b", but my ap and clients are configured to work with 802.11g. 
why do freeradius and hostapd detect 11b?
3) what does this mean: "TLS_accept:error in SSLv3 read client certificate A"?
4) is there any way i can test my certificates from freeradius? any 
command? or maybe install wpa-supplicant on my debian machine and test from there 
(authenticator and supplicant on the same machine?).

could anybody try to help? i know these are many questions but i'm lost 
and don't know what to do. thanks in advance for your help and time.
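
As an added example (not part of the original post): the EAP packets shown in the hostapd and freeradius output above can be decoded by hand to see which step of the EAP-TLS exchange each one belongs to. The Python sketch below uses only byte strings copied from those logs and parses the EAP header, the EAP-TLS flags byte (L/M/S) and the start of the first TLS record; the function name and dictionary keys are illustrative assumptions.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
              13: "CertificateRequest", 14: "ServerHelloDone"}

# Byte strings copied from the logs in the post above.
TLS_REQUEST = "01 12 00 0a 0d 80 00 00 00 00"            # hostapd, Attribute 79
IDENTITY_RESPONSE = "02 13 00 12 01 41 64 6d 69 6e 69 73 74 72 61 64 6f 72"
CLIENT_HELLO_HEAD = "0x021400500d8000000046160301004101"  # first 16 bytes only

def decode_eap(hex_text):
    """Decode one EAP packet (hypothetical helper); tolerates truncated input."""
    text = "".join(hex_text.split())
    raw = bytes.fromhex(text[2:] if text.lower().startswith("0x") else text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident,
            "length": length, "truncated": len(raw) < length}
    if code not in (1, 2) or len(raw) < 5:
        return info                        # Success/Failure carry no type field
    info["type"] = EAP_TYPES.get(raw[4], raw[4])
    body = raw[5:length]
    if raw[4] == 1:
        info["identity"] = body.decode("utf-8", "replace")
    elif raw[4] == 13 and body:
        flags, data = body[0], body[1:]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                         "S": bool(flags & 0x20)}
        if flags & 0x80 and len(data) >= 4:    # L: 4-byte total TLS length
            info["tls_message_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        # Only the first fragment starts on a TLS record boundary.
        if len(data) >= 6 and data[0] in TLS_RECORDS:
            info["tls_record"] = TLS_RECORDS[data[0]]
            info["tls_version"] = "%d.%d" % (data[1], data[2])  # 3.1 = TLS 1.0
            info["tls_record_length"] = struct.unpack("!H", data[3:5])[0]
            if data[0] == 22:
                info["handshake"] = HANDSHAKES.get(data[5], data[5])
    return info

if __name__ == "__main__":
    for sample in (TLS_REQUEST, IDENTITY_RESPONSE, CLIENT_HELLO_HEAD):
        print(decode_eap(sample))
```

The decoded fields line up with the log lines: id 20 and length 80 match `rlm_eap: EAP packet type response id 20 length 80`, and the record length 65 (0x41) matches `TLS 1.0 Handshake [length 0041], ClientHello`.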
