Problems with Authenticating Client!!
艳华 杨
helen_yyh23 at yahoo.com.cn
Thu Mar 2 03:50:07 CET 2006
Hi everybody,
I'm using RedHat 9.0 (kernel 2.4.20), openssl 0.9.8a, hostapd 0.4.7 and freeradius 1.0.2.
I want to use EAP-TLS in my WLAN on my own Linux-based AP. I now have my certificates and the programs running, but when I try to connect a Windows client it always stops in the state "Trying to authenticate", and nothing more happens. I generated the certificates using the WinXP extensions.
Here is my hostapd.conf:
interface=wlan0
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
debug=4
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=hostap
macaddr_acl=0
auth_algs=1
ieee8021x=1
eap_message=Welcome to essi hostapd!
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=172.25.3.55
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=yyh
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=yyh
Here is my radiusd.conf:
bind_address = *
hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = yes
log_auth_badpass = yes
log_auth_goodpass = yes
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
proxy_requests = yes
proxy_requests = yes
modules {
chap {
authtype = CHAP
}
pam {
pam_auth = radiusd
}
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
realm IPASS {
format = prefix
delimiter = "/"
ignore_default = no
ignore_null = no
}
realm suffix {
format = suffix
delimiter = "@"
ignore_default = no
ignore_null = no
}
realm realmpercent {
format = suffix
delimiter = "%"
ignore_default = no
ignore_null = no
}
realm ntdomain {
format = prefix
delimiter = "\\"
ignore_default = no
ignore_null = no
}
checkval {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
}
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_cisco_vsa_hack = no
}
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
compat = no
}
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
detail auth_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
detailperm = 0600
}
detail reply_log {
detailfile = ${radacctdir}/%{Client-IP-Address}/reply-detail-%Y%m%d
detailperm = 0600
}
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP- Address, NAS-Port"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
counter daily {
ilename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
}
preacct {
preprocess
suffix
file
}
accounting {
detail
radutmp
}
session {
radutmp
}
post-proxy {
eap
}
Here is the authentication debug output from the RADIUS server:
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=98, length=239
User-Name = "yhyang"
NAS-IP-Address = 172.25.3.55
NAS-Port = 1
Called-Station-Id = "00-40-05-AE-B7-7C:hostap"
Calling-Station-Id = "00-0C-F1-55-93-A5"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02b300500d800000004616030100410100003d03014405bebdec65e585e2ff0780daabdb78f9fe367ae597a234fa5667ad836c6c7900001600040005000a000900640062000300060013001200630100
State = 0xd9cc14e85ea695ff35e607011110f98b
Message-Authenticator = 0x088d698d7be13be4328f9d8fad346047
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 866
modcall[authorize]: module "preprocess" returns ok for request 866
modcall[authorize]: module "chap" returns noop for request 866
rlm_eap: EAP packet type response id 179 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 866
users: Matched entry DEFAULT at line 152
users: Matched entry yhyang at line 215
modcall[authorize]: module "files" returns ok for request 866
modcall: group authorize returns updated for request 866
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 866
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c8], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00af], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 866
modcall: group authenticate returns handled for request 866
Sending Access-Challenge of id 98 to 127.0.0.1:32772
Service-Type = Login-User
EAP-Message = 0x01b4040a0dc0000007d0160301004a0200004603014405c0388847c271909eca9a0f9104e1bbcada4432e72048aa72e86fa12bb74f2013834d041d4660c52b10e8ebb8be0c7cf622442730e40cc3164a2ec1e157ffd600040016030106c80b0006c40006c10002da308202d63082023fa003020102020101300d06092a864886f70d010104050030819d310b300906035504061302434e3110300e060355040813074265696a696e6731293027060355040a13204265696a696e6720556e6976657273697479206f6620546563686e6f6c6f6779310d300b060355040b130445535349311430120603550403130b626a75742e6564752e636e312c302a
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x61696c732e626a75742e6564752e636e301e170d3036
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xca11386375f850d8beb767ab5e87ed9d
Finished request 866
And the hostapd debug output:
wlan0: STA 00:40:05:23:3b:f6 IEEE 802.1X: EAP timeout
IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state TIMEOUT
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state ABORTING
IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state INITIALIZE
wlan0: STA 00:40:05:23:3b:f6 IEEE 802.1X: aborting authentication
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state RESTART
IEEE 802.1X: station 00:40:05:23:3b:f6 - new auth session, clearing State
IEEE 802.1X: Generated EAP Request-Identity for 00:40:05:23:3b:f6 (identifier 28, timeout 30)
IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state IDLE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state CONNECTING
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 AUTH_PAE entering state AUTHENTICATING
IEEE 802.1X: 00:40:05:23:3b:f6 BE_AUTH entering state REQUEST
IEEE 802.1X: Sending EAP Packet to 00:40:05:23:3b:f6 (identifier 28)
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
Received 65 bytes management frame
RX frame - hexdump(len=65): 0a 0a 02 01 00 40 05 23 3b f6 00 40 05 ae b7 7c 00 40 05 ae b7 7c f0 a7 aa aa 03 00 00 00 88 8e 02 00 00 1d 01 1c 00 1d 01 57 65 6c 63 6f 6d 65 20 74 6f 20 65 73 73 69 20 68 6f 73 74 61 70 64 21
DATA (TX callback) ACK
IEEE 802.1X: 00:40:05:23:3b:f6 TX status - version=2 type=0 length=29 - ack=1
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
Checking STA 00:40:05:23:3b:f6 inactivity:
Station has been active
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
IEEE 802.1X: 00:40:05:23:3b:f6 REAUTH_TIMER entering state INITIALIZE
So, my questions are:
1. Is there anything wrong in hostapd.conf or radiusd.conf? (I run hostapd and FreeRADIUS on the same machine.)
2. Why does the error "TLS_accept:error in SSLv3 read client certificate A" appear, and what does it mean?
Could anyone help me?
Thanks a lot!
Helen