Problem with FreeRadius EAP/TLS and 3com OfficeConnect Wireless AP

Eugenio Pasquariello pasquariello at unimol.it
Thu Mar 30 12:26:49 CEST 2006


Hi,
we have installed FreeRADIUS in conjunction with a 3Com OfficeConnect
Wireless AP, with WPA encryption.
Our system is a Slackware Linux with kernel ver. 2.4.28. The 3Com
OfficeConnect Wireless 11g Access Point model is 3CRWE454G72.
We've installed version 1.1.1 of FreeRADIUS, and we used OpenSSL to
create the certificates for the server and the clients. We tried different
configurations, read FAQs, discussion groups etc., but the system fails.
The client starts the EAP transaction, starts TLS and receives the server
certificate (we have used WinXP as the client), and then Windows asks the user
for the client certificate. After the choice of the certificate, the client
remains blocked.
Here we have posted the radius debug output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = yes
 mschap: require_strong = yes
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/server.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/usr/local/etc/raddb/certs/dh"
 tls: random_file = "/usr/local/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/usr/local/etc/raddb/users"
 files: acctusersfile = "/usr/local/etc/raddb/acct_users"
 files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.254:3544, id=142, length=93
 User-Name = "Roberto"
 NAS-IP-Address = 192.168.1.254
 NAS-Identifier = ""
 NAS-Port = 29
 Service-Type = Framed-User
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 EAP-Message = 0x028e000c01526f626572746f
 Message-Authenticator = 0xb55a7cf8add654a3a2f627a983584a26
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "Roberto", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 142 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry Roberto at line 216
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 142 to 192.168.1.254 port 3544
 EAP-Message = 0x018f00060d20
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xd31f2f5f5f870497aa396155166ca8fa
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.254:3545, id=143, length=179
 User-Name = "Roberto"
 NAS-IP-Address = 192.168.1.254
 NAS-Identifier = ""
 NAS-Port = 29
 Service-Type = Framed-User
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 State = 0xd31f2f5f5f870497aa396155166ca8fa
 EAP-Message = 0x028f00500d800000004616030100410100003d0301442baf2655b72d4ab025b2d05ef8360e73f8ab6bf8fae204c1d19927387adafc00001600040005000a000900640062000300060013001200630100
 Message-Authenticator = 0xe91e302630229d5e42eab44b6622c911
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "Roberto", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 143 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry Roberto at line 216
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 027f], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 007f], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 143 to 192.168.1.254 port 3545
 EAP-Message = 0x0613024954310c300a060355040813036d6974310c300a060355040713036d6974310c300a060355040a13036d6974310c300a060355040b13036d6974310c300a060355040313036d69743119301706092a864886f70d010901160a6d6974406d69742e69740e000000
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xc317b1f0947b3868a6ce76d9107a6308
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.254:3546, id=144, length=105
 User-Name = "Roberto"
 NAS-IP-Address = 192.168.1.254
 NAS-Identifier = ""
 NAS-Port = 29
 Service-Type = Framed-User
 Framed-MTU = 1400
 NAS-Port-Type = Wireless-802.11
 State = 0xc317b1f0947b3868a6ce76d9107a6308
 EAP-Message = 0x029000060d00
 Message-Authenticator = 0x80e0d9154111b75e2f24f084b9bd4d6a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "Roberto", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 144 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry Roberto at line 216
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 144 to 192.168.1.254 port 3546
 EAP-Message = 0x0191000a0d8000000000
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x75ac3a428d93b0ba22431963a01bd5fd
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 142 with timestamp 442b8e5b
Cleaning up request 1 ID 143 with timestamp 442b8e5b
Cleaning up request 2 ID 144 with timestamp 442b8e5b
Nothing to do.  Sleeping until we see a request.


Do you have any idea how we can solve the problem?

Thanks for any support.
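As an added example (not code from the post or from FreeRADIUS), here is a Python decoder for the EAP-Message values that radiusd -X prints, applied to the complete EAP packets in the log above; it assumes the RFC 5216 EAP-TLS flag layout (L, M, S bits). It shows that the last server challenge, id 0x91, carries the L flag with a TLS length of 0 and no fragment, which is where the exchange stops.

```python
# Added example, not FreeRADIUS code: decode EAP-Message hex as printed by "radiusd -X".
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
                 14: "ServerHelloDone", 15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}

def decode_eap_message(hexstr):
    """Decode one complete EAP packet. Several EAP-Message attributes in one
    RADIUS packet are pieces of a single EAP packet: concatenate them first."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length %d but %d bytes present" % (length, len(data)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "summary": ""}
    if code in (3, 4):                            # Success/Failure carry no type byte
        return out
    if data[4] == 1:                              # EAP Identity
        name = data[5:].decode("ascii", "replace")
        out.update(type="Identity", identity=name, summary="Identity " + name)
        return out
    if data[4] != 13:                             # only EAP-TLS is decoded further
        out.update(type=data[4], summary="EAP type %d" % data[4])
        return out
    flags, body = data[5], data[6:]               # RFC 5216 flag byte: L M S
    out["type"] = "EAP-TLS"
    out["flags"] = "".join(n for n, b in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & b)
    if flags & 0x80:                              # L set: 4-byte total TLS length follows
        out["tls_total_length"], body = int.from_bytes(body[:4], "big"), body[4:]
    out["fragment_bytes"] = len(body)
    if flags & 0x20:
        out["summary"] = "EAP-TLS Start"
    elif not body:
        out["summary"] = "no TLS data (ACK)"
    elif body[0] == 0x16 and len(body) >= 6:      # TLS record type 22 = Handshake
        ver = "SSL 3.0" if body[1:3] == b"\x03\x00" else "TLS 1.%d" % (body[2] - 1)
        out["summary"] = "%s Handshake, %s" % (ver, TLS_HANDSHAKE.get(body[5], body[5]))
    else:
        out["summary"] = "TLS record type %d" % body[0]
    return out

# Complete EAP packets copied from the log above, in order (the server's fragmented
# certificate packet is left out because the page shows only its last piece).
LOG_EXCHANGE = [
    "0x028e000c01526f626572746f", "0x018f00060d20",
    "0x028f00500d800000004616030100410100003d0301442baf2655b72d4ab025b2d05ef8360e73f8ab6bf8fae204c1d19927387adafc00001600040005000a000900640062000300060013001200630100",
    "0x029000060d00", "0x0191000a0d8000000000"]

def walk(exchange=LOG_EXCHANGE):
    return ["%s id=%d flags=%s len=%d %s" % (m["code"], m["id"], m.get("flags", "-"),
            m.get("fragment_bytes", 0), m["summary"]) for m in map(decode_eap_message, exchange)]
```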