Everything looks like it works, but PC is not authenticated
Alexandros Gougousoudis
gougousoudis at kh-berlin.de
Fri Sep 1 15:24:59 CEST 2006
Hi,
I'm running FreeRADIUS 1.1.0 on SuSE 10.1 with certificates. After a
lot of help from this list and a good FAQ I have got so far that I generated
the certs for server and client and that the communication between
client, server and AP (Linksys switch) works.
My problem is that, looking at the logs, the client should be
authenticated, but it isn't. The AP doesn't open the port. I assume the
problem is Windows submitting the username as "host/computername", which
breaks the certs (but I have no hint in the logfile). The PC tries to
authenticate 13 times (I get at least 13 requests to the RADIUS), but I
get no error...
My users file contains this:
testuser        User-Password == "test2"
"host/vinfo-t1" Auth-Type := EAP
"vinfo-t1"      Auth-Type := EAP
# On no match, the user is denied access.
DEFAULT         Auth-Type := Reject
                Reply-Message = "Bye"
Please have a short look at my debug log. I don't know where to look further.
TIA
Alex
Debug log:
radius:/etc/raddb # radiusd -A -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = yes
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/ssl/radius-neuer-cert-key.pem"
tls: certificate_file = "/etc/raddb/certs/ssl/radius-neuer-cert-key.pem"
tls: CA_file = "/etc/raddb/certs/ssl/ServiceCenter-IT_KHB_HfM_HfS-cacert.pem"
tls: private_key_password = "secret"
tls: dh_file = "/etc/raddb/certs/ssl/dh"
tls: random_file = "/etc/raddb/certs/ssl/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=91
NAS-IP-Address = 10.48.244.21
NAS-Port-Type = Ethernet
NAS-Port = 3
User-Name = "host/vinfo-t1"
EAP-Message = 0x0202001201686f73742f76696e666f2d7431
Message-Authenticator = 0xc1f35f98d7fadcae44c1da0404dfb946
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_eap: EAP packet type response id 2 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry host/vinfo-t1 at line 219
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa888eb3548ccbf70991a8073e4917860
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=171
NAS-IP-Address = 10.48.244.21
NAS-Port-Type = Ethernet
NAS-Port = 3
User-Name = "host/vinfo-t1"
State = 0xa888eb3548ccbf70991a8073e4917860
EAP-Message = 0x020300500d800000004616030100410100003d030144f82ec02d87663894bd52ff81b6e458129ee76d422652e5d90c0184b3ab2c4b00001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x393361b2d5cc0e7f8caf5a584d4aab7d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry host/vinfo-t1 at line 219
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ef8], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
EAP-Message = 0xad529359b0a55e5bffa9cf65b3034d48c263c491b24a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8ada72f87d56fd2eeffabef3ec09dc62
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97
NAS-IP-Address = 10.48.244.21
NAS-Port-Type = Ethernet
NAS-Port = 3
User-Name = "host/vinfo-t1"
State = 0x8ada72f87d56fd2eeffabef3ec09dc62
EAP-Message = 0x020400060d00
Message-Authenticator = 0x8d34aa0b0247b80bb0bc1f1fcb163af7
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry host/vinfo-t1 at line 219
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
EAP-Message = 0x020102020900890d6f61ac0ce005300d06092a864886
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9a47ab7f9de113ebbe793cdba4b8eac5
Finished request 2
[...]
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.244.21:49154, id=0, length=97
NAS-IP-Address = 10.48.244.21
NAS-Port-Type = Ethernet
NAS-Port = 3
User-Name = "host/vinfo-t1"
State = 0x02e56d8de12a870049b3b02e1f4ad162
EAP-Message = 0x021100060d00
Message-Authenticator = 0x8a9e680cc21b98a2835861c9ef08faea
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module "preprocess" returns ok for request 13
rlm_eap: EAP packet type response id 17 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 13
users: Matched entry host/vinfo-t1 at line 219
modcall[authorize]: module "files" returns ok for request 13
modcall: leaving group authorize (returns updated) for request 13
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 13
modcall: leaving group authenticate (returns handled) for request 13
Sending Access-Challenge of id 0 to 10.48.244.21 port 49154
EAP-Message = 0x0112000a0d8000000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3f9387f3adb41ddea578c30fd328358f
Finished request 13
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 13 ID 0 with timestamp 44cbfc94
Nothing to do. Sleeping until we see a request.
--
ServiceCenter IT - Alexandros Gougousoudis (Head)
Joint facility of the Kunsthochschule Berlin-Weissensee, the Hochschule
für Musik "Hanns Eisler" and the Hochschule für Schauspielkunst "Ernst
Busch".
Tel.: 030 / 477 05 - 444 * Fax.: 030 / 477 05 - 445
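As an added example (not part of the original post), the following Python decodes the EAP-Message attributes that appear in the debug log above (EAP header per RFC 3748, EAP-TLS flags byte per RFC 5216) and counts how many client responses actually carry TLS data. The sample values are copied from the post's log; the diagnosis logic is my own.

```python
import re
# Constructed sample: the EAP-Message values from the debug log above, in
# the order they appear (client Responses and server Requests/challenges).
LOG = """\
EAP-Message = 0x0202001201686f73742f76696e666f2d7431
EAP-Message = 0x010300060d20
EAP-Message = 0x020300500d800000004616030100410100003d030144f82ec02d87663894bd52ff81b6e458129ee76d422652e5d90c0184b3ab2c4b00001600040005000a000900640062000300060013001200630100
EAP-Message = 0x020400060d00
EAP-Message = 0x021100060d00
EAP-Message = 0x0112000a0d8000000000
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY, EAP_TLS = 1, 13

def decode_eap(hexstr):
    """Decode the EAP header (RFC 3748) and, for EAP-TLS, the flags byte (RFC 5216)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) > 4:
        msg["type"] = raw[4]
        if raw[4] == EAP_IDENTITY:
            msg["identity"] = raw[5:].decode("ascii", "replace")
        elif raw[4] == EAP_TLS:
            flags = raw[5]
            # L = TLS message length included, M = more fragments, S = EAP-TLS Start
            msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            body = raw[10:] if flags & 0x80 else raw[6:]
            msg["tls_bytes"] = len(body)   # 0 means a bare ACK (or an empty Start)
    return msg

def parse_log(text):
    """Pull every EAP-Message attribute out of radiusd -X output and decode it."""
    return [decode_eap(h) for h in re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", text)]

def client_tls_flights(msgs):
    """Count client Responses that carry TLS data (ACKs carry none). A completed EAP-TLS
    handshake with a client certificate needs at least two: ClientHello, then Certificate."""
    return sum(1 for m in msgs
               if m["code"] == "Response" and m.get("type") == EAP_TLS and m["tls_bytes"] > 0)

def diagnose(text):
    """Summarise where the EAP-TLS conversation got stuck."""
    flights = client_tls_flights(parse_log(text))
    if flights >= 2:
        return "client sent %d TLS flights" % flights
    return ("client sent ClientHello but never its certificate flight (only ACKs followed)"
            if flights == 1 else "client never sent TLS data")
```

Run against the post's log, the decoder shows one Identity ("host/vinfo-t1"), one EAP-TLS Start, one ClientHello and then nothing but ACKs from the client, which matches the server-side "error in SSLv3 read client certificate A".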