EAP/TTLS PEAP MSCHAP

Arran Cudbard-Bell A.Cudbard-Bell at sussex.ac.uk
Wed Apr 4 19:51:45 CEST 2007


Eshun Benjamin wrote:
> Mac connects but MS Windows does not.  I am doing server-side cert. 
> Error from MS Windows.
>
>
> User-Name = "testgeneral"
>         NAS-IP-Address = 10.1.5.26
>         Called-Station-Id = "0016014d9158"
>         Calling-Station-Id = "0019e3034ceb"
>         NAS-Identifier = "0016014d9158"
>         NAS-Port = 36
>         Framed-MTU = 1400
>         State = 0x3d946123f5f422f576bed1eb52863e55
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 
> 0x0202005019800000004616030100410100003d030146139aedbfdec7d57168bf7fdbe984cfd19f5d1e7c13ee839e4b0a55d34aa86600001600040005000a000900640062000300060013001200630100
>         Message-Authenticator = 0x3efce19c566f372e8744589f65d58401
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section 
> of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize 
> for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> preprocess (rlm_preprocess) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from preprocess (rlm_preprocess) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "preprocess" returns ok for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> mschap (rlm_mschap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from mschap (rlm_mschap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "mschap" returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> suffix (rlm_realm) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No '@' in User-Name = 
> "testgeneral", looking up realm NULL
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No such realm "NULL"
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from suffix (rlm_realm) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "suffix" returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response 
> id 2 length 80
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming 
> it's an on-going EAP conversation
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap" 
> returns updated for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> files (rlm_files) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:     users: Matched entry testgeneral 
> at line 216
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from files (rlm_files) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files" 
> returns ok for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from etc_smbpasswd (rlm_passwd) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "etc_smbpasswd" returns notfound for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap 
> (rlm_pap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, 
> not changing it.
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from pap (rlm_pap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap" 
> returns noop for request 74
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize 
> (returns updated) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found 
> Auth-Type EAP
> Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate 
> section of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate 
> for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling 
> eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released 
> from the list
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls:  Length Included
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 11
> Wed Apr  4 14:32:48 2007 : Debug:     (other): before/accept 
> initialization
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: before/accept 
> initialization
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake 
> [length 0041], ClientHello 
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 read client 
> hello A
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake 
> [length 004a], ServerHello 
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write server 
> hello A
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake 
> [length 038f], Certificate 
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write 
> certificate A
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake 
> [length 0004], ServerHelloDone 
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 write server 
> done A
> Wed Apr  4 14:32:48 2007 : Debug:     TLS_accept: SSLv3 flush data
> Wed Apr  4 14:32:48 2007 : Error:     TLS_accept:error in SSLv3 read 
> client certificate A
> Wed Apr  4 14:32:48 2007 : Error: rlm_eap: SSL error 
> error:00000000:lib(0):func(0):reason(0)
> Wed Apr  4 14:32:48 2007 : Debug: In SSL Handshake Phase
> Wed Apr  4 14:32:48 2007 : Debug: In SSL Accept mode 
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_process returned 13
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: returned 
> from eap (rlm_eap) for request 74
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authenticate]: module 
> "eap" returns handled for request 74
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authenticate 
> (returns handled) for request 74
> Sending Access-Challenge of id 0 to 10.1.5.26 port 2048
>         EAP-Message = 
>         EAP-Message = 
>         EAP-Message = 
>         EAP-Message = 
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x4e138cc588a831123b8c899c1e03c4fc
> Wed Apr  4 14:32:48 2007 : Debug: Finished request 74
> Wed Apr  4 14:32:48 2007 : Debug: Going to the next request
> Wed Apr  4 14:32:48 2007 : Debug: rl_next:  returning NULL
> Wed Apr  4 14:32:48 2007 : Debug: Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 10.1.5.26:2048, id=0, length=143
>         User-Name = "testgeneral"
>         NAS-IP-Address = 10.1.5.26
>         Called-Station-Id = "0016014d9158"
>         Calling-Station-Id = "0019e3034ceb"
>         NAS-Identifier = "0016014d9158"
>         NAS-Port = 36
>         Framed-MTU = 1400
>         State = 0x4e138cc588a831123b8c899c1e03c4fc
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = 0x020300061900
>         Message-Authenticator = 0xf89ebcfef5ea8e2a15b9fc63884890df
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authorize section 
> of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authorize 
> for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> preprocess (rlm_preprocess) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from preprocess (rlm_preprocess) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "preprocess" returns ok for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> mschap (rlm_mschap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from mschap (rlm_mschap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "mschap" returns noop for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> suffix (rlm_realm) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No '@' in User-Name = 
> "testgeneral", looking up realm NULL
> Wed Apr  4 14:32:48 2007 : Debug:     rlm_realm: No such realm "NULL"
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from suffix (rlm_realm) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "suffix" returns noop for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling eap 
> (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP packet type response 
> id 3 length 6
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: No EAP Start, assuming 
> it's an on-going EAP conversation
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from eap (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "eap" 
> returns updated for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> files (rlm_files) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:     users: Matched entry testgeneral 
> at line 216
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from files (rlm_files) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "files" 
> returns ok for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling 
> etc_smbpasswd (rlm_passwd) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from etc_smbpasswd (rlm_passwd) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module 
> "etc_smbpasswd" returns notfound for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: calling pap 
> (rlm_pap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug: rlm_pap: Found existing Auth-Type, 
> not changing it.
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authorize]: returned 
> from pap (rlm_pap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authorize]: module "pap" 
> returns noop for request 75
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authorize 
> (returns updated) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   rad_check_password:  Found 
> Auth-Type EAP
> Wed Apr  4 14:32:48 2007 : Debug: auth: type "EAP"
> Wed Apr  4 14:32:48 2007 : Debug:   Processing the authenticate 
> section of radiusd.conf
> Wed Apr  4 14:32:48 2007 : Debug: modcall: entering group authenticate 
> for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: calling 
> eap (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: Request found, released 
> from the list
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: EAP/peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap: processing type peap
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: Authenticate
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: processing TLS
> Wed Apr  4 14:32:48 2007 : Debug: rlm_eap_tls: Received EAP-TLS ACK 
> message
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_tls: ack handshake 
> fragment handler
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_verify returned 1
> Wed Apr  4 14:32:48 2007 : Debug:   eaptls_process returned 13
> Wed Apr  4 14:32:48 2007 : Debug:   rlm_eap_peap: EAPTLS_HANDLED
> Wed Apr  4 14:32:48 2007 : Debug:   modsingle[authenticate]: returned 
> from eap (rlm_eap) for request 75
> Wed Apr  4 14:32:48 2007 : Debug:   modcall[authenticate]: module 
> "eap" returns handled for request 75
> Wed Apr  4 14:32:48 2007 : Debug: modcall: leaving group authenticate 
> (returns handled) for request 75
>
>  
> ==================================================
>
> Benjamin K. Eshun
>
>
> Discover a new way to get answers to all your questions! Take advantage 
> of the knowledge, opinions and experiences of other Internet users on 
> Yahoo! Questions/Réponses 
> <http://fr.rd.yahoo.com/evt=42054/*http://fr.answers.yahoo.com>.
> ------------------------------------------------------------------------
>
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Your server-side certificate needs to have special OIDs, which the peap 
section of the eap.conf file warns you about. Windows will check that 
these OIDs are present in the certificate sent from the server; if they 
are not, it will fail silently.
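The check described above, as an added example that is not part of this thread or of FreeRADIUS itself: a stdlib-only Python walk of a DER-encoded certificate that locates the extendedKeyUsage extension (OID 2.5.29.37) and reports whether it lists id-kp-serverAuth (OID 1.3.6.1.5.5.7.3.1), the "Server Authentication" purpose the Windows supplicant requires on the RADIUS server certificate and the one the xpextensions file shipped with FreeRADIUS adds to server certificates. It matches the failure pattern in the log, where the client goes quiet right after ServerHelloDone ("error in SSLv3 read client certificate A"), which is what a client-side rejection of the server certificate looks like from the RADIUS side. The fixture certificates are constructed inside the block and are unsigned skeletons with empty issuer/subject/key fields, built only so the parser has something to walk; the function and constant names are this example's own.

```python
"""Does a DER X.509 certificate carry the serverAuth extended key usage?

Windows PEAP/EAP-TLS supplicants refuse a RADIUS server certificate that
lacks id-kp-serverAuth (1.3.6.1.5.5.7.3.1) in extendedKeyUsage.  This is a
minimal ASN.1 DER walk with no third-party dependencies.
"""

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth (for contrast)
EXT_KEY_USAGE_OID = "2.5.29.37"         # id-ce-extKeyUsage


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        yield tag, inner


def _decode_oid(value):
    """Decode an OBJECT IDENTIFIER body into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extended_key_usages(cert_der):
    """Return the EKU OIDs listed in the certificate, or [] if absent."""
    _, cert, _ = _read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate ::= SEQUENCE
    for tag, value in _children(tbs):
        if tag != 0xA3:                       # [3] EXPLICIT Extensions
            continue
        _, exts, _ = _read_tlv(value, 0)      # Extensions ::= SEQUENCE OF Extension
        for _, ext in _children(exts):
            fields = list(_children(ext))     # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) != EXT_KEY_USAGE_OID:
                continue
            _, purposes, _ = _read_tlv(fields[-1][1], 0)   # OCTET STRING wraps a SEQUENCE OF OID
            return [_decode_oid(v) for _, v in _children(purposes)]
    return []


def acceptable_for_windows_peap(cert_der):
    """True when the server certificate advertises the serverAuth purpose."""
    return SERVER_AUTH_OID in extended_key_usages(cert_der)


# --- constructed fixtures (not real certificates) -------------------------

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)


def build_test_cert(eku_oids):
    """Unsigned skeleton Certificate whose only real content is the EKU
    extension (None = no extensions at all).  Issuer, subject, validity and
    key are empty SEQUENCE placeholders so the parser has a structure to walk."""
    empty = _tlv(0x30, b"")
    tbs = [_tlv(0xA0, _tlv(0x02, b"\x02")),   # [0] version v3
           _tlv(0x02, b"\x01"),               # serialNumber 1
           empty, empty, empty, empty, empty]  # sigalg, issuer, validity, subject, SPKI
    if eku_oids is not None:
        purposes = _tlv(0x30, b"".join(_encode_oid(o) for o in eku_oids))
        ext = _tlv(0x30, _encode_oid(EXT_KEY_USAGE_OID) + _tlv(0x04, purposes))
        tbs.append(_tlv(0xA3, _tlv(0x30, ext)))
    return _tlv(0x30, _tlv(0x30, b"".join(tbs)) + empty + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    for label, oids in [("serverAuth", [SERVER_AUTH_OID]),
                        ("clientAuth only", [CLIENT_AUTH_OID]),
                        ("no EKU", None)]:
        print(label, "->", acceptable_for_windows_peap(build_test_cert(oids)))
```

On a real server certificate the same information is visible with `openssl x509 -in server.pem -noout -text`: look for "TLS Web Server Authentication" under "X509v3 Extended Key Usage". A certificate that prints only "TLS Web Client Authentication", or no Extended Key Usage block at all, is the case this parser flags and the case the Windows client rejects without telling the RADIUS server why.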




