FR 1.1.6 EAP - TLS rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
Remy de Ruysscher
remy at unix-asp.com
Sat Apr 28 20:48:36 CEST 2007
Hi,
I just upgraded FR 1.1.4 to 1.1.6 on FreeBSD 6.1, and FR has always worked
wonderfully for me in the past.
I saw in the changelog something about terminating the SSL session in EAP on
errors.
What can I do to fix this error?
Regards,
Remy.
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.250:3072, id=1, length=256
User-Name = "monique at unix-asp.com"
NAS-IP-Address = 10.0.1.250
Called-Station-Id = "0012176fb399"
Calling-Station-Id = "0013022105d3"
NAS-Identifier = "0012176fb399"
NAS-Port = 55
Framed-MTU = 1400
State = 0x99e6bf386c1693ffe99cc51011c78c22
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0201006e0d8000000064160301005f0100005b030146338b7df93bc3ecee992b73b782861f
b83b032ad4e5d0e367a50e96a5f4d07e00003400390038003500160013000a00330032002f00
6600050004006500640063006200610060001500120009001400110008000600030100
Message-Authenticator = 0xd1dcd23d54281665000ddf314423cf61
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.1.250/auth-detail-20070428
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "unix-asp.com" for User-Name = "monique at unix-asp.com"
rlm_realm: No such realm "unix-asp.com"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 110
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 005f], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 02ca], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a9], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 10.0.1.250 port 3072
EAP-Message =
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcb376b4b0ff5456ba9300ec08c5b69aa
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.250:3072, id=1, length=163
User-Name = "monique at unix-asp.com"
NAS-IP-Address = 10.0.1.250
Called-Station-Id = "0012176fb399"
Calling-Station-Id = "0013022105d3"
NAS-Identifier = "0012176fb399"
NAS-Port = 55
Framed-MTU = 1400
State = 0xcb376b4b0ff5456ba9300ec08c5b69aa
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200110d80000000071503010002022a
Message-Authenticator = 0x73d8ae0eec89244e63a52fa4e5fc8e7f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/var/log/radacct/10.0.1.250/auth-detail-20070428'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radacct/10.0.1.250/auth-detail-20070428
modcall[authorize]: module "auth_log" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "unix-asp.com" for User-Name = "monique at unix-asp.com"
rlm_realm: No such realm "unix-asp.com"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 2
modcall: leaving group authenticate (returns reject) for request 2
auth: Failed to validate the user.
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 1 to 10.0.1.250 port 3072
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 2 ID 1 with timestamp 46338b7a
Nothing to do. Sleeping until we see a request.
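Decoding the EAP-Message values in the debug output above makes the failure point explicit: the client's first response (id 1) carries the TLS ClientHello, and its second response (id 2), sent right after the server's Certificate and CertificateRequest, is a fatal bad_certificate alert, so it is the supplicant that rejected the server's certificate, which points the investigation at the client's trust of that certificate rather than at the server's key. This is an added example, not code from the original post or from FreeRADIUS; the sample packets are copied from the log above.

```python
import struct

# Added example (not FreeRADIUS code): decodes the EAP-TLS framing (RFC 5216) of the EAP-Message values above.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate", 48: "unknown_ca"}

# Sample packets copied from the log above (client ClientHello, client alert, server Failure).
CLIENT_HELLO = ("0x0201006e0d8000000064160301005f0100005b030146338b7df93bc3ecee992b73b782861f"
                "b83b032ad4e5d0e367a50e96a5f4d07e00003400390038003500160013000a00330032002f00"
                "6600050004006500640063006200610060001500120009001400110008000600030100")
CLIENT_ALERT = "0x020200110d80000000071503010002022a"
SERVER_FAILURE = "0x04020004"

def decode_eap_message(hexstr):
    """Return a dict describing one EAP packet; EAP-TLS payloads get their first TLS record decoded."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])   # EAP header: Code, Identifier, Length
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(data) < 6:                     # Success/Failure carry no Type field
        return out
    out["type"] = data[4]
    if data[4] != 13:                                       # 13 = EAP-TLS
        return out
    flags = data[5]                                         # L (0x80), M (0x40), S (0x20) bits
    if flags & 0x80:                                        # L bit: 4-byte total TLS length follows
        out["tls_length"] = struct.unpack("!I", data[6:10])[0]
    rec = data[10 if flags & 0x80 else 6:]
    if len(rec) < 5:                                        # bare ACK fragment, no TLS record
        return out
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", rec[:5])   # TLS record header
    body = rec[5:5 + rlen]
    tls = {"type": TLS_CONTENT.get(ctype, ctype), "version": f"{vmaj}.{vmin}", "len": rlen}
    if ctype == 22 and body:                                # Handshake: first body byte is the message type
        tls["handshake"] = HANDSHAKE.get(body[0], body[0])
    elif ctype == 21 and len(body) >= 2:                    # Alert: level byte, then description byte
        tls["level"] = {1: "warning", 2: "fatal"}.get(body[0], body[0])
        tls["description"] = ALERTS.get(body[1], body[1])
    out["tls"] = tls
    return out

def first_fatal_alert(messages):
    """Report the first fatal alert and which side of the EAP exchange sent it."""
    for m in messages:
        d = decode_eap_message(m)
        tls = d.get("tls", {})
        if tls.get("type") == "Alert" and tls.get("level") == "fatal":
            side = "client/supplicant" if d["code"] == "Response" else "server"
            return f"{side} sent fatal {tls['description']} in EAP id {d['id']}"
    return None
```

An alert inside an EAP Response was sent by the supplicant; an alert inside an EAP Request was sent by the server, so the direction of the first fatal alert tells you which side to troubleshoot.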