802.1x + freeradius authentication problem

Ramon Barquier Ramon.Barquier at uab.es
Fri Feb 2 16:56:01 CET 2007


Alan DeKok wrote:

>Ramon Barquier wrote:
>  
>
>>We are trying to set up an environment with 802.1x + Freeradius for our 
>>Wireless net. Our goal is to authenticate Windows XP clients using EAP.
>>    
>>
>
>  Then... configure EAP.
>
>  
>
>> rlm_eap: EAP packet type response id 2 length 6
>> rlm_eap: Ignoring NAK with request for unknown EAP type
>>    
>>
>
>  The client is asking to do PEAP, and you haven't configured PEAP on
>the server.
>
>  Alan DeKok.
>--
>  http://deployingradius.com       - The web site of the book
>  http://deployingradius.com/blog/ - The blog

Alan,

Thanks for your response.

We have tried to configure ttls as you suggested in your mail. 
Unfortunately we have not succeeded.

To make things easier, we have tried to set up a completely new 
configuration, with just one local user called test. Our Windows XP 
client is now using SecureW2 (with EAP-TTLS/PAP). We attach the 
connection log.

We see the 'negotiation' messages, but no sign of "Success" at the end 
(and no wireless connection either, of course).

Any ideas?

------------------------------------------------------------------------

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2007.02.02 16:42:42 =~=~=~=~=~=~=~=~=~=~=~=
/home/radmgr/freeradius/sbin/radiusd -X -A
Config:   including file: /home/radmgr/freeradius/etc/raddb/radiusd.conf
Config:   including file: /home/radmgr/freeradius/etc/raddb/proxy.conf
Config:   including file: /home/radmgr/freeradius/etc/raddb/clients.conf
Config:   including file: /home/radmgr/freeradius/etc/raddb/snmp.conf
Config:   including file: /home/radmgr/freeradius/etc/raddb/eap.conf
Config:   including file: /home/radmgr/freeradius/etc/raddb/sql.conf
Config:   including file: /home/radmgr/freeradius/etc/raddb/sql/mysql-dialup.conf
FreeRADIUS Version 2.0.0-pre0, for host i686-pc-linux-gnu, built on Jan 16 2007 at 07:30:42
Starting - reading configuration files ...
read_config_files:  reading dictionary
 main: prefix = "/home/radmgr/freeradius"
 main: localstatedir = "/home/radmgr/freeradius/var"
 main: logdir = "/home/radmgr/freeradius/var/log/radius"
 main: libdir = "/home/radmgr/freeradius/lib"
 main: radacctdir = "/home/radmgr/freeradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/home/radmgr/freeradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/home/radmgr/freeradius/var/run/radiusd/radiusd.pid"
 main: user = "radmgr"
 main: checkrad = "/home/radmgr/freeradius/sbin/checkrad"
 main: debug_level = 0
 main: proxy_requests = yes
 log: syslog_facility = "daemon"
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
read_config_files:  reading realms
 main: port = 1812
 listen: type = "auth"
 listen: ipaddr = 10.0.0.11 IP address [10.0.0.11]
 listen: port = 11812
 listen: type = "acct"
 listen: ipaddr = *
 listen: port = 11813
 client: secret = "testing"
 client: shortname = "localhost"
 client: nastype = "other"
 client: secret = "testing"
 client: shortname = "10.0.164.205"
 client: secret = "testing"
 client: shortname = "10.0.170.53"
radiusd:  entering modules setup
Module: Library search path is /home/radmgr/freeradius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: input_pairs = "request"
 exec: shell_escape = yes
rlm_exec: wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded expiration 
 expiration: reply-message = "Password Has Expired  "
Module: Instantiated expiration (expiration) 
Module: Loaded logintime 
 logintime: reply-message = "You are calling outside your allowed timespan  "
 logintime: minimum-timeout = 60
Module: Instantiated logintime (logintime) 
Module: Loaded PAP 
 pap: encryption_scheme = "auto"
 pap: auto_header = no
Module: Instantiated pap (pap) 
Module: Loaded eap 
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: pem_file_type = yes
 tls: private_key_file = "/home/radmgr/freeradius/etc/raddb/certs/server_keycert.pem"
 tls: certificate_file = "/home/radmgr/freeradius/etc/raddb/certs/server_keycert.pem"
 tls: CA_file = "/home/radmgr/freeradius/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "xxxxxxx"
 tls: dh_file = "/home/radmgr/freeradius/etc/raddb/certs/dh"
 tls: random_file = "/home/radmgr/freeradius/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/home/radmgr/freeradius/etc/raddb/huntgroups"
 preprocess: hints = "/home/radmgr/freeradius/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded detail 
 detail: detailfile = "/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
 detail: header = "%t"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
 detail: log_packet_header = no
Module: Instantiated detail (auth_log) 
Module: Loaded files 
 files: usersfile = "/home/radmgr/freeradius/etc/raddb/users"
 files: acctusersfile = "/home/radmgr/freeradius/etc/raddb/acct_users"
 files: preproxy_usersfile = "/home/radmgr/freeradius/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded Acct-Unique-Session-Id 
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix) 
 detail: detailfile = "/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: header = "%t"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
 detail: log_packet_header = no
Module: Instantiated detail (detail) 
Module: Loaded System 
 unix: radwtmp = "/home/radmgr/freeradius/var/log/radius/radwtmp"
Module: Instantiated unix (unix) 
Module: Loaded radutmp 
 radutmp: filename = "/home/radmgr/freeradius/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Module: Loaded attr_filter 
 attr_filter: attrsfile = "/home/radmgr/freeradius/etc/raddb/attrs.accounting_response"
 attr_filter: key = "%{User-Name}"
Module: Instantiated attr_filter (attr_filter.accounting_response) 
 detail: detailfile = "/home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d"
 detail: header = "%t"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
 detail: log_packet_header = no
Module: Instantiated detail (reply_log) 
 attr_filter: attrsfile = "/home/radmgr/freeradius/etc/raddb/attrs.access_reject"
 attr_filter: key = "%{User-Name}"
Module: Instantiated attr_filter (attr_filter.access_reject) 
Initializing the thread pool...
Listening on authentication address 10.0.0.11 port 11812
Listening on accounting address * port 11813
Listening on proxy address 10.0.0.11 port 11814
Ready to process requests.
Nothing to do.  Sleeping until we see a request.



rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=0, length=169
Message-Authenticator = 0x684003590372513db1c8c0172cce4e24
Service-Type = Framed-User
User-Name = "test"
Framed-MTU = 1488
Called-Station-Id = "00-12-CF-1A-15-80:Eduroam"
Calling-Station-Id = "00-0E-35-FE-1F-6D"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020000090174657374
NAS-IP-Address = 1.0.1.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:  '/home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202'
rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202
radius_xlat:  'Fri Feb  2 16:42:56 2007'
  modcall[authorize]: module "auth_log" returns ok for request 0
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry test at line 93
  modcall[authorize]: module "files" returns ok for request 0
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall:  entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 10.0.1.15 port 1027
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x125a0c9a48141a42f6dfbf6d92b85018
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=1, length=238
Message-Authenticator = 0xede79451101fbad4fbb1516c9a7d89e9
Service-Type = Framed-User
User-Name = "test"
Framed-MTU = 1488
State = 0x125a0c9a48141a42f6dfbf6d92b85018
Called-Station-Id = "00-12-CF-1A-15-80:Eduroam"
Calling-Station-Id = "00-0E-35-FE-1F-6D"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0201003c158000000032160301002d0100002903014dd9269456336a81ed0e49e5c6d26e71262af49d73effbd2d1ad24236bbde800000002000a0100
NAS-IP-Address = 1.0.1.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:  '/home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202'
rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202
radius_xlat:  'Fri Feb  2 16:42:56 2007'
  modcall[authorize]: module "auth_log" returns ok for request 1
  rlm_eap: EAP packet type response id 1 length 60
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry test at line 93
  modcall[authorize]: module "files" returns ok for request 1
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall:  entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 04f2], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate A 
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 1 to 10.0.1.15 port 1027
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9b073dc5a0997740cd7d044a6a88b433
Finished request 1
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=2, length=184
Message-Authenticator = 0xa730084ccfaa9745119db3671a73f629
Service-Type = Framed-User
User-Name = "test"
Framed-MTU = 1488
State = 0x9b073dc5a0997740cd7d044a6a88b433
Called-Station-Id = "00-12-CF-1A-15-80:Eduroam"
Calling-Station-Id = "00-0E-35-FE-1F-6D"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020200061500
NAS-IP-Address = 1.0.1.2
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall:  entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat:  '/home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202'
rlm_detail: /home/radmgr/freeradius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /home/radmgr/freeradius/var/log/radius/radacct/10.0.1.15/auth-detail-20070202
radius_xlat:  'Fri Feb  2 16:42:56 2007'
  modcall[authorize]: module "auth_log" returns ok for request 2
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry test at line 93
  modcall[authorize]: module "files" returns ok for request 2
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall:  entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 2 to 10.0.1.15 port 1027
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5cebe4a2ccb87aa9ab3d6385ae6ebea0
Finished request 2
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 2 with timestamp 45c35c00
Cleaning up request 1 ID 1 with timestamp 45c35c00
Cleaning up request 0 ID 0 with timestamp 45c35c00
Nothing to do.  Sleeping until we see a request.


-- 
Ramón Barquier Montalbán           
Comunicacions
Servei d'Informàtica
 
Edifici D
Campus de la UAB
08193 Bellaterra. Barcelona
Tel. +34 935 811 488        Fax: +34 935 812 094
Ramon.Barquier at uab.es
www.uab.es/si
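The log above, decoded as an added example (this is not code from the post or from FreeRADIUS): it parses each packet's first EAP-Message attribute the way radiusd -X prints it and reports whether the EAP-TTLS conversation finished or stalled. The sample input is constructed from the EAP-Message values in the log above; the server's certificate fragments are cut from the post, so they are not part of it.

```python
# Added example, not code from the post or FreeRADIUS: decode radiusd -X EAP-Message values.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5", 13: "TLS", 21: "TTLS", 25: "PEAP"}

# Constructed sample: the first EAP-Message of each packet, copied from the log above
# (the server's certificate fragments are cut from the post, so they are left out).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=0, length=169
EAP-Message = 0x020000090174657374
Sending Access-Challenge of id 0 to 10.0.1.15 port 1027
EAP-Message = 0x010100061520
rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=1, length=238
EAP-Message = 0x0201003c158000000032160301002d0100002903014dd9269456336a81ed0e49e5c6d26e71262af49d73effbd2d1ad24236bbde800000002000a0100
rad_recv: Access-Request packet from host 10.0.1.15 port 1027, id=2, length=184
EAP-Message = 0x020200061500
"""

def decode_eap(hexstr):
    """Decode one EAP-Message value (the first fragment of a packet) into a dict."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        eap_type = data[4]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                    # Identity carries the user name
            info["identity"] = data[5:length].decode("ascii", "replace")
        elif eap_type in (13, 21, 25):       # TLS-based methods share one flags byte:
            flags = data[5]                  # L = total length present, M = more, S = Start
            info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            body = data[6:length]
            if flags & 0x80:
                info["tls_total_len"] = int.from_bytes(body[:4], "big")
                body = body[4:]
            info["tls_bytes"] = len(body)
            info["ack"] = len(body) == 0 and (flags & 0xE0) == 0  # empty, no flags: ACK
    return info

def walk_log(log_text):
    """Decode the first EAP-Message after each packet header (later EAP-Message
    attributes of the same packet are headerless continuation bytes, so skipped)."""
    msgs, take_next = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith(("rad_recv:", "Sending Access-")):
            take_next = True
        elif take_next and line.startswith("EAP-Message = 0x"):
            msgs.append(decode_eap(line.split("= ", 1)[1]))
            take_next = False
    return msgs

def stalled_after_ack(msgs):
    """True when the last message seen is a client ACK of a fragmented server message,
    i.e. the supplicant acknowledged a fragment but never continued its TLS handshake."""
    return bool(msgs) and msgs[-1]["code"] == "Response" and msgs[-1].get("ack", False)
```

Decoded, the sequence is Identity "test", TTLS Start, a 50-byte ClientHello, then a bare ACK; after the server's final Certificate/ServerHelloDone fragment the client sends nothing more, and no Access-Accept or Access-Reject ever appears. A supplicant that stops at exactly that point has usually declined the server certificate it just received, so the CA the client is configured to trust is the first thing to check.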
