free radius 1.1.6 -eap-tls authentication
tnt at kalik.co.yu
tnt at kalik.co.yu
Fri May 11 11:32:39 CEST 2007
They also say this:
"The most common problem with PEAP is that the client sends a series of
Access-Request messages, the server sends an series of Access-Challenge
responses, and then... nothing happens. After a little wait, it all
starts again.
If you see this happening STOP!
The RAIDUS server certificate has to have special OID's in it, or else
the Microsoft clients will silently fail. etc."
Ivan Kalik
Kalik Informatika ISP
Dana 11/5/2007, "anoop_c at sifycorp.com" <anoop_c at sifycorp.com> piše:
>>>>>>
>
>The FAQ, README, INSTALL, etc. all say to run the server in debugging
>mode to see what\'s going on.
>>>>>>
>
>Dear all
> I run the radius server in debug mode and the output is as follows.
>I didn;t get any clue for the problem.
>
>[root at anoop raddb]# radiusd -X
>Starting - reading configuration files ...
>reread_config: reading radiusd.conf
>Config: including file: /etc/raddb/proxy.conf
>Config: including file: /etc/raddb/clients.conf
>Config: including file: /etc/raddb/snmp.conf
>Config: including file: /etc/raddb/eap.conf
>Config: including file: /etc/raddb/sql.conf
> main: prefix = \"/usr/local\"
> main: localstatedir = \"/usr/local/var\"
> main: logdir = \"/usr/local/var/log/radius\"
> main: libdir = \"/usr/local/lib\"
> main: radacctdir = \"/usr/local/var/log/radius/radacct\"
> main: hostname_lookups = no
> main: snmp = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file = \"/usr/local/var/log/radius/radius.log\"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile = \"/usr/local/var/run/radiusd/radiusd.pid\"
> main: user = \"(null)\"
> main: group = \"(null)\"
> main: usercollide = no
> main: lower_user = \"no\"
> main: lower_pass = \"no\"
> main: nospace_user = \"no\"
> main: nospace_pass = \"no\"
> main: checkrad = \"/usr/local/sbin/checkrad\"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
>read_config_files: reading dictionary
>read_config_files: reading naslist
>Using deprecated naslist file. Support for this will go away soon.
>read_config_files: reading clients
>read_config_files: reading realms
>radiusd: entering modules setup
>Module: Library search path is /usr/local/lib
>Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = no
> mschap: require_strong = no
> mschap: with_ntdomain_hack = no
> mschap: passwd = \"(null)\"
> mschap: ntlm_auth = \"(null)\"
>Module: Instantiated mschap (mschap)
>Module: Loaded eap
> eap: default_eap_type = \"tls\"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = \"(null)\"
> tls: pem_file_type = yes
> tls: private_key_file = \"/etc/raddb/certs/07xwifi.pem\"
> tls: certificate_file = \"/etc/raddb/certs/07xwifi.pem\"
> tls: CA_file = \"/etc/raddb/certs/root.pem\"
> tls: private_key_password = \"password\"
> tls: dh_file = \"/etc/raddb/certs/dh\"
> tls: random_file = \"/etc/raddb/certs/random\"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = \"(null)\"
> tls: cipher_list = \"(null)\"
> tls: check_cert_issuer = \"(null)\"
>rlm_eap_tls: Loading the certificate file as a chain
>rlm_eap: Loaded and initialized type tls
> peap: default_eap_type = \"tls\"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
>rlm_eap: Loaded and initialized type peap
>Module: Instantiated eap (eap)
>Module: Loaded preprocess
> preprocess: huntgroups = \"/etc/raddb/huntgroups\"
> preprocess: hints = \"/etc/raddb/hints\"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> preprocess: with_alvarion_vsa_hack = no
>Module: Instantiated preprocess (preprocess)
>Module: Loaded files
> files: usersfile = \"/etc/raddb/users\"
> files: acctusersfile = \"/etc/raddb/acct_users\"
> files: preproxy_usersfile = \"/etc/raddb/preproxy_users\"
> files: compat = \"no\"
>Module: Instantiated files (files)
>Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = \"User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port\"
>Module: Instantiated acct_unique (acct_unique)
>Module: Loaded realm
> realm: format = \"suffix\"
> realm: delimiter = \"@\"
> realm: ignore_default = no
> realm: ignore_null = no
>Module: Instantiated realm (suffix)
>Module: Loaded detail
> detail: detailfile = \"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d\"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
>Module: Instantiated detail (detail)
>Module: Loaded System
> unix: cache = no
> unix: passwd = \"(null)\"
> unix: shadow = \"(null)\"
> unix: group = \"(null)\"
> unix: radwtmp = \"/usr/local/var/log/radius/radwtmp\"
> unix: usegroup = no
> unix: cache_reload = 600
>Module: Instantiated unix (unix)
>Module: Loaded radutmp
> radutmp: filename = \"/usr/local/var/log/radius/radutmp\"
> radutmp: username = \"%{User-Name}\"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
>Module: Instantiated radutmp (radutmp)
>Listening on authentication *:1812
>Listening on accounting *:1813
>Ready to process requests.
>rad_recv: Access-Request packet from host 192.168.0.50:1031, id=0, length=197
> Message-Authenticator = 0xc7b1d7b5ec22e8aeb3d3c2a37c3b3a57
> Service-Type = Framed-User
> User-Name = \"anoop07\"
> Framed-MTU = 1488
> Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
> Calling-Station-Id = \"00-0E-35-F3-A1-67\"
> NAS-Identifier = \"D-Link Access Point\"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = \"CONNECT 54Mbps 802.11g\"
> EAP-Message = 0x0200000c01616e6f6f703037
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = \"STA port # 1\"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
> modcall[authorize]: module \"preprocess\" returns ok for request 0
> modcall[authorize]: module \"mschap\" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 12
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 0
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module \"files\" returns ok for request 0
>modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
>auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module \"eap\" returns handled for request 0
>modcall: leaving group authenticate (returns handled) for request 0
>Sending Access-Challenge of id 0 to 192.168.0.50 port 1031
> EAP-Message = 0x010100060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x002d8b408269eb13be9fe51557152e71
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1031, id=2, length=197
> Message-Authenticator = 0xd4ad8d1460fc72220a6f4977f5267e73
> Service-Type = Framed-User
> User-Name = \"anoop07\"
> Framed-MTU = 1488
> Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
> Calling-Station-Id = \"00-0E-35-F3-A1-67\"
> NAS-Identifier = \"D-Link Access Point\"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = \"CONNECT 54Mbps 802.11g\"
> EAP-Message = 0x0202000c01616e6f6f703037
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = \"STA port # 1\"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 1
> modcall[authorize]: module \"preprocess\" returns ok for request 1
> modcall[authorize]: module \"mschap\" returns noop for request 1
> rlm_eap: EAP packet type response id 2 length 12
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 1
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module \"files\" returns ok for request 1
>modcall: leaving group authorize (returns updated) for request 1
> rad_check_password: Found Auth-Type EAP
>auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 1
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module \"eap\" returns handled for request 1
>modcall: leaving group authenticate (returns handled) for request 1
>Sending Access-Challenge of id 2 to 192.168.0.50 port 1031
> EAP-Message = 0x010300060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x317c46c3f86f28005a91c1f1980ab3ab
>Finished request 1
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 4 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1031, id=3, length=283
> Message-Authenticator = 0x701e18b26592377cb69381a32d9b7549
> Service-Type = Framed-User
> User-Name = \"anoop07\"
> Framed-MTU = 1488
> State = 0x317c46c3f86f28005a91c1f1980ab3ab
> Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
> Calling-Station-Id = \"00-0E-35-F3-A1-67\"
> NAS-Identifier = \"D-Link Access Point\"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = \"CONNECT 54Mbps 802.11g\"
> EAP-Message = 0x020300500d800000004616030100410100003d0301464433995ca90757d734f0075c780c8f33eb9fdc362a96a9a3eee9d37cb4c71700001600040005000a000900640062000300060013001200630100
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = \"STA port # 1\"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 2
> modcall[authorize]: module \"preprocess\" returns ok for request 2
> modcall[authorize]: module \"mschap\" returns noop for request 2
> rlm_eap: EAP packet type response id 3 length 80
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 2
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module \"files\" returns ok for request 2
>modcall: leaving group authorize (returns updated) for request 2
> rad_check_password: Found Auth-Type EAP
>auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 04bf], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004c], CertificateRequest
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> TLS_accept: Need to read more data: SSLv3 read client certificate A
>In SSL Handshake Phase
>In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module \"eap\" returns handled for request 2
>modcall: leaving group authenticate (returns handled) for request 2
>Sending Access-Challenge of id 3 to 192.168.0.50 port 1031
> EAP-Message = 0x0104040a0dc000000564160301004a0200004603014644339a2a93e1117f8dc62c68b0c2051f4cb05aa4ee8bf4060d2e103cad32312021dad64d5e809b5721688753c3fa8c1a57936fe7e37a42293229abde363dc93100040016030104bf0b0004bb0004b800022c3082022830820191a003020102020101300d06092a864886f70d0101040500303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669301e170d3037303131323135333533305a170d3038303131323135333533305a3060310b300906035504061302494e310b3009060355040813
> EAP-Message = 0x02544e310d300b060355040a1304536966793110300e06035504031307303778776966693123302106092a864886f70d0109011614616e6f6f705f634073696679636f72702e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d2bbbe35bc8a47709632284aff484695385e69c3522f63da46834f9586a420bda380889693fa77fedd9ed4290e6f9ff4436721775294fc65a38fea098f18975b34b5063de27220e18a07d433cbb6e19aeb3f84b012f7c20071dd280457a932634bbe50f438cc2ee6f4d65fa395a10bdecc4bf9087979ec45af000940e186ed290203010001a317301530130603551d25040c300a06082b
> EAP-Message = 0x06010505070301300d06092a864886f70d0101040500038181000afea7f2a8a9cffe60baa8f779353c523457f8237faeff81ba5f2c22664c70b6b2fb58c8967ca4a4c847b80e1d5a6cc4558ffa1d161614f374d8b5efd565aa66045b192b3ac3da82c81c4a99fc10cfe473f9ac258ef99b16cbd335004677694a05addae48c6a9dcdb26b86ddb56c635266c33c7de7586543532692e5220d30b100028630820282308201eba003020102020100300d06092a864886f70d0101040500303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669301e170d
> EAP-Message = 0x3037303131323135333435305a170d3038303131323135333435305a303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e060355040313073037787769666930819f300d06092a864886f70d010101050003818d0030818902818100ba8b07a479bb6ce9adf2d8bc6ac9cf214506dfc039cb10c3b4d27d1bbc082caff0bb77424819728977f04b32e231a3c4755a65823b366f1a604f15ce6c499883ab7d2757a5a2c07a11e75b7a00d6c55a8fb7443b202a25a3cdaad39579b2d8f4c09c974056f0c8666fff754d574836fcaf105200fcd5df5158e2b387310c4ed90203010001a381
> EAP-Message = 0x95308192301d0603551d0e041604149eda6f69065423
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x19754bedc30572111832212fcc84191e
>Finished request 2
>Going to the next request
>Waking up in 4 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1031, id=4, length=209
> Message-Authenticator = 0xcb2030e901c7f1526ddac51af57e4dba
> Service-Type = Framed-User
> User-Name = \"anoop07\"
> Framed-MTU = 1488
> State = 0x19754bedc30572111832212fcc84191e
> Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
> Calling-Station-Id = \"00-0E-35-F3-A1-67\"
> NAS-Identifier = \"D-Link Access Point\"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = \"CONNECT 54Mbps 802.11g\"
> EAP-Message = 0x020400060d00
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = \"STA port # 1\"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 3
> modcall[authorize]: module \"preprocess\" returns ok for request 3
> modcall[authorize]: module \"mschap\" returns noop for request 3
> rlm_eap: EAP packet type response id 4 length 6
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 3
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module \"files\" returns ok for request 3
>modcall: leaving group authorize (returns updated) for request 3
> rad_check_password: Found Auth-Type EAP
>auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module \"eap\" returns handled for request 3
>modcall: leaving group authenticate (returns handled) for request 3
>Sending Access-Challenge of id 4 to 192.168.0.50 port 1031
> EAP-Message = 0x0105016e0d80000005647ec1c9e4d07a608e0e6dcd730f30630603551d23045c305a80149eda6f690654237ec1c9e4d07a608e0e6dcd730fa13fa43d303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669820100300c0603551d13040530030101ff300d06092a864886f70d0101040500038181006b514f008b6a77757fc73ddbe9d54e4ea925a1ab9ce80ad7895d6d19661d8b8558d0e359876aac023aa52d4273e00407b9b588b30dbc35c5911bc89d2d99677e0ec8dea17fece35d0b4dfab8775ba73eaeb0a0998bcdf1437cff0a1031f6a5b1
> EAP-Message = 0x7e8bcdc01e2e964cb256f49d947eea2cfd42989aef397fa438be294fa3dc7a3d160301004c0d000044020102003f003d303b310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e06035504031307303778776966690e000000 Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xdc59784c151c5f91316f8ad08591688c
>Finished request 3
>Going to the next request
>Waking up in 4 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1031, id=5, length=209
> Message-Authenticator = 0x25ded394258af7d7d4a0822acf32fbf7
> Service-Type = Framed-User
> User-Name = \"anoop07\"
> Framed-MTU = 1488
> State = 0xdc59784c151c5f91316f8ad08591688c
> Called-Station-Id = \"00-0F-3D-AF-DD-C2:default\"
> Calling-Station-Id = \"00-0E-35-F3-A1-67\"
> NAS-Identifier = \"D-Link Access Point\"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = \"CONNECT 54Mbps 802.11g\"
> EAP-Message = 0x020500060d00
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = \"STA port # 1\"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 4
> modcall[authorize]: module \"preprocess\" returns ok for request 4
> modcall[authorize]: module \"mschap\" returns noop for request 4
> rlm_eap: EAP packet type response id 5 length 6
> rlm_eap: No EAP Start, assuming it\'s an on-going EAP conversation
> modcall[authorize]: module \"eap\" returns updated for request 4
> users: Matched entry DEFAULT at line 153
> modcall[authorize]: module \"files\" returns ok for request 4
>modcall: leaving group authorize (returns updated) for request 4
> rad_check_password: Found Auth-Type EAP
>auth: type \"EAP\"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 4
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module \"eap\" returns handled for request 4
>modcall: leaving group authenticate (returns handled) for request 4
>Sending Access-Challenge of id 5 to 192.168.0.50 port 1031
> EAP-Message = 0x0106000a0d8000000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xfc4dda99d8ba977e9954c938dac93595
>Finished request 4
>Going to the next request
>Waking up in 4 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 0 with timestamp 46443398
>Waking up in 2 seconds...
>--- Walking the entire request list ---
>Cleaning up request 1 ID 2 with timestamp 4644339a
>Cleaning up request 2 ID 3 with timestamp 4644339a
>Cleaning up request 3 ID 4 with timestamp 4644339a
>Cleaning up request 4 ID 5 with timestamp 4644339a
>Nothing to do. Sleeping until we see a request.
>
>
>Anoop
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
More information about the Freeradius-Users
mailing list