Cert Problem with EAP-TTLS, SecureW2 (1.0.5-->1.1.7)
Martin Pauly
pauly at hrz.uni-marburg.de
Fri Nov 2 09:36:28 CET 2007
On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
> So... did you run the command to set the DH parameters?
yeah, stupid me: I had looked for it in my own eap.conf,
not in the one provided with the 1.1.5 package.
No DH gets initialized, but the cert problem remains.
Here's the debug output again (startup + 1 connection trial):
pcrz322:/etc/freeradius# freeradius -X | tee /tmp/freerad.debug.log
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "/etc/shadow"
unix: group = "(null)"
unix: radwtmp = "/var/log/freeradius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/freeradius/certs/key-radius-staff.pem"
tls: certificate_file = "/etc/freeradius/certs/cert-radius-staff.pem"
tls: CA_file = "/etc/freeradius/certs/unimr-ssl-ca.pem"
tls: private_key_password = "omihnl"
tls: dh_file = "/etc/freeradius/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/freeradius/huntgroups"
preprocess: hints = "/etc/freeradius/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/freeradius/users"
files: acctusersfile = "/etc/freeradius/acct_users"
files: preproxy_usersfile = "/etc/freeradius/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/freeradius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=101, length=136
User-Name = "Anonymous"
Framed-MTU = 1400
Called-Station-Id = "0013.8011.9a60"
Calling-Station-Id = "0011.24c9.25f2"
Service-Type = Login-User
Message-Authenticator = 0xce6c8c91570936e0f7a5a6aea1062eb4
EAP-Message = 0x0201000e01416e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 44155
NAS-IP-Address = 192.168.75.247
NAS-Identifier = "warz003"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "Anonymous"
rlm_realm: Proxying request from user Anonymous to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 101 to 192.168.75.247 port 1645
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb498dc282c22e1d8ff34a0b827819af9
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 101 with timestamp 4729bd78
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=102, length=136
User-Name = "Anonymous"
Framed-MTU = 1400
Called-Station-Id = "0013.8011.9a60"
Calling-Station-Id = "0011.24c9.25f2"
Service-Type = Login-User
Message-Authenticator = 0x8abd328569f979c1d4d3f259dcdd0c3e
EAP-Message = 0x0201000e01416e6f6e796d6f7573
NAS-Port-Type = Wireless-802.11
NAS-Port = 44157
NAS-IP-Address = 192.168.75.247
NAS-Identifier = "warz003"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "Anonymous"
rlm_realm: Proxying request from user Anonymous to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 1 length 14
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 102 to 192.168.75.247 port 1645
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97b372c376a7a44695056802e010064c
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=103, length=258
User-Name = "Anonymous"
Framed-MTU = 1400
Called-Station-Id = "0013.8011.9a60"
Calling-Station-Id = "0011.24c9.25f2"
Service-Type = Login-User
Message-Authenticator = 0xb2829ef0df4d913c93e7fd30a46426b6
EAP-Message = 0x0202007615800000006c16030100670100006303014729bd9bb248a47e3cbcec267904a4ee52b135a56e1881c169240e7a7107d1c200003c002f000500040035000aff830009ff82000300080006ff8000320033003400380039003a0016001500140013001200110018001b001a0017001900010100
NAS-Port-Type = Wireless-802.11
NAS-Port = 44157
State = 0x97b372c376a7a44695056802e010064c
NAS-IP-Address = 192.168.75.247
NAS-Identifier = "warz003"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "Anonymous"
rlm_realm: Proxying request from user Anonymous to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 118
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 103 to 192.168.75.247 port 1645
[4 EAP-Message fragments missing from the archived copy]
EAP-Message = 0x672e646530090603551d12040230003081950603551d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x20f6d86d4e6ca6fb2bfaad3de7d5adff
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=104, length=146
User-Name = "Anonymous"
Framed-MTU = 1400
Called-Station-Id = "0013.8011.9a60"
Calling-Station-Id = "0011.24c9.25f2"
Service-Type = Login-User
Message-Authenticator = 0xc4c739bc2266065dddda17966d40c3c5
EAP-Message = 0x020300061500
NAS-Port-Type = Wireless-802.11
NAS-Port = 44157
State = 0x20f6d86d4e6ca6fb2bfaad3de7d5adff
NAS-IP-Address = 192.168.75.247
NAS-Identifier = "warz003"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "Anonymous", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "Anonymous"
rlm_realm: Proxying request from user Anonymous to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 104 to 192.168.75.247 port 1645
[3 EAP-Message fragments missing from the archived copy]
EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa145d9de8019bae046f8849b2f1edf14
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 102 with timestamp 4729bd9a
Cleaning up request 2 ID 103 with timestamp 4729bd9a
Cleaning up request 3 ID 104 with timestamp 4729bd9a
Nothing to do. Sleeping until we see a request.
--
Dr. Martin Pauly Fax: 49-6421-28-26994
HRZ Univ. Marburg Phone: 49-6421-28-23527
Hans-Meerwein-Str. E-Mail: pauly at HRZ.Uni-Marburg.DE
D-35032 Marburg
More information about the Freeradius-Users mailing list
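The debug output above shows the EAP-TTLS exchange only as raw EAP-Message hex and rlm_eap_tls trace lines. The script below is an added example, not part of the original post and not FreeRADIUS or SecureW2 code: it decodes those EAP-Message attributes (RFC 3748 header, the EAP-TTLS L/M/S flags byte, the embedded TLS records and the ClientHello cipher-suite list), joins the 253-byte attribute pieces of one RADIUS packet before parsing, and reads the server's own `<<<`/`>>>` handshake trace to say where the conversation stopped. SAMPLE_LOG is a constructed excerpt built only from hex values and trace lines that appear in the post; the function names and the WEAK_SUITES set are the example's own.

```python
import re

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
# Offered suites a RADIUS server's cipher_list must exclude: NULL, export-grade and anonymous-DH (RFC 2246/3268)
WEAK_SUITES = {0x0001, 0x0002, 0x0003, 0x0006, 0x0008, 0x0011, 0x0014, 0x0017, 0x0018, 0x0019,
               0x001a, 0x001b, 0x0034, 0x003a}

def parse_client_hello(body):
    sid_len = body[34]                          # body: version(2) random(32) sid_len(1) sid cs_len(2) suites
    off = 35 + sid_len
    cs_len = int.from_bytes(body[off:off + 2], "big")
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(off + 2, off + 2 + cs_len, 2)]
    return {"version": (body[0], body[1]), "gmt_unix_time": int.from_bytes(body[2:6], "big"),
            "suites": suites, "weak": sorted(s for s in suites if s in WEAK_SUITES)}

def parse_tls_records(data):
    # Split a TLS byte stream into records; a record cut by EAP fragmentation is marked incomplete
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, rlen = data[off], int.from_bytes(data[off + 3:off + 5], "big")
        body = data[off + 5:off + 5 + rlen]
        rec = {"type": ctype, "length": rlen, "complete": len(body) == rlen}
        if ctype == 22 and len(body) >= 4:                      # handshake record
            rec["handshake"] = HANDSHAKE.get(body[0], body[0])
            if body[0] == 1 and rec["complete"]:
                rec["client_hello"] = parse_client_hello(body[4:])
        records.append(rec)
        off += 5 + rlen
    return records

def parse_eap(hexstr):
    # RFC 3748 header; EAP-TLS (13) and EAP-TTLS (21) share the L/M/S flags byte and optional TLS length
    b = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = b[0], b[1], int.from_bytes(b[2:4], "big")
    if length != len(b):
        raise ValueError("EAP length %d but %d bytes present: partial fragment?" % (length, len(b)))
    msg = {"code": EAP_CODE.get(code, code), "id": ident, "length": length}
    if length == 4:                                             # Success/Failure carry no type
        return msg
    msg["type"] = b[4]
    if b[4] == 1:                                               # Identity
        msg["identity"] = b[5:].decode("ascii", "replace")
    elif b[4] in (13, 21):
        flags = b[5]
        msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        off = 10 if flags & 0x80 else 6                         # L set: 4-byte total TLS length precedes data
        if flags & 0x80:
            msg["tls_total_length"] = int.from_bytes(b[6:10], "big")
        msg["records"] = parse_tls_records(b[off:])
        msg["kind"] = "Start" if flags & 0x20 else ("Data" if msg["records"] else "ACK")
    return msg

def eap_messages(log):
    # Join the EAP-Message attributes of each RADIUS packet: FreeRADIUS splits them into 253-byte pieces
    packets = []
    for line in log.splitlines():
        if line.lstrip().startswith(("rad_recv:", "Sending Access-")):
            packets.append([])
        m = re.match(r"\s*EAP-Message = 0x([0-9a-fA-F]+)", line)
        if m and packets:
            packets[-1].append(m.group(1))
    return ["".join(p) for p in packets if p]

def handshake_trace(log):
    # [(direction, message)] in order; '<<<' is from the supplicant, '>>>' is to it
    return re.findall(r"rlm_eap_tls: (<<<|>>>) TLS \S+ Handshake \[length [0-9a-f]+\], (\w+)", log)

def diagnose(trace):
    # Explain where the handshake stopped, from the server's own trace lines
    if trace and trace[-1] == (">>>", "ServerHelloDone") and "ClientKeyExchange" not in [m for _, m in trace]:
        return ("server sent Certificate and ServerHelloDone but the supplicant never answered: "
                "it rejected the server certificate (untrusted CA, name check, chain) or gave up")
    return "last handshake message: %s %s" % trace[-1] if trace else "no TLS handshake seen"

def redact(log):
    # freeradius -X prints the private key passphrase in clear text; mask it before sharing a log
    return re.sub(r'(private_key_password = ")[^"]*"', r'\1<redacted>"', log)

# Constructed excerpt: EAP-Message values and rlm_eap_tls lines copied from the log in the post
SAMPLE_LOG = """\
Sending Access-Challenge of id 102 to 192.168.75.247 port 1645
        EAP-Message = 0x010200061520
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=103, length=258
        EAP-Message = 0x0202007615800000006c16030100670100006303014729bd9bb248a47e3cbcec267904a4ee52b135a56e1881c169240e7a7107d1c200003c002f000500040035000aff830009ff82000300080006ff8000320033003400380039003a0016001500140013001200110018001b001a0017001900010100
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
rad_recv: Access-Request packet from host 192.168.75.247:1645, id=104, length=146
        EAP-Message = 0x020300061500
"""

if __name__ == "__main__":
    for m in map(parse_eap, eap_messages(SAMPLE_LOG)):
        print(m["code"], m["id"], m["kind"], [r.get("handshake") for r in m["records"]])
    print(diagnose(handshake_trace(SAMPLE_LOG)))
```

Run against the posted log, the trace ends with the server's ServerHelloDone and no ClientKeyExchange ever arrives, which is what `TLS_accept: Need to read more data: SSLv3 read client certificate A` says from the server's side: the supplicant received the certificate chain and did not continue, so the next place to look is the client's validation of that chain (trusted CA, name checks in the SecureW2 profile), not the DH setup. The ClientHello decode also shows the client offering NULL, export-grade and anonymous-DH suites; with `cipher_list = "(null)"` the server is relying on OpenSSL's defaults, so pin an explicit cipher_list. Finally, `-X` prints `private_key_password` in clear text, which is what `redact()` is for: scrub the passphrase before posting a log, and treat a passphrase that has already been posted as compromised.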