EAP-TLS does not send an access OK.

Patrice Oliver patrice.oliver at ch-beaune.fr
Fri Nov 16 08:54:17 CET 2007


Hello,

I work on a WiFi authentication project, dealing with EAP-TLS on FreeRADIUS.
I have already read a lot of docs on the net.

The certificates are created with xpextensions and installed.
I use FreeRADIUS.

My config files are attached.
Client : windows XP pro sp2.

Here is the FreeRADIUS log when I try to connect:

rad_recv: Access-Request packet from host 172.17.5.100:32778, id=168, length=150
       User-Name = "mobile"
       NAS-IP-Address = 172.17.5.100
       NAS-Identifier = "172.17.5.100"
       NAS-Port = 1
       NAS-Port-Type = Wireless-802.11
       Calling-Station-Id = "000F20957BB7"
       Called-Station-Id = "000B8641C660"
       Framed-MTU = 1100
       EAP-Message = 0x0201000b016d6f62696c65
       Aruba-Essid-Name = "eole"
       Aruba-Location-Id = "2.1.1"
       Message-Authenticator = 0x4b5ee61553ec73cc454c403ec873ad24
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 168 to 172.17.5.100 port 32778
       Aruba-User-Vlan = 200
       Aruba-User-Role = "eole"
       EAP-Message = 0x010200060d20
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xf1d8d2c72aac139bb25089361b94918e
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=169, length=269
       User-Name = "mobile"
       NAS-IP-Address = 172.17.5.100
       NAS-Identifier = "172.17.5.100"
       NAS-Port = 1
       NAS-Port-Type = Wireless-802.11
       Calling-Station-Id = "000F20957BB7"
       Called-Station-Id = "000B8641C660"
       Framed-MTU = 1100
       EAP-Message = 
0x020200700d800000006616030100610100005d0301473c2a4b426528392f0efd1946172b375ed92f04360eb7068b276ad02f65df942002bc6aa8929e3855237d44cfed0de9e0eef6830330686250346b2a2141ff2f66001600040005000a000900640062000300060013001200630100
       State = 0xf1d8d2c72aac139bb25089361b94918e
       Aruba-Essid-Name = "eole"
       Aruba-Location-Id = "2.1.1"
       Message-Authenticator = 0xd4944b76a67263b3c6431530b33522d1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 169 to 172.17.5.100 port 32778
       Aruba-User-Vlan = 200
       Aruba-User-Role = "eole"
       EAP-Message = 
0x0103040a0dc000000411160301004a020000460301473c2a46804b2c3888c0fcb80af8456213cc201aedf4dbc513dcc2f8dc0d7a2520c39aea56359ef81ae4da7be8959b0abee59ccc86f23934883ad976089ed8db2700040016030102fa0b0002f60002f30002f0308202ec30820255a003020102020101300d06092a864886f70d01010405003081ab310b30090603550406130246523112301006035504081309426f7572676f676e65310f300d06035504071306426561756e6531153013060355040a130c63682d626561756e652e6672311b3019060355040b131273696e666f2e63682d626561756e652e667231193017060355040313104348
       EAP-Message = 
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
       EAP-Message = 
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
       EAP-Message = 
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
       EAP-Message = 0x864886f70d010901161961646d696e2e726573656175
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x3086036a150a272bec4609fc740fdb2d
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=170, length=163
       User-Name = "mobile"
       NAS-IP-Address = 172.17.5.100
       NAS-Identifier = "172.17.5.100"
       NAS-Port = 1
       NAS-Port-Type = Wireless-802.11
       Calling-Station-Id = "000F20957BB7"
       Called-Station-Id = "000B8641C660"
       Framed-MTU = 1100
       EAP-Message = 0x020300060d00
       State = 0x3086036a150a272bec4609fc740fdb2d
       Aruba-Essid-Name = "eole"
       Aruba-Location-Id = "2.1.1"
       Message-Authenticator = 0xb21a49657c022a70310f50e9eaaea067
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
 rlm_eap_tls: No SSL info available. Waiting for more SSL data.
Sending Access-Challenge of id 170 to 172.17.5.100 port 32778
       Aruba-User-Vlan = 200
       Aruba-User-Role = "eole"
       EAP-Message = 
0x0104001b0d80000004114063682d626561756e652e66720e000000
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xc8d232500b2a33696b274f085732a7ad
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=171, length=1236
       User-Name = "mobile"
       NAS-IP-Address = 172.17.5.100
       NAS-Identifier = "172.17.5.100"
       NAS-Port = 1
       NAS-Port-Type = Wireless-802.11
       Calling-Station-Id = "000F20957BB7"
       Called-Station-Id = "000B8641C660"
       Framed-MTU = 1100
       EAP-Message = 
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
       EAP-Message = 
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
       EAP-Message = 
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
       EAP-Message = 
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
       EAP-Message = 
0x4e7c27d59c78f90d2418a89251f0aca114030100010116030100205aecaefe538a1fd0ec6a1f4207aaed488d4a7753d73c152df6f6cf29c492074e
       State = 0xc8d232500b2a33696b274f085732a7ad
       Aruba-Essid-Name = "eole"
       Aruba-Location-Id = "2.1.1"
       Message-Authenticator = 0xcc6360144fd21b838bf72feda673bd28
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
chain-depth=1,
error=0
--> User-Name = mobile
--> BUF-Name = CH-BEAUNE TLS CA
--> subject = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=CH-BEAUNE TLS CA/emailAddress=admin.reseau@ch-beaune.fr
--> issuer  = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=CH-BEAUNE TLS CA/emailAddress=admin.reseau@ch-beaune.fr
--> verify return:1
chain-depth=0,
error=0
--> User-Name = mobile
--> BUF-Name = mobile
--> subject = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=mobile/emailAddress=admin.reseau@ch-beaune.fr
--> issuer  = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=CH-BEAUNE TLS CA/emailAddress=admin.reseau@ch-beaune.fr
--> verify return:1
Sending Access-Challenge of id 171 to 172.17.5.100 port 32778
       Aruba-User-Vlan = 200
       Aruba-User-Role = "eole"
       EAP-Message = 
0x010500350d800000002b1403010001011603010020c42bc430a3603bfb36e8b8fd046b0e9c5f9d27efb22fb1826a0794f8939e72b5
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x182de49cc578ef73f4090ae54adb586c
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=172, length=163
       User-Name = "mobile"
       NAS-IP-Address = 172.17.5.100
       NAS-Identifier = "172.17.5.100"
       NAS-Port = 1
       NAS-Port-Type = Wireless-802.11
       Calling-Station-Id = "000F20957BB7"
       Called-Station-Id = "000B8641C660"
       Framed-MTU = 1100
       EAP-Message = 0x020500060d00
       State = 0x182de49cc578ef73f4090ae54adb586c
       Aruba-Essid-Name = "eole"
       Aruba-Location-Id = "2.1.1"
       Message-Authenticator = 0xc93dcf66036b55d88e0f8b087237572b
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
 rlm_eap_tls: No SSL info available. Waiting for more SSL data.
Sending Access-Challenge of id 172 to 172.17.5.100 port 32778
       Aruba-User-Vlan = 200
       Aruba-User-Role = "eole"
       EAP-Message = 0x0106000a0d8000000000
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x7434fc4a00a7c70dde94fc0ede886654


I see no OK, and no "not OK".
I don't understand why "rlm_eap_tls: No SSL info available. Waiting for more SSL data."
I don't understand why FreeRADIUS sends an Access-Challenge instead of an access OK, since the certificates are OK.

I have to deploy next Monday.
Can you help me?

Best regards,

-- 
*Hospices Civils de Beaune*
*Patrice OLIVER*
/City-Hospital Project Manager/
/Network & Security Manager/
BP 104
21203 BEAUNE Cedex
Tel. 03 80 24 44 09
Fax. 03 80 24 45 90

------------------------------------------------------------------------
This message, including any attachments, is intended exclusively for its
addressee(s) and is confidential. Any use not in keeping with its purpose,
and any dissemination or publication, in whole or in part, is prohibited
without the express authorization of the sender. If you are not the
intended recipient of this message, please notify the sender of the
delivery error and then destroy it.
Any electronic message is subject to alteration and its integrity cannot
be guaranteed. The sender declines all responsibility should it have been
modified or falsified.
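The EAP-Message values in the log above decode into the individual steps of the EAP-TLS state machine, which makes it visible where the conversation stops. The decoder below is an added example written for this page; it is not part of the original post, nor FreeRADIUS code, and its function and constant names are its own. It embeds the EAP-Message values from the log that fit in a single attribute (the fragmented certificate packets of ids 3 and 4 are left out; a packet spread over several consecutive EAP-Message attributes must be concatenated with `join_attrs` before decoding). Run over those values it shows: the supplicant's response id 4 ends with ChangeCipherSpec and Finished, the server's request id 5 carries its own ChangeCipherSpec and Finished, the supplicant acknowledges it with an empty EAP-TLS response (id 5), and the log ends on the server's Access-Challenge id 172 carrying EAP-TLS request id 6 with the L flag and a TLS message length of zero. A RADIUS server only ever answers an Access-Request, so Access-Accept with EAP-Success can appear only after a further Access-Request carrying Response id 6, and none is logged; the thing to investigate is why the supplicant never answered that last challenge. Two observations that follow from the log alone: the "No SSL info available" line appears after each of the supplicant's two acks (ids 3 and 5), which are exactly the packets carrying no TLS data, and the rlm_pap warnings are expected for a user that has no password, since EAP-TLS uses none.

```python
"""Decode the EAP-Message attributes of an EAP-TLS exchange (RFC 3748 / RFC 2716)
as printed in a FreeRADIUS debug log, to see where the conversation stops.
Example code written for this page; function and constant names are its own."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}

def join_attrs(*hex_attrs):
    """An EAP packet longer than 253 bytes is split over consecutive EAP-Message
    attributes of one RADIUS packet; concatenate them before decoding."""
    return "".join(h[2:] if h.startswith("0x") else h for h in hex_attrs)

def tls_records(data):
    """Name the TLS records that start in this fragment. Best effort: a fragment
    may begin in the middle of a record (then nothing is reported) and everything
    after a ChangeCipherSpec is encrypted, so its handshake type cannot be read."""
    names, pos, encrypted = [], 0, False
    while pos + 5 <= len(data) and data[pos] in TLS_CONTENT:
        ctype = data[pos]
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        body = data[pos + 5:pos + 5 + rlen]      # may be cut short by EAP fragmentation
        name = TLS_CONTENT[ctype]
        if ctype == 22 and body:
            name += " (encrypted)" if encrypted else "/" + HANDSHAKE.get(body[0], str(body[0]))
        encrypted = encrypted or ctype == 20
        names.append(name)
        pos += 5 + rlen
    return names

def decode_eap(hexstr):
    """Parse one EAP packet: code, id, length, type and, for EAP-TLS, the flags,
    the optional 4-byte TLS message length and the TLS fragment it carries."""
    raw = bytes.fromhex(join_attrs(hexstr))
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "bytes_present": len(raw)}  # less than length: more attributes belong to it
    if code in (3, 4) or len(raw) < 5:
        return info
    etype = raw[4]
    info["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        info["identity"] = raw[5:].decode("ascii", "replace")
        return info
    if etype != 13 or len(raw) < 6:
        return info
    flags = raw[5]
    info["flags"] = "".join(f for f, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & bit)
    pos = 6
    if flags & 0x80:                 # L: 4-byte length of the whole TLS message follows
        info["tls_message_length"] = int.from_bytes(raw[6:10], "big")
        pos = 10
    data = raw[pos:]
    info["tls_bytes"] = len(data)
    info["records"] = tls_records(data)
    return info

def describe(info):
    head = f"{info['code']:8} id={info['id']:3} len={info['length']:4}"
    if info.get("type") == "Identity":
        return f"{head} Identity {info['identity']!r}"
    if info.get("type") != "EAP-TLS":
        return f"{head} {info.get('type', '')}"
    if "S" in info["flags"]:
        return f"{head} EAP-TLS Start"
    if info["tls_bytes"] == 0 and not info["flags"]:
        return f"{head} EAP-TLS ack (no TLS data)"
    if info["tls_bytes"] == 0:
        return f"{head} EAP-TLS empty request, flags={info['flags']}, tls_message_length={info.get('tls_message_length')}"
    recs = ", ".join(info["records"]) or "continuation of a fragmented record"
    return f"{head} EAP-TLS flags={info['flags'] or '-'} {info['tls_bytes']}B TLS: {recs}"

def where_it_stopped(hex_packets):
    """State what the server is waiting for, judged from the last packet logged."""
    last = decode_eap(hex_packets[-1])
    if last["code"] == "Success":
        return "EAP-Success sent: the server answered Access-Accept"
    if last["code"] == "Failure":
        return "EAP-Failure sent: the server answered Access-Reject"
    if last["code"] == "Request":
        return (f"last packet is the server's Request id={last['id']}: it is waiting for a "
                f"Response id={last['id']} and cannot send Access-Accept until one arrives")
    return f"last packet is the supplicant's Response id={last['id']}: the server has not answered yet"

# EAP-Message values copied from the log above, limited to packets that fit in a
# single attribute (the fragmented certificate exchanges of ids 3 and 4 are left out).
LOG_EAP_MESSAGES = [
    "0x0201000b016d6f62696c65",
    "0x010200060d20",
    "0x020200700d800000006616030100610100005d0301473c2a4b426528392f0efd1946172b375ed92f04360eb7068b276ad02f65df942002bc6aa8929e3855237d44cfed0de9e0eef6830330686250346b2a2141ff2f66001600040005000a000900640062000300060013001200630100",
    "0x020300060d00",
    "0x0104001b0d80000004114063682d626561756e652e66720e000000",
    "0x010500350d800000002b1403010001011603010020c42bc430a3603bfb36e8b8fd046b0e9c5f9d27efb22fb1826a0794f8939e72b5",
    "0x020500060d00",
    "0x0106000a0d8000000000",
]

if __name__ == "__main__":
    for h in LOG_EAP_MESSAGES:
        print(describe(decode_eap(h)))
    print(where_it_stopped(LOG_EAP_MESSAGES))
```

To use it on another capture, paste every EAP-Message value of one RADIUS packet into a single `join_attrs(...)` call (the order in the log is the wire order) and feed the result to `decode_eap`; `bytes_present` smaller than `length` means an attribute is still missing. The decoder deliberately does not try to name encrypted handshake messages, so a Finished shows up as "Handshake (encrypted)" right after the ChangeCipherSpec.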