EAP-TLS does not send an access OK.
Patrice Oliver
patrice.oliver at ch-beaune.fr
Fri Nov 16 08:54:17 CET 2007
Hello,
I work on a WIFI authentication project, dealing with EAP/TLS on Freeradius.
I already read a lot of docs on the net.
The certificates are created with xpextensions and installed.
I use freeradius.
My config files are attached.
Client: Windows XP Pro SP2.
Here is the freeradius log when I try to connect:
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=168, length=150
User-Name = "mobile"
NAS-IP-Address = 172.17.5.100
NAS-Identifier = "172.17.5.100"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "000F20957BB7"
Called-Station-Id = "000B8641C660"
Framed-MTU = 1100
EAP-Message = 0x0201000b016d6f62696c65
Aruba-Essid-Name = "eole"
Aruba-Location-Id = "2.1.1"
Message-Authenticator = 0x4b5ee61553ec73cc454c403ec873ad24
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 168 to 172.17.5.100 port 32778
Aruba-User-Vlan = 200
Aruba-User-Role = "eole"
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf1d8d2c72aac139bb25089361b94918e
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=169, length=269
User-Name = "mobile"
NAS-IP-Address = 172.17.5.100
NAS-Identifier = "172.17.5.100"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "000F20957BB7"
Called-Station-Id = "000B8641C660"
Framed-MTU = 1100
EAP-Message =
0x020200700d800000006616030100610100005d0301473c2a4b426528392f0efd1946172b375ed92f04360eb7068b276ad02f65df942002bc6aa8929e3855237d44cfed0de9e0eef6830330686250346b2a2141ff2f66001600040005000a000900640062000300060013001200630100
State = 0xf1d8d2c72aac139bb25089361b94918e
Aruba-Essid-Name = "eole"
Aruba-Location-Id = "2.1.1"
Message-Authenticator = 0xd4944b76a67263b3c6431530b33522d1
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
Sending Access-Challenge of id 169 to 172.17.5.100 port 32778
Aruba-User-Vlan = 200
Aruba-User-Role = "eole"
EAP-Message =
0x0103040a0dc000000411160301004a020000460301473c2a46804b2c3888c0fcb80af8456213cc201aedf4dbc513dcc2f8dc0d7a2520c39aea56359ef81ae4da7be8959b0abee59ccc86f23934883ad976089ed8db2700040016030102fa0b0002f60002f30002f0308202ec30820255a003020102020101300d06092a864886f70d01010405003081ab310b30090603550406130246523112301006035504081309426f7572676f676e65310f300d06035504071306426561756e6531153013060355040a130c63682d626561756e652e6672311b3019060355040b131273696e666f2e63682d626561756e652e667231193017060355040313104348
EAP-Message = 0x864886f70d010901161961646d696e2e726573656175
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3086036a150a272bec4609fc740fdb2d
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=170, length=163
User-Name = "mobile"
NAS-IP-Address = 172.17.5.100
NAS-Identifier = "172.17.5.100"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "000F20957BB7"
Called-Station-Id = "000B8641C660"
Framed-MTU = 1100
EAP-Message = 0x020300060d00
State = 0x3086036a150a272bec4609fc740fdb2d
Aruba-Essid-Name = "eole"
Aruba-Location-Id = "2.1.1"
Message-Authenticator = 0xb21a49657c022a70310f50e9eaaea067
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
rlm_eap_tls: No SSL info available. Waiting for more SSL data.
Sending Access-Challenge of id 170 to 172.17.5.100 port 32778
Aruba-User-Vlan = 200
Aruba-User-Role = "eole"
EAP-Message =
0x0104001b0d80000004114063682d626561756e652e66720e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc8d232500b2a33696b274f085732a7ad
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=171, length=1236
User-Name = "mobile"
NAS-IP-Address = 172.17.5.100
NAS-Identifier = "172.17.5.100"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "000F20957BB7"
Called-Station-Id = "000B8641C660"
Framed-MTU = 1100
EAP-Message =
0x4e7c27d59c78f90d2418a89251f0aca114030100010116030100205aecaefe538a1fd0ec6a1f4207aaed488d4a7753d73c152df6f6cf29c492074e
State = 0xc8d232500b2a33696b274f085732a7ad
Aruba-Essid-Name = "eole"
Aruba-Location-Id = "2.1.1"
Message-Authenticator = 0xcc6360144fd21b838bf72feda673bd28
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
chain-depth=1, error=0
--> User-Name = mobile
--> BUF-Name = CH-BEAUNE TLS CA
--> subject = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=CH-BEAUNE TLS CA/emailAddress=admin.reseau at ch-beaune.fr
--> issuer = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=CH-BEAUNE TLS CA/emailAddress=admin.reseau at ch-beaune.fr
--> verify return:1
chain-depth=0, error=0
--> User-Name = mobile
--> BUF-Name = mobile
--> subject = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=mobile/emailAddress=admin.reseau at ch-beaune.fr
--> issuer = /C=FR/ST=Bourgogne/L=Beaune/O=ch-beaune.fr/OU=sinfo.ch-beaune.fr/CN=CH-BEAUNE TLS CA/emailAddress=admin.reseau at ch-beaune.fr
--> verify return:1
Sending Access-Challenge of id 171 to 172.17.5.100 port 32778
Aruba-User-Vlan = 200
Aruba-User-Role = "eole"
EAP-Message =
0x010500350d800000002b1403010001011603010020c42bc430a3603bfb36e8b8fd046b0e9c5f9d27efb22fb1826a0794f8939e72b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x182de49cc578ef73f4090ae54adb586c
rad_recv: Access-Request packet from host 172.17.5.100:32778, id=172, length=163
User-Name = "mobile"
NAS-IP-Address = 172.17.5.100
NAS-Identifier = "172.17.5.100"
NAS-Port = 1
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = "000F20957BB7"
Called-Station-Id = "000B8641C660"
Framed-MTU = 1100
EAP-Message = 0x020500060d00
State = 0x182de49cc578ef73f4090ae54adb586c
Aruba-Essid-Name = "eole"
Aruba-Location-Id = "2.1.1"
Message-Authenticator = 0xc93dcf66036b55d88e0f8b087237572b
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
rlm_eap_tls: No SSL info available. Waiting for more SSL data.
Sending Access-Challenge of id 172 to 172.17.5.100 port 32778
Aruba-User-Vlan = 200
Aruba-User-Role = "eole"
EAP-Message = 0x0106000a0d8000000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7434fc4a00a7c70dde94fc0ede886654
I see no OK, and no 'not OK'.
I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for
more SSL data.'
I don't understand why freeradius sends an access challenge instead of
an access ok since the certificates are OK.
I have to deploy next Monday.
Could you help me?
Best regards,
--
*Hospices Civils de Beaune*
*Patrice OLIVER*
/City-Hospital Project Manager/
/Head of Network & Security/
BP 104
21203 BEAUNE Cedex Tel. 03 80 24 44 09
Fax. 03 80 24 45 90
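
The EAP-Message values in the log above can be read field by field. As an added example (not part of the original post), this Python code decodes the EAP header (RFC 3748) and the EAP-TLS flags and length (RFC 5216) for the shorter values copied from the log, and checks whether an EAP-Success or EAP-Failure appears among them. The names `decode_eap`, `tls_records`, `saw_final` and `TRACE` are made up for the example.

```python
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def tls_records(data):
    """List the TLS record types in a complete (unfragmented) TLS message."""
    names, pos = [], 0
    while pos + 5 <= len(data):
        ctype, _ver, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        names.append(RECORDS.get(ctype, "type-%d" % ctype))
        pos += 5 + rlen
    return names

def decode_eap(hexval):
    """Decode one EAP-Message value: EAP header, then EAP-TLS flags if type 13."""
    raw = bytes.fromhex(hexval.removeprefix("0x"))
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": CODES.get(code, code), "id": ident, "length": length}
    etype = raw[4] if length > 4 and len(raw) > 4 else None
    if etype == 1:                                   # Identity
        out["identity"] = raw[5:length].decode("ascii", "replace")
    elif etype == 13 and len(raw) >= 6:              # EAP-TLS
        flags, off, total = raw[5], 6, None
        if flags & 0x80 and len(raw) >= 10:          # L: 4-byte TLS Message Length
            total, off = struct.unpack("!I", raw[6:10])[0], 10
        data = raw[off:length]
        out.update(flags="".join(c for b, c in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & b),
                   tls_length=total, fragment=length - off, ack=(flags == 0 and length == 6),
                   records=tls_records(data) if total and total == len(data) else [])
    return out

# Values copied from the log in the post, in order. Multi-attribute messages are
# left out; the id=169 challenge is cut to its first 10 bytes (header only).
TRACE = [
    "0x0201000b016d6f62696c65",
    "0x010200060d20",
    "0x0103040a0dc000000411",
    "0x020300060d00",
    "0x0104001b0d80000004114063682d626561756e652e66720e000000",
    "0x010500350d800000002b1403010001011603010020c42bc430a3603bfb36e8b8fd046b0e9c5f9d27efb22fb1826a0794f8939e72b5",
    "0x020500060d00",
    "0x0106000a0d8000000000",
]

def saw_final(trace):
    return any(decode_eap(m)["code"] in ("Success", "Failure") for m in trace)

if __name__ == "__main__":
    print(*map(decode_eap, TRACE), "final result seen: %s" % saw_final(TRACE), sep="\n")
```

On these values the decoder reports ChangeCipherSpec and Handshake records in the server's id=5 request, a client ACK for it, then an EAP-TLS request with id=6 carrying a TLS length of 0, and no EAP-Success or EAP-Failure.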