Supplicant seems not to send password user

Sergio Belkin sebelk at gmail.com
Tue Oct 2 14:50:07 CEST 2007


2007/10/1, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> Yes. This is still the certificate problem. You haven't got to the
> password check yet. Check that you have imported the correct
> certificates (as per previous post).
>
> Ivan Kalik
> Kalik Informatika ISP

It's a bit strange, I think that I created and imported it well. I did so:

cd /usr/local/etc/raddb

/etc/pki/tls/misc/CA -newca

openssl req -new -nodes -keyout privadaradius.pem -out pedidoradius.pem \
  -days 730 -config /etc/pki/tls/openssl.cnf

openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything \
  -out publicaradius.pem -extensions xpserver_ext \
  -extfile /etc/pki/tls/xpextensions -infiles pedidoradius.pem

I edited publicaradius.pem in order to delete the lines above "BEGIN
CERTIFICATE" and joined it with the key file. Previously I backed up the
certificate file:

cp publicaradius.pem publicaradius.pem.bkp

cat privadaradius.pem publicaradius.pem > privandpubradius.pem

DH file creation:

openssl dhparam -check -text -5 512 -out dh

Random file:

dd if=/dev/urandom of=random count=2

Then I copied cacert.pem to a pen drive and imported it in Windows as a
Trusted Certificate in mmc. OK, you can say PEM is not the right
format; ok, I've created the DER file:

 openssl x509 -inform PEM -outform DER -in CA/cacert.pem -out CA/cacert.der

OK, you say, DER is not the format but p12 is, so:

openssl pkcs12 -export -in certs/CA/cacert.pem -inkey certs/CA/private/cakey.pem \
  -out certs/CA/cacert.p12 -clcerts

In each case I imported the certificate but it never worked :(

What's wrong with all of this?

Thanks in advance

>
>
> On 1/10/2007, "Sergio Belkin" <sebelk at gmail.com> writes:
>
> >2007/10/1, tnt at kalik.co.yu <tnt at kalik.co.yu>:
> >> Because the conversation hasn't got to password checking. Probably, since
> >> this debug doesn't mean much to me.
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >
> >These are Debug messages (using a wrong password)
> >
> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=66, length=98
> >        User-Name = "test"
> >        Calling-Station-Id = "00-0e-35-bf-51-18"
> >        EAP-Message = 0x020100090174657374
> >        Framed-MTU = 1287
> >        NAS-IP-Address = 192.168.1.1
> >        NAS-Port = 0
> >        NAS-Port-Type = Wireless-802.11
> >        Message-Authenticator = 0xb8d1b41830e1a2edc1ecf677b3936c68
> >  Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 2
> >  modcall[authorize]: module "preprocess" returns ok for request 2
> >  modcall[authorize]: module "chap" returns noop for request 2
> >  modcall[authorize]: module "mschap" returns noop for request 2
> >    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >    rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop for request 2
> >  rlm_eap: EAP packet type response id 1 length 9
> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >  modcall[authorize]: module "eap" returns updated for request 2
> >    users: Matched entry test at line 79
> >  modcall[authorize]: module "files" returns ok for request 2
> >rlm_pap: Found existing Auth-Type, not changing it.
> >  modcall[authorize]: module "pap" returns noop for request 2
> >modcall: leaving group authorize (returns updated) for request 2
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >  Processing the authenticate section of radiusd.conf
> >modcall: entering group authenticate for request 2
> >  rlm_eap: EAP Identity
> >  rlm_eap: processing type tls
> >  rlm_eap_tls: Initiate
> >  rlm_eap_tls: Start returned 1
> >  modcall[authenticate]: module "eap" returns handled for request 2
> >modcall: leaving group authenticate (returns handled) for request 2
> >Sending Access-Challenge of id 66 to 10.30.1.151 port 1036
> >        Reply-Message = "Hola test"
> >        EAP-Message = 0x010200061920
> >        Message-Authenticator = 0x00000000000000000000000000000000
> >        State = 0x0554162407c62e4d26c570bf0dc3a4aa
> >Finished request 2
> >Going to the next request
> >--- Walking the entire request list ---
> >Waking up in 6 seconds...
> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67, length=187
> >        User-Name = "test"
> >        Calling-Station-Id = "00-0e-35-bf-51-18"
> >        EAP-Message =
> >0x0202005019800000004616030100410100003d030147015317f20f33b39cf4163f4dc7389a82b29787664c80850600d8173d387a8c00001600040005000a000900640062000300060013001200630100
> >        Framed-MTU = 1287
> >        NAS-IP-Address = 192.168.1.1
> >        NAS-Port = 0
> >        NAS-Port-Type = Wireless-802.11
> >        State = 0x0554162407c62e4d26c570bf0dc3a4aa
> >        Message-Authenticator = 0x772f0fcf0b9095b3987366da2b8b0eec
> >  Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 3
> >  modcall[authorize]: module "preprocess" returns ok for request 3
> >  modcall[authorize]: module "chap" returns noop for request 3
> >  modcall[authorize]: module "mschap" returns noop for request 3
> >    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >    rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop for request 3
> >  rlm_eap: EAP packet type response id 2 length 80
> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >  modcall[authorize]: module "eap" returns updated for request 3
> >    users: Matched entry test at line 79
> >  modcall[authorize]: module "files" returns ok for request 3
> >rlm_pap: Found existing Auth-Type, not changing it.
> >  modcall[authorize]: module "pap" returns noop for request 3
> >modcall: leaving group authorize (returns updated) for request 3
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >  Processing the authenticate section of radiusd.conf
> >modcall: entering group authenticate for request 3
> >  rlm_eap: Request found, released from the list
> >  rlm_eap: EAP/peap
> >  rlm_eap: processing type peap
> >  rlm_eap_peap: Authenticate
> >  rlm_eap_tls: processing TLS
> >rlm_eap_tls:  Length Included
> >  eaptls_verify returned 11
> >    (other): before/accept initialization
> >    TLS_accept: before/accept initialization
> >  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
> >    TLS_accept: SSLv3 read client hello A
> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> >    TLS_accept: SSLv3 write server hello A
> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate
> >    TLS_accept: SSLv3 write certificate A
> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> >    TLS_accept: SSLv3 write server done A
> >    TLS_accept: SSLv3 flush data
> >    TLS_accept: Need to read more data: SSLv3 read client certificate A
> >In SSL Handshake Phase
> >In SSL Accept mode
> >  eaptls_process returned 13
> >  rlm_eap_peap: EAPTLS_HANDLED
> >  modcall[authenticate]: module "eap" returns handled for request 3
> >modcall: leaving group authenticate (returns handled) for request 3
> >Sending Access-Challenge of id 67 to 10.30.1.151 port 1036
> >        Reply-Message = "Hola test"
> >        EAP-Message =
> >0x0355040b1308496e7465726e657431193017060355040313106c616c612e70616c65726d6f2e6564753121301f06092a864886f70d01090116127362656c6b694070616c65726d6f2e656475301e170d3037303932363139333435395a170d3038303932353139333435395a3081c3310b3009060355040613024152311530130603550408130c4275656e6f73204169726573312b302906035504070c2243697564616420417574c383c2b36e6f6d61206465204275656e6f73204169726573311f301d060355040a1316556e6976657273696461642064652050616c65726d6f3111300f060355040b1308496e7465726e6574311930170603550403
> >        EAP-Message =
> >0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000
> >        Message-Authenticator = 0x00000000000000000000000000000000
> >        State = 0xa1e27c380c18bfa0a712fb53b701d612
> >Finished request 3
> >Going to the next request
> >Waking up in 6 seconds...
> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=68, length=113
> >        User-Name = "test"
> >        Calling-Station-Id = "00-0e-35-bf-51-18"
> >        EAP-Message = 0x020300061900
> >        Framed-MTU = 1287
> >        NAS-IP-Address = 192.168.1.1
> >        NAS-Port = 0
> >        NAS-Port-Type = Wireless-802.11
> >        State = 0xa1e27c380c18bfa0a712fb53b701d612
> >        Message-Authenticator = 0xad3e26570e7fb8ad2e80b1107a777ee1
> >  Processing the authorize section of radiusd.conf
> >modcall: entering group authorize for request 4
> >  modcall[authorize]: module "preprocess" returns ok for request 4
> >  modcall[authorize]: module "chap" returns noop for request 4
> >  modcall[authorize]: module "mschap" returns noop for request 4
> >    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
> >    rlm_realm: No such realm "NULL"
> >  modcall[authorize]: module "suffix" returns noop for request 4
> >  rlm_eap: EAP packet type response id 3 length 6
> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >  modcall[authorize]: module "eap" returns updated for request 4
> >    users: Matched entry test at line 79
> >  modcall[authorize]: module "files" returns ok for request 4
> >rlm_pap: Found existing Auth-Type, not changing it.
> >  modcall[authorize]: module "pap" returns noop for request 4
> >modcall: leaving group authorize (returns updated) for request 4
> >  rad_check_password:  Found Auth-Type EAP
> >auth: type "EAP"
> >  Processing the authenticate section of radiusd.conf
> >modcall: entering group authenticate for request 4
> >  rlm_eap: Request found, released from the list
> >  rlm_eap: EAP/peap
> >  rlm_eap: processing type peap
> >  rlm_eap_peap: Authenticate
> >  rlm_eap_tls: processing TLS
> >rlm_eap_tls: Received EAP-TLS ACK message
> >  rlm_eap_tls: ack handshake fragment handler
> >  eaptls_verify returned 1
> >  eaptls_process returned 13
> >  rlm_eap_peap: EAPTLS_HANDLED
> >  modcall[authenticate]: module "eap" returns handled for request 4
> >modcall: leaving group authenticate (returns handled) for request 4
> >Sending Access-Challenge of id 68 to 10.30.1.151 port 1036
> >        Reply-Message = "Hola test"
> >        EAP-Message = 0x010400061900
> >        Message-Authenticator = 0x00000000000000000000000000000000
> >        State = 0xf791ee30348d584c274257c11d454e39
> >Finished request 4
> >Going to the next request
> >Waking up in 6 seconds...
> >
> >
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


-- 
Sergio Belkin -
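The debug above stops at the TLS handshake, so the useful thing to do before importing anything on the Windows side is to verify the server certificate FreeRADIUS is offering. The following check is an added example, not code from this thread or from FreeRADIUS; it takes the CA, server certificate and key as arguments (the thread's file names CA/cacert.pem, publicaradius.pem and privadaradius.pem are only an assumed way to call it) and confirms the three things the supplicant will insist on: a chain to the trusted CA, a key that matches the certificate, and the serverAuth extended key usage that xpserver_ext / xpextensions is meant to add.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeRADIUS: sanity-check the
# server certificate a FreeRADIUS EAP-TLS/PEAP setup hands to a Windows
# supplicant, before importing the CA on the client. File names are arguments;
# the thread's own names (CA/cacert.pem, publicaradius.pem, privadaradius.pem)
# are only an assumed way to call it.
#
# Checks, in order:
#   1. the server cert chains to the CA file the supplicant will trust
#   2. the private key really belongs to that cert
#   3. the cert carries extendedKeyUsage serverAuth (what the thread's
#      xpserver_ext / xpextensions is meant to add; the Windows supplicant
#      rejects PEAP servers without it)
# Returns 0 when all three hold, otherwise 1, 2 or 3 naming the failed check.

check_radius_server_cert() {
    ca="$1"; cert="$2"; key="$3"

    # 1. chain: the CA file alone must verify the server cert
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || {
        echo "FAIL: $cert does not verify against $ca" >&2; return 1; }

    # 2. key/cert match: the public key in both files must be identical
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: private key $key does not match $cert" >&2; return 2; }

    # 3. EKU: openssl -text prints serverAuth as "TLS Web Server Authentication"
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' || {
        echo "FAIL: $cert lacks extendedKeyUsage serverAuth" >&2; return 3; }

    echo "OK: $cert chains to $ca, matches $key and has the serverAuth EKU"
    return 0
}
```

Passing the same combined file (like the thread's privandpubradius.pem) as both cert and key works, since openssl reads the first certificate and the first key it finds in the file.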




More information about the Freeradius-Users mailing list