Supplicant seems not to send password user

tnt at kalik.co.yu
Tue Oct 2 15:55:36 CEST 2007


I can't go through this now. Perhaps later this evening. Anything wrong
with using the provided and tested CA.all script? Or do you just like things
complicated? At first glance you are using cacert as a root certificate
instead of creating one.

Ivan Kalik
Kalik Informatika ISP


On 2/10/2007, "Sergio Belkin" <sebelk at gmail.com> writes:

>2007/10/1, tnt at kalik.co.yu <tnt at kalik.co.yu>:
>> Yes. This is still the certificate problem. You haven't got to the
>> password check yet. Check that you have imported the correct
>> certificates (as per previous post).
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>
>It's a bit strange, I think that I created and imported it well. This is what I did:
>
>cd /usr/local/etc/raddb
>
>/etc/pki/tls/misc/CA -newca
>
>openssl req -new -nodes -keyout privadaradius.pem -out
>pedidoradius.pem -days 730 -config /etc/pki/tls/openssl.cnf
>
>openssl ca -config /etc/pki/tls/openssl.cnf -policy policy_anything
>-out publicaradius.pem -extensions xpserver_ext -extfile
>/etc/pki/tls/xpextensions -infiles pedidoradius.pem
>
>I edited publicaradius.pem to delete the lines above "BEGIN
>CERTIFICATE" and joined it with the key file. Previously I backed up the
>certificate file:
>
>cp publicaradius.pem publicaradius.pem.bkp
>
>cat privadaradius.pem publicaradius.pem > privandpubradius.pem
>
>DH file creation:
>
>openssl dhparam -check -text -5 512 -out dh
>
>Random file:
>
>dd if=/dev/urandom of=random count=2
>
>Then I copied cacert.pem to a pendrive and imported it in Windows as a
>Trusted Certificate in mmc. OK, you can say PEM is not the right
>format, OK, I created the DER file:
>
> openssl x509 -inform PEM -outform DER -in CA/cacert.pem -out CA/cacert.der
>
>OK, you say DER is not the format but p12 is, so:
>
>openssl pkcs12 -export -in certs/CA/cacert.pem -inkey
>certs/CA/private/cakey.pem -out certs/CA/cacert.p12 -clcerts
>
>In each case I imported the certificate but it never worked :(
>
>What's wrong about all of this?
>
>Thanks in advance
>
>>
>>
>> On 1/10/2007, "Sergio Belkin" <sebelk at gmail.com> writes:
>>
>> >2007/10/1, tnt at kalik.co.yu <tnt at kalik.co.yu>:
>> >> Because the conversation hasn't got to password checking. Probably, since
>> >> this debug doesn't mean much to me.
>> >>
>> >> Ivan Kalik
>> >> Kalik Informatika ISP
>> >
>> >These are debug messages (using a wrong password)
>> >
>> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=66, length=98
>> >        User-Name = "test"
>> >        Calling-Station-Id = "00-0e-35-bf-51-18"
>> >        EAP-Message = 0x020100090174657374
>> >        Framed-MTU = 1287
>> >        NAS-IP-Address = 192.168.1.1
>> >        NAS-Port = 0
>> >        NAS-Port-Type = Wireless-802.11
>> >        Message-Authenticator = 0xb8d1b41830e1a2edc1ecf677b3936c68
>> >  Processing the authorize section of radiusd.conf
>> >modcall: entering group authorize for request 2
>> >  modcall[authorize]: module "preprocess" returns ok for request 2
>> >  modcall[authorize]: module "chap" returns noop for request 2
>> >  modcall[authorize]: module "mschap" returns noop for request 2
>> >    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> >    rlm_realm: No such realm "NULL"
>> >  modcall[authorize]: module "suffix" returns noop for request 2
>> >  rlm_eap: EAP packet type response id 1 length 9
>> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> >  modcall[authorize]: module "eap" returns updated for request 2
>> >    users: Matched entry test at line 79
>> >  modcall[authorize]: module "files" returns ok for request 2
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> >  modcall[authorize]: module "pap" returns noop for request 2
>> >modcall: leaving group authorize (returns updated) for request 2
>> >  rad_check_password:  Found Auth-Type EAP
>> >auth: type "EAP"
>> >  Processing the authenticate section of radiusd.conf
>> >modcall: entering group authenticate for request 2
>> >  rlm_eap: EAP Identity
>> >  rlm_eap: processing type tls
>> >  rlm_eap_tls: Initiate
>> >  rlm_eap_tls: Start returned 1
>> >  modcall[authenticate]: module "eap" returns handled for request 2
>> >modcall: leaving group authenticate (returns handled) for request 2
>> >Sending Access-Challenge of id 66 to 10.30.1.151 port 1036
>> >        Reply-Message = "Hola test"
>> >        EAP-Message = 0x010200061920
>> >        Message-Authenticator = 0x00000000000000000000000000000000
>> >        State = 0x0554162407c62e4d26c570bf0dc3a4aa
>> >Finished request 2
>> >Going to the next request
>> >--- Walking the entire request list ---
>> >Waking up in 6 seconds...
>> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67, length=187
>> >        User-Name = "test"
>> >        Calling-Station-Id = "00-0e-35-bf-51-18"
>> >        EAP-Message =
>> >0x0202005019800000004616030100410100003d030147015317f20f33b39cf4163f4dc7389a82b29787664c80850600d8173d387a8c00001600040005000a000900640062000300060013001200630100
>> >        Framed-MTU = 1287
>> >        NAS-IP-Address = 192.168.1.1
>> >        NAS-Port = 0
>> >        NAS-Port-Type = Wireless-802.11
>> >        State = 0x0554162407c62e4d26c570bf0dc3a4aa
>> >        Message-Authenticator = 0x772f0fcf0b9095b3987366da2b8b0eec
>> >  Processing the authorize section of radiusd.conf
>> >modcall: entering group authorize for request 3
>> >  modcall[authorize]: module "preprocess" returns ok for request 3
>> >  modcall[authorize]: module "chap" returns noop for request 3
>> >  modcall[authorize]: module "mschap" returns noop for request 3
>> >    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> >    rlm_realm: No such realm "NULL"
>> >  modcall[authorize]: module "suffix" returns noop for request 3
>> >  rlm_eap: EAP packet type response id 2 length 80
>> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> >  modcall[authorize]: module "eap" returns updated for request 3
>> >    users: Matched entry test at line 79
>> >  modcall[authorize]: module "files" returns ok for request 3
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> >  modcall[authorize]: module "pap" returns noop for request 3
>> >modcall: leaving group authorize (returns updated) for request 3
>> >  rad_check_password:  Found Auth-Type EAP
>> >auth: type "EAP"
>> >  Processing the authenticate section of radiusd.conf
>> >modcall: entering group authenticate for request 3
>> >  rlm_eap: Request found, released from the list
>> >  rlm_eap: EAP/peap
>> >  rlm_eap: processing type peap
>> >  rlm_eap_peap: Authenticate
>> >  rlm_eap_tls: processing TLS
>> >rlm_eap_tls:  Length Included
>> >  eaptls_verify returned 11
>> >    (other): before/accept initialization
>> >    TLS_accept: before/accept initialization
>> >  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
>> >    TLS_accept: SSLv3 read client hello A
>> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>> >    TLS_accept: SSLv3 write server hello A
>> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate
>> >    TLS_accept: SSLv3 write certificate A
>> >  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
>> >    TLS_accept: SSLv3 write server done A
>> >    TLS_accept: SSLv3 flush data
>> >    TLS_accept: Need to read more data: SSLv3 read client certificate A
>> >In SSL Handshake Phase
>> >In SSL Accept mode
>> >  eaptls_process returned 13
>> >  rlm_eap_peap: EAPTLS_HANDLED
>> >  modcall[authenticate]: module "eap" returns handled for request 3
>> >modcall: leaving group authenticate (returns handled) for request 3
>> >Sending Access-Challenge of id 67 to 10.30.1.151 port 1036
>> >        Reply-Message = "Hola test"
>> >        EAP-Message =
>> >0x050003818100b0496218dcda605d85723a61b574fe1254e2d9a02fcc7c635099f663609b0e5c4507497ed3ee2b15082bdc3ad578060c015ed439a6072eb1e6f418a7a0394442afbf6465258a1afd677343c6a71f9a4cf79d34f28d1c074053e2f7a9de236dbe7d7ea9a2150b26643b95e33f83172a0e36805e9ee185e5d2f8a914843a8647f516030100040e000000
>> >        Message-Authenticator = 0x00000000000000000000000000000000
>> >        State = 0xa1e27c380c18bfa0a712fb53b701d612
>> >Finished request 3
>> >Going to the next request
>> >Waking up in 6 seconds...
>> >rad_recv: Access-Request packet from host 10.30.1.151:1036, id=68, length=113
>> >        User-Name = "test"
>> >        Calling-Station-Id = "00-0e-35-bf-51-18"
>> >        EAP-Message = 0x020300061900
>> >        Framed-MTU = 1287
>> >        NAS-IP-Address = 192.168.1.1
>> >        NAS-Port = 0
>> >        NAS-Port-Type = Wireless-802.11
>> >        State = 0xa1e27c380c18bfa0a712fb53b701d612
>> >        Message-Authenticator = 0xad3e26570e7fb8ad2e80b1107a777ee1
>> >  Processing the authorize section of radiusd.conf
>> >modcall: entering group authorize for request 4
>> >  modcall[authorize]: module "preprocess" returns ok for request 4
>> >  modcall[authorize]: module "chap" returns noop for request 4
>> >  modcall[authorize]: module "mschap" returns noop for request 4
>> >    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
>> >    rlm_realm: No such realm "NULL"
>> >  modcall[authorize]: module "suffix" returns noop for request 4
>> >  rlm_eap: EAP packet type response id 3 length 6
>> >  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>> >  modcall[authorize]: module "eap" returns updated for request 4
>> >    users: Matched entry test at line 79
>> >  modcall[authorize]: module "files" returns ok for request 4
>> >rlm_pap: Found existing Auth-Type, not changing it.
>> >  modcall[authorize]: module "pap" returns noop for request 4
>> >modcall: leaving group authorize (returns updated) for request 4
>> >  rad_check_password:  Found Auth-Type EAP
>> >auth: type "EAP"
>> >  Processing the authenticate section of radiusd.conf
>> >modcall: entering group authenticate for request 4
>> >  rlm_eap: Request found, released from the list
>> >  rlm_eap: EAP/peap
>> >  rlm_eap: processing type peap
>> >  rlm_eap_peap: Authenticate
>> >  rlm_eap_tls: processing TLS
>> >rlm_eap_tls: Received EAP-TLS ACK message
>> >  rlm_eap_tls: ack handshake fragment handler
>> >  eaptls_verify returned 1
>> >  eaptls_process returned 13
>> >  rlm_eap_peap: EAPTLS_HANDLED
>> >  modcall[authenticate]: module "eap" returns handled for request 4
>> >modcall: leaving group authenticate (returns handled) for request 4
>> >Sending Access-Challenge of id 68 to 10.30.1.151 port 1036
>> >        Reply-Message = "Hola test"
>> >        EAP-Message = 0x010400061900
>> >        Message-Authenticator = 0x00000000000000000000000000000000
>> >        State = 0xf791ee30348d584c274257c11d454e39
>> >Finished request 4
>> >Going to the next request
>> >Waking up in 6 seconds...
>> >
>> >
>>
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
>-- 
>Sergio Belkin -
>
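The debug output quoted in this thread shows the outer TLS handshake stopping right after the server sends Certificate and ServerHelloDone: the supplicant only ACKs the fragments and then goes silent, so the inner (password) phase is never reached. Below is an added example, not part of this mail thread and not FreeRADIUS code, that walks a `radiusd -X` log and classifies how far the PEAP/EAP-TLS exchange got. The function names are my own, the sample log lines are constructed (shortened from the style of output quoted above, including the mail-quoting prefixes), and the "Got tunneled" marker used to recognise that the inner tunnel was reached is an assumption about the debug text, which differs between FreeRADIUS versions.

```python
"""Heuristic triage of a FreeRADIUS debug log for a PEAP/EAP-TLS handshake
that stalls after the server presents its certificate.

Added example for this thread; not code from the thread or from FreeRADIUS.
The sample logs are constructed, and the inner-tunnel marker is an assumption.
"""
import re

# Lines of interest in "radiusd -X" output (FreeRADIUS 1.x style as quoted
# in the thread). Leading "> " mail-quoting is stripped before matching.
RE_REQUEST = re.compile(r"rad_recv: Access-Request packet from host (\S+), id=(\d+)")
RE_SERVER = re.compile(r"rlm_eap_tls: >>> TLS 1\.0 Handshake \[length [0-9a-f]+\], (\w+)")
RE_CLIENT = re.compile(r"rlm_eap_tls: <<< TLS 1\.0 Handshake \[length [0-9a-f]+\], (\w+)")
RE_ACK = re.compile(r"rlm_eap_tls: Received EAP-TLS ACK message")
RE_ALERT = re.compile(r"TLS Alert")
# Assumed marker that the PEAP inner tunnel was reached; exact text varies.
RE_INNER = re.compile(r"rlm_eap_peap: Got tunneled")


def summarize_handshake(lines):
    """Walk the debug output and record how far the TLS exchange got."""
    s = {"requests": 0, "server": [], "client": [], "acks": 0,
         "alert": False, "inner_tunnel": False, "last_event": None}
    for raw in lines:
        line = raw.lstrip("> ").rstrip()
        m_server = RE_SERVER.search(line)
        m_client = RE_CLIENT.search(line)
        if RE_REQUEST.search(line):
            s["requests"] += 1
        elif m_server:
            s["server"].append(m_server.group(1))
            s["last_event"] = "server:" + m_server.group(1)
        elif m_client:
            s["client"].append(m_client.group(1))
            s["last_event"] = "client:" + m_client.group(1)
        elif RE_ACK.search(line):
            s["acks"] += 1
            s["last_event"] = "client:ACK"
        elif RE_ALERT.search(line):
            s["alert"] = True
        elif RE_INNER.search(line):
            s["inner_tunnel"] = True
    return s


def diagnose(lines):
    """Return a short verdict string describing where the exchange ended."""
    s = summarize_handshake(lines)
    if s["inner_tunnel"]:
        return "inner-tunnel-reached"        # outer TLS is fine; look at inner auth
    if s["alert"]:
        return "client-sent-tls-alert"       # supplicant explicitly rejected something
    if "ServerHelloDone" in s["server"] and "ClientKeyExchange" not in s["client"]:
        # Server presented its certificate, the client only ACKed the fragments
        # and went quiet: the "server certificate not trusted" symptom in the
        # thread. No password is ever checked in this case.
        return "client-stopped-after-server-certificate"
    if "ClientKeyExchange" in s["client"]:
        return "outer-tls-completed"
    return "no-tls-handshake-seen"


# Constructed sample 1: the stalled exchange, in the shape quoted above.
STALLED_LOG = """\
> rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67, length=187
>   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate
>   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> rad_recv: Access-Request packet from host 10.30.1.151:1036, id=68, length=113
> rlm_eap_tls: Received EAP-TLS ACK message
> Waking up in 6 seconds...
""".splitlines()

# Constructed sample 2: a healthy exchange that reaches the inner tunnel.
HEALTHY_LOG = """\
rad_recv: Access-Request packet from host 10.30.1.151:1036, id=67, length=187
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0323], Certificate
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
rad_recv: Access-Request packet from host 10.30.1.151:1036, id=68, length=310
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
rad_recv: Access-Request packet from host 10.30.1.151:1036, id=70, length=140
  rlm_eap_peap: Got tunneled request
""".splitlines()


if __name__ == "__main__":
    print("stalled :", diagnose(STALLED_LOG))
    print("healthy :", diagnose(HEALTHY_LOG))
```

Feed it the output of `radiusd -X` (quoted or not); a verdict of `client-stopped-after-server-certificate` means the fix lies with the certificate the supplicant is asked to trust, not with the user's password or the inner authentication method.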