LOGs of eap-tls authentication (inelec communication)
tnt at kalik.co.yu
Mon Sep 10 19:08:31 CEST 2007
Does it write anything to the log? On startup or when you send a local
radtest request?
Ivan Kalik
Kalik Informatika ISP
On 10/9/2007, "anoop_c at sifycorp.com" <anoop_c at sifycorp.com> wrote:
>
>> Message: 3
>> Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
>> From: inelec communication <inelec_communication at yahoo.fr>
>> Subject: RE : LOGs of eap-tls authentication
>> To: FreeRadius users mailing list
>Hi
> Please find my result. The authentication is working well. The problem is that the logs are not in the radius.log file.
>
> [root at anoop fr1.1.7]# cat successlog
> Message-Authenticator = 0x96080298cf8084c0a353d72c9e82a3aa
> Service-Type = Framed-User
> User-Name = "anoop07"
> Framed-MTU = 1488
> Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
> Calling-Station-Id = "00-0E-35-F3-A1-67"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x0200000c01616e6f6f703037
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 0
> modcall[authorize]: module "preprocess" returns ok for request 0
> rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 12
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 0
> users: Matched entry DEFAULT at line 153
> users: Matched entry DEFAULT at line 172
> modcall[authorize]: module "files" returns ok for request 0
>modcall: leaving group authorize (returns updated) for request 0
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 0
> rlm_eap: EAP Identity
> rlm_eap: processing type tls
> rlm_eap_tls: Requiring client certificate
> rlm_eap_tls: Initiate
> rlm_eap_tls: Start returned 1
> modcall[authenticate]: module "eap" returns handled for request 0
>modcall: leaving group authenticate (returns handled) for request 0
>Sending Access-Challenge of id 0 to 192.168.0.50 port 1033
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x010100060d20
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x8ab131c9d151752c61f18ffb09aa2c55
>Finished request 0
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1033, id=1, length=299
> Message-Authenticator = 0xe6d7ba1e4458e637c60740bc57383f9e
> Service-Type = Framed-User
> User-Name = "anoop07"
> Framed-MTU = 1488
> State = 0x8ab131c9d151752c61f18ffb09aa2c55
> Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
> Calling-Station-Id = "00-0E-35-F3-A1-67"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x020100600d800000005616030100510100004d030146e4c9b422a11c 6b0c2a9c5e74b8a0de5e3eb0e1d8a15f49cb7cbf83ad04116a105892c006371829ccf94f1dcdc6d8 3e3d001600040005000a000900640062000300060013001200630100
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 1
> modcall[authorize]: module "preprocess" returns ok for request 1
> rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 1
> rlm_eap: EAP packet type response id 1 length 96
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 1
> users: Matched entry DEFAULT at line 153
> users: Matched entry DEFAULT at line 172
> modcall[authorize]: module "files" returns ok for request 1
>modcall: leaving group authorize (returns updated) for request 1
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 1
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0051], ClientHello
> TLS_accept: SSLv3 read client hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
> TLS_accept: SSLv3 write server hello A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 04be], Certificate
> TLS_accept: SSLv3 write certificate A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004c], CertificateRequest
> TLS_accept: SSLv3 write certificate request A
> TLS_accept: SSLv3 flush data
> TLS_accept: Need to read more data: SSLv3 read client certificate A
>In SSL Handshake Phase
>In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 1
>modcall: leaving group authenticate (returns handled) for request 1
>Sending Access-Challenge of id 1 to 192.168.0.50 port 1033
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x0102040a0dc000000563160301004a02000046030146e4c9b59eb2f0 eb1e4eff23a4604203f5da0d54bd36842f27464dc2af678d07203e33b80dee1b655fafab80ece953 ac778f9d578cced14cc8f23c7e0e2c4335b800040016030104be0b0004ba0004b700022b30820227 30820190a003020102020101300d06092a864886f70d0101040500303b310b300906035504061302 494e310b300906035504081302544e310d300b060355040a1304536966793110300e060355040313 0730377877696669301e170d3037303131333037353834305a170d3038303131333037353834305a 305f310b300906035504061302494e310b3009060355040813
> EAP-Message = 0x02544e310d300b060355040a1304536966793110300e060355040313 07303778776966693122302006092a864886f70d01090116136a65796b756d61725f734073696679 2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100c6f366d39a74d8 b66b561628be123f18f9b0a71f09b98d21b990e9a987d9acf3ceabd01df377e13da987a23f244496 dfc0609e99ee03a9f44e51033cbb84c814d9d3225aacc7c67786fcd193d57c3f5ac16d7d1b835701 52edca9ba9ff99ca4feffcb244551292fad52026afda1f876205e84a26b81cebd89fa03fd97e5f7f db0203010001a317301530130603551d25040c300a06082b06
> EAP-Message = 0x010505070301300d06092a864886f70d010104050003818100a4cbb4 e6e8190d840edc9e61637a38ffa423b2a67e8d308c3005b8ec18318e94ddddbac0ccb1a15780c285 de01622608f4caded74bab6f0c9d44dfdeb648e46bdd4de3606e4c7f86e5f86472722db409baffdb 78eb6c7ad267a623e1155af13de26e83f3ce29b4f82baf551b756d2f49e5691cc1d80f6fb253b11e 7a15bf296000028630820282308201eba003020102020100300d06092a864886f70d010104050030 3b310b300906035504061302494e310b300906035504081302544e310d300b060355040a13045369 66793110300e0603550403130730377877696669301e170d30
> EAP-Message = 0x37303131333037353830305a170d3038303131333037353830305a30 3b310b300906035504061302494e310b300906035504081302544e310d300b060355040a13045369 66793110300e060355040313073037787769666930819f300d06092a864886f70d01010105000381 8d0030818902818100ec232cf24bd548a586d614994a3f3b9ee699eb64a3bf9a0c90d7bc8afb3984 2c767c3613757b8d38a78ceaa6a499be55dcf997abb9963b3ef406b39f766054d8e37d35859e6bd5 ce686c01eb63a25684afb79cd6796193355bd3ae67eae642701a34d1bc93426ade87434dadfbc8a8 b0cae8137d97d2a267973f2213ebeefcfd0203010001a38195
> EAP-Message = 0x308192301d0603551d0e04160414095ab44cec0cb80f
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0xf4654b6a22307d938c91831ef0396b8e
>Finished request 1
>Going to the next request
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1033, id=2, length=209
> Message-Authenticator = 0x5dc14e6f1f5361ad60a06d2bffa9e4a9
> Service-Type = Framed-User
> User-Name = "anoop07"
> Framed-MTU = 1488
> State = 0xf4654b6a22307d938c91831ef0396b8e
> Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
> Calling-Station-Id = "00-0E-35-F3-A1-67"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x020200060d00
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 2
> modcall[authorize]: module "preprocess" returns ok for request 2
> rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 2
> rlm_eap: EAP packet type response id 2 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 2
> users: Matched entry DEFAULT at line 153
> users: Matched entry DEFAULT at line 172
> modcall[authorize]: module "files" returns ok for request 2
>modcall: leaving group authorize (returns updated) for request 2
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake fragment handler
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 2
>modcall: leaving group authenticate (returns handled) for request 2
>Sending Access-Challenge of id 2 to 192.168.0.50 port 1033
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x0103016d0d80000005638c150861ea8bc609ed3cfbc030630603551d 23045c305a8014095ab44cec0cb80f8c150861ea8bc609ed3cfbc0a13fa43d303b310b3009060355 04061302494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603 550403130730377877696669820100300c0603551d13040530030101ff300d06092a864886f70d01 010405000381810019a69104ce7b395ddbb7a05ae632f71c590ba34e71b9a57cbe952eabed153fda cb07eb1c8d6db397f1f47a687103025a91b0431e73beac6e788de0af02e7d49e35808652dc4b2db6 0ccbcef9245239c47c785fb5c78c79ed7dd22d60ab6c19727e
> EAP-Message = 0xaa68ec38e3fc5b6e7716741e1f56eba981970face974b560ba07450e cdf817160301004c0d000044020102003f003d303b310b300906035504061302494e310b30090603 5504081302544e310d300b060355040a1304536966793110300e0603550403130730377877696669 0e000000
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x378a0c3727565af6c193024a8be476bc
>Finished request 2
>Going to the next request
>Waking up in 6 seconds...
>rad_recv: Access-Request packet from host 192.168.0.50:1033, id=3, length=1100
> Message-Authenticator = 0x2261a2046965f5b6c67629831b5ef1f5
> Service-Type = Framed-User
> User-Name = "anoop07"
> Framed-MTU = 1488
> State = 0x378a0c3727565af6c193024a8be476bc
> Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
> Calling-Station-Id = "00-0E-35-F3-A1-67"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x0203037b0d800000037116030103410b00023100022e00022b308202 2730820190a003020102020106300d06092a864886f70d0101040500303b310b3009060355040613 02494e310b300906035504081302544e310d300b060355040a1304536966793110300e0603550403 130730377877696669301e170d3037303131373033303230385a170d303830313137303330323038 5a305f310b300906035504061302494e310b300906035504081302544e310d300b060355040a1304 536966793110300e06035504031307616e6f6f7030373122302006092a864886f70d01090116136a 65796b756d61725f7340736966792e636f6d30819f300d0609
> EAP-Message = 0x2a864886f70d010101050003818d0030818902818100c530f10ae7bd 0f0fbd6bbafbcd48532c054b9afd474b7cd7ce6aa0291d664476bb1d9d143cfb4c713f5b47b5e636 3f6ceed4c3bc51ef1a35c84a100bb17b262f38923947a12f1e288ffe57fccfa92e6d12da42d9016a 8da5c07c7705c2156da206d76fd569ca589fdca309fd1703fec4b5fa77ee1257b5b9514e39b4d79d 601f0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886 f70d01010405000381810089c51110b91d0135f1a99f29ea922ff1a7738195963017d2d9dd32c81d 2782210b1329644559fc746cb77ce6f707f50efe3aa155b3d9
> EAP-Message = 0x36f15183865793097ff4207baac2d26153f81f177377493db3d2a52d b063b7668b57bc0e575401a6da093e5abd9a0f147810eaf1ee2967bc2252afe0bf8b7b678914895c c3190f22eb7a1000008200803ea26a8f1b684b4c6f76f7ca07e3b3d0dd71dd459cd90f96868faf38 253fc9970fbc3e19efb321e353e982314b42e8bb66aa5b1ee540a4810d8a48a1615b8af8657a9b38 cc1caf7da1966813de8f59f372c63c4cbac4dd3ad7877bcc8fba80ca799f52efcdee1b541461ef7e 65948840305e0dbcc845d069765955affbf8b41e0f0000820080588771eb658b2403ce711f921da6 27e0b633993385a5dc7d249503ecc0c84f7bdefc5bf34c20a9
> EAP-Message = 0x4b18930f40b19d87ea7d1819aa00d2e42ea7fed5f4ad7d327a0a6eee 2b2c5915e86f5c4399e75af08982a3462b8b65478ef1c88592679fd3de147e0b1153e54c4e97c8e5 3119db0b0c62b47ec818386db914820c02f63071781403010001011603010020761ad2fae86d1219 94064ff99a0de5bc0eb15df5bafe1a75fcfa20f285db803a
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 3
> modcall[authorize]: module "preprocess" returns ok for request 3
> rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 3
> rlm_eap: EAP packet type response id 3 length 253
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 3
> users: Matched entry DEFAULT at line 153
> users: Matched entry DEFAULT at line 172
> modcall[authorize]: module "files" returns ok for request 3
>modcall: leaving group authorize (returns updated) for request 3
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Length Included
> eaptls_verify returned 11
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0235], Certificate
>chain-depth=1,
>error=0
>--> User-Name = anoop07
>--> BUF-Name = 07xwifi
>--> subject = /C=IN/ST=TN/O=Sify/CN=07xwifi
>--> issuer = /C=IN/ST=TN/O=Sify/CN=07xwifi
>--> verify return:1
>chain-depth=0,
>error=0
>--> User-Name = anoop07
>--> BUF-Name = anoop07
>--> subject = /C=IN/ST=TN/O=Sify/CN=anoop07/emailAddress=jeykumar_s at sify.com
>--> issuer = /C=IN/ST=TN/O=Sify/CN=07xwifi
>--> verify return:1
> TLS_accept: SSLv3 read client certificate A
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
> TLS_accept: SSLv3 read client key exchange A
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
> TLS_accept: SSLv3 read certificate verify A
> rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
> TLS_accept: SSLv3 read finished A
> rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
> TLS_accept: SSLv3 write change cipher spec A
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
> TLS_accept: SSLv3 write finished A
> TLS_accept: SSLv3 flush data
> (other): SSL negotiation finished successfully
>SSL Connection Established
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 3
>modcall: leaving group authenticate (returns handled) for request 3
>Sending Access-Challenge of id 3 to 192.168.0.50 port 1033
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> EAP-Message = 0x010400350d800000002b1403010001011603010020324ac90185d18d e8ead736d798e140ed642aeb31ff52849b3aa5b6f021c5aec0
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x5ffef94eee0c0123922689d2e6c2fe8e
>Finished request 3
>Going to the next request
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 0 ID 0 with timestamp 46e4c9b5
>Cleaning up request 1 ID 1 with timestamp 46e4c9b5
>Cleaning up request 2 ID 2 with timestamp 46e4c9b5
>Cleaning up request 3 ID 3 with timestamp 46e4c9b5
>Nothing to do. Sleeping until we see a request.
>rad_recv: Access-Request packet from host 192.168.0.50:1033, id=4, length=209
> Message-Authenticator = 0x221fc85bf9fb820395d9c8484a3fdabc
> Service-Type = Framed-User
> User-Name = "anoop07"
> Framed-MTU = 1488
> State = 0x5ffef94eee0c0123922689d2e6c2fe8e
> Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
> Calling-Station-Id = "00-0E-35-F3-A1-67"
> NAS-Identifier = "D-Link Access Point"
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 54Mbps 802.11g"
> EAP-Message = 0x020400060d00
> NAS-IP-Address = 192.168.0.50
> NAS-Port = 1
> NAS-Port-Id = "STA port # 1"
> Processing the authorize section of radiusd.conf
>modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok for request 4
> rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: EAP packet type response id 4 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 4
> users: Matched entry DEFAULT at line 153
> users: Matched entry DEFAULT at line 172
> modcall[authorize]: module "files" returns ok for request 4
>modcall: leaving group authorize (returns updated) for request 4
> rad_check_password: Found Auth-Type EAP
>auth: type "EAP"
> Processing the authenticate section of radiusd.conf
>modcall: entering group authenticate for request 4
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/tls
> rlm_eap: processing type tls
> rlm_eap_tls: Authenticate
> rlm_eap_tls: processing TLS
>rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: ack handshake is finished
> eaptls_verify returned 3
> eaptls_process returned 3
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns ok for request 4
>modcall: leaving group authenticate (returns ok) for request 4
>Sending Access-Accept of id 4 to 192.168.0.50 port 1033
> Framed-IP-Address = 255.255.255.254
> Framed-MTU = 576
> Service-Type = Framed-User
> MS-MPPE-Recv-Key = 0x428d07c24a61cd12f49c7b51f54e36b19dce6fa5e42d393221d 043784abdc995
> MS-MPPE-Send-Key = 0x55f256119e8b41171ac594ea1a871d302fff183d06365a3505b 6a6786eee1fc5
> EAP-Message = 0x03040004
> Message-Authenticator = 0x00000000000000000000000000000000
> User-Name = "anoop07"
>Finished request 4
>Going to the next request
>--- Walking the entire request list ---
>Waking up in 6 seconds...
>--- Walking the entire request list ---
>Cleaning up request 4 ID 4 with timestamp 46e4c9bc
>Nothing to do. Sleeping until we see a request.
>
>[root at anoop fr1.1.7]#
>
>> <freeradius-users at lists.freeradius.org>
>> Message-ID: <60722.76768.qm at web26011.mail.ukl.yahoo.com>
>> Content-Type: text/plain; charset="iso-8859-1"
>>
>> hello,
>> running radius in debug mode doesn't give any log file, I mean it
>> doesn't give logs in radiusd.log; if you give me your result when you
>> have run radiusd -X -A perhaps I can help
>>
>> regards
>>
>>
>
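The quoted `radiusd -X` transcript is the whole EAP-TLS conversation in one place: the Identity response, the ClientHello, the server's Certificate and CertificateRequest, the fragment ACKs, the client's certificate chain printed under `chain-depth=`, and finally the Access-Accept carrying the MS-MPPE keys. Debug output like this goes to the terminal rather than to radius.log, so when an auditor wants to check what the server actually accepted it helps to reduce the transcript to one record per conversation. The following is an added example, written by the editor and not FreeRADIUS code; the line formats are taken from the 1.1.7 transcript above, while the regular expressions, the review rules in `audit()` and the constructed `SAMPLE_LOG` are the editor's own assumptions.

```python
# Added example, not FreeRADIUS code: summarises one EAP-TLS conversation from
# `radiusd -X` output. Line formats follow the 1.1.7 transcript quoted above;
# the regexes, audit rules and SAMPLE_LOG are the editor's assumptions/constructed data.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Cert:
    depth: int              # 0 = client leaf, 1.. = issuing chain
    subject: str = ""
    issuer: str = ""
    verified: bool = False  # set from "--> verify return:1"

@dataclass
class Request:
    rid: int
    attrs: Dict[str, str] = field(default_factory=dict)
    tls: List[str] = field(default_factory=list)    # "<<< ClientHello", ">>> Finished", ...
    certs: List[Cert] = field(default_factory=list)
    reply: Optional[str] = None                      # Access-Challenge / -Accept / -Reject

RE_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
RE_REPLY = re.compile(r"^Sending (Access-\w+) of id \d+ to ")
RE_TLS = re.compile(r"^rlm_eap_tls: (<<<|>>>) TLS [\d.]+ (\w+)(?: \[length [0-9a-f]+\])?(?:, (\w+))?")
RE_DEPTH = re.compile(r"^chain-depth=(\d+),")
RE_CERT = re.compile(r"^--> (subject|issuer|verify return)[:= ]+(.+)$")
RE_ATTR = re.compile(r'^([\w-]+) = "?([^"]*)"?$')

def parse_radiusd_debug(text: str) -> List[Request]:
    requests: List[Request] = []
    cur: Optional[Request] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()  # tolerate mail-quoted transcripts
        if m := RE_RECV.match(line):
            cur = Request(rid=int(m.group(2)))
            requests.append(cur)
        elif cur is None:
            continue
        elif m := RE_REPLY.match(line):
            cur.reply = m.group(1)
        elif m := RE_TLS.match(line):
            direction, layer, handshake = m.groups()
            cur.tls.append(f"{direction} {handshake or layer}")
        elif m := RE_DEPTH.match(line):
            cur.certs.append(Cert(depth=int(m.group(1))))
        elif cur.certs and (m := RE_CERT.match(line)):
            key, val = m.group(1), m.group(2).strip()
            if key == "verify return":
                cur.certs[-1].verified = val == "1"
            else:
                setattr(cur.certs[-1], key, val)
        elif m := RE_ATTR.match(line):
            cur.attrs.setdefault(m.group(1), m.group(2))  # request copy wins over reply copy
    return requests

def cn_of(dn: str) -> str:
    """CN from an OpenSSL one-line DN such as /C=IN/ST=TN/O=Sify/CN=anoop07."""
    return next((p[3:] for p in dn.split("/") if p.startswith("CN=")), "")

def session_summary(requests: List[Request]) -> Dict[str, object]:
    """Collapse the packet-level view into one record for the whole conversation."""
    certs = [c for r in requests for c in r.certs]
    leaf = next((c for c in certs if c.depth == 0), None)
    last = requests[-1]
    return {"user": last.attrs.get("User-Name", ""),
            "peer": last.attrs.get("Calling-Station-Id", ""),
            "result": last.reply,
            "client_cn": cn_of(leaf.subject) if leaf else "",
            "issuer": leaf.issuer if leaf else "",
            "chain_verified": bool(certs) and all(c.verified for c in certs),
            "handshake": [msg for r in requests for msg in r.tls]}

def audit(summary: Dict[str, object]) -> List[str]:
    """Editor's own review rules for an Access-Accept; an empty list means nothing to flag."""
    if summary["result"] != "Access-Accept":
        return []
    if not summary["client_cn"]:
        return ["accepted without a client certificate in the transcript"]
    if not summary["chain_verified"]:
        return ["accepted although part of the certificate chain failed verification"]
    if summary["client_cn"] != summary["user"]:
        return [f"EAP identity {summary['user']!r} != certificate CN {summary['client_cn']!r}"]
    return []

# Constructed sample modelled on the thread's transcript (hex payloads and most attributes omitted).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.0.50:1033, id=3, length=1100
        User-Name = "anoop07"
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0235], Certificate
chain-depth=1,
--> subject = /C=IN/ST=TN/O=Sify/CN=07xwifi
--> issuer = /C=IN/ST=TN/O=Sify/CN=07xwifi
--> verify return:1
chain-depth=0,
--> subject = /C=IN/ST=TN/O=Sify/CN=anoop07/emailAddress=user@example.com
--> issuer = /C=IN/ST=TN/O=Sify/CN=07xwifi
--> verify return:1
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Sending Access-Challenge of id 3 to 192.168.0.50 port 1033
rad_recv: Access-Request packet from host 192.168.0.50:1033, id=4, length=209
        User-Name = "anoop07"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
  rlm_eap_tls: Received EAP-TLS ACK message
Sending Access-Accept of id 4 to 192.168.0.50 port 1033
        User-Name = "anoop07"
"""
```

Feed it a saved `radiusd -X` capture (or a mail-quoted one, as in this thread) with `session_summary(parse_radiusd_debug(text))` and pass the result to `audit()`. On the constructed sample it reports an Access-Accept for `anoop07`, issued by `CN=07xwifi`, with both chain elements verified and no findings; a certificate whose CN differs from the EAP identity, or a `verify return:0` on any element, produces a finding. The identity-versus-CN comparison is the check the server itself can enforce with `check_cert_cn` in the `tls` section of eap.conf, so in practice the script serves as an after-the-fact cross-check of what the configuration let through rather than as the control.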