WPA-Enterprise with TTLS fails to authenticate (from Windows ok, but Linux fails).
Janusz Syrytczyk
janusz at uni.opole.pl
Mon Sep 24 12:00:10 CEST 2007
Hello,
I'm running WPA-Enterprise with TTLS authentication and an LDAP backend. The config
had been running fine for 1.5 years.
The problem is that I cannot authenticate to my network with wpa_supplicant,
although I could before, and from Windows with the Secure2w TTLS wrapper I still can. I use
Gentoo and did some upgrades (but nothing special, I guess; the kernel is the
same, and so is wpa_supplicant).
My eap.conf:
eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        tls {
                private_key_file = ${raddbdir}/certs/radius1.uni.opole.pl.key
                certificate_file = ${raddbdir}/certs/radius1.uni.opole.pl.pem
                CA_path = ${raddbdir}/certs/
                CA_file = ${raddbdir}/certs/ca.uni.opole.pl.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                check_cert_cn = %{User-Name}
                #check_crl = yes
                crl_dir = /etc/raddb/certs
                proxy_tunneled_request_as_eap = yes
        }
        peap {
                default_eap_type = mschapv2
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
        mschapv2 {
        }
}
My wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
fast_reauth=1
update_config=0
network={
        ssid="eduroam"
        scan_ssid=1
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        eap=TTLS
        identity="jsyrytczyk at uni.opole.pl"
        password="mycorrectpassword"
        ca_cert="/etc/wpa_supplicant/ca.uni.opole.pl.pem"
        phase2="auth=PAP"
}
My error:
Ready to process requests.
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=89,
length=205
User-Name = "jsyrytczyk at uni.opole.pl"
Framed-MTU = 1400
Called-Station-Id = "0019.a9b5.3a01"
Calling-Station-Id = "0002.7258.7f14"
Cisco-AVPair = "ssid=eduroam"
Service-Type = Login-User
Message-Authenticator = 0x2e72d462f1fb588c9674049e6b61e580
EAP-Message =
0x0201001c016a7379727974637a796b40756e692e6f706f6c652e706c
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "461"
NAS-Port = 461
NAS-IP-Address = 10.59.223.247
NAS-Identifier = "AP1242_eduroam_CI"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: Looking up realm "uni.opole.pl" for User-Name
= "jsyrytczyk at uni.opole.pl"
rlm_realm: Found realm "uni.opole.pl"
rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl
rlm_realm: Adding Realm = "uni.opole.pl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address =
217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name
= "jsyrytczyk at uni.opole.pl"'
rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee".
modcall[authorize]: module "acct_unique" returns ok for request 0
radius_xlat: 'jsyrytczyk at uni.opole.pl'
rlm_attr_rewrite: Added attribute Stripped-User-Name with
value 'jsyrytczyk at uni.opole.pl'
modcall[authorize]: module "copy.user-name" returns ok for request 0
radius_xlat: '@.*$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name
from 'jsyrytczyk at uni.opole.pl' to 'jsyrytczyk'
modcall[authorize]: module "strip.user-name" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsyrytczyk at uni.opole.pl
radius_xlat: '(&(objectClass=VirtualMailAccount)
(mail=jsyrytczyk at uni.opole.pl)(accountActive=TRUE)(delete=FALSE))'
radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 217.173.193.3:389, authentication 0
rlm_ldap: bind as cn=dovecot,dc=uo,dc=opole,dc=pl/hereismyldapdatabasepass to
217.173.193.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter
(&(objectClass=VirtualMailAccount)(mail=jsyrytczyk at uni.opole.pl)
(accountActive=TRUE)(delete=FALSE))
rlm_ldap: checking if remote access for jsyrytczyk at uni.opole.pl is allowed by
dialupAccess
rlm_ldap: Password header not found in password {CRYPT}hash for user
jsyrytczyk at uni.opole.pl
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hash"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsyrytczyk at uni.opole.pl authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
rlm_eap: EAP packet type response id 1 length 28
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 89 to 217.173.193.40 port 4347
EAP-Message =
0x010200311a0102002c10124897b1c632a0dd9edec5d89e10c5bc6a7379727974637a796b40756e692e6f706f6c652e706c
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcdc132917ef520c9537ed9cbb1481929
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=90,
length=201
User-Name = "jsyrytczyk at uni.opole.pl"
Framed-MTU = 1400
Called-Station-Id = "0019.a9b5.3a01"
Calling-Station-Id = "0002.7258.7f14"
Cisco-AVPair = "ssid=eduroam"
Service-Type = Login-User
Message-Authenticator = 0x1290a4533963f73ed925dec295cbefdf
EAP-Message = 0x020200060315
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "461"
NAS-Port = 461
State = 0xcdc132917ef520c9537ed9cbb1481929
NAS-IP-Address = 10.59.223.247
NAS-Identifier = "AP1242_eduroam_CI"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
rlm_realm: Looking up realm "uni.opole.pl" for User-Name
= "jsyrytczyk at uni.opole.pl"
rlm_realm: Found realm "uni.opole.pl"
rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl
rlm_realm: Adding Realm = "uni.opole.pl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address =
217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name
= "jsyrytczyk at uni.opole.pl"'
rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee".
modcall[authorize]: module "acct_unique" returns ok for request 1
radius_xlat: 'jsyrytczyk at uni.opole.pl'
rlm_attr_rewrite: Added attribute Stripped-User-Name with
value 'jsyrytczyk at uni.opole.pl'
modcall[authorize]: module "copy.user-name" returns ok for request 1
radius_xlat: '@.*$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name
from 'jsyrytczyk at uni.opole.pl' to 'jsyrytczyk'
modcall[authorize]: module "strip.user-name" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsyrytczyk at uni.opole.pl
radius_xlat: '(&(objectClass=VirtualMailAccount)
(mail=jsyrytczyk at uni.opole.pl)(accountActive=TRUE)(delete=FALSE))'
radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter
(&(objectClass=VirtualMailAccount)(mail=jsyrytczyk at uni.opole.pl)
(accountActive=TRUE)(delete=FALSE))
rlm_ldap: checking if remote access for jsyrytczyk at uni.opole.pl is allowed by
dialupAccess
rlm_ldap: Password header not found in password {CRYPT}hashed for user
jsyrytczyk at uni.opole.pl
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsyrytczyk at uni.opole.pl authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/ttls
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 90 to 217.173.193.40 port 4347
EAP-Message = 0x010300061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91,
length=201
User-Name = "jsyrytczyk at uni.opole.pl"
Framed-MTU = 1400
Called-Station-Id = "0019.a9b5.3a01"
Calling-Station-Id = "0002.7258.7f14"
Cisco-AVPair = "ssid=eduroam"
Service-Type = Login-User
Message-Authenticator = 0xed18d300aabdabba014117f1b2bca527
EAP-Message = 0x020200060315
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "461"
NAS-Port = 461
State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc
NAS-IP-Address = 10.59.223.247
NAS-Identifier = "AP1242_eduroam_CI"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
rlm_realm: Looking up realm "uni.opole.pl" for User-Name
= "jsyrytczyk at uni.opole.pl"
rlm_realm: Found realm "uni.opole.pl"
rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl
rlm_realm: Adding Realm = "uni.opole.pl"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 2
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request,
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address =
217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name
= "jsyrytczyk at uni.opole.pl"'
rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee".
modcall[authorize]: module "acct_unique" returns ok for request 2
radius_xlat: 'jsyrytczyk at uni.opole.pl'
rlm_attr_rewrite: Added attribute Stripped-User-Name with
value 'jsyrytczyk at uni.opole.pl'
modcall[authorize]: module "copy.user-name" returns ok for request 2
radius_xlat: '@.*$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name
from 'jsyrytczyk at uni.opole.pl' to 'jsyrytczyk'
modcall[authorize]: module "strip.user-name" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsyrytczyk at uni.opole.pl
radius_xlat: '(&(objectClass=VirtualMailAccount)
(mail=jsyrytczyk at uni.opole.pl)(accountActive=TRUE)(delete=FALSE))'
radius_xlat: 'o=hosting,dc=uo,dc=opole,dc=pl'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter
(&(objectClass=VirtualMailAccount)(mail=jsyrytczyk at uni.opole.pl)
(accountActive=TRUE)(delete=FALSE))
rlm_ldap: checking if remote access for jsyrytczyk at uni.opole.pl is allowed by
dialupAccess
rlm_ldap: Password header not found in password {CRYPT}hashed for user
jsyrytczyk at uni.opole.pl
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsyrytczyk at uni.opole.pl authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Login incorrect: [jsyrytczyk at uni.opole.pl] (from client UniNet port 461 cli
0002.7258.7f14)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...
FreeRADIUS writes that my password is incorrect, but of course it is correct. It
also complains about a bad {crypt} header, but it works fine with it when
using Windows. Anyway, when I pass the correct header or change it to any other
in radiusd.conf, it changes nothing.
I substituted all passwords, of course.
--
Syrytczyk Janusz - Server administrator
Centrum Informatyczne Uniwersytetu Opolskiego
Phone: +48 77 452-70-91
E-mail: jsyrytczyk at uni.opole.pl
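The debug output above carries the whole EAP conversation in the EAP-Message attributes, and decoding them shows what "Request not found in the list" refers to: the third Access-Request (id 91) presents the State from the TTLS-Start challenge but its EAP-Message is byte for byte the earlier Nak (EAP Identifier 2), while the server's outstanding request is Identifier 3. The script below is an added example, not code from the original post nor from the FreeRADIUS or wpa_supplicant projects. The five hex strings are copied from the log in the post (the list archive rewrites "@" as " at " in the prose, but the bytes on the wire contain "@"); the Identifier tracking is my own reading of RFC 3748 section 4.1, under which a Response must carry the Identifier of the outstanding Request.

```python
"""Decode the EAP-Message values from the FreeRADIUS debug output above
and check that every Response answers the Request the server has outstanding.

Added example; the hex strings are copied from the post's log, the field
layout follows RFC 3748 (EAP), RFC 5281 (EAP-TTLS) and RFC 2759 (MS-CHAPv2).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# EAP-Message attribute values in the order they appear in the log above.
LOG_EAP_MESSAGES = [
    "0x0201001c016a7379727974637a796b40756e692e6f706f6c652e706c",  # request 0, peer -> server
    "0x010200311a0102002c10124897b1c632a0dd9edec5d89e10c5bc6a7379727974637a796b40756e692e6f706f6c652e706c",  # challenge id 89
    "0x020200060315",  # request 1, peer -> server
    "0x010300061520",  # challenge id 90
    "0x020200060315",  # request 2, peer -> server (same bytes as request 1)
]


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]  # None for Success/Failure, which carry no Type byte
    data: bytes              # Type-Data

    def describe(self) -> str:
        kind = EAP_CODES.get(self.code, f"code {self.code}")
        if self.eap_type is None:
            return f"{kind} id={self.identifier}"
        tname = EAP_TYPES.get(self.eap_type, f"type {self.eap_type}")
        detail = ""
        if self.eap_type == 1 and self.code == 2:          # Identity: Type-Data is the NAI
            detail = self.data.decode("ascii", "replace")
        elif self.eap_type == 3:                           # Nak: Type-Data lists the desired types
            detail = "peer wants " + ", ".join(EAP_TYPES.get(t, str(t)) for t in self.data)
        elif self.eap_type == 21 and self.data:            # TTLS: first byte is the flags octet
            flags = self.data[0]
            detail = "flags=" + "".join(f for f, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & bit)
        elif self.eap_type == 26 and len(self.data) >= 5:  # MS-CHAPv2: OpCode, MS-Id, MS-Length, ...
            opcode, ms_id = self.data[0], self.data[1]
            ms_len = int.from_bytes(self.data[2:4], "big")
            if opcode == 1:                                # Challenge: Value-Size, Challenge, Name
                vsize = self.data[4]
                challenge = self.data[5:5 + vsize]
                name = self.data[5 + vsize:].decode("ascii", "replace")
                detail = f"Challenge ms-id={ms_id} ms-len={ms_len} challenge={challenge.hex()} name={name}"
            else:
                detail = f"opcode={opcode} ms-id={ms_id}"
        return f"{kind} id={self.identifier} {tname} {detail}".rstrip()


def parse_eap(hexstr: str) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field says {length} bytes, attribute carries {len(raw)}")
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        return EapPacket(code, identifier, length, raw[4], raw[5:])
    return EapPacket(code, identifier, length, None, b"")


def audit_exchange(hex_messages: List[str]) -> List[Tuple[int, str, str]]:
    """Replay the EAP-Message values in order and flag any Response whose
    Identifier does not match the Request the server currently has outstanding."""
    findings = []
    outstanding: Optional[int] = None  # Identifier of the last Request the server sent
    for index, hexstr in enumerate(hex_messages):
        pkt = parse_eap(hexstr)
        status = "ok"
        if pkt.code == 1:
            outstanding = pkt.identifier
        elif pkt.code == 2:
            # The very first Response answers the access point's own
            # EAP-Request/Identity, which never reaches RADIUS, so nothing
            # is outstanding yet and it is accepted as-is.
            if outstanding is not None and pkt.identifier != outstanding:
                status = f"stale: Response id={pkt.identifier} but the outstanding Request is id={outstanding}"
        findings.append((index, status, pkt.describe()))
    return findings


if __name__ == "__main__":
    for index, status, text in audit_exchange(LOG_EAP_MESSAGES):
        print(f"[{index}] {status:<60} {text}")
```

Running it prints the five packets decoded (Identity, MS-CHAPv2 Challenge, Nak asking for TTLS, TTLS-Start with the S flag set, and the Nak again) and marks only the last one as stale. That is a check worth running on any "Request not found in the list" log before touching passwords or LDAP: if the peer resends an old Identifier, the failure is in the EAP state machine on the supplicant or NAS side and no credential or {crypt} header change on the server can fix it.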