Conf PEAP
Martin Silvero
silvero.martin at gmail.com
Wed Dec 17 19:57:08 CET 2008
Hello gentlemen
I am configuring PEAP and there is not much information about it,
Should I add a user in the user file alone?
If default is configured with EAP, what should I modify another file?
thanks.
logout:
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=220, length=156
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x8cc6da388d8df7f5ec4355457fe64969
EAP-Message = 0x020100130149504c414e5c6d73696c7665726f
NAS-Port-Type = Wireless-802.11
NAS-Port = 474
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 220 to 10.10.1.21 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x34d23a2734d023bc90d78d0fbe96492c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=221, length=263
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x3491a2750461cd5efdc8648bf46aa49a
EAP-Message =
0x0202006c190016030100610100005d030149493f85acfcc0f2c2c47fe6fa7a57d6e421cff26116506231b3776199ed10e200003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
NAS-Port-Type = Wireless-802.11
NAS-Port = 474
State = 0x34d23a2734d023bc90d78d0fbe96492c
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 108
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0061], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[peap] TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 221 to 10.10.1.21 port 1645
[...]
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 220 with timestamp +68
Waking up in 0.1 seconds.
Cleaning up request 1 ID 221 with timestamp +68
Ready to process requests.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=222, length=156
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x862b4eedab979983e604c4836e8ac526
EAP-Message = 0x020100130149504c414e5c6d73696c7665726f
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 222 to 10.10.1.21 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8f11b52d8f13ac786b16694f681d2fd0
Finished request 2.
[...]
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 223 to 10.10.1.21 port 1645
[...]
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=224, length=161
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x9f0db2567149250ed92295734e004b44
EAP-Message = 0x020300061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
State = 0x8f11b52d8e12ac786b16694f681d2fd0
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 224 to 10.10.1.21 port 1645
[...]
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=225, length=161
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0x65d2bab3cdae40b237ce9837d9a3eacf
EAP-Message = 0x020400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
State = 0x8f11b52d8d15ac786b16694f681d2fd0
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
[...]
Sending Access-Challenge of id 225 to 10.10.1.21 port 1645
[...]
Finished request 5.
Going to the next request
waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.10.1.21 port 1645,
id=226, length=168
User-Name = "DOMINIO\\msilvero"
Framed-MTU = 1400
Called-Station-Id = "0019.2fdb.9e00"
Calling-Station-Id = "001f.3c22.44c5"
Service-Type = Login-User
Message-Authenticator = 0xcb5badb43459e8a2770683bef095543b
EAP-Message = 0x0205000d190015030100020230
NAS-Port-Type = Wireless-802.11
NAS-Port = 475
State = 0x8f11b52d8c14ac786b16694f681d2fd0
NAS-IP-Address = 10.10.1.21
NAS-Identifier = "ap-ap"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "DOMINIO\msilvero", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 13
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> DOMINIO\msilvero
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 226 to 10.10.1.21 port 1645
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
Cleaning up request 2 ID 222 with timestamp +74
Waking up in 0.1 seconds.
Cleaning up request 3 ID 223 with timestamp +74
Cleaning up request 4 ID 224 with timestamp +74
Cleaning up request 5 ID 225 with timestamp +74
Waking up in 1.0 seconds.
Cleaning up request 6 ID 226 with timestamp +74
Ready to process requests.
More information about the Freeradius-Users
mailing list