cert bootstrap bug? (was Re: definitively, I have a problem with eap-tls)

Sat Jul 26 15:43:14 CEST 2008

Reveal MAP escribió:
>
>
> > installing ca.der and putting user && pass into client machine, the
> authentication doesn't work?
>
>   -- no, it doesn't!
>
> > you only need ca.der but, if you have an active directory like LDAP,
> check if your comunication with AD server also have tls authentication.
> Into ldap module you can configurate another tls block, which it's
> different than tls block into eap module.
>
>   -- Well, the howto espalaining how freeradius has to authenticate 
> users against Active Directory says nothing about ldap config files on 
> linux server. it just gives tips about samba, using winbind, 
> ntlm_auth, krb5.conf, nsswitch.conf and mschap module in freeradius.
> I ever success this kind of authentication without reading or changing 
> a line of ldap module in freeradius.
> and i think, authenticating users against Openldap won't be managed 
> like authentication of freeradius using active directory.
>
> >I don't know if it is your problem, but I suppose that  comunication
> between ldap server and radius can have different certificates, from
> different ca's than  eap comunication.
>
>
> my wireless network is secured with wpa/wpa2 entreprise, requiring a 
> RADIUS server to perform authentication. so i am doing 802.1x 
> authentication which exploit a valid PKI,regardless of the base of 
> users. this is how i understand it.
>
>  > If it is your problem, I would
> check it. also would be good you post de debug of radius to see which
> certificate can't validate.
>
> see the logf there: http://tinypaste.com/5b99b
> active and valid user is:
>     login: glouglou
>     password: glouglou
>
> aaa:~ # ntlm_auth --username=glouglou --request-nt-key --domain=PLUTON
> password:
> NT_STATUS_OK: Success (0x0)
> aaa:~ #                    
>
>
> :/ Any help will be appreciated. these days i am wondering about 
> validity of the Server certificate!
> I have to tell you that, in my case, if i try a peap authentication 
> against Active Directoiry with wrong users credentials, i have an 
> error message saying that login or password is incorrect. with good 
> users credential, i just obtain what you can see in the Radiusd -X 
> output (http://tinypaste.com/5b99b)
>
> thank you
> -
> List info/subscribe/unsubscribe? See 
> http://www.freeradius.org/list/users.html
>
> ------------------------------------------------------------------------
>
but I think you don't have any problem with certificates, looking at 
radius debug:

rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established

the client is telling you that has verified the server cert (against 
ca.der). Then, the server writes ChangeCipherSpec and Fin, and tls phase 
is finished. I think you have problems with mschapv2 phase, assuming 
your sql querys working.
Your problem begin here:

rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
        expand: --username=%{mschap:User-Name} -> --username=glouglou

I think......
I've never configured peap/mschapv2 but sometimes i've read, not 
carefully, about some dependencies between mschap module and mschapv2 or 
something like that.
hope this help you