TLS Error: unkown_CA

Jelle Langbroek jml at orkz.net
Mon Jun 16 17:00:25 CEST 2008


PEAP worked out fine for me with username/password logins (no certificates).
It's Microsoft's protocol and since I have a lot of Windows clients, it was
the obvious choice. Of course it depends on what kind of clients you have.
PEAP didn't work out very well with MacOSX clients though. I'm still testing
if MacOSX might work better with TTLS.

good luck!

Jelle



2008/6/16 Julian Stöver <julian_st at gmx.de>:

>
> Am 16.06.2008 um 16:14 schrieb Jelle Langbroek:
>
> Well, it looks like your client doesn't have a client-certificate
> installed. When using TLS your client needs a certificate installed. Radius
> gives you the following error:
>
> "rlm_eap: SSL error error:140890B2:SSL
> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"
>
>
> That's the problem. I have to use TTLS when I don't want client
> certificates, only server certificates, right? I think I mixed it up ;)
>
> thanks
> Julian
>
>
>
> 2008/6/16 Julian Stöver <julian_st at gmx.de>:
>
>> Hi
>> I'm running Freeradius2 with EAP-TLS. I've created new certificates and
>> put them into my certs-dir. Radius starts with no errors. But if I try to
>> login, I get this TLS Error:
>>
>> rlm_sql (sql): Released sql socket id: 3
>>
>> ++[sql] returns ok
>>
>>  rad_check_password:  Found Auth-Type EAP
>>
>> auth: type "EAP"
>>
>> +- entering group authenticate
>>
>>  rlm_eap: Request found, released from the list
>>
>>  rlm_eap: EAP/tls
>>
>>  rlm_eap: processing type tls
>>
>>  rlm_eap_tls: Authenticate
>>
>>  rlm_eap_tls: processing TLS
>>
>>  eaptls_verify returned 7
>>
>>  rlm_eap_tls: Done initial handshake
>>
>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0467], Certificate
>>
>> --> verify error:num=18:self signed certificate
>>
>>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>>
>> TLS Alert write:fatal:unknown CA
>>
>>    TLS_accept:error in SSLv3 read client certificate B
>>
>> rlm_eap: SSL error error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
>>
>>  eaptls_process returned 13
>>
>>  rlm_eap: Freeing handler
>>
>> ++[eap] returns reject
>>
>> auth: Failed to validate the user.
>>
>> Login incorrect: [julian/<via Auth-Type = EAP>] (from client GFS-03-01
>> port 286 cli 001e.5280.15c6)
>>
>> Delaying reject of request 11 for 1 seconds
>>
>> Going to the next request
>>
>>
>> But I don't know why freeradius has a problem with the ca cert.
>>
>> thanks for helping me
>>
>>
>> Here's the startup log and the whole request:
>> startup.log
>>
>> Starting - reading configuration files ...
>>
>> including configuration file /etc/freeradius/radiusd.conf
>>
>> including configuration file /etc/freeradius/proxy.conf
>>
>> including configuration file /etc/freeradius/clients.conf
>>
>> including configuration file /etc/freeradius/snmp.conf
>>
>> including configuration file /etc/freeradius/eap.conf
>>
>> including configuration file /etc/freeradius/sql.conf
>>
>> including dictionary file /etc/freeradius/dictionary
>>
>> main {
>>
>> prefix = "/usr"
>>
>> localstatedir = "/var"
>>
>> logdir = "/var/log/freeradius"
>>
>> libdir = "/usr/lib/freeradius"
>>
>> radacctdir = "/var/log/freeradius/radacct"
>>
>> hostname_lookups = no
>>
>> max_request_time = 30
>>
>>  cleanup_delay = 5
>>
>> max_requests = 1024
>>
>> allow_core_dumps = no
>>
>> pidfile = "/var/run/freeradius/freeradius.pid"
>>
>> user = "freerad"
>>
>> group = "freerad"
>>
>> checkrad = "/usr/sbin/checkrad"
>>
>> debug_level = 0
>>
>> proxy_requests = no
>>
>> security {
>>
>> max_attributes = 200
>>
>> reject_delay = 1
>>
>>  status_server = no
>>
>> }
>>
>> }
>>
>> client localhost {
>>
>> ipaddr = 127.0.0.1
>>
>> require_message_authenticator = no
>>
>> secret = "testing123"
>>
>> nastype = "other"
>>
>> }
>>
>> client 172.17.255.1 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.2 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-02"
>>
>> }
>>
>> client 172.17.255.3 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-03"
>>
>> }
>>
>> client 172.17.255.4 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.5 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.6 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.11 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.12 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.13 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.14 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.15 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.16 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> client 172.17.255.21 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-03-01"
>>
>> }
>>
>> client 172.17.255.22 {
>>
>> require_message_authenticator = no
>>
>> secret = "4n3kc092ldnS3mfL2ndL"
>>
>> shortname = "GFS-01-01"
>>
>> }
>>
>> radiusd: #### Loading Realms and Home Servers ####
>>
>> proxy server {
>>
>>  retry_delay = 5
>>
>> retry_count = 3
>>
>> default_fallback = no
>>
>> dead_time = 120
>>
>> wake_all_if_all_dead = no
>>
>> }
>>
>> home_server localhost {
>>
>> ipaddr = 127.0.0.1
>>
>>  port = 1812
>>
>> type = "auth"
>>
>> secret = "testing123"
>>
>> response_window = 20
>>
>> max_outstanding = 65536
>>
>>  zombie_period = 40
>>
>> status_check = "status-server"
>>
>> ping_check = "none"
>>
>> ping_interval = 30
>>
>> check_interval = 30
>>
>>  num_answers_to_alive = 3
>>
>> num_pings_to_alive = 3
>>
>> revive_interval = 120
>>
>> status_check_timeout = 4
>>
>> }
>>
>> home_server_pool my_auth_failover {
>>
>> type = fail-over
>>
>> home_server = localhost
>>
>> }
>>
>> realm example.com {
>>
>> auth_pool = my_auth_failover
>>
>> }
>>
>> realm LOCAL {
>>
>> }
>>
>> radiusd: #### Instantiating modules ####
>>
>> instantiate {
>>
>> Module: Linked to module rlm_exec
>>
>> Module: Instantiating exec
>>
>>  exec {
>>
>> wait = yes
>>
>> input_pairs = "request"
>>
>>  shell_escape = yes
>>
>>  }
>>
>> Module: Linked to module rlm_expr
>>
>> Module: Instantiating expr
>>
>> }
>>
>> radiusd: #### Loading Virtual Servers ####
>>
>> server {
>>
>> modules {
>>
>> Module: Checking authenticate {...} for more modules to load
>>
>> Module: Linked to module rlm_pap
>>
>> Module: Instantiating pap
>>
>>  pap {
>>
>> encryption_scheme = "crypt"
>>
>> auto_header = no
>>
>>  }
>>
>> Module: Linked to module rlm_chap
>>
>> Module: Instantiating chap
>>
>> Module: Linked to module rlm_mschap
>>
>> Module: Instantiating mschap
>>
>>  mschap {
>>
>> use_mppe = yes
>>
>> require_encryption = no
>>
>> require_strong = no
>>
>>  with_ntdomain_hack = yes
>>
>>  }
>>
>> Module: Linked to module rlm_unix
>>
>> Module: Instantiating unix
>>
>>  unix {
>>
>> radwtmp = "/var/log/freeradius/radwtmp"
>>
>>  }
>>
>> Module: Linked to module rlm_eap
>>
>> Module: Instantiating eap
>>
>>  eap {
>>
>>  default_eap_type = "tls"
>>
>> timer_expire = 60
>>
>>  ignore_unknown_eap_types = no
>>
>> cisco_accounting_username_bug = no
>>
>>  }
>>
>> Module: Linked to sub-module rlm_eap_md5
>>
>> Module: Instantiating eap-md5
>>
>> Module: Linked to sub-module rlm_eap_leap
>>
>> Module: Instantiating eap-leap
>>
>> Module: Linked to sub-module rlm_eap_gtc
>>
>> Module: Instantiating eap-gtc
>>
>>   gtc {
>>
>> challenge = "Password: "
>>
>> auth_type = "PAP"
>>
>>   }
>>
>> Module: Linked to sub-module rlm_eap_tls
>>
>> Module: Instantiating eap-tls
>>
>>   tls {
>>
>> rsa_key_exchange = no
>>
>> dh_key_exchange = yes
>>
>>  rsa_key_length = 512
>>
>> dh_key_length = 512
>>
>>  verify_depth = 0
>>
>> pem_file_type = yes
>>
>> private_key_file = "/etc/freeradius/certs2/server.key"
>>
>> certificate_file = "/etc/freeradius/certs2/server.pem"
>>
>> CA_file = "/etc/freeradius/certs2/ca.pem"
>>
>> private_key_password = "whatever"
>>
>> dh_file = "/etc/freeradius/certs2/dh"
>>
>> random_file = "/etc/freeradius/certs2/random"
>>
>> fragment_size = 1024
>>
>> include_length = yes
>>
>> check_crl = no
>>
>>  cipher_list = "DEFAULT"
>>
>>   }
>>
>> Module: Linked to sub-module rlm_eap_ttls
>>
>> Module: Instantiating eap-ttls
>>
>>   ttls {
>>
>> default_eap_type = "md5"
>>
>>  copy_request_to_tunnel = no
>>
>> use_tunneled_reply = no
>>
>> virtual_server = "inner-tunnel"
>>
>>   }
>>
>> Module: Linked to sub-module rlm_eap_peap
>>
>> Module: Instantiating eap-peap
>>
>>   peap {
>>
>> default_eap_type = "mschapv2"
>>
>> copy_request_to_tunnel = no
>>
>> use_tunneled_reply = no
>>
>> proxy_tunneled_request_as_eap = yes
>>
>>  virtual_server = "inner-tunnel"
>>
>>   }
>>
>> Module: Linked to sub-module rlm_eap_mschapv2
>>
>> Module: Instantiating eap-mschapv2
>>
>>   mschapv2 {
>>
>> with_ntdomain_hack = no
>>
>>   }
>>
>> Module: Checking authorize {...} for more modules to load
>>
>> Module: Linked to module rlm_preprocess
>>
>> Module: Instantiating preprocess
>>
>>  preprocess {
>>
>> huntgroups = "/etc/freeradius/huntgroups"
>>
>> hints = "/etc/freeradius/hints"
>>
>> with_ascend_hack = no
>>
>> ascend_channels_per_line = 23
>>
>> with_ntdomain_hack = no
>>
>>  with_specialix_jetstream_hack = no
>>
>> with_cisco_vsa_hack = no
>>
>>  with_alvarion_vsa_hack = no
>>
>>  }
>>
>> Module: Linked to module rlm_realm
>>
>> Module: Instantiating suffix
>>
>>  realm suffix {
>>
>> format = "suffix"
>>
>>  delimiter = "@"
>>
>> ignore_default = no
>>
>> ignore_null = no
>>
>>  }
>>
>> Module: Linked to module rlm_sql
>>
>> Module: Instantiating sql
>>
>>  sql {
>>
>> driver = "rlm_sql_mysql"
>>
>> server = "172.19.1.2"
>>
>> port = ""
>>
>> login = "user"
>>
>>  password = "9L2xWq"
>>
>> radius_db = "user"
>>
>> read_groups = yes
>>
>> sqltrace = no
>>
>> sqltracefile = "/var/log/freeradius/sqltrace.sql"
>>
>> readclients = no
>>
>> deletestalesessions = yes
>>
>>  num_sql_socks = 5
>>
>> sql_user_name = "%{User-Name}"
>>
>> default_user_profile = ""
>>
>> nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
>>
>> authorize_check_query = "SELECT id, UserName, Attribute, Value, op
>>           FROM radcheck           WHERE Username = '%{SQL-User-Name}'
>>           ORDER BY id"
>>
>> authorize_reply_query = "SELECT id, UserName, Attribute, Value, op
>>           FROM radreply           WHERE Username = '%{SQL-User-Name}'
>>           ORDER BY id"
>>
>> authorize_group_check_query = "SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op
>>  FROM radgroupcheck,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
>> AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
>> radgroupcheck.id"
>>
>> authorize_group_reply_query = "SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op
>>  FROM radgroupreply,usergroup WHERE usergroup.Username = '%{SQL-User-Name}'
>> AND usergroup.GroupName = radgroupreply.GroupName ORDER BY
>> radgroupreply.id"
>>
>> accounting_onoff_query = "UPDATE radacct SET AcctStopTime='%S',
>> AcctSessionTime=unix_timestamp('%S') - unix_timestamp(AcctStartTime),
>> AcctTerminateCause='%{Acct-Terminate-Cause}', AcctStopDelay =
>> '%{Acct-Delay-Time}' WHERE AcctSessionTime=0 AND AcctStopTime=0 AND
>> NASIPAddress= '%{NAS-IP-Address}' AND AcctStartTime <= '%S'"
>>
>> accounting_update_query = "UPDATE radacct           SET FramedIPAddress =
>> '%{Framed-IP-Address}',           AcctSessionTime = '%{Acct-Session-Time}',
>>           AcctInputOctets = '%{Acct-Input-Octets}',
>>           AcctOutputOctets = '%{Acct-Output-Octets}'           WHERE
>> AcctSessionId = '%{Acct-Session-Id}'           AND UserName =
>> '%{SQL-User-Name}'           AND NASIPAddress= '%{NAS-IP-Address}'"
>>
>> accounting_update_query_alt = "INSERT into radacct (AcctSessionId,
>> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
>> AcctStartTime, AcctSessionTime, AcctAuthentic, ConnectInfo_start,
>> AcctInputOctets, AcctOutputOctets, CalledStationId, CallingStationId,
>> ServiceType, FramedProtocol, FramedIPAddress, AcctStartDelay)
>> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
>> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
>> '%{NAS-Port-Type}', DATE_SUB('%S',INTERVAL (%{Acct-Session-Time:-0} +
>> %{Acct-Delay-Time:-0}) SECOND), '%{Acct-Session-Time}', '%{Acct-Authentic}',
>> '', '%{Acct-Input-Octets}', '%{Acct-Output-Octets}', '%{Called-Station-Id}',
>> '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}',
>> '%{Framed-IP-Address}', '0')"
>>
>> accounting_start_query = "INSERT into radacct (AcctSessionId,
>> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
>> AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
>> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
>> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
>> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
>> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
>> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
>> '%{NAS-Port-Type}', '%S', '0', '0', '%{Acct-Authentic}', '%{Connect-Info}',
>> '', '0', '0', '%{Called-Station-Id}', '%{Calling-Station-Id}', '',
>> '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
>> '%{Acct-Delay-Time}', '0')"
>>
>> accounting_start_query_alt = "UPDATE radacct SET AcctStartTime = '%S',
>> AcctStartDelay = '%{Acct-Delay-Time}', ConnectInfo_start = '%{Connect-Info}'
>> WHERE AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}'
>> AND NASIPAddress = '%{NAS-IP-Address}'"
>>
>> accounting_stop_query = "UPDATE radacct SET AcctStopTime = '%S',
>> AcctSessionTime = '%{Acct-Session-Time}', AcctInputOctets =
>> '%{Acct-Input-Octets}', AcctOutputOctets = '%{Acct-Output-Octets}',
>> AcctTerminateCause = '%{Acct-Terminate-Cause}', AcctStopDelay =
>> '%{Acct-Delay-Time}', ConnectInfo_stop = '%{Connect-Info}' WHERE
>> AcctSessionId = '%{Acct-Session-Id}' AND UserName = '%{SQL-User-Name}' AND
>> NASIPAddress = '%{NAS-IP-Address}'"
>>
>> accounting_stop_query_alt = "INSERT into radacct (AcctSessionId,
>> AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
>> AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
>> ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
>> CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
>> FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
>> values('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',
>> '%{SQL-User-Name}', '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',
>> '%{NAS-Port-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} +
>> %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Acct-Session-Time}',
>> '%{Acct-Authentic}', '', '%{Connect-Info}', '%{Acct-Input-Octets}',
>> '%{Acct-Output-Octets}', '%{Called-Station-Id}', '%{Calling-Station-Id}',
>> '%{Acct-Terminate-Cause}', '%{Service-Type}', '%{Framed-Protocol}',
>> '%{Framed-IP-Address}', '0', '%{Acct-Delay-Time}')"
>>
>> group_membership_query = "SELECT GroupName FROM usergroup WHERE
>> UserName='%{SQL-User-Name}'"
>>
>>  connect_failure_retry_delay = 60
>>
>> simul_count_query = ""
>>
>>  simul_verify_query = "SELECT RadAcctId, AcctSessionId, UserName,
>> NASIPAddress, NASPortId, FramedIPAddress, CallingStationId, FramedProtocol
>> FROM radacct WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0"
>>
>> postauth_query = "INSERT into radpostauth (id, user, pass, reply, date)
>> values ('', '%{User-Name}', '%{User-Password:-Chap-Password}',
>> '%{reply:Packet-Type}', NOW())"
>>
>> safe-characters =
>> "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
>>
>>  }
>>
>> rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and
>> linked
>>
>> rlm_sql (sql): Attempting to connect to user at 172.19.1.2:/user
>>
>> rlm_sql (sql): starting 0
>>
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0
>>
>> rlm_sql_mysql: Starting connect to MySQL server for #0
>>
>> rlm_sql (sql): Connected new DB handle, #0
>>
>> rlm_sql (sql): starting 1
>>
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #1
>>
>> rlm_sql_mysql: Starting connect to MySQL server for #1
>>
>> rlm_sql (sql): Connected new DB handle, #1
>>
>> rlm_sql (sql): starting 2
>>
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #2
>>
>> rlm_sql_mysql: Starting connect to MySQL server for #2
>>
>> rlm_sql (sql): Connected new DB handle, #2
>>
>> rlm_sql (sql): starting 3
>>
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #3
>>
>> rlm_sql_mysql: Starting connect to MySQL server for #3
>>
>> rlm_sql (sql): Connected new DB handle, #3
>>
>> rlm_sql (sql): starting 4
>>
>> rlm_sql (sql): Attempting to connect rlm_sql_mysql #4
>>
>> rlm_sql_mysql: Starting connect to MySQL server for #4
>>
>> rlm_sql (sql): Connected new DB handle, #4
>>
>> Module: Checking preacct {...} for more modules to load
>>
>> Module: Linked to module rlm_acct_unique
>>
>> Module: Instantiating acct_unique
>>
>>  acct_unique {
>>
>> key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address,
>> NAS-Port"
>>
>>  }
>>
>> Module: Checking accounting {...} for more modules to load
>>
>> Module: Linked to module rlm_detail
>>
>> Module: Instantiating detail
>>
>>  detail {
>>
>> detailfile =
>> "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
>>
>> header = "%t"
>>
>> detailperm = 384
>>
>>  dirperm = 493
>>
>> locking = no
>>
>> log_packet_header = no
>>
>>  }
>>
>> Module: Linked to module rlm_radutmp
>>
>> Module: Instantiating radutmp
>>
>>  radutmp {
>>
>> filename = "/var/log/freeradius/radutmp"
>>
>> username = "%{User-Name}"
>>
>> case_sensitive = yes
>>
>> check_with_nas = yes
>>
>>  perm = 384
>>
>> callerid = yes
>>
>>  }
>>
>> Module: Checking session {...} for more modules to load
>>
>> Module: Checking post-proxy {...} for more modules to load
>>
>> Module: Checking post-auth {...} for more modules to load
>>
>> }
>>
>> }
>>
>> radiusd: #### Opening IP addresses and Ports ####
>>
>> bind_address = *
>>
>> WARNING: The directive 'bind_adress' is deprecated, and will be removed in
>> future versions of FreeRADIUS. Please edit the configuration files to use
>> the directive 'listen'.
>>
>> main {
>>
>> snmp = no
>>
>> smux_password = ""
>>
>> snmp_write_access = no
>>
>> }
>>
>> Listening on authentication address * port 1812
>>
>> Listening on accounting address * port 1813
>>
>> Ready to process requests.
>>
>>
>> request.log
>>
>> rad_recv: Access-Request packet from host 172.17.255.21 port 1645, id=68,
>> length=364
>>
>> User-Name = "julian"
>>
>> Framed-MTU = 1400
>>
>>  Called-Station-Id = "0016.9cbf.bc40"
>>
>> Calling-Station-Id = "001e.5280.15c6"
>>
>> Service-Type = Login-User
>>
>> Message-Authenticator = 0xb8af69f5c41127d504fdbc11340ef77e
>>
>> EAP-Message =
>> 0x020600d90d006ad75a8c33f431e52eb13d606916030100860f0000820080568392759081ec75c2e4ee2a000dbb18333895a786a217118fafd1e5c951c5845875cf1b37c9d271ef74447c5794ce6c49ddc0b93a7f70f6da7f4b92c388dc70dccb81cf00e0ef86be7b41ac0c3e06371d85def74b99c2b74e4ff45f39a8c2f3ae755b4cfc6ca2324a79ec2bbd9ba117d1fb4ca6a6f316eb99a07685ac4ad78114030100010116030100308f3fbc37134291724f1f6981dd100ad3c9fe8b77a57e94e11e59b89f738ed960768395779b6176a4443f1b98815e85b4
>>
>> NAS-Port-Type = Wireless-802.11
>>
>> NAS-Port = 290
>>
>>  NAS-Port-Id = "290"
>>
>> State = 0x81153e8b851333f6401c7fc382b600a0
>>
>>  NAS-IP-Address = 172.17.255.21
>>
>> NAS-Identifier = "gfs-wl-03-01"
>>
>> +- entering group authorize
>>
>> ++[preprocess] returns ok
>>
>> ++[chap] returns noop
>>
>> ++[mschap] returns noop
>>
>>    rlm_realm: No '@' in User-Name = "julian", looking up realm NULL
>>
>>    rlm_realm: No such realm "NULL"
>>
>> ++[suffix] returns noop
>>
>>  rlm_eap: EAP packet type response id 6 length 217
>>
>>  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>>
>> ++[eap] returns updated
>>
>> expand: %{User-Name} -> julian
>>
>> rlm_sql (sql): sql_set_user escaped user --> 'julian'
>>
>> rlm_sql (sql): Reserving sql socket id: 4
>>
>> expand: SELECT id, UserName, Attribute, Value, op           FROM radcheck
>>           WHERE Username = '%{SQL-User-Name}'           ORDER BY id ->
>> SELECT id, UserName, Attribute, Value, op           FROM radcheck
>>           WHERE Username = 'julian'           ORDER BY id
>>
>> rlm_sql (sql): User found in radcheck table
>>
>> expand: SELECT id, UserName, Attribute, Value, op           FROM radreply
>>           WHERE Username = '%{SQL-User-Name}'           ORDER BY id ->
>> SELECT id, UserName, Attribute, Value, op           FROM radreply
>>           WHERE Username = 'julian'           ORDER BY id
>>
>> expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}'
>> -> SELECT GroupName FROM usergroup WHERE UserName='julian'
>>
>> rlm_sql (sql): Released sql socket id: 4
>>
>> ++[sql] returns ok
>>
>>  rad_check_password:  Found Auth-Type EAP
>>
>> auth: type "EAP"
>>
>> +- entering group authenticate
>>
>>  rlm_eap: Request found, released from the list
>>
>>  rlm_eap: EAP/tls
>>
>>  rlm_eap: processing type tls
>>
>>  rlm_eap_tls: Authenticate
>>
>>  rlm_eap_tls: processing TLS
>>
>>  eaptls_verify returned 7
>>
>>  rlm_eap_tls: Done initial handshake
>>
>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0467], Certificate
>>
>> --> verify error:num=18:self signed certificate
>>
>>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>>
>> TLS Alert write:fatal:unknown CA
>>
>>    TLS_accept:error in SSLv3 read client certificate B
>>
>> rlm_eap: SSL error error:140890B2:SSL
>> routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>>
>> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
>>
>>  eaptls_process returned 13
>>
>>  rlm_eap: Freeing handler
>>
>> ++[eap] returns reject
>>
>> auth: Failed to validate the user.
>>
>> Login incorrect: [julian/<via Auth-Type = EAP>] (from client GFS-03-01
>> port 290 cli 001e.5280.15c6)
>>
>> Delaying reject of request 10 for 1 seconds
>>
>> Going to the next request
>>
>> Waking up in 0.9 seconds.
>>
>> Sending delayed reject for request 10
>>
>> Sending Access-Reject of id 68 to 172.17.255.21 port 1645
>>
>>  Framed-IP-Address = 172.17.8.165
>>
>> EAP-Message = 0x04060004
>>
>> Message-Authenticator = 0x00000000000000000000000000000000
>>
>> Waking up in 3.9 seconds.
>>
>> Cleaning up request 9 ID 67 with timestamp +45
>>
>> Waking up in 1.0 seconds.
>>
>> Cleaning up request 10 ID 68 with timestamp +45
>>
>> Ready to process requests.
>>
>>
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
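The thread turns on reading a `radiusd -X` rejection correctly: the request.log above shows the client sending a `Certificate` handshake message, OpenSSL reporting `verify error:num=18:self signed certificate`, FreeRADIUS answering with a fatal `unknown_ca` alert, and finally `SSL3_GET_CLIENT_CERTIFICATE:no certificate returned`. The small triage script below is an added example, not code from the thread or from the FreeRADIUS project. It folds those lines into a per-request record (user, NAS, calling station, whether a client certificate was presented, the OpenSSL verify codes, the alert) and classifies the failure. The regular expressions are derived from the log lines quoted in the thread; the mapping of verify codes 18, 19 and 20 to OpenSSL's X509 error names is taken from OpenSSL's x509_vfy.h; the first sample log is the thread's own exchange with the wrapped `Login incorrect` line rejoined, and the second (an expired certificate, user `alice`, NAS `NAS-EXAMPLE`) is constructed for illustration.

```python
"""Triage helper for EAP-TLS failures in FreeRADIUS `radiusd -X` output.

Added example; not code from the thread or from the FreeRADIUS project.
It reads the rlm_eap_tls / OpenSSL lines that a rejected EAP-TLS attempt
leaves in the debug log and reports why the handshake failed and for whom.
"""
import re
from dataclasses import dataclass, field
from typing import Iterable

# Line shapes as they appear in radiusd -X output (see the thread's request.log).
CLIENT_CERT_RE = re.compile(r"<<< TLS [\d.]+ Handshake \[length [0-9a-f]+\], Certificate$")
VERIFY_ERR_RE = re.compile(r"verify error:num=(\d+):(.*)")
ALERT_RE = re.compile(r">>> TLS [\d.]+ Alert \[length [0-9a-f]+\], fatal (\w+)")
LOGIN_RE = re.compile(
    r"Login incorrect: \[([^/\]]+)/[^\]]*\] \(from client (\S+) port (\d+) cli (\S+)\)"
)

# OpenSSL X509 verify codes meaning "the chain does not end in a CA we trust"
# (names from OpenSSL's x509_vfy.h).
UNTRUSTED_ISSUER_CODES = {
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
}

ADVICE = {
    "untrusted-client-cert": (
        "Client presented a certificate, but the server could not chain it to a "
        "CA listed in CA_file. Either issue client certificates from that CA "
        "(or add the issuing CA to CA_file), or, if supplicants are meant to "
        "authenticate with passwords, use PEAP or TTLS instead of EAP-TLS."
    ),
    "client-cert-rejected": "Client certificate chained to a trusted CA but failed a check; see verify_errors.",
    "tls-alert": "Handshake aborted with a TLS alert; see alert.",
    "no-tls-failure": "No EAP-TLS failure lines found.",
}


@dataclass
class EapTlsSession:
    user: str = ""
    nas: str = ""
    calling_station: str = ""
    client_sent_cert: bool = False
    verify_errors: list = field(default_factory=list)  # (OpenSSL code, text)
    alert: str = ""

    def category(self) -> str:
        codes = {code for code, _ in self.verify_errors}
        if self.client_sent_cert and codes & set(UNTRUSTED_ISSUER_CODES):
            return "untrusted-client-cert"
        if self.client_sent_cert and codes:
            return "client-cert-rejected"
        if self.alert:
            return "tls-alert"
        return "no-tls-failure"

    def report(self) -> dict:
        return {
            "user": self.user,
            "nas": self.nas,
            "calling_station": self.calling_station,
            "category": self.category(),
            "alert": self.alert,
            "verify_errors": list(self.verify_errors),
            "advice": ADVICE[self.category()],
        }


def parse_session(lines: Iterable[str]) -> EapTlsSession:
    """Fold the debug lines of one request into an EapTlsSession."""
    s = EapTlsSession()
    for raw in lines:
        line = raw.rstrip()
        if CLIENT_CERT_RE.search(line):
            s.client_sent_cert = True
        elif m := VERIFY_ERR_RE.search(line):
            s.verify_errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := ALERT_RE.search(line):
            s.alert = m.group(1)
        elif m := LOGIN_RE.search(line):
            s.user, s.nas, s.calling_station = m.group(1), m.group(2), m.group(4)
    return s


# Constructed sample: the failing exchange from the thread's request.log, with
# the wrapped "Login incorrect" line rejoined onto one line.
SAMPLE_UNKNOWN_CA = """\
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0467], Certificate
--> verify error:num=18:self signed certificate
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
++[eap] returns reject
Login incorrect: [julian/<via Auth-Type = EAP>] (from client GFS-03-01 port 290 cli 001e.5280.15c6)
"""

# Constructed sample (not from the thread): a certificate from the trusted CA
# that has expired (OpenSSL code 10, alert certificate_expired).
SAMPLE_EXPIRED = """\
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0467], Certificate
--> verify error:num=10:certificate has expired
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_expired
Login incorrect: [alice/<via Auth-Type = EAP>] (from client NAS-EXAMPLE port 1 cli 0000.0000.0001)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_UNKNOWN_CA, SAMPLE_EXPIRED):
        print(parse_session(sample.splitlines()).report())
```

Run it as-is to see both reports, or feed it the lines of one request from a live `radiusd -X` session. The distinction it draws is the one the thread is circling: an `unknown_ca` alert after a client `Certificate` message means a certificate was offered but could not be chained to `CA_file` (in the startup log above, `/etc/freeradius/certs2/ca.pem`), which is a different problem from a supplicant that has no certificate at all. Note also that the eap section in the startup log has `default_eap_type = "tls"`, while the `peap` and `ttls` sub-modules are already instantiated; a password-based deployment selects one of those as the default type instead.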