EAP-TLS -- first timer
Joseph S. Dietz, Jr.
joedietzjr at is-s.com
Wed May 28 22:32:10 CEST 2008
Hi,
I am new to FR...
I was able to get FreeRADIUS to work with EAP-MD5 passwords using an XP
client.
I cannot seem to get FreeRADIUS working with certs. I need some help
debugging the issue.
radiusd -v
radiusd: FreeRADIUS Version 2.0.1, for host i386-pc-solaris2.9, built on
May 1 2008 at 16:01:29
version
OpenSSL 0.9.8g 19 Oct 2007
I have patched the XP system per the FR howto...
I seem to have the certs created right? But no authentication...
I've tried googling the issue, but I need a little more help
understanding what is happening.
thanks in advance for your time,
Joe
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/server.pem"
certificate_file = "/usr/local/etc/raddb/certs/server.pem"
CA_file = "/usr/local/etc/raddb/certs/ca.pem"
private_key_password = "abc123"
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
...
...
...
rad_recv: Access-Request packet from host 1.2.3.126 port 1024, id=28,
length=167
User-Name = "joe"
NAS-IP-Address = 1.2.3.126
NAS-Identifier = "00:08:da:57:3f:63"
NAS-Port = 0
Called-Station-Id = "00-08-DA-57-3F-61:"
Calling-Station-Id = "00-1A-4B-61-9C-C8"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000c016a73646965747a
Message-Authenticator = 0x4f6d8dd3b1012bc9f500b915421a8fe3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rad_recv: Access-Request packet from host 1.2.3.126 port 1024, id=28,
length=167
User-Name = "joe"
NAS-IP-Address = 1.2.3.126
NAS-Identifier = "00:08:da:57:3f:63"
NAS-Port = 0
Called-Station-Id = "00-08-DA-57-3F-61:"
Calling-Station-Id = "00-1A-4B-61-9C-C8"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000c016a73646965747a
Message-Authenticator = 0x4f6d8dd3b1012bc9f500b915421a8fe3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.126 port 1024, id=29,
length=253
User-Name = "joe"
NAS-IP-Address = 1.2.3.126
NAS-Identifier = "00:08:da:57:3f:63"
NAS-Port = 0
Called-Station-Id = "00-08-DA-57-3F-61:"
Calling-Station-Id = "00-1A-4B-61-9C-C8"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020100500d800000004616030100410100003d03014829bb9f9cfe85aa6ac13f1df8fff02e7c2ce116dcee5d0847a173bddd4fab7d00001600040005000a000900640062000300060013001200630100
State = 0xbbdf20d6bbde2d9285f320de1e094fc7
Message-Authenticator = 0xcfd61b81787d9db0dbc4487e94abba8d
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
TLS Length 70
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06f6], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 008b], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 29 to 1.2.3.126 port 1024
EAP-Message = 0x010204000dc0000007...
EAP-Message = 0x83300d06092a864886f70d01
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbbdf20d6badd2d9285f320de1e094fc7
Finished request 5.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.126 port 1024, id=30,
length=179
User-Name = "joe"
NAS-IP-Address = 1.2.3.126
NAS-Identifier = "00:08:da:57:3f:63"
NAS-Port = 0
Called-Station-Id = "00-08-DA-57-3F-61:"
Calling-Station-Id = "00-1A-4B-61-9C-C8"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200060d00
State = 0xbbdf20d6badd2d9285f320de1e094fc7
Message-Authenticator = 0x199602f63d262136de69a50907a837a2
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "joe", looking up r
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP c
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 30 to 1.2.3.126 port 1024
EAP-Message = 0x010303ee0d80000007...
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbbdf20d6b9dc2d9285f320de1e094fc7
Finished request 6.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 1.2.3.126 port 1024, id=31,
length=179
User-Name = "joe"
NAS-IP-Address = 1.2.3.126
NAS-Identifier = "00:08:da:57:3f:63"
NAS-Port = 0
Called-Station-Id = "00-08-DA-57-3F-61:"
Calling-Station-Id = "00-1A-4B-61-9C-C8"
Framed-MTU = 1400
NAS-Port-Type = Ethernet
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0xbbdf20d6b9dc2d9285f320de1e094fc7
Message-Authenticator = 0xd5780baba7af2999a85f8234b3c06fc5
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "joe", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type
etc...
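Added example, not code from the post or from FreeRADIUS: a small decoder for the EAP-Message hex values quoted in the trace above, which names each step of the exchange (the EAP-Identity response, the ClientHello carried with the length-included flag, the server's fragmented Certificate, and the bare ACKs the client sends for each fragment). It assumes the EAP header layout of RFC 3748, the EAP-TLS flags byte of RFC 5216, and Python 3.6 or later.

```python
# Added example, not FreeRADIUS code: decode the EAP-Message attribute values
# quoted in the debug output above, using the EAP header layout from RFC 3748
# and the EAP-TLS flags byte from RFC 5216, so each step of the trace is named.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 13: "CertificateRequest"}

def decode_eap(value):
    """Describe one EAP-Message value as printed in the log ('...' = cut short)."""
    value = value.strip()
    data = bytes.fromhex(value.rstrip(".").replace("0x", "", 1))
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    msg = {"code": EAP_CODES.get(data[0], data[0]), "id": data[1],
           "length": int.from_bytes(data[2:4], "big"),
           "truncated": value.endswith("...")}
    if data[0] not in (1, 2) or len(data) < 5:
        return msg                                # Success/Failure: no type byte
    msg["type"] = EAP_TYPES.get(data[4], data[4])
    payload = data[5:]
    if data[4] == 1:                              # EAP-Identity: rest is the NAI
        msg["identity"] = payload.decode("ascii", "replace")
    elif data[4] == 13:                           # EAP-TLS: flags byte, then TLS
        flags = payload[0] if payload else 0
        msg["flags"] = "".join(n for n, bit in (("L", 0x80), ("M", 0x40),
                                               ("S", 0x20)) if flags & bit)
        msg["ack"] = len(payload) == 1 and flags == 0   # bare ACK of a fragment
        tls = payload[1:]
        if flags & 0x80:                          # L: 4-byte total TLS length first
            msg["tls_length"] = (int.from_bytes(tls[:4], "big")
                                 if len(tls) >= 4 else None)
            tls = tls[4:]
        if len(tls) >= 6 and tls[0] == 0x16:      # TLS handshake record header
            msg["tls_version"] = f"{tls[1]}.{tls[2]}"
            msg["record_length"] = int.from_bytes(tls[3:5], "big")
            msg["handshake"] = TLS_HANDSHAKE.get(tls[5], tls[5])
    return msg

# Values copied from the trace above. A 1024-byte EAP-TLS fragment is carried in
# several 253-byte EAP-Message attributes of one RADIUS packet (the 0x83300d06...
# line in the Access-Challenge is the tail of the same fragment); those must be
# concatenated before decoding, and the post elides the middle ones.
TRACE = [
    "0x0200000c016a73646965747a",
    "0x020100500d800000004616030100410100003d03014829bb9f9cfe85aa6ac13f1df8fff02e7c2ce116dcee5d0847a173bddd4fab7d00001600040005000a000900640062000300060013001200630100",
    "0x010204000dc0000007...",
    "0x020200060d00",
]
DECODED = [decode_eap(v) for v in TRACE]
```

Decoding the first value shows the EAP-Identity the supplicant sent ("jsdietz") differs from the RADIUS User-Name ("joe") the NAS put in the packet, and the second value's tls_length of 70 matches the "TLS Length 70" line in the server's output.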