EAP-TLS & computer account (not user)

Guk Victor v.guk at zaz.zp.ua
Wed Oct 8 14:58:08 CEST 2008


I use EAP-TLS for the computer account. It is necessary to open access 
to the network before Ctrl+Alt+Del is pressed.
I cannot understand what the matter is:

rad_recv: Access-Request packet from host 10.0.1.2:5007, id=154, length=216
        User-Name = "host/cit44"
        EAP-Message = 0x0202000f01686f73742f6369743434
        Message-Authenticator = 0xda5f6a382f76e341ecd76c7fe2eda837
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = "001ac1d4ee42"
        NAS-Port = 117604353
        NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1"
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0013-7737-714e"
        Vendor-25506-Attr-26 = 0x0000001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
  rlm_eap: EAP packet type response id 2 length 15
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 154 to 10.0.1.2 port 5007
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x85f944d1ab810baf397561351f4da39d
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.2:5007, id=155, length=335
        User-Name = "host/cit44"
        EAP-Message = 0x020300740d800000006a160301006501000061030148eca4801a94d16d54f4d65aa34134bcbd1fb96c22cd0e25ccbbcb4298d76bee000018002f00350005000ac009c00ac013c0140032003800130004010000200000000a00080000056369743434000a00080006001700180019000b00020100
        Message-Authenticator = 0x2e81df002f583a191f6f4845ac7caac4
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = "001ac1d4ee42"
        NAS-Port = 117604353
        NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1"
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0013-7737-714e"
        State = 0x85f944d1ab810baf397561351f4da39d
        Vendor-25506-Attr-26 = 0x0000001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 1
  rlm_eap: EAP packet type response id 3 length 116
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello 
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello 
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 056e], Certificate 
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0074], CertificateRequest 
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode 
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 155 to 10.0.1.2 port 5007
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        EAP-Message = 0xb3458c421c935ca651f8f7ca3899d6506d065de4f53f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x475d38bc73179456ecabe627f4c349ab
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.1.2:5007, id=156, length=225
        User-Name = "host/cit44"
        EAP-Message = 0x020400060d00
        Message-Authenticator = 0x74221ef1383128241e231013179f3213
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = "001ac1d4ee42"
        NAS-Port = 117604353
        NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1"
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0013-7737-714e"
        State = 0x475d38bc73179456ecabe627f4c349ab
        Vendor-25506-Attr-26 = 0x0000001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 2
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 156 to 10.0.1.2 port 5007
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        EAP-Message = 0x726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953311630140603550403130d41646d696e6973747261746f720e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x83c05bad6798917fd36b49f983ccfcb8
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.1.2:5007, id=157, length=1172
        User-Name = "host/cit44"
        EAP-Message = 
0xfa33aacc278fc6b1f419aecf639a3459edc7450b12285ce1e75053100b955f3012b3f88c7934e0a6016c9c28145b08e0aafb3f581913ee2f24c9c114d470adc9bf591b84e1b9e2d7f1ab04120536145683843cc767aa0589358dec9230469924abe314fa034e47527778eae154b4bdc0fe521000008200800802c992280a9400196f4f6462e392dbb711a5a55d31704ca9492cf35befc97df7d31a9a05de4a01a8c8865125e451412fdabae12a0e94b745535cbb3426f0bbb42961cac7f8952e1a0e847ec175bbfea2f55a419d351a8892cf8290f489df15c478389a1cebcd6a59701fb9fd847a55df834ecf3ed7fdca679becd740db41e60f00008200
        EAP-Message = 
0x809ff27f75ca3b3daee7c93342cb9535179e2412c5eb27364503da2cc3162abd6ee34e6a6c89c20323c7ed38a52ecb0ec9b48f90078df77a5079b39ac46395bb31fe846f7ad584da3d3cf9d1959e4d70ed4ecbffbcbb22d68f5bb8915fe16de9b2f7899a3d96053f77e586b586af49fab7a378a582f030b3716d5ddcaff33c5ecc14030100010116030100301a884c8358de9a72b0cb658bfe1ffce51786d194e5e2161065e41f350d1fcb6db0f5dcb0e3205984d70521571606f823
        Message-Authenticator = 0x0b3ffd5fd267d3e7de9d0ea79faf6edb
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = "001ac1d4ee42"
        NAS-Port = 117604353
        NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1"
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0013-7737-714e"
        State = 0x83c05bad6798917fd36b49f983ccfcb8
        Vendor-25506-Attr-26 = 0x0000001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 3
  rlm_eap: EAP packet type response id 5 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 025d], Certificate 
chain-depth=1,
error=0
--> User-Name = host/cit44
--> BUF-Name = Administrator
--> subject = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
--> issuer  = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
--> verify return:1
radius_xlat:  'host/cit44'
    rlm_eap_tls: checking certificate CN (cit44) with xlat'ed value (host/cit44)
rlm_eap_tls: Certificate CN (cit44) does not match specified value (host/cit44)!
chain-depth=0,
error=0
--> User-Name = host/cit44
--> BUF-Name = cit44
--> subject = /C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=cit44
--> issuer  = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
--> verify return:0
  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown 
TLS Alert write:fatal:certificate unknown
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode 
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 157 to 10.0.1.2 port 5007
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "2"
        EAP-Message = 0x010600110d80000000071503010002022e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6422c1f11b093d41a5e6dd774b5b1cc8
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.0.1.2:5007, id=158, length=225
        User-Name = "host/cit44"
        EAP-Message = 0x020600060d00
        Message-Authenticator = 0x6405c8b36bf1e85aa28b4856efba37d7
        NAS-IP-Address = 10.0.1.2
        NAS-Identifier = "001ac1d4ee42"
        NAS-Port = 117604353
        NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1"
        NAS-Port-Type = Ethernet
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "0013-7737-714e"
        State = 0x6422c1f11b093d41a5e6dd774b5b1cc8
        Vendor-25506-Attr-26 = 0x0000001e
        Vendor-25506-Attr-255 = 0x353530302d4549
        Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465
        Vendor-25506-Attr-59 = 0x38e68c68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 4
  rlm_eap: EAP packet type response id 6 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 152
    users: Matched entry host/cit44 at line 235
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack alert
  eaptls_verify returned 4
  eaptls_process returned 4
 rlm_eap: Handler failed in EAP/tls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
Login incorrect: [host/cit44/<no User-Password attribute>] (from client 10.0.1.2 port 117604353 cli 0013-7737-714e)
Delaying request 4 for 1 seconds
Finished request 4
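The step that fails in the log above is rlm_eap_tls comparing the client certificate CN (cit44) against the xlat'ed User-Name (host/cit44); a machine account sends its EAP identity with the host/ prefix, so an exact-equality check can never pass. As an added example (not code from the post or from FreeRADIUS), the Python below replays that exact comparison on constructed log lines mirroring the ones above, then shows a machine-account variant that verifies the hostname part only after requiring the host/ prefix. The function names and the identity regex are assumptions, not FreeRADIUS APIs.

```python
"""Replay of the EAP-TLS CN-versus-identity check seen in the post.

Added example: strict_cn_check mirrors an exact 'check_cert_cn = %{User-Name}'
comparison; machine_account_cn_check is an assumed stricter policy for
'host/<name>' identities (hostname part only, case-insensitive).
"""
import re

# Constructed excerpt of the rlm_eap_tls output shown in the post (chain-depth=0).
LOG = """\
--> User-Name = host/cit44
--> subject = /C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=cit44
--> issuer  = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator
"""

# Assumed shape of a Windows machine-account EAP identity: host/<hostname>.
MACHINE_IDENTITY = re.compile(r"host/([A-Za-z0-9.-]+)")


def parse_dn(dn):
    """Turn '/C=UA/.../CN=cit44' into a dict of RDN type -> value."""
    return dict(part.split("=", 1) for part in dn.strip("/").split("/") if "=" in part)


def strict_cn_check(cert_cn, user_name):
    """Exact string equality: what the log shows failing for cit44 vs host/cit44."""
    return cert_cn == user_name


def machine_account_cn_check(cert_cn, user_name):
    """Accept only identities carrying the host/ prefix, then compare the
    hostname part with the certificate CN case-insensitively."""
    match = MACHINE_IDENTITY.fullmatch(user_name)
    if match is None:
        return False  # a bare user name must not pass as a machine account
    return match.group(1).lower() == cert_cn.lower()


def evaluate(log):
    """Extract User-Name and subject CN from rlm_eap_tls lines and run both checks."""
    user = re.search(r"--> User-Name = (\S+)", log).group(1)
    subject = parse_dn(re.search(r"--> subject = (\S+)", log).group(1))
    cn = subject["CN"]
    return {"cn": cn, "user": user,
            "strict": strict_cn_check(cn, user),
            "machine": machine_account_cn_check(cn, user)}


if __name__ == "__main__":
    print(evaluate(LOG))
```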



More information about the Freeradius-Users mailing list