Problem with EAP-TLS, please give me a hint
_Stefan_H
stefanh007 at networld.at
Fri Dec 4 20:39:01 CET 2009
> I know that you don't like to waste your time on a newbie like me, but
> please give me only a hint where the problem could be.
Some XP versions won't allow the server certificate to be an intermediate
certificate. Try altering certs/Makefile to sign client certificates with
the CA instead of the server certificate.
Ivan Kalik
I think that's my problem too, because the tutorial of Alan DeKok-2 led me to
the same problem, also with PEAP.
My server is running on VMware and I got the chance to try a switch with a
different IOS and a different XP client, and the server output was different
and far longer:
_______________________________________________________________________
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=5, length=135
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0203000f016f73732d726164697573
Message-Authenticator = 0x83f50eceb4eb9b3f01b91cba34beda74
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 5 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = 0x010400060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc2c0ceadc2801a2909332f7877a5def
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=6, length=218
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdc2c0ceadc2801a2909332f7877a5def
EAP-Message = 0x020400500d800000004616030100410100003d03014b18f9f4d475c347b4c63e498b5588a54d7c3bcfaa54ed228482bbd8cdfb6a0700001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xef2ee3a18747120691d1554121d3647a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = [hex payload omitted]
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc2c0ceadd2901a2909332f7877a5def
Finished request 8.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=7, length=144
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdc2c0ceadd2901a2909332f7877a5def
EAP-Message = 0x020500060d00
Message-Authenticator = 0xaef2f990f10c99234767d854d27b544a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 7 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = [hex payload omitted]
EAP-Message = 0x35cc4eacbe8a90671537715d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc2c0ceade2a01a2909332f7877a5def
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=8, length=144
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdc2c0ceade2a01a2909332f7877a5def
EAP-Message = 0x020600060d00
Message-Authenticator = 0xc92addcb64acecf03702578e45472430
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 8 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = [hex payload omitted]
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdc2c0ceadf2b01a2909332f7877a5def
Finished request 10.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=9, length=1627
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xdc2c0ceadf2b01a2909332f7877a5def
EAP-Message = [hex payload omitted]
Message-Authenticator = 0x4b471a16eae8e42d0c58b78e95297293
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 1469
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0381], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> oss-radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 9 to 192.168.5.3 port 1812
EAP-Message = 0x04070004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.6 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=10, length=135
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x0200000f016f73732d726164697573
Message-Authenticator = 0xa6abf14fc79a6a2a3bab1c7da1a574f8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 10 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc1758d8dc17480a17ea88a729c3ffa64
Finished request 12.
Going to the next request
Waking up in 2.3 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=11, length=218
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xc1758d8dc17480a17ea88a729c3ffa64
EAP-Message = 0x020100500d800000004616030100410100003d03014b18f9f6af7d3ffe4b3887242954843428771b6af2fdc46e52714e7cc4cacb8500001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xb1d532e53fec6922f1e8030c4f8e39e2
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 11 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = [hex payload omitted]
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc1758d8dc07780a17ea88a729c3ffa64
Finished request 13.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=12, length=144
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xc1758d8dc07780a17ea88a729c3ffa64
EAP-Message = 0x020200060d00
Message-Authenticator = 0xbee4c0a1276cce1934909d7485a45127
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 12 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = [hex payload omitted]
EAP-Message = 0x35cc4eacbe8a90671537715d
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc1758d8dc37680a17ea88a729c3ffa64
Finished request 14.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=13, length=144
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xc1758d8dc37680a17ea88a729c3ffa64
EAP-Message = 0x020300060d00
Message-Authenticator = 0xc9ec1a2a313c897c3d546b1e17a21e62
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 13 to 192.168.5.3 port 1812
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "5"
EAP-Message = [hex payload omitted]
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc1758d8dc27180a17ea88a729c3ffa64
Finished request 15.
Going to the next request
Waking up in 2.2 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=14, length=1627
NAS-IP-Address = 192.168.5.3
NAS-Port = 50012
NAS-Port-Type = Ethernet
User-Name = "oss-radius"
Called-Station-Id = "00-0F-23-01-11-4C"
Calling-Station-Id = "00-15-60-52-1E-49"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0xc1758d8dc27180a17ea88a729c3ffa64
EAP-Message = [hex payload omitted]
Message-Authenticator = 0x842fdcc9d3a304697a8b444fea294886
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 1469
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 0381], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> oss-radius
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 14 to 192.168.5.3 port 1812
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.1 seconds.
Cleaning up request 7 ID 5 with timestamp +807
Waking up in 0.1 seconds.
Cleaning up request 8 ID 6 with timestamp +807
Cleaning up request 9 ID 7 with timestamp +807
Cleaning up request 10 ID 8 with timestamp +807
Waking up in 1.0 seconds.
Cleaning up request 11 ID 9 with timestamp +807
Waking up in 1.3 seconds.
Cleaning up request 12 ID 10 with timestamp +810
Cleaning up request 13 ID 11 with timestamp +810
Cleaning up request 14 ID 12 with timestamp +810
Cleaning up request 15 ID 13 with timestamp +810
Waking up in 1.0 seconds.
Cleaning up request 16 ID 14 with timestamp +810
Ready to process requests.
_______________________________________________________________________
Well, after I read your post I tried to sign the client certificates with the
CA. I made some changes in the Makefile, but I think I made something wrong
because it doesn't work:
old:

client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf

# sign the client CSR with the server certificate
client.crt: client.csr server.crt server.key index.txt serial
	openssl ca -batch -keyfile server.key -cert server.crt -in client.csr \
		-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext \
		-extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: server.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem
new:

client.csr client.key: client.cnf
	openssl req -new -out client.csr -keyout client.key -config ./client.cnf

# sign the client CSR with the CA certificate
client.crt: client.csr ca.key ca.pem index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
		-key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext \
		-extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem \
		-passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem
	c_rehash .
	openssl verify -CApath . client.pem
--
View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp26515010p26636380.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
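The EAP-Message values in the debug output above can be decoded by hand to confirm what radiusd reports at each step (the EAP-TLS Start flag, the 70-byte ClientHello that the log calls "TLS Length 70", the flags-only TLS ACKs, and the final EAP Failure inside the Access-Reject). The following Python is an added example, not code from the thread or from FreeRADIUS; the sample packets are copied from the log above, LOG_SNIPPET is a constructed excerpt in the same layout, and the helper names are this example's own.

```python
"""Decode EAP-Message values from radiusd -X output (RFC 3748 EAP, RFC 5216 EAP-TLS)."""
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 13: "CertificateRequest", 16: "ClientKeyExchange", 20: "Finished"}

# Sample packets copied from the EAP-Message values in the debug log above.
SAMPLES = {
    "identity": "0x0203000f016f73732d726164697573",
    "tls_start": "0x010400060d20",
    "client_hello": "0x020400500d800000004616030100410100003d03014b18f9f4d475c347b4c63e498b5588a54d7c3bcfaa54ed228482bbd8cdfb6a0700001600040005000a000900640062000300060013001200630100",
    "ack": "0x020500060d00",
    "failure": "0x04070004",
}

# Constructed excerpt in the radiusd -X layout, including a wrapped EAP-Message line.
LOG_SNIPPET = """\
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=5, length=135
\tUser-Name = "oss-radius"
\tEAP-Message = 0x0203000f016f73732d726164697573
Sending Access-Challenge of id 5 to 192.168.5.3 port 1812
\tEAP-Message = 0x010400060d20
\tEAP-Message =
0x020500060d00
"""


def extract_eap_messages(log_text):
    """Return every EAP-Message hex value in a debug log, tolerating a line wrap after '='."""
    return re.findall(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)", log_text)


def decode_eap_tls(body):
    """Parse the EAP-TLS flags byte, the optional 4-byte TLS length and the TLS record header."""
    if not body:
        raise ValueError("EAP-TLS data needs at least a flags byte")
    flags = body[0]
    out = {"length_included": bool(flags & 0x80),   # L bit: total TLS length follows
           "more_fragments": bool(flags & 0x40),    # M bit: more fragments follow
           "start": bool(flags & 0x20)}             # S bit: EAP-TLS Start from the server
    pos = 1
    if out["length_included"]:
        out["tls_length"] = struct.unpack("!I", body[1:5])[0]   # printed as "TLS Length" in the log
        pos = 5
    payload = body[pos:]
    if not payload and not out["start"]:
        out["ack"] = True          # flags-only packet: the "Received TLS ACK" case in the log
        return out
    if len(payload) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[:5])
        record = {"content": TLS_CONTENT.get(ctype, ctype),
                  "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
                  "length": rlen}
        if ctype == 22 and len(payload) >= 6:      # first handshake message type in the record
            record["handshake"] = TLS_HANDSHAKE.get(payload[5], payload[5])
        out["tls_record"] = record
    return out


def decode_eap(hexstr):
    """Decode one EAP packet given as the '0x...' string radiusd prints.

    Only the first EAP-Message attribute of a large packet starts with an EAP header;
    later attributes are raw continuation bytes and are not decoded here.
    """
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    info["complete"] = (length == len(data))     # False when split over several attributes
    if code in (3, 4) or len(data) < 5:          # Success/Failure carry no type byte
        return info
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        info["identity"] = data[5:].decode("ascii", errors="replace")
    elif eap_type == 13:
        info.update(decode_eap_tls(data[5:]))
    return info


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13s} {decode_eap(value)}")
```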