eap-tls not authenticating

Sandra H. ellbom1 at gmail.com
Tue Feb 24 17:16:53 CET 2009


What's happening here? It's like the radius tries to send a request back to
the supplicant, but gives up...
The supplicant is NAT'ed behind 192.168.0.1; could that be causing an issue?
I have tried DMZ'ing the supplicant, still with no success...

Any ideas? Thanks for the help.



rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=4, length=293
        User-Name = "user at example.com"
        NAS-IP-Address = 10.1.10.125
        Framed-MTU = 1488
        Service-Type = Framed-User
        NAS-Port = 101
        Called-Station-Id = "00:0d:67:0c:e4:b8:ssidradius"
        Calling-Station-Id = "00:1f:41:00:4c:f0"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "belair"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        State = 0x6b173f2c6b153285c2b292790cdb3215
        EAP-Message =
0x0202006a0d00160301005f0100005b030148ab6bfe07adac217c9be3adfa4c0d81f59f6fc9c85de2f84ff594d9ef567d9b00003400390038003500160013000a00330032002f006600050004006300620061001500120009006500640060001400110008000600030100
        Message-Authenticator = 0xbdf917161b202095f4a13c0d9b4419ae
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 106
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005f], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 68.62.165.40 port 50334
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6b173f2c6a143285c2b292790cdb3215
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=6, length=193
        User-Name = "user at example.com"
        NAS-IP-Address = 10.1.10.125
        Framed-MTU = 1488
        Service-Type = Framed-User
        NAS-Port = 101
        Called-Station-Id = "00:0d:67:0c:e4:b8:ssidradius"
        Calling-Station-Id = "00:1f:41:00:4c:f0"
        NAS-Port-Type = Wireless-802.11
        NAS-Identifier = "belair"
        Connect-Info = "CONNECT 11Mbps 802.11b"
        State = 0x6b173f2c6a143285c2b292790cdb3215
        EAP-Message = 0x020300060d00
        Message-Authenticator = 0x07990d4d71ee1cadfeac32aa7d03bb45
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 68.62.165.40 port 50334
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x6b173f2c69133285c2b292790cdb3215
Finished request 6.
Going to the next request
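
Added example, not part of the original post and not FreeRADIUS code: a small Python parser for debug output in the shape shown above. It pairs each `rad_recv` with the reply sent for the same RADIUS id, reports whether the reply's destination equals the address the request was received from, and decodes the EAP header to recognise an EAP-TLS fragment ACK. The sample log is constructed from lines in the post with wrapped lines joined; the function names are this example's own.

```python
import re

# Constructed sample: lines taken from the debug output above, wrapped lines joined.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.0.1 port 50334, id=6, length=193
        EAP-Message = 0x020300060d00
[tls] Received TLS ACK
Sending Access-Challenge of id 6 to 68.62.165.40 port 50334
"""

RECV = re.compile(r"rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
SEND = re.compile(r"Sending (\S+) of id (\d+) to (\S+) port (\d+)")
EAP = re.compile(r"EAP-Message = 0x([0-9a-fA-F]+)")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(hexstr):
    """Decode the EAP header (RFC 3748) and, for type 13, the EAP-TLS flags byte."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    info = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big"),
            "type": raw[4] if len(raw) > 4 else None, "fragment_ack": False}
    if info["type"] == 13 and len(raw) >= 6:  # 13 = EAP-TLS
        flags = raw[5]
        info["length_included"] = bool(flags & 0x80)
        info["more_fragments"] = bool(flags & 0x40)
        # A response with no flags and no TLS data acknowledges a fragment.
        info["fragment_ack"] = raw[0] == 2 and flags == 0 and info["length"] == 6
    return info

def pair_exchanges(log):
    """Pair each received request with the reply sent for the same RADIUS id."""
    pending, done, cur = {}, [], None
    for line in log.splitlines():
        if m := RECV.search(line):
            cur = pending[m[4]] = {"id": int(m[4]), "src": (m[2], int(m[3])), "eap": None}
        elif (m := EAP.search(line)) and cur is not None and cur["eap"] is None:
            cur["eap"] = decode_eap(m[1])  # first EAP-Message of the request
        elif m := SEND.search(line):
            cur = None  # attributes after this line belong to the reply
            req = pending.pop(m[2], None)
            if req:
                req.update(reply=m[1], dst=(m[3], int(m[4])))
                req["addr_match"] = req["src"] == req["dst"]
                done.append(req)
    return done

if __name__ == "__main__":
    for ex in pair_exchanges(SAMPLE):
        print(ex["id"], ex["src"], "->", ex["dst"], "match" if ex["addr_match"] else "MISMATCH", ex["eap"])
```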