eap-ttls failing

Josh Hiner josh at remc1.org
Mon Jan 26 21:14:24 CET 2009



tnt at kalik.net wrote:
>> I have a Ruckus ZoneDirector 1025 with WAPs that I just installed.
>> Testing out different EAP types I can use. I am using FreeRadius 2.1.3.
>> I have eap-ttls and eap-peapv0 working perfectly (I am using Windows to
>> control the wireless card for PEAP and it works great). Was going to try
>> eap-tls by assigning a client certificate to the machine account so the
>> computer account authenticates on the wireless and then the user can log
>> into the domain. I did this and get errors. It kind of looks to me that
>> the Zone Director is not sending the correct EAP message for eap-tls.
>>     
>
> No you are forcing Auth-Type Reject in users file:
>
>   
>> [files] users: Matched entry DEFAULT at line 226
>>     
>
> Ivan Kalik
> Kalik Informatika ISP
>
OK, thanks. I did take that out (whoops) and now I see no explicit failure, but when it hits the authentication section it just stops (never authenticates the client). I tried sticking the common name (user-name) in /etc/raddb/users to see if I could rig it up to authenticate. It hits an "OK" for the files section but still does not authenticate the XP client. I don't think I should need anything in the users file, correct? Here is the output from radiusd (version info etc. at the top of this message). Thanks for any help.

-Josh

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=243, length=182
    User-Name = "joshhiner"
    NAS-IP-Address = 172.17.10.108
    NAS-Identifier = "00:1f:41:3a:82:f9"
    NAS-Port = 1
    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
    Calling-Station-Id = "00-0E-35-B6-74-AF"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0200000e016a6f736868696e6572
    Message-Authenticator = 0x799db1f3c98934494137e4e5b4864a7c
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 243 to 172.17.10.108 port 1027
    EAP-Message = 0x010100060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x2378b52b2379b8326de9be9acd701ac8
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=244, length=266
    User-Name = "joshhiner"
    NAS-IP-Address = 172.17.10.108
    NAS-Identifier = "00:1f:41:3a:82:f9"
    NAS-Port = 1
    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
    Calling-Station-Id = "00-0E-35-B6-74-AF"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020100500d800000004616030100410100003d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d00001600040005000a000900640062000300060013001200630100
    State = 0x2378b52b2379b8326de9be9acd701ac8
    Message-Authenticator = 0x1e56c72c8f7a8f9ea99c2e78fc74dab1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello 
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello 
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 03c4], Certificate 
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest 
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode 
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 244 to 172.17.10.108 port 1027
    EAP-Message = 
    EAP-Message = 
    EAP-Message = 
    EAP-Message = 
    EAP-Message = 0x884f0c3489f47015e1ad876a
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x2378b52b227ab8326de9be9acd701ac8
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=245, length=192
    User-Name = "joshhiner"
    NAS-IP-Address = 172.17.10.108
    NAS-Identifier = "00:1f:41:3a:82:f9"
    NAS-Port = 1
    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
    Calling-Station-Id = "00-0E-35-B6-74-AF"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020200060d00
    State = 0x2378b52b227ab8326de9be9acd701ac8
    Message-Authenticator = 0x61aa5b710916c0ee4384c347547492da
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 245 to 172.17.10.108 port 1027
    EAP-Message = 0x010300b40d80000004a067eb16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x2378b52b217bb8326de9be9acd701ac8
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=246, length=192
    User-Name = "joshhiner"
    NAS-IP-Address = 172.17.10.108
    NAS-Identifier = "00:1f:41:3a:82:f9"
    NAS-Port = 1
    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
    Calling-Station-Id = "00-0E-35-B6-74-AF"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020300060d00
    State = 0x2378b52b217bb8326de9be9acd701ac8
    Message-Authenticator = 0x3ccd67f6b56a0fbcf45daf523f482b7b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "joshhiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "joshhiner", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 246 to 172.17.10.108 port 1027
    EAP-Message = 0x0104000a0d8000000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x2378b52b207cb8326de9be9acd701ac8
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 243 with timestamp +115
Cleaning up request 1 ID 244 with timestamp +115
Cleaning up request 2 ID 245 with timestamp +115
Cleaning up request 3 ID 246 with timestamp +115
Ready to process requests.
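As an added example (not from Josh's post and not FreeRADIUS code), here is a decoder for the EAP-Message values in the trace above, following the EAP header layout of RFC 3748 and the EAP-TLS flags/length layout of RFC 5216: it labels each packet as Start, ACK or fragment and reads the L/M flags and declared TLS length, which is what shows where a stalled handshake stopped. In this trace the server's id 3 fragment (CertificateRequest plus ServerHelloDone) has M clear, so its flight is complete and the supplicant is expected to answer with its own TLS records (its certificate flight); instead it ACKs, and the server, with nothing left to send, replies with a zero-length fragment.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY, EAP_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length-included, more-fragments, start
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
# Constructed list: the single-attribute EAP-Message values copied from the debug output above.
LOG_MESSAGES = [
    "0x0200000e016a6f736868696e6572",  # request id 243: Identity response
    "0x010100060d20",                  # reply to 243: server starts EAP-TLS
    "0x020100500d800000004616030100410100003d0301497e1887cc6de7f31a97d6b5b5dc5a68fc69dd8ee1da12099866c719e54e209d00001600040005000a000900640062000300060013001200630100",  # request id 244: ClientHello
    "0x020200060d00",                  # request id 245: supplicant ACK
    "0x010300b40d80000004a067eb16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000",  # reply to 245: last server fragment
    "0x020300060d00",                  # request id 246: supplicant ACKs again
    "0x0104000a0d8000000000",          # reply to 246: server has nothing left to send
]

def decode_eap(hexstr):
    # EAP header: code, identifier, length, type; type 13 adds a flags byte and,
    # when the L flag is set, a 4-byte total length of the TLS message set.
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or raw[4] not in (EAP_IDENTITY, EAP_TLS):
        return pkt                          # Success/Failure, or a type this example ignores
    if raw[4] == EAP_IDENTITY:
        pkt.update(type="Identity", identity=raw[5:].decode("ascii", "replace"))
        return pkt
    flags, body = raw[5], raw[6:]
    pkt.update(type="EAP-TLS", L=bool(flags & FLAG_L), M=bool(flags & FLAG_M), S=bool(flags & FLAG_S))
    if flags & FLAG_L:
        pkt["tls_total_len"], body = struct.unpack("!I", body[:4])[0], body[4:]
    pkt["fragment_len"] = len(body)
    if flags & FLAG_S:
        pkt["kind"] = "Start"
    elif not body:                          # no TLS data: an ACK, or a length-only packet
        pkt["kind"] = "ACK" if not (flags & FLAG_L) else "empty-fragment"
    else:
        pkt["kind"] = "fragment"
        if body[0] == 0x16 and len(body) >= 6:   # fragment opens a TLS handshake record
            pkt["handshake"] = HANDSHAKE.get(body[5], body[5])
    return pkt

def trace(messages=LOG_MESSAGES):
    # Decode the whole exchange in order; a fragment with M clear ends the sender's flight.
    return [decode_eap(m) for m in messages]
```

The id 3 packet declares a total TLS length of 1184 bytes and carries 170 of them, so the preceding reply (the one split across five EAP-Message attributes above) carried the other 1014, which matches a single 1024-byte EAP packet.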