eap-ttls failing
Josh Hiner
josh at remc1.org
Tue Jan 27 14:59:33 CET 2009
Josh Hiner wrote:
>>> I have a Ruckus ZoneDirector 1025 with waps that I just installed.
>>> Testing out different EAP types I can use. I am using FreeRadius 2.1.3.
>>> I have eap-ttls and eap-peapv0 working perfectly (I am using windows to
>>> control the wireless card for peap and it works great). Was going to
>>> try
>>> eap-tls by assigning client certificate to the machine account so the
>>> computer account authenticates on the wireless and then the user can
>>> log
>>> into the domain. I did this and get errors. It kind-of looks to me that
>>> the Zone Director is not sending the correct eap message for eap-tls.
>>>
>>
>> No you are forcing Auth-Type Reject in users file:
>>
>>
>>> [files] users: Matched entry DEFAULT at line 226
>>>
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>>
> Ok thanks. I did take that out (whoops) and now I see no explicit
> failure but when it hits the authentication section it just stops
> (never authenticates the client). I tried sticking the common name
> (user-name) in /etc/raddb/users to see if I could rig it up to
> authenticate. It hits an "OK" for files section but still does not
> authenticate the XP client. I don't think I should need anything in the
> users file correct? Here is output from radiusd (version info etc.. at
> top of this message). Thanks for any help.
>
> -Josh
Oh, and to add, the certificate does have this: Client Authentication
purpose is 1.3.6.1.5.5.7.3.2 enabled (verified). Just wanted to clarify
that I did read the FreeRadius Wiki FAQ.
thanks -Josh
>>>
>>>
>>
>> Server is happy, supplicant isn't. Enable tracing and read the
>> eapol.log:
>>
>> http://support.microsoft.com/kb/894568
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>>
>>
> Once again, thanks for the help. It was indeed the supplicant.
>
> -Josh
Whoops, I thought I solved this but I didn't. I tried setting up eap-tls
on a few different laptops each using windows xp to configure eap-tls
(not the wireless card client). I get the same results there. I have
nothing in my /etc/raddb/users file. I tried putting:
josh Auth-Type := eap
Auth-Type := Accept
to kind of see if I was missing something. Do I need anything in the
/etc/raddb/users for eap-tls?
On the XP client I also notice that even though I have the Certificate
Authority installed, the client certificate reports: Windows does not
have enough information to verify this certificate.
I figured that the certificate chain was broken. As a test, I imported
the server certificate and stuck it in the Trusted root authorities
section. This completed the chain (since the client cert was signed off
the server cert which is what the make client does in /etc/raddb/certs).
But, of course, the server cert is not meant to be a cert authority so
windows xp complains about this.
I turned off "Verify Certificate Authority" in the windows XP eap-tls
setup to see if that would help. It did not. Would this broken cert
chain cause the issue I am having of authentication just stopping? As
far as I can see, I've followed all instructions on making the certs,
verifying the right oid's in each cert, and configuring FreeRadius?
Here is another radiusd debug just in case anyone can see anything else.
I cannot see an error. I have turned debugging on for the windows xp
wireless supplicant but really cannot see anything in there that points
to a clear answer. I also tried a few laptops with different cards but
also using windows xp as the wireless client. Same thing so I must be
missing something.
thanks for any help
Here is the debug:
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=19, length=172
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 2
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02000009016a6f7368
Message-Authenticator = 0x0c726a7e3ac712cf547eebe096cf72c1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 19 to 172.17.10.108 port 1027
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x982efaa3982ff784f708f948bb823a0e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=20, length=261
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 2
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020100500d800000004616030100410100003d0301497f12c55aaab891840a5314f901341acd2d4dfb6cf3013dbeb9c284cbd7d28500001600040005000a000900640062000300060013001200630100
State = 0x982efaa3982ff784f708f948bb823a0e
Message-Authenticator = 0xf4a495a1dc517a2ea1ce79f466520039
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 1 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0846], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 20 to 172.17.10.108 port 1027
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0x820379a00302010202010030
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x982efaa3992cf784f708f948bb823a0e
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=21, length=187
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 2
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200060d00
State = 0x982efaa3992cf784f708f948bb823a0e
Message-Authenticator = 0xd58793dae3bbbbf94990f6f834b36edc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 21 to 172.17.10.108 port 1027
EAP-Message =
0x010304000dc0000009220d06092a864886f70d0101040500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e170d3039303132373034313131325a170d3239303132323034313131325a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e
EAP-Message =
0x636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b49dd90b47ecf8f3f0cd3c5c925e8891da336543215709231a08521a69e856b5e1a5061417fc7b859738da4d81033c6b6149535830a03c2b4554a71d67c5e0694ad03f0708c818ebcb596cce15740a0053a7e41b24551c63efeb928664aadb3cbce4ada1867ef56926909bf1c5914b0463f681a8ce59283ba5
EAP-Message =
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
EAP-Message =
0x6e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101007cac0b9cc3c3cb9405ff81979b7d8d746e09761c5f85ca3d313e8c2fe2faa361556fb274dc24f45e7573f78fe061582266430cc381196b92e326f2cf5ba7625549f2a9708e8150129eca8e033ecce9acdf069eb1615a3088039cd0dda72e7d73e7f5bd60a8a5
EAP-Message = 0xcbdf5f73170cd3ed1a52364e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x982efaa39a2df784f708f948bb823a0e
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=22, length=187
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 2
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0x982efaa39a2df784f708f948bb823a0e
Message-Authenticator = 0x59fdc45f3eb465063f8b3b802a875cec
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 22 to 172.17.10.108 port 1027
EAP-Message =
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
EAP-Message =
0x11737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x982efaa39b2af784f708f948bb823a0e
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 0 ID 19 with timestamp +7
Cleaning up request 1 ID 20 with timestamp +7
Cleaning up request 2 ID 21 with timestamp +7
Cleaning up request 3 ID 22 with timestamp +7
Ready to process requests.
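Added example (not part of Josh's message and not FreeRADIUS code): a small Python decoder for the hex EAP-Message values that appear in a radiusd debug log like the one above. It names the EAP-TLS flags behind the [tls] lines: the Start request, the Length-Included response that carries the ClientHello, the empty 6-byte packets that are fragment ACKs, and the L+M request fragments in which the server is still sending its certificate chain. The sample inputs are the attribute values copied from the debug above; the id=3 fragment is cut off after its header so that the decoder's truncation reporting is exercised. The field names, the describe() wording and the join helper are this example's own choices, not FreeRADIUS internals.

```python
"""Decode EAP-Message values from a FreeRADIUS debug log; added example, not FreeRADIUS code."""
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # RFC 5216: Length included, More fragments, Start
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    declared_length: int            # Length field of the EAP header
    actual_length: int              # bytes actually present in the attribute(s)
    eap_type: Optional[int] = None
    identity: Optional[str] = None
    flags: List[str] = field(default_factory=list)
    tls_total_length: Optional[int] = None   # present only when the L flag is set
    payload: bytes = b""

    def is_complete(self) -> bool:
        return self.actual_length >= self.declared_length


def join_eap_message_attributes(hex_values: List[str]) -> str:
    """A packet over 253 bytes is split across consecutive EAP-Message
    attributes (as in the debug above); rejoin them before decoding."""
    return "0x" + "".join(v[2:] if v.lower().startswith("0x") else v for v in hex_values)


def decode_eap_message(hexstr: str) -> EapPacket:
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    pkt = EapPacket(code=EAP_CODES.get(raw[0], f"unknown({raw[0]})"), identifier=raw[1],
                    declared_length=int.from_bytes(raw[2:4], "big"), actual_length=len(raw))
    if raw[0] in (3, 4) or len(raw) < 5:        # Success/Failure carry no Type byte
        return pkt
    pkt.eap_type, body = raw[4], raw[5:]
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        pkt.identity = body.decode("utf-8", errors="replace")
    elif pkt.eap_type == EAP_TYPE_TLS:
        if not body:
            raise ValueError("EAP-TLS packet without a Flags byte")
        flags = body[0]
        pkt.flags = [n for bit, n in ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S")) if flags & bit]
        offset = 1
        if flags & FLAG_L:                       # 4-byte TLS Message Length follows the flags
            pkt.tls_total_length = int.from_bytes(body[1:5], "big")
            offset = 5
        pkt.payload = body[offset:]
    return pkt


def peek_tls_record(payload: bytes) -> Optional[str]:
    # If the fragment begins a TLS handshake record, name it the way radiusd -X does.
    if len(payload) < 6 or payload[0] != 0x16 or payload[1] != 3:
        return None
    version = TLS_VERSIONS.get(payload[2], f"SSL 3.{payload[2]}")
    rec_len = int.from_bytes(payload[3:5], "big")
    return f"{version} Handshake [length {rec_len:04x}], {HANDSHAKE_TYPES.get(payload[5], 'type %d' % payload[5])}"


def describe(pkt: EapPacket) -> str:
    head = f"EAP {pkt.code} id={pkt.identifier} len={pkt.declared_length}"
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        return f"{head}: Identity {pkt.identity!r}"
    if pkt.eap_type != EAP_TYPE_TLS:
        return f"{head}: type {pkt.eap_type}"
    notes = []
    if "S" in pkt.flags:
        notes.append("EAP-TLS Start")
    if "L" in pkt.flags:
        notes.append(f"Length Included (TLS length {pkt.tls_total_length})")
    if "M" in pkt.flags:
        notes.append("More Fragments")
    if not pkt.flags and not pkt.payload:    # empty EAP-TLS packet = ACK of a fragment
        notes.append("TLS ACK")
    record = peek_tls_record(pkt.payload)
    if record:
        notes.append(record)
    elif pkt.payload:
        notes.append(f"{len(pkt.payload)} bytes of continuation TLS data")
    if not pkt.is_complete():
        notes.append(f"truncated: {pkt.actual_length} of {pkt.declared_length} bytes present")
    return f"{head}: " + "; ".join(notes)


# Constructed sample: EAP-Message values copied from the debug above; the last
# one is the id=3 fragment cut off after its header, so it reports as truncated.
SAMPLE_EAP_MESSAGES = [
    "0x02000009016a6f7368",
    "0x010100060d20",
    "0x020100500d800000004616030100410100003d0301497f12c55aaab891840a5314f901341acd2d4dfb6cf3013dbeb9c284cbd7d28500001600040005000a000900640062000300060013001200630100",
    "0x020200060d00",
    "0x010304000dc0000009220d06092a864886f70d0101040500",
]

if __name__ == "__main__":
    for value in SAMPLE_EAP_MESSAGES:
        print(describe(decode_eap_message(value)))
```

Run the file to get one line per value. Reading the log through it: the 0x20 flag on the first Access-Challenge is the EAP-TLS Start that "[tls] Initiate" refers to; the id=1 response sets L with a TLS length of 70 and begins with the 0x41-byte ClientHello the server logs; the 6-byte client responses are ACKs ("[tls] Received TLS ACK"); and the 1024-byte id=3 request with L+M set is one fragment of a 2338-byte server handshake flight, which is why it spans several EAP-Message attributes (rejoin them with join_eap_message_attributes before decoding a full one). The exchange therefore stops at the point where the client is expected to send its certificate, consistent with the server's "Need to read more data: SSLv3 read client certificate A".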