eap-ttls failing

tnt at kalik.net
Tue Jan 27 15:18:49 CET 2009


>Whoops, I thought I solved this but I didn't. I tried setting up eap-tls
>on a few different laptops each using windows xp to configure eap-tls
>(not the wireless card client). I get the same results there. I have
>nothing in my /etc/raddb/users file. I tried putting:
>josh Auth-Type := eap
>    Auth-Type := Accept

Don't do that. Don't force Auth-Type. It's not going to help and it
will break everything else.

>On the XP client I also notice that even though I have the Certificate
>Authority installed, the client certificate reports: Windows does not
>have enough information to verify this certificate.
>
>I figured that the certificate chain was broken. As a test, I imported
>the server certificate and stuck it in the Trusted root authorities
>section. This completed the chain (since the client cert was signed off
>the server cert which is what the make client does in /etc/raddb/certs).
>But, of course, the server cert is not meant to be a cert authority so
>windows xp complains about this.

That is the problem. Windows won't recognize the server certificate as an
intermediate CA any more. The "cure" is to try signing client
certificates with the CA certificate instead. I have posted to the list an
altered Makefile with a make caclient.pem command added a few days ago. If
you can't find it I will post another one this evening.

Ivan Kalik
Kalik Informatika ISP
>
>I turned off "Verify Certificate Authority" in the windows XP eap-tls
>setup to see if that would help. It did not. Would this broken cert
>chain cause the issue I am having of authentication just stopping? As
>far as I can see, I've followed all instructions on making the certs,
>verifying the right OIDs in each cert, and configuring FreeRadius?
>
>Here is another radiusd debug just in case anyone can see anything else.
>I cannot see an error. I have turned debugging on for the windows xp
>wireless supplicant but really cannot see anything in there that points
>to a clear answer. I also tried a few laptops with different cards but
>also using windows xp as the wireless client. Same thing so I must be
>missing something.
>
>
>thanks for any help
>
>Here is the debug:
>
>Ready to process requests.
>rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=19, length=172
>    User-Name = "josh"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 2
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-16-B6-5C-AC-DD"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x02000009016a6f7368
>    Message-Authenticator = 0x0c726a7e3ac712cf547eebe096cf72c1
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>[suffix] No '@' in User-Name = "josh", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
>[ntdomain] No such realm "NULL"
>++[ntdomain] returns noop
>[eap] EAP packet type response id 0 length 9
>[eap] No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] EAP Identity
>[eap] processing type tls
>[tls] Requiring client certificate
>[tls] Initiate
>[tls] Start returned 1
>++[eap] returns handled
>Sending Access-Challenge of id 19 to 172.17.10.108 port 1027
>    EAP-Message = 0x010100060d20
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x982efaa3982ff784f708f948bb823a0e
>Finished request 0.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=20, length=261
>    User-Name = "josh"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 2
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-16-B6-5C-AC-DD"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x020100500d800000004616030100410100003d0301497f12c55aaab891840a5314f901341acd2d4dfb6cf3013dbeb9c284cbd7d28500001600040005000a000900640062000300060013001200630100
>    State = 0x982efaa3982ff784f708f948bb823a0e
>    Message-Authenticator = 0xf4a495a1dc517a2ea1ce79f466520039
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>[suffix] No '@' in User-Name = "josh", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
>[ntdomain] No such realm "NULL"
>++[ntdomain] returns noop
>[eap] EAP packet type response id 1 length 80
>[eap] No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] Request found, released from the list
>[eap] EAP/tls
>[eap] processing type tls
>[tls] Authenticate
>[tls] processing EAP-TLS
>  TLS Length 70
>[tls] Length Included
>[tls] eaptls_verify returned 11
>[tls]     (other): before/accept initialization
>[tls]     TLS_accept: before/accept initialization
>[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
>[tls]     TLS_accept: SSLv3 read client hello A
>[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
>[tls]     TLS_accept: SSLv3 write server hello A
>[tls] >>> TLS 1.0 Handshake [length 0846], Certificate
>[tls]     TLS_accept: SSLv3 write certificate A
>[tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest
>[tls]     TLS_accept: SSLv3 write certificate request A
>[tls]     TLS_accept: SSLv3 flush data
>[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
>In SSL Handshake Phase
>In SSL Accept mode
>[tls] eaptls_process returned 13
>++[eap] returns handled
>Sending Access-Challenge of id 20 to 172.17.10.108 port 1027
>    EAP-Message = ...
>    EAP-Message = 0x170d3039303132373034313133385a170d3239303132323034313133385a307c310b30090603550406130255533111300f060355040813084d6963686967616e310e300c060355040a130552454d4331312830260603550403131f52454d433120526164697573205365727665722043657274696669636174653120301e06092a864886f70d0109011611737570706f72744072656d63312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100df5db79ac92e13bb06dd2458db371fa0c22ebd220440aa0747e98a13d64027fa10720c69b224d607bfd2a7b2836c224cefca5113d0c56cf7d97d25703bb05f8b
>    EAP-Message = ...
>    EAP-Message = ...
>    EAP-Message = 0x820379a00302010202010030
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x982efaa3992cf784f708f948bb823a0e
>Finished request 1.
>Going to the next request
>Waking up in 4.9 seconds.
>rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=21, length=187
>    User-Name = "josh"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 2
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-16-B6-5C-AC-DD"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x020200060d00
>    State = 0x982efaa3992cf784f708f948bb823a0e
>    Message-Authenticator = 0xd58793dae3bbbbf94990f6f834b36edc
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>[suffix] No '@' in User-Name = "josh", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
>[ntdomain] No such realm "NULL"
>++[ntdomain] returns noop
>[eap] EAP packet type response id 2 length 6
>[eap] No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] Request found, released from the list
>[eap] EAP/tls
>[eap] processing type tls
>[tls] Authenticate
>[tls] processing EAP-TLS
>[tls] Received TLS ACK
>[tls] ACK handshake fragment handler
>[tls] eaptls_verify returned 1
>[tls] eaptls_process returned 13
>++[eap] returns handled
>Sending Access-Challenge of id 21 to 172.17.10.108 port 1027
>    EAP-Message = ...
>    EAP-Message = 0x636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b49dd90b47ecf8f3f0cd3c5c925e8891da336543215709231a08521a69e856b5e1a5061417fc7b859738da4d81033c6b6149535830a03c2b4554a71d67c5e0694ad03f0708c818ebcb596cce15740a0053a7e41b24551c63efeb928664aadb3cbce4ada1867ef56926909bf1c5914b0463f681a8ce59283ba5
>    EAP-Message = ...
>    EAP-Message = ...
>    EAP-Message = 0xcbdf5f73170cd3ed1a52364e
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x982efaa39a2df784f708f948bb823a0e
>Finished request 2.
>Going to the next request
>Waking up in 4.8 seconds.
>rad_recv: Access-Request packet from host 172.17.10.108 port 1027, id=22, length=187
>    User-Name = "josh"
>    NAS-IP-Address = 172.17.10.108
>    NAS-Identifier = "00:1f:41:3a:82:f9"
>    NAS-Port = 2
>    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
>    Calling-Station-Id = "00-16-B6-5C-AC-DD"
>    Framed-MTU = 1400
>    NAS-Port-Type = Wireless-802.11
>    Connect-Info = "CONNECT 11Mbps 802.11b"
>    EAP-Message = 0x020300060d00
>    State = 0x982efaa39a2df784f708f948bb823a0e
>    Message-Authenticator = 0x59fdc45f3eb465063f8b3b802a875cec
>+- entering group authorize {...}
>++[preprocess] returns ok
>++[chap] returns noop
>++[mschap] returns noop
>[suffix] No '@' in User-Name = "josh", looking up realm NULL
>[suffix] No such realm "NULL"
>++[suffix] returns noop
>[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
>[ntdomain] No such realm "NULL"
>++[ntdomain] returns noop
>[eap] EAP packet type response id 3 length 6
>[eap] No EAP Start, assuming it's an on-going EAP conversation
>++[eap] returns updated
>++[unix] returns updated
>++[files] returns noop
>++[expiration] returns noop
>++[logintime] returns noop
>[pap] Found existing Auth-Type, not changing it.
>++[pap] returns noop
>Found Auth-Type = EAP
>+- entering group authenticate {...}
>[eap] Request found, released from the list
>[eap] EAP/tls
>[eap] processing type tls
>[tls] Authenticate
>[tls] processing EAP-TLS
>[tls] Received TLS ACK
>[tls] ACK handshake fragment handler
>[tls] eaptls_verify returned 1
>[tls] eaptls_process returned 13
>++[eap] returns handled
>Sending Access-Challenge of id 22 to 172.17.10.108 port 1027
>    EAP-Message = ...
>    EAP-Message = 0x11737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000
>    Message-Authenticator = 0x00000000000000000000000000000000
>    State = 0x982efaa39b2af784f708f948bb823a0e
>Finished request 3.
>Going to the next request
>Waking up in 4.8 seconds.
>Cleaning up request 0 ID 19 with timestamp +7
>Cleaning up request 1 ID 20 with timestamp +7
>Cleaning up request 2 ID 21 with timestamp +7
>Cleaning up request 3 ID 22 with timestamp +7
>Ready to process requests.
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
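An added example, not code from the post or from the FreeRADIUS certs Makefile, that rebuilds the two chains this thread is about with plain openssl and checks them the way a supplicant or radiusd would: a client certificate issued by the RADIUS server certificate (the setup the poster describes) next to one issued by the CA (what Ivan recommends). A client that trusts only the CA can verify a leaf whose issuer is that CA or a real intermediate CA; in this example the server certificate is marked CA:FALSE, so openssl rejects it as an issuer even when it is offered as an intermediate, which is the same complaint the poster got from Windows. The subject names, file names, serial numbers and work directory are all assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the list post or the FreeRADIUS certs Makefile).
# Builds a demo PKI and two client certs that differ only in who signed them:
#   client_signed_by_server.pem  - the broken setup (issuer = RADIUS server cert)
#   client_signed_by_ca.pem      - the fix (issuer = the CA the client trusts)
# then checks each chain with 'openssl verify'. Names and paths are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

write_ext() {   # $1 = file, remaining args = one extension per line
    f="$1"; shift
    printf '%s\n' "$@" > "$f"
}

csr() {         # $1 = basename, $2 = CN; writes $1.key and $1.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

make_pki() {
    # EKU OIDs Windows supplicants look for: serverAuth (1.3.6.1.5.5.7.3.1)
    # on the server cert, clientAuth (1.3.6.1.5.5.7.3.2) on the client cert.
    # Only the root carries CA:TRUE; the server cert is deliberately CA:FALSE.
    write_ext "$WORK/ca.ext" 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign'
    write_ext "$WORK/server.ext" 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' 'extendedKeyUsage=serverAuth'
    write_ext "$WORK/client.ext" 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature' 'extendedKeyUsage=clientAuth'

    # Self-signed root CA
    csr ca 'Demo RADIUS CA'
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

    # RADIUS server certificate, issued by the CA
    csr server 'Demo RADIUS Server'
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 2 -days 365 -extfile "$WORK/server.ext" \
        -out "$WORK/server.pem" 2>/dev/null

    # One client key, two client certificates
    csr client 'josh'
    # broken chain: signed with the server key, so the issuer is a non-CA cert
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/server.pem" -CAkey "$WORK/server.key" \
        -set_serial 3 -days 365 -extfile "$WORK/client.ext" \
        -out "$WORK/client_signed_by_server.pem" 2>/dev/null
    # fixed chain: signed with the CA key
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -set_serial 4 -days 365 -extfile "$WORK/client.ext" \
        -out "$WORK/client_signed_by_ca.pem" 2>/dev/null
}

# Returns 0 if $1 chains to ca.pem. $2 is an optional untrusted intermediate,
# modelling the poster's experiment of handing the client the server cert.
chain_ok() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$WORK/ca.pem" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
    fi
}

issuer_of() {   # prints the issuer DN of certificate $1
    openssl x509 -in "$1" -noout -issuer
}

make_pki
for leaf in server client_signed_by_ca client_signed_by_server; do
    if chain_ok "$WORK/$leaf.pem"; then r=OK; else r=BROKEN; fi
    printf '%-26s %-7s %s\n' "$leaf" "$r" "$(issuer_of "$WORK/$leaf.pem")"
done
# Offering the server cert as an intermediate does not rescue the broken chain:
# a CA:FALSE certificate is not accepted as an issuer.
if chain_ok "$WORK/client_signed_by_server.pem" "$WORK/server.pem"; then
    echo "unexpected: server cert accepted as an issuer"
else
    echo "client_signed_by_server with server.pem as intermediate: still BROKEN"
fi
```

The quickest field check is the issuer line: if `openssl x509 -noout -issuer` on a client certificate names the RADIUS server rather than the CA, that certificate will not verify against the CA the supplicant trusts, regardless of which EKU OIDs it carries, and the EAP-TLS handshake stalls right after the server's CertificateRequest exactly as in the debug above.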
>
>



