[ Re: eap-ttls failing]
Josh Hiner
josh at remc1.org
Tue Jan 27 18:00:35 CET 2009
-------- Original Message --------
Subject: Re: eap-ttls failing
Date: Tue, 27 Jan 2009 11:58:54 -0500
From: Josh Hiner <josh at remc1.org>
To: Josh Hiner <josh at remc1.org>
References: <O6ukdVry.1233065929.9664600.tnt at kalik.net>
<497F230B.1050103 at remc1.org> <497F237C.7020306 at remc1.org>
Josh Hiner wrote:
> Josh Hiner wrote:
>> tnt at kalik.net wrote:
>>>> Whoops, I thought I solved this but I didnt. I tried setting up
>>>> eap-tls
>>>> on a few different laptops each using windows xp to configure eap-tls
>>>> (not the wireless card client). I get the same results there. I have
>>>> nothing in my /etc/raddb/users file. I tried putting:
>>>> josh Auth-Type := eap
>>>> Auth-Type := Accept
>>>>
>>>
>>> Don't do that. Don't force Auth-Type. It's not going to help and it
>>> will break everything else.
>>>
>>>
>>>> On the XP client I also notice that even though I have the Certificate
>>>> Authority installed, the client certificate reports: Windows does not
>>>> have enough information to verify this certificate.
>>>>
>>>> I figured that the certificate chain was broken. As a test, I imported
>>>> the server certificate and stuck it in the Trusted root authorities
>>>> section. This completed the chain (since the client cert was signed
>>>> off
>>>> the server cert which is what the make client does in
>>>> /etc/raddb/certs).
>>>> But, of course, the server cert is not meant to be a cert authority so
>>>> windows xp complains about this.
>>>>
>>>
>>> That is the problem. Windows won't recongnize server certificate as
>>> intermediate ca any more. The "cure" is to try signing client
>>> certificates with ca certificate instead. I have posted to the list an
>>> altered Makefile with make caclient.pem command added a few days
>>> ago. If
>>> you can't find it I will post another one this evening.
>>>
>>> Ivan Kalik
>>> Kalik Informatika ISP
>>>
>> I did find the Makefile. Thanks! I tried to do a make caclient.pem
>> but it threw this error:
>>
>> openssl req -new -out caclient.csr -keyout caclient.key -config
>> ./client.cnf
>> Generating a 2048 bit RSA private key
>> ...........+++
>> .......+++
>> writing new private key to 'caclient.key'
>> -----
>> openssl ca -batch -keyfile ca.key -cert ca.pem -in caclient.csr -key
>> `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out
>> caclient.crt -extensions xpclient_ext -extfile xpextensions -config
>> ./client.cnf
>> Using configuration from ./client.cnf
>> wrong number of fields on line 1 (looking for field 6, got 1, '' left)
>> make: *** [caclient.crt] Error 1
>>
>> I dont need to re-do my CA and server cert prior to making the client
>> certs do I?
> Ha, never mind. My index.txt file was messed up. -josh
>
Ok, made new client cert and now it shows valid and displays "Provides
your identity to a remote Computer" as the intended purpose and on the
Details tab displays the correct info etc... The Certification Path
displays valid. Still same problem though (exact same problem) of just
sitting there at "Attempting to authenticate".
Here is what just loops over and over:
Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=66, length=172
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 1
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02050009016a6f7368
Message-Authenticator = 0x864461492a35fa412e30d0f27ea0cbf3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 5 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 66 to 172.17.10.108 port 1027
EAP-Message = 0x010600060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xca0fec0fca09e1323ddcba98066d48ce
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=67, length=261
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 1
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x020600500d800000004616030100410100003d0301497f27683f3a7573ff79fcadddfc58dc798d58ccc564e5c7b41ce43a496553e400001600040005000a000900640062000300060013001200630100
State = 0xca0fec0fca09e1323ddcba98066d48ce
Message-Authenticator = 0x05b1b4bffe53467521d36730cbdcb0c5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 6 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0846], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a3], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 67 to 172.17.10.108 port 1027
EAP-Message =
0x010704000dc000000922160301002a020000260301497f275f1e637695516efe671e6034f85e39ab843b20fc5997cd278f000000000000040016030108460b00084200083f0003a4308203a030820288a003020102020101300d06092a864886f70d0101050500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e
EAP-Message =
0x170d3039303132373034313133385a170d3239303132323034313133385a307c310b30090603550406130255533111300f060355040813084d6963686967616e310e300c060355040a130552454d4331312830260603550403131f52454d433120526164697573205365727665722043657274696669636174653120301e06092a864886f70d0109011611737570706f72744072656d63312e6e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100df5db79ac92e13bb06dd2458db371fa0c22ebd220440aa0747e98a13d64027fa10720c69b224d607bfd2a7b2836c224cefca5113d0c56cf7d97d25703bb05f8b
EAP-Message =
0xff12c9dfc2fd602271f2e9200e9c196d6e9018840e69c6c82a62e77d946ad60562c576c4b7206c8d2d378a7c84f99fb64dfa51a87021ccf234c76e91159c2dfbbeb1095cc81ea26d39dc0a078011b3c70bdd11f0800f8391737591b7bf005551bc4ba051cf7e83d2d883c946372059167cabb6514ab5068c7274662639825e37d705d415cb370df3aa1088e87d8c3bf7df5116dd61d589831dfe2e0d347ae15227c48900964d24fa574dab1166e4d5a100741f7cf4088e3e47ae88ae3793f7990203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101003730d65b9ae051938bdd36
EAP-Message =
0x33b834dd5cef73a38bf01b1e9dead12841c954d04cb564c884b4529af0faf9a71b46ac5f554fcbe64e9c5be604392e8fd0b5f62aab2fe7155e828bb06e456fc26c30a90b417cb6b6fa68eda56eb29653514ba78c0f0852a7c17ade33eb38f9edf423f9d1fc72bba6549c3c4bf20bec437fcdca0d16a8f4e4bab8c8f82eddd48878165d383ea8291d4f0e922cdd4871ea92f72340e930efc3bb6ab917bccd92c95ec69575bde85e5bbd3e3c52285345881f4e758074df363d49dc044abd145ebc070aeec28dfb36341146c52a152bbd80a8833599c35caa44ed4c38ea2e6fecbadb59d0f487777f7d0bcec13bbb19bb93492b99e1c70004953082049130
EAP-Message = 0x820379a00302010202010030
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xca0fec0fcb08e1323ddcba98066d48ce
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=68, length=187
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 1
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020700060d00
State = 0xca0fec0fcb08e1323ddcba98066d48ce
Message-Authenticator = 0x9799f67311b1f6aef50af33fc748ba4e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 68 to 172.17.10.108 port 1027
EAP-Message =
0x010804000dc0000009220d06092a864886f70d0101040500308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479301e170d3039303132373034313131325a170d3239303132323034313131325a308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e
EAP-Message =
0x636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b49dd90b47ecf8f3f0cd3c5c925e8891da336543215709231a08521a69e856b5e1a5061417fc7b859738da4d81033c6b6149535830a03c2b4554a71d67c5e0694ad03f0708c818ebcb596cce15740a0053a7e41b24551c63efeb928664aadb3cbce4ada1867ef56926909bf1c5914b0463f681a8ce59283ba5
EAP-Message =
0x2316add0dfd36901ec2b2da655be187efe786c36cd9c9a09a51a065333dff65e991e3b88bd826f9f07b5c7bf0366dfaf1fd44870e4c8df99a987dab4d955c104ea5fb3a0dedaed2e758a75508b4a5bb88f06c9f80c5d4633057f6624247230a9ff3bf64adc9853f366f9d7c487825be1b0b5137b85a8ee4b07af87b6cfb8341fe5ff4b7780677d0203010001a381f13081ee301d0603551d0e04160414b0af659819810e066c1fae3a2f9a9fc3377af5693081be0603551d230481b63081b38014b0af659819810e066c1fae3a2f9a9fc3377af569a18197a48194308191310b30090603550406130255533111300f060355040813084d696368696761
EAP-Message =
0x6e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d0109011611737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d010104050003820101007cac0b9cc3c3cb9405ff81979b7d8d746e09761c5f85ca3d313e8c2fe2faa361556fb274dc24f45e7573f78fe061582266430cc381196b92e326f2cf5ba7625549f2a9708e8150129eca8e033ecce9acdf069eb1615a3088039cd0dda72e7d73e7f5bd60a8a5
EAP-Message = 0xcbdf5f73170cd3ed1a52364e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xca0fec0fc807e1323ddcba98066d48ce
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027,
id=69, length=187
User-Name = "josh"
NAS-IP-Address = 172.17.10.108
NAS-Identifier = "00:1f:41:3a:82:f9"
NAS-Port = 1
Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
Calling-Station-Id = "00-16-B6-5C-AC-DD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020800060d00
State = 0xca0fec0fc807e1323ddcba98066d48ce
Message-Authenticator = 0x07dba943335930dd66ff91cc53f3a302
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "josh", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "josh", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 69 to 172.17.10.108 port 1027
EAP-Message =
0x010901400d8000000922101bd464323e493c6bc2a2d48f905e1afede5f663de695fede560cd70864dca08c7078aec5299f07dcf4fb24c0274678071ce5a15b8e28b322b12b665ed600b782c6eefc624e851ac89390f929f19a7e26d494e730702c031e47e5f7dca498859b2c634abc1807eedcff4a5be51fed6c56c2ffb2db730e219cdc535d563752f23011f00d8bbb819fbb1e4a3cd14d16030100a30d00009b02010200960094308191310b30090603550406130255533111300f060355040813084d6963686967616e3110300e0603550407130748616e636f636b310e300c060355040a130552454d43313120301e06092a864886f70d01090116
EAP-Message =
0x11737570706f72744072656d63312e6e6574312b30290603550403132252454d43312052616469757320436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xca0fec0fc906e1323ddcba98066d48ce
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 66 with timestamp +18
Cleaning up request 1 ID 67 with timestamp +18
Cleaning up request 2 ID 68 with timestamp +18
Cleaning up request 3 ID 69 with timestamp +18
Ready to process requests.
More information about the Freeradius-Users
mailing list