PEAP EAP-TLS not replying with Access-Accept message
Chris Studt
chris at mythdragon.com
Fri May 22 21:50:31 CEST 2009
I've been debugging this for a while and I still can't find a solution to
the problems I'm having. I'm running freeradius in this pattern:
Active Directory <-> MS-CHAP <-> Freeradius <-> Cisco Switch <-> Windows XP SP3
I seem to be getting the error that is described here:
http://wiki.freeradius.org/index.php/FAQ#PEAP_or_EAP-TLS_Doesn.27t_Work_with_a_Windows_machine
I've run through and created the SSL certificates as described with the
Windows OIDs and I still seem to be getting the same issues. I have the
actual AD authentication set up as described here:
http://deployingradius.com/documents/configuration/active_directory.html
I've turned off certificate validation on the Windows XP host and still no
dice. I ran the EAP debugging as shown here:
http://deployingradius.com/documents/configuration/eap-problems.html
and I have posted the results here:
http://www.mythdragon.com/freeradius-debug/
The output of freeradius -X when I attempt a connection is like this:
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=76,
length=150
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message = 0x0201000b01637374756474
Message-Authenticator = 0x8ffd4ec097ed474d2acfdbd06ce668ec
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 76 to 10.10.10.15 port 1645
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c6699650575d57e32307d8902b7
Finished request 36.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=77,
length=237
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message =
0x0202005019800000004616030100410100003d03014a16f9f81d590cd2812aba8c635f832ec313fc9cd6070f2bcdb13efd9f9c8543000010
Message-Authenticator = 0x852be4c5dbca1b2f6653ddaef5525a62
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c6699650575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 2 length 80
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 70
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0041], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client
certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 77 to 10.10.10.15 port 1645
EAP-Message =
0x0103040019c00000089b160301002a0200002603014a16f9f822ffc89286e662e0256b43e66215ad341c85a29e778755224a23e687000009
EAP-Message =
0x301e170d3039303532323138353235395a170d3130303532323138353235395a307c310b3009060355040613024652310f300d060355040e
EAP-Message =
0x16e1a3903966209e8ab8733cc6c04e80a7b972a847ad3b172844cfe65eb4080ce9170bc842dfb0a6c747fda85e5890ba53ccf0b16757e60b
EAP-Message =
0x4e837b84ca468c64275107fe93f5470153c858eb12e74f02ab7bd52ccf54add01488f9987b9a49a8ba1e8e2208c8ade2a727261a596bb4c4
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c6698640575d57e32307d8902b7
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=78,
length=163
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message = 0x020300061900
Message-Authenticator = 0xc8f1baef47c6a3668e41c12b29278edc
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c6698640575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 78 to 10.10.10.15 port 1645
EAP-Message =
0x010403fc194000c245b84f58bde16c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040814
EAP-Message =
0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d68
EAP-Message =
0x1bdaa4b461fa877807cfeb35b8c7db9a395c24818f3db57dd0f5d6f7c4437d6bf232fd2dccebe6c64210a6c8d380a758d51b5977b844a294
EAP-Message =
0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e31203016
EAP-Message = 0xd38d9387a468419b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c669b630575d57e32307d8902b7
Finished request 38.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=79,
length=163
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message = 0x020400061900
Message-Authenticator = 0xd045350ba1ebd09fc6aa69d033f7e022
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c669b630575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 79 to 10.10.10.15 port 1645
EAP-Message =
0x010500b51900b36564be63341757208d386f17c173f1915bf196936c35da2bdb889940fc633ab5960046b3e360595d0217ca1c4a587cbc70
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c669a620575d57e32307d8902b7
Finished request 39.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=80,
length=479
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message =
0x0205014019800000013616030101061000010201005abafa67288b1050a9f42c9d521379eaa30a5d7927acaa6d5cb08c696aa724a733a39e
EAP-Message =
0xc79943d0ffbb934a2e561395636d71b516c108a409ed05c21403010001011603010020dccd71cdf582fc34be4e949e4a83a8e3cd43b214c2
Message-Authenticator = 0xbd6fecf99a5ff39317b2e3a76ee1ed01
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c669a620575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 310
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 80 to 10.10.10.15 port 1645
EAP-Message =
0x0106003119001403010001011603010020f17c1f67be3975c6810d3764208a8294ab2f5281c3b861884c4cf7cc22a275f8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c669d610575d57e32307d8902b7
Finished request 40.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=81,
length=163
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message = 0x020600061900
Message-Authenticator = 0x04bebaa5f8107e585937873550d1be1b
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c669d610575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake is finished
[peap] eaptls_verify returned 3
[peap] eaptls_process returned 3
[peap] EAPTLS_SUCCESS
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 81 to 10.10.10.15 port 1645
EAP-Message =
0x01070020190017030100153af1e2ab4422d8623abc16220825b30286308dd3d8
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c669c600575d57e32307d8902b7
Finished request 41.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=82,
length=191
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message =
0x0207002219001703010017d1d78d24d19c44335278dbf3b577ab1dc6e972c1625ac3
Message-Authenticator = 0x0d00514a34760c9ad0353b282e218722
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c669c600575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 7 length 34
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Identity - chris
[peap] Got tunnled request
EAP-Message = 0x0207000b01637374756474
server routers-auth {
PEAP: Got tunneled identity of chris
PEAP: Setting default EAP type for tunneled EAP session.
PEAP: Setting User-Name to chris
Sending tunneled request
EAP-Message = 0x0207000b01637374756474
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "chris"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "chris", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb344cf36b34cd589c33f8244b7aca70a
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010800201a0108001b101195ce2c24ade78b1cf5aa059c23f088637374756474
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb344cf36b34cd589c33f8244b7aca70a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 82 to 10.10.10.15 port 1645
EAP-Message =
0x010800371900170301002c4ea2709917cd595f7940395816d8a688fd6ce44d2213388f7b00bc9c55b555c2957c56f4bd0a9439c9913367
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c669f6f0575d57e32307d8902b7
Finished request 42.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=83,
length=245
User-Name = "chris"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-XX-XX-XX-XX-XX"
Calling-Station-Id = "00-YY-YY-YY-YY-YY"
EAP-Message =
0x020800581900170301004d73817b889d4fd7e2bf24fb538ad896be72097e0bc493430d917cf6d552b43ad7eaa6b6bc6cd039067e5ea70ecc
Message-Authenticator = 0x11f6fb0bafc3ee1abaabaf02120589cb
NAS-Port-Type = Ethernet
NAS-Port = 50110
NAS-Port-Id = "GigabitEthernet1/0/10"
State = 0x99671c669f6f0575d57e32307d8902b7
NAS-IP-Address = 10.10.10.15
server routers-auth {
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[eap] EAP packet type response id 8 length 88
[eap] Continuing tunnel setup.
++[eap] returns ok
++[files] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] EAP type mschapv2
[peap] Got tunnled request
EAP-Message =
0x020800411a0208003c3152dc3d0f74f672cab9f314e0aa326c86000000000000000035b488c0131cea6672253fe5e9a3b8e54aacc0c341f4
server routers-auth {
PEAP: Setting User-Name to chris
Sending tunneled request
EAP-Message =
0x020800411a0208003c3152dc3d0f74f672cab9f314e0aa326c86000000000000000035b488c0131cea6672253fe5e9a3b8e54aacc0c341f4
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "chris"
State = 0xb344cf36b34cd589c33f8244b7aca70a
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns updated
[suffix] No '@' in User-Name = "chris", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 8 length 65
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for chris with NT-Password
[mschap] No NT-Domain was found in the User-Name.
expand: --domain=%{mschap:NT-Domain:-MYDOMAINHERE} -> --domain=MYDOMAINHERE
expand: --username=%{mschap:User-Name:-None} -> --username=chris
[mschap] mschap2: 11
expand: --challenge=%{mschap:Challenge:-00} -> --challenge=4e97ec9325450dea
expand: --nt-response=%{mschap:NT-Response:-00} ->
--nt-response=35b488c0131cea6672253fe5e9a3b8e54aacc0c341fae031
Exec-Program output: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
Exec-Program-Wait: plaintext: NT_KEY: A09BCEDBCCD05FD0BEC38E5E663B2207
Exec-Program: returned: 0
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb344cf36b24dd589c33f8244b7aca70a
[peap] Got tunneled reply RADIUS code 11
EAP-Message =
0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb344cf36b24dd589c33f8244b7aca70a
[peap] Got tunneled Access-Challenge
++[eap] returns handled
} # server routers-auth
Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
EAP-Message =
0x0109004a1900170301003f9831a816e378081f830ef42917053a509f826145b1c94885404f81f6f05985fbdaed9e0e6a5002ea5d72b9dba9
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x99671c669e6e0575d57e32307d8902b7
Finished request 43.
Going to the next request
Waking up in 4.8 seconds.
Cleaning up request 36 ID 76 with timestamp +422
Cleaning up request 37 ID 77 with timestamp +422
Cleaning up request 38 ID 78 with timestamp +422
Cleaning up request 39 ID 79 with timestamp +422
Cleaning up request 40 ID 80 with timestamp +422
Cleaning up request 41 ID 81 with timestamp +422
Cleaning up request 42 ID 82 with timestamp +422
Cleaning up request 43 ID 83 with timestamp +422
Ready to process requests.
Any help you guys can give me would be very appreciated. I know this issue
has been posted here before, but it seems like the results I'm getting
from all the solutions I've seen aren't fixing my problem.
Chris Studt
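As an added example (not part of Chris's post or of FreeRADIUS itself), a small Python helper that decodes the EAP-Message values printed in a freeradius -X trace like the one above and summarises the RADIUS exchange, so the point where the conversation stops without an Access-Accept or Access-Reject is visible. Two of the values it decodes are copied from the trace; the short trace excerpt is constructed.

```python
# Added example, not from the original post: decode EAP-Message values from a
# freeradius -X trace and summarise the RADIUS exchange to locate the stall.
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
MSCHAPV2_OPS = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def decode_eap(hexstr):
    """Parse one EAP-Message: RFC 3748 header, then PEAP or MS-CHAPv2 payload."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    # Long values in the post are cut short, so flag when fewer bytes are shown.
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "truncated": len(raw) < length}
    if length <= 4 or len(raw) < 6:           # Success/Failure carry no type
        return info
    info["type"] = EAP_TYPES.get(raw[4], raw[4])
    if raw[4] == 25:                          # PEAP: flags byte, then TLS record
        flags = raw[5]
        info["peap_flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                              "S": bool(flags & 0x20)}
        off = 10 if flags & 0x80 else 6       # L flag: 4-byte TLS length first
        if len(raw) >= off + 5:
            info["tls_record"] = {"type": raw[off], "version": raw[off+1:off+3].hex(),
                                  "length": int.from_bytes(raw[off+3:off+5], "big")}
    elif raw[4] == 26:                        # EAP-MSCHAPv2 inside the tunnel
        info["mschapv2_op"] = MSCHAPV2_OPS.get(raw[5], raw[5])
        if raw[5] == 3:                       # Success-Request carries "S=<auth response>"
            info["message"] = raw[9:length].decode("ascii", "replace")
    return info

RECV = re.compile(r"rad_recv: (Access-\w+) packet from host \S+ port \d+, id=(\d+)")
SEND = re.compile(r"Sending (Access-\w+) of id (\d+)")

def summarise(trace):
    """List (radius_id, direction, code) per packet and say how the run ended."""
    events = []
    for line in trace.splitlines():
        m = RECV.search(line) or SEND.search(line)
        if m:
            direction = "in" if line.startswith("rad_recv") else "out"
            events.append((int(m.group(2)), direction, m.group(1)))
    ended = [e for e in events if e[1] == "out" and e[2] in ("Access-Accept", "Access-Reject")]
    verdict = ended[-1][2] if ended else "no Access-Accept/Reject: stalled after last Access-Challenge"
    return events, verdict

# Two values copied from the trace above (outer PEAP request id 7, inner
# EAP-MSCHAPv2 reply id 9); the trace excerpt is constructed from its last packets.
OUTER_PEAP = "0x01070020190017030100153af1e2ab4422d8623abc16220825b30286308dd3d8"
INNER_MSCHAPV2 = "0x010900331a0308002e533d45334443373936373934363834394539454142413430423735354536323236333832314537464639"
SAMPLE_TRACE = """rad_recv: Access-Request packet from host 10.10.10.15 port 1645, id=83,
Sending Access-Challenge of id 83 to 10.10.10.15 port 1645
Ready to process requests."""

if __name__ == "__main__":
    print(decode_eap(OUTER_PEAP))
    print(decode_eap(INNER_MSCHAPV2))
    print(summarise(SAMPLE_TRACE))
```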