question about windows users
Bartosz Chodzinski
bartosz.c at gmail.com
Fri May 29 12:22:21 CEST 2009
On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik <tnt at kalik.net> wrote:
> > The problem was solved thanks to Ivan's assistance.
> > The main problem was on the switch side and its configuration,
> > the second problem was putting the proper certificate into the proper certificate store,
> > and the third was in my head :).
>
> OK. Now that you have established that client certificates signed by the CA
> work with XP SP3, can you check whether server-signed certificates (made by the
> original Makefile) also work, or whether XP SP3 rejects them? Could you
> report the result to the list.
>
> Ivan Kalik
> Kalik Informatika ISP
>
No, the standard Makefile is not working.
freeradius -X output:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x020000150175736572406578616d706c652e636f6d
Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 160 to 192.168.5.206 port 1812
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
EAP-Message = 0x02010006030d
Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e0b880fea4f51a121d61eb2bf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162, length=224
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0b880fea4f51a121d61eb2bf
EAP-Message = 0x020200500d800000004616030100410100003d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f569400001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 162 to 192.168.5.206 port 1812
EAP-Message =
0x010304000dc00000093d160301002a0200002603014a1fb649f90a6e4db1414f2a91473940c7257976a7dbb0150b8771d1c403998300000400160301085e0b00085a00
08570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d0603550408130652616469757331123010060355040713
09536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d45
78616d706c6520436572746966696361746520417574686f72697479
EAP-Message =
0x301e170d3039303532303133303535305a170d3130303532303133303535305a307c310b3009060355040613024652310f300d06035504081306526164697573311530
13060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e
406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d1c880577d809eac3b12eeb843eaad382da99c2de125a840a49f25585bbb8186bb93
22a8dba7f08cfe901a0d85b6b0865e816b927a48f72d2e066f57f711
EAP-Message =
0xe6361d191beba216660aa6a1e4aa5fc2ab00aa67456586c42e40e8ecccb851425851581fbe189de1440b882ca86211a4c71ffb13823f942f0dc36af3b7fa38f2a59933
35dd63e56edef32a7eccc3054088fc2da16f50674092656c86e715c5582bfafd3dd4ff47c03ac93829f8a3db1acc30b55144788d6d77c9ddaab9006efe0deec77e93c0a449375491f79a7c68e7efeb
3b47d0b5c18496281016dad45ff47b34e172c445007c0151d73468807f131e2f433136061d6761f2450607fac932b6f90203010001a317301530130603551d25040c300a06082b0601050507030130
0d06092a864886f70d010104050003820101003f38caf011d81255ce
EAP-Message =
0xe6aa7a0d3ba87fa4c7bae364e4f0329d1b193d7ba36ba7506af0eb0e783e88ccc4b6a34a346a578ec3d12edef4f0060a34f42d1163b33f950397ac5ff566d3a4ca3ff0
4169eae2baf3203a4cde15b30f774640d16727fb1ed7a189f518031bd482626199bd62d7f603f4d665fc2955e82fbf7fea03efb4a676c2deb868043cd4cd6bd0dba790b710406de0c68dada48b0327
1cd2153384e1a34b3d401edc3476a318f0b91febcb797e4f3da9e9a4e48bce8456bf2c950e767dac3e967835fa537e35adfaec26159f681911208c6e401147b85dd66842131b373483503d14a3c705
6560dcaa282bfdeb9a3b70447093641032cbad777eee0004ab308204
EAP-Message = 0xa73082038fa0030201020209
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e08890fea4f51a121d61eb2bf
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=163, length=150
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e08890fea4f51a121d61eb2bf
EAP-Message = 0x020300060d00
Message-Authenticator = 0x528ebb6278cb97676edaa2345aaf2f10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 163 to 192.168.5.206 port 1812
EAP-Message =
0x010404000dc00000093d00e274f9526898aa5c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504081306526164697573
3112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126
30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303532303133303535305a170d3130303532303133303535305a308193310b30090603
55040613024652310f300d0603550408130652616469757331123010
EAP-Message =
0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d70
6c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100
abfd23d2502cc6f6f29c367e592227c9b4ef02e40b02e8468d7c2087197a03bf4bab18c57c3c2501782b9c5a979b2806b42b6062e213319daaf4d5a27984953ebce5433a1be4a5716b94e8979cc24c
1dd525d86fc14543b1380ce3f8fc126780193e7ec5bf3abe590b970b
EAP-Message =
0x4d5a1ea02ae515af74cfce42c5bb10d0cc620412a14f623c34fbca4fb9b8ee66b04b7cfff1a278a54ac69fa675a4a9ca6605689319fc5307c4b6f9fae8f653d9b7ecbd
854cf4b667de8c895c7f849df8c9362711fa703b4ed0a8f63504ded0fda6ae0dd472793766c3124dcb42cdbb25dca397db3f841ce13dfbbc10c8848bd39d43a2620e8e0c95b1a35891fcce33359f38
0a29650203010001a381fb3081f8301d0603551d0e04160414123ff562737fc2d9bc6d96afae6f4337c08846a73081c80603551d230481c03081bd8014123ff562737fc2d9bc6d96afae6f4337c088
46a7a18199a48196308193310b3009060355040613024652310f300d
EAP-Message =
0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f7
0d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e274f9526898aa5c300c060355
1d13040530030101ff300d06092a864886f70d0101050500038201010043cf9119db5dd9fe4f21b6e809f5e244dbfc6aee7866316441a9db5f3c4abae403f9012c8a4348a12c9ba24e02b188746872
56dfd374cb8ccfe6cfd9932ce2f4a03f1f695b221f97550e9510185c
EAP-Message = 0x2c53e4c88640391d8a02fe15
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e098e0fea4f51a121d61eb2bf
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=164, length=150
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e098e0fea4f51a121d61eb2bf
EAP-Message = 0x020400060d00
Message-Authenticator = 0xc5e0fca3b00a3878caa40e8d9b79618a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 164 to 192.168.5.206 port 1812
EAP-Message =
0x0105015b0d800000093de20bb9019906632f477573ee5ce336970857546c707151916f52825101b95c005509c9ba6c631dc4ed44105ec67210fff11968122772734826
f9998404c54b4c828a81726a1992a010b065e299b3cf573365d6d52f47285e9e2d27e39df13e75936e03eb9827f9b9b99747cdb9ce186baad8104b24275e45984252a2615f35d2f620510128bd0d6e
5071c1006aba908c75b5d13e2aba260bd84e7c40e9703eec9c02be07071a16030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975
733112301006035504071309536f6d65776865726531153013060355
EAP-Message =
0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c
6520436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf
Finished request 4.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=165, length=1645
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = "user@example.com"
Called-Station-Id = "00-0C-30-81-9B-EE"
Calling-Station-Id = "00-0A-E4-13-1A-02"
Service-Type = Framed-User
Framed-MTU = 1500
State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf
EAP-Message =
0x020505d30d80000005c916030105990b0003890003860003833082037f30820267a003020102020104300d06092a864886f70d0101040500307c310b30090603550406
13024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053657276657220436572746966696361
74653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039303532393130313133385a170d3130303532393130313133385a3071310b30090603550406
13024652310f300d0603550408130652616469757331153013060355
EAP-Message =
0x040a130c4578616d706c6520496e632e311930170603550403141075736572406578616d706c652e636f6d311f301d06092a864886f70d010901161075736572406578
616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf797e10a06c11b69b3304655b17de55f2bbf74109065f46a5fc85f3d49432b7f9630ad995
94c793671ca8e6ee900dda23e4f384c5080c584e87c18935f83fe34340723e7062374a02ea13a82e0599f15f970c4b2249038b17779363caf16e77a273a29b3b4b27c63c04daa06dff67f09fe5c346
b9a634952197a7a378f588dbd13c9e70c94d125cfc263585872ec9dc
EAP-Message =
0xb7a1fdf853e5585bcc9b90a01181b757e54215196986c919ca8a09811f6bbd629417b8b108e316bdbc520d324a4ea0c84d7169036a4d134fbc5889e7cb5a00648a3869
a34b426482ca8721d57ed809afc580f78cabce08ede364da1604dd27c8ebc4b49ad210539a0b0452c77a84945f0203010001a317301530130603551d25040c300a06082b06010505070302300d0609
2a864886f70d01010405000382010100b824bac6618246aa3df9d6a50c2ee5161cac3b6979193f3a2b82017dd415abee24b0e3d45a7490b0bf73cea8125e6acbd364f910cd4fb76c813504ef819d49
53b840353c432536b7d9c6eabe1fd266a71e42f3efa0b685416aeec4
EAP-Message =
0x1c43c72fcfaa119600f722e0309cb3ee7358bf499eeb015ebb3f205258edaf49e8cd737d066acfc9172eff5d586171aca8b684ec3f2e3c9d2d4338600e43b6464f850f
c5f82537af003b3fd6af7458e8abc3f71b2981660f52f2ffd4c0f320c0f61268fad45021cc7a18134d4dd6c0f3909d2d9da7c79c1b35fa4abdc83d42f41c6be15cda3eae7a7f961ceae952db3f3ece
b2533471b9262285871b286198e5a994ceed7810000102010039799a4cff52d1c4e26c86166903bf17c9995b9ced533f0c9f8607a63095f6ac1b06aef1a43ae26cdf4efbff5ffa6be61c7a551cb888
6900003592ae9b0656db3188691c3685baa18351172711a7f3656d7f
EAP-Message =
0x541c37b660b38ca9b136e3a4a0446e9af1cfb098ae8b935edaec3423d12e666ccc7394988ba43de7aa7e59bc0c16830a822c9adb78b80190c7ee4ad5e85246d351cb23
e8ed045d5ba855191dd90784e5e06b435ee430709329b64e21dd1fed49ef235a759e68b7a7d31c04cda9d84362bcdecf6aba073cbcd70b0a4a0713a1488ab498cad52e8d937637d8990833fcc72573
178c254b45399a002b04374408e90bd023633f35c0a2593abfda231e0f0001020100097d445b7c7219aead21140d9101c9f7f9da2024b9d531cbd6e226fb458e51e350aeadb3b4cd04fc8edfd6ec9c
fd0fd89c556cfda7c8f9c259add11a4e338adebf2929678b78a4557c
EAP-Message =
0x33e61e8c1eb9208357b3188d97057cf314eed12077b984678370924b24909a62d0957b26d8757621f7f325fe3087b7a2a0e9d81bb19abe4e5a6ddf7cf6c526a536a2ab
c37815c8b4a95040805674491dbf3408cc4cb95f782a50afc5131d7560683e453ae98e0b873bd725fed496dc9305802fa79acb7b8de28e12962898174594d4c2685dc0f604b2a4cc6f39c4643e581e
f497d854bcec7c66c52961f02643bd97f57d4c7ab39ff1a018c4ff4e1eb6a76c8bf8adb1b414030100010116030100201a0a68bdcf37fc694fe9d7ed1bec7d348371c6ebe1612d3a28e43d3db5dc8b
28
Message-Authenticator = 0x15cf2cb082e9388a241090a905703ecc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 1481
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 038d], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [user@example.com/<via Auth-Type = EAP>] (from client private-network-2 port 50046 cli 00-0A-E4-13-1A-02)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> user@example.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 165 to 192.168.5.206 port 1812
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 0 ID 160 with timestamp +10
Cleaning up request 1 ID 161 with timestamp +10
Cleaning up request 2 ID 162 with timestamp +10
Cleaning up request 3 ID 163 with timestamp +10
Cleaning up request 4 ID 164 with timestamp +10
Waking up in 1.1 seconds.
Cleaning up request 5 ID 165 with timestamp +10
Ready to process requests.
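The step that fails in the trace above is request id=165: the XP client does send a Certificate message, and OpenSSL answers "verify error:num=20:unable to get local issuer certificate" followed by a fatal unknown_ca alert. Which issuer the client certificate names can be read straight out of the debug output. The script below is an added example, not part of the original post and not FreeRADIUS code: it takes the first two EAP-Message attribute values of request id=165 (copied from the log, mail line wraps removed; the remainder of that EAP packet is omitted because it is not needed to reach the subject), strips the EAP, EAP-TLS, TLS record and handshake framing, and walks just enough DER to decode the issuer and subject names. The set of trusted CA names is an assumption taken from the CA certificate the server itself sent in request id=163 (subject CN "Example Certificate Authority").

```python
"""Decode the client Certificate carried in EAP-TLS fragments of a `freeradius -X`
trace and check whether its issuer is one of the server's CAs.  Added example,
not FreeRADIUS code; parses only version, serial, signature algorithm, issuer,
validity and subject, so a truncated certificate is fine."""
import binascii

# Constructed input: first two EAP-Message values of request id=165 in the trace.
EAP_RESPONSE_HEX = (
    "020505d30d80000005c916030105990b0003890003860003833082037f30820267a003020102020104300d06092a864886f70d0101040500307c310b30090603550406"
    "13024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053657276657220436572746966696361"
    "74653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039303532393130313133385a170d3130303532393130313133385a3071310b30090603550406"
    "13024652310f300d0603550408130652616469757331153013060355"
    "040a130c4578616d706c6520496e632e311930170603550403141075736572406578616d706c652e636f6d311f301d06092a864886f70d010901161075736572406578"
    "616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf797e10a06c11b69b3304655b17de55f2bbf74109065f46a5fc85f3d49432b7f9630ad995"
    "94c793671ca8e6ee900dda23e4f384c5080c584e87c18935f83fe34340723e7062374a02ea13a82e0599f15f970c4b2249038b17779363caf16e77a273a29b3b4b27c63c04daa06dff67f09fe5c346"
    "b9a634952197a7a378f588dbd13c9e70c94d125cfc263585872ec9dc"
)
# Assumption: the only CA in the server's CA file is the one it sent in request id=163.
TRUSTED_CA_CNS = {"Example Certificate Authority"}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O",
             "1.2.840.113549.1.9.1": "emailAddress"}


def der_tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(raw):
    """Dotted form of a DER OID value (base-128 arcs, first byte packs two arcs)."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(buf, start, end):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { OID, string } -> dict."""
    name, pos = {}, start
    while pos < end:
        _, set_start, set_end = der_tlv(buf, pos)
        _, seq_start, _ = der_tlv(buf, set_start)
        _, oid_start, oid_end = der_tlv(buf, seq_start)
        _, val_start, val_end = der_tlv(buf, oid_end)   # PrintableString/T61/IA5: bytes are ASCII here
        oid = decode_oid(buf[oid_start:oid_end])
        name[OID_NAMES.get(oid, oid)] = buf[val_start:val_end].decode("latin-1")
        pos = set_end
    return name


def first_client_cert(eap_hex):
    """Strip EAP / EAP-TLS / TLS record / handshake framing; return the first DER cert."""
    pkt = binascii.unhexlify(eap_hex)
    if pkt[0] != 2 or pkt[4] != 13:         # EAP Response, type 13 = EAP-TLS
        raise ValueError("not an EAP-TLS Response")
    pos = 6 + (4 if pkt[5] & 0x80 else 0)   # L flag: 4-byte TLS message length present
    if pkt[pos] != 0x16:                    # TLS record type 22 = handshake
        raise ValueError("not a TLS handshake record")
    pos += 5                                # record header: type, version, length
    if pkt[pos] != 0x0B:                    # handshake type 11 = Certificate
        raise ValueError("not a Certificate message")
    pos += 4 + 3                            # handshake header + certificate_list length
    cert_len = int.from_bytes(pkt[pos:pos + 3], "big")
    return pkt[pos + 3:pos + 3 + cert_len]  # may be shorter than cert_len; only the front is read


def issuer_and_subject(der):
    """Walk Certificate -> TBSCertificate as far as the subject field."""
    _, pos, _ = der_tlv(der, 0)             # Certificate SEQUENCE
    _, pos, _ = der_tlv(der, pos)           # TBSCertificate SEQUENCE
    if der[pos] == 0xA0:                    # optional [0] EXPLICIT version
        _, _, pos = der_tlv(der, pos)
    _, _, pos = der_tlv(der, pos)           # serialNumber
    _, _, pos = der_tlv(der, pos)           # signature AlgorithmIdentifier
    _, i_start, i_end = der_tlv(der, pos)   # issuer
    _, _, pos = der_tlv(der, i_end)         # validity
    _, s_start, s_end = der_tlv(der, pos)   # subject
    return decode_name(der, i_start, i_end), decode_name(der, s_start, s_end)


def diagnose(eap_hex, trusted_ca_cns=TRUSTED_CA_CNS):
    """Return (issuer, subject, verdict) for the client certificate in the trace."""
    issuer, subject = issuer_and_subject(first_client_cert(eap_hex))
    if issuer["CN"] in trusted_ca_cns:
        return issuer, subject, "issuer is a trusted CA"
    return issuer, subject, ("issuer %r is not in the server's CA file: OpenSSL verify "
                             "error 20 (unable to get local issuer certificate), "
                             "server sends alert unknown_ca" % issuer["CN"])


if __name__ == "__main__":
    for label, value in zip(("issuer", "subject", "verdict"), diagnose(EAP_RESPONSE_HEX)):
        print(label, ":", value)
```

Run as-is, the decoded subject is CN=user@example.com and the issuer is CN=Example Server Certificate, not the CA: the client presented a certificate issued by the server's own certificate, and since only the CA is in the server's CA file, chain building stops at "unable to get local issuer certificate". That matches the alert in the trace and is a server-side verification failure rather than XP SP3 rejecting the server. The same walker can be pointed at the server's Certificate message (request id=163) to list which CA the server actually trusts before touching any configuration.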