Microsoft: SmartCard or Certificate Auth

swatzy fernando.calvelo at esrf.fr
Thu Nov 12 08:43:49 CET 2009


Hi:

I'm trying to configure a FreeRadius server to perform certificate
authentication from a Windows laptop.
I have followed the steps at
http://wiki.freeradius.org/WPA_HOWTO#HOWTO_Do_It:_An_Outline
But when I try to do the connection, it never ends... and I get periodic
messages in the FreeRadius server output in this way...

rad_recv: Access-Request packet from host 160.103.180.252:32769, id=0,
length=176
        User-Name = "radiusserv"
        Calling-Station-Id = "00-1d-e0-7f-c7-bd"
        Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
        NAS-Port = 13
        NAS-IP-Address = 160.103.180.252
        NAS-Identifier = "wlc01"
        Airespace-Wlan-Id = 6
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "82"
        EAP-Message = 0x0202000f0172616469757373657276
        Message-Authenticator = 0x978d232412c863306539d3ad92c9d6b8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 160.103.180.252 port 32769
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc321c12ede0c59624273d465195058be
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 160.103.180.252:32769, id=1,
length=300
        User-Name = "radiusserv"
        Calling-Station-Id = "00-1d-e0-7f-c7-bd"
        Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
        NAS-Port = 13
        NAS-IP-Address = 160.103.180.252
        NAS-Identifier = "wlc01"
        Airespace-Wlan-Id = 6
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "82"
        EAP-Message =
0x020300790d800000006f160301006a0100006603014af93134b45308b2252422bb395d6ce641bfdc48695e46696178ab4d4b407442000018002f00350005000ac009c00ac013c0140032003800130004010000250000000f000d00000a72616469757373657276000a00080006001700180019000b00020100
        State = 0xc321c12ede0c59624273d465195058be
        Message-Authenticator = 0x209186e1eb149efd3ce2e8796100a977
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns ok) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 006a], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0283], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0085], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 1 to 160.103.180.252 port 32769
        EAP-Message =
0x301e170d3039313130333136353833315a170d3130313130333136353833315a3074310b3009060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e667230819f300d06092a864886f70d010101050003818d0030818902818100b8fd3330a5f8ed59944b0ab8f162332223f749059609e5dd68c5efeced0434e500b7178aa3d9ffe32679034200952f14c64f321c851ee7254e78210ad1b8b0420980fb43fa1adf2f89b8
        EAP-Message =
0x060355040613024652310e300c0603550408130549736572653111300f060355040713084772656e6f626c65310d300b060355040a130445535246311330110603550403130a72616469757373657276311e301c06092a864886f70d010901160f6e6574776f726b40657372662e66720e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa8f213a60ac152b2e7e42048e94461f9
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 160.103.180.252:32769, id=2,
length=185
        User-Name = "radiusserv"
        Calling-Station-Id = "00-1d-e0-7f-c7-bd"
        Called-Station-Id = "00-26-cb-4c-f7-c0:Bidon"
        NAS-Port = 13
        NAS-IP-Address = 160.103.180.252
        NAS-Identifier = "wlc01"
        Airespace-Wlan-Id = 6
        Service-Type = Framed-User
        Framed-MTU = 1300
        NAS-Port-Type = Wireless-802.11
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "82"
        EAP-Message = 0x020400060d00
        State = 0xa8f213a60ac152b2e7e42048e94461f9
        Message-Authenticator = 0xe9f04c151b954deb2b5e5c1ca7032f53
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "radiusserv", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    users: Matched entry DEFAULT at line 179
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns ok) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 2 to 160.103.180.252 port 32769
        EAP-Message = 0x0105000a0d8000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x09770a67d71842c41d63756db81b29fc
Finished request 2
Going to the next request
Waking up in 6 seconds...
-------------------------------------

Any ideas what I'm doing wrong?
-- 
View this message in context: http://old.nabble.com/Microsoft%3A-SmardCard-or-Certificate-Auth-tp26280525p26280525.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
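
Added example, not part of the original post: a small decoder for the EAP-Message values printed in the debug output above, showing the EAP header and the EAP-TLS flags (L, M, S per RFC 5216) for each step of the exchange. The function names decode_eap and join_eap_attributes are hypothetical; the sample values are the short EAP-Message values copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_FLAGS = ((0x80, "L"), (0x40, "M"), (0x20, "S"))  # RFC 5216: Length, More, Start

def join_eap_attributes(values):
    """Concatenate the EAP-Message attributes of ONE RADIUS packet (RFC 3579)."""
    return "".join(v[2:] if v.lower().startswith("0x") else v for v in values)

def decode_eap(hex_value):
    """Decode one complete EAP packet given as hex, with or without '0x'."""
    raw = bytes.fromhex(join_eap_attributes([hex_value]))
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, "code %d" % code), "id": ident,
            "length": length, "complete": length == len(raw)}
    if code not in (1, 2) or len(raw) < 5:
        return info                       # Success/Failure carry no Type field
    eap_type, body = raw[4], raw[5:length]
    info["type"] = eap_type
    if eap_type == 1:                     # Identity
        info["identity"] = body.decode("utf-8", "replace")
    elif eap_type == 13 and body:         # EAP-TLS
        flags, data = body[0], body[1:]
        info["flags"] = "".join(name for bit, name in TLS_FLAGS if flags & bit)
        if flags & 0x80:                  # 4-byte total TLS message length follows
            if len(data) < 4:
                raise ValueError("L flag set but TLS length field is missing")
            info["tls_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        info["tls_bytes"] = len(data)     # TLS payload carried in this fragment
        if flags & 0x20:
            info["kind"] = "start"
        elif flags == 0 and not data:
            info["kind"] = "ack"          # empty packet acknowledging a fragment
        else:
            info["kind"] = "tls-data"
    return info

# Short EAP-Message values copied from the debug log above, in order.
SAMPLES = ["0x0202000f0172616469757373657276",  # request 0, from the client
           "0x010300060d20",                    # reply to request 0
           "0x020400060d00",                    # request 2, from the client
           "0x0105000a0d8000000000"]            # reply to request 2

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, decode_eap(value))
```

When a packet in the log shows several EAP-Message lines, pass them through join_eap_attributes first; decoding a single attribute of a fragmented packet reports complete as False.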