reauth-problem with WPA2-tls
Andreas Hartmann
andihartmann at 01019freenet.de
Fri Jun 4 10:20:19 CEST 2010
Alan DeKok schrieb:
> Andreas Hartmann wrote:
>> I have one basic question:
>> There are now two different caches: one in eap (based on ssl) and the
>> extern cache, rlm_caching.
>
> rlm_caching has nothing to do with EAP.
>
>> If I want to use fast_reauth, is it necessary to enable both caches or
>> must the ssl-cache in eap.conf be disabled to run fast_reauth
>> successfully with rlm_caching?
>
> The EAP configuration explains what you need to do for fast re-auth.
>
>> Meanwhile, I have a configuration, which does a User-Name-based
>> rlm_caching at the end of the last fragment of the initial
>> authentication with an originaly empty database.
>
> What is it supposed to do?
>
>> But the problem is:
>>
>> If the user reconnects or wants to connect initial again, the process is
>> stopped (with success returned) at the moment, the client sends the
>> User-Name.
>> This is wrong. The process can't be interrupted before the key exchange
>> has been done successfully.
>> How can this be written in the config-file (authorize-section)?
>
> What do you want to do?
>
> I have no idea why you configured the caching module, and you haven't
> explained why you configured it.
Thanks for your reply,
I configured it, because fast-reauth doesn't work for me.
- In the wpa_supplicant, fast_reauth is switched to 1.
- In eap.conf, the cache under tls is enabled.
Now, wpa_supplicant is started and the client got authenticated. But
there is a warning nearly at the end of the successfull authentication:
Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_verify returned 3
Fri Jun 4 09:42:11 2010 : Info: [tls] eaptls_process returned 3
Fri Jun 4 09:42:11 2010 : Info: [tls] Adding user data to cached session
Fri Jun 4 09:42:11 2010 : Info: [tls] Saving response in the cache
Fri Jun 4 09:42:11 2010 : Info: [tls] WARNING: No information to
^^^^^^^^^^^^^^^^^^^^^^^^^^
cache: session caching will be disabled for this session.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fri Jun 4 09:42:11 2010 : Info: [eap] Freeing handler
Fri Jun 4 09:42:11 2010 : Info: ++[eap] returns ok
Fri Jun 4 09:42:11 2010 : Auth: Login OK: [myuser at mydom] (from client
WAP610N port 0 cli 00-13-.....)
Fri Jun 4 09:42:11 2010 : Info: +- entering group post-auth {...}
Fri Jun 4 09:42:11 2010 : Info: ++[exec] returns noop
Sending Access-Accept of id 238 to 192.168.... port 2048
....
Some time later, the fast_reauth follows, which breaks, because of
missing datas in the cache.
My question is: How must the client or the server be configured, that
there are cached datas in order to get a working fast_reauth?
rad_recv: Access-Request packet from host 192.168.1.9 port 2048, id=240,
length=177
User-Name = "myuser at mydom"
NAS-Port = 0
Called-Station-Id = "00-25-...:mywlan"
Calling-Station-Id = "00-13-...."
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02000017016e6f7465626f6f6b31406d6179612e6f7267
Message-Authenticator = 0xc7d7831bf74eb29cc2862fbf9c1164f8
Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...}
Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok
Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for
User-Name = "myuser at mydom"
Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom"
Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 0
length 23
Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated
Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound
Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry
myuser at mydom at line 203
Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok
Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop
Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop
Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP
Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...}
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP Identity
Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls
Fri Jun 4 10:05:37 2010 : Info: [tls] Requiring client certificate
Fri Jun 4 10:05:37 2010 : Info: [tls] Initiate
Fri Jun 4 10:05:37 2010 : Info: [tls] Start returned 1
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 240 to 192.168.... port 2048
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbc40ebedbc41e6950bd358ee7ea3ba57
Fri Jun 4 10:05:37 2010 : Info: Finished request 9.
Fri Jun 4 10:05:37 2010 : Debug: Going to the next request
Fri Jun 4 10:05:37 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168..... port 2048,
id=241, length=1516
User-Name = "myuser at mydom"
NAS-Port = 0
Called-Station-Id = "00-25-....:mywlan"
Calling-Station-Id = "00-13-...."
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020105360d00160301052b....
EAP-Message = 0xc19621437c240ee8........
EAP-Message = d1b03b4d9ba1a79b324d237c3b8c8ef1806597ec8 ...
EAP-Message = 0x77f505a88ea15af0e517....
EAP-Message = 0x39e23c539c6250cf89bc10dbbfb48c3bb5f2fecf...
EAP-Message = 0xae584e899f3de05f54edcc.....
State = 0xbc40ebedbc41e6950bd358ee7ea3ba57
Message-Authenticator = 0x99433479c1d2750ac02738bcb5e629a9
Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...}
Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok
Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for
User-Name = "myuser at mydom"
Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom"
Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 1
length 253
Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated
Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound
Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry
myuser at mydom at line 203
Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok
Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop
Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop
Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP
Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...}
Fri Jun 4 10:05:37 2010 : Info: [eap] Request found, released from the list
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP/tls
Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls
Fri Jun 4 10:05:37 2010 : Info: [tls] Authenticate
Fri Jun 4 10:05:37 2010 : Info: [tls] processing EAP-TLS
Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_verify returned 7
Fri Jun 4 10:05:37 2010 : Info: [tls] Done initial handshake
Fri Jun 4 10:05:37 2010 : Info: [tls] (other): before/accept
initialization
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: before/accept
initialization
Fri Jun 4 10:05:37 2010 : Info: [tls] <<< TLS 1.0 Handshake [length
052b], ClientHello
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 read client
hello A
Fri Jun 4 10:05:37 2010 : Info: [tls] >>> TLS 1.0 Handshake [length
0051], ServerHello
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 write
server hello A
Fri Jun 4 10:05:37 2010 : Info: [tls] >>> TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 write
change cipher spec A
Fri Jun 4 10:05:37 2010 : Info: [tls] >>> TLS 1.0 Handshake [length
0010], Finished
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 write
finished A
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 flush data
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: Need to read more
data: SSLv3 read finished A
Fri Jun 4 10:05:37 2010 : Debug: In SSL Handshake Phase
Fri Jun 4 10:05:37 2010 : Debug: In SSL Accept mode
Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_process returned 13
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns handled
Sending Access-Challenge of id 241 to 192.168.... port 2048
EAP-Message = 0x0102009b0d8000000091160301005......
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbc40ebedbd42e6950bd358ee7ea3ba57
Fri Jun 4 10:05:37 2010 : Info: Finished request 10.
Fri Jun 4 10:05:37 2010 : Debug: Going to the next request
Fri Jun 4 10:05:37 2010 : Debug: Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.9 port 2048, id=242,
length=237
User-Name = "myuser at mydom"
NAS-Port = 0
Called-Station-Id = "00-25-....:mywlan"
Calling-Station-Id = "00-13-...."
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020200410d001403010001011603010....
State = 0xbc40ebedbd42e6950bd358ee7ea3ba57
Message-Authenticator = 0x21f2e35898da2e8b85b5d916baab5237
Fri Jun 4 10:05:37 2010 : Info: +- entering group authorize {...}
Fri Jun 4 10:05:37 2010 : Info: ++[preprocess] returns ok
Fri Jun 4 10:05:37 2010 : Info: [suffix] Looking up realm "mydom" for
User-Name = "myuser at mydom"
Fri Jun 4 10:05:37 2010 : Info: [suffix] No such realm "mydom"
Fri Jun 4 10:05:37 2010 : Info: ++[suffix] returns noop
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP packet type response id 2
length 65
Fri Jun 4 10:05:37 2010 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns updated
Fri Jun 4 10:05:37 2010 : Info: ++[unix] returns notfound
Fri Jun 4 10:05:37 2010 : Info: [files] users: Matched entry
myuser at mydom at line 203
Fri Jun 4 10:05:37 2010 : Info: ++[files] returns ok
Fri Jun 4 10:05:37 2010 : Info: ++[expiration] returns noop
Fri Jun 4 10:05:37 2010 : Info: ++[logintime] returns noop
Fri Jun 4 10:05:37 2010 : Info: Found Auth-Type = EAP
Fri Jun 4 10:05:37 2010 : Info: +- entering group authenticate {...}
Fri Jun 4 10:05:37 2010 : Info: [eap] Request found, released from the list
Fri Jun 4 10:05:37 2010 : Info: [eap] EAP/tls
Fri Jun 4 10:05:37 2010 : Info: [eap] processing type tls
Fri Jun 4 10:05:37 2010 : Info: [tls] Authenticate
Fri Jun 4 10:05:37 2010 : Info: [tls] processing EAP-TLS
Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_verify returned 7
Fri Jun 4 10:05:37 2010 : Info: [tls] Done initial handshake
Fri Jun 4 10:05:37 2010 : Info: [tls] <<< TLS 1.0 ChangeCipherSpec
[length 0001]
Fri Jun 4 10:05:37 2010 : Info: [tls] <<< TLS 1.0 Handshake [length
0010], Finished
Fri Jun 4 10:05:37 2010 : Info: [tls] TLS_accept: SSLv3 read finished A
Fri Jun 4 10:05:37 2010 : Info: [tls] (other): SSL negotiation
finished successfully
Fri Jun 4 10:05:37 2010 : Debug: SSL Connection Established
Fri Jun 4 10:05:37 2010 : Debug: SSL Application Data
Fri Jun 4 10:05:37 2010 : Info: [tls] eaptls_process returned 3
Fri Jun 4 10:05:37 2010 : Info: [tls] Retrieved session data from
cached session
Fri Jun 4 10:05:37 2010 : Info: [tls] WARNING: No information in
^^^^^^^^^^^^^^^^^^^^^^^^^^
cached session!
^^^^^^^^^^^^^^^
Fri Jun 4 10:05:37 2010 : Info: [eap] Freeing handler
Fri Jun 4 10:05:37 2010 : Info: ++[eap] returns reject
Fri Jun 4 10:05:37 2010 : Info: Failed to authenticate the user.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Fri Jun 4 10:05:37 2010 : Auth: Login incorrect: [myuser at mydom] (from
client WAP610N port 0 cli 00-13-....)
Fri Jun 4 10:05:37 2010 : Info: Using Post-Auth-Type Reject
Fri Jun 4 10:05:37 2010 : Info: +- entering group REJECT {...}
Fri Jun 4 10:05:37 2010 : Info: [attr_filter.access_reject] expand:
%{User-Name} -> myuser at mydom
Fri Jun 4 10:05:37 2010 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Fri Jun 4 10:05:37 2010 : Info: ++[attr_filter.access_reject] returns
updated
Fri Jun 4 10:05:37 2010 : Info: Delaying reject of request 11 for 1 seconds
Fri Jun 4 10:05:37 2010 : Debug: Going to the next request
Fri Jun 4 10:05:37 2010 : Debug: Waking up in 0.9 seconds.
Fri Jun 4 10:05:38 2010 : Info: Sending delayed reject for request 11
Sending Access-Reject of id 242 to 192.168.... port 2048
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Fri Jun 4 10:05:38 2010 : Debug: Waking up in 3.9 seconds.
Fri Jun 4 10:05:42 2010 : Info: Cleaning up request 9 ID 240 with
timestamp +1415
Fri Jun 4 10:05:42 2010 : Info: Cleaning up request 10 ID 241 with
timestamp +1415
Fri Jun 4 10:05:42 2010 : Debug: Waking up in 1.0 seconds.
Fri Jun 4 10:05:43 2010 : Info: Cleaning up request 11 ID 242 with
timestamp +1415
Fri Jun 4 10:05:43 2010 : Info: Ready to process requests.
Thank you very much for your help,
kind regards,
Andreas
More information about the Freeradius-Users
mailing list