Multiple radius servers with the same CA

sphaero arnaud at sphaero.org
Wed Mar 24 17:24:17 CET 2010
John Dennis wrote:
> 
> [snip]
> Did you edit your eap.conf file to point to radius2.pem? Did you set 
> your private_key_password in eap.conf to match $PASSWORD_CA used above? 
> BTW, don't use the same password as in the example ;-)
> 
> Did you verify the certs as suggested above?
> 
> Saying something doesn't work isn't helpful, the log output would be 
> helpful.
> 
> -- 
> John Dennis <jdennis at redhat.com>
> 
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
> 
> 

Yep, did all that. I think I was working on this too long, starting to see
double.

On the machine where I generate the certificate:
openssl verify -CAfile ca.pem lx0008.pem 
lx0008.pem: OK

However, if I copy the file over to the other machine:
openssl verify -CAfile ca.pem lx0008.pem
lx0008.pem: /C=NL/ST=Radius/O=AOg/CN=Radius Certificate/emailAddress=nw at aog.nl
error 9 at 0 depth lookup:certificate is not yet valid

But I discovered a time sync issue here. Clocks are 10 min. apart. This was a
bit of a clue, right. So I checked the client I was testing this on, and it
was a day behind. So it could never validate the certificate. Setting up
some time synchronisation resolved this.

openssl verify -CAfile ca.pem lx0008.pem 
lx0008.pem: OK

Here's the log output of the failed attempt. The EAP exchange stops at:
Sending Access-Challenge
After setting the time right it works as expected.

Thanks for all help!

Rg,

Arnaud

rad_recv: Access-Request packet from host 10.6.254.189:1024, id=51, length=214
	Framed-MTU = 1480
	NAS-IP-Address = 10.6.254.189
	NAS-Identifier = "ENNR"
	User-Name = "lsa at aog.nl"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-18-fe-57-b7-60"
	Calling-Station-Id = "00-d0-59-9d-9a-3c"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "138"
	State = 0x271f405150fffa1a648249140e571065
	EAP-Message = 0x022200061500
	Message-Authenticator = 0xd9de91ff01317e671b475cdf3125a11a
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
    rlm_realm: Looking up realm "aog.nl" for User-Name = "lsa at aog.nl"
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Adding Stripped-User-Name = "lsa"
    rlm_realm: Proxying request from user lsa to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 34 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 3
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group authorize (returns updated) for request 3
  Found Autz-Type asa
  Processing the authorize section of radiusd.conf
modcall: entering group asa for request 3
radius_xlat:  'lsa'
rlm_sql (asa): sql_set_user escaped user --> 'lsa'
radius_xlat:  'SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID'
rlm_sql (asa): Reserving sql socket id: 1
radius_xlat:  ''
radius_xlat:  'SELECT UserID,Usernaam,'Reply-Message' AS Attribute, Achternaam, '=' AS Op from bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID '
radius_xlat:  ''
rlm_sql (asa): Released sql socket id: 1
  modcall[authorize]: module "asa" returns ok for request 3
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 3
modcall: leaving group asa (returns ok) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 51 to 10.6.254.189 port 1024
	Service-Type = Framed-User
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "132"
	Reply-Message = "Loonstra"
	EAP-Message = 0x747765726b62656865657240616d6172616e7469732e
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x9e7aef98290aab34c5bdeffbf332c930
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.6.254.189:1024, id=52, length=214
	Framed-MTU = 1480
	NAS-IP-Address = 10.6.254.189
	NAS-Identifier = "ENNR"
	User-Name = "lsa at aog.nl"
	Service-Type = Framed-User
	Framed-Protocol = PPP
	NAS-Port = 1
	NAS-Port-Type = Ethernet
	NAS-Port-Id = "1"
	Called-Station-Id = "00-18-fe-57-b7-60"
	Calling-Station-Id = "00-d0-59-9d-9a-3c"
	Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "138"
	State = 0x9e7aef98290aab34c5bdeffbf332c930
	EAP-Message = 0x022300061500
	Message-Authenticator = 0x4290459647a474c647d2bf8a6fef24f8
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: Looking up realm "aog.nl" for User-Name = "lsa at aog.nl"
    rlm_realm: Found realm "DEFAULT"
    rlm_realm: Adding Stripped-User-Name = "lsa"
    rlm_realm: Proxying request from user lsa to realm DEFAULT
    rlm_realm: Adding Realm = "DEFAULT"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 35 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 156
  modcall[authorize]: module "files" returns ok for request 4
rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group authorize (returns updated) for request 4
  Found Autz-Type asa
  Processing the authorize section of radiusd.conf
modcall: entering group asa for request 4
radius_xlat:  'lsa'
rlm_sql (asa): sql_set_user escaped user --> 'lsa'
radius_xlat:  'SELECT UserID,Usernaam,'SHA-Password' AS Attribute, Wachtwoord, ':=' AS Op FROM bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID'
rlm_sql (asa): Reserving sql socket id: 0
radius_xlat:  ''
radius_xlat:  'SELECT UserID,Usernaam,'Reply-Message' AS Attribute, Achternaam, '=' AS Op from bas_user WHERE Usernaam = 'lsa' AND Actief = 1 ORDER BY UserID '
radius_xlat:  ''
rlm_sql (asa): Released sql socket id: 0
  modcall[authorize]: module "asa" returns ok for request 4
rlm_pap: Normalizing SHA-Password from hex encoding
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 4
modcall: leaving group asa (returns ok) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 52 to 10.6.254.189 port 1024
	Service-Type = Framed-User
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "132"
	Reply-Message = "Loonstra"
	EAP-Message =
0xc01469c020e470c2d300264d2eaed55c7d81257cc14baeba7df5f6b1b255603a91e6bdfa9c7ecccee3c2e370084d807db1e8bdb0113de9ad8a744601813b8c9a9819007d6ce46ace182c9b410274b8b6facd3b085ca4b8e07424aca602afc83df29e78cbe45d4c2de4e825595d16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8645d7e4f090233c4a654c8cbbfec31e
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 48 with timestamp 4baa367f
Cleaning up request 1 ID 49 with timestamp 4baa367f
Cleaning up request 2 ID 50 with timestamp 4baa367f
Cleaning up request 3 ID 51 with timestamp 4baa367f
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 52 with timestamp 4baa3680
Nothing to do.  Sleeping until we see a request.
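The failure Arnaud diagnosed above (a supplicant whose clock is a day behind the host that issued the certificate gets error 9, "certificate is not yet valid", and the EAP-TTLS handshake never completes) can be reproduced and checked for without moving any system clock, using the -attime option of openssl verify. This is an added example, not code from the thread; the CA, key and subject names are constructed throwaways, not the AOg certificates.

```shell
#!/bin/sh
# Added example: reproduce a clock-skew certificate failure with openssl alone.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Constructed throwaway CA and server certificate (placeholder names).
# Both get notBefore = "now" on this machine, like the CA/radius2 certs in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Test CA" -days 365 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=radius.example.test" 2>/dev/null
openssl x509 -req -in srv.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out srv.pem -days 365 2>/dev/null

# verify_at EPOCH_SECONDS: the same check the thread runs, evaluated as if the
# verifying host's clock read EPOCH_SECONDS. Prints "srv.pem: OK" or the
# openssl error text; exit status is openssl's.
verify_at() {
  openssl verify -attime "$1" -CAfile ca.pem srv.pem 2>&1
}

# show_validity: the two dates an operator should compare against `date -u`
# on the supplicant and on every RADIUS server sharing the CA.
show_validity() {
  openssl x509 -in srv.pem -noout -dates
}

NOW=$(date +%s)
show_validity
verify_at "$NOW"                    # correct clock: srv.pem: OK
verify_at $((NOW - 86400)) || true  # clock one day behind: not yet valid
```

A skew of only minutes can produce the same error right after issuance, so ensure every supplicant and server is NTP-synchronised before distributing certificates.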
