Fwd: SSL issues
Martin v. Wittich
martin.von.wittich at iserv.eu
Mon May 31 20:06:58 CEST 2010
> I am using a radius-openldap-EAP/TTLS|EAP/PEAP scheme and often I've got
> the following error from a Windows 7 client trying to connect using
> EAP/PEAP. Client lacked CA cert, but I've found clients that are able to
> import it. Finally client connected using EAP/TTLS with SecureW2. But I
> wonder if there was a problem with the client or there is a
> misconfiguration or a failing certificate. Below is my data, thanks in advance!
>
> /var/log/radius/radius.log
>
> Thu May 13 11:18:07 2010 : Error: TLS Alert read:fatal:unknown CA
> Thu May 13 11:18:07 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Thu May 13 11:18:07 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Thu May 13 11:18:07 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> Thu May 13 11:18:49 2010 : Error: TLS Alert read:fatal:unknown CA
> Thu May 13 11:18:49 2010 : Error: TLS_accept:failed in SSLv3 read client certificate A
> Thu May 13 11:18:49 2010 : Error: rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> Thu May 13 11:18:49 2010 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
I believe I have exactly the same issue; only Windows 7 clients are
affected. Windows XP, Windows Vista and iPhone all work fine.
I believe that the issue is my unsigned server certificate. In the
previous Windows versions I can do an initially unsuccessful connect to
the network, then disable the checkbox "validate server certificate",
reconnect and it will work. When I connect with Windows 7, it will fail
just like in XP, but the network won't be added to the list and I never
get to uncheck that checkbox.
I'm currently trying to set the network up manually, but I'm not getting
this to work either atm. I'll attach the full debug log from the initial
attempt below.
---- debug log --------------------------------------
FreeRADIUS Version 2.0.4, for host i486-pc-linux-gnu, built on Sep 7 2008 at 23:35:34
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/listen.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/eap.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 25600
allow_core_dumps = no
pidfile = "/var/run/freeradius/freeradius.pid"
user = "freerad"
group = "freerad"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
client 192.168.90.0/24 {
require_message_authenticator = no
secret = "foobar"
}
client 127.0.0.0/8 {
require_message_authenticator = no
secret = "foobar"
}
radiusd: #### Loading Realms and Home Servers ####
realm LOCAL {
}
radiusd: #### Instantiating modules ####
instantiate {
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_mschap
Module: Instantiating mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
}
Module: Linked to module rlm_eap
Module: Instantiating eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/server.key"
certificate_file = "/etc/freeradius/certs/server.crt"
CA_file = "/etc/freeradius/certs/ca.pem"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/etc/freeradius/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_files
Module: Instantiating files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/dev/null"
preproxy_usersfile = "/dev/null"
compat = "no"
}
Module: Linked to module rlm_passwd
Module: Instantiating etc_smbpasswd
passwd etc_smbpasswd {
filename = "/etc/freeradius/smbpasswd"
format = "*User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::"
delimiter = ":"
ignorenislike = no
ignoreempty = yes
allowmultiplekeys = no
hashsize = 0
}
rlm_passwd: nfields: 7 keyfield 0(User-Name) listable: no
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating attr_filter.access_reject
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
}
}
server {
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Checking authorize {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_exec
Module: Instantiating log_reject
exec log_reject {
wait = yes
program = "/usr/lib/iserv/radius_log REJECT %{User-Name}"
input_pairs = "request"
output_pairs = "none"
shell_escape = yes
}
Module: Instantiating log_accept
exec log_accept {
wait = yes
program = "/usr/lib/iserv/radius_log ACCEPT %{User-Name}"
input_pairs = "request"
output_pairs = "none"
shell_escape = yes
}
}
}
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 192.168.90.13
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 0
}
main {
snmp = no
smux_password = ""
snmp_write_access = no
}
Listening on authentication address 192.168.90.13 port 1812
Listening on authentication address 127.0.0.1 port 1812
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.90.98 port 3072, id=0, length=125
User-Name = "martin"
NAS-IP-Address = 192.168.90.98
Called-Station-Id = "001d7ea22ebc"
Calling-Station-Id = "0026c6c479bc"
NAS-Identifier = "001d7ea22ebc"
NAS-Port = 1
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0200000b016d617274696e
Message-Authenticator = 0x92ec68158ead6ecf1b0491c7fa27024b
+- entering group authorize
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
rlm_pap: WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.90.98 port 3072
EAP-Message = 0x010100061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7c1635d37c172cabbfed43f879d27e85
Finished request 0.
Going to the next request
Waking up in 5.0 seconds.
rad_recv: Access-Request packet from host 192.168.90.98 port 3072, id=0, length=247
Cleaning up request 0 ID 0 with timestamp +23
User-Name = "martin"
NAS-IP-Address = 192.168.90.98
Called-Station-Id = "001d7ea22ebc"
Calling-Station-Id = "0026c6c479bc"
NAS-Identifier = "001d7ea22ebc"
NAS-Port = 1
Framed-MTU = 1400
State = 0x7c1635d37c172cabbfed43f879d27e85
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201007319800000006916030100640100006003014c03f848577401a841bd8e334e027c0676df1fc03a46a87e20441b00ff17942c000018002f00350005000ac013c014c009c00a00320038001300040100001f0000000b00090000066d617274696e000a0006000400170018000b00020100
Message-Authenticator = 0x132e26d65dac71087c2a041de66be471
+- entering group authorize
rlm_eap: EAP packet type response id 1 length 115
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 105
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0064], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 035f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.90.98 port 3072
EAP-Message =
0x726f6f7440646576322e69736572762e6575305c300d06092a864886f70d0101010500034b003048024100db6318cc3896336b22f774da30a94cf067b19e41f1252009857cd4f602b31a2e01924965f09f72ea06caf05a90703839b9db5d612c1e4801633909b8cc1c31c70203010001300d06092a864886f70d0101050500034100346403a767744cb21a8095d2f2e9da53dda88f0b30a77803a3babbae5d80b2942ef3e74d4b97084f2eb89280aadcbf7411562ddedaf4093e4a2102996e7bfa5d16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7c1635d37d142cabbfed43f879d27e85
Finished request 1.
Going to the next request
Waking up in 5.0 seconds.
rad_recv: Access-Request packet from host 192.168.90.98 port 3072, id=0, length=149
Cleaning up request 1 ID 0 with timestamp +23
User-Name = "martin"
NAS-IP-Address = 192.168.90.98
Called-Station-Id = "001d7ea22ebc"
Calling-Station-Id = "0026c6c479bc"
NAS-Identifier = "001d7ea22ebc"
NAS-Port = 1
Framed-MTU = 1400
State = 0x7c1635d37d142cabbfed43f879d27e85
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202001119800000000715030100020230
Message-Authenticator = 0x8db878e93c0f7d6931687e39c5ae3b06
+- entering group authorize
rlm_eap: EAP packet type response id 2 length 17
rlm_eap: Continuing tunnel setup.
++[eap] returns ok
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
TLS Length 7
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
rlm_eap_tls: SSL_read failed inside of TLS (-1), TLS session fails.
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [martin/<via Auth-Type = EAP>] (from client 192.168.90.0/24 port 1 cli 0026c6c479bc)
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> martin
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
expand: %{User-Name} -> martin
Exec-Program output:
Exec-Program: returned: 0
++[log_reject] returns ok
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 0 to 192.168.90.98 port 3072
EAP-Message = 0x04020004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4.9 seconds.
Cleaning up request 2 ID 0 with timestamp +23
Ready to process requests.
--
Kind regards,
Martin v. Wittich
IServ GmbH
Rebenring 33
38106 Braunschweig
Phone: +49 531 380 4450
E-Mail: martin.von.wittich at iserv.eu
Internet: http://www.iserv.eu
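The debug log above shows the failure only at the level of OpenSSL error strings. The EAP-Message attributes it prints carry the raw EAP-PEAP frames, and decoding them shows directly who aborted the handshake: the last Access-Request from the client contains a TLS Alert record (content type 0x15, level fatal, description 48 = unknown_ca), i.e. the Windows 7 supplicant rejected the server certificate chain before the server ever got to read a client certificate. The decoder below is an added example for this thread, not code from FreeRADIUS or from the original poster; the three sample values are copied from the log above, and the EAP/TLS code-point tables are the standard values from RFC 3748, RFC 5216 and RFC 5246.

```python
"""Decode EAP-Message attribute values as printed by radiusd -X.

Added example for reading the PEAP/TLS handshake out of a FreeRADIUS debug
log; it is not part of FreeRADIUS. Only EAP code/type fields, the EAP-TLS
flag byte and the outermost TLS record header/alert are decoded.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
              51: "decrypt_error", 70: "protocol_version"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone", 20: "Finished"}

# Constructed sample input: the EAP-Message values copied from the log above.
SAMPLES = {
    "identity": "0x0200000b016d617274696e",
    "peap_start": "0x010100061920",
    "client_hello": "0x0201007319800000006916030100640100006003014c03f848577401"
                    "a841bd8e334e027c0676df1fc03a46a87e20441b00ff17942c000018"
                    "002f00350005000ac013c014c009c00a00320038001300040100001f"
                    "0000000b00090000066d617274696e000a0006000400170018000b00"
                    "020100",
    "client_alert": "0x0202001119800000000715030100020230",
}


def decode_tls_record(rec: bytes) -> dict:
    """Parse one TLS record header plus the alert or handshake type byte."""
    if len(rec) < 5:
        raise ValueError("truncated TLS record header")
    ctype = rec[0]
    version = f"{rec[1]}.{rec[2]}"          # 3.1 is TLS 1.0
    rlen = int.from_bytes(rec[3:5], "big")
    body = rec[5:5 + rlen]
    out = {"content_type": TLS_CONTENT.get(ctype, ctype),
           "version": version, "length": rlen}
    if ctype == 21 and len(body) >= 2:     # Alert: level, description
        out["alert_level"] = "fatal" if body[0] == 2 else "warning"
        out["alert"] = TLS_ALERTS.get(body[1], body[1])
    elif ctype == 22 and body:             # Handshake: msg_type first
        out["handshake_type"] = HANDSHAKE.get(body[0], body[0])
    return out


def decode_eap(hex_value: str) -> dict:
    """Parse an EAP packet (RFC 3748) and, for TLS-based methods, its flags
    and the first TLS record carried in the fragment (RFC 5216 framing)."""
    raw = hex_value[2:] if hex_value.startswith("0x") else hex_value
    data = bytes.fromhex(raw)
    if len(data) < 4:
        raise ValueError("EAP header too short")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes")
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                     # Success/Failure have no type byte
        return result
    eap_type = data[4]
    payload = data[5:]
    result["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        result["identity"] = payload.decode("ascii", "replace")
    elif eap_type in (13, 21, 25):
        flags = payload[0]
        result["length_included"] = bool(flags & 0x80)
        result["more_fragments"] = bool(flags & 0x40)
        result["start"] = bool(flags & 0x20)
        pos = 1
        if flags & 0x80:                   # 4-byte total TLS message length
            result["tls_length"] = int.from_bytes(payload[1:5], "big")
            pos = 5
        tls = payload[pos:]
        if tls:
            result["tls_record"] = decode_tls_record(tls)
    return result


def handshake_verdict(hex_value: str) -> str:
    """One-line reading of a frame: who sent it and whether it is a fatal alert."""
    d = decode_eap(hex_value)
    rec = d.get("tls_record")
    side = "client" if d["code"] == "Response" else "server"
    if rec and rec["content_type"] == "Alert":
        return f"{side} sent {rec['alert_level']} alert {rec['alert']}"
    if rec:
        return f"{side} sent {rec['content_type']} {rec.get('handshake_type', '')}".strip()
    return f"{side} sent {d['type']}" + (" start" if d.get("start") else "")


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:13} {handshake_verdict(value)}")
```

Running the block prints one verdict per frame; the last one reads "client sent fatal alert unknown_ca", which is the same event the server logs as "TLS Alert read:fatal:unknown CA". That direction matters when troubleshooting: no server-side setting (verify_depth, CA_file, check_crl) changes a verdict the supplicant reaches on its own, so the fix has to be a server certificate chain the client trusts, or the client's validation settings.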