EAP-PEAP fatal unknown_ca

westwood yczxwestwood at gmail.com
Sat Nov 6 08:21:41 CET 2010


freeradius 2.1.8
1. Win7 + Protected EAP (PEAP) + WPA-Enterprise (laptop name: leeyu-laptop)
2. I have installed ca.der on the Win7 and WinXP machines.
3. WinXP + Protected EAP (PEAP) + CA tests successfully, but Win7 fails.
The error happened before Win7 prompted me to enter the
username and password. freeradius debug:


Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file
/usr/local/freeradius//var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=144,
length=191
        User-Name = "host/Leeyu-Laptop"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00195b04c9e2"
        Calling-Station-Id = "001e659fc674"
        NAS-Identifier = "Realtek Access Point. 8181"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200001601686f73742f4c656579752d4c6170746f70
        Message-Authenticator = 0x2cca1e2672315cf4764cc0fd2544dfe3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm
NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 0 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[sql_oracle]    ... expanding second conditional
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[sql_oracle]    expand: %{User-Name:-DEFAULT} -> host/Leeyu-Laptop
[sql_oracle]    expand: %{Stripped-User-Name:-%{User-Name:-DEFAULT}} ->
host/Leeyu-Laptop
[sql_oracle] sql_set_user escaped user --> 'host/Leeyu-Laptop'
rlm_sql (sql_oracle): Reserving sql socket id: 18
[sql_oracle]    expand: SELECT id,UserName,Attribute,Value,op FROM radcheck
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'host/Leeyu-Laptop' ORDER BY id
[sql_oracle] User found in radcheck table
[sql_oracle]    expand: SELECT id,UserName,Attribute,Value,op FROM radreply
WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT
id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'host/Leeyu-Laptop' ORDER BY id
[sql_oracle]    expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE
UserName='host/Leeyu-Laptop'
rlm_sql (sql_oracle): Released sql socket id: 18
++[sql_oracle] returns ok
[bklist] No Max-Attempts defined.
++[bklist] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 144 to 192.168.0.1 port 3075
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x246ddb0b246cc225aad5e24c6756cf9c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=145,
length=307
        User-Name = "host/Leeyu-Laptop"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00195b04c9e2"
        Calling-Station-Id = "001e659fc674"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message =
0x0201007e198000000074160301006f0100006b03014cd4fdcd261077436d24f643f2f64fd5b4c4cb53d980a2f2400f17f2fd6205e8000018002f00350005000ac013c014c009c00a00320038001300040100002aff0100010000000011000f00000c6c656579752d6c6170746f70000a0006000400170018000b00020100
        State = 0x246ddb0b246cc225aad5e24c6756cf9c
        Message-Authenticator = 0x08b295f4b9501d45e89fda21cf14c8ad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm
NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 1 length 126
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 116
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006f], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085c], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 145 to 192.168.0.1 port 3075
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = 0x0ac70004a8308204a4308203
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x246ddb0b256fc225aad5e24c6756cf9c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=146,
length=187
        User-Name = "host/Leeyu-Laptop"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00195b04c9e2"
        Calling-Station-Id = "001e659fc674"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020200061900
        State = 0x246ddb0b256fc225aad5e24c6756cf9c
        Message-Authenticator = 0xafa36e7177fb2841b5512080ba8fa1f6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm
NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 146 to 192.168.0.1 port 3075
        EAP-Message =
0x010303fc19408ca003020102020900a82c41eeeb4a4d37300d06092a864886f70d0101050500308192310b300906035504061302434e3110300e060355040813074361706974656b3110300e060355040713074265696a696e6731153013060355040a130c4361706974656b20496e632e3120301e06092a864886f70d010901161161646d696e404361706974656b2e636f6d312630240603550403131d4361706974656b20436572746966696361746520417574686f72697479301e170d3130313032333039333434365a170d3131313032333039333434365a308192310b300906035504061302434e3110300e060355040813074361706974656b
        EAP-Message =
0x3110300e060355040713074265696a696e6731153013060355040a130c4361706974656b20496e632e3120301e06092a864886f70d010901161161646d696e404361706974656b2e636f6d312630240603550403131d4361706974656b20436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100b2d3f0c5f84705f3b0aec33fdcc4d9a052e18fbe093c2a3e147725a85f48153b57bb2cdd3d664a2882e49283cb928f0d7433dbed09bc6f8ed1082bd63ed64e8d6325181bc1124cecb84b9a9e2a143b9fc7562848c826476367e476f530d7d320d774218490b24b0d54
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = 0x6d1762af9cc32f77
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x246ddb0b266ec225aad5e24c6756cf9c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=147,
length=187
        User-Name = "host/Leeyu-Laptop"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00195b04c9e2"
        Calling-Station-Id = "001e659fc674"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x020300061900
        State = 0x246ddb0b266ec225aad5e24c6756cf9c
        Message-Authenticator = 0x09cd348a564b11f4a1a5ee3f8aad59a8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm
NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 147 to 192.168.0.1 port 3075
        EAP-Message =
0x010400ba1900f2af5e0bbbca5b63619eda4eafebcc8ce7dd49123dec621a9ee82327050c940e017b605759c85305c408f8e295be432e983bc762c496a9d45daa7044bfb8914236f4a38e213c5f16ac998128ca6f463e57823c7ed2e85ede9522f53be56f523460033146a70d509fa700ea0d7b139040adece74cd15c33064e4604d955a0cdbdfca05de47f8dd88d49935506ed4e61e8beb817af9ba7b135faa8ed6f63239f855d144a1887b38ee114f4a916030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x246ddb0b2769c225aad5e24c6756cf9c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=148,
length=198
        User-Name = "host/Leeyu-Laptop"
        NAS-IP-Address = 192.168.0.1
        NAS-Port = 0
        Called-Station-Id = "00195b04c9e2"
        Calling-Station-Id = "001e659fc674"
        NAS-Identifier = "Realtek Access Point. 8181"
        NAS-Port-Type = Wireless-802.11
        Service-Type = Framed-User
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0204001119800000000715030100020230
        State = 0x246ddb0b2769c225aad5e24c6756cf9c
        Message-Authenticator = 0x540a124a43aaa2b5ab81e6c6c5ae9452
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm
NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 4 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[bklist] returns noop
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[sql_oracle]    ... expanding second conditional
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man
unlang" for details
[sql_oracle]    expand: %{User-Name:-DEFAULT} -> host/Leeyu-Laptop
[sql_oracle]    expand: %{Stripped-User-Name:-%{User-Name:-DEFAULT}} ->
host/Leeyu-Laptop
[sql_oracle] sql_set_user escaped user --> 'host/Leeyu-Laptop'
[sql_oracle]    expand:  INSERT INTO radpostauth
(username, pass, reply, authdate)                           VALUES
(                           '%{SQL-User-Name}',
'<Crypted>',                             '%{reply:Packet-Type}',
TO_DATE('%S','yyyy-mm-dd hh24:mi:ss')) ->  INSERT INTO
radpostauth                          (username, pass, reply,
authdate)                           VALUES (
'host/Leeyu-Laptop',
'<Crypted>',                             'Access-Reject',
TO_DATE('2010-11-06 15:04:59','yyyy-mm-dd hh24:mi:ss'))
rlm_sql (sql_oracle) in sql_postauth: query is  INSERT INTO
radpostauth                          (username, pass, reply,
authdate)                           VALUES (
'host/Leeyu-Laptop',
'<Crypted>',                            'Access-Reject', TO_DATE('2010-11-06
15:04:59','yyyy-mm-dd hh24:mi:ss'))
rlm_sql (sql_oracle): Reserving sql socket id: 17
rlm_sql (sql_oracle): Released sql socket id: 17
++[sql_oracle] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> host/Leeyu-Laptop
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 148 to 192.168.0.1 port 3075
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 144 with timestamp +3
Cleaning up request 1 ID 145 with timestamp +3
Cleaning up request 2 ID 146 with timestamp +3
Cleaning up request 3 ID 147 with timestamp +3
Waking up in 1.0 seconds.
Cleaning up request 4 ID 148 with timestamp +3
Ready to process requests.
WinXP does not send its hostname to the RADIUS server, but Win7 does. How
did this happen?
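The alert in the debug output is received by the server (the `<<<` direction) in the flight where OpenSSL is waiting for the client's next handshake message (`read client certificate A`), so it is the Win7 supplicant refusing the certificate chain radiusd presented, not the server rejecting the client. The script below is an added example for this thread, not part of the original post and not FreeRADIUS code: it decodes the `EAP-Message` hex values that `radiusd -X` prints, walking the EAP header, the PEAP flags/length header and the outer TLS record, so that the alert description byte (`0x30` = 48 = unknown_ca) and the server_name extension in the plaintext ClientHello can be read off the dump. `SAMPLE_LOG` holds EAP-Message values copied from the debug output above; the one short fragment packet used in the test is constructed.

```python
"""Decode EAP-Message values from a FreeRADIUS debug log.  Added example for this
thread (not FreeRADIUS code, not the poster's): walks the EAP header, the PEAP
flags/length header and the outer TLS record, so the 'fatal unknown_ca' alert and
the SNI in the ClientHello can be read off the hex dumps.  SAMPLE_LOG is copied
from the post's debug output."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied", 51: "decrypt_error"}


def client_hello_sni(body):
    """Return the server_name extension of a plaintext ClientHello body, or None."""
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                               # compression methods
    if pos + 2 > len(body):
        return None                                    # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == 0:   # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", body[pos + 7:pos + 9])[0]
            return body[pos + 9:pos + 9 + name_len].decode("ascii", "replace")
        pos += 4 + ext_len
    return None


def parse_tls_records(data):
    """Split data into outer TLS records; stop at the first incomplete one."""
    records, pos, encrypted = [], 0, False
    while pos + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[pos:pos + 5])
        if ctype not in TLS_CONTENT or ver >> 8 != 3 or pos + 5 + length > len(data):
            break
        body = data[pos + 5:pos + 5 + length]
        rec = {"type": TLS_CONTENT[ctype], "length": length}
        if ctype == 20:
            encrypted = True                           # later records are ciphertext
        elif ctype == 21 and length == 2:              # plaintext alert: level, description
            rec["alert"] = ("fatal" if body[0] == 2 else "warning",
                            ALERT_DESC.get(body[1], "alert(%d)" % body[1]))
        elif ctype == 22 and not encrypted:
            rec["handshake"] = HANDSHAKE.get(body[0], "type(%d)" % body[0])
            if body[0] == 1:
                rec["sni"] = client_hello_sni(body)
        records.append(rec)
        pos += 5 + length
    return records, data[pos:]


def parse_eap(hexstr):
    """Decode one EAP-Message value ('0x...' as printed by the debug log)."""
    pkt = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    info = {"code": EAP_CODES.get(code, "code(%d)" % code), "id": ident, "length": length}
    if length != len(pkt):
        info["warning"] = "length field %d but %d bytes present" % (length, len(pkt))
    if code in (3, 4) or len(pkt) <= 4:
        return info                                    # Success/Failure carry no Type
    etype = pkt[4]
    info["type"] = EAP_TYPES.get(etype, "type(%d)" % etype)
    if etype == 1:
        info["identity"] = pkt[5:].decode("ascii", "replace")
    if etype not in (13, 21, 25):
        return info
    flags = pkt[5]                                     # L=0x80 M=0x40 S=0x20, low 3 bits: version
    info["flags"] = "".join(n for b, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & b)
    info["version"] = flags & 0x07
    pos = 10 if flags & 0x80 else 6                    # L: 4-byte total TLS message length follows
    if flags & 0x80:
        info["tls_total_length"] = struct.unpack("!I", pkt[6:10])[0]
    data = pkt[pos:]
    if not data:
        info["kind"] = "start" if flags & 0x20 else "ack"
        return info
    info["records"], leftover = parse_tls_records(data)
    info["kind"] = "tls" if info["records"] and not leftover else "fragment"
    return info


def first_alert(log_lines):
    """Return (eap_id, level, description) of the first TLS alert in 'EAP-Message = 0x..' lines."""
    for line in log_lines:
        if "EAP-Message = 0x" in line:
            info = parse_eap(line.split("= ", 1)[1].strip())
            for rec in info.get("records", []):
                if "alert" in rec:
                    return info["id"], rec["alert"][0], rec["alert"][1]
    return None


SAMPLE_LOG = [  # EAP-Message values copied from the post's debug output
    "EAP-Message = 0x0200001601686f73742f4c656579752d4c6170746f70",  # Identity response
    "EAP-Message = 0x010100061920",                                  # PEAP Start (S flag)
    "EAP-Message = 0x0201007e198000000074160301006f0100006b03014cd4fdcd261077436d24f643f2f64fd5"
    "b4c4cb53d980a2f2400f17f2fd6205e8000018002f00350005000ac013c014c009c00a00320038001300040100"
    "002aff0100010000000011000f00000c6c656579752d6c6170746f70000a0006000400170018000b00020100",
    "EAP-Message = 0x020200061900",                                  # bare ACK
    "EAP-Message = 0x0204001119800000000715030100020230",            # the fatal alert
    "EAP-Message = 0x04040004",                                      # EAP Failure
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(parse_eap(line.split("= ", 1)[1]))
    print("first alert:", first_alert(SAMPLE_LOG))
```

The alert packet decodes to an EAP Response, id 4, type PEAP, flag L with a 7-byte TLS message holding one Alert record (fatal, unknown_ca); the ClientHello decodes with `sni` = `leeyu-laptop`, the hostname the post notices Win7 sending. The script only decodes the outer TLS records, so anything after a ChangeCipherSpec is reported as opaque, and here the inner EAP exchange never starts because the tunnel fails first. The practical check is on the client side: the Win7 supplicant sends unknown_ca when the certificate chain radiusd presents does not lead to a CA it trusts for this profile, so compare the CA that issued the server certificate with what was actually imported from ca.der on that machine.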