Cisco AP + MySql + EAPTLS

Esteban TALAVERA etalaveran at gmail.com
Tue Sep 14 00:53:47 CEST 2010


Hi

I have installed freeradius recently with MySQL and tested it successfully to
authenticate VTY sessions on Cisco routers and switches.

However, my configuration with EAP_TLS is not working properly.

I use a Cisco AP

I created and copied the certificates to a Windows XP SP3 laptop to test if
everything is OK, but in "freeradius -X" mode I got a lot of messages and
none gives me the reason for the problem.

The AP says authentication failed; the RADIUS server sends the challenge
and waits, and later cleans up all requests and "becomes" ready to process requests.

Here is a portion of the output of the RADIUS activity.

It appears that the certificates are accepted, but the XP stations continue trying
to authenticate.

THANKS

=====================================
rad_recv: Access-Request packet from host 10.10.10.5 port 1645, id=16,
length=176
User-Name = "prueba1 at mydomain"
Framed-MTU = 1400
Called-Station-Id = "a8b1.d422.d432"
Calling-Station-Id = "0019.d20c.4ed4"
Service-Type = Login-User
Message-Authenticator = 0x7c4ac4a412db3b9cfba443de50792eed
EAP-Message = 0x0202001b01707275656261314062616e636f706c617a612e636f6d
NAS-Port-Type = Wireless-802.11
NAS-Port = 19153
NAS-Port-Id = "19153"
NAS-IP-Address = 10.10.10.5
NAS-Identifier = "AP_CISCO"
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "mydomain.com" for User-Name = "prueba1 at mydomain"
[suffix] No such realm "mydomain"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> prueba1 at mydomain
[sql] sql_set_user escaped user --> 'prueba1 at mydomain'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id
-> SELECT id, username, attribute, value, op           FROM
radcheck           WHERE username = 'prueba1 at mydomain'           ORDER BY id

[sql] expand: SELECT groupname           FROM radusergroup           WHERE
username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT
groupname           FROM radusergroup           WHERE username =
'prueba1 at mydomain'           ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,           Value, op
FROM radgroupcheck           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           Value,
op           FROM radgroupcheck           WHERE groupname = 'TI'
ORDER BY id
[sql] User found in group TI
[sql] expand: SELECT id, groupname, attribute,           value, op
FROM radgroupreply           WHERE groupname = '%{Sql-Group}'
ORDER BY id -> SELECT id, groupname, attribute,           value,
op           FROM radgroupreply           WHERE groupname = 'TI'
ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 16 to 10.10.10.5 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x765770697654693c62d8b4b34c9394a6
Finished request 0.
Going to the next request
.
.
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 05c7], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0082], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 18 to 10.10.10.5 port 1645
.
.
.
[tls] --> verify return:1
[tls]     TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls]     TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify
[tls]     TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls]     TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls]     TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls]     TLS_accept: SSLv3 write finished A
[tls]     TLS_accept: SSLv3 flush data
[tls]     (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 20 to 10.10.10.5 port 1645
EAP-Message =
0x010700900099090099099999010001011603010020164176d954d98c1d1daf5753815c720f6ef0f6e55dc05b2d682f44342e259e66

Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7657706972507d3c62d8b4b34c9394a6
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +7
Cleaning up request 1 ID 17 with timestamp +7
Cleaning up request 2 ID 18 with timestamp +7
Cleaning up request 3 ID 19 with timestamp +7
Cleaning up request 4 ID 20 with timestamp +7
Ready to process requests.
=====================================

-- 

*Esteban Talavera*
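Added example, not part of the post above: a small decoder for the EAP-Message hex strings that `freeradius -X` prints (the `0x010300061920` challenge in the transcript decodes to an EAP Request, id 3, length 6, type 25 with the Start flag set) and a classifier that walks a transcript and reports whether the client answered after `SSL Connection Established`. The `SAMPLE_LOG` lines are constructed to mirror the shape of the transcript in the post.

```python
"""Added helper: decode EAP-Message attributes from a `freeradius -X`
transcript and classify how an EAP-TLS session ended."""

# EAP codes and type numbers (RFC 3748, RFC 5216; PEAP is type 25).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}

def decode_eap_message(hex_str):
    """Parse code/id/length/type of an EAP-Message; for Identity return the
    identity string, for TLS-based types split out the L/M/S flag bits."""
    raw = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) >= 5:
        eap_type = raw[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            out["identity"] = raw[5:length].decode("utf-8", "replace")
        elif eap_type in (13, 25):
            flags = raw[5] if len(raw) > 5 else 0
            out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20)}
    return out

def session_outcome(lines):
    """'accepted' if an Access-Accept went out; 'client-silent-after-handshake'
    if TLS completed, a challenge was sent and the requests were then cleaned
    up with no reply; otherwise 'handshake-incomplete'."""
    established = accepted = challenged = cleaned = False
    for line in (l.strip() for l in lines):
        if line == "SSL Connection Established":
            established = True
        elif established and line.startswith("Sending Access-Challenge"):
            challenged = True
        elif line.startswith("Sending Access-Accept"):
            accepted = True
        elif line.startswith("Cleaning up request"):
            cleaned = True
    if accepted:
        return "accepted"
    if established and challenged and cleaned:
        return "client-silent-after-handshake"
    return "handshake-incomplete"

# Constructed transcript fragment shaped like the one in the post above.
SAMPLE_LOG = [
    "[tls]     (other): SSL negotiation finished successfully",
    "SSL Connection Established",
    "Sending Access-Challenge of id 20 to 10.10.10.5 port 1645",
    "Cleaning up request 4 ID 20 with timestamp +7",
]
```

A result of `client-silent-after-handshake` means the server side finished TLS and sent its final challenge but never received a reply, so the server debug has nothing more to show and the next place to look is the supplicant's own log.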
