Problem with EAP-TLS authentication in Freeradius 2.1.0
senthil kumar
mailbsk at gmail.com
Fri Apr 8 09:04:50 CEST 2011
Hi All,
I am using Freeradius 2.1.0.
PEAP/TTLS is working fine, but I am facing a problem with TLS
authentication. I am able to generate the certificate, but while connecting it
throws an authentication error.
Please let me know how to debug it.
rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6,
length=147
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060d00
Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message =
EAP-Message = 0x01024000720070306e310b30
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6,
length=147
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060d00
Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4908
EAP-Message =
0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
Finished request 157.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6,
length=154
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204000d0d001503010002012a
Message-Authenticator = 0x782f15b2fce0fe49f406f1cb224b1ccf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
SSL Application Data
TLS failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> maemo at nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 158 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6,
length=136
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204000d0d001503010002020a
Message-Authenticator = 0x542730d7c53937fe5e038692a71646ff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> maemo at nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 159 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 146 ID 6 with timestamp +2141
Cleaning up request 147 ID 6 with timestamp +2141
Waking up in 0.5 seconds.
Sending delayed reject for request 158
Sending Access-Reject of id 6 to 192.168.1.1 port 4910
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Sending delayed reject for request 159
Sending Access-Reject of id 6 to 192.168.1.1 port 4912
Waking up in 1.1 seconds.
Cleaning up request 148 ID 6 with timestamp +2143
Cleaning up request 149 ID 6 with timestamp +2143
Cleaning up request 150 ID 6 with timestamp +2143
Cleaning up request 151 ID 6 with timestamp +2143
Waking up in 1.0 seconds.
Cleaning up request 152 ID 6 with timestamp +2143
Cleaning up request 153 ID 6 with timestamp +2143
Waking up in 1.7 seconds.
Cleaning up request 154 ID 6 with timestamp +2146
Cleaning up request 155 ID 6 with timestamp +2146
Cleaning up request 156 ID 6 with timestamp +2146
Cleaning up request 157 ID 6 with timestamp +2146
Waking up in 1.0 seconds.
Cleaning up request 158 ID 6 with timestamp +2146
Cleaning up request 159 ID 6 with timestamp +2146
--
"Adversity always presents opportunity for Introspection"
Regards
Senthil
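Added example, not code from the original post or from FreeRADIUS: a small Python decoder for the EAP-Message values printed in a trace like the one above. It walks the EAP header (code, id, length), the EAP-TLS type and flags byte, and, where the fragment actually starts a TLS record, the record header and alert payload. The sample trace embedded below is copied from the lines above; alert numbers follow RFC 5246. Run over this trace it shows that the two 13-byte responses with id 4 carry TLS alert records, warning/bad_certificate (42) and then fatal/unexpected_message (10), and that the empty EAP-TLS packets are ACKs. Since those alerts arrive inside Access-Requests and the server logs them as reads, it is the supplicant that is rejecting a certificate it received from the server, so the thing to check is the server's certificate chain and the CA the supplicant trusts, not the client certificate.

```python
import re

# Constructed decoder for the hex EAP-Message values printed by radiusd -X.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset of RFC 5246 section 7.2, enough for diagnostics
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}


def decode_eap_message(hexstr):
    """Decode one EAP-Message attribute value into a dict of its fields."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident, "length": length}
    if length == 4:                       # Success/Failure carry no type byte
        return msg
    msg["type"] = data[4]
    if data[4] != EAP_TYPE_TLS:
        return msg
    flags = data[5]
    msg["flags"] = {"L": bool(flags & 0x80),   # TLS message length field present
                    "M": bool(flags & 0x40),   # more fragments follow
                    "S": bool(flags & 0x20)}   # EAP-TLS start
    payload = data[6:]
    if msg["flags"]["L"]:
        if len(payload) < 4:
            raise ValueError("L flag set but no TLS message length field")
        msg["tls_message_length"] = int.from_bytes(payload[:4], "big")
        payload = payload[4:]
    msg["ack"] = flags == 0 and not payload   # empty EAP-TLS packet is an ACK
    msg["fragment_hex"] = payload.hex()
    # Decode a record header only when the fragment plausibly starts one; a
    # continuation fragment (the middle of a Certificate message) does not.
    if len(payload) >= 5 and payload[0] in TLS_CONTENT_TYPES and payload[1] == 3:
        rec_len = int.from_bytes(payload[3:5], "big")
        rec = {"content_type": TLS_CONTENT_TYPES[payload[0]],
               "version": TLS_VERSIONS.get((payload[1], payload[2]), "unknown"),
               "length": rec_len}
        if payload[0] == 21 and rec_len == 2 and len(payload) >= 7:
            rec["alert"] = (ALERT_LEVELS.get(payload[5], str(payload[5])),
                            ALERT_DESCRIPTIONS.get(payload[6], f"alert {payload[6]}"))
        msg["tls_record"] = rec
    return msg


EAP_LINE = re.compile(r"EAP-Message\s*=\s*(0x[0-9a-fA-F]+)")


def find_tls_alerts(trace):
    """Return (eap_id, level, description) for every TLS alert in a trace."""
    alerts = []
    for m in EAP_LINE.finditer(trace):
        try:
            msg = decode_eap_message(m.group(1))
        except ValueError:
            continue                      # truncated or malformed value, skip it
        rec = msg.get("tls_record", {})
        if "alert" in rec:
            alerts.append((msg["id"], *rec["alert"]))
    return alerts


# Sample trace lines copied from the debug output above.
SAMPLE_TRACE = """\
EAP-Message = 0x020200060d00
EAP-Message = 0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
EAP-Message = 0x0204000d0d001503010002012a
EAP-Message = 0x0204000d0d001503010002020a
EAP-Message = 0x04040004
"""

if __name__ == "__main__":
    for hit in find_tls_alerts(SAMPLE_TRACE):
        print("EAP id %d: TLS alert %s/%s" % hit)
```

Pipe a full `radiusd -X` capture into `find_tls_alerts` to get the alert sequence without reading the whole trace; the first alert with its EAP id is usually the request worth examining.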