Problem with EAP-TLS authentication in Freeradius
senthil kumar
mailbsk at gmail.com
Tue Apr 26 07:38:34 CEST 2011
Hi All,
I am using Freeradius 2.1.0.
PEAP/TTLS is working fine, but I am facing a problem with TLS
authentication. I am able to generate the certificate, but while connecting it
throws an authentication error.
Can someone send me client.cnf and server.cnf? Also, let me
know whether installing only the client certificate is enough, or whether we need to install
ca.pem on the client side as well.
Please let me know how to debug it.
rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6,
length=147
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200060d00
Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
EAP-Message = 0x01024000720070306e310b30
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6,
length=147
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300060d00
Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4908
EAP-Message =
0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
Finished request 157.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6,
length=154
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204000d0d001503010002012a
Message-Authenticator = 0x782f15b2fce0fe49f406f1cb224b1ccf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
SSL Application Data
TLS failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> maemo at nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 158 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6,
length=136
User-Name = "maemo at nokia.com"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "0023692c6f74"
Calling-Station-Id = "0025d05b72ab"
NAS-Identifier = "0023692c6f74"
NAS-Port = 2
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0204000d0d001503010002020a
Message-Authenticator = 0x542730d7c53937fe5e038692a71646ff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "maemo at nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
expand: %{User-Name} -> maemo at nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 159 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 146 ID 6 with timestamp +2141
Cleaning up request 147 ID 6 with timestamp +2141
Waking up in 0.5 seconds.
Sending delayed reject for request 158
Sending Access-Reject of id 6 to 192.168.1.1 port 4910
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Sending delayed reject for request 159
Sending Access-Reject of id 6 to 192.168.1.1 port 4912
Waking up in 1.1 seconds.
Cleaning up request 148 ID 6 with timestamp +2143
Cleaning up request 149 ID 6 with timestamp +2143
Cleaning up request 150 ID 6 with timestamp +2143
Cleaning up request 151 ID 6 with timestamp +2143
Waking up in 1.0 seconds.
Cleaning up request 152 ID 6 with timestamp +2143
Cleaning up request 153 ID 6 with timestamp +2143
Waking up in 1.7 seconds.
Cleaning up request 154 ID 6 with timestamp +2146
Cleaning up request 155 ID 6 with timestamp +2146
Cleaning up request 156 ID 6 with timestamp +2146
Cleaning up request 157 ID 6 with timestamp +2146
Waking up in 1.0 seconds.
Cleaning up request 158 ID 6 with timestamp +2146
Cleaning up request 159 ID 6 with timestamp +2146
Regards
Senthil
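As an added example (not part of the original post), the following Python decoder reads the EAP-Message hex values from the debug log above and names the TLS alert carried inside them. Decoding the value from the third request (0x0204000d0d001503010002012a) gives a warning bad_certificate alert arriving from the client, which is the same failure the "[tls] <<< TLS 1.0 Alert" line reports. The alert codes are the RFC 5246 values; the sample inputs are copied from the log.

```python
# Added example, not code from the original post: decode FreeRADIUS
# EAP-Message attribute values and name any TLS Alert they carry.
EAP_CODES = {1: "request", 2: "response", 3: "success", 4: "failure"}
EAP_TLS_TYPE = 13          # EAP method type for EAP-TLS
TLS_ALERT_RECORD = 0x15    # TLS record content type "alert"
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# RFC 5246 AlertDescription values that matter for certificate handshakes.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error",
}

def decode_eap_message(hex_value):
    """Return a dict describing one EAP-Message value as logged by radiusd -X."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        info["type"] = data[4]
    if info.get("type") == EAP_TLS_TYPE and length >= 6:
        flags = data[5]
        info["eap_tls"] = {"length_included": bool(flags & 0x80),
                           "more_fragments": bool(flags & 0x40),
                           "start": bool(flags & 0x20)}
        payload = data[6:]
        info["tls_ack"] = len(payload) == 0      # empty EAP-TLS payload = TLS ACK
        if len(payload) >= 7 and payload[0] == TLS_ALERT_RECORD:
            version = f"{payload[1]}.{payload[2]}"   # 3.1 is TLS 1.0
            level, desc = payload[5], payload[6]
            info["tls_alert"] = {"version": version,
                                 "level": ALERT_LEVELS.get(level, str(level)),
                                 "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}
    return info

if __name__ == "__main__":
    # Values copied from the log in the post: a TLS ACK, then two alerts.
    for value in ("0x020200060d00", "0x0204000d0d001503010002012a",
                  "0x0204000d0d001503010002020a"):
        print(value, "->", decode_eap_message(value))
```

A bad_certificate alert sent by the supplicant means the client rejected the certificate chain the server presented, which is what the question about installing ca.pem on the client side comes down to.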