No EAP/TLS with XP SP3 since End December
Alexandros Gougousoudis
gougousoudis-list at servicecenter-khs.de
Mon Jan 3 10:40:38 CET 2011
Hi,
I had a working FreeRadius 1.1.6 installation and running XP Pro SP3
with EAP/TLS on an Ethernet-Port. I use Linksys switches as
authenticators. I think since end December (after I went into the xmas
holidays) the Radius-Auth stopped working. I changed nothing at the
Freeradius-Server. I suspect an MS-Update, major-security updates are
rolled out automatically here. But I don't know which one.
I made a debug with radiusd -X -A. The conversation looks normal, but at
the end, I miss the "Login OK" Statement, it looks like the conversation
is not finished and falls asleep. I don't see an error. Can anyone look
over it please to give me a hint, where to look?
TIA
Alex
Debug:
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=101
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
EAP-Message = 0x0217001701686f73742f6866732d3038303830362d3032
Message-Authenticator = 0xcd421dbdb5fcc2e7692fe75fcbfd5892
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_eap: EAP packet type response id 23 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message = 0x011800060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x793054942f9417f5a0886c08dd4a0e4e
Finished request 6
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=183
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0x793054942f9417f5a0886c08dd4a0e4e
EAP-Message =
0x021800570d800000004d16030100480100004403014d219685836869e950cfbb8e7ae7a18a95c8871d059171695d24fd163d12cec600001600040005000a0009006400620003000600130012006301000005ff01000100
Message-Authenticator = 0x714b3ff58781c8329f0cebcbf99bc3e2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
modcall[authorize]: module "preprocess" returns ok for request 7
modcall[authorize]: module "mschap" returns noop for request 7
rlm_eap: EAP packet type response id 24 length 87
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0048], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0ed5], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00bd], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x0119040a0dc000000feb160301004a0200004603014d2195c9e75e9057262ca89fcdd70206a44718c85887fd8a1ee0267568b1cee120013b9c1ff336b6d8838eeb017dbf377c9c69f6e387eeda5ee9daedd8336849600004001603010ed50b000ed1000ece00075c3082075830820540a003020102020162300d06092a864886f70d01010505003081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543
EAP-Message =
0x656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3037303831333038333434385a170d3132303831313038333434385a308189310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312730250603550403131e7261646975732e76657277616c74756e672e6b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082
EAP-Message =
0x020a02820201009d061598c850223454cb70a58cae0a1ac2db0b6a963d25c96c632b1eb2a9177e3e8a066fa9c3596c4a1b035def3b6c589a12209a6d7ab7aa4144de890803c34cb5239cdb3b7266426049d475ed3e354fe494dee46a17e7478065c7332f6ac621d9b754d46812dc4ffda7a39bf33987fbe6951a591aee791c9468cc70f5a821683640675bafea24fe5291d6750c30a1b0a4c52cbeb6a18ce514038432f3dc83ce12657de67976dff9a7643b7ad340240e5e69385355b64d3e77f4bb0dfbc8fd63258a308c2a6e82f9c0c92e7e4ccadf848cc3bb57d592dcf46930c794fa0b338c9db103b9a7162352ff8cac3b680d64ec0b865bf74778
EAP-Message =
0x839cd1530d79ba553a2bd9ffb112534cd758bb3b3dba26037ed1c158089af8903e9f5b684061ddd413fb192cfc5024c03b177184101d68bc7111ccdcb6bee8c98d1642bbc547e8211dab2fd5d45488da089a17edaa9b4dd4357d4adcb0e33553210a5ad0e84edc9f9a769297649672d5f78e2f3687e99c411abea88e0363fe1afb7dcf05a8838ef07cec88337f903a94a6207893b5e9ff80441a12b6847ff008eb8c257878f6711a8f8c053315d4ae87b36661cdee73a3cbaca92d14f480804c7476d36665c417db9c954795423ca49de599eb3ed3a6cc55f03bad529359b0a55e5bffa9cf65b3034d48c263c491b24ad9f9f74b6ea9cea17710efc22b
EAP-Message = 0xc0d77f58b0a5d3589ab19f13f90203010001a38201a6
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdd9f396cf15641e0754754ce9e335224
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=102
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0xdd9f396cf15641e0754754ce9e335224
EAP-Message = 0x021900060d00
Message-Authenticator = 0x575c7e249430d63e09b6143649ca5d05
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
modcall[authorize]: module "mschap" returns noop for request 8
rlm_eap: EAP packet type response id 25 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 8
modcall: leaving group authenticate (returns handled) for request 8
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x011a040a0dc000000feb308201a230090603551d1304023000301106096086480186f8420101040403020640302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d0e0416041442a94a9f048871b178d41a5d00a5668e78c045ff3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543
EAP-Message =
0x656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005301d0603551d1204163014811273632d6974406b682d6265726c696e2e6465301d0603551d1104163014811273632d6974406b682d6265726c696e2e646530160603551d250101ff040c300a06082b06010505070301300d06092a864886f70d0101050500038202010027ddc002c4835bb38b2152a1b93fc65419a91436bcd3e9e4f37b0eaf35498333305a12229d454d797f8cd3e678f0e73467237638ddec
EAP-Message =
0x79c4e1f00fc72f18d51dc7658843c2855f5dcb3cc13b10730a5d9f99992e4924d9e28e1f7d12d285d815c734f8c63815124e5cc49d15777d233f7e3b1133c0773d3703e10a70203dc3557185bf629d1d2482d548d3b56f6ca28b7555b971c00899395a5c23a1378f495acbfe162b6929e63bd5c3bb20bb4268d9269235451378e34fde7df5a9392595a3d8c8d889e90a7dc934dce6d61b5cdec3f6652de92ba8786f4a0dffb00a0306873ecd695681eef4ec7cd5861dace26b6504f1ad1899f199ce4a121a3a37197ffe8145e4aee40b6a3fd627088908db8650557b984d447f3c65a6a697672bd242e260493073ee5532d2f4e3c6907332808995a54f
EAP-Message =
0xa0c690bd3bdc09c2872280185e5a1e4b999241374ceaf16233fd91b124a65652bfd76cdc0735a06c4fb0197a919ad53d4f2953194e5c8def3884a10e95905dbe338dd2fdb9b997114a023866731016ed5195940ff9f8b1c85994c3fc52e6226d93e8bdebefed24376bae1c923813ea1b7c1d8bc5547a82258696ee03b2ee3b03bff43f28bd340219aaa58bfd28d6767c54269fe907b196157db92c807c693e3f01c81af0145b66af36ae839b4d8add58891ee3a64428c285942cc38c151b113084e252c094f196ab2927078fd100076c3082076830820550a003020102020900890d6f61ac0ce005300d06092a864886f70d01010505003081aa310b30
EAP-Message = 0x09060355040613024445310f300d0603550408130642
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x805e028e859aa0f88cfd562748aaba95
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=102
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0x805e028e859aa0f88cfd562748aaba95
EAP-Message = 0x021a00060d00
Message-Authenticator = 0xb2e0f50abf1596f8862ed87864157eda
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
modcall[authorize]: module "mschap" returns noop for request 9
rlm_eap: EAP packet type response id 26 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 9
modcall: leaving group authorize (returns updated) for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 9
modcall: leaving group authenticate (returns handled) for request 9
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x011b040a0dc000000feb65726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465301e170d3035303930353038303532355a170d3135303930333038303532355a3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048
EAP-Message =
0x664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e646530820222300d06092a864886f70d01010105000382020f003082020a0282020100c4e58d7b46104aaed067a7f4e2c0bce5fd30388b52102731e8ae991947c14547ca41753f07ee2f50c4374b00950c83165fce3e38cdf4b4749dce3641ce01e450a7f1e53de6997ac4a19b93cc212b2cfb5425c7b1421b89951478dadba32ce7c00421c9791d1af1b38e9ce04141c724d866
EAP-Message =
0xfb11c06bd13a626f830825d002beccae484fcaa3840fdab94afdd1e454155451678ecb4ae36c1628afce08a8622736e5f29360512174ffa60a3a713794d781efa85d83c6df6cc78262910cb757c515450569cd668cdb29a709e3f8d52dde54c69e2b84b0be385347948e360e4095499957b42d0a918cbc647a2377c0c26e0925f386d520f0bc2f25b206a93075e9382d590f4724352edc61a0e497dece898c31ca22c4320d02b55bb519c90f228fcbd6f1d72057245e35a3170a354b207ef1f2a61585256e493bff8b363075452e21cbb5cb26167d8d1201c41911569768a99eea5cff0fb0458e5615e42e8aec5417f2493f5b81cf7b9cdb4ad1995c0c
EAP-Message =
0x8bced370d073ee8eefb21f833372027c4fcb84c23c73d1b44df6f5ca34e0d9f674900f9ddf1340179016868a3697a807624dd8f0ff7aea8460241df0a8a74eb8b0151171395155db1fd0b87be63c7047fda731126880bf2228332a38f11ac024cb944d68ce72da5f43d73609e82f92486f4eaad235b104ae3c93061600b3a54e895841eac966309ad0c18cccf17453210f450203010001a382018d30820189301d0603551d0e04160414b939b6ce8a52912eaece162418b1f4d8303d042e3081df0603551d230481d73081d48014b939b6ce8a52912eaece162418b1f4d8303d042ea181b0a481ad3081aa310b3009060355040613024445310f300d06
EAP-Message = 0x0355040813064265726c696e310f300d060355040713
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb6b3d2f0a12aec39a8b4f8e2aec32085
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.48.250.10:49154, id=0,
length=102
NAS-IP-Address = 10.48.250.10
NAS-Port-Type = Ethernet
NAS-Port = 7
User-Name = "host/hfs-080806-02"
State = 0xb6b3d2f0a12aec39a8b4f8e2aec32085
EAP-Message = 0x021b00060d00
Message-Authenticator = 0xf2d26dcc1e1b911c078c3a416ea3c8a1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
modcall[authorize]: module "preprocess" returns ok for request 10
modcall[authorize]: module "mschap" returns noop for request 10
rlm_eap: EAP packet type response id 27 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 10
users: Matched entry host/hfs-080806-02 at line 3
modcall[authorize]: module "files" returns ok for request 10
modcall: leaving group authorize (returns updated) for request 10
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 10
modcall: leaving group authenticate (returns handled) for request 10
Sending Access-Challenge of id 0 to 10.48.250.10 port 49154
EAP-Message =
0x011c03f50d8000000feb064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e6465820900890d6f61ac0ce005300f0603551d130101ff040530030101ff301106096086480186f842010104040302010630090603551d1204023000302b06096086480186f842010d041e161c54696e7943412047656e657261746564204365727469666963617465301d0603551d11041630
EAP-Message =
0x14811273632d6974406b682d6265726c696e2e6465300b0603551d0f040403020106300d06092a864886f70d0101050500038202010060f0ab4236cda26ba7ceaedfd61052c52b73e1e028ffe29171395f9074e4beee7eab73afc427c17cd0f37e96c7af6eda553a92b2b426f723c283c8ea027f3ab17c93d1ffa7c8a29fedbc83f11f8731a140393c56aceffae318f7ebbca367fed9280513ce2cfad1257c59f056e3898e928f968baa6c3cc094ca50b9072674b8fa43ab0e31c4a7a54eb8f96ad4d275011a449807c3abe4865d8f837ee4d8db0c081af218c00a878d4c7e30268282034b35a666b8295eb53ee41bcda9345a7d48fdb7dc306180df06
EAP-Message =
0xec546e826d73d7dd62bf449c6eb948aa85c808893b308a32636cb151b044b839fc382f8623863d7ac78b7bf3e0f2c1ac4c8a69b9184e58733d966120ce334ab7212f23b85a8e8d5b2ada0f4cc7cb981fafd3585c398b351a06870271c71e537b4010a7d2914151b076a5f4094d1ab64e46a93dbba7456fa75be4006a172f6824219fad1b4c95322c6b9a1703515545ebbdae485fa994ac81fb8d308cdb58038d6c95c15d29f0a317e03877225eebe3647f28dc2361d7fb1894231e475805ec5e95ab5a37c96c70b000695caee3562f474af69b11fc67ccf54e9f0f1d1adc2c9038d56a9fa3454320444843fe38e00de285cb9120b24416fa909c259b52
EAP-Message =
0xd069e64d0d9faa37c336f8bd3a8128a8f5e244029a5ded25e10bfc551dc08730e133a4e4b744cf3d8c038d38b1692c1d4876f92d109efcf136355c2216030100bd0d0000b50301020500af00ad3081aa310b3009060355040613024445310f300d060355040813064265726c696e310f300d060355040713064265726c696e31143012060355040a130b4b48422048664d2048665331193017060355040b13105365727669636543656e7465722d4954312530230603550403141c5365727669636543656e7465722d49545f4b48425f48664d5f4866533121301f06092a864886f70d010901161273632d6974406b682d6265726c696e2e64650e0000
EAP-Message = 0x00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xb96e1a3a059b60b96d74ce260c86a0c5
Finished request 10
Going to the next request
Waking up in 6 seconds...
More information about the Freeradius-Users
mailing list