Generating a Microsoft compatible CSR for FreeRADIUS
Sallee, Stephen (Jake)
Jake.Sallee at umhb.edu
Fri Jan 21 15:10:52 CET 2011
Has anyone gotten Windows clients to work WITHOUT having to do any manual config on the clients?
Is it even possible?
Also, I have my shiny new publicly signed cert from Comodo, but my clients are still rejecting the connection ... I think the error is here:
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
But I don't know why I would be getting a read error; the certs that I installed have the same permissions as the test certs...
here is the full debug, any help is appreciated:
FreeRADIUS Version 2.1.10, for host x86_64-unknown-linux-gnu, built on Sep 28 2010 at 09:20:29
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
including configuration file /usr/local/etc/raddb/modules/realm
including configuration file /usr/local/etc/raddb/modules/linelog
including configuration file /usr/local/etc/raddb/modules/etc_group
including configuration file /usr/local/etc/raddb/modules/pap
including configuration file /usr/local/etc/raddb/modules/detail
including configuration file /usr/local/etc/raddb/modules/pam
including configuration file /usr/local/etc/raddb/modules/detail.log
including configuration file /usr/local/etc/raddb/modules/ntlm_auth
including configuration file /usr/local/etc/raddb/modules/mac2vlan
including configuration file /usr/local/etc/raddb/modules/radutmp
including configuration file /usr/local/etc/raddb/modules/opendirectory
including configuration file /usr/local/etc/raddb/modules/smbpasswd
including configuration file /usr/local/etc/raddb/modules/digest
including configuration file /usr/local/etc/raddb/modules/checkval
including configuration file /usr/local/etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /usr/local/etc/raddb/modules/exec
including configuration file /usr/local/etc/raddb/modules/counter
including configuration file /usr/local/etc/raddb/modules/logintime
including configuration file /usr/local/etc/raddb/modules/cui
including configuration file /usr/local/etc/raddb/modules/mschap
including configuration file /usr/local/etc/raddb/modules/files
including configuration file /usr/local/etc/raddb/modules/detail.example.com
including configuration file /usr/local/etc/raddb/modules/dynamic_clients
including configuration file /usr/local/etc/raddb/modules/perl
including configuration file /usr/local/etc/raddb/modules/expiration
including configuration file /usr/local/etc/raddb/modules/inner-eap
including configuration file /usr/local/etc/raddb/modules/ippool
including configuration file /usr/local/etc/raddb/modules/otp
including configuration file /usr/local/etc/raddb/modules/sradutmp
including configuration file /usr/local/etc/raddb/modules/unix
including configuration file /usr/local/etc/raddb/modules/chap
including configuration file /usr/local/etc/raddb/modules/attr_filter
including configuration file /usr/local/etc/raddb/modules/preprocess
including configuration file /usr/local/etc/raddb/modules/passwd
including configuration file /usr/local/etc/raddb/modules/krb5
including configuration file /usr/local/etc/raddb/modules/acct_unique
including configuration file /usr/local/etc/raddb/modules/policy
including configuration file /usr/local/etc/raddb/modules/smsotp
including configuration file /usr/local/etc/raddb/modules/expr
including configuration file /usr/local/etc/raddb/modules/wimax
including configuration file /usr/local/etc/raddb/modules/mac2ip
including configuration file /usr/local/etc/raddb/modules/attr_rewrite
including configuration file /usr/local/etc/raddb/modules/ldap
including configuration file /usr/local/etc/raddb/modules/echo
including configuration file /usr/local/etc/raddb/modules/always
including configuration file /usr/local/etc/raddb/modules/sql_log
including configuration file /usr/local/etc/raddb/eap.conf
including configuration file /usr/local/etc/raddb/policy.conf
including files in directory /usr/local/etc/raddb/sites-enabled/
including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel
including configuration file /usr/local/etc/raddb/sites-enabled/UMHB
including configuration file /usr/local/etc/raddb/sites-available/default
including configuration file /usr/local/etc/raddb/sites-enabled/control-socket
including configuration file /usr/local/etc/raddb/sites-enabled/Cru
including configuration file /usr/local/etc/raddb/sites-available/default
including configuration file /usr/local/etc/raddb/sites-enabled/default
main {
allow_core_dumps = no
}
including dictionary file /usr/local/etc/raddb/dictionary
main {
prefix = "/usr/local"
localstatedir = "/usr/local/var"
logdir = "/usr/local/var/log/radius"
libdir = "/usr/local/lib"
radacctdir = "/usr/local/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 25600
pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
checkrad = "/usr/local/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = no
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
nostrip
}
realm LOCAL {
}
realm Cru {
}
realm Cru.umhb.edu {
}
realm umhb {
}
realm umhb.edu {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.2.1.75/32 {
require_message_authenticator = no
secret = "Burg3rk1ng!"
shortname = "PacketFence"
}
client 10.11.30.0/24 {
require_message_authenticator = no
secret = "Burg3rk1ng!"
shortname = "Sanderford"
}
client 10.11.60.0/24 {
require_message_authenticator = no
secret = "Burg3rk1ng!"
shortname = "Sanderford"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /usr/local/etc/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /usr/local/etc/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /usr/local/etc/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /usr/local/etc/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /usr/local/etc/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /usr/local/etc/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /usr/local/etc/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --domain=%{outer.request:Realm} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /usr/local/etc/raddb/modules/unix
unix {
radwtmp = "/usr/local/var/log/radius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/local/etc/raddb/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/Production/myserver.key"
certificate_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.crt"
CA_file = "/usr/local/etc/raddb/certs/Production/STAR_umhb_edu.ca-bundle"
private_key_password = "Burg3rk1ng!"
dh_file = "/usr/local/etc/raddb/certs/Production/dh"
random_file = "/usr/local/etc/raddb/certs/Production/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/local/etc/raddb/certs/Production/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /usr/local/etc/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /usr/local/etc/raddb/modules/files
files {
usersfile = "/usr/local/etc/raddb/users"
acctusersfile = "/usr/local/etc/raddb/acct_users"
preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
compat = "no"
}
Module: Linked to module rlm_perl
Module: Instantiating module "perl" from file /usr/local/etc/raddb/modules/perl
perl {
module = "/usr/local/etc/raddb/packetfence.pm"
func_authorize = "authorize"
func_authenticate = "authenticate"
func_accounting = "accounting"
func_preacct = "preacct"
func_checksimul = "checksimul"
func_detach = "detach"
func_xlat = "xlat"
func_pre_proxy = "pre_proxy"
func_post_proxy = "post_proxy"
func_post_auth = "post_auth"
func_recv_coa = "recv_coa"
func_send_coa = "send_coa"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /usr/local/etc/raddb/modules/radutmp
radutmp {
filename = "/usr/local/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/usr/local/etc/raddb/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server UMHB { # from file /usr/local/etc/raddb/sites-enabled/UMHB
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /usr/local/etc/raddb/modules/preprocess
preprocess {
huntgroups = "/usr/local/etc/raddb/huntgroups"
hints = "/usr/local/etc/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /usr/local/etc/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /usr/local/etc/raddb/modules/detail
detail {
detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /usr/local/etc/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/usr/local/etc/raddb/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server Cru { # from file /usr/local/etc/raddb/sites-enabled/Cru
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
server { # from file /usr/local/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Checking authorize {...} for more modules to load
Module: Checking preacct {...} for more modules to load
Module: Checking accounting {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/usr/local/var/run/radiusd/radiusd.sock"
}
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
======================================================
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=226, length=193
User-Name = "host/Lappy.umhb.edu"
NAS-IP-Address = 10.11.60.2
NAS-Port = 129
Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
Calling-Station-Id = "C4-17-FE-33-C6-A7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475
Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 24
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Calling-Station-Id = C4-17-FE-33-C6-A7
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-05-0E-81:UMHB Secure WiFi
rlm_perl: Added pair Message-Authenticator = 0x1ad7a675b5cb39b96e23f60e5340e801
rlm_perl: Added pair User-Name = host/Lappy.umhb.edu
rlm_perl: Added pair EAP-Message = 0x0201001801686f73742f4c617070792e756d68622e656475
rlm_perl: Added pair Connect-Info = CONNECT 1Mbps/1Mbps 802.11b
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 10.11.60.2
rlm_perl: Added pair NAS-Port = 129
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[perl] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 226 to 10.11.60.2 port 32777
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x330f4dc9330d546872b9f993281128fc
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=227, length=315
User-Name = "host/Lappy.umhb.edu"
NAS-IP-Address = 10.11.60.2
NAS-Port = 129
Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
Calling-Station-Id = "C4-17-FE-33-C6-A7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
EAP-Message = 0x0202008019800000007616030100710100006d03014d39919676cd85f8dcfe3f2afef335ec7a98b2eb9095d964891b3484c06fc78e000018002f00350005000ac013c014c009c00a00320038001300040100002cff0100010000000013001100000e6c617070792e756d68622e656475000a0006000400170018000b00020100
State = 0x330f4dc9330d546872b9f993281128fc
Message-Authenticator = 0x9165fc9281fe451bdcf9db8487dd8e79
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 118
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0071], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 227 to 10.11.60.2 port 32777
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x68747470733a2f2f73656375
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x330f4dc9320c546872b9f993281128fc
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=228, length=193
User-Name = "host/Lappy.umhb.edu"
NAS-IP-Address = 10.11.60.2
NAS-Port = 129
Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
Calling-Station-Id = "C4-17-FE-33-C6-A7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
EAP-Message = 0x020300061900
State = 0x330f4dc9320c546872b9f993281128fc
Message-Authenticator = 0x735474693c2ad02c4b885b94ea32aad5
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 228 to 10.11.60.2 port 32777
EAP-Message = 0x010403fc194072652e636f6d6f646f2e636f6d2f435053304f0603551d1f044830463044a042a040863e687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e63726c30818006082b0601050507010104743072304a06082b06010505073002863e687474703a2f2f6372742e636f6d6f646f63612e636f6d2f434f4d4f444f486967682d4173737572616e636553656375726553657276657243412e637274302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d301f0603551d1104183016820a2a2e756d68
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x37b9c76dce77c726
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x330f4dc9310b546872b9f993281128fc
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=229, length=193
User-Name = "host/Lappy.umhb.edu"
NAS-IP-Address = 10.11.60.2
NAS-Port = 129
Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
Calling-Station-Id = "C4-17-FE-33-C6-A7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
EAP-Message = 0x020400061900
State = 0x330f4dc9310b546872b9f993281128fc
Message-Authenticator = 0x61212145984f95fcd4339ef828985296
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 229 to 10.11.60.2 port 32777
EAP-Message = 0x010503361900e0d7741fa69816bb0c6bc8be77d0ef58a729a0b9b8690536cbb2da58a30b75ad3d8b2282203e7086991cb94fcf77a4071a2363d1385684ecbf8fc54ef418969b1ae893ec8daf159c24f05a3be80fb9a85a01d3b21c60c99c5204dd92a7fe0cace2458d0361bc79e0772e87413c585fcbf5c577f258c84d28d09afaf37309246874bc204cd82cb0aae8d94e6df28c24d3935d910203010001a382017730820173301f0603551d23041830168014adbd987a34b426f7fac42654ef03bde024cb541a301d0603551d0e041604143fd5b5d0d64479504a17a39b8c4adcb8b022646b300e0603551d0f0101ff04040302010630120603551d13
EAP-Message = 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
EAP-Message = 0x050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d300d06092a864886f70d0101050500038201010013851f528018c953f7fe2e1aafccd90b3cc2d3858110f0288db9407e2c9e8fd636860a4c142dd69743924119374b969eeba930791295b3023657ed2bb91d981aa3180a3f9b398bcda149294c2ff9d0958cc84d95baa843cf33aa252a5a0eaa27c94e6bb1e6731fb37404c3f34ce2a8eb67b75db808051a569a542985f5294e803b95d07b53961156c102d3eab27fca8f9c704a148d5ab9166075d6cd271e16cd5b338e7940cf2848e7dc71164e749175b92a8cf170ac26dd04b940c285de1c9340d0cc6ec39baaef6065
EAP-Message = 0xdf6022f05aa57aa22fe47073ee3cd4262b6807c1207ae8985a3e7b9f028b62c085818060357ea51d0cd29cdf62450ddbfc37fbf5252216030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x330f4dc9300a546872b9f993281128fc
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=230, length=525
User-Name = "host/Lappy.umhb.edu"
NAS-IP-Address = 10.11.60.2
NAS-Port = 129
Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
Calling-Station-Id = "C4-17-FE-33-C6-A7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
EAP-Message = 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
EAP-Message = 0x1163bb4e662da80dabf30e1455b1be69bd55c68de35bcb7d1403010001011603010030f378c58fc4f96e96bf4aba29aa08962242ce0e3007898a99849af855f11f5116f7ecea3850db2d6561b4599c404e627a
State = 0x330f4dc9300a546872b9f993281128fc
Message-Authenticator = 0x06d78d3c33e3d757129782abcb1d3133
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 326
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] TLS_accept: SSLv3 read client key exchange A
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 read finished A
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] TLS_accept: SSLv3 write change cipher spec A
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
[peap] TLS_accept: SSLv3 write finished A
[peap] TLS_accept: SSLv3 flush data
[peap] (other): SSL negotiation finished successfully
SSL Connection Established
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 230 to 10.11.60.2 port 32777
EAP-Message = 0x010600411900140301000101160301003005369ff6b06a4224824062f6fcfe0092357c4da2fd59baab8c1c5b071e939e71e83b578bd081ee5fa8d3ac3566b8a1bd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x330f4dc93709546872b9f993281128fc
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.11.60.2 port 32777, id=231, length=234
User-Name = "host/Lappy.umhb.edu"
NAS-IP-Address = 10.11.60.2
NAS-Port = 129
Called-Station-Id = "00-0F-7D-05-0E-81:UMHB Secure WiFi"
Calling-Station-Id = "C4-17-FE-33-C6-A7"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 1Mbps/1Mbps 802.11b"
EAP-Message = 0x0206002f198000000025150301002071521862587c6d52360e98091cd5d99f81ea6febe82fd2a7401f8b1970c3cf65
State = 0x330f4dc93709546872b9f993281128fc
Message-Authenticator = 0xe0cebdb5cdcd98a378bd88f15213b843
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/Lappy.umhb.edu", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 37
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established. Decoding tunneled attributes.
[peap] Peap state ?
[peap] FAILED processing PEAP: Tunneled data is invalid.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/Lappy.umhb.edu
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 231 to 10.11.60.2 port 32777
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 226 with timestamp +18
Cleaning up request 1 ID 227 with timestamp +18
Cleaning up request 2 ID 228 with timestamp +18
Cleaning up request 3 ID 229 with timestamp +18
Cleaning up request 4 ID 230 with timestamp +18
Waking up in 1.0 seconds.
Cleaning up request 5 ID 231 with timestamp +18
Ready to process requests.
Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
________________________________
From: freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org [freeradius-users-bounces+jake.sallee=umhb.edu at lists.freeradius.org] on behalf of Peter Lambrechtsen [plambrechtsen at gmail.com]
Sent: Friday, January 21, 2011 7:11 AM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS
On Fri, Jan 21, 2011 at 10:33 PM, Alan Buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> 2) Issuing client certs isn't that difficult. With Windows Vista/7,
> installing a cert is a simple double-click operation, so if they have a
> usb flash, you can use linux to zip a copy of their private key and a .doc
> with instructions (including screenies!) on configuring their OS in a
> matter of seconds, all they have to do is stop by IT to request a key
> once, and it's good for as long as you honour it.
If dealing with client keys: most of the time it's just PEAP with user/pass,
and it's the CA that's an issue. Even then there are ways of doing this quite
easily, e.g. https://su1x.sf.net
I also quite like using the root certificates tool which happily imports certificates into the root certificate store in windows.
Go to here: http://support.microsoft.com/kb/931125
Download "rootsupd.exe" (http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe) from there and expand it with WinZip or WinRAR.
Then convert your DER file into a P7B using OpenSSL:
openssl crl2pkcs7 -nocrl -certfile internalca1.der -certfile internalca2.der -out internalca.p7b
Then use "updroots.exe" included in the exe to import the certificate into your local certificate chain:
updroots -l internalca.p7b
And you're done
You can even use "iexpress" if you're running Windows XP to re-package everything back into a self-extracting exe.
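The following is an added example, not code from the post or from FreeRADIUS. It reads the TLS-layer lines of a debug trace like the one in the post and reports who sent the first fatal alert and at which point of the handshake. The first sample input is an excerpt of the trace above; the second is constructed for contrast. The reading it encodes: `<<<` marks records the server received, so `TLS Alert read:fatal:access denied` is OpenSSL reading an alert that the client sent, and it arrives after `SSL Connection Established`, i.e. after the server's certificate, key and CA bundle had already been accepted by the TLS layer. With Windows PEAP clients an alert at that point commonly means the supplicant did not accept the server certificate (issuing CA not in the machine's trusted roots, or the server name not matching what the profile allows), which is the client-side configuration the rest of the thread is about.

```python
import re

# Sample input 1: the TLS-layer lines of the trace in the post above
# (requests 1 through 5), trimmed to what the analysis needs.
TRACE_FROM_POST = """\
[peap] <<< TLS 1.0 Handshake [length 0071], ClientHello
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[peap] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[peap] <<< TLS 1.0 Handshake [length 0010], Finished
[peap] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[peap] >>> TLS 1.0 Handshake [length 0010], Finished
SSL Connection Established
[peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
[peap] WARNING: No data inside of the tunnel.
"""

# Sample input 2 (constructed, not from the post): a supplicant that
# rejects the certificate chain during the handshake instead of after it.
TRACE_CONSTRUCTED = """\
[peap] <<< TLS 1.0 Handshake [length 0071], ClientHello
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] >>> TLS 1.0 Handshake [length 0ad8], Certificate
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
"""

# One FreeRADIUS/OpenSSL record line: "[module] <<<|>>> TLS x.y Kind [length hex], Description"
RECORD = re.compile(
    r"\[(?P<module>\w+)\] (?P<dir><<<|>>>) TLS (?P<ver>[\d.]+) "
    r"(?P<kind>Handshake|Alert|ChangeCipherSpec)"
    r"(?: \[length (?P<len>[0-9a-fA-F]+)\])?(?:, (?P<desc>.+))?$"
)


def first_fatal_alert(trace):
    """Return who sent the first TLS alert and the handshake phase it hit, or None."""
    cert_sent = False      # server has written its Certificate message
    established = False    # OpenSSL reported the handshake complete
    for raw in trace.splitlines():
        line = raw.strip()
        if line == "SSL Connection Established":
            established = True
            continue
        m = RECORD.match(line)
        if not m:
            continue
        sender = "client" if m["dir"] == "<<<" else "server"
        if m["kind"] == "Handshake" and sender == "server" and m["desc"] == "Certificate":
            cert_sent = True
        elif m["kind"] == "Alert":
            level, _, name = (m["desc"] or "").partition(" ")
            if established:
                phase = "after_handshake"
            elif cert_sent:
                phase = "after_server_certificate"
            else:
                phase = "before_server_certificate"
            return {"sender": sender, "level": level, "alert": name, "phase": phase}
    return None


def diagnose(trace):
    """Turn the classification into the one-line reading a practitioner wants."""
    r = first_fatal_alert(trace)
    if r is None:
        return "no TLS alert in trace"
    if r["sender"] == "server":
        return (f"server aborted with {r['alert']} ({r['phase']}): check the server's "
                "own certificate/key/CA files and cipher_list")
    if r["phase"] == "after_handshake":
        return (f"client sent {r['alert']} after the handshake completed: OpenSSL had "
                "already accepted the server's files, so this is the supplicant refusing "
                "to continue; with Windows PEAP clients that commonly means the server "
                "certificate failed the client's own trust or server-name check")
    if r["phase"] == "after_server_certificate":
        return (f"client sent {r['alert']} right after seeing the server certificate: "
                "the supplicant rejected the chain during the handshake")
    return f"client sent {r['alert']} before any certificate was offered: protocol/cipher mismatch"


if __name__ == "__main__":
    print(diagnose(TRACE_FROM_POST))
    print(diagnose(TRACE_CONSTRUCTED))
```

Run it against a full `radiusd -X` capture by passing the whole file to `diagnose()`; the regex only matches the `[peap]`/`[tls]` record lines, so the rest of the trace is ignored.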
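Peter's `openssl crl2pkcs7 -nocrl -certfile ...` step builds a "certs-only" PKCS#7: a SignedData structure with no signers and no digests whose only payload is the certificate set. The following is an added example, not from the post and not OpenSSL's code, that encodes that structure by hand with the Python standard library and parses it back, which is handy for checking what a .p7b actually contains before handing it to `updroots`. The two input "certificates" are constructed placeholders (bare DER SEQUENCEs), so the example runs offline; real input is the DER files Peter names.

```python
import base64

# Constructed stand-ins for internalca1.der / internalca2.der from Peter's
# command. They are bare DER SEQUENCEs, not real certificates.
SAMPLE_CERTS = [bytes.fromhex("3003020102"), bytes.fromhex("3003020101")]

OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (short form below 128 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def iter_tlv(buf):
    """Yield (tag, body, raw) for each consecutive DER TLV in buf."""
    i = 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            n, hdr = first, 2
        else:
            k = first & 0x7F
            n, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
        end = i + hdr + n
        yield tag, buf[i + hdr:end], buf[i:end]
        i = end


def certs_only_pkcs7(der_certs):
    """Build the degenerate SignedData that `openssl crl2pkcs7 -nocrl` emits:
    no signers, no digests, no CRLs, just the certificate set."""
    # DER requires SET OF members in ascending encoding order and no duplicates.
    certs = sorted(set(der_certs))
    for c in certs:
        if c[:1] != b"\x30":
            raise ValueError("certificate is not a DER SEQUENCE (PEM input?)")
    signed_data = der_tlv(
        0x30,
        der_tlv(0x02, b"\x01")              # version 1
        + der_tlv(0x31, b"")                # digestAlgorithms: empty SET
        + der_tlv(0x30, OID_DATA)           # contentInfo: id-data, content absent
        + der_tlv(0xA0, b"".join(certs))    # [0] IMPLICIT certificates
        + der_tlv(0x31, b""),               # signerInfos: empty SET
    )
    return der_tlv(0x30, OID_SIGNED_DATA + der_tlv(0xA0, signed_data))


def extract_certs(p7b):
    """Parse a certs-only PKCS#7 (DER) back into its list of DER certificates."""
    (tag, content_info, _), = iter_tlv(p7b)
    oid, content = list(iter_tlv(content_info))
    if tag != 0x30 or oid[2] != OID_SIGNED_DATA or content[0] != 0xA0:
        raise ValueError("not a PKCS#7 SignedData ContentInfo")
    (_, signed_data, _), = iter_tlv(content[1])
    for field_tag, body, _ in iter_tlv(signed_data):
        if field_tag == 0xA0:               # [0] certificates
            return [raw for _, _, raw in iter_tlv(body)]
    return []


def to_pem(p7b):
    """PEM wrapper, the form `openssl crl2pkcs7` writes by default."""
    b64 = base64.encodebytes(p7b).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PKCS7-----\n" + "\n".join(lines) + "\n-----END PKCS7-----\n"


if __name__ == "__main__":
    blob = certs_only_pkcs7(SAMPLE_CERTS)
    print(to_pem(blob))
    print(len(extract_certs(blob)), "certificate(s) inside")
```

To cross-check a bundle built either way against OpenSSL, `openssl pkcs7 -inform DER -in internalca.p7b -print_certs -noout` lists the subjects it finds; note that OpenSSL expects PEM unless `-inform DER` is given.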