Certificate Compatibility

Ben Wiechman wiechman.lists at gmail.com
Wed Mar 30 15:02:56 CEST 2011


You still don't have the certificates set up correctly.

Find the ca certificate you have configured in eap.conf.

# openssl x509 -text -in {ca certificate from step 1}

Now compare that to the certificates on your SM. They don't match. You
either are using the wrong certificate on the server, or the wrong
certificate on the SM.

Ben

On Tue, Mar 29, 2011 at 2:51 PM, Jim Rice <jmrice6640 at yahoo.com> wrote:
> Looks like it got a bit further this time.
> If I am looking at this right, it got through the TTLS part.
> But now what?  The SM is just "Registering".
>
> I am hoping that this is something simple and obvious to you guys...
> (Just the tail end for now):
>
> ...
> rad_recv: Access-Request packet from host 10.111.4.254 port 1273, id=0, length=439
> Cleaning up request 4 ID 0 with timestamp +41
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xf2937007f695654f did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>        User-Name = "0a-00-3e-f0-11-34"
>        State = 0xf2937007f695654f37c0362b1499c219
>        NAS-IP-Address = 10.111.4.254
>        NAS-Port = 5
>        NAS-Port-Type = Wireless-802.11
>        Framed-MTU = 1020
>        EAP-Message = 0x020601501580000001461603010106100001020100b208c439d0d90984cce915a82a4455cfcd9088e55760daeb8ff2e4b2bd5115bf3fe2b8e1270daf4dca4cf81a7392
> bbf684e2de7147ef4b7bc5dd54a9dd5d682f77959c1b0d7b5af3e64835e4e0e8bc2c76da431b0ff2d36fb94cb4a964da32027c46c54ea060de1a75e0a9e9ad8fac1e810af9a6b82c9e37353afc4aab
> 0126e19f18d7e6d3998534e364fbeab676acb4eb98b71b3afdf5f850fda7b7d1952e67de3abff875519824c3bd7f91ea33a6e9db3b5132c4947a9128c156f20b809211586ba7961c20edcb9e1bbc81
> 818b25c499288cd11014ea181eb05c2e0fd566a41121df762993fd0a
>        EAP-Message = 0x10d47398e6dfe27ced7bf9082d0cbb8261315423405c9b2d14030100010116030100303b8f5f207e14a34c814835a671de3025cf69c55a20976e348d692f622b1f8182
> e619567c8b8866c571c1ac6df11adb0d
>        Message-Authenticator = 0x0940909b598c4170a6f820374c4adf48
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> ++[digest] returns noop
> [suffix] No '@' in User-Name = "0a-00-3e-f0-11-34", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 6 length 253
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/ttls
> [eap] processing type ttls
> [ttls] Authenticate
> [ttls] processing EAP-TLS
>  TLS Length 326
> [ttls] Length Included
> [ttls] eaptls_verify returned 11
> [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
> [ttls]     TLS_accept: SSLv3 read client key exchange A
> [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls] <<< TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: SSLv3 read finished A
> [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
> [ttls]     TLS_accept: SSLv3 write change cipher spec A
> [ttls] >>> TLS 1.0 Handshake [length 0010], Finished
> [ttls]     TLS_accept: SSLv3 write finished A
> [ttls]     TLS_accept: SSLv3 flush data
> [ttls]     (other): SSL negotiation finished successfully
> SSL Connection Established
> [ttls] eaptls_process returned 13
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 10.111.4.254 port 1273
>        EAP-Message = 0x0107004515800000003b1403010001011603010030e9d5415f2dab4d08d3188d183d0c4dc68f65eae604b877e87fc28021e38c48e39ad145595d4cbbbcc00bcd4a5eb6
> 17f2
>        Message-Authenticator = 0x00000000000000000000000000000000
>        State = 0xf2937007f794654f37c0362b1499c219
> Finished request 5.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 5 ID 0 with timestamp +42
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xf2937007f794654f did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
>
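
The comparison suggested in the reply above, as an added example that is not part of the original thread: it compares SHA-256 fingerprints rather than subject names, since a regenerated CA can carry the same subject with a different key, and it checks that the server certificate really verifies against the CA the SM holds. The function names, file names and throwaway certificates are constructed for illustration, and it assumes the SM's CA certificate is available as a PEM file.

```shell
#!/bin/sh
# Added example: is the CA configured in eap.conf the same one the SM holds?
# Certificates below are constructed throwaway ones; all file names are assumptions.

# SHA-256 fingerprint of a PEM certificate (changes if the key or any field changes).
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

# Exit 0 if both files hold the same certificate; otherwise show how they differ.
same_cert() {
    a=$(cert_fp "$1"); b=$(cert_fp "$2")
    [ -n "$a" ] && [ -n "$b" ] || { echo "unreadable certificate" >&2; return 2; }
    [ "$a" = "$b" ] && { echo "MATCH $a"; return 0; }
    for f in "$1" "$2"; do
        echo "== $f  sha256=$(cert_fp "$f")"
        openssl x509 -noout -subject -issuer -enddate -in "$f"
    done
    return 1
}

# Exit 0 if server certificate $2 was really signed by CA $1 (a name match is not enough).
issued_by() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Build constructed inputs in directory $1: two CAs with the SAME subject but
# different keys (a regenerated CA), and a server certificate signed by the first.
make_demo() {
    for ca in caA caB; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/srv.csr" -CA "$1/caA.pem" -CAkey "$1/caA.key" \
        -CAcreateserial -days 1 -out "$1/srv.pem" 2>/dev/null
}

if [ $# -ge 2 ]; then   # real files: <CA from eap.conf> <CA from SM> [server cert]
    rc=0; same_cert "$1" "$2" || rc=$?
    [ -z "${3:-}" ] || issued_by "$2" "$3" || { echo "server cert not signed by $2"; rc=1; }
    exit $rc
else                    # no arguments: run on the constructed certificates
    d=$(mktemp -d) && make_demo "$d" || exit 1
    same_cert "$d/caA.pem" "$d/caB.pem" || echo "-> different CA, despite identical subject"
    issued_by "$d/caB.pem" "$d/srv.pem" || echo "-> srv.pem does not verify against caB.pem"
    rm -rf "$d"
fi
```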