[EAP-PEAP] PEAP Authentication failed

Khalid Staili khalidstaili at gmail.com
Wed May 4 21:27:38 CEST 2011


I am using freeradius in a wired network. The authentication protocol I'm
using is PEAP.
I have configured the server as described on many different sites, but I
have a problem. This is the debug output I have:

rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=192,
length=204
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.0.1
    NAS-Identifier = "kskhaled"
    User-Name = "kskhaled"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-1f-fe-02-58-80"
    Calling-Station-Id = "00-26-55-b7-7c-bf"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    EAP-Message = 0x02a0000d016b736b68616c6564
    Message-Authenticator = 0x74cb8a1036cbc1836786bc29d6d0f75e
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 160 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 192 to 192.168.0.1 port 1024
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "22"
    EAP-Message = 0x01a100061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x5a2fd5015a8ecc31b9ba37ff7858d5ab
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=193,
length=314
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.0.1
    NAS-Identifier = "kskhaled"
    User-Name = "kskhaled"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-1f-fe-02-58-80"
    Calling-Station-Id = "00-26-55-b7-7c-bf"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0x5a2fd5015a8ecc31b9ba37ff7858d5ab
    EAP-Message =
0x02a1006919800000005f160301005a0100005603014dc19e9f979a3af96e33b19d0c62732513034307abf20b2a001cf13bda8125ab00002800390038003500160013000a00330032002f000500040015001200090014001100080006000300ff020100000400230000
    Message-Authenticator = 0x27bfd0a5516047d0700ade8abfb74e62
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 161 length 105
[eap] Continuing tunnel setup.
++[eap] returns ok
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 95
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 005a], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0035], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 0615], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
[peap]     TLS_accept: SSLv3 write key exchange A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 193 to 192.168.0.1 port 1024
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "22"
    EAP-Message =
0xdfa85d229441058d31a8d529bd55e87ab4a3a8b93d0e08f3a6843de62b5d192d0203010001300d06092a864886f70d01010405000381810086ccd85809f82b506c45ae8a9b6114e3abb876c544cd3288f0e9451f4b52ec9e7ed0dd29383e09452570d711fc7b59bdd632a29ad007932602c743920eeb7e53022fc4eaea70699b49094fd4d56b62074ac3b760d907c19f6f2cf3b4c86fd124d89ba0c458629ad634f5ea139bb88e8cc13b2b0e4323b5e7c03aeb33aa05f2a00003a9308203a53082030ea003020102020900df846a35de47bd40300d06092a864886f70d0101040500308194310e300c060355040a1305454e5349423111300f06035504
    EAP-Message = 0x65733110300e060355040813
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x5a2fd5015b8dcc31b9ba37ff7858d5ab
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=194,
length=215
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.0.1
    NAS-Identifier = "kskhaled"
    User-Name = "kskhaled"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-1f-fe-02-58-80"
    Calling-Station-Id = "00-26-55-b7-7c-bf"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0x5a2fd5015b8dcc31b9ba37ff7858d5ab
    EAP-Message = 0x02a200061900
    Message-Authenticator = 0x49f78f5e3bcb0dfb4ad97a2400e8c816
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 162 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 194 to 192.168.0.1 port 1024
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "22"
    EAP-Message =
0x01a3037f190007426f7572676573310b3009060355040613024652311330110603550403130a6672656572616469757330819f300d06092a864886f70d010101050003818d0030818902818100d545774be4fa25bc43f80ffa33007a504bbbad54eb34d3c46b6424e31f1d4295f1c166d2ab252547c700d5a8e006c15b7171454cf076adb5a019b167b076e2bc5da0e46ad9b9618a4b7503287dd1d3604999dc404d14d84f007bc5daa8004cc79c438ad49f268ce97f023492d6c222d1caab71f695daf2246fd281c39ddf910b0203010001a381fc3081f9300c0603551d13040530030101ff301d0603551d0e04160414f309a1552b739845194d0353
    EAP-Message =
0x8fb9a0e2db1ab56253f2aa1b44674272aecd2c701d755d5162d100f849318f4deadd39f5693e9afb377f17d49de9b475fe56522f96f86aadf78a79683c1e9a13eef5959409b2a299ac0cf23f535b96e57a65a64fa9d53e135a8a21db4d0481e9d58754bdfe8928a7bf5481d2a0dfac2ee3d76551d2c596aa5ba7548e08d99116030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x5a2fd501588ccc31b9ba37ff7858d5ab
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 1024, id=195,
length=226
    Framed-MTU = 1480
    NAS-IP-Address = 192.168.0.1
    NAS-Identifier = "kskhaled"
    User-Name = "kskhaled"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 17
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "17"
    Called-Station-Id = "00-1f-fe-02-58-80"
    Calling-Station-Id = "00-26-55-b7-7c-bf"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0x5a2fd501588ccc31b9ba37ff7858d5ab
    EAP-Message = 0x02a3001119800000000715030100020233
    Message-Authenticator = 0x11829099870303de8e36ce50cee21288
+- entering group authorize {...}
++[preprocess] returns ok
++[mschap] returns noop
[eap] EAP packet type response id 163 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
[files] users: Matched entry kskhaled at line 86
++[files] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert
decrypt error
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> kskhaled
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 195 to 192.168.0.1 port 1024
    EAP-Message = 0x04a30004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 192 with timestamp +32
Cleaning up request 1 ID 193 with timestamp +32
Cleaning up request 2 ID 194 with timestamp +32
Waking up in 1.0 seconds.
Cleaning up request 3 ID 195 with timestamp +32
Ready to process requests.
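To read the EAP-Message values in a trace like the one above without guessing, the following decoder (an added example, not part of the original post and not FreeRADIUS code) parses the EAP header, the PEAP flags and, when the payload is an unencrypted TLS record, the alert level and description. It assumes only the RFC 3748 EAP layout and the PEAP/EAP-TLS flag byte; the TRACE values are copied from the debug output above, and the final client message decodes to the fatal decrypt_error alert that the server logs just before rejecting the user.

```python
# Decoder for EAP-Message attribute values as they appear in radiusd -X output.
# Added example: parses EAP headers, PEAP flags and plaintext TLS alert records.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of TLS alert descriptions (RFC 5246) that matter when reading PEAP traces
TLS_ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                  48: "unknown_ca", 51: "decrypt_error", 70: "protocol_version"}

def decode_eap_message(hexstr):
    """Return a dict describing one EAP-Message value written as 0x... hex."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or length <= 4:
        return info                       # Success/Failure carry no type byte
    eap_type = raw[4]
    if eap_type == 1:                     # EAP type 1 = Identity
        info["type"] = "Identity"
        info["identity"] = raw[5:length].decode("ascii", "replace")
        return info
    if eap_type == 25:                    # EAP type 25 (0x19) = PEAP
        flags = raw[5]
        info["type"] = "PEAP"
        info["flags"] = {"L": bool(flags & 0x80),   # TLS length field present
                         "M": bool(flags & 0x40),   # more fragments follow
                         "S": bool(flags & 0x20)}   # PEAP Start
        body = raw[6:length]
        if flags & 0x80 and len(body) >= 4:
            info["tls_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["tls_data"] = body
        # TLS record type 21 = Alert: header (5 bytes) + level + description
        if len(body) >= 7 and body[0] == 0x15:
            level, desc = body[5], body[6]
            info["alert"] = ("fatal" if level == 2 else "warning",
                             TLS_ALERT_DESC.get(desc, desc))
        return info
    info["type"] = eap_type
    return info

# Sample input: the EAP-Message values taken from the trace above
TRACE = [
    "0x02a0000d016b736b68616c6564",          # client Identity response, id 160
    "0x01a100061920",                        # server PEAP Start, id 161
    "0x02a200061900",                        # client TLS ACK, id 162
    "0x02a3001119800000000715030100020233",  # client TLS alert, id 163
    "0x04a30004",                            # server EAP Failure, id 163
]

if __name__ == "__main__":
    for m in TRACE:
        print(decode_eap_message(m))
```

The alert record is the only TLS content this decoder interprets; handshake fragments are returned as raw bytes in `tls_data` for inspection with a TLS dissector.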