Problem with EAP-TLS.

Miguel Miralles miguel.miralles16 at gmail.com
Wed May 11 22:25:49 CEST 2011


Hi, I'm implementing authentication for 802.1X using FreeRADIUS (version
2.1.6) on Fedora 10. The supplicant is Windows XP with Service Pack 3. The
NAS is a Cisco switch and the network is wired.
My problem is that the connection works fine when the authentication is by
user and password, but if I change the configuration to authenticate using a
certificate, the connection fails. In the user and password case, validating
the server certificate works fine; in fact Windows XP requires confirming the
server certificate. The server certificate and client certificate have been
generated by the same CA (our own) and with the OIDs required for Windows. The
problem is that when the server asks for the client certificate the connection
seems to cut off. The question is (considering that the configuration is the
one recommended by various documents and tutorials, at least as I understand
it): what could be the problem? The end of the radius -X output says:


rad_recv: Access-Request packet from host 192.168.101.254 port 49154, id=0,
length=124
Cleaning up request 81 ID 0 with timestamp +1769
 NAS-IP-Address = 192.168.101.254
 NAS-Port-Type = Ethernet
 NAS-Port = 5
 User-Name = "mz254.mtm"
 State = 0xe985bf0fef95a607b34238093b97add2
 EAP-Message =
0x021000251900170301001a11c6b5cf6d88c21a6758d861aa6d49e3a4686ffa5cb4a4380d20
 Message-Authenticator = 0x46f742c7927f46d42c9708a756a03bfd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 37
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Identity - mz254.mtm
[peap] Got tunneled request
 EAP-Message = 0x0210000e016d7a3235342e6d746d
server  {
  PEAP: Got tunneled identity of mz254.mtm
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to mz254.mtm
Sending tunneled request
 EAP-Message = 0x0210000e016d7a3235342e6d746d
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "mz254.mtm"
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 16 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
 EAP-Message =
0x011100231a0111001e10a7a80a0d95340caaef928a607b6afaec6d7a3235342e6d746d
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0831d1c40820cb8cd5b8829097e99997
[peap] Got tunneled reply RADIUS code 11
 EAP-Message =
0x011100231a0111001e10a7a80a0d95340caaef928a607b6afaec6d7a3235342e6d746d
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0831d1c40820cb8cd5b8829097e99997
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.101.254 port 49154
 EAP-Message =
0x0111003a1900170301002fe48c43420e254b8de5958f35506d01a8077e703876321c1aac403281cf905c26fe5e4e8d17c412c32d2f6db08d876b
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xe985bf0fee94a607b34238093b97add2
Finished request 82.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.101.254 port 49154, id=0,
length=116
Cleaning up request 82 ID 0 with timestamp +1769
 NAS-IP-Address = 192.168.101.254
 NAS-Port-Type = Ethernet
 NAS-Port = 5
 User-Name = "mz254.mtm"
 State = 0xe985bf0fee94a607b34238093b97add2
 EAP-Message = 0x0211001d19001703010012d4f65388faa55d96da4c39fd25a2781ab64d
 Message-Authenticator = 0x0ddd687b9218a2e5cb52ae4e06735fc8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 29
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type nak
[peap] Got tunneled request
 EAP-Message = 0x02110006030d
server  {
  PEAP: Setting User-Name to mz254.mtm
Sending tunneled request
 EAP-Message = 0x02110006030d
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "mz254.mtm"
 State = 0x0831d1c40820cb8cd5b8829097e99997
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 17 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
 EAP-Message = 0x011200060d20
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0831d1c40923dc8cd5b8829097e99997
[peap] Got tunneled reply RADIUS code 11
 EAP-Message = 0x011200060d20
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0831d1c40923dc8cd5b8829097e99997
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.101.254 port 49154
 EAP-Message = 0x0112001d19001703010012cae867eb763daa542fc65b9c67ab94c4fe21
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xe985bf0fe197a607b34238093b97add2
Finished request 83.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.101.254 port 49154, id=0,
length=190
Cleaning up request 83 ID 0 with timestamp +1769
 NAS-IP-Address = 192.168.101.254
 NAS-Port-Type = Ethernet
 NAS-Port = 5
 User-Name = "mz254.mtm"
 State = 0xe985bf0fe197a607b34238093b97add2
 EAP-Message =
0x021200671900170301005ce0549b2a1b945c71e5696bd5b46950b5958ac040274a4217e3ff26d685a74594049fea12d4bae4e09c7119bad31cea81699dd953c79b536dd53dfead7281499ace37ff9cdbf342a5c7803673b2f09883b16fabbe5b3ca8fc81e6ac81
 Message-Authenticator = 0xe50342f509c7d70a7a40b733653658fd
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 103
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] EAP type tls
[peap] Got tunneled request
 EAP-Message =
0x021200500d800000004616030100410100003d03014dc01a18f6c3d3a9524dc7896df274307ebd918011714be32204ce96e3108ff600001600040005000a000900640062000300060013001200630100
server  {
  PEAP: Setting User-Name to mz254.mtm
Sending tunneled request
 EAP-Message =
0x021200500d800000004616030100410100003d03014dc01a18f6c3d3a9524dc7896df274307ebd918011714be32204ce96e3108ff600001600040005000a000900640062000300060013001200630100
 FreeRADIUS-Proxied-To = 127.0.0.1
 User-Name = "mz254.mtm"
 State = 0x0831d1c40923dc8cd5b8829097e99997
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 18 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 081a], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 007c], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0831d1c40a22dc8cd5b8829097e99997
[peap] Got tunneled reply RADIUS code 11
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0831d1c40a22dc8cd5b8829097e99997
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.101.254 port 49154
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0xe985bf0fe096a607b34238093b97add2
Finished request 84.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 84 ID 0 with timestamp +1769
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.101.254 port 49154, id=0,
length=83
 NAS-IP-Address = 192.168.101.254
 NAS-Port-Type = Ethernet
 NAS-Port = 5
 User-Name = "mz254.mtm"
 EAP-Message = 0x0214000e016d7a3235342e6d746d
 Message-Authenticator = 0x78f7a34500a508c5078c6c93779f7575
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mz254.mtm", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 20 length 14
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 192.168.101.254 port 49154
 EAP-Message = 0x011500060d20
 Message-Authenticator = 0x00000000000000000000000000000000
 State = 0x0ff1a38a0fe4ae700e5cfd450ee7a44f
Finished request 85.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 85 ID 0 with timestamp +1787
Ready to process requests.



Thanks.
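To read the EAP-Message values in a radiusd -X trace like the one above without decoding hex by hand, here is an added example (not from the poster nor from the FreeRADIUS project): a small decoder for the RFC 3748 EAP header and the EAP-TLS/PEAP flags and length field, fed with four messages copied from the log. It shows that the inner Nak (id 17) asks for EAP-TLS, the server's reply is an EAP-TLS Start, and the client's ClientHello carries a 70-byte TLS record, exactly as the "[tls] TLS Length 70" and "ClientHello" lines report.

```python
import struct

# EAP-Message values copied from the radiusd -X output in the post above.
SAMPLES = {
    "identity": "0x0210000e016d7a3235342e6d746d",
    "nak": "0x02110006030d",
    "tls_start": "0x011200060d20",
    "client_hello": "0x021200500d800000004616030100410100003d03014dc01a18f6c3d3a9524dc7896d"
                    "f274307ebd918011714be32204ce96e3108ff600001600040005000a000900640062"
                    "000300060013001200630100",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 13: "CertificateRequest", 14: "ServerHelloDone"}

def parse_eap_message(hex_str):
    """Decode one EAP-Message attribute (RFC 3748 header, RFC 5216 EAP-TLS body)."""
    data = bytes.fromhex(hex_str[2:] if hex_str[:2].lower() == "0x" else hex_str)
    code, ident, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "length_ok": length == len(data)}   # False for a truncated fragment
    if code in (3, 4) or len(data) < 5:         # Success/Failure carry no type
        return info
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = data[5:]
    if eap_type == 1:                           # Identity: body is the NAI
        info["identity"] = body.decode("ascii", errors="replace")
    elif eap_type == 3:                         # Nak: body lists acceptable types
        info["desired_types"] = [EAP_TYPES.get(t, t) for t in body]
    elif eap_type in (13, 25):                  # EAP-TLS / PEAP: flags [+ length] + TLS
        flags = body[0]
        info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        offset = 1
        if flags & 0x80:                        # L bit: 4-byte total TLS message length
            info["tls_length"] = struct.unpack("!I", body[1:5])[0]
            offset = 5
        info["tls_data"] = body[offset:]
    return info

def describe_tls_record(tls_data):
    # Render the first TLS record header the way radiusd -X prints it.
    if len(tls_data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", tls_data[:5])
    version = "SSL 3.0" if (major, minor) == (3, 0) else f"TLS 1.{minor - 1}"
    desc = f"{version} {TLS_CONTENT.get(ctype, ctype)} [length {length:04x}]"
    if ctype == 22 and len(tls_data) > 5:       # handshake: first body byte is the type
        desc += f", {HANDSHAKE.get(tls_data[5], tls_data[5])}"
    return desc
```

Run `parse_eap_message` over each value in `SAMPLES`; a message whose `length_ok` is False is one the mailing-list archive cut short, not a protocol error.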