RADIUS certificate compatibility warning
Martin Ubank
Martin.Ubank at uwe.ac.uk
Mon Oct 24 12:25:01 CEST 2011
I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6.
I've got right through (again) to the final "Configuring FreeRADIUS to use ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.
The 'radiusd -X' output finishes with :
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when the client is a Windows machine, but I'm running the 'eapol_test' command on the FreeRadius server which is Linux (CentOS).
The following lines from the output of the 'eapol_test' command seem to indicate a problem with the root certificate.:
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
I created the certificates using the method decsribed in http://deployingradius.com/documents/configuration/certificates.html
I can supply the full output from the 'eapol_test' command and from 'radiusd -X' but they're too big to include in this email.
Can anyone tell me what I'm doing wrong?
Thanks
Martin.
================================================================
Here are the errors/warnings section from the output of the 'eapol_test' command and from 'radiusd -X', and the full contents of peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files & eap.conf:
'eapol_test' errors/warnings
============================
:
RADIUS packet matching with station
decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00
05 00 00 00 00 00 00 00 11 00 00 00
TLS: using phase1 config options
OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:00000000:lib(0):func(0):reason(0)
OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-PEAP: Start (server ver=0, own ver=1)
EAP-PEAP: Using PEAP version 0
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 112 bytes pending from ssl_out
SSL: 112 bytes left to be sent out (of total 112 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=122)
:
'radiusd -X' errors/warnings
============================
:
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: USERNAME
[mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
[mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME
[mschap] No NT-Domain was found in the User-Name.
[mschap] expand: %{mschap:NT-Domain} ->
[mschap] ... expanding second conditional
[mschap] expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS
[mschap] mschap2: 8a
[mschap] Creating challenge hash with username: USERNAME
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822ad
f858
Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
Exec-Program: returned: 0
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333
0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9197308e909e2a67190d1c1ddd88b035
[peap] Got tunneled reply RADIUS code 11
EAP-Message = 0x010900331a0308002e533d4343373038393531333746344638333338433834463437303836313636424637413735344643333
0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9197308e909e2a67190d1c1ddd88b035
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 8 to 127.0.0.1 port 50462
EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825
807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x20754327287c5ad31b57225dabc8b87e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +76
Cleaning up request 1 ID 1 with timestamp +76
Cleaning up request 2 ID 2 with timestamp +76
Cleaning up request 3 ID 3 with timestamp +76
Cleaning up request 4 ID 4 with timestamp +76
Cleaning up request 5 ID 5 with timestamp +76
Cleaning up request 6 ID 6 with timestamp +76
Cleaning up request 7 ID 7 with timestamp +76
Cleaning up request 8 ID 8 with timestamp +76
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
peap-mschapv2-cert-ntlm_auth.conf
=================================
#
# eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
#
# eapol_version=1
# fast_reauth=0
network={
key_mgmt=WPA-EAP
eap=PEAP
identity="USERNAME"
password="PASSWORD"
phase2="autheap=MSCHAPV2"
# priority=10
ca_cert="/etc/raddb/certs/ca.der"
}
ca.cnf
======
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/ca.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = certificate_authority
default_bits = 2048
input_password = inpass
output_password = outpass
x509_extensions = v3_ca
[certificate_authority]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = Bristol
organizationName = UWE
emailAddress = email at uwe.ac.uk
commonName = "UWE Certificate Authority"
[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
================================================================
server.cnf
==========
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 730
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = server
default_bits = 2048
input_password = inpass
output_password = outpass
[server]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = Bristol
organizationName = UWE
emailAddress = email at uwe.ac.uk
commonName = "UWE Server Certificate"
================================================================
client.cnf
==========
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./
certs = $dir
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/server.pem
serial = $dir/serial
crl = $dir/crl.pem
private_key = $dir/server.key
RANDFILE = $dir/.rand
name_opt = ca_default
cert_opt = ca_default
default_days = 730
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = client
default_bits = 2048
input_password = inpass
output_password = outpass
[client]
countryName = UK
stateOrProvinceName = United Kingdom
localityName = Bristol
organizationName = UWE
emailAddress = email at uwe.ac.uk
commonName = "UWE Client Certificate"
eap.conf
========
eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = outpass
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
dh_file = ${certdir}/dh
random_file = ${certdir}/random
cipher_list = "DEFAULT"
cache {
enable = no
max_entries = 255
}
}
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
}
mschapv2 {
}
}
More information about the Freeradius-Users
mailing list