[EAP-TLS Windows 7] Problem with chain certificate on the client side

jinx_20 gabriel_skupien at o2.pl
Wed Apr 25 11:39:38 CEST 2012


Hi all,

My PKI infrastructure is hierarchical, meaning that the client certificate path
looks like the one below:
ROOT_CA->Sub1_CA->Sub2_CA->Client_Cert

Client_Cert & Sub2_CA purposes are set correctly.

After I import the client certificate (client.p12) into the Windows Cert Store
the following events occur:
- Root CA cert is imported into the Trusted Root CAs,
- every sub CA cert (Sub1 CA & Sub2 CA) is imported into the Intermediate
CAs,
- user's cert is imported into Personal Certificates.

I can't connect....

As soon as I delete Sub2 CA (that is, the CA certificate of the certificate
authority which issued the client's certificate) I am able to connect
successfully. I suspect that the Windows 7 supplicant sends the entire chain of
the client certificate to the FreeRadius server, which confuses it. I suppose
that FreeRadius cannot verify the Sub2_CA certificate received from the client
because its purpose is not "Client Auth". As a result FreeRadius outputs the
following message:

--> verify error:num=26:unsupported certificate purpose 
[tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate  
TLS Alert write:fatal:unsupported certificate
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation

Below you can find two debug outputs. The first one represents the situation when
Sub2 CA is present in the Intermediate CAs store and the other one shows the
case when Sub2 CA was deleted.

Additionally, CA_file in the eap.conf is set to
${cadir}/Sub2_CA_*entire_chain*.pem

When I try to connect from a Linux machine everything works great
(wpa_supplicant doesn't send the entire client certificate chain toward the
radius server; it sends only the client cert, the last cert in the chain). The
problem arose while connecting from a Windows 7 machine.

Is there any way to configure FreeRadius server to explicitly accept
intermediate CAs received from the client supplicant?

Appreciate any hints.

Gabriel

###############################################
##################   FAILED  ######################
##################   FAILED  ######################
###############################################

rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=182,
length=193
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 182 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=183,
length=298
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0578], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00f9], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 183 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=184,
length=199
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 184 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=185,
length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 5695
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 185 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=186,
length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] More fragments to follow
[tls] eaptls_verify returned 10 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 186 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=187,
length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] More fragments to follow
[tls] eaptls_verify returned 10 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 187 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=188,
length=1448
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7 
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 13f3], Certificate  
--> verify error:num=26:unsupported certificate purpose 
[tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate  
TLS Alert write:fatal:unsupported certificate
    TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4 
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> 2762_hd.test6
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 188 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
Waking up in 3.9 seconds.
Cleaning up request 0 ID 182 with timestamp +23
Cleaning up request 1 ID 183 with timestamp +23
Cleaning up request 2 ID 184 with timestamp +23
Cleaning up request 3 ID 185 with timestamp +23
Cleaning up request 4 ID 186 with timestamp +23
Cleaning up request 5 ID 187 with timestamp +23
Waking up in 1.0 seconds.
Cleaning up request 6 ID 188 with timestamp +23
Ready to process requests.



###############################################
##################   ACCEPT  ######################
##################   ACCEPT  ######################
###############################################

rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=189,
length=193
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 189 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=190,
length=298
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11 
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0578], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00f9], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase 
In SSL Accept mode  
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 190 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=191,
length=199
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=192,
length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 2193
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 192 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=193,
length=914
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7 
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0645], Certificate  
[tls] chain-depth=3, 
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = SNAKE OIL ROOT CA
[tls] --> subject = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate
Services/O=Snake Oil Company/C=PL
[tls] --> issuer  = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate
Services/O=Snake Oil Company/C=PL
[tls] --> verify return:1
[tls] chain-depth=2, 
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = SNAKE OIL CA
[tls] --> subject = /CN=SNAKE OIL CA/O=Snake Oil Company 2/C=PL
[tls] --> issuer  = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate
Services/O=Snake Oil Company/C=PL
[tls] --> verify return:1
[tls] chain-depth=1, 
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = SNAKE OIL WIFI CA
[tls] --> subject = /CN=SNAKE OIL WIFI CA/O=Snake Oil Company 2/C=PL
[tls] --> issuer  = /CN=SNAKE OIL CA/O=Snake Oil Company 2/C=PL
[tls] --> verify return:1
[tls] Verifying client certificate: /etc/freeradius/geppetto.sh
%{TLS-Client-Cert-Filename} %{Called-Station-Id}
[tls] 	expand: %{TLS-Client-Cert-Filename} ->
/tmp/radiusd/freeradius.client.XXnI1oCe
[tls] 	expand: %{Called-Station-Id} -> XX-XX-XX-XX-XX-XX:SSID
+ GREP=/bin/grep
+ LDAP=/usr/bin/ldapsearch
+ OPENSSL=/usr/bin/openssl
+ cp /tmp/radiusd/freeradius.client.XXnI1oCe /tmp/
+ exit 0
Exec-Program output: 
Exec-Program: returned: 0
[tls] Client certificate CN 2762_hd.test6 passed external validation
[tls] chain-depth=0, 
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = 2762_hd.test6
[tls] --> subject =
/emailAddress=2762_hd.test6 at snakeoil.com/CN=2762_hd.test6/GN=HD/SN=Test6/OU=Operations/OU=HelpDesk/O=Snake
Oil Company
[tls] --> issuer  = /CN=SNAKE OIL WIFI CA/O=Snake Oil Company 2/C=PL
[tls] --> verify return:1
[tls]     TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[tls]     TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify  
[tls]     TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[tls] <<< TLS 1.0 Handshake [length 0010], Finished  
[tls]     TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[tls]     TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished  
[tls]     TLS_accept: SSLv3 write finished A
[tls]     TLS_accept: SSLv3 flush data
[tls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 193 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=194,
length=199
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3 
[tls] eaptls_process returned 3 
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 194 to 172.16.16.1 port 32770
	MS-MPPE-Recv-Key = 0xFF
	MS-MPPE-Send-Key = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	User-Name = "2762_hd.test6"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.


--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664334.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
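The verify error number 26 in the failed trace is OpenSSL's X509_V_ERR_INVALID_PURPOSE, raised when one element of the client chain does not pass the "SSL client" purpose check. As an added example that is not code from the post, from FreeRADIUS or from OpenSSL, here is a stdlib-only Python model of that per-certificate check, approximating OpenSSL's check_purpose_ssl_client() and check_ssl_ca() logic. The chain (ROOT_CA -> Sub1_CA -> Sub2_CA -> Client_Cert), the Cert descriptor, and all function names are constructed for the example; it shows that an intermediate carrying an extendedKeyUsage without clientAuth is rejected at its depth, while the same intermediate with no EKU, or an EKU that includes clientAuth, passes.

```python
# Added example (not from the mailing-list post, FreeRADIUS or OpenSSL): a
# stdlib-only model of the per-certificate "purpose" check OpenSSL applies when
# a server verifies an SSL/TLS client chain. All certificate data is constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

X509_V_OK = 0
X509_V_ERR_INVALID_PURPOSE = 26   # shown as "unsupported certificate purpose"

KU_DIGITAL_SIGNATURE = "digitalSignature"
KU_KEY_AGREEMENT = "keyAgreement"
KU_KEY_CERT_SIGN = "keyCertSign"
EKU_CLIENT_AUTH = "clientAuth"
EKU_SERVER_AUTH = "serverAuth"


@dataclass(frozen=True)
class Cert:
    """Only the fields the purpose check looks at. None means 'extension absent'."""
    subject: str
    is_ca: bool                                   # basicConstraints CA:TRUE
    key_usage: Optional[FrozenSet[str]] = None
    ext_key_usage: Optional[FrozenSet[str]] = None


def ku_reject(cert: Cert, wanted: FrozenSet[str]) -> bool:
    # Like OpenSSL's ku_reject(): an absent keyUsage never rejects.
    return cert.key_usage is not None and not (cert.key_usage & wanted)


def xku_reject(cert: Cert, wanted: str) -> bool:
    # Like OpenSSL's xku_reject(): an absent extendedKeyUsage never rejects.
    return cert.ext_key_usage is not None and wanted not in cert.ext_key_usage


def ssl_client_purpose_ok(cert: Cert, as_ca: bool) -> bool:
    """Approximation of OpenSSL's check_purpose_ssl_client().

    The EKU test comes first and applies to CA certificates as well, so an
    intermediate whose EKU omits clientAuth fails here even though it is a
    perfectly valid CA.
    """
    if xku_reject(cert, EKU_CLIENT_AUTH):
        return False
    if as_ca:
        # check_ssl_ca(): must be a CA that is allowed to sign certificates
        return cert.is_ca and not ku_reject(cert, frozenset({KU_KEY_CERT_SIGN}))
    # Leaf: must be able to sign (or agree on) the handshake
    return not ku_reject(cert, frozenset({KU_DIGITAL_SIGNATURE, KU_KEY_AGREEMENT}))


def verify_client_chain(chain: List[Cert]) -> Tuple[int, Optional[int]]:
    """chain[0] is the end-entity certificate, chain[-1] the root.

    Returns (error, depth): (0, None) when every element passes, otherwise
    (26, depth) for the first element that fails, mirroring the error number
    and error depth OpenSSL reports to the verify callback.
    """
    for depth, cert in enumerate(chain):
        if not ssl_client_purpose_ok(cert, as_ca=depth > 0):
            return X509_V_ERR_INVALID_PURPOSE, depth
    return X509_V_OK, None


def format_verify_error(error: int) -> str:
    """Render the error the way it appears in radiusd -X output."""
    names = {X509_V_OK: "ok",
             X509_V_ERR_INVALID_PURPOSE: "unsupported certificate purpose"}
    return "verify error:num=%d:%s" % (error, names.get(error, "unknown"))


def sample_chain(sub2_eku: Optional[FrozenSet[str]]) -> List[Cert]:
    """Constructed ROOT_CA -> Sub1_CA -> Sub2_CA -> Client_Cert chain, leaf first."""
    ca_ku = frozenset({KU_KEY_CERT_SIGN, "cRLSign"})
    return [
        Cert("CN=Client_Cert", False,
             frozenset({KU_DIGITAL_SIGNATURE, "keyEncipherment"}),
             frozenset({EKU_CLIENT_AUTH})),
        Cert("CN=Sub2_CA", True, ca_ku, sub2_eku),   # the issuing CA under test
        Cert("CN=Sub1_CA", True, ca_ku, None),
        Cert("CN=ROOT_CA", True, ca_ku, None),
    ]


if __name__ == "__main__":
    for eku in (frozenset({EKU_SERVER_AUTH}),
                frozenset({EKU_SERVER_AUTH, EKU_CLIENT_AUTH}),
                None):
        err, depth = verify_client_chain(sample_chain(eku))
        print("Sub2_CA EKU=%s -> %s (depth %s)"
              % (sorted(eku) if eku else None, format_verify_error(err), depth))
```

The model checks every element of the chain it is given and does not distinguish certificates supplied by the peer from ones the server found in its own trust store; which elements real OpenSSL subjects to this check depends on the OpenSSL version, so treat the depth it reports as a pointer to the certificate to inspect, not as a verdict. For the real certificates, `openssl x509 -noout -purpose -in <cert>.pem` prints the "SSL client CA" line for each file in the chain, which is the quickest way to confirm whether an intermediate would pass this check.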
