Authenication with certifiactes
Andreas Meyer
anmeyer at anup.de
Mon Jul 2 19:56:26 CEST 2012
Hello!
# radiusd -v
radiusd: FreeRADIUS Version 2.1.9, for host i686-pc-linux-gnu
I could need some help with authenticating users per certificate
to a freeradius server.
I created the certificates and copied the ca.pem the testing supplicant.
Startet freeradius with radius -X and a local executed
radtest miles davis45 192.168.1.220 1812 testing123 gives this result:
Sending Access-Request of id 206 to 192.168.1.220 port 1812
User-Name = "miles"
User-Password = "davis45"
NAS-IP-Address = 192.168.3.1
NAS-Port = 1812
rad_recv: Access-Accept packet from host 192.168.1.220 port 1812, id=206, length=20
I have this in the sqltrace.sql then:
INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'miles', 'davis45',
'Access-Accept', '2012-07-02 19:31:45');
I tried all kind of settings on the supplicant but I cannot get access using the ca.pem
and get no lease from the DHCP-Server of the AP, TL-WA901ND
I post the following output of a radius -X session:
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=155, length=153
User-Name = "andreas"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
Calling-Station-Id = "00-22-B0-E7-EF-98"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000c01616e6472656173
Message-Authenticator = 0xcfc9907d0444926482192aafdcaba630
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andreas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 155 to 192.168.1.254 port 2048
EAP-Message = 0x010100160410627ca484105a5653ea83eec8c11115b0
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f58029d0f5906e7a9d59b95861c72dd
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=156, length=165
User-Name = "andreas"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
Calling-Station-Id = "00-22-B0-E7-EF-98"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100060315
State = 0x0f58029d0f5906e7a9d59b95861c72dd
Message-Authenticator = 0x764f23c23137bd2125a294f54ca21ac1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "andreas", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql] expand: %{User-Name} -> andreas
[sql] sql_set_user escaped user --> 'andreas'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'andreas' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id
rlm_sql_mysql: query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'andreas' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority
rlm_sql_mysql: query: SELECT groupname FROM radusergroup WHERE username = 'andreas' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 156 to 192.168.1.254 port 2048
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0f58029d0e5a17e7a9d59b95861c72dd
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 155 with timestamp +25
Cleaning up request 1 ID 156 with timestamp +25
Ready to process requests.
Can somebody help and tell me what to look for next?
Thank you for every hint!
Andreas
More information about the Freeradius-Users
mailing list