Authentication with certificates
Andreas Meyer
anmeyer at anup.de
Mon Jul 2 22:57:58 CEST 2012
Hello!
alan buxey <A.L.M.Buxey at lboro.ac.uk> wrote:
> Hi,
>
> 1) you are getting an access-accept - which suggest the client is using the values
> you mention - that is 'miles' with 'davis45' as the password - hence you are using PEAP or
> PAP or somesuch and not EAP-TLS certificate
I have no luck with this. I read in some articles that to make an AP with
RADIUS authentication, one should create certificates with 'make all'
in the certs directory after editing the ca.cnf and server.cnf and
copy the ca.pem to the client.
Where can I read what other possibilities there are to authorize a client
for an AP using a RADIUS server as backend?
> 2) your access-accept should mean that the client gets an address on the network it is put
> on via the AP - unless you havent got that bit configured right (VLAN or DHCP server etc) - not
> a FreeRADIUS issue
I just attached the AP to eth0, accessible as 192.168.1.254, activated the
DHCP server and tried to get authorization with a notebook using WPA-Enterprise
and the ca.cert. I disabled sql now in the RADIUS server and get this when
I access from the notebook with TTLS and PAP:
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=3, length=159
User-Name = "christiane"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
Calling-Station-Id = "00-22-B0-E7-D9-9B"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x0200000f0163687269737469616e65
Message-Authenticator = 0x63fa52067e6106e6299499e8e42249ee
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "christiane", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry christiane at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.1.254 port 2048
EAP-Message = 0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4fb647db4fb74330423119a23041222a
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.254 port 2048, id=4, length=168
User-Name = "christiane"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "B0-48-7A-F8-A1-19:gehackt"
Calling-Station-Id = "00-22-B0-E7-D9-9B"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020100060315
State = 0x4fb647db4fb74330423119a23041222a
Message-Authenticator = 0x64f323aa1f0f8335cc75e1ec3690a536
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "christiane", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry christiane at line 95
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.1.254 port 2048
EAP-Message = 0x010200061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x4fb647db4eb45230423119a23041222a
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 3 with timestamp +130
Cleaning up request 3 ID 4 with timestamp +130
Ready to process requests.
But I do not get a lease from the AP.
> 3) clients dont use ca.pem to authentication using certificates - clients get their own client cert
Strange, where can I read about this?
> 4) EAP-TLS is plain/simple method - thus checking against SQL for passwords is wrong
Ok, disabled SQL and made entries in the users file.
miles           Cleartext-Password := "davis45"
christiane      Cleartext-Password := "chr17!"
>
> 5) upgrade - 2.1.9 is hideously old, 2.1.12 contains bug fixes and security fixes.
All right, will do that if I can see some land in this ocean.
>
> alan
Thank you for your help with this! I am a bit lost.
Andreas
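To see where the EAP conversation in the debug output above actually stops, it helps to decode the EAP-Message attributes rather than read the hex by eye. The following is an added example (not FreeRADIUS code and not from the original post); it decodes the four EAP-Message values quoted in the log, which are embedded below as a constructed sample, and reports that the server's TTLS Start request (id 2) is the last message seen with no client reply after it.

```python
import struct

# EAP codes and method types seen in the radiusd -X output (RFC 3748, RFC 5281)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

# Constructed sample: the four EAP-Message lines from the debug output above, in order.
SAMPLE_LOG = """
EAP-Message = 0x0200000f0163687269737469616e65
EAP-Message = 0x010100160410cde74bbeeec3a19a037d5b4fe57f4c97
EAP-Message = 0x020100060315
EAP-Message = 0x010200061520
"""

def decode_eap(hexstr):
    """Decode one EAP-Message attribute value into its header, type and payload fields."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # Request/Response carry a Type byte
        eap_type = data[4]
        payload = data[5:]
        info["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                   # Identity: the (outer) user name
            info["identity"] = payload.decode("utf-8", "replace")
        elif eap_type == 3:                 # Nak: methods the peer wants instead
            info["wants"] = [EAP_TYPES.get(t, t) for t in payload]
        elif eap_type == 4:                 # MD5-Challenge: value-size byte, then challenge
            info["challenge"] = payload[1:1 + payload[0]].hex()
        elif eap_type in (13, 21, 25):      # TLS-based methods share the flags byte; 0x20 = Start
            info["start"] = bool(payload[0] & 0x20)
    return info

def trace_eap(log_text):
    """Pull every EAP-Message attribute out of debug output and decode it in order."""
    return [decode_eap(line.split("=", 1)[1].strip())
            for line in log_text.splitlines() if line.strip().startswith("EAP-Message")]

def diagnose(trace):
    """Report where the exchange stopped. A TTLS Start with no reply means the supplicant
    gave up before the TLS handshake; rejecting the server certificate is a common reason."""
    last = trace[-1]
    if last["code"] == "Request" and last.get("start"):
        return f"stalled: server sent {last['type']} Start (id {last['id']}), client never replied"
    return f"last message: {last['code']} {last.get('type', '')} (id {last['id']})"
```

Running `diagnose(trace_eap(SAMPLE_LOG))` on the excerpt shows the server offering MD5, the client NAKing in favour of TTLS, the TTLS Start going out, and nothing coming back.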