No luck connecting from a ZyXEL NWA3160-N AP
Erich Titl
erich.titl at think.ch
Fri Nov 2 15:56:46 CET 2012
Hi everybody
I am running a freshly compiled
FreeRADIUS Version 2.2.0, for host i686-pc-linux-gnu, built on Oct 31
2012 at 16:56:00
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
authenticating against a MySQL database appears to work fine using radtest
luna:/usr/local/etc/raddb # radtest test 1234 localhost 1812 testing123
Sending Access-Request of id 104 to 127.0.0.1 port 1812
User-Name = "test"
User-Password = "1234"
NAS-IP-Address = 194.124.158.51
NAS-Port = 1812
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=104,
length=20
I connected a ZyXEL NWA 3160-N (latest Firmware), generated a
certificate request, signed it using XCA and reimported it on the AP. I
also installed a certificate signed by the same CA in the
..../raddb/certs directory and of course the CA cert to be able to
verify the client cert.
If I try now to connect to the AP using the same credentials as before,
I am getting the following in the output of radiusd -X
....
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/usr/local/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/usr/local/etc/raddb/certs/luna.think.ch.key"
certificate_file = "/usr/local/etc/raddb/certs/luna.think.ch.pem"
CA_file = "/usr/local/etc/raddb/certs/Think_CA.pem"
private_key_password = ""
dh_file = "/usr/local/etc/raddb/certs/dh"
random_file = "/usr/local/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
.....
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 7 to 194.124.158.62 port 59115
EAP-Message = 0x0102001604106133379bfac030f9a2efcf9a2e3e9641
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0c2c33890c2e3790fae8bf762d1a9802
Finished request 0.
Waking up in 4.9 seconds.
Going to the next request
rad_recv: Access-Request packet from host 194.124.158.62 port 59115,
id=8, length=162
User-Name = "test"
NAS-Port = 0
Called-Station-Id = "50-67-F0-38-A9-E5:ZyXEL"
Vendor-Specific = 0x000000000402
Calling-Station-Id = "74-F0-6D-07-9B-91"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11"
EAP-Message = 0x020200060319
State = 0x0c2c33890c2e3790fae8bf762d1a9802
Message-Authenticator = 0x2ad76dbb03af18776e0c10b36df81895
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
......
......
......
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
.....
There appears to be something wrong with the client certificate passed
by the AP in the EAP conversation. I double-checked the certificates and
googled my fingers raw on this.
This is the server cert
luna:/usr/local/etc/raddb/certs # openssl x509 -in luna.think.ch.pem
-noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 29 (0x1d)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
Validity
Not Before: Nov 2 00:00:00 2012 GMT
Not After : Sep 14 23:59:59 2014 GMT
Subject: C=CH, L=Stallikon, O=THINK, OU=Mail Service,
CN=luna.think.ch
....
and the client cert
luna:/usr/local/etc/raddb/certs # openssl x509 -in 194.124.158.62.pem
-noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 28 (0x1c)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
Validity
Not Before: Nov 1 00:00:00 2012 GMT
Not After : Oct 31 23:59:59 2013 GMT
Subject: C=CH, L=Stallikon, O=THINK, OU=AP, CN=194.124.158.62
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
.....
and the CA cert
luna:/usr/local/etc/raddb/certs # openssl x509 -in Think_CA.pem -noout
-text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
Validity
Not Before: Sep 16 17:00:07 2004 GMT
Not After : Sep 14 17:00:07 2014 GMT
Subject: C=CH, L=Stallikon, O=THINK, OU=CA Section, CN=Think
CA/emailAddress=ca at think.ch
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
...
If you need the full output of radiusd, let me know.
Maybe someone can give me a push in the right direction.
Thanks
Erich Titl