troubles with eap-peap mschapv2
Bertrand Poulet
bertrand.poulet at pasteur-lille.fr
Mon Mar 11 16:38:11 CET 2013
Hi all,
I am trying to migrate from FreeRADIUS 1.1.6 (Mandrake)
to FreeRADIUS 2.2.0 (from source) on Ubuntu 12.04.
The same supplicant and the same AP are OK with the old FR,
but not with the new FR 2.2.0.
What I've done:
I've installed with ./configure; make; make install
root at myhost:/usr/local/etc/raddb/certs# make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
.......................+.................+........................................................................+........................................+...............................................................+.................................+...............+.......+...........................++*++*++*
openssl req -new -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
......................................................................+++
..........................................................+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
-config ./ca.cnf
Generating a 2048 bit RSA private key
.................................+++
.............................................................................................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key
`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt
-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 11 13:18:05 2013 GMT
Not After : Mar 11 13:18:05 2014 GMT
Subject:
countryName = FR
stateOrProvinceName = Radius
organizationName = Example Inc.
commonName = Example Server Certificate
emailAddress = admin at example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Mar 11 13:18:05 2014 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12
-passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
-passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl verify -CAfile ca.pem server.pem
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
root at myhost:/usr/local/etc/raddb/certs# ll -tr
total 116
drwxr-xr-x 8 root root 4096 Mar 11 14:10 ../
-rwxr-x--- 1 root root 2693 Mar 11 14:10 bootstrap*
-rw-r----- 1 root root 4287 Mar 11 14:10 Makefile
-rw-r----- 1 root root 7847 Mar 11 14:10 README
-rw-r----- 1 root root 578 Mar 11 14:10 xpextensions
-rw-r----- 1 root root 1289 Mar 11 14:10 ca.cnf
-rw-r----- 1 root root 1124 Mar 11 14:10 server.cnf
-rw-r----- 1 root root 1102 Mar 11 14:10 client.cnf
-rw-r--r-- 1 root root 3 Mar 11 14:18 serial.old
-rw-r--r-- 1 root root 0 Mar 11 14:18 index.txt.old
-rw-r--r-- 1 root root 245 Mar 11 14:18 dh
-rw-r--r-- 1 root root 5120 Mar 11 14:18 random
-rw-r--r-- 1 root root 1834 Mar 11 14:18 server.key
-rw-r--r-- 1 root root 1062 Mar 11 14:18 server.csr
-rw-r--r-- 1 root root 1675 Mar 11 14:18 ca.pem
-rw-r--r-- 1 root root 1834 Mar 11 14:18 ca.key
-rw-r--r-- 1 root root 4212 Mar 11 14:18 server.crt
-rw-r--r-- 1 root root 3 Mar 11 14:18 serial
-rw-r--r-- 1 root root 21 Mar 11 14:18 index.txt.attr
-rw-r--r-- 1 root root 120 Mar 11 14:18 index.txt
-rw-r--r-- 1 root root 4212 Mar 11 14:18 01.pem
-rw-r--r-- 1 root root 2533 Mar 11 14:18 server.p12
-rw-r--r-- 1 root root 3586 Mar 11 14:18 server.pem
-rw-r--r-- 1 root root 1195 Mar 11 14:18 ca.der
drwxr-x--- 2 root root 4096 Mar 11 14:18 ./
I get this known problem with the (default) certificates.
freeradius -XXX
....
Mon Mar 11 16:35:47 2013 : Debug: Module: Instantiating eap-tls
Mon Mar 11 16:35:47 2013 : Debug: tls {
Mon Mar 11 16:35:47 2013 : Debug: rsa_key_exchange = no
Mon Mar 11 16:35:47 2013 : Debug: dh_key_exchange = yes
Mon Mar 11 16:35:47 2013 : Debug: rsa_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug: dh_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug: verify_depth = 0
Mon Mar 11 16:35:47 2013 : Debug: CA_path =
"/usr/local/etc/raddb/certs"
Mon Mar 11 16:35:47 2013 : Debug: pem_file_type = yes
Mon Mar 11 16:35:47 2013 : Debug: private_key_file =
"/usr/local/etc/raddb/certs/server.pem"
Mon Mar 11 16:35:47 2013 : Debug: certificate_file =
"/usr/local/etc/raddb/certs/server.pem"
Mon Mar 11 16:35:47 2013 : Debug: CA_file =
"/usr/local/etc/raddb/certs/ca.pem"
Mon Mar 11 16:35:47 2013 : Debug: private_key_password = "whatever"
Mon Mar 11 16:35:47 2013 : Debug: dh_file =
"/usr/local/etc/raddb/certs/dh"
Mon Mar 11 16:35:47 2013 : Debug: random_file =
"/usr/local/etc/raddb/certs/random"
Mon Mar 11 16:35:47 2013 : Debug: fragment_size = 1024
Mon Mar 11 16:35:47 2013 : Debug: include_length = yes
Mon Mar 11 16:35:47 2013 : Debug: check_crl = no
Mon Mar 11 16:35:47 2013 : Debug: cipher_list = "DEFAULT"
Mon Mar 11 16:35:47 2013 : Debug: ecdh_curve = "prime256v1"
....
Sending Access-Challenge of id 202 to 172.20.100.53 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9ee5af279ee6b6b6ef02d416f50f62d3
Mon Mar 11 15:59:05 2013 : Info: Finished request 0.
Mon Mar 11 15:59:05 2013 : Debug: Going to the next request
Mon Mar 11 15:59:05 2013 : Debug: Waking up in 4.9 seconds.
Mon Mar 11 15:59:10 2013 : Info: Cleaning up request 0 ID 202 with
timestamp +8
Mon Mar 11 15:59:10 2013 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mon Mar 11 15:59:10 2013 : Debug: WARNING: !! EAP session for state
0x9ee5af279ee6b6b6 did not finish!
Mon Mar 11 15:59:10 2013 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Mon Mar 11 15:59:10 2013 : Debug: WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Mon Mar 11 15:59:10 2013 : Info: Ready to process requests.
....
The supplicant: Windows 7, with no certificate validation, with PEAP /
EAP-MSCHAPv2.
What's wrong?
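The last packet the server sent before the "EAP session ... did not finish" warning is the Access-Challenge with EAP-Message = 0x010300061920. The decoder below is an added example (it is neither the poster's nor FreeRADIUS's code) that parses that attribute according to the RFC 3748 EAP header plus the flag byte shared by EAP-TLS, EAP-TTLS and PEAP, so you can read what the server was waiting for. Only the first sample value is taken from the post above; the other samples are constructed here for illustration.

```python
"""Decode RADIUS EAP-Message values as printed in FreeRADIUS debug output.

Added example, not part of the original post and not FreeRADIUS code.
Layout (RFC 3748): Code(1) Identifier(1) Length(2) [Type(1) Type-Data].
EAP-TLS (RFC 5216), EAP-TTLS and PEAP put a flag byte first in Type-Data:
L (0x80) = TLS Message Length present, M (0x40) = more fragments,
S (0x20) = Start, low 3 bits = method version (PEAP/TTLS only).
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_TUNNELLED = {13, 21, 25}  # methods that carry the L/M/S flag byte

SAMPLES = {
    # Taken from the Access-Challenge in the post above.
    "post_access_challenge": "0x010300061920",
    # Constructed: EAP-Response/Identity for user "bob".
    "identity_bob": "0x0201000801626f62",
    # Constructed: first PEAP fragment, L and M set, 100-byte TLS record announced.
    "peap_first_fragment": "0x0203000d19c000000064160301",
    # Constructed: EAP-Success for identifier 9 (no Type field).
    "success": "0x03090004",
}


def decode_eap_message(hex_string: str) -> dict:
    """Parse one EAP-Message value into its header fields and method flags."""
    h = hex_string[2:] if hex_string.lower().startswith("0x") else hex_string
    data = bytes.fromhex(h)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    msg = {
        "code": EAP_CODES.get(code, f"unknown({code})"),
        "id": ident,
        "length": length,
        "length_ok": length == len(data),  # a truncating NAS/proxy shows up here
        "type": None, "flags": [], "version": None,
        "tls_length": None, "payload": b"", "identity": None,
    }
    if code in (3, 4) or len(data) < 5:
        return msg  # Success/Failure carry no Type field
    type_code = data[4]
    msg["type"] = EAP_TYPES.get(type_code, f"unknown({type_code})")
    body = data[5:]
    if type_code == 1:
        msg["identity"] = body.decode("utf-8", errors="replace")
    elif type_code in TLS_TUNNELLED and body:
        flags = body[0]
        msg["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                        if flags & bit]
        msg["version"] = flags & 0x07  # reserved (0) for plain EAP-TLS
        rest = body[1:]
        if "L" in msg["flags"]:
            if len(rest) < 4:
                raise ValueError("L flag set but TLS Message Length is missing")
            msg["tls_length"] = int.from_bytes(rest[:4], "big")
            rest = rest[4:]
        msg["payload"] = rest
    else:
        msg["payload"] = body
    return msg


def summarize(hex_string: str) -> str:
    """One-line human-readable description of an EAP-Message value."""
    m = decode_eap_message(hex_string)
    text = f"EAP-{m['code']} id={m['id']} len={m['length']}"
    if not m["length_ok"]:
        text += " (LENGTH MISMATCH)"
    if m["type"] is None:
        return text
    text += f" type={m['type']}"
    if m["identity"] is not None:
        return text + f" identity={m['identity']!r}"
    if m["version"] is not None:
        text += f" v{m['version']} flags={''.join(m['flags']) or '-'}"
        if m["flags"] == ["S"] and not m["payload"]:
            text += " -> PEAP/TLS Start: server waits for the client's TLS ClientHello"
        elif "L" in m["flags"]:
            text += f" tls_len={m['tls_length']} fragment={len(m['payload'])}B"
    return text


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:22s} {summarize(value)}")
```

For the value from the post, the decoder reports an EAP-Request, identifier 3, type PEAP, version 0, with only the S flag set: a PEAP Start with no TLS data. The server had begun the tunnel and was waiting for the supplicant's ClientHello; nothing arrived in the following five seconds, which is what the "did not finish" warning records. That places the silence on the supplicant/AP side of the very first PEAP exchange, before any server certificate has been sent, which is worth knowing before spending time on the certificate-compatibility page the warning links to.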