EAP-TLS suddenly broken
John Mok
a9121431 at gmail.com
Sun Feb 14 03:26:12 CET 2016
Hi,
I had been using EAP-TLS authentication with FreeRADIUS 2.1.12 on
Debian Wheezy (OpenSSL 1.0.1e) and it worked fine, until I upgraded
the Debian Wheezy packages (using apt-get dist-upgrade) several weeks
ago. Then, the EAP-TLS authentication suddenly failed and became
broken (see attached log).
Is there anyone knows what go wrong ?
Thanks a lot.
John Mok
-------------- next part --------------
rad_recv: Access-Request packet from host 192.168.16.41 port 1024, id=23, length=289
User-Name = "johnmok.gibeon.org"
Framed-MTU = 1450
EAP-Message = 0x02010017016a6f686e6d6f6b2e676962656f6e2e6f7267
Message-Authenticator = 0x64c11e93961909538417384ef83e99a1
NAS-IP-Address = 192.168.16.41
NAS-Identifier = "ap101-192.168.16.41"
NAS-Port = 16936961
NAS-Port-Id = "slot=1;subslot=0;port=39;vlanid=1"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "18-5E-0F-89-06-B1"
Called-Station-Id = "00-24-73-4E-13-71:Gibeon"
Framed-IP-Address = 192.168.16.152
3Com-Connect_Id = 18
3Com-Product-ID = "3COM 9552"
3Com-Ip-Host-Addr = "192.168.16.152 18:5e:0f:89:06:b1"
3Com-NAS-Startup-Timestamp = 1454130505
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "johnmok.gibeon.org", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.16.41 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05ec7e1705ee67e0d4ea3e35fb142997
Finished request 0.
Going to the next request
Waking up in 5.0 seconds.
rad_recv: Access-Request packet from host 192.168.16.41 port 1024, id=24, length=290
User-Name = "johnmok.gibeon.org"
Framed-MTU = 1450
EAP-Message = 0x02020006030d
Message-Authenticator = 0xcc0ab7c12dac6c395bfc5eb1f464fb11
NAS-IP-Address = 192.168.16.41
NAS-Identifier = "ap101-192.168.16.41"
NAS-Port = 16936961
NAS-Port-Id = "slot=1;subslot=0;port=39;vlanid=1"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "18-5E-0F-89-06-B1"
Called-Station-Id = "00-24-73-4E-13-71:Gibeon"
Framed-IP-Address = 192.168.16.152
State = 0x05ec7e1705ee67e0d4ea3e35fb142997
3Com-Connect_Id = 18
3Com-Product-ID = "3COM 9552"
3Com-Ip-Host-Addr = "192.168.16.152 18:5e:0f:89:06:b1"
3Com-NAS-Startup-Timestamp = 1454130505
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "johnmok.gibeon.org", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.16.41 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05ec7e1704ef73e0d4ea3e35fb142997
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.16.41 port 1024, id=25, length=393
User-Name = "johnmok.gibeon.org"
Framed-MTU = 1450
EAP-Message = 0x0203006d0d8000000063160301005e0100005a030156bfe126da1fe9a06c5ed6e73436f4411c6deec8c4b6735b4ffcf9afb24f3774000018c014c0130035002fc00ac00900380032000a00130005000401000019000a0006000400170018000b0002010000170000ff01000100
Message-Authenticator = 0x5997b4aa1dd485d8ca5f927aba2bf147
NAS-IP-Address = 192.168.16.41
NAS-Identifier = "ap101-192.168.16.41"
NAS-Port = 16936961
NAS-Port-Id = "slot=1;subslot=0;port=39;vlanid=1"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "18-5E-0F-89-06-B1"
Called-Station-Id = "00-24-73-4E-13-71:Gibeon"
Framed-IP-Address = 192.168.16.152
State = 0x05ec7e1704ef73e0d4ea3e35fb142997
3Com-Connect_Id = 18
3Com-Product-ID = "3COM 9552"
3Com-Ip-Host-Addr = "192.168.16.152 18:5e:0f:89:06:b1"
3Com-NAS-Startup-Timestamp = 1454130505
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "johnmok.gibeon.org", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 109
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 99
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005e], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 09ab], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00cb], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.168.16.41 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010404000dc000000ad1160301003902000035030156bfe127dc5b57874636e97c33257bcbdc65b49153710c3109be5d1280e6876300c01400000dff01000100000b00040300010216030109ab0b0009a70009a400055f3082055b30820443a003020102020105300d06092a864886f70d01010505003081b3310b300906035504061302484b3119301706035504080c10486f6e67204b6f6e6720532e412e522e3112301006035504070c09486f6e67204b6f6e67311c301a060355040a0c13476962656f6e204f7267616e697a6174696f6e31253023060355040b0c1c476962656f6e20436572746966696361746520417574686f72697479311230
EAP-Message = 0x1006035504030c09476962656f6e204341311c301a06092a864886f70d010901160d636140676962656f6e2e6f7267301e170d3134303631323134323530335a170d3231303631303134323530335a308193310b300906035504061302484b3119301706035504080c10486f6e67204b6f6e6720532e412e522e311c301a060355040a0c13476962656f6e204f7267616e697a6174696f6e31123010060355040b0c09476962656f6e2043413117301506035504030c0e6574612e676962656f6e2e6f7267311e301c06092a864886f70d010901160f6a6f686e40676962656f6e2e6f726730819f300d06092a864886f70d010101050003818d003081
EAP-Message = 0x8902818100c9eb38ad52e1dfe0e5e0263dbe42b732b04dfb28b59e6c4df942a644dc9415082366aaa5eb54c626eb3106a8822695f4f5a822955d76a316ebebf5111cc4467a8cfbae99053c32a7549684250ced17050bb86cdbf7ca24317ee5ec3265b7210a55b656b9995f8f67953e73b03ab6b605263ad03a3b48acde450cbfaae831c3290203010001a382021a30820216300c0603551d13040530030101ff302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e041604141bb5c441e10b2000b963792a12f2dd5c56180cde3081e80603551d230481e03081dd8014
EAP-Message = 0x703147f20245fce00f76c3b19ad3ceef68e52786a181b9a481b63081b3310b300906035504061302484b3119301706035504080c10486f6e67204b6f6e6720532e412e522e3112301006035504070c09486f6e67204b6f6e67311c301a060355040a0c13476962656f6e204f7267616e697a6174696f6e31253023060355040b0c1c476962656f6e20436572746966696361746520417574686f726974793112301006035504030c09476962656f6e204341311c301a06092a864886f70d010901160d636140676962656f6e2e6f7267820900f672226afbb9a3d1300b0603551d0f0404030201a6301d0603551d250416301406082b06010505070302
EAP-Message = 0x06082b060105050703013034
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05ec7e1707e873e0d4ea3e35fb142997
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.16.41 port 1024, id=26, length=290
User-Name = "johnmok.gibeon.org"
Framed-MTU = 1450
EAP-Message = 0x020400060d00
Message-Authenticator = 0xc68e219a58a3e2cc9b5e8cc038ad829f
NAS-IP-Address = 192.168.16.41
NAS-Identifier = "ap101-192.168.16.41"
NAS-Port = 16936961
NAS-Port-Id = "slot=1;subslot=0;port=39;vlanid=1"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "18-5E-0F-89-06-B1"
Called-Station-Id = "00-24-73-4E-13-71:Gibeon"
Framed-IP-Address = 192.168.16.152
State = 0x05ec7e1707e873e0d4ea3e35fb142997
3Com-Connect_Id = 18
3Com-Product-ID = "3COM 9552"
3Com-Ip-Host-Addr = "192.168.16.152 18:5e:0f:89:06:b1"
3Com-NAS-Startup-Timestamp = 1454130505
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "johnmok.gibeon.org", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 26 to 192.168.16.41 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010504000dc000000ad106096086480186f842010404271625687474703a2f2f6974732e676962656f6e2e6f72672f63612f676962656f6e63612e63726c306c0603551d110465306382617261646975732e676962656f6e2e6f72673b444e533a696d61702e676962656f6e2e6f72673b444e533a6d61696c2e676962656f6e2e6f72673b444e533a736d74702e676962656f6e2e6f72673b444e533a6c6461702e676962656f6e2e6f7267300d06092a864886f70d0101050500038201010073cd39d52af1ec12c02d6213fea2e6b7115de0e9c8f51d038ad618c49ac2a89d50c5f5fee2f56f237765094a2bff0787248cebffd972b7a35c0b5fb71a
EAP-Message = 0xb9e5607ab1d4ad8fadba40f04d1352d29bd6dae81cff9056b45fef92f083ebcb1d6ec03f6c39b88c4b6ca0d23e7e6b5fe705a695db74f5256d4f3380648262e3f42073e27dc06029220038f6bee547f552a20fffaef56af186136579085b6a4efa7df1e00f2df76785f569ff4c4cb307083f2f15b149f618e4f23483fb60d34a033eb92b94a0be0db7bdb7696dc6f5aba423975fcca694fa6047fa0d4e838fad2993bd7f098f6b9dc7e6d4b4be8346f34a182577bd942f3246ce4f4577c9f003e6b1d000043f3082043b30820323a003020102020900f672226afbb9a3d1300d06092a864886f70d01010505003081b3310b300906035504061302484b
EAP-Message = 0x3119301706035504080c10486f6e67204b6f6e6720532e412e522e3112301006035504070c09486f6e67204b6f6e67311c301a060355040a0c13476962656f6e204f7267616e697a6174696f6e31253023060355040b0c1c476962656f6e20436572746966696361746520417574686f726974793112301006035504030c09476962656f6e204341311c301a06092a864886f70d010901160d636140676962656f6e2e6f7267301e170d3133303131333133353532315a170d3337303130373133353532315a3081b3310b300906035504061302484b3119301706035504080c10486f6e67204b6f6e6720532e412e522e3112301006035504070c0948
EAP-Message = 0x6f6e67204b6f6e67311c301a060355040a0c13476962656f6e204f7267616e697a6174696f6e31253023060355040b0c1c476962656f6e20436572746966696361746520417574686f726974793112301006035504030c09476962656f6e204341311c301a06092a864886f70d010901160d636140676962656f6e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100d85600a4641970d9d6154047e0f67c0f4e152bf04ea43e48aec22b3bb1543e1cb8933c5b42a271961aa49315637dbc1116268f252c0e9e46941edef3fe0369bee4599898be257aa56156266b401c220cb6e98f03cd062a92d098869679
EAP-Message = 0xe73005360261486051c58d37
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05ec7e1706e973e0d4ea3e35fb142997
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.16.41 port 1024, id=27, length=290
User-Name = "johnmok.gibeon.org"
Framed-MTU = 1450
EAP-Message = 0x020500060d00
Message-Authenticator = 0x24a7b28996ef8e2755d4b840c7475642
NAS-IP-Address = 192.168.16.41
NAS-Identifier = "ap101-192.168.16.41"
NAS-Port = 16936961
NAS-Port-Id = "slot=1;subslot=0;port=39;vlanid=1"
NAS-Port-Type = Wireless-802.11
Service-Type = Framed-User
Framed-Protocol = PPP
Calling-Station-Id = "18-5E-0F-89-06-B1"
Called-Station-Id = "00-24-73-4E-13-71:Gibeon"
Framed-IP-Address = 192.168.16.152
State = 0x05ec7e1706e973e0d4ea3e35fb142997
3Com-Connect_Id = 18
3Com-Product-ID = "3COM 9552"
3Com-Ip-Host-Addr = "192.168.16.152 18:5e:0f:89:06:b1"
3Com-NAS-Startup-Timestamp = 1454130505
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "johnmok.gibeon.org", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 27 to 192.168.16.41 port 1024
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010602ef0d8000000ad1328f3ba1a86f871a07a4c498150098e316c4d3d588f02bab192472d0d755ba2e755581727043870d88e413b238c4e15ebaba9ace786b27c1fada6b8ef3142117f3c2721cfc2187967b1102ec4013759a8c26ff166399770f702938d582baf05b5b3a4c2999b298c496907d250ac50587c9ca74e3bd63f7caca77954b7e8c44ddfd97ee8bd61267970796b34345604331edca43f5e40cdb0203010001a350304e301d0603551d0e04160414703147f20245fce00f76c3b19ad3ceef68e52786301f0603551d23041830168014703147f20245fce00f76c3b19ad3ceef68e52786300c0603551d13040530030101ff300d06092a
EAP-Message = 0x864886f70d01010505000382010100bc071697b9fe6b67c240d546f62772501d08598bcabf08793e65c5f85a6bf2f392666cdd676dcaee4caa0f16b79bdff7d0fb75001bad582836f7176f36808354823587a9256396f9ff29616babf484000ad44a1f2ef74ef80836c4f994ea442d175e907d0a2517bf18a617db0e06c17795cdf8799f87e2cf7baf4db70333bbfb2170a6d9d563c860b12046a092d04cf300fffbaf33e3df13bd049a9cbf6761458cd4773d191575abff63966c953e354769a1e72c1744ec02bb46ea5298a96af7d5d72b32f52f282da21b4280d2f878e714fd9ca87d7413d91c31c9ccba00cc8252c3d0acd8df60bc9ad7e08848e5
EAP-Message = 0x6fa8f0bf546ce2fc6646de1d74289ccc305d16030100cb0c0000c703001741043d4493563b6ff53673e84cad118244a34ac6e44776de863b40267c5cd9d5c258301de959c900e1db61695e02e166eceb36b8c41f49f130e4cba2b492d8b17a2f00801480e07a1266d33028b7b301558db660a32390fd4c1153bd4887d6f21b176d68e0edfd4700e6e17f86de2c2e9b54cef12c6a43a14666007da86702b9dc5d9ddf04630138dbda5b85d35fb3bc22393f723e35cdde1d956fe457162ffdb9f7751bc9819317a6205787a5066e7293ea94765fd961186fa82babd464f11b2da5aaf9160301000e0d0000060301024000000e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x05ec7e1701ea73e0d4ea3e35fb142997
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Waking up in 4.8 seconds.
Waking up in 1.8 seconds.
Cleaning up request 0 ID 23 with timestamp +9
Cleaning up request 1 ID 24 with timestamp +9
Cleaning up request 2 ID 25 with timestamp +9
Cleaning up request 3 ID 26 with timestamp +9
Cleaning up request 4 ID 27 with timestamp +9
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x05ec7e1701ea73e0 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
More information about the Freeradius-Users
mailing list