EAP - TLS Free Radius Configuration question.

Jeff Ausfeld jeffausfeld at gmail.com
Mon Jan 25 13:26:02 CET 2016 

I have been trying to debug this configuration for quite some time and I
think it's almost correct but I'm missing something and could really use
your help.

*****Versions:*******

freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built
on Aug 26 2015 at 14:47:03

mysql  Ver 14.14 Distrib 5.5.46, for debian-linux-gnu (x86_64) using
readline 6.3

Ubuntu 14.04 kernel 4.3 64 bit.

******freeradius -XXX********

Sun Jan 24 23:19:39 2016 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 44707, id=0,
length=128
        User-Name = "chillispot"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "02-00-00-00-00-01"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = 0x0200000f016368696c6c6973706f74
        Message-Authenticator = 0xe86fc9d356c87144c7d115539c17172b
Sun Jan 24 23:45:40 2016 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/XXXXXXXX
Sun Jan 24 23:45:40 2016 : Info: +- entering group authorize {...}
Sun Jan 24 23:45:40 2016 : Info: ++[preprocess] returns ok
Sun Jan 24 23:45:40 2016 : Info: [eap] EAP packet type response id 0 length
15
Sun Jan 24 23:45:40 2016 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Sun Jan 24 23:45:40 2016 : Info: ++[eap] returns updated
Sun Jan 24 23:45:40 2016 : Debug: rlm_sql (sql): Reserving sql socket id: 1
Sun Jan 24 23:45:40 2016 : Info: [sql]  expand:  ->
Sun Jan 24 23:45:40 2016 : Error: [sql] Error generating query; rejecting
user
Sun Jan 24 23:45:40 2016 : Debug: rlm_sql (sql): Released sql socket id: 1
Sun Jan 24 23:45:40 2016 : Info: ++[sql] returns fail
Sun Jan 24 23:45:40 2016 : Info: Using Post-Auth-Type Reject
Sun Jan 24 23:45:40 2016 : Info: # Executing group from file
/etc/freeradius/sites-enabled/XXXXXXX
Sun Jan 24 23:45:40 2016 : Info: +- entering group REJECT {...}
Sun Jan 24 23:45:40 2016 : Info: [attr_filter.access_reject]    expand:
%{User-Name} -> chillispot
Sun Jan 24 23:45:40 2016 : Debug: attr_filter: Matched entry DEFAULT at
line 11
Sun Jan 24 23:45:40 2016 : Info: ++[attr_filter.access_reject] returns
updated
Sun Jan 24 23:45:40 2016 : Info: Delaying reject of request 7 for 1 seconds
Sun Jan 24 23:45:40 2016 : Debug: Going to the next request
Sun Jan 24 23:45:40 2016 : Debug: Waking up in 0.9 seconds.
Sun Jan 24 23:45:41 2016 : Info: Sending delayed reject for request 7
Sending Access-Reject of id 0 to 127.0.0.1 port 44707
Sun Jan 24 23:45:41 2016 : Debug: Waking up in 4.9 seconds.
Sun Jan 24 23:45:46 2016 : Info: Cleaning up request 7 ID 0 with timestamp
+3210
Sun Jan 24 23:45:46 2016 : Info: Ready to process requests.

****** eapol response *********

root at XXXXXXX:/etc/freeradius/sites-available# eapol_test -c
/etc/freeradius/eapol_test/eap-tls -a 127.0.0.1 -p 1812 -s
testing123Reading configuration file '/etc/freeradius/eapol_test/eap-tls'
Line: 7 - start of a new network block
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00
00
identity - hexdump_ascii(len=10):

**** HEX DUMPS REMOVED ****

Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:44707
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=10):
     63 68 69 6c 6c 69 73 70 6f 74                     chillispot
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=15)
TX EAP -> RADIUS - hexdump(len=15): 02 00 00 0f 01 63 68 69 6c 6c 69 73 70
6f 74
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=10): 63 68 69 6c
6c 69 73 70 6f 74
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=128
   Attribute 1 (User-Name) length=12
      Value: 'chillispot'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=17
      Value: 0200000f016368696c6c6973706f74
   Attribute 80 (Message-Authenticator) length=18
      Value: e86fc9d356c87144c7d115539c17172b
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
Received 20 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=0 length=20
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 1.00 sec

Allowing RADIUS Access-Reject without Message-Authenticator since it does
not include EAP-Message

RADIUS packet matching with station
could not extract EAP-Message from RADIUS message
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
MPPE keys OK: 0  mismatch: 1
FAILURE

***** eap-tls.conf ******

#   eapol_test -c eap-tls.conf -s testing123
#
#   Set also "nostrip" in raddb/proxy.conf, realm "example.com"
#   And make it a LOCAL realm.
#
network={
        key_mgmt=WPA-EAP
        eap=TLS
        identity="chillispot"
        ca_cert="etc/freeradius/certs/ca.pem"
        client_cert="etc/freeradius/certs/client.crt"
        private_key="etc/freeradius/certs/client.key"
        private_key_passwd="XXXXXXXXXXXXXXXXXX"
}

mysql, freeradius, and the eapol command were all run from within the same
physical server box via ssh.

When I expose the file option instead of sql it calls from the users file
and it works fine.  I have traced mysql and it does not seem to be
generating any query.  So my guess is this is getting stopped or discarded
in the initial security checks before sql somewhere.

I have tried this with every permutation I can think of including disabling
firewalls.  There is not much information I could find on the authenticator
but my guess is the packet is not getting formatting correctly as a result
of my configuration/setup, or there is something odd with the certs, or
something similar and since I have restricted this down to only eap-tls it
is causing the failure.

If anybody wants the tshark output, just let me know what switches / or how
you want it sent.  It can get fairly verbose, and I was trying to keep the
initial email to under the size of a novel.

I am very thankful for your time and for any advice or help you can provide.

Regards with thanks,
Jeff.

More information about the Freeradius-Users mailing list