Upgrade 2.1 to 2.2 and EAP-TLS Problem

Oliver Werner oliver.werner at kontrast.de
Wed Mar 23 16:13:35 CET 2016


Hi Alan,

Now I have version 3.0.11 running.

I get requests for EAP-TLS, but no Accept.


Ready to process requests
(9) Received Access-Request Id 155 from 192.168.10.167:39133 to 192.168.70.35:1810 length 263
(9)   Acct-Session-Id = "75d427d5"
(9)   NAS-Port = 40
(9)   NAS-Port-Type = Wireless-802.11
(9)   User-Name = "Oliver Werner"
(9)   Calling-Station-Id = "D0-03-4B-8F-37-CC"
(9)   Called-Station-Id = "98-4B-E1-25-EF-00"
(9)   EAP-Message = 0x021b0012014f6c69766572205765726e6572
(9)   NAS-Identifier = "SG047GG0322"
(9)   NAS-IP-Address = 192.168.10.167
(9)   Framed-MTU = 1496
(9)   Connect-Info = "IEEE802.1X"
(9)   Framed-Protocol = PPP
(9)   Service-Type = Framed-User
(9)   Colubris-AVPair = "ssid=TestOliver"
(9)   Colubris-AVPair = "group=Default Group"
(9)   Colubris-AVPair = "incoming-vlan-id=2"
(9)   Colubris-AVPair = "vsc-unique-id=7"
(9)   Message-Authenticator = 0x68c0c2482cd8dc3dfc72fec86a3bac26
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/kontrast
(9)   authorize {
(9) eapcert: Peer sent EAP Response (code 2) ID 27 length 18
(9) eapcert: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(9)     [eapcert] = ok
(9)   } # authorize = ok
(9) Found Auth-Type = eapcert
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/kontrast
(9)   authenticate {
(9) eapcert: Peer sent packet with method EAP Identity (1)
(9) eapcert: Calling submodule eap_tls to process data
(9) eap_tls: Initiating new EAP-TLS session
(9) eap_tls: Setting verify mode to require certificate from client
(9) eap_tls: [eaptls start] = request
(9) eapcert: Sending EAP Request (code 1) ID 28 length 6
(9) eapcert: EAP session adding &reply:State = 0x842794b5843b9965
(9)     [eapcert] = handled
(9)   } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found.  Ignoring.
(9) Sent Access-Challenge Id 155 from 192.168.70.35:1810 to 192.168.10.167:39133 length 0
(9)   EAP-Message = 0x011c00060d20
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   State = 0x842794b5843b99652f4dda048d4c31ef
(9) Finished request


eap-module:

eap eapcert {
	default_eap_type = tls
	timer_expire     = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}

	tls-config tls-common {
		private_key_password = <secret>
		private_key_file = ${certdir}/Freeradius.pem
		certificate_file = ${certdir}/Freeradius.pem
		cadir = ${certdir}/ca
		ca_file = ${cadir}/cacert.crt
		dh_file = ${certdir}/dh
		random_file = /dev/urandom

		fragment_size = 1024
		include_length = yes
		check_crl = yes
		#check_all_crl = yes
		ca_path = ${cadir}
		check_cert_cn = %{User-Name}
		cipher_list = "DEFAULT"
		# OpenSSL 1.0.1f and 1.0.1g do not calculate
		# the EAP keys correctly.  The fix is to upgrade
		# OpenSSL, or disable TLS 1.2 here.
		#disable_tlsv1_2 = no

		ecdh_curve = "secp384r1"

		cache {
			enable = yes
			lifetime = 24 # hours
			max_entries = 255
			persist_dir = "${logdir}/tlscache"
		}
		verify {
		}
	}
	tls {
		tls = tls-common
		virtual_server = kontrast
	}
}


sites-enabled/kontrast:

server kontrast {
	listen {
		ipaddr = *
		port = 1810
		type = auth
		virtual_server = kontrast
	}

	authorize {
		eapcert {
			ok = return
		}
	}

	authenticate {
		eapcert
	}
	post-auth {
	}
}

OLIVER WERNER
System-Administrator




Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany

Fon  +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de

Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist


> On 23.03.2016 at 13:55, Alan DeKok <aland at deployingradius.com> wrote:
> 
> On Mar 23, 2016, at 5:21 AM, Oliver Werner <oliver.werner at kontrast.de> wrote:
>> 
>> I will test upgrading my FreeRADIUS 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie).
> 
>  Which also changes OpenSSL, among other things.  Recent versions of 2.2 have fixes which work around OpenSSL bugs.
> 
>> So my configured sites for MAC authentication and the sql module look like they are working right now.
>> 
>> But I also have an EAP-TLS site configured where I can't authenticate anymore.
> 
>  Try 2.2.9 before doing anything else.
> 
>  Or, upgrade to 3.0.  It's *much* nicer.
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

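The following is an added example, not part of the original post or of FreeRADIUS itself. It decodes the two EAP-Message values that appear in the debug output above (the peer's EAP-Identity response in Access-Request id 155 and the server's reply in the Access-Challenge), using the EAP header layout from RFC 3748 and the EAP-TLS flags byte from RFC 5216. The only thing the decoded bytes establish is where the exchange shown stands: the server has sent an EAP-TLS Start packet (type 13, S flag set) and nothing else, so the TLS handshake, and with it the client-certificate, CRL and check_cert_cn checks configured in tls-common, has not begun within the portion of the log that was posted. Packet names and helper functions below are the example's own.

```python
"""Decode the EAP-Message attribute values from the FreeRADIUS debug output.

Added example (not from the post or from FreeRADIUS). The two hex strings are
copied from the debug output; everything else is this example's own code.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13

# EAP-TLS flags byte (RFC 5216 section 3.1): L = length included,
# M = more fragments, S = EAP-TLS Start.
TLS_FLAG_LENGTH_INCLUDED = 0x80
TLS_FLAG_MORE_FRAGMENTS = 0x40
TLS_FLAG_START = 0x20


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type
    data: bytes               # Type-Data; empty for Success/Failure

    @property
    def code_name(self) -> str:
        return EAP_CODES.get(self.code, f"Unknown({self.code})")


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet (RFC 3748 section 4): Code, Identifier, Length, [Type, Type-Data]."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A mismatch here means the attribute was truncated or concatenated badly.
        raise ValueError(f"EAP Length field {length} != actual length {len(raw)}")
    if code in (3, 4):
        return EapPacket(code, ident, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response packets need a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


def eap_tls_flags(pkt: EapPacket) -> int:
    """Return the EAP-TLS flags byte; raise if the packet is not EAP-TLS."""
    if pkt.eap_type != EAP_TYPE_TLS or not pkt.data:
        raise ValueError("not an EAP-TLS packet")
    return pkt.data[0]


def describe(pkt: EapPacket) -> str:
    """One-line summary; for EAP-TLS, spell out the flags and the TLS payload size."""
    if pkt.eap_type is None:
        return f"EAP {pkt.code_name} id={pkt.identifier}"
    if pkt.eap_type == EAP_TYPE_IDENTITY:
        return (f"EAP {pkt.code_name} id={pkt.identifier} Identity "
                f"{pkt.data.decode('utf-8', 'replace')!r}")
    if pkt.eap_type == EAP_TYPE_TLS:
        flags = eap_tls_flags(pkt)
        names = ""
        if flags & TLS_FLAG_LENGTH_INCLUDED:
            names += "L"
        if flags & TLS_FLAG_MORE_FRAGMENTS:
            names += "M"
        if flags & TLS_FLAG_START:
            names += "S"
        tls_payload = pkt.data[1:]
        if flags & TLS_FLAG_LENGTH_INCLUDED:
            tls_payload = tls_payload[4:]   # skip the 4-byte TLS Message Length field
        return (f"EAP {pkt.code_name} id={pkt.identifier} EAP-TLS "
                f"flags={names or '-'} tls_bytes={len(tls_payload)}")
    return f"EAP {pkt.code_name} id={pkt.identifier} type={pkt.eap_type} ({len(pkt.data)} bytes)"


# Copied from the debug output: the peer's EAP-Message in Access-Request id 155
# and the server's EAP-Message in the Access-Challenge that answered it.
PEER_IDENTITY_RESPONSE = bytes.fromhex("021b0012014f6c69766572205765726e6572")
SERVER_TLS_START = bytes.fromhex("011c00060d20")

if __name__ == "__main__":
    for raw in (PEER_IDENTITY_RESPONSE, SERVER_TLS_START):
        print(describe(parse_eap(raw)))
```

Running it prints the Identity response (code 2, id 27, length 18, identity "Oliver Werner") followed by "EAP Request id=28 EAP-TLS flags=S tls_bytes=0", which matches the debug lines "Peer sent EAP Response (code 2) ID 27 length 18" and "Sending EAP Request (code 1) ID 28 length 6". To see why an Accept never arrives, the next requests in the debug output (the ones carrying the peer's ClientHello and the server's certificate verification) are what need to be read; the packets shown here are only the EAP-TLS Start.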