Upgrade 2.1 to 2.2 and EAP-TLS Problem
Oliver Werner
oliver.werner at kontrast.de
Wed Mar 23 16:13:35 CET 2016
Hi Alan,
Now I have version 3.0.11 running.
I get requests for EAP-TLS, but no Accept.
Ready to process requests
(9) Received Access-Request Id 155 from 192.168.10.167:39133 to 192.168.70.35:1810 length 263
(9) Acct-Session-Id = "75d427d5"
(9) NAS-Port = 40
(9) NAS-Port-Type = Wireless-802.11
(9) User-Name = "Oliver Werner"
(9) Calling-Station-Id = "D0-03-4B-8F-37-CC"
(9) Called-Station-Id = "98-4B-E1-25-EF-00"
(9) EAP-Message = 0x021b0012014f6c69766572205765726e6572
(9) NAS-Identifier = "SG047GG0322"
(9) NAS-IP-Address = 192.168.10.167
(9) Framed-MTU = 1496
(9) Connect-Info = "IEEE802.1X"
(9) Framed-Protocol = PPP
(9) Service-Type = Framed-User
(9) Colubris-AVPair = "ssid=TestOliver"
(9) Colubris-AVPair = "group=Default Group"
(9) Colubris-AVPair = "incoming-vlan-id=2"
(9) Colubris-AVPair = "vsc-unique-id=7"
(9) Message-Authenticator = 0x68c0c2482cd8dc3dfc72fec86a3bac26
(9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/kontrast
(9) authorize {
(9) eapcert: Peer sent EAP Response (code 2) ID 27 length 18
(9) eapcert: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(9) [eapcert] = ok
(9) } # authorize = ok
(9) Found Auth-Type = eapcert
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/kontrast
(9) authenticate {
(9) eapcert: Peer sent packet with method EAP Identity (1)
(9) eapcert: Calling submodule eap_tls to process data
(9) eap_tls: Initiating new EAP-TLS session
(9) eap_tls: Setting verify mode to require certificate from client
(9) eap_tls: [eaptls start] = request
(9) eapcert: Sending EAP Request (code 1) ID 28 length 6
(9) eapcert: EAP session adding &reply:State = 0x842794b5843b9965
(9) [eapcert] = handled
(9) } # authenticate = handled
(9) Using Post-Auth-Type Challenge
(9) Post-Auth-Type sub-section not found. Ignoring.
(9) Sent Access-Challenge Id 155 from 192.168.70.35:1810 to 192.168.10.167:39133 length 0
(9) EAP-Message = 0x011c00060d20
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) State = 0x842794b5843b99652f4dda048d4c31ef
(9) Finished request
eap-module:
eap eapcert {
	default_eap_type = tls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = ${max_requests}
	tls-config tls-common {
		private_key_password = <secret>
		private_key_file = ${certdir}/Freeradius.pem
		certificate_file = ${certdir}/Freeradius.pem
		cadir = ${certdir}/ca
		ca_file = ${cadir}/cacert.crt
		dh_file = ${certdir}/dh
		random_file = /dev/urandom
		fragment_size = 1024
		include_length = yes
		check_crl = yes
		#check_all_crl = yes
		ca_path = ${cadir}
		check_cert_cn = %{User-Name}
		cipher_list = "DEFAULT"
		# OpenSSL 1.0.1f and 1.0.1g do not calculate
		# the EAP keys correctly. The fix is to upgrade
		# OpenSSL, or disable TLS 1.2 here.
		#disable_tlsv1_2 = no
		ecdh_curve = "secp384r1"
		cache {
			enable = yes
			lifetime = 24 # hours
			max_entries = 255
			persist_dir = "${logdir}/tlscache"
		}
		verify {
		}
	}
	tls {
		tls = tls-common
		virtual_server = kontrast
	}
}
sites-enabled/kontrast:
server kontrast {
	listen {
		ipaddr = *
		port = 1810
		type = auth
		virtual_server = kontrast
	}
	authorize {
		eapcert {
			ok = return
		}
	}
	authenticate {
		eapcert
	}
	post-auth {
	}
}
OLIVER WERNER
System-Administrator
Kontrast Communication Services GmbH
Grafenberger Allee 100, 40237 Düsseldorf, Germany
Fon +49-211-91505-500
Fax +49-211-91505-530
www.kontrast.de <http://www.kontrast.de/>
Amtsgericht Düsseldorf: HRB 26934
Geschäftsführer: Joachim Fischer, Anja Grote-Lutter, Leontine van der Vlist
> Am 23.03.2016 um 13:55 schrieb Alan DeKok <aland at deployingradius.com>:
>
> On Mar 23, 2016, at 5:21 AM, Oliver Werner <oliver.werner at kontrast.de> wrote:
>>
>> I will test upgrading my FreeRADIUS 2.1.12 (Debian Wheezy) to 2.2.5 (Debian Jessie).
>
> Which also changes OpenSSL, among other things. Recent versions of 2.2 have fixes which work around OpenSSL bugs.
>
>> So my configured sites for MAC authentication and the sql module look like they are working right now.
>>
>> But I have also configured an EAP-TLS site where I can't auth anymore.
>
> Try 2.2.9 before doing anything else.
>
> Or, upgrade to 3.0. It's *much* nicer.
>
> Alan DeKok.
>
>
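An added example, not part of Oliver's post and not FreeRADIUS code: a small decoder for the EAP-Message attributes that radiusd -X prints, run over the two packets visible in the debug output above. It shows what the server actually sent back (an EAP-TLS Start request, id 28) and that the log ends there, so the TLS handshake, and with it the client certificate, CRL and check_cert_cn checks in tls-common, was never reached. The two hex strings are copied from the debug output; the client reply packet at the end is constructed to show how a fragment with the L flag decodes; the packet layout follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS); the wording of diagnose() is this example's own.

```python
# Added example (not from the post or from FreeRADIUS): decode the EAP-Message
# attributes shown in a radiusd -X log to see where an EAP-TLS exchange stops.
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def decode_eap(hex_str):
    """Parse one EAP packet given as the hex string FreeRADIUS prints (RFC 3748 header)."""
    data = bytes.fromhex(hex_str[2:] if hex_str.lower().startswith("0x") else hex_str)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        body = data[5:]
        if eap_type == 1:
            # Identity: the body is the bare identity string
            pkt["identity"] = body.decode("utf-8", errors="replace")
        elif eap_type == 13 and body:
            # EAP-TLS (RFC 5216): one flags byte, optional 4-byte TLS length, TLS data
            flags = body[0]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
            offset = 1
            if flags & 0x80:
                pkt["tls_length"] = struct.unpack("!I", body[1:5])[0]
                offset = 5
            pkt["tls_data"] = body[offset:]
    return pkt


EAP_MSG_RE = re.compile(r"EAP-Message = (0x[0-9a-fA-F]+)")


def eap_messages(log_text):
    """Decode every EAP-Message attribute in a radiusd -X log, in order of appearance."""
    return [decode_eap(m.group(1)) for m in EAP_MSG_RE.finditer(log_text)]


def diagnose(log_text):
    """Describe the last EAP packet in the log and what should have followed it."""
    msgs = eap_messages(log_text)
    if not msgs:
        return "no EAP-Message attributes found"
    last = msgs[-1]
    if last["code"] == "Request" and last.get("type") == "EAP-TLS" and last["flags"]["S"]:
        return (f"stalled at EAP-TLS Start (id {last['id']}): the server asked the supplicant "
                "to begin TLS and nothing came back, so no certificate was ever checked")
    if last["code"] == "Response" and last.get("type") == "EAP-TLS":
        return f"peer sent {len(last['tls_data'])} bytes of TLS data in id {last['id']}"
    return f"last packet: {last['code']} id {last['id']} type {last.get('type')}"


# The two EAP-Message lines from the debug output in the post (request 9).
LOG_FROM_POST = """
(9) EAP-Message = 0x021b0012014f6c69766572205765726e6572
(9) Sent Access-Challenge Id 155 from 192.168.70.35:1810 to 192.168.10.167:39133 length 0
(9) EAP-Message = 0x011c00060d20
(9) Finished request
"""

# Constructed packet (not from the post): the shape of the supplicant's first EAP-TLS
# reply, Response id 28, L flag set, TLS length 5, carrying 5 placeholder bytes.
CONSTRUCTED_CLIENT_REPLY = "0x021c000f0d80" + "00000005" + "1603010000"

if __name__ == "__main__":
    for pkt in eap_messages(LOG_FROM_POST):
        print(pkt)
    print(diagnose(LOG_FROM_POST))
    print(decode_eap(CONSTRUCTED_CLIENT_REPLY))
```

Run against the log above, the first packet decodes as a Response (id 27) of type Identity carrying "Oliver Werner" and the second as a Request (id 28) of type EAP-TLS with only the S (Start) flag set and no TLS data. Request 9 then finishes, so the next thing to look for is a Response with type 13 from the supplicant; if it never arrives, the problem is on the client or NAS side (or the supplicant's profile has rejected the server certificate before saying anything), not in the certificate checks configured in tls-common.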