certificate expired with PEAP/MSCHAPv2/Android 11 in WiFi
Olivier
oza.4h07 at gmail.com
Tue Jun 28 14:54:33 UTC 2022
Hello,
For some time now, Android 11 has required cert validation in WiFi
connections (see [1]).
At the same time, Android 11 also makes it much harder for end users
to import a self-signed root CA (see [2]).
As I provide WiFi connectivity in BYOD environments and can't help end
users when they import certs, I chose to test PEAP/MSCHAPv2 with
LetsEncrypt certs, though I know this would be less secure than with a
self-signed root CA.
I'm planning to generate and renew the LetsEncrypt cert on a remote
Internet-connected host, and then copy both the privkey.pem and
fullchain.pem files to the Freeradius instance, as suggested by [3].
In my lab setup, I'm using a Samsung Galaxy Tab A7 Lite for testing.
Though Android 11-powered, this device also allows the pre-Android 11
Do-Not-Validate option!
When I connect to WiFi with this device, I'm using the following settings:
Identity: bar
Password: whateverneeded
CA Certificate: use system certificate
Online cert status: do not validate
Domain: the exact CN value
My lab setup includes:
- a Freeradius 3.0.21 on Debian Bullseye
- a Unifi WiFi Network 6.5.55 with WiFi AP
- a Samsung Galaxy Tab A7 Lite
- valid LetsEncrypt certs
My cert files are copied onto the Freeradius host as:
# ls -l /etc/freeradius/3.0/certs/letsencrypt/
total 12
-rw-r----- 1 freerad freerad 5604 27 juin 19:04 fullchain.pem
-rw------- 1 freerad freerad 1704 27 juin 19:04 privkey.pem
# openssl x509 -dates -noout -in /etc/freeradius/3.0/certs/letsencrypt/fullchain.pem
notBefore=May 28 17:32:21 2022 GMT
notAfter=Aug 26 17:32:20 2022 GMT
[1] https://internet-access-guide.com/android-wifi-ca-certificate-do-not-validate/
[2] https://httptoolkit.tech/blog/android-11-trust-ca-certificates/
[3] https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-freeradius/
When I connect to WiFi, this is part of the freeradius -X output:
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
}
...
rlm_mschap (mschap): using internal authentication
# Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_leap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_tls
tls {
tls = "tls-common"
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/freeradius/3.0/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem"
certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem"
ca_file = "/etc/ssl/certs/ca-certificates.crt"
private_key_password = <<< secret >>>
dh_file = "/etc/freeradius/3.0/certs/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = no
check_all_crl = no
cipher_list = "DEFAULT"
cipher_server_preference = no
ecdh_curve = "prime256v1"
disable_tlsv1 = yes
disable_tlsv1_1 = yes
tls_max_version = "1.2"
tls_min_version = "1.2"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Please use tls_min_version and tls_max_version instead of disable_tlsv1
Please use tls_min_version and tls_max_version instead of disable_tlsv1_2
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = no
}
# Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always
# Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
} # modules
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/3.0/radiusd.conf
} # server
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
# Loading authenticate {...}
# Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
# Loading session {...}
# Loading post-proxy {...}
# Loading post-auth {...}
# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336
} # server inner-tunnel
server default { # from file /etc/freeradius/3.0/sites-enabled/default
# Loading authenticate {...}
# Loading authorize {...}
# Loading preacct {...}
# Loading accounting {...}
# Loading post-proxy {...}
# Loading post-auth {...}
} # server default
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
listen {
type = "auth"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipaddr = *
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "auth"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
listen {
type = "acct"
ipv6addr = ::
port = 0
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56401
Listening on proxy address :: port 45775
Ready to process requests
(26) eap: Peer sent EAP Response (code 2) ID 1 length 141
(26) eap: Continuing tunnel setup
(26) [eap] = ok
(26) } # authorize = ok
(26) Found Auth-Type = eap
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) authenticate {
(26) eap: Expiring EAP session with state 0xc733062dc6321fce
(26) eap: Finished EAP session with state 0xc733062dc6321fce
(26) eap: Previous EAP request found for state 0xc733062dc6321fce, released from the list
(26) eap: Peer sent packet with method EAP PEAP (25)
(26) eap: Calling submodule eap_peap to process data
(26) eap_peap: Continuing EAP-TLS
(26) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(26) eap_peap: Got complete TLS record (131 bytes)
(26) eap_peap: [eaptls verify] = length included
(26) eap_peap: (other): before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: TLS_accept: before SSL initialization
(26) eap_peap: <<< recv TLS 1.3 [length 007e]
(26) eap_peap: TLS_accept: SSLv3/TLS read client hello
(26) eap_peap: >>> send TLS 1.2 [length 003d]
(26) eap_peap: TLS_accept: SSLv3/TLS write server hello
(26) eap_peap: >>> send TLS 1.2 [length 0fbe]
(26) eap_peap: TLS_accept: SSLv3/TLS write certificate
(26) eap_peap: >>> send TLS 1.2 [length 014d]
(26) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(26) eap_peap: >>> send TLS 1.2 [length 0004]
(26) eap_peap: TLS_accept: SSLv3/TLS write server done
(26) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(26) eap_peap: TLS - In Handshake Phase
(26) eap_peap: TLS - got 4448 bytes of data
(26) eap_peap: [eaptls process] = handled
(26) eap: Sending EAP Request (code 1) ID 2 length 1004
(26) eap: EAP session adding &reply:State = 0xc733062dc5311fce
(26) [eap] = handled
(26) } # authenticate = handled
(26) Using Post-Auth-Type Challenge
(26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(26) Challenge { ... } # empty sub-section is ignored
(26) Sent Access-Challenge Id 43 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0
(26) EAP-Message =
0x010203ec19c000001160160303003d020000390303af5657898d92eefe5085a4ad3604bed4f0f0b48e39cd7ada954fbee1b104098800c02f000011ff01000100000b000403000102001700001603030fbe0b000fba000fb70005303082052c30820414a003020102021203734b50cf2bcbeb7c22ada836c00a3f624f300d06092a864886f70d01010b05003032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b3009060355040313025233301e170d3232303532383137333232315a170d3232303832363137333232305a301e311c301a06035504031313686f7374332e706572656e69702e636c6f756430820122300d06092a864886f70d01010105000382010f003082010a0282010100e653da7ed722cc166a21b4055852edc8973b7daa624eb8897805f735be194e49d231f0d04e2d091679c8a1f9075bf6051d24661042467c293e77827ed8de02eacf8132699f9aac89cb9471f1857c292dca4cc9d69608d7
(26) Message-Authenticator = 0x00000000000000000000000000000000
(26) State = 0xc733062dc5311fceda200d98107c2728
(26) Finished request
Waking up in 4.9 seconds.
(27) Received Access-Request Id 44 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231
(27) User-Name = "bar"
(27) NAS-IP-Address = 192.168.1.50
(27) NAS-Identifier = "f09fc2f50d43"
(27) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(27) NAS-Port-Type = Wireless-802.11
(27) Service-Type = Framed-User
(27) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(27) Connect-Info = "CONNECT 0Mbps 802.11b"
(27) Acct-Session-Id = "2087B41CCAAC0F74"
(27) Acct-Multi-Session-Id = "C546EF77BB09F037"
(27) WLAN-Pairwise-Cipher = 1027076
(27) WLAN-Group-Cipher = 1027076
(27) WLAN-AKM-Suite = 1027073
(27) Framed-MTU = 1400
(27) EAP-Message = 0x020200061900
(27) State = 0xc733062dc5311fceda200d98107c2728
(27) Message-Authenticator = 0x39f4e95b5909f1152843a2e02fbaffde
(27) session-state: No cached attributes
(27) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(27) authorize {
(27) policy filter_username {
(27) if (&User-Name) {
(27) if (&User-Name) -> TRUE
(27) if (&User-Name) {
(27) if (&User-Name =~ / /) {
(27) if (&User-Name =~ / /) -> FALSE
(27) if (&User-Name =~ /@[^@]*@/ ) {
(27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(27) if (&User-Name =~ /\.\./ ) {
(27) if (&User-Name =~ /\.\./ ) -> FALSE
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(27) if (&User-Name =~ /\.$/) {
(27) if (&User-Name =~ /\.$/) -> FALSE
(27) if (&User-Name =~ /@\./) {
(27) if (&User-Name =~ /@\./) -> FALSE
(27) } # if (&User-Name) = notfound
(27) } # policy filter_username = notfound
(27) [preprocess] = ok
(27) [chap] = noop
(27) [mschap] = noop
(27) [digest] = noop
(27) suffix: Checking for suffix after "@"
(27) suffix: No '@' in User-Name = "bar", looking up realm NULL
(27) suffix: No such realm "NULL"
(27) [suffix] = noop
(27) eap: Peer sent EAP Response (code 2) ID 2 length 6
(27) eap: Continuing tunnel setup
(27) [eap] = ok
(27) } # authorize = ok
(27) Found Auth-Type = eap
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) authenticate {
(27) eap: Expiring EAP session with state 0xc733062dc5311fce
(27) eap: Finished EAP session with state 0xc733062dc5311fce
(27) eap: Previous EAP request found for state 0xc733062dc5311fce, released from the list
(27) eap: Peer sent packet with method EAP PEAP (25)
(27) eap: Calling submodule eap_peap to process data
(27) eap_peap: Continuing EAP-TLS
(27) eap_peap: Peer ACKed our handshake fragment
(27) eap_peap: [eaptls verify] = request
(27) eap_peap: [eaptls process] = handled
(27) eap: Sending EAP Request (code 1) ID 3 length 1000
(27) eap: EAP session adding &reply:State = 0xc733062dc4301fce
(27) [eap] = handled
(27) } # authenticate = handled
(27) Using Post-Auth-Type Challenge
(27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(27) Challenge { ... } # empty sub-section is ignored
(27) Sent Access-Challenge Id 44 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0
(27) EAP-Message =
0x010303e81940cca15e2a9dd6bfa61b4d866fdcc7284c9a6a860076002979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784000001810bf0d4030000040300473045022037d7b0385f16f2b16e8903082d51bb15604c0262cd7473239d165e5ca5a858740221009c92c932de42f9d7883a89cd8ddc171d91a0f5b0d2e77b6886d1ea473f7fbe17300d06092a864886f70d01010b05000382010100731334fe1bbdc145631a0ddd0e7174e87df1da2cf6b032521bba82995c0460886e5b751c5f0b417ad32fa987caac9f61be48ec68673e33bc5a1deebe1004c5546cb3ef098495ab393bd60c614e132ad13e5fe0ca56106aeb92cf1f4e6de2f8f736bc1e94b7659439b711b931ba2174abb85ef05347b7d82f18411fe147f74939fbe311977c50c90b7c7720e890b59300fef66c0c7b84cd536cbde1aee6231f21550751613cba3ad52f48c82b2cc0de8e38764ba3c988a8cd37994500c1233288e294319b95c4600a48b3094eadf3ac1d68bf
(27) Message-Authenticator = 0x00000000000000000000000000000000
(27) State = 0xc733062dc4301fceda200d98107c2728
(27) Finished request
Waking up in 4.9 seconds.
(28) Received Access-Request Id 45 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231
(28) User-Name = "bar"
(28) NAS-IP-Address = 192.168.1.50
(28) NAS-Identifier = "f09fc2f50d43"
(28) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(28) NAS-Port-Type = Wireless-802.11
(28) Service-Type = Framed-User
(28) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(28) Connect-Info = "CONNECT 0Mbps 802.11b"
(28) Acct-Session-Id = "2087B41CCAAC0F74"
(28) Acct-Multi-Session-Id = "C546EF77BB09F037"
(28) WLAN-Pairwise-Cipher = 1027076
(28) WLAN-Group-Cipher = 1027076
(28) WLAN-AKM-Suite = 1027073
(28) Framed-MTU = 1400
(28) EAP-Message = 0x020300061900
(28) State = 0xc733062dc4301fceda200d98107c2728
(28) Message-Authenticator = 0x441e1d2d2df0e955fe4065c44cb93a6b
(28) session-state: No cached attributes
(28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(28) authorize {
(28) policy filter_username {
(28) if (&User-Name) {
(28) if (&User-Name) -> TRUE
(28) if (&User-Name) {
(28) if (&User-Name =~ / /) {
(28) if (&User-Name =~ / /) -> FALSE
(28) if (&User-Name =~ /@[^@]*@/ ) {
(28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(28) if (&User-Name =~ /\.\./ ) {
(28) if (&User-Name =~ /\.\./ ) -> FALSE
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(28) if (&User-Name =~ /\.$/) {
(28) if (&User-Name =~ /\.$/) -> FALSE
(28) if (&User-Name =~ /@\./) {
(28) if (&User-Name =~ /@\./) -> FALSE
(28) } # if (&User-Name) = notfound
(28) } # policy filter_username = notfound
(28) [preprocess] = ok
(28) [chap] = noop
(28) [mschap] = noop
(28) [digest] = noop
(28) suffix: Checking for suffix after "@"
(28) suffix: No '@' in User-Name = "bar", looking up realm NULL
(28) suffix: No such realm "NULL"
(28) [suffix] = noop
(28) eap: Peer sent EAP Response (code 2) ID 3 length 6
(28) eap: Continuing tunnel setup
(28) [eap] = ok
(28) } # authorize = ok
(28) Found Auth-Type = eap
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) authenticate {
(28) eap: Expiring EAP session with state 0xc733062dc4301fce
(28) eap: Finished EAP session with state 0xc733062dc4301fce
(28) eap: Previous EAP request found for state 0xc733062dc4301fce, released from the list
(28) eap: Peer sent packet with method EAP PEAP (25)
(28) eap: Calling submodule eap_peap to process data
(28) eap_peap: Continuing EAP-TLS
(28) eap_peap: Peer ACKed our handshake fragment
(28) eap_peap: [eaptls verify] = request
(28) eap_peap: [eaptls process] = handled
(28) eap: Sending EAP Request (code 1) ID 4 length 1000
(28) eap: EAP session adding &reply:State = 0xc733062dc3371fce
(28) [eap] = handled
(28) } # authenticate = handled
(28) Using Post-Auth-Type Challenge
(28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(28) Challenge { ... } # empty sub-section is ignored
(28) Sent Access-Challenge Id 45 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0
(28) EAP-Message =
0x010403e8194001ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10
(28) Message-Authenticator = 0x00000000000000000000000000000000
(28) State = 0xc733062dc3371fceda200d98107c2728
(28) Finished request
Waking up in 4.9 seconds.
(29) Received Access-Request Id 46 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231
(29) User-Name = "bar"
(29) NAS-IP-Address = 192.168.1.50
(29) NAS-Identifier = "f09fc2f50d43"
(29) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(29) NAS-Port-Type = Wireless-802.11
(29) Service-Type = Framed-User
(29) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(29) Connect-Info = "CONNECT 0Mbps 802.11b"
(29) Acct-Session-Id = "2087B41CCAAC0F74"
(29) Acct-Multi-Session-Id = "C546EF77BB09F037"
(29) WLAN-Pairwise-Cipher = 1027076
(29) WLAN-Group-Cipher = 1027076
(29) WLAN-AKM-Suite = 1027073
(29) Framed-MTU = 1400
(29) EAP-Message = 0x020400061900
(29) State = 0xc733062dc3371fceda200d98107c2728
(29) Message-Authenticator = 0x662064b545b5aa385ea1ebd63c5d881b
(29) session-state: No cached attributes
(29) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(29) authorize {
(29) policy filter_username {
(29) if (&User-Name) {
(29) if (&User-Name) -> TRUE
(29) if (&User-Name) {
(29) if (&User-Name =~ / /) {
(29) if (&User-Name =~ / /) -> FALSE
(29) if (&User-Name =~ /@[^@]*@/ ) {
(29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(29) if (&User-Name =~ /\.\./ ) {
(29) if (&User-Name =~ /\.\./ ) -> FALSE
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(29) if (&User-Name =~ /\.$/) {
(29) if (&User-Name =~ /\.$/) -> FALSE
(29) if (&User-Name =~ /@\./) {
(29) if (&User-Name =~ /@\./) -> FALSE
(29) } # if (&User-Name) = notfound
(29) } # policy filter_username = notfound
(29) [preprocess] = ok
(29) [chap] = noop
(29) [mschap] = noop
(29) [digest] = noop
(29) suffix: Checking for suffix after "@"
(29) suffix: No '@' in User-Name = "bar", looking up realm NULL
(29) suffix: No such realm "NULL"
(29) [suffix] = noop
(29) eap: Peer sent EAP Response (code 2) ID 4 length 6
(29) eap: Continuing tunnel setup
(29) [eap] = ok
(29) } # authorize = ok
(29) Found Auth-Type = eap
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) authenticate {
(29) eap: Expiring EAP session with state 0xc733062dc3371fce
(29) eap: Finished EAP session with state 0xc733062dc3371fce
(29) eap: Previous EAP request found for state 0xc733062dc3371fce, released from the list
(29) eap: Peer sent packet with method EAP PEAP (25)
(29) eap: Calling submodule eap_peap to process data
(29) eap_peap: Continuing EAP-TLS
(29) eap_peap: Peer ACKed our handshake fragment
(29) eap_peap: [eaptls verify] = request
(29) eap_peap: [eaptls process] = handled
(29) eap: Sending EAP Request (code 1) ID 5 length 1000
(29) eap: EAP session adding &reply:State = 0xc733062dc2361fce
(29) [eap] = handled
(29) } # authenticate = handled
(29) Using Post-Auth-Type Challenge
(29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(29) Challenge { ... } # empty sub-section is ignored
(29) Sent Access-Challenge Id 46 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0
(29) Message-Authenticator = 0x00000000000000000000000000000000
(29) State = 0xc733062dc2361fceda200d98107c2728
(29) Finished request
Waking up in 4.8 seconds.
(30) Received Access-Request Id 47 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231
(30) User-Name = "bar"
(30) NAS-IP-Address = 192.168.1.50
(30) NAS-Identifier = "f09fc2f50d43"
(30) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(30) NAS-Port-Type = Wireless-802.11
(30) Service-Type = Framed-User
(30) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(30) Connect-Info = "CONNECT 0Mbps 802.11b"
(30) Acct-Session-Id = "2087B41CCAAC0F74"
(30) Acct-Multi-Session-Id = "C546EF77BB09F037"
(30) WLAN-Pairwise-Cipher = 1027076
(30) WLAN-Group-Cipher = 1027076
(30) WLAN-AKM-Suite = 1027073
(30) Framed-MTU = 1400
(30) EAP-Message = 0x020500061900
(30) State = 0xc733062dc2361fceda200d98107c2728
(30) Message-Authenticator = 0xdb1a11eda65bfd28f2bae8a4467c4bea
(30) session-state: No cached attributes
(30) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(30) authorize {
(30) policy filter_username {
(30) if (&User-Name) {
(30) if (&User-Name) -> TRUE
(30) if (&User-Name) {
(30) if (&User-Name =~ / /) {
(30) if (&User-Name =~ / /) -> FALSE
(30) if (&User-Name =~ /@[^@]*@/ ) {
(30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(30) if (&User-Name =~ /\.\./ ) {
(30) if (&User-Name =~ /\.\./ ) -> FALSE
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(30) if (&User-Name =~ /\.$/) {
(30) if (&User-Name =~ /\.$/) -> FALSE
(30) if (&User-Name =~ /@\./) {
(30) if (&User-Name =~ /@\./) -> FALSE
(30) } # if (&User-Name) = notfound
(30) } # policy filter_username = notfound
(30) [preprocess] = ok
(30) [chap] = noop
(30) [mschap] = noop
(30) [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: No '@' in User-Name = "bar", looking up realm NULL
(30) suffix: No such realm "NULL"
(30) [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 5 length 6
(30) eap: Continuing tunnel setup
(30) [eap] = ok
(30) } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) authenticate {
(30) eap: Expiring EAP session with state 0xc733062dc2361fce
(30) eap: Finished EAP session with state 0xc733062dc2361fce
(30) eap: Previous EAP request found for state 0xc733062dc2361fce, released from the list
(30) eap: Peer sent packet with method EAP PEAP (25)
(30) eap: Calling submodule eap_peap to process data
(30) eap_peap: Continuing EAP-TLS
(30) eap_peap: Peer ACKed our handshake fragment
(30) eap_peap: [eaptls verify] = request
(30) eap_peap: [eaptls process] = handled
(30) eap: Sending EAP Request (code 1) ID 6 length 478
(30) eap: EAP session adding &reply:State = 0xc733062dc1351fce
(30) [eap] = handled
(30) } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(30) Challenge { ... } # empty sub-section is ignored
(30) Sent Access-Challenge Id 47 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0
(30) Message-Authenticator = 0x00000000000000000000000000000000
(30) State = 0xc733062dc1351fceda200d98107c2728
(30) Finished request
Waking up in 4.8 seconds.
(31) Received Access-Request Id 48 from 192.168.1.50:58452 to 192.168.1.244:1812 length 242
(31) User-Name = "bar"
(31) NAS-IP-Address = 192.168.1.50
(31) NAS-Identifier = "f09fc2f50d43"
(31) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany"
(31) NAS-Port-Type = Wireless-802.11
(31) Service-Type = Framed-User
(31) Calling-Station-Id = "2E-9A-17-FA-78-FA"
(31) Connect-Info = "CONNECT 0Mbps 802.11b"
(31) Acct-Session-Id = "2087B41CCAAC0F74"
(31) Acct-Multi-Session-Id = "C546EF77BB09F037"
(31) WLAN-Pairwise-Cipher = 1027076
(31) WLAN-Group-Cipher = 1027076
(31) WLAN-AKM-Suite = 1027073
(31) Framed-MTU = 1400
(31) EAP-Message = 0x020600111980000000071503030002022d
(31) State = 0xc733062dc1351fceda200d98107c2728
(31) Message-Authenticator = 0x96fa48935246587652cd6219e8243639
(31) session-state: No cached attributes
(31) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(31) authorize {
(31) policy filter_username {
(31) if (&User-Name) {
(31) if (&User-Name) -> TRUE
(31) if (&User-Name) {
(31) if (&User-Name =~ / /) {
(31) if (&User-Name =~ / /) -> FALSE
(31) if (&User-Name =~ /@[^@]*@/ ) {
(31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(31) if (&User-Name =~ /\.\./ ) {
(31) if (&User-Name =~ /\.\./ ) -> FALSE
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(31) if (&User-Name =~ /\.$/) {
(31) if (&User-Name =~ /\.$/) -> FALSE
(31) if (&User-Name =~ /@\./) {
(31) if (&User-Name =~ /@\./) -> FALSE
(31) } # if (&User-Name) = notfound
(31) } # policy filter_username = notfound
(31) [preprocess] = ok
(31) [chap] = noop
(31) [mschap] = noop
(31) [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: No '@' in User-Name = "bar", looking up realm NULL
(31) suffix: No such realm "NULL"
(31) [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 6 length 17
(31) eap: Continuing tunnel setup
(31) [eap] = ok
(31) } # authorize = ok
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) authenticate {
(31) eap: Expiring EAP session with state 0xc733062dc1351fce
(31) eap: Finished EAP session with state 0xc733062dc1351fce
(31) eap: Previous EAP request found for state 0xc733062dc1351fce, released from the list
(31) eap: Peer sent packet with method EAP PEAP (25)
(31) eap: Calling submodule eap_peap to process data
(31) eap_peap: Continuing EAP-TLS
(31) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(31) eap_peap: Got complete TLS record (7 bytes)
(31) eap_peap: [eaptls verify] = length included
(31) eap_peap: <<< recv TLS 1.2 [length 0002]
(31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(31) eap_peap: TLS_accept: Need to read more data: error
(31) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
(31) eap_peap: TLS - In Handshake Phase
(31) eap_peap: TLS - Application data.
(31) eap_peap: ERROR: TLS failed during operation
(31) eap_peap: ERROR: [eaptls process] = fail
(31) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(31) eap: Sending EAP Failure (code 4) ID 6 length 4
(31) eap: Failed in EAP select
(31) [eap] = invalid
(31) } # authenticate = invalid
(31) Failed to authenticate the user
(31) Using Post-Auth-Type Reject
(31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(31) Post-Auth-Type REJECT {
(31) attr_filter.access_reject: EXPAND %{User-Name}
(31) attr_filter.access_reject: --> bar
(31) attr_filter.access_reject: Matched entry DEFAULT at line 11
(31) [attr_filter.access_reject] = updated
(31) [eap] = noop
(31) policy remove_reply_message_if_eap {
(31) if (&reply:EAP-Message && &reply:Reply-Message) {
(31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(31) else {
(31) [noop] = noop
(31) } # else = noop
(31) } # policy remove_reply_message_if_eap = noop
(31) } # Post-Auth-Type REJECT = updated
(31) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(31) Sending delayed response
(31) Sent Access-Reject Id 48 from 192.168.1.244:1812 to 192.168.1.50:58452 length 44
(31) EAP-Message = 0x04060004
(31) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(24) Cleaning up request packet ID 41 with timestamp +308
How can I correct this?
Best regards
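A check worth running on a setup like the one above, added here as an example (it is not part of Olivier's post nor of FreeRADIUS): it decodes the validity window of every certificate in a PEM bundle such as fullchain.pem, whereas `openssl x509 -dates` on that file only reads the first certificate, so the client's "certificate expired" alert can be compared against each member of the chain the server actually sends. Stdlib-only Python; the two-certificate bundle at the bottom is constructed for demonstration and the fixed date is the date of the post.

```python
# Added example (not from the original post): list the validity window of EVERY
# certificate in a PEM bundle such as fullchain.pem. `openssl x509 -dates -in
# fullchain.pem` only decodes the first certificate in the file, so an expired
# intermediate or cross-signed root further down the chain stays invisible.
# Stdlib only (no cryptography package); the bundle at the bottom is constructed.
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, off):
    """Decode one DER tag/length at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                         # long form: next N bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element of a SEQUENCE."""
    off = start
    while off < end:
        tag, vs, ve = _tlv(buf, off)
        yield tag, vs, ve
        off = ve

def _time(buf, tag, vs, ve):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = buf[vs:ve].decode("ascii")
    if tag == 0x17:                           # RFC 5280: YY >= 50 means 19YY, else 20YY
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) of one DER-encoded X.509 certificate."""
    _, cs, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, ts, te = _tlv(der, cs)                 # TBSCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    _, vs, ve = fields[3]                     # serial, signature, issuer, *validity*, subject
    not_before, not_after = list(_children(der, vs, ve))
    return _time(der, *not_before), _time(der, *not_after)

def check_bundle(pem_text, now=None):
    """Classify each certificate in the bundle as ok / expired / not-yet-valid."""
    now = now or datetime.now(timezone.utc)
    report = []
    for i, b64 in enumerate(PEM_RE.findall(pem_text)):
        nb, na = validity(base64.b64decode("".join(b64.split())))
        status = "expired" if now > na else "not-yet-valid" if now < nb else "ok"
        report.append({"index": i, "notBefore": nb, "notAfter": na, "status": status})
    return report

# ---- constructed sample input: unsigned TBS skeletons, NOT a real chain ----
def _der(tag, content):
    """Minimal DER encoder, used only to build the sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _skeleton_cert(nb, na):
    """[0] version, serial, sigAlg, issuer, validity, subject: enough for validity()."""
    def utc(d): return _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, utc(nb) + utc(na)) + _der(0x30, b""))
    body = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

NOW = datetime(2022, 6, 28, 12, 0, tzinfo=timezone.utc)      # date of the post
SAMPLE_BUNDLE = (
    _skeleton_cert(NOW - timedelta(days=31), NOW + timedelta(days=59))       # leaf: valid
    + _skeleton_cert(NOW - timedelta(days=1000), NOW - timedelta(days=270))  # chain member: expired
)

if __name__ == "__main__":
    for row in check_bundle(SAMPLE_BUNDLE, NOW):
        print(f"cert #{row['index']}: {row['notBefore']:%Y-%m-%d} .. "
              f"{row['notAfter']:%Y-%m-%d}  {row['status']}")
```

On a real host, `check_bundle(open("/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem").read())` walks the file the server is configured to send; any row other than `ok` is what the client would see as a validity failure.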