eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA
Dave Funk
dbfunk at engineering.uiowa.edu
Fri Jan 5 17:01:53 UTC 2024
Dario,
you have a server configuration issue:
> (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file
> /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1:
> Permission denied
and an eap issue:
> (8) eap: Peer sent packet with method EAP Identity (1)
> (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26)
> (8) eap: Sending EAP Failure (code 4) ID 9 length 4
> (8) eap: Failed in EAP select
> (8) [eap] = invalid
> (8) } # authenticate = invalid
> (8) Failed to authenticate the user
> (8) Using Post-Auth-Type Reject
I don't know if that file permissions issue could cause the invalid eap
error, but that would be the place that I would start, and then look
for further eap errors.
On Fri, 5 Jan 2024, Dario Barbon wrote:
> Hi Alan, thanks for your patience.
>
> On 05/01/2024 16:18, Alan DeKok wrote:
>> And the debug output says... what?
>> If it says "unknown CA", I already explained what the problem is, and
>> what needs to be done to fix it.
>> Perhaps that's the issue. As I said, you have to configure the
>> supplicant with the CA used to generate the server certificate.
>
> I installed the CA certificate and collected the entire log file content:
>
[snip..]
> (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished
> (6) eap_peap: Serialising session
> 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd, and
> storing in cache
> (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening
> session file
> /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1:
> Permission denied
> (6) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully
> (6) eap_peap: (TLS) Connection Established
> (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
> (6) eap_peap: TLS-Session-Version = "TLS 1.2"
> (6) eap: Sending EAP Request (code 1) ID 8 length 57
> (6) eap: EAP session adding &reply:State = 0x0d11b4170b19ad2d
> (6) [eap] = handled
> (6) } # authenticate = handled
> (6) Using Post-Auth-Type Challenge
> (6) Post-Auth-Type sub-section not found. Ignoring.
> (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
> (6) session-state: Saving cached attributes
> (6) Framed-MTU = 994
> (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
> (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
> (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
> (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
> ServerKeyExchange"
> (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
> ServerHelloDone"
> (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
> ClientKeyExchange"
> (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
> (6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
> (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
> (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
> (6) TLS-Session-Version = "TLS 1.2"
> (6) Sent Access-Challenge Id 195 from 172.31.189.84:1812 to
> 172.31.190.2:32768 length 115
> (6) EAP-Message =
> 0x0108003919001403030001011603030028bbbeaeb45ef65e6016f7876f98fea4df4b8d349a44428864b8e4073deecc9d9fbf3c637baf2060ea
> (6) Message-Authenticator = 0x00000000000000000000000000000000
> (6) State = 0x0d11b4170b19ad2d61b96bcf376c045f
> (6) Finished request
> Waking up in 4.9 seconds.
> (7) Received Access-Request Id 196 from 172.31.190.2:32768 to
> 172.31.189.84:1812 length 280
> (7) User-Name = "bob"
> (7) Chargeable-User-Identity = 0x00
> (7) Location-Capable = Civic-Location
> (7) Calling-Station-Id = "18-d6-1c-41-10-58"
> (7) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag"
> (7) NAS-Port = 1
> (7) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7"
> (7) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127"
> (7) NAS-IP-Address = 172.31.190.2
> (7) NAS-Identifier = "Cisco_b8:24:65"
> (7) Airespace-Wlan-Id = 2
> (7) Service-Type = Framed-User
> (7) Framed-MTU = 1300
> (7) NAS-Port-Type = Wireless-802.11
> (7) Tunnel-Type:0 = VLAN
> (7) Tunnel-Medium-Type:0 = IEEE-802
> (7) Tunnel-Private-Group-Id:0 = "190"
> (7) EAP-Message = 0x020800061900
> (7) State = 0x0d11b4170b19ad2d61b96bcf376c045f
> (7) Message-Authenticator = 0xd401e5af0b9a419fdaf417106d38614e
> (7) Restoring &session-state
> (7) &session-state:Framed-MTU = 994
> (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
> Handshake, ClientHello"
> (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerHello"
> (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, Certificate"
> (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerKeyExchange"
> (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerHelloDone"
> (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
> Handshake, ClientKeyExchange"
> (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
> Handshake, Finished"
> (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> ChangeCipherSpec"
> (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, Finished"
> (7) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES128-GCM-SHA256"
> (7) &session-state:TLS-Session-Version = "TLS 1.2"
> (7) # Executing section authorize from file
> /etc/freeradius/sites-enabled/tlcamb-tag
> (7) authorize {
> (7) [preprocess] = ok
> (7) eap: Peer sent EAP Response (code 2) ID 8 length 6
> (7) eap: Continuing tunnel setup
> (7) [eap] = ok
> (7) } # authorize = ok
> (7) Found Auth-Type = eap
> (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
> (7) authenticate {
> (7) eap: Expiring EAP session with state 0x0d11b4170b19ad2d
> (7) eap: Finished EAP session with state 0x0d11b4170b19ad2d
> (7) eap: Previous EAP request found for state 0x0d11b4170b19ad2d,
> released from the list
> (7) eap: Peer sent packet with method EAP PEAP (25)
> (7) eap: Calling submodule eap_peap to process data
> (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished
> (7) eap_peap: Session established. Decoding tunneled attributes
> (7) eap_peap: PEAP state TUNNEL ESTABLISHED
> (7) eap: Sending EAP Request (code 1) ID 9 length 40
> (7) eap: EAP session adding &reply:State = 0x0d11b4170a18ad2d
> (7) [eap] = handled
> (7) } # authenticate = handled
> (7) Using Post-Auth-Type Challenge
> (7) Post-Auth-Type sub-section not found. Ignoring.
> (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
> (7) session-state: Saving cached attributes
> (7) Framed-MTU = 994
> (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
> (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
> (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
> (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
> ServerKeyExchange"
> (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake,
> ServerHelloDone"
> (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake,
> ClientKeyExchange"
> (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished"
> (7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec"
> (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished"
> (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256"
> (7) TLS-Session-Version = "TLS 1.2"
> (7) Sent Access-Challenge Id 196 from 172.31.189.84:1812 to
> 172.31.190.2:32768 length 98
> (7) EAP-Message =
> 0x010900281900170303001dbbbeaeb45ef65e6162b484726759166336c75ee2efa33fd3ef9823735f
> (7) Message-Authenticator = 0x00000000000000000000000000000000
> (7) State = 0x0d11b4170a18ad2d61b96bcf376c045f
> (7) Finished request
> Waking up in 4.9 seconds.
> (8) Received Access-Request Id 197 from 172.31.190.2:32768 to
> 172.31.189.84:1812 length 313
> (8) User-Name = "bob"
> (8) Chargeable-User-Identity = 0x00
> (8) Location-Capable = Civic-Location
> (8) Calling-Station-Id = "18-d6-1c-41-10-58"
> (8) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag"
> (8) NAS-Port = 1
> (8) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7"
> (8) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127"
> (8) NAS-IP-Address = 172.31.190.2
> (8) NAS-Identifier = "Cisco_b8:24:65"
> (8) Airespace-Wlan-Id = 2
> (8) Service-Type = Framed-User
> (8) Framed-MTU = 1300
> (8) NAS-Port-Type = Wireless-802.11
> (8) Tunnel-Type:0 = VLAN
> (8) Tunnel-Medium-Type:0 = IEEE-802
> (8) Tunnel-Private-Group-Id:0 = "190"
> (8) EAP-Message =
> 0x020900271900170303001c00000000000000010bfbfbf16742525071bfbbf45c50d4d0b12b3334
> (8) State = 0x0d11b4170a18ad2d61b96bcf376c045f
> (8) Message-Authenticator = 0x63b9cf54b21cfa3f30bd43a45677d8e4
> (8) Restoring &session-state
> (8) &session-state:Framed-MTU = 994
> (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3
> Handshake, ClientHello"
> (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerHello"
> (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, Certificate"
> (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerKeyExchange"
> (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, ServerHelloDone"
> (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
> Handshake, ClientKeyExchange"
> (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2
> Handshake, Finished"
> (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> ChangeCipherSpec"
> (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2
> Handshake, Finished"
> (8) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES128-GCM-SHA256"
> (8) &session-state:TLS-Session-Version = "TLS 1.2"
> (8) # Executing section authorize from file
> /etc/freeradius/sites-enabled/tlcamb-tag
> (8) authorize {
> (8) [preprocess] = ok
> (8) eap: Peer sent EAP Response (code 2) ID 9 length 39
> (8) eap: Continuing tunnel setup
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag
> (8) authenticate {
> (8) eap: Expiring EAP session with state 0x0d11b4170a18ad2d
> (8) eap: Finished EAP session with state 0x0d11b4170a18ad2d
> (8) eap: Previous EAP request found for state 0x0d11b4170a18ad2d,
> released from the list
> (8) eap: Peer sent packet with method EAP PEAP (25)
> (8) eap: Calling submodule eap_peap to process data
> (8) eap_peap: (TLS) EAP Done initial handshake
> (8) eap_peap: Session established. Decoding tunneled attributes
> (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY
> (8) eap_peap: Identity - bob
> (8) eap_peap: Got inner identity 'bob'
> (8) eap_peap: Setting default EAP type for tunneled EAP session
> (8) eap_peap: Got tunneled request
> (8) eap_peap: EAP-Message = 0x0209000801626f62
> (8) eap_peap: Setting User-Name to bob
> (8) eap_peap: Sending tunneled request to inner-tunnel
> (8) eap_peap: EAP-Message = 0x0209000801626f62
> (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1
> (8) eap_peap: User-Name = "bob"
> (8) Virtual server inner-tunnel received request
> (8) EAP-Message = 0x0209000801626f62
> (8) FreeRADIUS-Proxied-To = 127.0.0.1
> (8) User-Name = "bob"
> (8) WARNING: Outer and inner identities are the same. User privacy is
> compromised.
> (8) server inner-tunnel {
> (8) # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel
> (8) authorize {
> (8) policy filter_username {
> (8) if (&User-Name) {
> (8) if (&User-Name) -> TRUE
> (8) if (&User-Name) {
> (8) if (&User-Name =~ / /) {
> (8) if (&User-Name =~ / /) -> FALSE
> (8) if (&User-Name =~ /@[^@]*@/ ) {
> (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (8) if (&User-Name =~ /\.\./ ) {
> (8) if (&User-Name =~ /\.\./ ) -> FALSE
> (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (8) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/)) -> FALSE
> (8) if (&User-Name =~ /\.$/) {
> (8) if (&User-Name =~ /\.$/) -> FALSE
> (8) if (&User-Name =~ /@\./) {
> (8) if (&User-Name =~ /@\./) -> FALSE
> (8) } # if (&User-Name) = notfound
> (8) } # policy filter_username = notfound
> (8) [chap] = noop
> (8) [mschap] = noop
> (8) suffix: Checking for suffix after "@"
> (8) suffix: No '@' in User-Name = "bob", looking up realm NULL
> (8) suffix: No such realm "NULL"
> (8) [suffix] = noop
> (8) update control {
> (8) &Proxy-To-Realm := LOCAL
> (8) } # update control = noop
> (8) eap: Peer sent EAP Response (code 2) ID 9 length 8
> (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (8) [eap] = ok
> (8) } # authorize = ok
> (8) Found Auth-Type = eap
> (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (8) authenticate {
> (8) eap: Peer sent packet with method EAP Identity (1)
> (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26)
> (8) eap: Sending EAP Failure (code 4) ID 9 length 4
> (8) eap: Failed in EAP select
> (8) [eap] = invalid
> (8) } # authenticate = invalid
> (8) Failed to authenticate the user
> (8) Using Post-Auth-Type Reject
> (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> (8) Post-Auth-Type REJECT {
> (8) attr_filter.access_reject: EXPAND %{User-Name}
> (8) attr_filter.access_reject: --> bob
> (8) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (8) [attr_filter.access_reject] = updated
> (8) update outer.session-state {
> (8) &Module-Failure-Message := &request:Module-Failure-Message
> -> 'eap: Tried to start unsupported EAP type MSCHAPv2 (26)'
> (8) } # update outer.session-state = noop
> (8) } # Post-Auth-Type REJECT = updated
> (8) } # server inner-tunnel
> (8) Virtual server sending reply
> (8) EAP-Message = 0x04090004
> (8) Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply code 3
> (8) eap_peap: EAP-Message = 0x04090004
> (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Got tunneled reply RADIUS code 3
> (8) eap_peap: EAP-Message = 0x04090004
> (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
> (8) eap_peap: Tunneled authentication was rejected
> (8) eap_peap: FAILURE
[snip..]
>
> Thanks and best regards.
>
> Dario Barbon
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
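A small script that turns the two points in the reply above into checks, added here as an example; it is not code from this thread or from the FreeRADIUS project. It assumes a Debian-style install (daemon user freerad, ${logdir} = /var/log/freeradius as in the quoted log, and the eap module config next to the quoted sites-enabled directory at /etc/freeradius/mods-enabled/eap), and it assumes that "Tried to start unsupported EAP type MSCHAPv2 (26)" is rlm_eap's complaint that the eap instance serving inner-tunnel has no enabled mschapv2 {} subsection for PEAP's default inner method. The sample debug excerpt inside it is constructed from the lines Dario posted, rejoined into single lines the way radiusd -X writes them. Adjust the paths, user and checks for your build.

```shell
#!/bin/sh
# Added example; not code from this thread or from the FreeRADIUS project.
# ASSUMPTIONS: daemon user "freerad" (Debian packaging), ${logdir} is
# /var/log/freeradius as in the quoted log, and the eap module config sits
# next to the quoted sites-enabled directory: /etc/freeradius/mods-enabled/eap.
# Usage: sh radius_checks.sh --check [tlscache_dir] [daemon_user] [eap_config]
#        sh radius_checks.sh --demo      (triage the constructed sample log)

# Check 1: the TLS session cache directory (persist_dir in the tls-config
# cache {} block) must be owned by the daemon user with the owner-write bit
# set; otherwise every handshake logs "Session serialisation failed ...
# Permission denied". $2 may be a user name or a numeric uid.
check_tlscache_dir() {
    dir=$1
    user=$2
    [ -d "$dir" ] || { echo "tlscache: $dir does not exist"; return 1; }
    # -maxdepth 0 tests the directory itself; -perm -200 is the owner-write bit
    if [ -z "$(find "$dir" -maxdepth 0 -user "$user" -perm -200 2>/dev/null)" ]; then
        echo "tlscache: $dir is not owned and writable by $user" \
             "(suggested fix: chown $user $dir && chmod 0700 $dir)"
        return 1
    fi
    echo "tlscache: $dir ok"
}

# Check 2: "Tried to start unsupported EAP type MSCHAPv2 (26)" is what rlm_eap
# logs when PEAP hands the inner identity to an eap instance that has no
# enabled mschapv2 {} subsection (assumption stated in the lead-in). Look for
# an uncommented "mschapv2 {" line in the eap module config.
check_inner_mschapv2() {
    cfg=$1
    [ -r "$cfg" ] || { echo "eap: cannot read $cfg"; return 1; }
    if grep -Eq '^[[:space:]]*mschapv2[[:space:]]*\{' "$cfg"; then
        echo "eap: mschapv2 {} is enabled in $cfg"
    else
        echo "eap: no uncommented 'mschapv2 {' block in $cfg;" \
             "the PEAP inner method cannot start"
        return 1
    fi
}

# Check 3: triage a saved "radiusd -X" log for the same two signatures, so the
# script is also useful on debug output copied off the box. Prints one
# "finding:" line per problem plus a count, and returns 1 if anything matched.
triage_debug_log() {
    log=$1
    found=0
    if grep -q 'Session serialisation failed.*Permission denied' "$log"; then
        echo "finding: TLS session cache is not writable (run check_tlscache_dir)"
        found=$((found + 1))
    fi
    if grep -q 'Tried to start unsupported EAP type' "$log"; then
        t=$(grep -o 'unsupported EAP type [^ ]* ([0-9]*)' "$log" | head -n 1)
        echo "finding: inner eap instance lacks the method: $t (run check_inner_mschapv2)"
        found=$((found + 1))
    fi
    echo "findings: $found"
    [ "$found" -eq 0 ]
}

# Constructed sample: the error lines from the quoted radiusd -X output,
# rejoined into single lines (the mail client wrapped them).
sample_debug_log() {
    cat <<'EOF'
(6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied
(6) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26)
(8) eap: Sending EAP Failure (code 4) ID 9 length 4
EOF
}

case "${1:-}" in
    --check)
        check_tlscache_dir "${2:-/var/log/freeradius/tlscache}" "${3:-freerad}"
        check_inner_mschapv2 "${4:-/etc/freeradius/mods-enabled/eap}"
        ;;
    --demo)
        f=$(mktemp)
        sample_debug_log >"$f"
        triage_debug_log "$f"
        rm -f "$f"
        ;;
esac
```

Run it as root on the RADIUS host with --check; the permission check looks at mode bits and ownership rather than trying to write as the daemon, so it can be run from a root shell without su. The grep in check 2 deliberately ignores lines that start with #, since the stock eap config ships several method subsections commented out.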