Hi, I am testing my RADIUS client for EAP-TLS support. For that I am using the FreeRADIUS server and the mdc-ssd supplicant.
I referred to the link http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm for generating certificates, installing FreeRADIUS and running FreeRADIUS. Now my RADIUS client can receive ServerHello, Certificate, CertificateRequest and ServerHelloDone and sends the same to the mdc-ssd supplicant. The mdc-ssd supplicant is giving "handshake failed with error". What may be the problem? Have I generated the certificates wrongly, or is my RADIUS client not forwarding the correct packet to the supplicant? Please help me in this regard. The log output of the supplicant and the FreeRADIUS server is attached below.

mdc-ssd supplicant log messages:
------------------------------------------------------------------------
mdc-ssd: mdc-ssd: new identity: guest
mdc-ssd: mdc-ssd TLS: cert file: /etc/1x/client.pem
mdc-ssd: mdc-ssd TLS: key file:
mdc-ssd: 802.1X: txStart(port=1) (transmit an EAP start packet)
mdc-ssd: 802.1X: supp state -> SSM_CONNECTING
mdc-ssd: 802.1X: EAP failure received.
mdc-ssd: 802.1X: supp state -> SSM_HELD
mdc-ssd: 802.1X: EAP request-ID received.
mdc-ssd: mdc-ssd: txRspId(Transmit our identity (guest) to authenticator)
mdc-ssd: 802.1X: supp state -> SSM_ACQUIRED
mdc-ssd: 802.1X: Received a authentication request packet with authentication type: 13.
mdc-ssd: 802.1X: txRspAuth(Transmitting a reply to authenticator for authentication type=13
mdc-ssd: 802.1X: supp state -> SSM_AUTHENTICATING
mdc-ssd: 802.1X: Received a authentication request packet with authentication type: 13.
mdc-ssd: mdc-ssd TLS: depth=0 /C=IN/ST=Tamil Nadu/L=Chennai/O=Future Soft/OU=Products/CN=Future Radius/[EMAIL PROTECTED]
mdc-ssd: mdc-ssd TLS: verify return:0
mdc-ssd: mdc-ssd TLS: Handshake failed with error -1(1(0)).
mdc-ssd: mdc-ssd TLS, error: could not read packet from openSSL: 8
mdc-ssd: mdc-ssd TLS: sending alert packet with alert id 80.
mdc-ssd: 802.1X: txRspAuth(Transmitting a reply to authenticator for authentication type=13
mdc-ssd: 802.1X: supp state -> SSM_AUTHENTICATING
mdc-ssd: 802.1X: EAP failure received.
mdc-ssd: 802.1X: supp state -> SSM_HELD
mdc-ssd: 802.1X: EAP failure received.
mdc-ssd: 802.1X: EAP request-ID received.
mdc-ssd: mdc-ssd: txRspId(Transmit our identity (guest) to authenticator)
mdc-ssd: 802.1X: supp state -> SSM_ACQUIRED
mdc-ssd: 802.1X: Received a authentication request packet with authentication type: 13.
mdc-ssd: mdc-ssd TLS: Handshake failed with error -1(1(0)).
mdc-ssd: mdc-ssd TLS, receiving on false server
mdc-ssd: mdc-ssd TLS: sending alert packet with alert id 80.
mdc-ssd: 802.1X: txRspAuth(Transmitting a reply to authenticator for authentication type=13
mdc-ssd: 802.1X: supp state -> SSM_AUTHENTICATING
mdc-ssd: 802.1X: EAP failure received.
mdc-ssd: 802.1X: supp state -> SSM_HELD
mdc-ssd: 802.1X: txLogoff(port=1) (transmit an EAP logoff packet)
------------------------------------------------------------------------

FreeRADIUS server log messages:
------------------------------------------------------------------------
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: servers_per_realm = 15
security: max_attributes = 200
security: reject_delay = 1
main: debug_level = 0
read_config_files: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/server.pem"
tls: certificate_file = "/etc/1x/server.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "guest"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 20.0.0.1:1812, id=6, length=77
User-Name = "guest"
EAP-Message = "\002\001\000\n\001guest"
Message-Authenticator = 0x75a091367ad005f1cb17c333fcc13f58
NAS-Identifier = "fsNas1"
NAS-Port = 2
NAS-Port-Type = Ethernet
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched guest at 215
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type tls
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 6 to 20.0.0.1:1812
EAP-Message = "\001\002\000\006\r "
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8db8cb054f900b6a7ab49232068b44a93c5b683f99d7d1d80d2015aa81836ff8a910961f
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 20.0.0.1:1812, id=7, length=205
User-Name = "guest"
EAP-Message = "\002\002\000d\r\200\000\000\000_\026\003\001\000U\001\000\000Q\003\001?hUi\353\377\006\241\220\241\305\304\346\234\017\247u\024\022\202\246\357 {\262\203'\356\210-b)\000\000*\000\026\000\023\000\n\000f\000\007\000\005\000\004\000e\000d\000c\000b\000a\000`\000\025\000\022\000\t\000\024\000\021\000\010\000\006\000\003\001"
Message-Authenticator = 0x71ee0e82ac6732b29f38797422483011
NAS-Identifier = "fsNas1"
NAS-Port = 2
NAS-Port-Type = Ethernet
State = 0x8db8cb054f900b6a7ab49232068b44a93c5b683f99d7d1d80d2015aa81836ff8a910961f
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched guest at 215
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
Total Length Included
undefined: before/accept initialization
TLS_accept: before/accept initialization
<<< TLS 1.0 Handshake [length 0055], ClientHello
TLS_accept: SSLv3 read client hello A
>>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
>>> TLS 1.0 Handshake [length 02df], Certificate
TLS_accept: SSLv3 write certificate A
>>> TLS 1.0 Handshake [length 00b4], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 7 to 20.0.0.1:1812
EAP-Message = "\001\003\003\366\r\200\000\000\003\354\026\003\001\000J\002\000\000F\003\001?h[?\275\276\270u\007S\327\340\356\276\334?\321\000_\0359;\013\3023\000\222\0005%\334\275 \373q\211\n\333\245q\322\027|[EMAIL PROTECTED]' \212\313\326\231*-6*\240\202\000\n\000\026\003\001\002\337\013\000\002\333\000\002\330\000\002\3250\202\002\3210\202\002:\240\003\002\001\002\002\001\0010\r\006\t*\206H\206\367\r\001\001\004\005\0000\201\2411\0130\t\006\003U\004\006\023\002IN1\0230\021\006\003U\004\010\023\nTamil Nadu1\0200"
EAP-Message = "ius1*0([EMAIL PROTECTED] Nadu1\0200\016\006\003U\004\007\023\007Chennai1\0240\022\006\003U\004\n\023\013Future Soft1\0210\017\006\003U\004\013\023\010Products1\0260\024\006\003U\004\003\023\rFuture Radius1*0([EMAIL PROTECTED]"
EAP-Message = "H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\254\024\001\005\256\007{\343\222\236\023\202\231\372\321D\225\345\317Z\352\216\302\220\203|\022,\332\234\351o\225\221\254\3116\377?\216\247\323\200\311z\217\016!\210\202\334q$\366\021\000\233\300XB8\317\344\370\214JB!\207\256\352E\316{\2759x<\333GZP\325i|\313o\363\232\266>@\n\200\241C \207\030\277\037#\210s\233\266\256\264\022\202\200\236\345~\np_\200TZ\036\002')\274\222`\375\002\003\001\000\001\243\0270\0250\023\006\003U\035%\004\014"
EAP-Message = "B\3165\221\373\244\357-\236r\346\220\374\203Q\331jU\304f4{\027\2525\202=-\315\010Yu`\321\302??\235\377v;\210\302x\377,\3200\263\213}%\001\376\344\223^\016|\\\347\264;oN\311\347\341\000\237~\211\026\003\001\000\264\r\000\000\254\003\001\002\005\000\246\000\2440\201\2411\0130\t\006\003U\004\006\023\002IN1\0230\021\006\003U\004\010\023\nTamil Nadu1\0200\016\006\003U\004\007\023\007Chennai1\0240\022\006\003U\004\n\023\013Future Soft1\0210\017\006\003U\004\013\023\010Products1\0260\024\006\003U\004\003\023\rF"
EAP-Message = "om\016\000\000"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xbe4d799b0e46407d3d94a4a91bc771763f5b683f88e4888e65aed296019cb93179644860
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 20.0.0.1:1812, id=8, length=122
User-Name = "guest"
EAP-Message = "\002\003\000\021\r\200\000\000\000\007\025\003\001\000\002\002P"
Message-Authenticator = 0x1caf2de4a5380fc6f7f5ae51c2c4d8f4
NAS-Identifier = "fsNas1"
NAS-Port = 2
NAS-Port-Type = Ethernet
State = 0xbe4d799b0e46407d3d94a4a91bc771763f5b683f88e4888e65aed296019cb93179644860
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched guest at 215
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
<<< TLS 1.0 Alert [length 0002], fatal internal_error
TLS Alert read:fatal:internal error
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 5
Error in SSL ..... 5
rlm_eap_tls: BIO_read Error
Error code is ..... 5
Error in SSL ..... 5
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 3f685b3c
Sending Access-Reject of id 8 to 20.0.0.1:1812
EAP-Message = "\004\003\000\004"
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 7 with timestamp 3f685b3f
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 8 with timestamp 3f685b40
Nothing to do. Sleeping until we see a request.
MASTER: exit on signal (2)
Exiting...
------------------------------------------------------------------------

Thanks and Regards,
Lakshmi.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
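Reading the two logs side by side narrows the question in the post. The server trace shows it wrote ServerHello, Certificate and CertificateRequest and then stopped in "read client certificate"; the only thing the supplicant sent back was a fatal alert (alert id 80 is TLS internal_error), and the supplicant's own startup lines list a cert file but an empty "key file:" entry. The following helper is an added example, not code from the post, from FreeRADIUS or from mdc-ssd: it parses exactly those line shapes, reconstructs the handshake flow from the `<<<`/`>>>` trace lines, and reports the findings an operator would check first. The function and regex names are made up for this example; the sample lines are copied from the post (the handshake lines are gathered from both radiusd requests into one block for brevity).

```python
"""Triage an EAP-TLS handshake that dies at the client-certificate step,
using the supplicant (mdc-ssd) and radiusd -X line formats quoted in the post.
All function and constant names here are hypothetical (example code)."""
import re
from typing import Dict, List, Optional

# Sample input: lines copied from the post (supplicant side).
SUPPLICANT_LOG = """\
mdc-ssd: mdc-ssd TLS: cert file: /etc/1x/client.pem
mdc-ssd: mdc-ssd TLS: key file:
mdc-ssd: mdc-ssd TLS: depth=0 /C=IN/ST=Tamil Nadu/L=Chennai/O=Future Soft/OU=Products/CN=Future Radius/[EMAIL PROTECTED]
mdc-ssd: mdc-ssd TLS: verify return:0
mdc-ssd: mdc-ssd TLS: Handshake failed with error -1(1(0)).
mdc-ssd: mdc-ssd TLS: sending alert packet with alert id 80.
"""

# Sample input: handshake trace lines copied from the post (server side),
# gathered from requests id=7 and id=8 into one block.
RADIUS_LOG = """\
<<< TLS 1.0 Handshake [length 0055], ClientHello
TLS_accept: SSLv3 read client hello A
>>> TLS 1.0 Handshake [length 004a], ServerHello
>>> TLS 1.0 Handshake [length 02df], Certificate
>>> TLS 1.0 Handshake [length 00b4], CertificateRequest
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
<<< TLS 1.0 Alert [length 0002], fatal internal_error
TLS Alert read:fatal:internal error
TLS_accept:failed in SSLv3 read client certificate A
"""

FILE_RE = re.compile(r"TLS: (cert|key) file:\s*(.*)$")
HS_RE = re.compile(r"^(<<<|>>>) TLS [\d.]+ Handshake \[length [0-9a-f]+\], (\w+)")
ALERT_RE = re.compile(r"^<<< TLS [\d.]+ Alert \[length [0-9a-f]+\], (\w+) (\w+)")
FAIL_RE = re.compile(r"^TLS_accept:(?:error|failed) in (.+)$")


def parse_supplicant(log: str) -> Dict[str, str]:
    """Return the cert/key paths the supplicant announced ('' when the entry is blank)."""
    files: Dict[str, str] = {}
    for line in log.splitlines():
        m = FILE_RE.search(line)
        if m:
            files[m.group(1)] = m.group(2).strip()
    return files


def parse_handshake(log: str) -> Dict[str, object]:
    """Rebuild the message flow from the <<</>>> trace and capture the first
    failing accept state and any alert the server read."""
    flow: List[str] = []
    fail_state: Optional[str] = None
    alert: Optional[str] = None
    for line in log.splitlines():
        m = HS_RE.match(line)
        if m:
            direction = "client->server" if m.group(1) == "<<<" else "server->client"
            flow.append(f"{direction} {m.group(2)}")
            continue
        m = ALERT_RE.match(line)
        if m:
            alert = f"{m.group(1)} {m.group(2)}"
            continue
        m = FAIL_RE.match(line)
        if m and fail_state is None:
            fail_state = m.group(1).strip()
    return {"flow": flow, "fail_state": fail_state, "alert": alert}


def triage(supplicant_log: str, radius_log: str) -> List[str]:
    """Combine both views into the findings an operator should check first."""
    findings: List[str] = []
    files = parse_supplicant(supplicant_log)
    hs = parse_handshake(radius_log)
    if not files.get("key"):
        findings.append(
            "supplicant announced an empty key file: the client certificate "
            f"{files.get('cert', '?')} has no private key it can sign CertificateVerify with"
        )
    sent = [m.split(" ", 1)[1] for m in hs["flow"] if m.startswith("server->client")]
    if hs["fail_state"] and "read client certificate" in hs["fail_state"]:
        findings.append(
            f"server wrote {', '.join(sent)} and then stopped in '{hs['fail_state']}': "
            "no usable client Certificate message arrived"
        )
    if hs["alert"]:
        findings.append(f"client answered with TLS alert '{hs['alert']}' instead of its certificate")
    return findings


if __name__ == "__main__":
    for finding in triage(SUPPLICANT_LOG, RADIUS_LOG):
        print("-", finding)
```

With the post's lines this yields three findings, all pointing at the supplicant's client-certificate material rather than at the packets the RADIUS client relayed, which is the first thing to verify before suspecting the relay path.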