Hello, I am trying to configure a wireless communication network using authentication with FreeRADIUS. I have already configured one client, my access point (Cisco Aironet), and my FreeRADIUS server to use TLS authentication. I took the EAP/TLS authentication HOW-TO and tried to do exactly what it said (with the version of FreeRADIUS referenced there and the 3 versions of OpenSSL), but it seems that I made a mistake somewhere: my authentication doesn't work! I tried to understand it, and it seems to be related to SSL. I captured just a small part of my logs to show you. If someone could tell me where I made a mistake, it would be great! Thank you for your help!

-----------------------
...
<<< TLS 1.0 Handshake [length 02af], Certificate
chain-depth=1, error=0
--> User-Name = ourson
--> BUF-Name = server1
--> subject = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> issuer = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0, error=0
--> User-Name = ourson
--> BUF-Name = ourson
--> subject = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
--> issuer = /C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
TLS_accept: SSLv3 read client certificate A
<<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
<<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
<<< TLS 1.0 ChangeCipherSpec [length 0001]
<<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [ourson/<no User-Password attribute>] (from client AP1 port 37 cli 000af49c507f)
Sending Access-Challenge of id 118 to 192.168.1.2:1142
        EAP-Message = "\001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000 \253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257&ZJ\266\211\315\226\243V\221\246\274\345\375"
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
Finished request 15
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119, length=208
        User-Name = "ourson"
        Cisco-AVPair = "ssid=bebe"
        NAS-IP-Address = 192.168.1.2
        Called-Station-Id = "00409656deff"
        Calling-Station-Id = "000af49c507f"
        NAS-Identifier = "AP350-56deff"
        NAS-Port = 37
        Framed-MTU = 1400
        State = 0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
        NAS-Port-Type = Wireless-802.11
        Service-Type = Login-User
        EAP-Message = "\002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276<y/\013\246\271\370\242tM]R"
        Message-Authenticator = 0x6d785533c66ebb2b4d456cefd2121d94
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "ourson", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched ourson at 157
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
<<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_tls: SSL_read Error
20083:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
Error code is ..... 6
SSL Error ..... 6
rlm_eap_tls: BIO_read Error
Error code is ..... 5
Error in SSL ..... 5
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [ourson/<no User-Password attribute>] (from client AP1 port 37 cli 000af49c507f)
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 192.168.1.2:1143
        EAP-Message = "\004\254\000\004"
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 114 with timestamp 3fd49b6b
Cleaning up request 12 ID 115 with timestamp 3fd49b6b
Cleaning up request 13 ID 116 with timestamp 3fd49b6b
Cleaning up request 14 ID 117 with timestamp 3fd49b6b
Cleaning up request 15 ID 118 with timestamp 3fd49b6b
Cleaning up request 16 ID 119 with timestamp 3fd49b6b
Nothing to do.  Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
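The log above tells a clearer story once it is split per RADIUS request: in request 118 the TLS handshake runs to "SSL negotiation finished successfully" and the server sends an Access-Challenge, and in request 119 the first thing the server reads is a fatal alert. OpenSSL's info callback prints an alert it received as "read" and one it sent as "write", so "TLS Alert read:fatal:access denied" (alert number 49) was sent by the supplicant, which applied its own policy to the server certificate and refused to continue. The script below is an added example, not part of the post or of FreeRADIUS; it parses a constructed, condensed copy of the two requests in the same `radiusd -X` line format as quoted (the line patterns are an assumption based on this post and will not match newer FreeRADIUS releases verbatim), maps the alert number to its RFC 2246 name, and reports which side aborted.

```python
import re
from typing import Dict, List

# TLS 1.0 alert descriptions keyed by the number OpenSSL prints ("SSL alert
# number 49"), from RFC 2246 section 7.2.
TLS_ALERTS: Dict[int, str] = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}

# Line patterns assumed from the radiusd -X output quoted in the post.
RAD_RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")
RECORD_RE = re.compile(
    r"^(<<<|>>>) TLS \d\.\d (Handshake|Alert|ChangeCipherSpec)"
    r"(?: \[length [0-9a-f]+\])?(?:, (.+))?$"
)
ALERT_RE = re.compile(r"^TLS Alert (read|write):(\w+):(.+)$")
ALERT_NUM_RE = re.compile(r"SSL alert number (\d+)")
OUTCOME_RE = re.compile(r"^Sending (Access-\w+) of id (\d+)")
SUCCESS_MARK = "SSL negotiation finished successfully"

# Constructed sample: a condensed copy of the two requests quoted in the post.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.2:1142, id=118, length=208
<<< TLS 1.0 Handshake [length 02af], Certificate
TLS_accept: SSLv3 read client certificate A
<<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
<<< TLS 1.0 Handshake [length 0086], CertificateVerify
<<< TLS 1.0 ChangeCipherSpec [length 0001]
<<< TLS 1.0 Handshake [length 0010], Finished
>>> TLS 1.0 ChangeCipherSpec [length 0001]
>>> TLS 1.0 Handshake [length 0010], Finished
undefined: SSL negotiation finished successfully
Sending Access-Challenge of id 118 to 192.168.1.2:1142
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119, length=208
rlm_eap_tls: Length Included
<<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_tls: SSL_read Error
20083:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
Sending Access-Reject of id 119 to 192.168.1.2:1143
"""


def split_requests(log_text: str) -> List[dict]:
    """Group log lines under the rad_recv line that starts each RADIUS request."""
    requests: List[dict] = []
    for line in log_text.splitlines():
        m = RAD_RECV_RE.match(line)
        if m:
            requests.append({"id": int(m.group(3)), "from": m.group(2), "lines": []})
        elif requests:
            requests[-1]["lines"].append(line)
    return requests


def analyse_request(req: dict) -> dict:
    """Summarise TLS records, handshake result, alert and RADIUS outcome of one request."""
    summary = {"id": req["id"], "from": req["from"], "records": [],
               "handshake_complete": False, "alert": None, "outcome": None}
    for line in req["lines"]:
        m = RECORD_RE.match(line)
        if m:
            direction = "from supplicant" if m.group(1) == "<<<" else "to supplicant"
            summary["records"].append((direction, m.group(2), m.group(3) or ""))
        elif SUCCESS_MARK in line:
            summary["handshake_complete"] = True
        elif (m := ALERT_RE.match(line)):
            # "read" = alert received from the peer, "write" = alert sent by this server.
            summary["alert"] = {"sent_by": "supplicant" if m.group(1) == "read" else "server",
                                "level": m.group(2), "description": m.group(3).strip(),
                                "code": None, "name": None}
        elif (m := ALERT_NUM_RE.search(line)) and summary["alert"]:
            code = int(m.group(1))
            summary["alert"]["code"] = code
            summary["alert"]["name"] = TLS_ALERTS.get(code, "unknown")
        elif (m := OUTCOME_RE.match(line)):
            summary["outcome"] = m.group(1)
    return summary


def analyse_log(log_text: str) -> List[dict]:
    return [analyse_request(r) for r in split_requests(log_text)]


def explain(summary: dict) -> str:
    """One-line reading of a request summary for whoever is debugging the setup."""
    alert = summary["alert"]
    if alert is None:
        state = "handshake completed" if summary["handshake_complete"] else "handshake in progress"
        return f"request {summary['id']}: {state}, server replied {summary['outcome']}"
    name = alert["name"] or alert["description"]
    hint = ""
    # Certificate-related alerts from the supplicant mean it refused the server
    # side under its own policy: trusted CA, expected name, required extensions.
    if alert["sent_by"] == "supplicant" and alert["code"] in (42, 43, 45, 46, 48, 49):
        hint = " (supplicant refused the server certificate under its own validation policy)"
    return f"request {summary['id']}: {alert['level']} alert {name} sent by {alert['sent_by']}{hint}"


if __name__ == "__main__":
    for s in analyse_log(SAMPLE_LOG):
        print(explain(s))
```

Run it against a full `radiusd -X` capture by reading the file into `analyse_log`; the useful signal is the `sent_by` field, since an alert the server only read points the search at the supplicant's server-certificate settings rather than at the RADIUS configuration.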