I think this is probably a bug.
Maybe it's not from the RADIUS side, but it probably should be checked, as it
appears in what actually seems to be the standard configuration for EAP:
WinXP supplicant (SP1 + WPA patch 815485)
Cisco AP (1230, IOS version 12.2(13)JA2)
FreeRADIUS (CVS snapshot 03-08-2004)
Here are my details:
I have a working setup with those three actors, which is working correctly
for EAP-TLS and PEAP.
On the supplicant side I've installed the certificates generated from the
certs.sh script, and so I did on FreeRADIUS.
I'm able to authenticate, checking the user on an external LDAP server,
both in EAP-TLS (extracting the username from the certificate) and in
PEAP using the Microsoft window for user and password.
I then decided to add a higher level of security, double-checking the
certificate against the root certificate on the client side.
I then imported the root certificate (the same one I installed on the
RADIUS server), but as soon as I activate "validate server certificate" and
restart the authentication, I get this error in the RADIUS log:
rlm_eap_tls: Received unexpected tunneled data after successful handshake

Here is the relevant part of the log:
...
...
Debug:   rad_check_password:  Found Auth-Type EAP
Debug: auth: type "EAP"
Debug:   Processing the authenticate section of radiusd.conf
Debug: modcall: entering group authenticate for request 4
Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 4
Debug:   rlm_eap: Request found, released from the list
Debug:   rlm_eap: EAP/tls
Debug:   rlm_eap: processing type tls
Debug:   rlm_eap_tls: Authenticate
Debug:   rlm_eap_tls: processing TLS
Info: rlm_eap_tls:  Length Included
Debug:   eaptls_verify returned 11
Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake [length 03b2], Certificate
Info: chain-depth=1,
Info: error=0
Info: --> User-Name = testuser
Info: --> BUF-Name = Pierluigi
Info: --> subject = /C=IT/ST=Italy/L=Milano/O=R-IT.SPA/OU=Security
Office/CN=Pierluigi/[EMAIL PROTECTED]
Info: --> issuer  = /C=IT/ST=Italy/L=Milano/O=R-IT.SPA/OU=Security
Office/CN=Pierluigi/[EMAIL PROTECTED]
Info: --> verify return:1
Info: chain-depth=0,
Info: error=0
Info: --> User-Name = testuser
Info: --> BUF-Name = testuser
Info: --> subject = /C=IT/ST=Italy/L=Milan/O=R-IT.SPA/OU=User
Wifi/CN=testuser/[EMAIL PROTECTED]
Info: --> issuer  = /C=IT/ST=Italy/L=Milano/O=R-IT.SPA/OU=Security
Office/CN=Pierluigi/[EMAIL PROTECTED]
Info: --> verify return:1
Info:     TLS_accept: SSLv3 read client certificate A
Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Info:     TLS_accept: SSLv3 read client key exchange A
Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
Info:     TLS_accept: SSLv3 read certificate verify A
Debug:   rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
Debug:   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Info:     TLS_accept: SSLv3 read finished A
Debug:   rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
Info:     TLS_accept: SSLv3 write change cipher spec A
Debug:   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
Info:     TLS_accept: SSLv3 write finished A
Info:     TLS_accept: SSLv3 flush data
Info:     (other): SSL negotiation finished successfully
Debug: SSL Connection Established
Debug:   eaptls_process returned 13
Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Debug:   modcall[authenticate]: module "eap" returns handled for request 4
Debug: modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 153 to 10.128.255.3:21645
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message =
0x010700350d800000002b14030100010116030100207223dd51362cd36caca76901e7d3535467e547af436be89e5a02f50498ddf4d7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xed6fed8c05cb3ec79c6c31406ac05e9c
Debug: Finished request 4
Debug: Going to the next request
Debug: Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.128.255.3:21645, id=154,
length=166
Debug: Waking up in 5 seconds...
Debug: Thread 1 got semaphore
Debug: Thread 1 handling request 5, (2 handled so far)
        User-Name = "testuser"
        Framed-MTU = 1400
        Called-Station-Id = "000e.380d.0e5f"
        Calling-Station-Id = "000e.38ee.0e28"
        Message-Authenticator = 0xe4f4d3ed725a77a902c35252e2b7cff0
        EAP-Message =
0x020700210d8000000017150301001272ee05fb3c18fc4cfd0db2b207f26ed87f7c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 279
        State = 0xed6fed8c05cb3ec79c6c31406ac05e9c
        Service-Type = Framed-User
        NAS-IP-Address = 10.128.255.3
        NAS-Identifier = "ap"
...
...
Debug: modcall: group authorize returns updated for request 5
Debug:   rad_check_password:  Found Auth-Type EAP
Debug: auth: type "EAP"
Debug:   Processing the authenticate section of radiusd.conf
Debug: modcall: entering group authenticate for request 5
Debug:   modsingle[authenticate]: calling eap (rlm_eap) for request 5
Debug:   rlm_eap: Request found, released from the list
Debug:   rlm_eap: EAP/tls
Debug:   rlm_eap: processing type tls
Debug:   rlm_eap_tls: Authenticate
Debug:   rlm_eap_tls: processing TLS
Info: rlm_eap_tls:  Length Included
Debug:   eaptls_verify returned 11
Debug:   eaptls_process returned 7
Debug:   rlm_eap_tls: Received unexpected tunneled data after successful handshake.
Debug:   Tunneled data (23 bytes)
  0: 15 03 01 00 12 72 ee 05 fb 3c 18 fc 4c fd 0d b2
 16: b2 07 f2 6e d8 7f 7c
Debug:  rlm_eap: Handler failed in EAP/tls
Debug:   rlm_eap: Failed in EAP select
Debug:   modsingle[authenticate]: returned from eap (rlm_eap) for request 5
Debug:   modcall[authenticate]: module "eap" returns invalid for request 5
Debug: modcall: group authenticate returns invalid for request 5
Debug: auth: Failed to validate the user.
Auth: Login incorrect: [testuser/<no User-Password attribute>] (from
client vpnrit1 port 279 cli 000e.38ee.0e28)
Debug: Delaying request 5 for 1 seconds
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
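The two EAP-Message attribute values in the log above carry the whole story of the failed exchange, but only if the EAP, EAP-TLS and TLS record headers are decoded. The following decoder is an added example, not code from the original post or from FreeRADIUS; it takes the two hex strings exactly as they appear in the Access-Challenge and Access-Request above and splits them into their fields. Field layout and names follow RFC 3748 (EAP header), RFC 5216 (EAP-TLS flags and length) and RFC 2246 (TLS 1.0 record header); the content-type table is the standard one (20 ChangeCipherSpec, 21 Alert, 22 Handshake, 23 ApplicationData).

```python
"""Decode EAP-Message values from an EAP-TLS RADIUS debug log.

Added example, not part of the mailing-list post or of FreeRADIUS.
Input: the two EAP-Message hex strings copied from the log above.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
# EAP-TLS flags byte (RFC 5216, section 3.1)
FLAG_LENGTH_INCLUDED = 0x80
FLAG_MORE_FRAGMENTS = 0x40
FLAG_START = 0x20
# TLS record content types (RFC 2246, section 6.2.1)
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert",
                     22: "Handshake", 23: "ApplicationData"}

# Input taken from the log: server Access-Challenge and client Access-Request.
SERVER_CHALLENGE = ("0x010700350d800000002b14030100010116030100207223dd51362cd36c"
                    "aca76901e7d3535467e547af436be89e5a02f50498ddf4d7")
CLIENT_RESPONSE = "0x020700210d8000000017150301001272ee05fb3c18fc4cfd0db2b207f26ed87f7c"


def parse_tls_records(data: bytes) -> list:
    """Split bytes into TLS records; raise if a record header or body is truncated."""
    records = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated TLS record header at offset %d" % pos)
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + length]
        if len(body) != length:
            raise ValueError("record at offset %d claims %d bytes, %d present"
                             % (pos, length, len(body)))
        records.append({
            "type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": "%d.%d" % (major, minor),  # 3.1 is TLS 1.0
            "length": length,
            "body": body,
        })
        pos += 5 + length
    return records


def parse_eap_tls(hex_message: str) -> dict:
    """Decode one EAP-Message attribute carrying an EAP-TLS packet."""
    raw = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes on the wire" % (length, len(raw)))
    if eap_type != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS packet (type %d)" % eap_type)
    flags = raw[5]
    pos = 6
    tls_length = None
    if flags & FLAG_LENGTH_INCLUDED:
        # Four-byte total TLS message length follows the flags when L is set.
        tls_length = struct.unpack("!I", raw[6:10])[0]
        pos = 10
    tls_data = raw[pos:]
    # With L set and M clear the whole TLS message is in this packet, so the
    # declared length must match what is actually carried.
    if tls_length is not None and not flags & FLAG_MORE_FRAGMENTS \
            and tls_length != len(tls_data):
        raise ValueError("EAP-TLS length %d != %d bytes carried" % (tls_length, len(tls_data)))
    return {
        "code": EAP_CODES.get(code, "unknown(%d)" % code),
        "id": ident,
        "eap_length": length,
        "flags": {"L": bool(flags & FLAG_LENGTH_INCLUDED),
                  "M": bool(flags & FLAG_MORE_FRAGMENTS),
                  "S": bool(flags & FLAG_START)},
        "tls_length": tls_length,
        "records": parse_tls_records(tls_data),
    }


def record_types(hex_message: str) -> list:
    """The sequence of TLS record types carried in one EAP-Message."""
    return [r["type"] for r in parse_eap_tls(hex_message)["records"]]


if __name__ == "__main__":
    for label, msg in (("server Access-Challenge", SERVER_CHALLENGE),
                       ("client Access-Request", CLIENT_RESPONSE)):
        pkt = parse_eap_tls(msg)
        print("%s: EAP %s id=%d len=%d flags=%s tls_len=%s" % (
            label, pkt["code"], pkt["id"], pkt["eap_length"], pkt["flags"], pkt["tls_length"]))
        for r in pkt["records"]:
            print("   TLS %s record, version %s, %d bytes" % (r["type"], r["version"], r["length"]))
```

Run against the two values, the decoder shows the server's Access-Challenge carrying a ChangeCipherSpec record followed by an encrypted Handshake record (the Finished message the log prints as ">>> TLS 1.0 Handshake [length 0010], Finished"), and the client's reply carrying a single record of content type 0x15, a TLS Alert, whose 18-byte body is encrypted because both sides have already changed cipher state. That is why the log can only report "unexpected tunneled data": the alert description is not readable from the trace, so the reason has to be found on the supplicant side. The length checks in the decoder also confirm that both the EAP length (0x35 and 0x21) and the EAP-TLS length (0x2b and 0x17) are consistent with the bytes on the wire, ruling out a fragmentation or framing problem in this exchange.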