Hi
 
I have installed FreeRadius with EAP/TLS according to this howto http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
 
I have carefully, step by step, analysed the scripts and my settings, but keep getting this output:
 
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls:  Length Included
undefined: before/accept initialization
TLS_accept: before/accept initialization
<<< TLS 1.0 Handshake [length 0041], ClientHello
 
TLS_accept: SSLv3 read client hello A
>>> TLS 1.0 Handshake [length 004a], ServerHello
 
TLS_accept: SSLv3 write server hello A
>>> TLS 1.0 Handshake [length 06f2], Certificate
 
TLS_accept: SSLv3 write certificate A
>>> TLS 1.0 Handshake [length 00cc], CertificateRequest
 
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
 Error code is ..... 2
 SSL Error ..... 2
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 34 to 192.168.1.2:1029
        EAP-Message = "[EMAIL PROTECTED]/B\026\0239];\222\0266\003\236\237\275\371\275t \230\333\364|\262;\263\022,\367%\241\355-O\r\242W\3714\357\366\204y;[EMAIL PROTECTED]"
        EAP-Message = "tive1\0360\034\006\003U\004\003\023\025Funnybone Wireless [EMAIL PROTECTED] Wireless [EMAIL PROTECTED]"
        EAP-Message = "0\r\006\t*\206H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\323\3438\r;\362\352\030^\000\310w\373\004\202*\261+k!\324\323\257\351\223,\277k\252\347\245\367\263\261\335W\361Q(6\335\266\275&\353\265\224\311\211\307\372\231\314\314*\212\351\037\271\356\016\257\362aK+\337\231*\2714\3453\032\006\252\251}\306\235\275M\001\324M\305\245=?\356\325\017\315c\236\235\302\260\244\004$\236s\227*\0374A\027\312u\350ez\347\263\330\230\252\263ds\354QD\206\354\235\002\003\001\000\001\243\0270\0250"
        EAP-Message = "\010\004\t\3537>%\344j2}\227\364\306\364\306V\301s\315 +\351O\245\354\262\267x\240Dh\350\272\217V&\236\003\251MkU\345\366\t\376\227\344\220~\036&\014L\3073J#;\310}z[\306\367\310\364P;\013\242\363\025\262\242}.\325\000\004\n0\202\004\0060\202\003o\240\003\002\001\002\002\001\0000\r\006\t*\206H\206\367\r\001\001\004\005\0000\201\2711\0130\t\006\003U\004\006\023\002DK1\0240\022\006\003U\004\010\023\013Connecticut1\0170\r\006\003U\004\007\023\006Canton1 0\036\006\003U\004\n\023\027Vivendi Universal Games1\036"
        EAP-Message = "ne Wireless CA1!0\037\006\t*\206H\206\367\r"
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc5a77cd5cb16d97dd3921fac35138fcda535bc40922c84e496945a62dc0a8df2b0208183
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1029, id=35, length=107
        User-Name = "Funnybone Wireless CA"
        EAP-Message = "\002\003\000\006\r"
        State = 0xc5a77cd5cb16d97dd3921fac35138fcda535bc40922c84e496945a62dc0a8df2b0208183
        Message-Authenticator = 0x1808a12977364804b4c8cd3583f0e83a
modcall: entering group authorize
Invalid operator for item NAS-IP-Address: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Funnybone Wireless CA", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched Funnybone Wireless CA at 96
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 35 to 192.168.1.2:1029
        EAP-Message = "[EMAIL PROTECTED] 0\036\006\003U\004\n\023\027Vivendi Universal Games1\0360\034\006\003U\004\013\023\025Funnybone Interactive1\0360\034\006\003U\004\003\023\025Funnybone Wireless [EMAIL PROTECTED]"
        EAP-Message = "m0\201\2370\r\006\t*\206H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\316\253\250\317\2337\300\313\201\220\313u\340D\025\rd}+P\036gZ\246\373\267\233x\323\277\204e\374o\036\013\347hf\273]|2\020\335\316\316\321^u*\265\225\360\325H<t\226\312m\000!gnQ\275\340d\207\365\335\317a!4\201|X\005\337\307\021Y\311\323b\231*\016bR'E\032,\247\212\333\356/\332m}\253\200\377\214\301a\nZ\rY\254\257JgZ\343\376\364\240\031\221h\002\003\001\000\001\243\202\001\0320\202\001\0260\035\006\003U\035\016"
        EAP-Message = "\003U\004\006\023\002DK1\0240\022\006\003U\004\010\023\013Connecticut1\0170\r\006\003U\004\007\023\006Canton1 0\036\006\003U\004\n\023\027Vivendi Universal Games1\0360\034\006\003U\004\013\023\025Funnybone Interactive1\0360\034\006\003U\004\003\023\025Funnybone Wireless [EMAIL PROTECTED]/\365k\2760Q\267"
        EAP-Message = "\264oPJ\366\363U\020\247U\310\352St\2072c\273\310\021C\3275\262b\322\277k\202\230\272y\215\256\tN\237\212\237\027\236Hl\206\264\2753\255ZU\377\336\361\237\013\253\214\223\205\237\375\240\002Q\200rf9Fp\022\035)\253j\374G\017\001\366\234\364\245c!#\302:r~\230\243\026\003\001\000\314\r\000\000\304\003\001\002\005\000\276\000\2740\201\2711\0130\t\006\003U\004\006\023\002DK1\0240\022\006\003U\004\010\023\013Connecticut1\0170\r\006\003U\004\007\023\006Canton1 0\036\006\003U\004\n\023\027Vivendi Universal Games1"
        EAP-Message = "ireless CA1!0\037\006\t*\206H\206\367\r\001\t\001\026"
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x899de4e41bd81238920be4d238876294a535bc40f7de03931624dcc5281ce1c963595db6
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1029, id=36, length=107
        User-Name = "Funnybone Wireless CA"
        EAP-Message = "\002\004\000\006\r"
        State = 0x899de4e41bd81238920be4d238876294a535bc40f7de03931624dcc5281ce1c963595db6
        Message-Authenticator = 0xcbbc46f4f191c047f8ca1706fc5f2880
modcall: entering group authorize
Invalid operator for item NAS-IP-Address: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Funnybone Wireless CA", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched Funnybone Wireless CA at 96
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 36 to 192.168.1.2:1029
        EAP-Message = "[EMAIL PROTECTED]"
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x875e23c678606049d752d9df2d23b99ca535bc403010e521091a25d7ad0d48bdca9a385d
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1029, id=37, length=1218
        User-Name = "Funnybone Wireless CA"
        EAP-Message = "\002\005\004U\r\200\000\000\004K\026\003\001\004\033\013\000\003\013\000\003\010\000\003\0050\202\003\0010\202\002j\240\003\002\001\002\002\001\0010\r\006\t*\206H\206\367\r\001\001\004\005\0000\201\2711\0130\t\006\003U\004\006\023\002DK1\0240\022\006\003U\004\010\023\013Connecticut1\0170\r\006\003U\004\007\023\006Canton1 0\036\006\003U\004\n\023\027Vivendi Universal Games1\0360\034\006\003U\004\013\023\025Funnybone Interactive1\0360\034\006\003U\004\003\023\025Funnybone Wireless CA1!0\037\006\t*\206H\206\367"
        EAP-Message = "1175818Z\027\r050531175818Z0\201\2711\0130\t\006\003U\004\006\023\002DK1\0240\022\006\003U\004\010\023\013Connecticut1\0170\r\006\003U\004\007\023\006Canton1 0\036\006\003U\004\n\023\027Vivendi Universal Games1\0360\034\006\003U\004\013\023\025Funnybone Interactive1\0360\034\006\003U\004\003\023\025Funnybone Wireless [EMAIL PROTECTED]"
        EAP-Message = "\324\006\233;_%\002p\300n{\271B\022F)\033\\\236v\226J\221\211\2319\345\0174\252\335\267\032\016\222\250\344\312|\347\273\242\216>w^W\356\033\336\270\326\374\303f\304Q\242\263\215\313m\377K\332\022\344\\333\022\233\272\221\237\226\211_\024\373\212 $:\351\375\t\317\223\262N^\3267\322p\\\352\217h#\313]\334\022\206a4\351\201\361\274\275\255\227\002\003\001\000\001\243\0270\0250\023\006\003U\035%\004\0140\n\006\010+\006\001\005\005\007\003\0020\r\006\t*\206H\206\367\r\001\001\004\005\000\003\201\201\000p\037"
        EAP-Message = "\232\201\247\243*\234\tkk\323\325\214\341\212\007\243\342/\255.\371G\353UFp\004\010\211\000\315K\246T\313:[EMAIL PROTECTED] \032\262\017\321\3446\202\306\366\214s/O\314\200U\001\335`\204nm\374\362\307\205>\006PU\271\013#\225DKG\271\017\000\000\202\000"
        EAP-Message = "\311\034\362S\326\362\305\255\347(1\203\301\260\337\0362L\032^\016\3468\274\276.\034M\305}\277\372\24\022\236\215\375+\341\3139\232\201=\007e\304 U1ZF>\024\003\001\000\001\001\026\003\001\000 \310\237\020R\005\262\212mp\250k\t\023\264\267\253X0\310M\215\316\370\271(\277\223\004$\013\343\031"
        State = 0x875e23c678606049d752d9df2d23b99ca535bc403010e521091a25d7ad0d48bdca9a385d
        Message-Authenticator = 0xf728ea5e330aaa6a5185a020f259a2d9
modcall: entering group authorize
Invalid operator for item NAS-IP-Address: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Funnybone Wireless CA", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched Funnybone Wireless CA at 96
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Multiple EAP_Message attributes found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls:  Length Included
<<< TLS 1.0 Handshake [length 030f], Certificate
 
--> verify error:num=18:self signed certificate
chain-depth=0,
error=18
--> User-Name = Funnybone Wireless CA
--> BUF-Name = Funnybone Wireless CA
--> subject = /C=DK/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> issuer  = /C=DK/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> verify return:0
>>> TLS 1.0 Alert [length 0002], fatal unknown_ca
 
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap_tls: SSL_read Error
11587:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2386:
 Error code is ..... 5
 Error in SSL ..... 5
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 37 to 192.168.1.2:1029
        EAP-Message = "\001\006\000\021\r\200\000\000\000\007\025\003\001\000\002\0020"
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x88011a3569c0a1eab77e7a88d47e0170a535bc404476f7c7e448f762d5135c8dc14e5ddf
Finished request 10
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1029, id=38, length=107
        User-Name = "Funnybone Wireless CA"
        EAP-Message = "\002\006\000\006\r"
        State = 0x88011a3569c0a1eab77e7a88d47e0170a535bc404476f7c7e448f762d5135c8dc14e5ddf
        Message-Authenticator = 0x004f5d033b34d4d130734db451b73cc5
modcall: entering group authorize
Invalid operator for item NAS-IP-Address: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Funnybone Wireless CA", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched Funnybone Wireless CA at 96
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Delaying request 11 for 1 seconds
Finished request 11
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 33 with timestamp 40bc35a5
Cleaning up request 7 ID 34 with timestamp 40bc35a5
Cleaning up request 8 ID 35 with timestamp 40bc35a5
Cleaning up request 9 ID 36 with timestamp 40bc35a5
Cleaning up request 10 ID 37 with timestamp 40bc35a5
Sending Access-Reject of id 38 to 192.168.1.2:1029
        EAP-Message = "\004\006\000\004"
        Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 11 ID 38 with timestamp 40bc35a5
Nothing to do.  Sleeping until we see a request.
 
Any thoughts on how to resolve this problem?
 
Regards
 
Jacob
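The debug output above tells the whole story if it is read line by line: the server sent CertificateRequest, the client answered with a Certificate, OpenSSL's verify callback reported error 18 at chain depth 0 (X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT), the subject and issuer DNs are identical, and the server then wrote a fatal unknown_ca alert, which is why the exchange ends in Access-Reject. The following parser is an added example, not code from the post, the HOWTO or FreeRADIUS; it runs over a log excerpt constructed from the lines quoted above (the e-mail component of the DN was already redacted in the post) and turns them into findings. The last finding is an inference: a self-signed leaf whose CN is the CA's own name is consistent with the CA certificate having been installed on the client as its identity instead of a client certificate signed by that CA. The remediation on the server side is to issue the client a CA-signed certificate and keep the CA in the server's CA_file, not to loosen verification.

```python
"""Parse rlm_eap_tls debug output from FreeRADIUS 1.x and explain a failed
EAP-TLS client-certificate verification.  Added example, not part of the
post or of FreeRADIUS.  SAMPLE_LOG is constructed from the lines quoted in
the post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_LOG = """\
<<< TLS 1.0 Handshake [length 0041], ClientHello
>>> TLS 1.0 Handshake [length 004a], ServerHello
>>> TLS 1.0 Handshake [length 06f2], Certificate
>>> TLS 1.0 Handshake [length 00cc], CertificateRequest
<<< TLS 1.0 Handshake [length 030f], Certificate
--> verify error:num=18:self signed certificate
chain-depth=0,
error=18
--> User-Name = Funnybone Wireless CA
--> subject = /C=DK/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> issuer  = /C=DK/ST=Connecticut/L=Canton/O=Vivendi Universal Games/OU=Funnybone Interactive/CN=Funnybone Wireless CA/[EMAIL PROTECTED]
--> verify return:0
>>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap_tls: SSL_read Error
"""

# "<<<" is client -> server, ">>>" is server -> client in this debug format.
HANDSHAKE = re.compile(r"^(<<<|>>>) TLS \S+ Handshake \[length [0-9a-f]+\], (\w+)$")
VERIFY_ERR = re.compile(r"^--> verify error:num=(\d+):(.*)$")
DEPTH = re.compile(r"^chain-depth=(\d+),")
USER_NAME = re.compile(r"^--> User-Name = (.*)$")
DN_LINE = re.compile(r"^--> (subject|issuer)\s*=\s*(\S.*)$")
ALERT = re.compile(r"^(<<<|>>>) TLS \S+ Alert \[length [0-9a-f]+\], (\w+) (\w+)$")


@dataclass
class TlsTrace:
    handshake: List[Tuple[str, str]] = field(default_factory=list)   # (direction, message)
    verify_errors: List[Tuple[int, str]] = field(default_factory=list)  # (openssl code, text)
    chain_depth: Optional[int] = None
    user_name: Optional[str] = None
    subject: Optional[str] = None
    issuer: Optional[str] = None
    alert: Optional[Tuple[str, str, str]] = None  # (direction, level, description)


def parse_dn(dn: str) -> dict:
    """Split an OpenSSL one-line DN (/C=../CN=..) into a dict.  Components
    without '=' (the redacted e-mail address here) are skipped."""
    out = {}
    for part in dn.split("/"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key] = value
    return out


def parse_tls_log(text: str) -> TlsTrace:
    """Collect the TLS-relevant lines of one EAP-TLS exchange into a TlsTrace."""
    trace = TlsTrace()
    for line in text.splitlines():
        line = line.rstrip()
        if m := HANDSHAKE.match(line):
            trace.handshake.append((m.group(1), m.group(2)))
        elif m := VERIFY_ERR.match(line):
            trace.verify_errors.append((int(m.group(1)), m.group(2).strip()))
        elif m := DEPTH.match(line):
            trace.chain_depth = int(m.group(1))
        elif m := USER_NAME.match(line):
            trace.user_name = m.group(1).strip()
        elif m := DN_LINE.match(line):
            setattr(trace, m.group(1), m.group(2).strip())
        elif m := ALERT.match(line):
            trace.alert = (m.group(1), m.group(2), m.group(3))
    return trace


def diagnose(trace: TlsTrace) -> List[str]:
    """Turn a parsed trace into findings an operator can act on."""
    findings = []
    if (">>>", "CertificateRequest") in trace.handshake and ("<<<", "Certificate") in trace.handshake:
        findings.append("server requested a client certificate and the client presented one")
    if trace.subject and trace.subject == trace.issuer:
        findings.append("presented certificate is self-signed: subject equals issuer")
    # OpenSSL verify result 18 is X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT.
    if any(code == 18 for code, _ in trace.verify_errors) and trace.chain_depth == 0:
        findings.append("verify error 18 at depth 0: the leaf is self-signed and is not in the server's CA_file")
    if trace.alert and trace.alert[2] == "unknown_ca":
        findings.append("server sent fatal unknown_ca alert, so the supplicant ends up with Access-Reject")
    cn = parse_dn(trace.subject or "").get("CN")
    if cn and trace.subject == trace.issuer and cn == trace.user_name:
        # Inference, not something the log states outright.
        findings.append("EAP identity equals the self-signed leaf's CN: consistent with the CA certificate "
                        "itself having been installed on the client as its identity")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_tls_log(SAMPLE_LOG)):
        print("-", finding)
```

Run it as is and it prints the five findings for the quoted exchange; feed it the full debug output of another failing exchange and the absent findings show which step differs (for example a chain error at depth 1 points at an intermediate missing from CA_file rather than at a self-signed leaf).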
 
 
