I've followed the instructions to the best of my abilities from three
different howto sources:
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm
http://www.freeradius.org/doc/EAPTLS.pdf
http://3w.denobula.com:50000/EAPTLS.html
I've generated the certs, including the appropriate OIDs, and have
imported the root.der and User.p12 on the XP workstation.
I've configured the USR 8054 wireless router by enabling 802.1X, have
tried all the choices of 64-, 128-, and 256-bit encryption between the
router and FreeRADIUS, and have set the IP address, port, and a shared
password that mirrors the one in the clients.conf file.
I've also modified the eap.conf file to accept EAP/TLS and have set it
correctly to find the server certs and root CA.
When the XP workstation attempts to connect, radius -X shows the normal
communications (from what I can tell by comparing the output to the examples
in the howtos):
rad_recv: Access-Request packet from host 192.168.1.254:1207, id=2,
length=119
User-Name = "User"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "00-c0-49-d9-ce-66"
Calling-Station-Id = "00-c0-49-cb-fe-75"
NAS-Identifier = ""
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020200090155736572
Message-Authenticator = 0x3dc82dc30328916e5ff709db86444758
(cut)
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 2 to 192.168.1.254:1207
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd4c8286effdadef1e7851329bb92de24
(cut)
rad_recv: Access-Request packet from host 192.168.1.254:1207, id=3,
length=208
User-Name = "User"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "00-c0-49-d9-ce-66"
Calling-Station-Id = "00-c0-49-cb-fe-75"
NAS-Identifier = ""
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020300500d800000004616030100410100003d0301etc
State = 0xd4c8286effdadef1e7851329bb92de24
Message-Authenticator = 0x3ad681c1d31e2cabb084800123d59853
(cut)
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0a2f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a1], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 3 to 192.168.1.254:1207
EAP-Message = 0x0104040a0dc000000b29160301004a02000046030140bed.etc
EAP-Message = 0x864886f70d0109011612726f6f74407a65737479736f667.etc
EAP-Message = 0x730a5be16a9604acc62178fe543187e4a13751ea03e631b.etc
EAP-Message = 0x040c300a06082b06010505070301300d06092a864886f70.etc
EAP-Message = 0x792feb317a0b6c707de573b15f8daec1bf836d706f27
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x54128fe1327ae6bc6915b21ba40ab8af
Finished request 1
(cut)
rad_recv: Access-Request packet from host 192.168.1.254:1207, id=4,
length=134
User-Name = "User"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "00-c0-49-d9-ce-66"
Calling-Station-Id = "00-c0-49-cb-fe-75"
NAS-Identifier = ""
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400060d00
State = 0x54128fe1327ae6bc6915b21ba40ab8af
Message-Authenticator = 0xa8bb67caf83341f30dba40116add0f8f
(cut)
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 4 to 192.168.1.254:1207
EAP-Message = 0x0105040a0dc000000b29d7814d25b146f73b102etc
EAP-Message = 0x311330110603550408130a43616c69666f726e6etc
EAP-Message = 0x040e6af4f947e4241a33b0758c65fde6436f126etc
EAP-Message = 0x818f310b3009060355040613025553311330110etc
EAP-Message = 0x3a2f2f7777772e7a65737479736f66742e636f6d2f73
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xce36fe57b7dff58cd0e5a3860694ea06
(cut)
rad_recv: Access-Request packet from host 192.168.1.254:1207, id=5,
length=134
User-Name = "User"
NAS-IP-Address = 192.168.1.254
NAS-Port = 0
Called-Station-Id = "00-c0-49-d9-ce-66"
Calling-Station-Id = "00-c0-49-cb-fe-75"
NAS-Identifier = ""
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500060d00
State = 0xce36fe57b7dff58cd0e5a3860694ea06
Message-Authenticator = 0x695fd2aecc928f727c0eba2f1f75cd25
(cut)
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 5 to 192.168.1.254:1207
EAP-Message = 0x010603330d8000000b29736c2f7a65737479736f60.etc
EAP-Message = 0x746d6c30360603551d12042f302d862b6874747077.etc
EAP-Message = 0xd2400e5e15fd434148f8bac72a9470758e78ed124d.etc
EAP-Message = 0x737479736f6674205472757374204e6574776f726b.etc
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xabefc4c5382977f73087e53d81d3275d
(just more of the "waiting" messages at this point)
So I never get to the TLS certificate handshake part.
Is the problem with this?
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
I've tried setting the fragment_size to 1024, 2048, and 1000 without any
help. I also know that normally it's a bad thing when processes return
something other than 1, so perhaps the 13 is significant?
Details about the Linux server:
Fedora 2 x86 distro.
Three NICs: one for external, one for LAN, and one for WAN.
The LAN and WAN NICs are bridged (br0 is the interface name).
dhcpd runs off the Linux box only, and the wireless router is not using the
WAN port, so it just acts like a regular switch.
The internal network is 192.168.1.0/24 and radius is set with:
listen=192.168.1.1, which is the IP address of the bridged interface (br0).
I used the default OpenSSL RPM that comes with Fedora 2. The version
shows as 0.9.7a.
There was one thing I had to tweak to get FreeRADIUS to compile correctly.
In one of the module files, on line 40 of rlm_krb5.c, I changed:
#include <com_err.h>
to
#include </usr/include/et/com_err.h>
This is probably a Fedora 2 issue, and since I'm not using Kerberos with
this anyway, I don't think it is related, but I just thought I'd mention it
just in case.
Finally, my certs are created with sha1 instead of md5 (the root cert was
created a while ago for other services like imapd, smtpd, web, etc.). Is
there perhaps a compatibility issue here as well?
Thanks, and I apologize if this question has already been answered;
googling didn't come up with much, at least for the keywords I chose to
search with.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
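The EAP-Message values in a radiusd -X trace like the one above are raw EAP-TLS packets, and the flags and length fields in their first ten bytes say exactly where a stalled handshake is: whether a packet is the EAP-TLS Start, a fragment with More to follow, the last fragment, or a bare ACK, and whether the fragments the server sent add up to the TLS Message Length it advertised. The decoder below is an added example written for this page; it is not part of the original post, the thread, or FreeRADIUS. It assumes the packet layout of RFC 2716/RFC 5216 section 3.1 (Code, Identifier, Length, Type 13, Flags with L=0x80, M=0x40, S=0x20, then an optional 4-byte TLS Message Length) and decodes only the header bytes copied from the log above; the payloads the log truncates with "etc" are not reconstructed, so the TLS record header is decoded only where the log shows it.

```python
"""Decode the EAP-TLS headers of the EAP-Message values in a radiusd -X trace.

Added example, not code from the post or from FreeRADIUS. Layout assumed
(RFC 2716 / RFC 5216 section 3.1):
Code(1) Identifier(1) Length(2) Type(1) Flags(1) [TLS Message Length(4)] data
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                              # 0x0d in every EAP-Message above
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20      # Length included, More fragments, Start

TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

# Header bytes copied from the debug output above; payloads are truncated there.
EAP_TLS_START = "0x010300060d20"
CLIENT_HELLO = "0x020300500d800000004616030100410100003d0301"
ACK_FROM_CLIENT = "0x020400060d00"
SERVER_FRAGMENTS = [
    "0x0104040a0dc000000b29160301004a020000460301",  # first Access-Challenge (id 4)
    "0x0105040a0dc000000b29",                        # second (id 5)
    "0x010603330d8000000b29",                        # third and last (id 6)
]


def decode_eap_tls(hexstr):
    """Parse one EAP-Message (hex, optional 0x prefix, may be truncated after
    the header) and describe its EAP-TLS header as a dict."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 6:
        raise ValueError("need at least the 6-byte EAP/EAP-TLS header")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", raw[:6])
    if eap_type != EAP_TYPE_TLS:
        raise ValueError("EAP type %d is not EAP-TLS" % eap_type)
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M),
            "S": bool(flags & FLAG_S), "tls_total_length": None}
    offset = 6
    if info["L"]:
        if len(raw) < 10:
            raise ValueError("L flag set but the TLS Message Length field is missing")
        info["tls_total_length"] = struct.unpack("!I", raw[6:10])[0]
        offset = 10
    # TLS bytes carried by this packet, from the EAP Length field rather than
    # from the hex, so it is right even when the log truncates the payload.
    info["fragment_bytes"] = length - offset
    # A header with no flags and no data is the EAP-TLS ACK the peer sends
    # to ask for the next fragment.
    info["kind"] = ("Start" if info["S"] else
                    "ACK" if flags == 0 and info["fragment_bytes"] == 0 else
                    "fragment")
    # If the first bytes of the data survived in the log and look like a TLS
    # record header, decode it. Only the first record of the fragment is
    # described; one fragment may carry several records (ServerHello,
    # Certificate, CertificateRequest ...).
    data = raw[offset:]
    if len(data) >= 6 and data[0] in TLS_CONTENT:
        ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", data[:5])
        version = "SSL 3.0" if (vmaj, vmin) == (3, 0) else "TLS 1.%d" % (vmin - 1)
        info["tls_record"] = {"type": TLS_CONTENT[ctype], "version": version,
                              "length": rec_len}
        if ctype == 22:
            info["tls_record"]["handshake"] = HANDSHAKE.get(data[5], data[5])
    return info


def check_reassembly(hexstrs):
    """Check that the fragments of one TLS message (in order) add up to the
    advertised TLS Message Length and that only the last one clears M."""
    parts = [decode_eap_tls(h) for h in hexstrs]
    advertised = parts[0]["tls_total_length"]
    carried = sum(p["fragment_bytes"] for p in parts)
    more = [p["M"] for p in parts]
    complete = (advertised is not None and carried == advertised
                and all(more[:-1]) and not more[-1])
    return {"advertised": advertised, "carried": carried, "complete": complete}


if __name__ == "__main__":
    for label, pkt in [("start", EAP_TLS_START), ("client hello", CLIENT_HELLO),
                       ("ack", ACK_FROM_CLIENT)] + \
                      [("server fragment", f) for f in SERVER_FRAGMENTS]:
        print(label, decode_eap_tls(pkt))
    print(check_reassembly(SERVER_FRAGMENTS))
```

Run against the bytes in the trace, the decoder shows the Access-Challenge with id 3 as an EAP-TLS Start (flags 0x20), the client's reply as a 70-byte TLS 1.0 ClientHello record (matching the "length 0041" handshake message the server logged), the id 4 and 5 challenges as 1024-byte fragments with L and M set, and the id 6 challenge as the final 809-byte fragment, for 2857 bytes in all, exactly the 0x0b29 advertised in every fragment. The server side of the fragmentation is therefore self-consistent with the fragment_size of 1024 mentioned in the post, and the stall sits after the last fragment, where the trace shows no client response carrying the Certificate/ClientKeyExchange records that "read client certificate A" is waiting for.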