Arnauld,

It almost looks like something in the supplicant is not configured properly
to use the certificate sent from the server during the handshake phase... I
have attached a copy of some of my notes (written to myself so some of the
"meaning" in the notes may not be exactly correct - but heck - they were for
me anyway [grin]) that show an EAP/TTLS session negotiation...

Take a look and compare to what you are doing to see if you can determine
where things are going off the deep end... I would suggest setting up
testing for EAP/TTLS in a simple configuration for user authorization
first - then fold in the LDAP authorization....

Hope this helps....

gm...

----- Original Message ----- 
From: "Arnauld Dravet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 23, 2004 8:40 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)


> > Have you looked at the "make" output from the compile to see if there are
> > any error or warning messages?
>
> yep it was my fault i have openssl 0.9.6 and 0.9.7 installed for certificate
> generation, and of course i forgot to link freeradius-cvs against 0.9.7 =) works
> much better now, at least radiusd is launching.
>
> But, still have a prob during TLS init (i'm trying to setup a TTLS connection):
>
> The client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2 tunneled
> protocol. Seems like i got a problem with certificates, but i don't understand
> why since i'm not supposed to have one on the client-side ..
>
> Here is the output, sorry if a bit long:
>
>
>
> rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79, length=242
>         NAS-IP-Address = 192.168.6.3
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 5
>         Framed-MTU = 1400
>         User-Name = "arnauld.dravet"
>         Calling-Station-Id = "00904b625711"
>         Called-Station-Id = "000d54fc1807"
>         NAS-Identifier = "EPSI AP1"
>         State = 0xfdd7e79f9bbab3286563325da5e5199a
>         EAP-Message =
>
0x0203006a158000000060160301005b01000057030140d9772aeddf802406fe3f32167240a3
35e4
>
99126e92bb2f0423691ebb49fad900003000390038003500160013000a00330032002f006600
0500
> 040065006400630062006000150012000900140011000800030100
>         Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
>   modcall[authorize]: module "preprocess" returns ok for request 2
>   modcall[authorize]: module "chap" returns noop for request 2
>   modcall[authorize]: module "mschap" returns noop for request 2
>     rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 2
>   rlm_eap: EAP packet type response id 3 length 106
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 2
>   modcall[authorize]: module "files" returns notfound for request 2
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
> (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: Adding ntPassword as NT-Password, value
> EFAC11B52777F8D7A34BDC1A0F89228D & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value
> 136BE46417241D68AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 2
> modcall: group authorize returns updated for request 2
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>   eaptls_verify returned 11
>     (other): before/accept initialization
>     TLS_accept: before/accept initialization
>     TLS_accept: SSLv3 read client hello A
>     TLS_accept: SSLv3 write server hello A
>     TLS_accept: SSLv3 write certificate A
>     TLS_accept: SSLv3 write key exchange A
>     TLS_accept: SSLv3 write server done A
>     TLS_accept: SSLv3 flush data
>     TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 2
> modcall: group authenticate returns handled for request 2
> Sending Access-Challenge of id 79 to 192.168.6.3:1794
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xe02853fdd6c7f24f5247285b43b09481
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.6.3:1795, id=80, length=142
>         NAS-IP-Address = 192.168.6.3
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 5
>         Framed-MTU = 1400
>         User-Name = "arnauld.dravet"
>         Calling-Station-Id = "00904b625711"
>         Called-Station-Id = "000d54fc1807"
>         NAS-Identifier = "EPSI AP1"
>         State = 0xe02853fdd6c7f24f5247285b43b09481
>         EAP-Message = 0x020400061500
>         Message-Authenticator = 0x24a008ef0366b721e181dd062314f0ce
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
>   modcall[authorize]: module "preprocess" returns ok for request 3
>   modcall[authorize]: module "chap" returns noop for request 3
>   modcall[authorize]: module "mschap" returns noop for request 3
>     rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 3
>   rlm_eap: EAP packet type response id 4 length 6
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 3
>   modcall[authorize]: module "files" returns notfound for request 3
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
> (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: Adding ntPassword as NT-Password, value
> EFAC11B52777F8D7A34BDC1A0F89228D & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value
> 136BE46417241D68AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 3
> modcall: group authorize returns updated for request 3
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: No SSL info available. Waiting for more SSL data.
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 80 to 192.168.6.3:1795
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc23be259cc210d064ca36d99bdfd0341
> Finished request 3
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.6.3:1796, id=81, length=153
>         NAS-IP-Address = 192.168.6.3
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 5
>         Framed-MTU = 1400
>         User-Name = "arnauld.dravet"
>         Calling-Station-Id = "00904b625711"
>         Called-Station-Id = "000d54fc1807"
>         NAS-Identifier = "EPSI AP1"
>         State = 0xc23be259cc210d064ca36d99bdfd0341
>         EAP-Message = 0x0205001115800000000715030100020230
>         Message-Authenticator = 0x0ac4f69914c15bc5e851c225bdde5884
>   Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
>   modcall[authorize]: module "preprocess" returns ok for request 4
>   modcall[authorize]: module "chap" returns noop for request 4
>   modcall[authorize]: module "mschap" returns noop for request 4
>     rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[authorize]: module "suffix" returns noop for request 4
>   rlm_eap: EAP packet type response id 5 length 17
>   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
>   modcall[authorize]: module "eap" returns updated for request 4
>   modcall[authorize]: module "files" returns notfound for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat:  '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat:  'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter
> (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: Adding ntPassword as NT-Password, value
> EFAC11B52777F8D7A34BDC1A0F89228D & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value
> 136BE46417241D68AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
>   modcall[authorize]: module "ldap" returns ok for request 4
> modcall: group authorize returns updated for request 4
>   rad_check_password:  Found Auth-Type EAP
> auth: type "EAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>   eaptls_verify returned 11
> TLS Alert read:fatal:unknown CA
>     TLS_accept:failed in SSLv3 read client certificate A
> 9539:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
> 9539:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> In SSL Handshake Phase
> In SSL Accept mode
> rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
>   eaptls_process returned 13
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns reject for request 4
> modcall: group authenticate returns reject for request 4
> auth: Failed to validate the user.
> Delaying request 4 for 1 seconds
> Finished request 4
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 77 with timestamp 40d97726
> Cleaning up request 1 ID 78 with timestamp 40d97726
> Cleaning up request 2 ID 79 with timestamp 40d97726
> Cleaning up request 3 ID 80 with timestamp 40d97726
> Sending Access-Reject of id 81 to 192.168.6.3:1796
>         EAP-Message = 0x04050004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Cleaning up request 4 ID 81 with timestamp 40d97726
> Nothing to do.  Sleeping until we see a request.
>
>
> -- 
> Arnauld Dravet
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
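
Added example (not part of either poster's message and not FreeRADIUS code): a small decoder for the short `EAP-Message` values that appear in the two debug logs on this page, showing that the failing session's EAP Response id 5 carries a fatal TLS `unknown_ca` alert sent by the supplicant. The function names and lookup tables are this example's own; the hex strings in `SAMPLES` are copied from the logs.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}   # methods whose data is a flags byte plus TLS records
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert",
               22: "Handshake", 23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 12: "ServerKeyExchange", 14: "ServerHelloDone",
                 16: "ClientKeyExchange"}
TLS_ALERTS = {0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
              42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error"}


def parse_tls_records(payload):
    """Walk complete TLS records; stop at one that continues in a later fragment."""
    records, encrypted = [], False
    while len(payload) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[:5])
        body = payload[5:5 + rlen]
        if len(body) < rlen:
            break                          # rest of the record is in the next EAP fragment
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": (major, minor)}
        if encrypted:
            rec["encrypted"] = True        # after ChangeCipherSpec the body is ciphertext
        elif ctype == 21 and rlen == 2:
            rec["level"] = {1: "warning", 2: "fatal"}.get(body[0], body[0])
            rec["alert"] = TLS_ALERTS.get(body[1], body[1])
        elif ctype == 22 and body:
            # Only the first handshake message in the record is named.
            rec["handshake"] = TLS_HANDSHAKE.get(body[0], body[0])
        if ctype == 20:
            encrypted = True
        records.append(rec)
        payload = payload[5 + rlen:]
    return records


def decode_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug log (0x...)."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "complete": length <= len(raw)}
    if code not in (1, 2) or length < 5 or len(raw) < 5:
        return pkt                         # Success/Failure carry no type field
    etype, data = raw[4], raw[5:length]
    pkt["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:
        pkt["wanted"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype in TLS_BASED and data:
        flags, body = data[0], data[1:]
        pkt["flags"] = [name for bit, name in
                        ((0x80, "length"), (0x40, "more"), (0x20, "start"))
                        if flags & bit]
        pkt["ack"] = (flags & 0xE0) == 0 and not body
        # Records are parsed only when the length flag marks the first
        # fragment, so the payload is known to start on a record boundary.
        if flags & 0x80 and len(body) >= 4:
            pkt["tls_length"] = struct.unpack("!I", body[:4])[0]
            pkt["records"] = parse_tls_records(body[4:])
    return pkt


def peer_alerts(hex_values):
    """Return (eap_id, level, alert) for each TLS alert sent in an EAP Response."""
    found = []
    for value in hex_values:
        pkt = decode_eap(value)
        if pkt["code"] != "Response":
            continue
        for rec in pkt.get("records", []):
            if "alert" in rec:
                found.append((pkt["id"], rec["level"], rec["alert"]))
    return found


# EAP-Message values copied from the two debug logs on this page.
SAMPLES = {
    "identity": "0x0200000e01616e6f6e796d6f7573",
    "nak": "0x020100060315",
    "start": "0x010200061520",
    "ack": "0x020400061500",
    "alert": "0x0205001115800000000715030100020230",
    "failure": "0x04050004",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_eap(value))
    print(peer_alerts(SAMPLES.values()))
```

Because the alert arrives in an EAP Response, it was raised by the supplicant while checking the server's certificate chain; the server's own log line "TLS Alert read:fatal:unknown CA" is reporting what it received.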
Radiusd debug output for successful connection using EAP/TTLS 

---------------- Start of Debug output, items with *** are my notes to myself --------------

NOTE: My interpretation of what is actually occurring may not be 100% correct but, heck,
      these are notes to myself [grin]... nothing has been added or deleted to actual output.

      One thing to notice is the information sent to the radius server by the supplicant
      client does not actually send valid authorization request data until the TTLS link has
      been established and verified!  Nice touch!!!


*** Request from supplicant (client) for access to wireless system:

rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=131
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
        Message-Authenticator = 0x5c57ac02480292d782956ebbf3ee5280


*** Processing by Radius Server to determine authentication method:
  modcall: entering group authorize for request 1041

*** Perform preprocessing on request packet received from Wireless AP
  modcall[authorize]: module "preprocess" returns ok for request 1041

*** Perform CHAP test for authentication – returns no operation requested
  modcall[authorize]: module "chap" returns noop for request 1041

*** Perform MSCHAP test for authentication – returns no operation requested
  modcall[authorize]: module "mschap" returns noop for request 1041

*** Test to see if this request should proxy to a different Radius Server
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL

*** Nope – this Radius Server is the location to validate the packet request…
    rlm_realm: No such realm "NULL"

*** Perform suffix processing if required on request packet – no operation required
  modcall[authorize]: module "suffix" returns noop for request 1041

*** Test for EAP packet processing request in packet
  rlm_eap: EAP packet type response id 0 length 14

*** Valid EAP packet – assume continuation packet (or start packet)…
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1041


*** Check “users” file to see if username matches (we fall through to the DEFAULT normally)
  users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1041
  modcall: group authorize returns updated for request 1041

*** Check for authentication type of packet
  rad_check_password:  Found Auth-Type EAP

*** Authentication type requested = EAP
  auth: type "EAP"
  modcall: entering group authenticate for request 1041

*** EAP packet type = EAP Identity
  rlm_eap: EAP Identity

*** EAP default packet password test type = MD5
  rlm_eap: processing type md5

*** Try using default authentication type first!
  rlm_eap_md5: Issuing Challenge

  modcall[authenticate]: module "eap" returns handled for request 1041
modcall: group authenticate returns handled for request 1041

*** Send EAP MD5 hash password value to supplicant (client) for test verification 
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = 0x010100160410f16d02e0e86179eacb0b6dffb4dcbc2b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2734207d57878e6a797342bc40c2b3f4
Finished request 1041

*** Wait for supplicant (client) response to EAP MD-5 hash validation results…

***Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...


*** Initial response from supplicant (client) for access to wireless system:
*** (Setup temp session keys for transmission of server decryption certificate 
*** and supplicant encryption certificate information)

rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=141
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0x2734207d57878e6a797342bc40c2b3f4
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100060315
        Message-Authenticator = 0x5e69caf705d7edbc645fde43392e59f2

*** Processing by Radius Server:
modcall: entering group authorize for request 1042
  modcall[authorize]: module "preprocess" returns ok for request 1042
  modcall[authorize]: module "chap" returns noop for request 1042
  modcall[authorize]: module "mschap" returns noop for request 1042
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1042

  rlm_eap: EAP packet type response id 1 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1042
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1042
modcall: group authorize returns updated for request 1042

*** Check for authentication type of packet
  rad_check_password:  Found Auth-Type EAP
*** Authentication type requested = EAP
auth: type "EAP"

modcall: entering group authenticate for request 1042
  rlm_eap: Request found, released from the list
*** Initial test for MD-5 hash password verification rejected – 
*** not the correct requested authentication test type
  rlm_eap: EAP NAK
*** Actual authentication test type for verification is EAP/TTLS
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
*** We are using Transport Layer Protocol (encrypted) for authentication configuration
Subset of TLS processing
  rlm_eap: processing type tls
*** Setup for TLS activation to process the authentication request
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1

  modcall[authenticate]: module "eap" returns handled for request 1042
modcall: group authenticate returns handled for request 1042

*** Send TLS activation response to the supplicant (client) on the 
*** wireless device requesting authentication
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa98b18a8f23d34a6a2ff244fc9e62388

*** Wait for supplicant to reply to the TLS initialization to continue activation steps
Finished request 1042
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...



*** Response from supplicant (client) for TLS configured access to wireless system:
*** (Send server certificate to supplicant for decoding of the server generated 
*** supplicant encryption certificate)
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=233
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0xa98b18a8f23d34a6a2ff244fc9e62388
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0202006215800000005816030100530100004f03014033b88a628fc5032600279b97cb4330dc339fce54dee11c4b119d580fe5bbcd00002800160013006600150012000a000500040009006300650060006200610064001400110003000600080100
        Message-Authenticator = 0x9ae0637cd6b8081668a4992be06f25d1

*** Processing by Radius Server:
modcall: entering group authorize for request 1043
  modcall[authorize]: module "preprocess" returns ok for request 1043
  modcall[authorize]: module "chap" returns noop for request 1043
  modcall[authorize]: module "mschap" returns noop for request 1043
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1043
  rlm_eap: EAP packet type response id 2 length 98
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1043
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1043
modcall: group authorize returns updated for request 1043

*** Authentication type requested = EAP
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"

modcall: entering group authenticate for request 1043
  rlm_eap: Request found, released from the list

*** Authentication test type for verification is EAP/TTLS
  rlm_eap: EAP/ttls
*** We are using Tunneling Transport Layer Protocol (encrypted tunnel) 
*** for authentication and data transport
  rlm_eap: processing type ttls
*** TTLS Action requested is Authenticate
  rlm_eap_ttls: Authenticate
*** We are using Transport Layer Protocol (encrypted ) for authentication configuration
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
*** Perform the TLS handshake to send the encryption certificate to the supplicant 
*** (client) for session key generation
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 06b4], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
*** TLS handshake and server certificate completed with supplicant (client)
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data

*** We do not use a client certificate in TTLS mode – the server certificate is used 
*** to generate a certificate for the supplicant's use in the temp key generation
    TLS_accept:error in SSLv3 read client certificate A

In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13

  modcall[authenticate]: module "eap" returns handled for request 1043
modcall: group authenticate returns handled for request 1043

*** The TTLS certificate information sent to the supplicant (client) – 
*** debug info for verification check (each transmission block limited to 
*** 1024 bytes so as not to over-run supplicant buffers per the RFC)
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x28aeb900fd176aa22feb06c932cb9dc7
*** Wait for supplicant to reply to the TTLS initialization to continue activation steps
Finished request 1043
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...


*** Response from supplicant (client) for TTLS configured access to wireless system:
*** (Send server generated supplicant encryption certificate to the supplicant)

rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=141
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0x28aeb900fd176aa22feb06c932cb9dc7
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061500
        Message-Authenticator = 0xcecd46ded2cdc649c6f92fc0b608146a

*** Processing by Radius Server:

modcall: entering group authorize for request 1044
  modcall[authorize]: module "preprocess" returns ok for request 1044
  modcall[authorize]: module "chap" returns noop for request 1044
  modcall[authorize]: module "mschap" returns noop for request 1044
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1044
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1044
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1044
modcall: group authorize returns updated for request 1044

*** Authentication type requested = EAP
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1044


*** Radius table clean-up – we found the current response from the supplicant for this action
  rlm_eap: Request found, released from the list


*** Authentication test type for verification is EAP/TTLS
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS


*** Received the Acknowledgement from the supplicant of the security certificate and 
*** verified the MD-5 Checksum 
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1044
modcall: group authenticate returns handled for request 1044

*** The TTLS certificate information sent to the supplicant (client) – 
*** debug info for verification check (each transmission block limited to 
*** 1024 bytes so as not to over-run supplicant buffers per the RFC)

Sending Access-Challenge of id 0 to 207.203.64.244:2050
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf3eced8eb6725121d601973e926d7281
Finished request 1044

*** Wait for supplicant to reply to the TTLS initialization to continue activation steps
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...


*** Response from supplicant (client) for TTLS configured access to wireless system (phase II):
(Instruct supplicant to install and activate server generated supplicant encryption certificate)

rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=335
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0xf3eced8eb6725121d601973e926d7281
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x020400c81580000000be16030100861000008200801e437eeebe80e5162906b8d131432df678f8c2f5106bd198a5c9e66977d7e6ffae471b8b10411d7bf9ca3002f114fa13cf31181c043a44008597bc701dfd0903de50386ad14630d1b99f075ca615f779d19ec6328cd3f90c20ebcaa0afae412a474d6611df7c525481c8a25f2d1a139733839e0fc597209574ecb239e21e50f01403010001011603010028754d48c23f6ac35c25f1335b015d508f59e218be81a1053375e47dcfa68323af3073d79e19c06f61
        Message-Authenticator = 0x493ef77d0857f745feeaf9734e408e32

*** Processing by Radius Server:

modcall: entering group authorize for request 1045
  modcall[authorize]: module "preprocess" returns ok for request 1045
  modcall[authorize]: module "chap" returns noop for request 1045
  modcall[authorize]: module "mschap" returns noop for request 1045
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1045
  rlm_eap: EAP packet type response id 4 length 200
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1045
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1045
modcall: group authorize returns updated for request 1045


*** Authentication type requested = EAP
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1045

*** Radius table clean-up – we found the current response from the supplicant for this action
  rlm_eap: Request found, released from the list

*** Authentication test type for verification is EAP/TTLS
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls

  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included

  eaptls_verify returned 11

*** Steps performed by supplicant to enable server generated supplicant key certificate sent previously
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully

SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1045
modcall: group authenticate returns handled for request 1045




Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = 
0x0105003d15800000003314030100010116030100289c550e5ba15d369cd35d8fe56b1d567d9e1fec730d2b0e278602feb2b121fe8450c273d1291d8537
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc9820bf0ef198c7091036e436531dfaf

*** Wait for supplicant to reply to the TLS certificate activation to continue activation steps
Finished request 1045
Going to the next request
rl_next:  returning NULL
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1045 ID 0 with timestamp 4033924a
Nothing to do.  Sleeping until we see a request.


*** Response from supplicant (client) for TTLS configured access to wireless system (phase III):
(Perform actual activation – verify the username and password and if valid setup session keys for supplicant and server)

rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=214
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0xc9820bf0ef198c7091036e436531dfaf
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 
0x0205004f1580000000451703010040b42e43c84ba475805d91ff00bb500b2d1160fa6cd2654863e502299eaf6d4aae50b8b0b0f3c4f7b04c44871391fd0ea2241b99be65e8678cbc67061dbe178398
        Message-Authenticator = 0x97a2964972524b98441af1b060627fb9

*** Processing by Radius Server:

modcall: entering group authorize for request 1046
  modcall[authorize]: module "preprocess" returns ok for request 1046
  modcall[authorize]: module "chap" returns noop for request 1046
  modcall[authorize]: module "mschap" returns noop for request 1046
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1046
  rlm_eap: EAP packet type response id 5 length 79
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1046
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1046
modcall: group authorize returns updated for request 1046



*** Authentication type requested = EAP
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1046
  rlm_eap: Request found, released from the list

*** Authentication test type for verification is EAP/TTLS
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7

*** Supplicant returned actual username and password for authorization through 
*** the established TTLS encrypted tunnel.  We are finally to the point where we 
*** can securely send the actual authorization request info...

  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "gmckinney"
        User-Password = "Testing123!"
        FreeRADIUS-Proxied-To = 127.0.0.1

*** Server processing the actual request to authorize user for access to the wireless system
  TTLS: Sending tunneled request
        User-Name = "gmckinney"
        User-Password = "Testing123!"
        FreeRADIUS-Proxied-To = 127.0.0.1
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11


*** Processing by Radius Server:
modcall: entering group authorize for request 1046
  modcall[authorize]: module "preprocess" returns ok for request 1046
  modcall[authorize]: module "chap" returns noop for request 1046
  modcall[authorize]: module "mschap" returns noop for request 1046
    rlm_realm: No '@' in User-Name = "gmckinney", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1046
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1046
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1046
modcall: group authorize returns ok for request 1046


*** The test setup is using the UNIX system’s password database for authentication –
*** this can be handled by many different methods for user authentication which are allowed
*** for in using eap/ttls...

*** Processing by Radius Server – found valid username and password in the system’s password files
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 1046

  modcall[authenticate]: module "unix" returns ok for request 1046

modcall: group authenticate returns ok for request 1046
modcall: entering group post-auth for request 1046


*** Save copy of information in the reply logfile
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/reply-detail-20040218'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/reply-detail-20040218

  modcall[post-auth]: module "reply_log" returns ok for request 1046
modcall: group post-auth returns ok for request 1046

  TTLS: Got tunneled reply RADIUS code 2

  TTLS: Got tunneled Access-Accept

  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 1046
modcall: group authenticate returns ok for request 1046
modcall: entering group post-auth for request 1046

radius_xlat:  '/usr/local/var/log/radius/radacct/207.203.64.244/reply-detail-20040218'

rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/207.203.64.244/reply-detail-20040218

  modcall[post-auth]: module "reply_log" returns ok for request 1046

modcall: group post-auth returns ok for request 1046

*** Send the Access-Accept Command to the wireless AP along with the transmission 
*** and reception keys for the current supplicant / wireless router session – 
*** the keys are updated on a regular basis set by the wireless router configuration.

Sending Access-Accept of id 0 to 207.203.64.244:2050
        MS-MPPE-Recv-Key = 
0x7bee4816525b07484e5697c4545b691e82181c91fa73577ca6549b1b2b4e4476
        MS-MPPE-Send-Key = 
0xe6083ba1cb6ea7b8f400b3fd47ced01876b1a4c973c109f7c9db85b75d36cf33
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"


*** The Supplicant now has access to the wireless network with server generated keys – 
*** the keys are based on the AES Standard and are 168 bits in length.  The keys are 
*** renewed on a regular basis (5-minute intervals is the setting in the test router).

Finished request 1046
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1046 ID 0 with timestamp 40339251
Nothing to do.  Sleeping until we see a request.

------------------------ end of debug text -------------------------

NOTES:  Since EAP/TTLS is not dependent on the actual access authorization method, I chose
        to use the easy method (basic authorization).  Other forms of authorization such as
        Ldap or sql would only add layers and would not help in debugging any problems in
        the initial testing of the EAP/TTLS protocol method of connection.  The use of Ldap
        or sql authorization will work just as well as the unix password or users file
        authorization methods.

1.      Each supplicant has its own set of transmission and reception keys for the session.
        They are not shared with other supplicants on the same wireless router.

2.      The Radius Server is the only server which requires a security certificate – it can
        either be a commercial security certificate or a self-signed certificate created
        locally.

3.      The supplicant (client) device MUST use a wireless network interface device that has
        current WPA enabled hardware drivers.

4.      The radius server is configured to use the unix password system for user
        verification – this will work with any of the user verification methods supported
        by the radius server and eap/ttls…

5.      Total time to establish the wireless link: less than 2 seconds with the equipment
        used for testing.

·       WRT54G Linksys Wireless Access Router running latest software
·       Linksys wireless access PCMCIA network card with latest software WPA enabled driver.
·       Odyssey Supplicant software (came with the PCMCIA wireless network card).
·       Freeradius version 1.X pre release

6.      This file was generated with a CVS version from Feb 2004.  It may be 'dated' but the
        method is basically the same for eap/ttls operation.
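
The EAP-Message values in the trace can be decoded by hand to check them against what radiusd logged (EAP id and length, "Length Included", and the TLS record types in each packet). The following Python parser is an added example, not part of the original message or of FreeRADIUS; the three hex strings are copied from the trace, and the function and field names are hypothetical.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
EAP_TYPE_TTLS = 21  # 0x15, the fifth byte of the EAP-TTLS messages in the trace

# EAP-Message values copied from the trace above.
SERVER_FINISHED = ("0x0105003d15800000003314030100010116030100289c550e5ba15d369c"
                   "d35d8fe56b1d567d9e1fec730d2b0e278602feb2b121fe8450c273d1291d8537")
CLIENT_TUNNELED = ("0x0205004f1580000000451703010040b42e43c84ba475805d91ff00bb500b2d"
                   "1160fa6cd2654863e502299eaf6d4aae50b8b0b0f3c4f7b04c44871391fd0ea2"
                   "241b99be65e8678cbc67061dbe178398")
EAP_SUCCESS = "0x03050004"

def parse_eap_ttls(hex_value):
    """Decode one unfragmented EAP-TTLS packet from an EAP-Message hex string."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length {length} but {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length, "records": []}
    if code in (3, 4):  # Success and Failure carry no type or data
        return pkt
    if length < 6 or raw[4] != EAP_TYPE_TTLS:
        raise ValueError("not an EAP-TTLS packet")
    flags, pos = raw[5], 6
    pkt["length_included"] = bool(flags & 0x80)  # "Length Included" in the log
    pkt["more_fragments"] = bool(flags & 0x40)
    if pkt["length_included"]:
        if length < 10:
            raise ValueError("L flag set but no TLS length field")
        pkt["tls_length"] = struct.unpack("!I", raw[6:10])[0]
        pos = 10
    if pkt["more_fragments"]:  # records may straddle packets; reassemble first
        return pkt
    while pos < length:
        if pos + 5 > length:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, rlen = struct.unpack("!BBBH", raw[pos:pos + 5])
        if pos + 5 + rlen > length:
            raise ValueError("TLS record overruns the EAP packet")
        pkt["records"].append((TLS_TYPES.get(ctype, ctype), f"{major}.{minor}", rlen))
        pos += 5 + rlen
    return pkt

if __name__ == "__main__":
    for sample in (SERVER_FINISHED, CLIENT_TUNNELED, EAP_SUCCESS):
        print(parse_eap_ttls(sample))
```

Record version 3.1 is what the log prints as "TLS 1.0"; the single ApplicationData record in the client packet is the encrypted phase carrying the tunneled attributes.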
