Arnauld,

It almost looks like something in the supplicant is not configured properly to use the certificate sent from the server during the handshake phase... I have attached a copy of some of my notes (written to myself, so some of the "meaning" in the notes may not be exactly correct - but heck - they were for me anyway [grin]) that show an EAP/TTLS session negotiation...

Take a look and compare to what you are doing to see if you can determine where things are going off the deep end... I would suggest setting up testing for EAP/TTLS in a simple configuration for user authorization first - then fold in the LDAP authorization.... Hope this helps....

gm...

----- Original Message -----
From: "Arnauld Dravet" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 23, 2004 8:40 AM
Subject: Re: radius, 802.1x, eap/tls, and edirectory (ldap)

> > Have you looked at the "make" output from the compile to see if there are
> > any error or warning messages?
>
> Yep, it was my fault: I have openssl 0.9.6 and 0.9.7 installed for certificate
> generation, and of course I forgot to link freeradius-cvs against 0.9.7 =) Works
> much better now; at least radiusd is launching.
>
> But I still have a prob during TLS init (I'm trying to set up a TTLS connection):
>
> The client (Aegis - WinXP) is configured in TTLS Auth + MS-CHAP-V2 tunneled
> protocol. Seems like I got a problem with certificates, but I don't understand
> why, since I'm not supposed to have one on the client side..
>
> Here is the output, sorry if a bit long:
>
> rad_recv: Access-Request packet from host 192.168.6.3:1794, id=79, length=242
>         NAS-IP-Address = 192.168.6.3
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 5
>         Framed-MTU = 1400
>         User-Name = "arnauld.dravet"
>         Calling-Station-Id = "00904b625711"
>         Called-Station-Id = "000d54fc1807"
>         NAS-Identifier = "EPSI AP1"
>         State = 0xfdd7e79f9bbab3286563325da5e5199a
>         EAP-Message = 0x0203006a158000000060160301005b01000057030140d9772aeddf802406fe3f32167240a335e499126e92bb2f0423691ebb49fad900003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
>         Message-Authenticator = 0xfdb7fe56ea406a82a82906e64a1951a2
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 2
> modcall[authorize]: module "preprocess" returns ok for request 2
> modcall[authorize]: module "chap" returns noop for request 2
> modcall[authorize]: module "mschap" returns noop for request 2
> rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 2
> rlm_eap: EAP packet type response id 3 length 106
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 2
> modcall[authorize]: module "files" returns notfound for request 2
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value 136BE46417241D68AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 2
> modcall: group authorize returns updated for request 2
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 2
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> (other): before/accept initialization
> TLS_accept: before/accept initialization
> TLS_accept: SSLv3 read client hello A
> TLS_accept: SSLv3 write server hello A
> TLS_accept: SSLv3 write certificate A
> TLS_accept: SSLv3 write key exchange A
> TLS_accept: SSLv3 write server done A
> TLS_accept: SSLv3 flush data
> TLS_accept:error in SSLv3 read client certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 2
> modcall: group authenticate returns handled for request 2
> Sending Access-Challenge of id 79 to 192.168.6.3:1794
>         EAP-Message = 0x0104040a15c000000761160301004a02000046030140d97726d7480866aec454ff67f74505234d669e72f26ff753fef0269dcb813e20bcf69fe6863b9922dec0ccf8b178896627f9e78227c3b38356951ec41fafef6000160016030105f20b0005ee0005eb00028e3082028a308201f3a003020102020102300d06092a864886f70d0101040500307f310b30090603550406130246523110300e0603550408130748657261756c74311430120603550407130b4d6f6e7470656c6c6965723111300f060355040a130845505349204d5450311330110603550403130a776973686d61737465723120301e06092a864886f70d010901161161646d696e40
>         EAP-Message = 0x6d74702e657073692e6672301e170d3034303632323136303934335a170d3035303632323136303934335a307e310b30090603550406130246523110300e0603550408130748657261756c74311430120603550407130b4d6f6e7470656c6c6965723111300f060355040a130845505349204d54503110300e06035504031307736d75726669653122302006092a864886f70d0109011613736d7572666965406d74702e657073692e667230819f300d06092a864886f70d010101050003818d0030818902818100c4a3f1a3dc9e47a45bca931537ff4f77a2e77beaf261e14214d3c30b539ccc4bb22b6988594f81043c6f0f8a61b9f2bac47185fa05
>         EAP-Message = 0xa33aa4f2e0dc38b1adfa45e789b3c21061525a4c8a9794c770687017f983b7b57706bdc7cdba2efc575fbae4b1d70e5b8efb6a9ceb1ad550fe96674bcfff7b07c1eed34512fffd2697d099020301000101a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000381810074361731afc4ce970f4eee17c775dee7dabb38a17f62ec5341b2c39cc3f39f95b5a007757fbffc0f5ca5f160c2134eda35d4e4934486d4eda5227fce42f7454a2aaa7418f17856d730a0ae0c55b4fdd83c72d834f12d971b87aa1d6fd47bc6b1ba1d652079850fa2d9c4eb211fa0b00b22eb2915aa09e2a593b0ce9ea5a6094100
>         EAP-Message = 0x035730820353308202bca003020102020100300d06092a864886f70d0101040500307f310b30090603550406130246523110300e0603550408130748657261756c74311430120603550407130b4d6f6e7470656c6c6965723111300f060355040a130845505349204d5450311330110603550403130a776973686d61737465723120301e06092a864886f70d010901161161646d696e406d74702e657073692e6672301e170d3034303632323136303635395a170d3036303632323136303635395a307f310b30090603550406130246523110300e0603550408130748657261756c74311430120603550407130b4d6f6e7470656c6c6965723111300f
>         EAP-Message = 0x060355040a130845505349204d545031133011060355
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xe02853fdd6c7f24f5247285b43b09481
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.6.3:1795, id=80, length=142
>         NAS-IP-Address = 192.168.6.3
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 5
>         Framed-MTU = 1400
>         User-Name = "arnauld.dravet"
>         Calling-Station-Id = "00904b625711"
>         Called-Station-Id = "000d54fc1807"
>         NAS-Identifier = "EPSI AP1"
>         State = 0xe02853fdd6c7f24f5247285b43b09481
>         EAP-Message = 0x020400061500
>         Message-Authenticator = 0x24a008ef0366b721e181dd062314f0ce
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 3
> modcall[authorize]: module "preprocess" returns ok for request 3
> modcall[authorize]: module "chap" returns noop for request 3
> modcall[authorize]: module "mschap" returns noop for request 3
> rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 3
> rlm_eap: EAP packet type response id 4 length 6
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 3
> modcall[authorize]: module "files" returns notfound for request 3
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value 136BE46417241D68AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 3
> modcall: group authorize returns updated for request 3
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 3
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
> rlm_eap_tls: No SSL info available. Waiting for more SSL data.
> eaptls_verify returned 1
> eaptls_process returned 13
> modcall[authenticate]: module "eap" returns handled for request 3
> modcall: group authenticate returns handled for request 3
> Sending Access-Challenge of id 80 to 192.168.6.3:1795
>         EAP-Message = 0x0105036b1580000007610403130a776973686d61737465723120301e06092a864886f70d010901161161646d696e406d74702e657073692e667230819f300d06092a864886f70d010101050003818d0030818902818100a669eecaaa772141bbfbf79c08c7b5ce4a037c209db5aa556ad8a68b8359caf81a45e5c0339e293829e5a5fa7b2d1fd64454355be829d26d16000893bb65c9d5c390947c4870908e081cdab5e63cacdcc372705185ed3ff9de55c59cdca20bc6a8f0274cea77b3b0ebfe0a3b3620efd82b970e1b1d2991fbca901a83bfb911210203010001a381de3081db301d0603551d0e041604141a885f46e45cc423780c47a4cdb67677
>         EAP-Message = 0xd0879f883081ab0603551d230481a33081a080141a885f46e45cc423780c47a4cdb67677d0879f88a18184a48181307f310b30090603550406130246523110300e0603550408130748657261756c74311430120603550407130b4d6f6e7470656c6c6965723111300f060355040a130845505349204d5450311330110603550403130a776973686d61737465723120301e06092a864886f70d010901161161646d696e406d74702e657073692e6672820100300c0603551d13040530030101ff300d06092a864886f70d010104050003818100a314c893a467130abe28e4dcf23ac11faad0a2573d062c89c4026849ed123b4ec51ad69af8e631543c24
>         EAP-Message = 0x303d252ee4bcdc1b86503a228344543139cf66c83c6af9eb70d533cd0862fece62228a82bfbbc63adae2613331f5f87ee1bb33157891c3c7c7a7bd0f6e7520e36612a91e03c9af99d647f3cd8c2bec45f22b262218e3160301010d0c0001090040d2712a69f110be8995c41d6318f42b7431ea531ba482cfdbfef206f81615a23958ca49c577017588af07868507e1d61ba6bfece2c0ef6b009618c30cd1028d630001050040ce7b6d3f1be04296ca2b649d087f8c7b8631fde574e33a248847939db133fe6c146fc27ec649c76515e27fda61c9e74e74b6c8ad5c0032b406932d2f20c27ead00809287420b499379afcb7d5fa1ce22e5d44507002017
>         EAP-Message = 0xc76dc1173e5603eb6959bbf7888003db19ee09c5fdbe93d33f762f6e74f72f4c07bf8534e9187784d10c7dd245ca3116668698d46d3b16a7cdb6aff091822916a21a0c368e313877b98c097e5f043ccd53b572aa440af4faa07713192d0132149c362e03b694b0f08575f116030100040e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0xc23be259cc210d064ca36d99bdfd0341
> Finished request 3
> Going to the next request
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.6.3:1796, id=81, length=153
>         NAS-IP-Address = 192.168.6.3
>         NAS-Port-Type = Wireless-802.11
>         NAS-Port = 5
>         Framed-MTU = 1400
>         User-Name = "arnauld.dravet"
>         Calling-Station-Id = "00904b625711"
>         Called-Station-Id = "000d54fc1807"
>         NAS-Identifier = "EPSI AP1"
>         State = 0xc23be259cc210d064ca36d99bdfd0341
>         EAP-Message = 0x0205001115800000000715030100020230
>         Message-Authenticator = 0x0ac4f69914c15bc5e851c225bdde5884
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 4
> modcall[authorize]: module "preprocess" returns ok for request 4
> modcall[authorize]: module "chap" returns noop for request 4
> modcall[authorize]: module "mschap" returns noop for request 4
> rlm_realm: No '@' in User-Name = "arnauld.dravet", looking up realm NULL
> rlm_realm: No such realm "NULL"
> modcall[authorize]: module "suffix" returns noop for request 4
> rlm_eap: EAP packet type response id 5 length 17
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 4
> modcall[authorize]: module "files" returns notfound for request 4
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for arnauld.dravet
> radius_xlat: '(&(objectclass=posixAccount)(uid=arnauld.dravet))'
> radius_xlat: 'ou=Users,dc=mtp,dc=epsi,dc=fr'
> rlm_ldap: ldap_get_conn: Checking Id: 0
> rlm_ldap: ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Users,dc=mtp,dc=epsi,dc=fr, with filter (&(objectclass=posixAccount)(uid=arnauld.dravet))
> rlm_ldap: Added password {CRYPT}$16x5hPKP/.1c in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding acctFlags as SMB-Account-CTRL-TEXT, value [UX & op=21
> rlm_ldap: Adding ntPassword as NT-Password, value EFAC11B52777F8D7A34BDC1A0F89228D & op=21
> rlm_ldap: Adding lmPassword as LM-Password, value 136BE46417241D68AAD3B435B51404EE & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user arnauld.dravet authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok for request 4
> modcall: group authorize returns updated for request 4
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 4
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/ttls
> rlm_eap: processing type ttls
> rlm_eap_ttls: Authenticate
> rlm_eap_tls: processing TLS
> rlm_eap_tls: Length Included
> eaptls_verify returned 11
> TLS Alert read:fatal:unknown CA
> TLS_accept:failed in SSLv3 read client certificate A
> 9539:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1046:SSL alert number 48
> 9539:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> In SSL Handshake Phase
> In SSL Accept mode
> rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
> eaptls_process returned 13
> rlm_eap: Freeing handler
> modcall[authenticate]: module "eap" returns reject for request 4
> modcall: group authenticate returns reject for request 4
> auth: Failed to validate the user.
> Delaying request 4 for 1 seconds
> Finished request 4
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 0 ID 77 with timestamp 40d97726
> Cleaning up request 1 ID 78 with timestamp 40d97726
> Cleaning up request 2 ID 79 with timestamp 40d97726
> Cleaning up request 3 ID 80 with timestamp 40d97726
> Sending Access-Reject of id 81 to 192.168.6.3:1796
>         EAP-Message = 0x04050004
>         Message-Authenticator = 0x00000000000000000000000000000000
> Cleaning up request 4 ID 81 with timestamp 40d97726
> Nothing to do. Sleeping until we see a request.
>
>
> --
> Arnauld Dravet
>
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Radiusd debug output for successful connection using EAP/TTLS

---------------- Start of Debug output, items with *** are my notes to myself --------------

NOTE: My interpretation of what is actually occurring may not be 100% correct but, heck, these are notes to myself [grin]... nothing has been added or deleted to actual output.

One thing to notice is the information sent to the radius server by the supplicant client does not actually send valid authorization request data until the TTLS link has been established and verified! Nice touch!!!

*** Request from supplicant (client) for access to wireless system:
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=131
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000e01616e6f6e796d6f7573
        Message-Authenticator = 0x5c57ac02480292d782956ebbf3ee5280
*** Processing by Radius Server to determine authentication method:
modcall: entering group authorize for request 1041
*** Perform preprocessing on request packet received from Wireless AP
modcall[authorize]: module "preprocess" returns ok for request 1041
*** Perform CHAP test for authentication – returns no operation requested
modcall[authorize]: module "chap" returns noop for request 1041
*** Perform MSCHAP test for authentication – returns no operation requested
modcall[authorize]: module "mschap" returns noop for request 1041
*** Test to see if this request should proxy to a different Radius Server
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
*** Nope – this Radius Server is the location to validate the packet request…
rlm_realm: No such realm "NULL"
*** Perform suffix processing if required on request packet – no operation required
modcall[authorize]: module "suffix" returns noop for request 1041
*** Test for EAP packet processing request in packet
rlm_eap: EAP packet type response id 0 length 14
*** Valid EAP packet – assume continuation packet (or start packet)…
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1041
*** Check “users” file to see if username matches (we fall through to the DEFAULT normally)
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1041
modcall: group authorize returns updated for request 1041
*** Check for authentication type of packet
rad_check_password: Found Auth-Type EAP
*** Authentication type requested = EAP
auth: type "EAP"
modcall: entering group authenticate for request 1041
*** EAP packet type = EAP Identity
rlm_eap: EAP Identity
*** EAP default packet password test type = MD5
rlm_eap: processing type md5
*** Try using default authentication type first!
rlm_eap_md5: Issuing Challenge
modcall[authenticate]: module "eap" returns handled for request 1041
modcall: group authenticate returns handled for request 1041
*** Send EAP MD5 hash password value to supplicant (client) for test verification
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = 0x010100160410f16d02e0e86179eacb0b6dffb4dcbc2b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2734207d57878e6a797342bc40c2b3f4
Finished request 1041
*** Wait for supplicant (client) response to EAP MD-5 hash validation results…
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
*** Initial response from supplicant (client) for access to wireless system:
*** (Setup temp session keys for transmission of server decryption certificate
*** and supplicant encryption certificate information)
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=141
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0x2734207d57878e6a797342bc40c2b3f4
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100060315
        Message-Authenticator = 0x5e69caf705d7edbc645fde43392e59f2
*** Processing by Radius Server:
modcall: entering group authorize for request 1042
modcall[authorize]: module "preprocess" returns ok for request 1042
modcall[authorize]: module "chap" returns noop for request 1042
modcall[authorize]: module "mschap" returns noop for request 1042
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1042
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1042
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1042
modcall: group authorize returns updated for request 1042
*** Check for authentication type of packet
rad_check_password: Found Auth-Type EAP
*** Authentication type requested = EAP
auth: type "EAP"
modcall: entering group authenticate for request 1042
rlm_eap: Request found, released from the list
*** Initial test for MD-5 hash password verification rejected –
*** not the correct requested authentication test type
rlm_eap: EAP NAK
*** Actual authentication test type for verification is EAP/TTLS
rlm_eap: EAP-NAK asked for EAP-Type/ttls
*** We are using Transport Layer Protocol (encrypted) for authentication configuration
*** Subset of TLS processing
rlm_eap: processing type tls
*** Setup for TLS activation to process the authentication request
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1042
modcall: group authenticate returns handled for request 1042
*** Send TLS activation response to the supplicant (client) on the
*** wireless device requesting authentication
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa98b18a8f23d34a6a2ff244fc9e62388
*** Wait for supplicant to reply to the TLS initialization to continue activation steps
Finished request 1042
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...

*** Response from supplicant (client) for TLS configured access to wireless system:
*** (Send server certificate to supplicant for decoding of the server generated
*** supplicant encryption certificate)
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=233
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0xa98b18a8f23d34a6a2ff244fc9e62388
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0202006215800000005816030100530100004f03014033b88a628fc5032600279b97cb4330dc339fce54dee11c4b119d580fe5bbcd00002800160013006600150012000a000500040009006300650060006200610064001400110003000600080100
        Message-Authenticator = 0x9ae0637cd6b8081668a4992be06f25d1
*** Processing by Radius Server:
modcall: entering group authorize for request 1043
modcall[authorize]: module "preprocess" returns ok for request 1043
modcall[authorize]: module "chap" returns noop for request 1043
modcall[authorize]: module "mschap" returns noop for request 1043
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1043
rlm_eap: EAP packet type response id 2 length 98
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1043
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1043
modcall: group authorize returns updated for request 1043
*** Authentication type requested = EAP
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1043
rlm_eap: Request found, released from the list
*** Authentication test type for verification is EAP/TTLS
rlm_eap: EAP/ttls
*** We are using Tunneling Transport Layer Protocol (encrypted tunnel)
*** for authentication and data transport
rlm_eap: processing type ttls
*** TTLS Action requested is Authenticate
rlm_eap_ttls: Authenticate
*** We are using Transport Layer Protocol (encrypted) for authentication configuration
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
*** Perform the TLS handshake to send the encryption certificate to the supplicant
*** (client) for session key generation
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 06b4], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
*** TLS handshake and server certificate completed with supplicant (client)
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
*** We do not use a client certificate in TTLS mode – the server certificate is used
*** to generate a certificate for the supplicant's use in the temp key generation
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1043
modcall: group authenticate returns handled for request 1043
*** The TTLS certificate information sent to the supplicant (client) –
*** debug info for verification check (each transmission block limited to
*** 1024 bytes so as not to over-run supplicant buffers per the RFC)
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = 0x0109011612636c69656e74406578616d706c652e636f
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x28aeb900fd176aa22feb06c932cb9dc7
*** Wait for supplicant to reply to the TTLS initialization to continue activation steps
Finished request 1043
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
*** Response from supplicant (client) for TTLS configured access to wireless system:
*** (Send server generated supplicant encryption certificate to the supplicant)
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=141
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0x28aeb900fd176aa22feb06c932cb9dc7
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061500
        Message-Authenticator = 0xcecd46ded2cdc649c6f92fc0b608146a
*** Processing by Radius Server:
modcall: entering group authorize for request 1044
modcall[authorize]: module "preprocess" returns ok for request 1044
modcall[authorize]: module "chap" returns noop for request 1044
modcall[authorize]: module "mschap" returns noop for request 1044
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1044
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1044
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1044
modcall: group authorize returns updated for request 1044
*** Authentication type requested = EAP
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1044
*** Radius table clean-up – we found the current response from the supplicant for this action
rlm_eap: Request found, released from the list
*** Authentication test type for verification is EAP/TTLS
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
*** Received the Acknowledgement from the supplicant of the security certificate and
*** verified the MD-5 Checksum
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1044
modcall: group authenticate returns handled for request 1044
*** The TTLS certificate information sent to the supplicant (client) –
*** debug info for verification check (each transmission block limited to
*** 1024 bytes so as not to over-run supplicant buffers per the RFC)
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = [hex omitted]
        EAP-Message = 0x877cf82379e15d7bb603d99b550c113221ccab6ab1f7ff2d4a77fe38a294b860620a8982607d6fa108d8907e8cecdafbeb99a7e9c7752443c3653b1e9024c6ec8563a5ee852614eef380bb2bfbd1ef3412df1146e6fdf905fabb49da3a011f168f56a66d8563f56d0fd0a115f6e5c856c52db70203010001a382010630820102301d0603551d0e0416041462d7ec215e55f381348203d495045831352ea8663081d20603551d230481ca3081c7801462d7ec215e55f381348203d495045831352ea866a181aba481a83081a5310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d652043
        EAP-Message = [hex omitted]
        EAP-Message = 0x7ea14f54045cf7f00ce627202b15e1a31d69183728f4d894d1172816030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf3eced8eb6725121d601973e926d7281
Finished request 1044
*** Wait for supplicant to reply to the TTLS initialization to continue activation steps
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
*** Response from supplicant (client) for TTLS configured access to wireless system (phase II):
*** (Instruct supplicant to install and activate server generated supplicant encryption certificate)
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=335
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0xf3eced8eb6725121d601973e926d7281
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020400c81580000000be16030100861000008200801e437eeebe80e5162906b8d131432df678f8c2f5106bd198a5c9e66977d7e6ffae471b8b10411d7bf9ca3002f114fa13cf31181c043a44008597bc701dfd0903de50386ad14630d1b99f075ca615f779d19ec6328cd3f90c20ebcaa0afae412a474d6611df7c525481c8a25f2d1a139733839e0fc597209574ecb239e21e50f01403010001011603010028754d48c23f6ac35c25f1335b015d508f59e218be81a1053375e47dcfa68323af3073d79e19c06f61
        Message-Authenticator = 0x493ef77d0857f745feeaf9734e408e32
*** Processing by Radius Server:
modcall: entering group authorize for request 1045
modcall[authorize]: module "preprocess" returns ok for request 1045
modcall[authorize]: module "chap" returns noop for request 1045
modcall[authorize]: module "mschap" returns noop for request 1045
rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1045
rlm_eap: EAP packet type response id 4 length 200
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1045
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1045
modcall: group authorize returns updated for request 1045
*** Authentication type requested = EAP
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1045
*** Radius table clean-up – we found the current response from the supplicant for this action
rlm_eap: Request found, released from the list
*** Authentication test type for verification is EAP/TTLS
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
*** Steps performed by supplicant to enable server generated supplicant key certificate sent previously
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1045
modcall: group authenticate returns handled for request 1045
Sending Access-Challenge of id 0 to 207.203.64.244:2050
        EAP-Message = 0x0105003d15800000003314030100010116030100289c550e5ba15d369cd35d8fe56b1d567d9e1fec730d2b0e278602feb2b121fe8450c273d1291d8537
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc9820bf0ef198c7091036e436531dfaf
*** Wait for supplicant to reply to the TLS certificate activation to continue activation steps
Finished request 1045
Going to the next request
rl_next: returning NULL
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1045 ID 0 with timestamp 4033924a
Nothing to do. Sleeping until we see a request.
*** Response from supplicant (client) for TTLS configured access to wireless system (phase III):
*** (Perform actual activation – verify the username and password and if valid set up session keys for supplicant and server)
rad_recv: Access-Request packet from host 207.203.64.244:2050, id=0, length=214
        User-Name = "anonymous"
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        State = 0xc9820bf0ef198c7091036e436531dfaf
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0205004f1580000000451703010040b42e43c84ba475805d91ff00bb500b2d1160fa6cd2654863e502299eaf6d4aae50b8b0b0f3c4f7b04c44871391fd0ea2241b99be65e8678cbc67061dbe178398
        Message-Authenticator = 0x97a2964972524b98441af1b060627fb9
*** Processing by Radius Server:
modcall: entering group authorize for request 1046
  modcall[authorize]: module "preprocess" returns ok for request 1046
  modcall[authorize]: module "chap" returns noop for request 1046
  modcall[authorize]: module "mschap" returns noop for request 1046
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1046
  rlm_eap: EAP packet type response id 5 length 79
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1046
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1046
modcall: group authorize returns updated for request 1046
*** Authentication type requested = EAP
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1046
  rlm_eap: Request found, released from the list
*** Authentication test type for verification is EAP/TTLS
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
*** Supplicant returned actual username and password for authorization through
*** the established TTLS encrypted tunnel. We are finally to the point where we
*** can securely send the actual authorization request info...
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "gmckinney"
        User-Password = "Testing123!"
        FreeRADIUS-Proxied-To = 127.0.0.1
*** Server processing the actual request to authorize user for access to the wireless system
  TTLS: Sending tunneled request
        User-Name = "gmckinney"
        User-Password = "Testing123!"
        FreeRADIUS-Proxied-To = 127.0.0.1
        NAS-IP-Address = 207.203.64.244
        Called-Station-Id = "00e0b86bfc30"
        Calling-Station-Id = "000c41c9bcf8"
        NAS-Identifier = "00e0b86bfc30"
        NAS-Port = 141
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
*** Processing by Radius Server:
modcall: entering group authorize for request 1046
  modcall[authorize]: module "preprocess" returns ok for request 1046
  modcall[authorize]: module "chap" returns noop for request 1046
  modcall[authorize]: module "mschap" returns noop for request 1046
    rlm_realm: No '@' in User-Name = "gmckinney", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1046
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 1046
    users: Matched DEFAULT at 154
  modcall[authorize]: module "files" returns ok for request 1046
modcall: group authorize returns ok for request 1046
*** The test setup is using the UNIX system's password database for authentication –
*** this can be handled by many different methods for user authentication which are allowed
*** for in using eap/ttls...
*** Processing by Radius Server – found valid username and password in the system's password files
  rad_check_password:  Found Auth-Type System
auth: type "System"
modcall: entering group authenticate for request 1046
  modcall[authenticate]: module "unix" returns ok for request 1046
modcall: group authenticate returns ok for request 1046
modcall: entering group post-auth for request 1046
*** Save copy of information in the reply logfile
radius_xlat:  '/usr/local/var/log/radius/radacct/127.0.0.1/reply-detail-20040218'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/reply-detail-20040218
  modcall[post-auth]: module "reply_log" returns ok for request 1046
modcall: group post-auth returns ok for request 1046
  TTLS: Got tunneled reply RADIUS code 2
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 1046
modcall: group authenticate returns ok for request 1046
modcall: entering group post-auth for request 1046
radius_xlat:  '/usr/local/var/log/radius/radacct/207.203.64.244/reply-detail-20040218'
  rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/207.203.64.244/reply-detail-20040218
  modcall[post-auth]: module "reply_log" returns ok for request 1046
modcall: group post-auth returns ok for request 1046
*** Send the Access-Accept Command to the wireless AP along with the transmission
*** and reception keys for the current supplicant / wireless router session –
*** the keys are updated on a regular basis set by the wireless router configuration.
Sending Access-Accept of id 0 to 207.203.64.244:2050
        MS-MPPE-Recv-Key = 0x7bee4816525b07484e5697c4545b691e82181c91fa73577ca6549b1b2b4e4476
        MS-MPPE-Send-Key = 0xe6083ba1cb6ea7b8f400b3fd47ced01876b1a4c973c109f7c9db85b75d36cf33
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonymous"
*** The Supplicant now has access to the wireless network with server generated keys –
*** the keys are based on the AES Standard and are 168 bits in length. The keys are
*** renewed on a regular basis (5-minute intervals is the setting in the test router).
Finished request 1046
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1046 ID 0 with timestamp 40339251
Nothing to do.  Sleeping until we see a request.

------------------------ end of debug text -------------------------

NOTES:

Since EAP/TTLS is not dependent on the actual access authorization method I chose to use the easy method (basic authorization). Other forms of authorization such as Ldap or sql would only add layers and would not help in debugging any problems in the initial testing of the EAP/TTLS protocol method of connection. The use of Ldap or sql authorization will work just as well as the unix password or users file authorization methods.

1. Each supplicant has its own set of transmission and reception keys for the session. They are not shared with other supplicants on the same wireless router.

2. The Radius Server is the only server which requires a security certificate – it can either be a commercial security certificate or a self-signed certificate created locally.

3. The supplicant (client) device MUST use a wireless network interface device that has current WPA enabled hardware drivers.

4. The radius server is configured to use the unix password system for user verification – this will work with any of the user verification methods supported by the radius server and eap/ttls...

5. Total time to establish the wireless link: less than 2 seconds with the equipment used for testing.
   · WRT54G Linksys Wireless Access Router running latest software
   · Linksys wireless access PCMCIA network card with latest software WPA enabled driver.
   · Odyssey Supplicant software (came with the PCMCIA wireless network card).
   · Freeradius version 1.X pre release

6. This file was generated with a CVS version from Feb 2004. It may be 'dated' but the method is basically the same for eap/ttls operation.
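The EAP-Message hex strings in a transcript like the one above can be decoded by hand to check what radiusd reports about each leg of the TTLS handshake. The script below is an added example, not part of the original post and not FreeRADIUS code: it parses the EAP header, the EAP-TTLS flags byte and total-length field, and then walks the TLS records inside, producing lines in the same shape as the "rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange" messages in the log. The four sample values are copied from the Access-Request, Access-Challenge and Access-Accept packets of requests 1045 and 1046 above; the function and field names are this example's own. One thing the decoder makes visible is that everything after the ChangeCipherSpec, including the phase III application-data record that carries User-Name and User-Password, is opaque on the wire; the cleartext "User-Password = "Testing123!"" in the transcript exists only because radiusd -X prints the inner request after decryption, so debug output of a working TTLS setup must be treated as containing credentials.

```python
"""Decode the EAP-Message attribute values that radiusd -X prints.

Added example; not part of the original post or of FreeRADIUS.  The four sample
values are copied from the transcript above (requests 1045 and 1046).  The EAP
header is RFC 3748 section 4; the EAP-TTLS flags byte (L/M/S bits, version in
the low 3 bits) follows RFC 5281 section 9.1.  Everything else here is this
example's own naming.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TTLS = 21
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
             20: "Finished"}

# Phase II, supplicant -> server (request 1045): ClientKeyExchange, ChangeCipherSpec, Finished.
CLIENT_KEY_EXCHANGE = ("0x020400c81580000000be16030100861000008200801e437eeebe80e5162906b8d131432d"
                       "f678f8c2f5106bd198a5c9e66977d7e6ffae471b8b10411d7bf9ca3002f114fa13cf3118"
                       "1c043a44008597bc701dfd0903de50386ad14630d1b99f075ca615f779d19ec6328cd3f9"
                       "0c20ebcaa0afae412a474d6611df7c525481c8a25f2d1a139733839e0fc597209574ecb2"
                       "39e21e50f01403010001011603010028754d48c23f6ac35c25f1335b015d508f59e218be"
                       "81a1053375e47dcfa68323af3073d79e19c06f61")
# Server -> supplicant (Access-Challenge for 1045): ChangeCipherSpec + encrypted Finished.
SERVER_FINISHED = ("0x0105003d15800000003314030100010116030100289c550e5ba15d369cd35d8fe56b1d567d"
                   "9e1fec730d2b0e278602feb2b121fe8450c273d1291d8537")
# Phase III (request 1046): the tunnelled User-Name/User-Password as one application-data record.
INNER_PAP = ("0x0205004f1580000000451703010040b42e43c84ba475805d91ff00bb500b2d1160fa6cd2654863"
             "e502299eaf6d4aae50b8b0b0f3c4f7b04c44871391fd0ea2241b99be65e8678cbc67061dbe178398")
# EAP-Success carried in the final Access-Accept.
EAP_SUCCESS = "0x03050004"


def parse_eap(hexstr):
    """Parse one complete EAP packet (all EAP-Message attributes of a RADIUS packet,
    concatenated).  For EAP-TTLS also returns the flags, the optional total TLS
    length (present when the L bit is set) and the raw TLS bytes."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2):            # Success / Failure carry no Type byte
        return pkt
    pkt["type"] = data[4]
    if pkt["type"] != EAP_TYPE_TTLS:
        pkt["payload"] = data[5:]
        return pkt
    flags = data[5]
    pkt["flags"] = {"L": bool(flags & 0x80),   # total length field follows
                    "M": bool(flags & 0x40),   # more fragments in later packets
                    "S": bool(flags & 0x20),   # start of TTLS conversation
                    "version": flags & 0x07}
    off = 6
    if pkt["flags"]["L"]:
        pkt["tls_length"] = struct.unpack("!I", data[6:10])[0]
        off = 10
    pkt["tls_data"] = data[off:]
    return pkt


def parse_tls_records(buf):
    """Walk the TLS records in buf.  Handshake bodies are only inspected before a
    ChangeCipherSpec; after it (and for application data) the body is ciphertext."""
    records, off, encrypted = [], 0, False
    while off < len(buf):
        if off + 5 > len(buf):
            raise ValueError("truncated TLS record header (fragment continues in next packet?)")
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", buf[off:off + 5])
        body = buf[off + 5:off + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("truncated TLS record body (fragment continues in next packet?)")
        rec = {"content": TLS_CONTENT.get(ctype, ctype), "version": (vmaj, vmin),
               "length": rlen, "encrypted": encrypted or ctype == 23}
        if ctype == 22 and not encrypted and len(body) >= 4:
            rec["handshake"] = HANDSHAKE.get(body[0], body[0])
            rec["handshake_length"] = int.from_bytes(body[1:4], "big")
        elif ctype == 20:
            encrypted = True
        records.append(rec)
        off += 5 + rlen
    return records


def describe(hexstr):
    """Render a packet the way rlm_eap_tls logs it, one line per TLS record."""
    pkt = parse_eap(hexstr)
    lines = [f"EAP {pkt['code']} id {pkt['id']} length {pkt['length']}"]
    for rec in parse_tls_records(pkt.get("tls_data", b"")):
        ver = "TLS 1.0" if rec["version"] == (3, 1) else f"version {rec['version']}"
        line = f"{ver} {rec['content']} [length {rec['length']:04x}]"
        if "handshake" in rec:
            line += f", {rec['handshake']}"
        elif rec["encrypted"]:
            line += " (encrypted)"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for name, pkt in [("supplicant phase II", CLIENT_KEY_EXCHANGE), ("server", SERVER_FINISHED),
                      ("supplicant phase III", INNER_PAP), ("accept", EAP_SUCCESS)]:
        print(f"--- {name}")
        for line in describe(pkt):
            print("  " + line)
```

When an Access-Challenge carries several EAP-Message attributes (the certificate chain in request 1044 does), join their hex values before calling parse_eap; if the M flag is set the TLS data continues in the next Access-Challenge and parse_tls_records raises on the partial record, which is the expected signal to collect the next fragment first. Note also that the log reports the Finished message as [length 0010], the 16 plaintext bytes after decryption, while the record on the wire is 0x28 bytes (MAC and padding included), which is what the decoder sees.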