Hi everyone,

I have trouble building an auth chain for a wireless network using PEAP. In general, it seems that Part 1 (creating the tunnel) of the conversation is successful, but that I get stuck at the beginning of Part 2 (exchanging further EAP through the tunnel).

- No client certificate should be required (thus PEAP)
- Current supplicant is the one that comes with Windows XP SP2 (of course, it's set to do PEAP, without client cert)
- Wireless AP is a Cisco AP 1210 with firmware 12.2.15 XR1

The users file is a 1-liner:

    testuser Auth-Type := EAP, User-Password == "blabla"

I know Auth-Type := EAP is not recommended, but for testing purposes this should be ok?

eap.conf looks like:

    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        tls {
            private_key_password = *****
            private_key_file = ${raddbdir}/certs/key-radius-testserver.pem
            certificate_file = ${raddbdir}/certs/cert-radius-testserver.pem
            CA_file = ${raddbdir}/certs/unimr-ssl-ca.pem
            dh_file = ${raddbdir}/certs/dh
            random_file = /dev/urandom
        }

        peap {
            # The tunneled EAP session needs a default
            # EAP type which is separate from the one for
            # the non-tunneled EAP module. Inside of the
            # PEAP tunnel, we recommend using MS-CHAPv2,
            # as that is the default type supported by
            # Windows clients.
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = no
            proxy_tunneled_request_as_eap = yes
        }

        mschapv2 {
        }
    }

Now the (hopefully) relevant parts from freeradius -X:

[...]
Module: Loaded eap
 eap: default_eap_type = "peap"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/freeradius/certs/key-radius-testserver.pem"
 tls: certificate_file = "/etc/freeradius/certs/cert-radius-testserver.pem"
 tls: CA_file = "/etc/freeradius/certs/unimr-ssl-ca.pem"
 tls: private_key_password = "omihnl"
 tls: dh_file = "/etc/freeradius/certs/dh"
 tls: random_file = "/dev/urandom"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = yes
 peap: use_tunneled_reply = yes
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
[...]
Ready to process requests.
[several EAP roundtrips to establish TLS tunnel, including cert exchange]

rad_recv: Access-Request packet from host 192.168.3.246:21645, id=33, length=331
        User-Name = "testuser"
        Framed-MTU = 1400
        Called-Station-Id = "000d.295f.8f7d"
        Calling-Station-Id = "000d.2911.9aea"
        Service-Type = Login-User
        Message-Authenticator = 0xb16f4e42c1a73a707e80bac33259fdbe
        EAP-Message = 0x020600c01980000000b61603010086100000820080126d2f1d87e507a1c90fb4a1b6f7a4566b6c2e0a41fe5658c88db97c2206e9fd6c9e02677fda6b7cf36a7f10e3cc916568206014da6bc36ee40bb0dedeb766a258fd43534304879deda3b9e3079e93b297b363f11b9e0f633654b6438607c149f4377f6cf268dc8ebab8cbb47d20b67d9fbf4274c31b2d56ee18ab5c96c86790140301000101160301002089707ff0e94f554b6169353940e4f67ba2e9928eecdfcb3f2f9b37a621b01387
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        State = 0x5783c0c3fa13b02b175cf3614fb74d7d
        NAS-IP-Address = 192.168.3.246
        NAS-Identifier = "warz001"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 5
  rlm_eap: EAP packet type response id 6 length 192
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched testuser at 1
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 33 to 192.168.3.246:21645
        EAP-Message = 0x0107003119001403010001011603010020fc68cdae657b71421e8bcdef9a6d3507fc4feea540e897e360e085108d5f9989
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x23280f4fc46231f36cdaf71794f3cb09
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...

rad_recv: Access-Request packet from host 192.168.3.246:21645, id=34, length=172
        User-Name = "testuser"
        Framed-MTU = 1400
        Called-Station-Id = "000d.295f.8f7d"
        Calling-Station-Id = "000d.2911.9aea"
        Service-Type = Login-User
        Message-Authenticator = 0xd324542513d19f3d9e78e1efca904c77
        EAP-Message = 0x02070021198000000017150301001241cdef1148ae6a67de93dff47a67850d1b79
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 40
        State = 0x23280f4fc46231f36cdaf71794f3cb09
        NAS-IP-Address = 192.168.3.246
        NAS-Identifier = "warz001"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 7 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched testuser at 1
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
    TLS Alert read:fatal:access denied
  rlm_eap_peap: No data inside of the tunnel.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.

So what's missing?

Thanks for any hints
Martin

--
Dr. Martin Pauly                 Fax:    49-6421-28-26994
HRZ Univ. Marburg                Phone:  49-6421-28-23527
Hans-Meerwein-Str.               E-Mail: [EMAIL PROTECTED]
D-35032 Marburg

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
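The raw EAP-Message octets in the debug output above carry the whole story of the failure: a ClientKeyExchange/ChangeCipherSpec/Finished from the supplicant, a ChangeCipherSpec/Finished back from the server, and then a single TLS alert record from the supplicant instead of tunneled EAP. The decoder below is an added example, not code from the original post or from FreeRADIUS; it walks each attribute as EAP (RFC 3748) -> EAP-TLS/PEAP framing (RFC 5216 flag octet, shared by PEAP) -> TLS 1.0 records (RFC 2246). The three hex strings are copied from the post; the constructed plaintext alert at the end, and all helper and constant names, are mine.

```python
"""Decode RADIUS EAP-Message values from freeradius -X output (added example)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSION = {"3.0": "SSLv3", "3.1": "1.0", "3.2": "1.1", "3.3": "1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              48: "unknown_ca", 49: "access_denied", 51: "decrypt_error"}


def parse_tls_records(buf, encrypted=False):
    """Split a TLS record stream into records. Once a ChangeCipherSpec has gone by,
    record bodies are ciphertext, so only the 5-byte header is interpreted after it.
    `encrypted` says whether the sender had already switched ciphers before this packet."""
    records = []
    while buf:
        if len(buf) < 5:
            raise ValueError("truncated TLS record header")
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", buf[:5])
        body, buf = buf[5:5 + rlen], buf[5 + rlen:]
        if len(body) != rlen:
            raise ValueError("truncated TLS record body")
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "length": rlen, "encrypted": encrypted,
               "version": TLS_VERSION.get(f"{vmaj}.{vmin}", f"{vmaj}.{vmin}")}
        if not encrypted and ctype == 22:
            rec["handshake"] = HANDSHAKE.get(body[0], body[0])
        elif not encrypted and ctype == 21 and rlen == 2:
            rec["alert"] = ("fatal" if body[0] == 2 else "warning", ALERT_DESC.get(body[1], body[1]))
        if ctype == 20:
            encrypted = True          # everything after CCS from this side is encrypted
        records.append(rec)
    return records


def parse_eap_message(hexstr, encrypted=False):
    """Parse one EAP-Message value as radiusd -X prints it (0x-prefixed hex)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} octets present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                # Success/Failure carry no Type-Data
        return pkt
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type not in (13, 25):      # not EAP-TLS/PEAP framing: return opaque data
        pkt["data"] = data[5:]
        return pkt
    flags = data[5]                   # L(ength) M(ore) S(tart) bits, PEAP version in low bits
    pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                    "S": bool(flags & 0x20), "version": flags & 0x07}
    off = 6
    if flags & 0x80:                  # L set: 4-byte total TLS message length follows
        pkt["tls_length"] = struct.unpack("!I", data[6:10])[0]
        off = 10
    pkt["records"] = parse_tls_records(data[off:], encrypted)
    return pkt


def describe(pkt):
    """Render records in the style of the rlm_eap_tls <<< (received) / >>> (sent) lines."""
    arrow = "<<<" if pkt["code"] == "Response" else ">>>"
    out = []
    for r in pkt.get("records", []):
        line = f"{arrow} TLS {r['version']} {r['type']} [length {r['length']:04x}]"
        if "handshake" in r:
            line += f", {r['handshake']}"
        elif "alert" in r:
            line += f", {r['alert'][0]} {r['alert'][1]}"
        elif r["encrypted"]:
            line += ", encrypted"
        out.append(line)
    return out


# Copied from the post: client Response id 6, server Access-Challenge id 7, client Response id 7.
CLIENT_ID6 = ("0x020600c01980000000b61603010086100000820080126d2f1d87e507a1c90fb4a1b6f7a4566b6c2e0a"
              "41fe5658c88db97c2206e9fd6c9e02677fda6b7cf36a7f10e3cc916568206014da6bc36ee40bb0dedeb7"
              "66a258fd43534304879deda3b9e3079e93b297b363f11b9e0f633654b6438607c149f4377f6cf268dc8e"
              "bab8cbb47d20b67d9fbf4274c31b2d56ee18ab5c96c86790140301000101160301002089707ff0e94f55"
              "4b6169353940e4f67ba2e9928eecdfcb3f2f9b37a621b01387")
SERVER_ID7 = "0x0107003119001403010001011603010020fc68cdae657b71421e8bcdef9a6d3507fc4feea540e897e360e085108d5f9989"
CLIENT_ID7 = "0x02070021198000000017150301001241cdef1148ae6a67de93dff47a67850d1b79"
# Constructed (not from the post): what a *plaintext* fatal access_denied alert looks like.
PLAIN_ALERT = bytes.fromhex("15030100020231")

if __name__ == "__main__":
    for label, hexstr, enc in (("client id 6", CLIENT_ID6, False),
                               ("server id 7", SERVER_ID7, False),
                               ("client id 7", CLIENT_ID7, True)):
        pkt = parse_eap_message(hexstr, enc)
        print(f"{label}: EAP {pkt['code']} id={pkt['id']} len={pkt['length']} flags={pkt['flags']}")
        for line in describe(pkt):
            print("   ", line)
    print("plaintext alert:", parse_tls_records(PLAIN_ALERT)[0]["alert"])
```

The third packet decodes to exactly one record: an Alert of 18 octets (the two alert octets plus the record MAC, which the server strips and logs as "fatal access_denied"), received from the supplicant immediately after the server's Finished, with no tunneled EAP behind it; that is why rlm_eap_peap reports "No data inside of the tunnel". RFC 2246 defines access_denied as "a valid certificate was received, but when access control was applied, the sender decided not to proceed with negotiation", and the <<< direction shows the sender is the client, so the decision that aborted the session was taken on the XP side after the handshake succeeded, which is not something the server's own debug output can explain further.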