The problem manifests itself like this. My testing machine is a Linux box with open1x.org's Xsupplicant installed and a Cisco Aironet wireless card. The card gets an initial connection just fine from the WAP, but when I try to authenticate against RADIUS, xsupplicant spits this back after curState goes to AUTHENTICATING:
[ALL] Got EAP-Failure! Failure!
[ALL] (TLS-FUNCS) Cleaning up (possible after a failure)!
[AUTH TYPE] (EAP-TLS) Freeing mytls_vars->ctx!
[ALL] (EAP-PEA) Failed. Resetting
I have the FreeRADIUS server in -X mode, and I see this at that point:
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 7
modcall: group authenticate returns reject for request 7
auth: Failed to validate the user.
I don't see any obvious errors on either client or server up to this point. The user is authenticated fine:
rad_recv: Access-Request packet from host 192.168.0.251:1207, id=1, length=123
User-Name = "skylar"
NAS-IP-Address = 192.168.0.251
NAS-Port = 0
Called-Station-Id = "00-c0-49-ee-4a-b2"
Calling-Station-Id = "00-40-96-44-c4-ec"
NAS-Identifier = ""
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000b01736b796c6172
Message-Authenticator = 0x569ec933397b73cc649fe1d15cdf7af1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "skylar", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 152
users: Matched skylar at 215
modcall[authorize]: module "files" returns ok for request 0
The only other possible error I can see on the server side is this:
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
But after some Googling, it appears that the TLS error isn't fatal.
Any ideas?
--
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.cs.earlham.edu/~skylar/