FreeBSD V5.3
FreeRadius V1.0.2
Windows XP Supplicant
Dlink 2100 Access Point
Dlink G132 USB Wireless Adapter
self-signed server certificates using openssl v0.9.7e

The radiusd -X command shows no errors on startup.

I'm having problems authenticating when using the "validate server certificate"
option in the WinXP PEAP configuration menu.  If I don't validate the server
certificate I can connect to the radius server just fine.  Someone else ran
into a similar problem (freeradius-users/2004-September/036349.html) claiming
the problem was "usage attributes accompanying the cert".  I don't know what
this means.  I created my certs according to directions from
austux.net/resources/network/eaptls.html

The entire log is included below, but the relevant part seems to be the
following section.  I'm assuming "validating" the certificate is a good
thing and an option I want to include in my WinXP configuration.  My root
CA installed fine on the WinXP machine.  Can anyone give me some guidance
on this issue?


  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied  
TLS Alert read:fatal:access denied 
rlm_eap_peap: No data inside of the tunnel.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 53
modcall: group authenticate returns invalid for request 53
auth: Failed to validate the user.



COMPLETE LOG
--------------
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=0, length=195
        Message-Authenticator = 0x4f9ccbaf3ab3be2586f9b6f5094a77b1
        Service-Type = Framed-User
        User-Name = "jon"
        Framed-MTU = 1488
        Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
        Calling-Station-Id = "00-11-95-94-4F-CB"
        NAS-Identifier = "D-Link Corp. Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x02000008016a6f6e
        NAS-IP-Address = 192.168.1.9
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 49
  modcall[authorize]: module "preprocess" returns ok for request 49
  modcall[authorize]: module "mschap" returns noop for request 49
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 49
  rlm_eap: EAP packet type response id 0 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 49
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 49
modcall: group authorize returns updated for request 49
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 49
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 49
modcall: group authenticate returns handled for request 49
Sending Access-Challenge of id 0 to 192.168.1.9:1044
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x109fea2d826cbca009c3b29faa07d32c
Finished request 49
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=1, length=285
        Message-Authenticator = 0xb476fe4ef81aa1687fc3be4696873ea2
        Service-Type = Framed-User
        User-Name = "jon"
        Framed-MTU = 1488
        State = 0x109fea2d826cbca009c3b29faa07d32c
        Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
        Calling-Station-Id = "00-11-95-94-4F-CB"
        NAS-Identifier = "D-Link Corp. Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x0201005019800000004616030100410100003d03014260aa5d192deeca7552fd6ecd6ab3baa64d8c6b25c45e979cfcdf2fdac8c1b500001600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 192.168.1.9
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 50
  modcall[authorize]: module "preprocess" returns ok for request 50
  modcall[authorize]: module "mschap" returns noop for request 50
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 50
  rlm_eap: EAP packet type response id 1 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 50
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 50
modcall: group authorize returns updated for request 50
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 50
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0504], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate A 
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 50
modcall: group authenticate returns handled for request 50
Sending Access-Challenge of id 1 to 192.168.1.9:1044
        EAP-Message = 
0x0102040a19c000000561160301004a0200004603014260a9f3686968fcad5dfb3887ec06628c08b7f5993ea6507af449cc9b02d7042035d45f3f2dba276e1005535d52595de3ef87e7a5546a498a769a8f8fc842e70700040016030105040b0005000004fd0004fa308204f6308203dea003020102020102300d06092a864886f70d010104050030819f310b3009060355040613025553311630140603550408130d4e65772048616d707368697265310e300c06035504071305576561726531193017060355040a1310694c696e6b204173736f63696174657331193017060355040b1310694c696e6b204173736f6369617465733116301406035504
        EAP-Message = 
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
        EAP-Message = 
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
        EAP-Message = 
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
        EAP-Message = 0x31193017060355040b1310694c696e6b204173736f63
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb9fca96a56826001224d1dbec37c004f
Finished request 50
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=2, length=211
        Message-Authenticator = 0x643889aab9ea747247cebc00e87f76f5
        Service-Type = Framed-User
        User-Name = "jon"
        Framed-MTU = 1488
        State = 0xb9fca96a56826001224d1dbec37c004f
        Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
        Calling-Station-Id = "00-11-95-94-4F-CB"
        NAS-Identifier = "D-Link Corp. Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020200061900
        NAS-IP-Address = 192.168.1.9
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 51
  modcall[authorize]: module "preprocess" returns ok for request 51
  modcall[authorize]: module "mschap" returns noop for request 51
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 51
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 51
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 51
modcall: group authorize returns updated for request 51
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 51
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 51
modcall: group authenticate returns handled for request 51
Sending Access-Challenge of id 2 to 192.168.1.9:1044
        EAP-Message = 
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
        EAP-Message = 
0xaa60a63408f4324bc62e3e03e4300acc3f2e7019c7a45e60910a6c6277094847752f43f1091c2c2443928b5a2ba91504f0373054ba2ca0b9d257a60b3ca4f7b2a0d9aad7bebba84ad3ad636ffef61a787ba14589f8478495ac5a8ca88e68887c6316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xeafcc1154fa2e16f63cf809071f3b519
Finished request 51
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=3, length=527
        Message-Authenticator = 0xfd2ea902cb0d2c4f13b76016b14d05fb
        Service-Type = Framed-User
        User-Name = "jon"
        Framed-MTU = 1488
        State = 0xeafcc1154fa2e16f63cf809071f3b519
        Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
        Calling-Station-Id = "00-11-95-94-4F-CB"
        NAS-Identifier = "D-Link Corp. Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
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
        EAP-Message = 
0x7bb4546999fa0a687cde8b78859e90f0440889cedc6f77341403010001011603010020f5b713e1971f60307619f28521cbf591b484deae171ee0aa8116f59b19124313
        NAS-IP-Address = 192.168.1.9
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 52
  modcall[authorize]: module "preprocess" returns ok for request 52
  modcall[authorize]: module "mschap" returns noop for request 52
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 52
  rlm_eap: EAP packet type response id 3 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 52
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 52
modcall: group authorize returns updated for request 52
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 52
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
    TLS_accept: SSLv3 read client key exchange A 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 read finished A 
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
    TLS_accept: SSLv3 write change cipher spec A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
    TLS_accept: SSLv3 write finished A 
    TLS_accept: SSLv3 flush data 
    (other): SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 52
modcall: group authenticate returns handled for request 52
Sending Access-Challenge of id 3 to 192.168.1.9:1044
        EAP-Message = 
0x01040031190014030100010116030100209a1336ce69d5c73b4b8512de5e6c6b531b1f5828b3992dd26a0563299c8c1173
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1669f53b74e07a6c4e2f35374921a557
Finished request 52
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=4, length=238
        Message-Authenticator = 0x66290b8daee901d8e5ec39de473e9dcd
        Service-Type = Framed-User
        User-Name = "jon"
        Framed-MTU = 1488
        State = 0x1669f53b74e07a6c4e2f35374921a557
        Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
        Calling-Station-Id = "00-11-95-94-4F-CB"
        NAS-Identifier = "D-Link Corp. Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 
0x020400211980000000171503010012f519c8875b84289cceb66891079646a8dc1f
        NAS-IP-Address = 192.168.1.9
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 53
  modcall[authorize]: module "preprocess" returns ok for request 53
  modcall[authorize]: module "mschap" returns noop for request 53
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 53
  rlm_eap: EAP packet type response id 4 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 53
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 53
modcall: group authorize returns updated for request 53
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 53
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  eaptls_process returned 7 
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied  
TLS Alert read:fatal:access denied 
rlm_eap_peap: No data inside of the tunnel.
 rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 53
modcall: group authenticate returns invalid for request 53
auth: Failed to validate the user.
Delaying request 53 for 1 seconds
Finished request 53
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=4, length=238
Sending Access-Reject of id 4 to 192.168.1.9:1044
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 49 ID 0 with timestamp 4260a9f3
Cleaning up request 50 ID 1 with timestamp 4260a9f3
Cleaning up request 51 ID 2 with timestamp 4260a9f3
Cleaning up request 52 ID 3 with timestamp 4260a9f3
Cleaning up request 53 ID 4 with timestamp 4260a9f3


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
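The EAP-Message hex in the log above can be decoded by hand, and doing so makes the failure easier to read than the interleaved rlm_eap_tls lines. The decoder below is an added example, not code from the original post or from FreeRADIUS: it unpacks the EAP header, the PEAP flags and 4-byte length field, and the TLS records inside, naming handshake types and the cipher suites the supplicant offered; it decrypts nothing. LOG_FRAMES is copied from the EAP-Message attributes in the log (the server's 1034-byte certificate frame is cut short here after the Certificate handshake header); PLAINTEXT_ALERT is a constructed frame showing what the same alert looks like when it is not yet encrypted.

```python
"""Decode EAP-PEAP (EAP type 25) frames as printed in EAP-Message attributes
by radiusd -X.  Added example, not code from the original post or from
FreeRADIUS: it parses only the outer EAP and TLS-record framing and decrypts
nothing.  LOG_FRAMES is copied from the log above; the server's 1034-byte
certificate frame is cut short here after the Certificate handshake header.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange",
                   20: "Finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied"}
# Only the eleven suites the XP supplicant offers in the log's ClientHello.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", 0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5", 0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}


def _parse_hello(htype, body):
    """Fields of a plaintext ClientHello (htype 1) or ServerHello (htype 2) body."""
    fields = {"version": "%d.%d" % (body[0], body[1]),          # TLS 1.0 is 3.1
              "gmt_unix_time": struct.unpack("!I", body[2:6])[0]}  # first 4 bytes of Random
    off = 35 + body[34]            # version + 32-byte random + session-id length + session id
    if htype == 1:                 # ClientHello carries a length-prefixed list of suites
        n = struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + n, 2)]
    else:                          # ServerHello carries the single suite it chose
        suites = [struct.unpack("!H", body[off:off + 2])[0]]
    fields["cipher_suites"] = [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites]
    return fields


def _parse_handshake(body):
    """Split a plaintext Handshake record into messages; hellos get their fields decoded."""
    messages = []
    while len(body) >= 4:
        htype, hlen = body[0], int.from_bytes(body[1:4], "big")
        msg = {"type": HANDSHAKE_TYPES.get(htype, str(htype)), "length": hlen}
        if htype in (1, 2) and len(body) >= 4 + hlen:
            msg.update(_parse_hello(htype, body[4:4 + hlen]))
        messages.append(msg)
        body = body[4 + hlen:]     # a partial message (fragmented frame) ends the loop
    return messages


def parse_tls_records(payload):
    """Walk TLS records; after a ChangeCipherSpec, or for any alert that is not
    exactly 2 bytes, the record is encrypted and only its type/length are reported."""
    records, off, encrypted = [], 0, False
    while off + 5 <= len(payload):
        ctype, _vmaj, _vmin, rlen = struct.unpack("!BBBH", payload[off:off + 5])
        body = payload[off + 5:off + 5 + rlen]
        rec = {"type": CONTENT_TYPES.get(ctype, str(ctype)), "length": rlen,
               "partial": len(body) < rlen}
        if ctype == 20:
            encrypted = True
        elif ctype == 21 and rlen == 2 and not encrypted:
            rec["alert"] = (ALERT_LEVELS.get(body[0], str(body[0])),
                            ALERT_DESCRIPTIONS.get(body[1], str(body[1])))
        elif ctype == 22 and not encrypted:
            rec["messages"] = _parse_handshake(body)
        else:
            rec["encrypted"] = True
        records.append(rec)
        off += 5 + rlen
    return records


def parse_eap_peap(hexstr):
    """Decode one EAP-Message value: EAP header, PEAP flags/length, TLS records."""
    data = bytes.fromhex(hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    frame = {"code": EAP_CODES.get(code, str(code)), "id": ident, "eap_length": length,
             "truncated": length > len(data)}   # true for the cut-down certificate frame
    if len(data) == 4:                           # Success/Failure carry no type byte
        return frame
    eap_type, flags = data[4], data[5]
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError("not an EAP-PEAP frame: EAP type %d" % eap_type)
    frame["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                      "S": bool(flags & 0x20), "version": flags & 0x07}
    off = 6
    if flags & 0x80:                             # L bit: 4-byte total TLS length follows
        frame["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        off = 10
    frame["records"] = parse_tls_records(data[off:])
    return frame


def summarize(hexstr):
    """One-line description of a frame, e.g. 'Response id=4: Alert (encrypted)'."""
    f = parse_eap_peap(hexstr)
    parts = []
    for r in f.get("records", []):
        if "messages" in r:
            parts.append("Handshake " + "+".join(m["type"] for m in r["messages"]))
        elif "alert" in r:
            parts.append("Alert %s %s" % r["alert"])
        else:
            parts.append(r["type"] + (" (encrypted)" if r.get("encrypted") else ""))
    if not parts:
        parts = ["no TLS data (ACK)" if "flags" in f else "no payload"]
    return "%s id=%d: %s" % (f["code"], f["id"], ", ".join(parts))


# Frames copied from the EAP-Message attributes in the log above.
LOG_FRAMES = [
    ("request 50, client ClientHello",
     "0201005019800000004616030100410100003d03014260aa5d192deeca7552fd6ecd6ab3baa64d8c6b"
     "25c45e979cfcdf2fdac8c1b500001600040005000a000900640062000300060013001200630100"),
    ("request 50, server ServerHello + Certificate (first fragment, cut short here)",
     "0102040a19c000000561160301004a0200004603014260a9f3686968fcad5dfb3887ec06628c08b7f5"
     "993ea6507af449cc9b02d7042035d45f3f2dba276e1005535d52595de3ef87e7a5546a498a769a8f8f"
     "c842e70700040016030105040b0005000004fd0004fa308204f6"),
    ("request 51, client ACK", "020200061900"),
    ("request 52, server ChangeCipherSpec + Finished",
     "01040031190014030100010116030100209a1336ce69d5c73b4b8512de5e6c6b531b1f5828b3992dd2"
     "6a0563299c8c1173"),
    ("request 53, client Alert where tunneled data was expected",
     "020400211980000000171503010012f519c8875b84289cceb66891079646a8dc1f"),
    ("Access-Reject, EAP-Failure", "04040004"),
]
# Constructed (not from the log): the same fatal access_denied alert sent in the clear.
PLAINTEXT_ALERT = "0205001119800000000715030100020231"

if __name__ == "__main__":
    for label, hx in LOG_FRAMES + [("constructed plaintext alert", PLAINTEXT_ALERT)]:
        print("%-72s -> %s" % (label, summarize(hx)))
```

Run over the log's frames the decoder tells the same story as the radiusd output, but in one line per frame: the supplicant offers eleven suites, the server picks TLS_RSA_WITH_RC4_128_MD5 and starts a 1377-byte certificate chain, the handshake finishes, and the supplicant's very next frame is an 18-byte encrypted Alert record (2 alert bytes plus a 16-byte MD5 MAC) rather than the tunneled EAP-Identity that rlm_eap_peap is waiting for, hence "No data inside of the tunnel". Because that alert comes from the supplicant right after it has seen the server certificate, the server-side log cannot say why it was refused; the certificate's extensions are the thing to inspect next. Windows XP's PEAP supplicant expects the server certificate to carry the Extended Key Usage "TLS Web Server Authentication" (OID 1.3.6.1.5.5.7.3.1); `openssl x509 -in server.pem -noout -text` prints the X509v3 extensions block where that should appear.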