Setup:

FreeBSD V5.3
FreeRadius V1.0.2
Windows XP Supplicant
Dlink 2100 Access Point
Dlink G132 USB Wireless Adapter
self-signed server certificates using openssl v0.9.7e
The radiusd -X command shows no errors on startup. I'm having problems authenticating when using the "validate server certificate" option in the WinXP PEAP configuration menu. If I don't validate the server certificate I can connect to the radius server just fine.

Someone else ran into a similar problem (freeradius-users/2004-September/036349.html) claiming the problem was "usage attributes accompanying the cert". I don't know what this means. I created my certs according to directions from austux.net/resources/network/eaptls.html.

The entire log is included below, but the relevant part seems to be the following section. I'm assuming "validating" the certificate is a good thing and an option I want to include in my WinXP configuration. My root CA installed fine on the WinXP machine. Can anyone give me some guidance on this issue?

  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
  rlm_eap_peap: No data inside of the tunnel.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 53
modcall: group authenticate returns invalid for request 53
auth: Failed to validate the user.

COMPLETE LOG
--------------

rad_recv: Access-Request packet from host 192.168.1.9:1044, id=0, length=195
    Message-Authenticator = 0x4f9ccbaf3ab3be2586f9b6f5094a77b1
    Service-Type = Framed-User
    User-Name = "jon"
    Framed-MTU = 1488
    Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
    Calling-Station-Id = "00-11-95-94-4F-CB"
    NAS-Identifier = "D-Link Corp. Access Point"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x02000008016a6f6e
    NAS-IP-Address = 192.168.1.9
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 49
  modcall[authorize]: module "preprocess" returns ok for request 49
  modcall[authorize]: module "mschap" returns noop for request 49
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 49
  rlm_eap: EAP packet type response id 0 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 49
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 49
modcall: group authorize returns updated for request 49
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 49
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 49
modcall: group authenticate returns handled for request 49
Sending Access-Challenge of id 0 to 192.168.1.9:1044
    EAP-Message = 0x010100061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x109fea2d826cbca009c3b29faa07d32c
Finished request 49
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=1, length=285
    Message-Authenticator = 0xb476fe4ef81aa1687fc3be4696873ea2
    Service-Type = Framed-User
    User-Name = "jon"
    Framed-MTU = 1488
    State = 0x109fea2d826cbca009c3b29faa07d32c
    Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
    Calling-Station-Id = "00-11-95-94-4F-CB"
    NAS-Identifier = "D-Link Corp. Access Point"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x0201005019800000004616030100410100003d03014260aa5d192deeca7552fd6ecd6ab3baa64d8c6b25c45e979cfcdf2fdac8c1b500001600040005000a000900640062000300060013001200630100
    NAS-IP-Address = 192.168.1.9
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 50
  modcall[authorize]: module "preprocess" returns ok for request 50
  modcall[authorize]: module "mschap" returns noop for request 50
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 50
  rlm_eap: EAP packet type response id 1 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 50
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 50
modcall: group authorize returns updated for request 50
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 50
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0504], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 50
modcall: group authenticate returns handled for request 50
Sending Access-Challenge of id 1 to 192.168.1.9:1044
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 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
    EAP-Message = 0x31193017060355040b1310694c696e6b204173736f63
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb9fca96a56826001224d1dbec37c004f
Finished request 50
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=2, length=211
    Message-Authenticator = 0x643889aab9ea747247cebc00e87f76f5
    Service-Type = Framed-User
    User-Name = "jon"
    Framed-MTU = 1488
    State = 0xb9fca96a56826001224d1dbec37c004f
    Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
    Calling-Station-Id = "00-11-95-94-4F-CB"
    NAS-Identifier = "D-Link Corp. Access Point"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020200061900
    NAS-IP-Address = 192.168.1.9
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 51
  modcall[authorize]: module "preprocess" returns ok for request 51
  modcall[authorize]: module "mschap" returns noop for request 51
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 51
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 51
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 51
modcall: group authorize returns updated for request 51
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 51
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 51
modcall: group authenticate returns handled for request 51
Sending Access-Challenge of id 2 to 192.168.1.9:1044
    EAP-Message = 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
    EAP-Message = 0xaa60a63408f4324bc62e3e03e4300acc3f2e7019c7a45e60910a6c6277094847752f43f1091c2c2443928b5a2ba91504f0373054ba2ca0b9d257a60b3ca4f7b2a0d9aad7bebba84ad3ad636ffef61a787ba14589f8478495ac5a8ca88e68887c6316030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xeafcc1154fa2e16f63cf809071f3b519
Finished request 51
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=3, length=527
    Message-Authenticator = 0xfd2ea902cb0d2c4f13b76016b14d05fb
    Service-Type = Framed-User
    User-Name = "jon"
    Framed-MTU = 1488
    State = 0xeafcc1154fa2e16f63cf809071f3b519
    Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
    Calling-Station-Id = "00-11-95-94-4F-CB"
    NAS-Identifier = "D-Link Corp. Access Point"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020301401980000001361603010106100001020100606da052f8b1564301d936aeb5f2f2a4e06570d41bcabd5c3536e27a283cc8b1dbb6bfec56a619e01b860ab910c7f1bcb222ba9e95e40daaa1a9bae839da7498cbc6c8398aac376d1203cd4ab3213f2ad4d9693430bf3071d6f3f94a752050d3d3a9d31aa321ef385714cfe3400900b8c511a3dfbafd3249d0a86c556c6365bd4e159397ecc88c54e98ee7df1c5c5e3304f858176e5daf908cdb1d355f47c7797344f3e931cec9a7fdab49552b2413733912afd8067e663158ec09ecc8cbab72898eb1deddf2a6748573e5037bb449dee2deeb837e0ad989a915e245087c6e6d6713b5a3b1498f28
    EAP-Message = 0x7bb4546999fa0a687cde8b78859e90f0440889cedc6f77341403010001011603010020f5b713e1971f60307619f28521cbf591b484deae171ee0aa8116f59b19124313
    NAS-IP-Address = 192.168.1.9
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 52
  modcall[authorize]: module "preprocess" returns ok for request 52
  modcall[authorize]: module "mschap" returns noop for request 52
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 52
  rlm_eap: EAP packet type response id 3 length 253
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 52
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 52
modcall: group authorize returns updated for request 52
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 52
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 52
modcall: group authenticate returns handled for request 52
Sending Access-Challenge of id 3 to 192.168.1.9:1044
    EAP-Message = 0x01040031190014030100010116030100209a1336ce69d5c73b4b8512de5e6c6b531b1f5828b3992dd26a0563299c8c1173
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1669f53b74e07a6c4e2f35374921a557
Finished request 52
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=4, length=238
    Message-Authenticator = 0x66290b8daee901d8e5ec39de473e9dcd
    Service-Type = Framed-User
    User-Name = "jon"
    Framed-MTU = 1488
    State = 0x1669f53b74e07a6c4e2f35374921a557
    Called-Station-Id = "00-11-95-BF-B6-F9:radius1"
    Calling-Station-Id = "00-11-95-94-4F-CB"
    NAS-Identifier = "D-Link Corp. Access Point"
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 54Mbps 802.11g"
    EAP-Message = 0x020400211980000000171503010012f519c8875b84289cceb66891079646a8dc1f
    NAS-IP-Address = 192.168.1.9
    NAS-Port = 1
    NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 53
  modcall[authorize]: module "preprocess" returns ok for request 53
  modcall[authorize]: module "mschap" returns noop for request 53
    rlm_realm: No '@' in User-Name = "jon", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 53
  rlm_eap: EAP packet type response id 4 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 53
    users: Matched entry jon at line 80
  modcall[authorize]: module "files" returns ok for request 53
modcall: group authorize returns updated for request 53
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 53
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
  rlm_eap_peap: No data inside of the tunnel.
  rlm_eap: Handler failed in EAP/peap
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 53
modcall: group authenticate returns invalid for request 53
auth: Failed to validate the user.
Delaying request 53 for 1 seconds
Finished request 53
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.9:1044, id=4, length=238
Sending Access-Reject of id 4 to 192.168.1.9:1044
    EAP-Message = 0x04040004
    Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 49 ID 0 with timestamp 4260a9f3
Cleaning up request 50 ID 1 with timestamp 4260a9f3
Cleaning up request 51 ID 2 with timestamp 4260a9f3
Cleaning up request 52 ID 3 with timestamp 4260a9f3
Cleaning up request 53 ID 4 with timestamp 4260a9f3

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
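Added example, not part of the original post and not FreeRADIUS project code. The "usage attributes accompanying the cert" that the earlier thread refers to are the X.509 extendedKeyUsage extension: when "validate server certificate" is enabled, the Windows XP PEAP supplicant requires the RADIUS server's certificate to assert the serverAuth purpose (OID 1.3.6.1.5.5.7.3.1) in addition to chaining to an installed root CA, and a certificate signed without that extension is rejected by the client after the TLS handshake has otherwise completed. The pattern in the log above (SSL Connection Established, then a fatal access_denied alert from the client with no data inside the tunnel) is consistent with that kind of post-handshake rejection. The script below builds a throwaway CA and two server certificates in a temporary directory, one signed with no extendedKeyUsage and one with serverAuth, and checks which of them carries the usage an XP supplicant looks for. It needs only the openssl command-line tool; the file names, subject names and the xpextensions-style section names are my own assumptions.

```shell
#!/bin/sh
# Added example: demonstrate the extendedKeyUsage ("usage attributes") that a
# Windows XP PEAP supplicant requires on the RADIUS server certificate.
# Requires the openssl CLI. Everything is written to a temp dir and removed on exit.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Extension sections in the style of the xpextensions file shipped with
# FreeRADIUS (section names assumed here). 1.3.6.1.5.5.7.3.1 is id-kp-serverAuth,
# 1.3.6.1.5.5.7.3.2 is id-kp-clientAuth.
cat > "$WORK/xpextensions" <<'EOF'
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2
EOF

# make_ca: self-signed root CA, the certificate that gets installed on the supplicant.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" \
        -subj "/CN=Example Lab Root CA" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -extfile "$WORK/xpextensions" -extensions ca_ext \
        -out "$WORK/ca.pem" >/dev/null 2>&1
}

# make_server_cert NAME [SECTION]: CSR plus CA signature. With no SECTION the
# certificate carries no extendedKeyUsage at all, which is the "missing usage
# attributes" case; with xpserver_ext it asserts serverAuth.
make_server_cert() {
    name="$1"; section="${2:-}"
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/CN=radius1.example.test" >/dev/null 2>&1
    if [ -n "$section" ]; then
        openssl x509 -req -days 365 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/xpextensions" -extensions "$section" \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -days 365 -in "$WORK/$name.csr" \
            -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
            -out "$WORK/$name.pem" >/dev/null 2>&1
    fi
}

# has_server_auth_eku CERT: succeeds only if the certificate's Extended Key Usage
# lists TLS Web Server Authentication (serverAuth).
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# chain_ok_for_server CERT: the other half of what a supplicant checks, that the
# certificate chains to the installed root and is acceptable as a TLS server cert.
chain_ok_for_server() {
    openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# report: one line per certificate saying whether an XP supplicant would accept it.
report() {
    for c in bad good; do
        if has_server_auth_eku "$WORK/$c.pem"; then
            printf '%s.pem: serverAuth EKU present, XP supplicant accepts it\n' "$c"
        else
            printf '%s.pem: no serverAuth EKU, XP supplicant rejects it after the handshake\n' "$c"
        fi
    done
}

make_ca
make_server_cert bad
make_server_cert good xpserver_ext
report
```

Note that openssl verify -purpose sslserver accepts a certificate with no extendedKeyUsage at all, because OpenSSL treats an absent extension as unrestricted; the XP supplicant is stricter and wants serverAuth stated explicitly, which is why the explicit EKU check above is the one that tells the two certificates apart. When reissuing a real server certificate, sign it against the same root CA already installed on the clients so that only the server side needs to change.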