If it was regular TLS, I'd tell you to "openssl s_client -connect foo:123 -cacert /blah".

Are you sure that you have imported and "trusted" your CA's certificate on both the client and the server?

This is when I let the other guys make suggestions.

I was just curious if EAP-TLS with client certificates was simply a way of delivering the username to the client, letting the client authenticate the server and the server authenticate the identity of the client, and then providing for another password-based mechanism.

Or if certificate TLS handshake was sufficient for authorization and authentication...

For example, Apache SSL can be told to verify client certificates, but htaccess would still be required.

With SMTP, client and server SSL verification can be compelled, but for SMTP AUTH for relay, username/password authentication would still be required.


~BAS

On Wed, 16 Nov 2005, Hamid Salim wrote:

It should not be asking/expecting any userid/password pair. I have
installed the certificates on the supplicant machine which should be
sufficient to authenticate without any password requirements. I am not
sure why the certs are not working???


Brian A. Seklecki wrote:


  rlm_eap_tls: Received unexpected tunneled data after successful handshake.

...that's what I get when I try an invalid password in my EAP + Cisco 1200 + LDAP + PEAP/MS-CHAPv2 configuration.

Let me ask...how is the client certificate method supposed to work?

Is the username embedded in the CN/CommonName attribute of the certificate and the user is prompted for a password which you set up in authenticate {} ?

Is that any more secure than using PEAP/MS-CHAPv2 ?

~BAS


On Wed, 16 Nov 2005, Hamid Salim wrote:

Hi,
I am just wondering if anyone has encountered the same issue. I have
set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
For some reason I am getting:

auth: Failed to validate the user.
Login incorrect: [radiustst/<no User-Password attribute>] (from client
testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)

The complete listing is attached. I am using certificates and the SSL session
is created successfully, so why is FreeRADIUS expecting a
userid/password?

Any help will be appreciated.

Thanks
Hamid.

============= Complete Listing =================
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71, length=1247
       User-Name = "radiustst"
       NAS-IP-Address = 129.10.56.156
       Called-Station-Id = "00-20-a6-4a-12-21"
       Calling-Station-Id = "00-10-c6-38-af-7b"
       NAS-Identifier = "APtest3"
       State = 0xb9a67433435733a42f7cbd528aa6ae7a
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       EAP-Message = 0x020504510d800000044716030104170b000307000304000301308202fd30820266a003020102020102300d06092a864886f70d01010405003054310b3009060355040613025553310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e20556e6976657273697479311630140603550403130d45434541757468536572766572301e170d3035313130353232323335345a170d3036313130353232323335345a3050310b3009060355040613025553310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e20556e69766572736974793112301006035504031309726164697573
       EAP-Message = 0x74737430819f300d06092a864886f70d010101050003818d0030818902818100b9983db3e72f80fd974f9bcd64081d573fdd27b19089405b696d873f87467ff80a312ef7b399c39e9e7018e1aa29203251c40dd6af46d060d1211405bea1888d058da35230f55d7dc27d769e0234824d78d5d1b5edf8d39f8ab78255e6cca753424cd0713339a02cf315fbcb6175a047fa233d9f64d6f936f5e3a403bcca93ab0203010001a381e23081df30090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e04160414b77dd4b0207270418f8281572f5e
       EAP-Message = 0x3353216fe55f3081840603551d23047d307b801463d38ab984dc364e31383d1ecf37430ee64b68e9a158a4563054310b3009060355040613025553310b3009060355040813024d413120301e060355040a13174e6f7274686561737465726e20556e69766572736974793116301406035504031 30d45434541757468536572766572820900cab77a537cadfaf3300d06092a864886f70d0101040500038181003cbaf9e576319601ba75222ef4fed8cd584e2d8aea2f25788bff348f53a699ecab5cb50143f369e7a59da5ba5212105e4d1b642f56cf00d04efcb911239047393875024e5e4a17b0ac8f87d165c81a5fcfbe2f2a67ee6c7e57dae0c423
       EAP-Message = 0x4a3f81753b0817b63f117a0b28c1ca43e1cb31142b47103caef9f28c01860b49f274651000008200805d53b3419d272d68175ae404a9a51774f148420e7832d39ceaa311a000f070ebf121d27c6f8b15369ab4bc9a1edadd2abd1caace3378f6a9f6623e6f9cb95085df74830c3e22638bd8e3a63938c9ea8b93895aca23aa131f728ffab7c0cee86b7ed10ced5e2f30ad19df6cd83a0ac6564a9b833b284b52ff9355741efc7b3e360f0000820080131f2e6999c156d32b83cb27036db11e9c3571b66d7ab062208a03daf1afb9b3c4a326a09663c1a325a3b846a2a34d4cfbdcbd432a18017a9ece2744de377c964649ac146466ee4b71fa5fdd8f7c
       EAP-Message = 0x1272df4226eb2805f9268ae2a2e0d0664ced1a8868bada17475dc7889cb73634641d80af384311d0b2b9e87c7bde4227a47d14030100010116030100202a0a0a3102caaf86988611a6916269516c4e5b6bf006d943609a71740a4d3a60
       Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
 modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat:  '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
 modcall[authorize]: module "auth_log" returns ok for request 8
   rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 8
 rlm_eap: EAP packet type response id 5 length 253
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 8
   users: Matched entry radiustst at line 54
 modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate
chain-depth=1, error=0
--> User-Name = radiustst
--> BUF-Name = ECEAuthServer
--> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
--> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
--> verify return:1
chain-depth=0, error=0
--> User-Name = radiustst
--> BUF-Name = radiustst
--> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst
--> issuer  = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
--> verify return:1
   TLS_accept: SSLv3 read client certificate A
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
   TLS_accept: SSLv3 read client key exchange A
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
   TLS_accept: SSLv3 read certificate verify A
 rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 read finished A
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
   TLS_accept: SSLv3 write change cipher spec A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 write finished A
   TLS_accept: SSLv3 flush data
   (other): SSL negotiation finished successfully
SSL Connection Established
 eaptls_process returned 13
 modcall[authenticate]: module "eap" returns handled for request 8
modcall: group authenticate returns handled for request 8
Sending Access-Challenge of id 71 to 129.10.56.156:6001
       EAP-Message = 0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c24322bdbd6ca0af149ba46d197f153a7f4f32
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0x70ed13d02f1854999ba5b4513143d53d
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72, length=167
       User-Name = "radiustst"
       NAS-IP-Address = 129.10.56.156
       Called-Station-Id = "00-20-a6-4a-12-21"
       Calling-Station-Id = "00-10-c6-38-af-7b"
       NAS-Identifier = "APtest3"
       State = 0x70ed13d02f1854999ba5b4513143d53d
       Framed-MTU = 1400
       NAS-Port-Type = Wireless-802.11
       EAP-Message =
0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115
       Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
 modcall[authorize]: module "preprocess" returns ok for request 9
radius_xlat:  '/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
rlm_detail: /opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
 modcall[authorize]: module "auth_log" returns ok for request 9
   rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 9
 rlm_eap: EAP packet type response id 6 length 33
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 9
   users: Matched entry radiustst at line 54
 modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns updated for request 9
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
 eaptls_process returned 7
 rlm_eap_tls: Received unexpected tunneled data after successful handshake.
rlm_eap: Handler failed in EAP/tls
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [radiustst/<no User-Password attribute>] (from client testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72, length=167
Sending Access-Reject of id 72 to 129.10.56.156:6001
       EAP-Message = 0x04060004
       Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 68 with timestamp 437a661d
Cleaning up request 6 ID 69 with timestamp 437a661d
Cleaning up request 7 ID 70 with timestamp 437a661d
Cleaning up request 8 ID 71 with timestamp 437a661d
Cleaning up request 9 ID 72 with timestamp 437a661d
Nothing to do.  Sleeping until we see a request.
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html


l8*
        -lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8
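Added example (editor's code, not from anyone in this thread or from FreeRADIUS): a small decoder for the EAP-TLS framing that FreeRADIUS prints in its EAP-Message attributes (EAP header, type 13, flags byte with the L/M/S bits, optional 4-byte TLS length, then raw TLS records). The two hex values below are copied from Hamid's log: the server's Access-Challenge with EAP id 6, and the supplicant's Response with the same id. Decoding them shows that the server's last flight is ChangeCipherSpec plus an encrypted Finished record, and that the supplicant answered with a TLS record of content type 21 (Alert) rather than the empty ACK an EAP-TLS peer sends when it accepts the handshake. That Alert is the "unexpected tunneled data" rlm_eap_tls complains about, which is why it is worth checking the CA trust on the supplicant as suggested above. The empty-ACK case is constructed for the test and is not in the log.

```python
import struct

# Added example (not from the thread): decode the EAP-TLS framing of the
# EAP-Message attributes that FreeRADIUS prints, so the last exchange in
# the posted log can be read without guessing.

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Both values are copied from the log in the original post: the server's
# Access-Challenge (EAP id 6) and the supplicant's Response (EAP id 6).
SERVER_FINAL_FLIGHT = "0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c24322bdbd6ca0af149ba46d197f153a7f4f32"
SUPPLICANT_REPLY = "0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115"


def split_tls_records(payload):
    """Split a TLS byte stream into records (5-byte header: type, version, length)."""
    records = []
    pos = 0
    while pos < len(payload):
        if pos + 5 > len(payload):
            raise ValueError("truncated TLS record header")
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[pos:pos + 5])
        if pos + 5 + rlen > len(payload):
            raise ValueError("truncated TLS record body")
        records.append({
            "content_type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": "TLS 1.0" if (major, minor) == (3, 1) else "%d.%d" % (major, minor),
            "length": rlen,
        })
        pos += 5 + rlen
    return records


def parse_eap_tls(hex_value):
    """Decode one EAP-TLS packet: EAP header, type 13, flags byte, optional TLS length."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(data)))
    if data[4] != EAP_TYPE_TLS:
        raise ValueError("not EAP-TLS (type %d)" % data[4])
    flags = data[5]
    pos = 6
    tls_length = None
    if flags & 0x80:  # L bit set: a 4-byte total TLS message length follows
        tls_length = struct.unpack("!I", data[6:10])[0]
        pos = 10
    payload = data[pos:]  # empty for an EAP-TLS ACK (flags 0x00, no data)
    return {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "tls_length": tls_length,
        "records": split_tls_records(payload) if payload else [],
    }


def supplicant_aborted(parsed):
    """True when a supplicant Response carries a TLS Alert instead of an empty ACK."""
    return parsed["code"] == "Response" and any(
        r["content_type"] == "Alert" for r in parsed["records"])


if __name__ == "__main__":
    for label, value in (("server", SERVER_FINAL_FLIGHT), ("supplicant", SUPPLICANT_REPLY)):
        p = parse_eap_tls(value)
        print(label, p["code"], "id", p["id"],
              [(r["content_type"], r["length"]) for r in p["records"]])
    print("supplicant sent an Alert after the handshake:",
          supplicant_aborted(parse_eap_tls(SUPPLICANT_REPLY)))
```

The alert body itself is encrypted under the just-negotiated keys, so the decoder cannot say which alert it is; what it does show is that the supplicant closed the session immediately after the server's Finished, which is the point at which a Windows supplicant applies its server-certificate and trusted-CA checks.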

