Hello all,

I'm relatively new to freeradius. I got freeradius running fine as an AAA server and want to extend it to authenticate my wireless.
I'm testing with a Linksys WRT54G AP.
I've done a lot of reading on how to configure EAP/TLS, but for some reason I can't get it to work. Can anybody give me some advice on how to get this to work?
See below a screen dump of the freeradius server.


rad_recv: Access-Request packet from host 192.168.100.5:2689, id=3, length=1660
       Message-Authenticator = 0x9a0b07611fd6b83251839c544b3552e6
       Service-Type = Framed-User
       User-Name = "mike"
       Framed-MTU = 1488
       State = 0x55654869c3d2859237b430d6df9b6c0f
       Called-Station-Id = "00-18-F8-F5-87-53:mikiemike"
       Calling-Station-Id = "00-13-E8-94-F3-B5"
       NAS-Port-Type = Wireless-802.11
       Connect-Info = "CONNECT 54Mbps 802.11g"
       NAS-IP-Address = 192.168.100.5
       NAS-Port = 1
       NAS-Port-Id = "STA port # 1"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
 modcall[authorize]: module "preprocess" returns ok for request 13
 modcall[authorize]: module "chap" returns noop for request 13
 modcall[authorize]: module "mschap" returns noop for request 13
   rlm_realm: No '@' in User-Name = "mike", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 13
 rlm_eap: EAP packet type response id 3 length 253
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 13
   users: Matched DEFAULT at 152
   users: Matched DEFAULT at 171
   users: Matched mike at 219
 modcall[authorize]: module "files" returns ok for request 13
modcall: group authorize returns updated for request 13
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
 eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0377], Certificate --> verify error:num=20:unable to get local issuer certificate
chain-depth=0,
error=20
--> User-Name = mike
--> BUF-Name = mike
--> subject = /C=NL/ST=Netherlands/O=C2C/CN=mike/[EMAIL PROTECTED]
--> issuer = /C=NL/ST=Netherlands/O=C2C/CN=BDHZ_server/[EMAIL PROTECTED]
--> verify return:0
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA
   TLS_accept:error in SSLv3 read client certificate B
6996:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2004:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode eaptls_process returned 13
 modcall[authenticate]: module "eap" returns handled for request 13
modcall: group authenticate returns handled for request 13
Sending Access-Challenge of id 3 to 192.168.100.5:2689
       Framed-IP-Address = 255.255.255.254
       Framed-MTU = 576
       Service-Type = Framed-User
       EAP-Message = 0x010400110d800000000715030100020230
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xa6541df7517449f2bd7e2604271974c9
Finished request 13
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.100.5:2689, id=4, length=187
       Message-Authenticator = 0x8bcace05bb96496c05ea2f310c463505
       Service-Type = Framed-User
       User-Name = "mike"
       Framed-MTU = 1488
       State = 0xa6541df7517449f2bd7e2604271974c9
       Called-Station-Id = "00-18-F8-F5-87-53:mikiemike"
       Calling-Station-Id = "00-13-E8-94-F3-B5"
       NAS-Port-Type = Wireless-802.11
       Connect-Info = "CONNECT 54Mbps 802.11g"
       EAP-Message = 0x020400060d00
       NAS-IP-Address = 192.168.100.5
       NAS-Port = 1
       NAS-Port-Id = "STA port # 1"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
 modcall[authorize]: module "preprocess" returns ok for request 14
 modcall[authorize]: module "chap" returns noop for request 14
 modcall[authorize]: module "mschap" returns noop for request 14
   rlm_realm: No '@' in User-Name = "mike", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 14
 rlm_eap: EAP packet type response id 4 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 14
   users: Matched DEFAULT at 152
   users: Matched DEFAULT at 171
   users: Matched mike at 219
 modcall[authorize]: module "files" returns ok for request 14
modcall: group authorize returns updated for request 14
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
 rlm_eap: Request found, released from the list
 rlm_eap: EAP/tls
 rlm_eap: processing type tls
 rlm_eap_tls: Authenticate
 rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
 rlm_eap_tls: ack alert
 eaptls_verify returned 4
 eaptls_process returned 4
rlm_eap: Handler failed in EAP/tls
 rlm_eap: Failed in EAP select
 modcall[authenticate]: module "eap" returns invalid for request 14
modcall: group authenticate returns invalid for request 14
auth: Failed to validate the user.
Login incorrect: [mike/<no User-Password attribute>] (from client mikiemike.net port 1 cli 00-13-E8-94-F3-B5)
Delaying request 14 for 1 seconds
Finished request 14
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.100.5:2689, id=4, length=187
Sending Access-Reject of id 4 to 192.168.100.5:2689
       EAP-Message = 0x04040004
       Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Cleaning up request 5 ID 0 with timestamp 48552e1d

Can anybody help me?


Thanks in advance
regards,
Mike