I want to configure EAP-TLS on FreeRADIUS but it doesn't work. I hope the information below is enough. I am using FreeRADIUS 2.1.1 (openSUSE 11.1). First I configured PAP using this tutorial (http://en.opensuse.org/RadiusServerHOWTO#Configuring_file_based_authentication) and it works with an XP supplicant. Then I wanted to configure EAP-TLS.

Well, the tutorials I found said that there is not much to do, and I guess that's wrong. I only edited pap to tls in eap.conf:

    eap {
        default_eap_type = tls

The Cisco 2950 switch was added in clients.conf while following the PAP tutorial:

    client 192.168.5.3 {
        secret = testing123
        shortname = cisco
    }

Well, I added some attributes in the users file because of dynamic VLANs, but I think that's not relevant now, is it?

    oss-radius  Cleartext-Password := "hello", Auth-Type := EAP
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = 5

For testing I created the standard certificates from FreeRADIUS with these commands:

    cd /etc/raddb/certs/
    make all
    make client.pem

Before I did this I changed the commonName and the email address in client.cnf:

    [client]
    countryName = FR
    stateOrProvinceName = Radius
    localityName = Somewhere
    organizationName = Example Inc.
    emailAddress = oss-radius
    commonName = oss-radius

I imported the ca.der and the client.p12 on the XP client and finally I configured the XP client to use EAP-TLS: http://old.nabble.com/file/p26515010/zertifikateinstellung.jpg

The authentication doesn't work and this is the debugging output:

rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=3, length=110
        NAS-IP-Address = 192.168.5.3
        NAS-Port = 50012
        NAS-Port-Type = Ethernet
        User-Name = "oss-radius"
        Calling-Station-Id = "00-0B-6A-2B-DA-78"
        Service-Type = Framed-User
        EAP-Message = 0x0201000f016f73732d726164697573
        Message-Authenticator = 0xf68cf58770b7aca2671434c718bc4fb9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.5.3 port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8f71f7ba8f73faff5e448e0442a84581
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=4, length=193
        NAS-IP-Address = 192.168.5.3
        NAS-Port = 50012
        NAS-Port-Type = Ethernet
        User-Name = "oss-radius"
        Calling-Station-Id = "00-0B-6A-2B-DA-78"
        Service-Type = Framed-User
        State = 0x8f71f7ba8f73faff5e448e0442a84581
        EAP-Message = 0x020200500d800000004616030100410100003d03014b0d47720ea38e9c9e290d9e80220a921d82c0e9cb675bbf329d349ac5f22ec700001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x20c78201bedf353fa22ef5383779e476
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.5.3 port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8f71f7ba8e72faff5e448e0442a84581
Finished request 1.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 3 with timestamp +66
Waking up in 0.2 seconds.
Cleaning up request 1 ID 4 with timestamp +66
Ready to process requests.

Well, I use the standard certificates only for testing, but am I right that the problem is caused by the certificates? If you need the full output or the configs please don't hesitate to contact me.
-- 
View this message in context: http://old.nabble.com/Problem-with-EAP-TLS-tp26515010p26515010.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
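The EAP-Message values in a radiusd -X trace like the one above can be decoded by hand to check what the server reports. The script below is an added example, not part of the original post and not FreeRADIUS code: it parses the outer EAP header, the EAP-TLS flags byte and optional 4-byte TLS length (RFC 5216 section 3.1), and, for the second request, the TLS record and ClientHello inside it. The three packets used as input are copied from the debug output in the post; the cipher-suite name map is a partial copy of the IANA TLS registry covering only the suites that appear in that ClientHello, and the weak_suites helper and its criteria are this example's own.

```python
"""Decode EAP / EAP-TLS packets from a FreeRADIUS debug log (added example)."""
from datetime import datetime, timezone

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# Partial map of TLS cipher suite IDs (IANA registry); only the suites that
# appear in the captured ClientHello are listed here.
CIPHER_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
}


def parse_eap(hexstr: str) -> dict:
    """Parse one EAP packet as printed in a RADIUS EAP-Message attribute."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):          # Success / Failure carry no Type field
        return pkt
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
    body = raw[5:]
    if eap_type == 1:
        pkt["identity"] = body.decode("ascii", "replace")
    elif eap_type == 13:
        pkt.update(parse_eap_tls(body))
    return pkt


def parse_eap_tls(body: bytes) -> dict:
    """Decode the EAP-TLS flags byte (L, M, S bits) and the TLS length if present."""
    flags = body[0]
    out = {
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
    }
    data = body[1:]
    if out["length_included"]:
        out["tls_length"] = int.from_bytes(data[:4], "big")
        data = data[4:]
    out["tls_data"] = data
    if len(data) >= 5 and data[0] == 0x16:   # 0x16 = TLS handshake record
        out["record"] = parse_handshake_record(data)
    return out


def parse_handshake_record(data: bytes) -> dict:
    """Parse a TLS record header and, for a ClientHello, its body."""
    rec_len = int.from_bytes(data[3:5], "big")
    hs = data[5:5 + rec_len]
    rec = {"version": (data[1], data[2]), "record_length": rec_len,
           "handshake_type": hs[0], "handshake_length": int.from_bytes(hs[1:4], "big")}
    if hs[0] != 1:                               # 1 = ClientHello
        return rec
    ch = hs[4:4 + rec["handshake_length"]]
    pos = 0
    rec["client_version"] = (ch[0], ch[1]); pos = 2
    gmt = int.from_bytes(ch[pos:pos + 4], "big"); pos += 32   # random: 4-byte time + 28
    rec["gmt_unix_time"] = datetime.fromtimestamp(gmt, timezone.utc)
    pos += 1 + ch[pos]                                         # skip session id
    cs_len = int.from_bytes(ch[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(ch[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    rec["cipher_suites"] = [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites]
    pos += cs_len
    rec["compression"] = list(ch[pos + 1:pos + 1 + ch[pos]])
    return rec


def weak_suites(names):
    """Example criterion: export-grade, RC4 and single-DES suites."""
    return [n for n in names if "EXPORT" in n or "RC4" in n or "_DES_" in n]


# Constructed inputs: the three EAP-Message values quoted in the post above.
IDENTITY_RESPONSE = "0x0201000f016f73732d726164697573"
TLS_START = "0x010200060d20"
CLIENT_HELLO = ("0x020200500d800000004616030100410100003d03014b0d47720ea38e9c9e290d"
                "9e80220a921d82c0e9cb675bbf329d349ac5f22ec700001600040005000a0009"
                "00640062000300060013001200630100")

if __name__ == "__main__":
    for h in (IDENTITY_RESPONSE, TLS_START, CLIENT_HELLO):
        print(parse_eap(h))
```

Decoding the second request gives an EAP Response of length 80, type 13, flags 0x80 (length included) and a TLS length of 70, and a handshake record of length 0x41 carrying a ClientHello, which is exactly what the [tls] lines in the trace report; the server's challenge 0x010200060d20 is the EAP-TLS Start packet (flags 0x20). The ClientHello from the XP supplicant offers only RC4, DES, 3DES and export-grade suites, all of which modern TLS stacks disable by default, so this capture only handshakes against a 2009-era OpenSSL build such as the one behind FreeRADIUS 2.1.1.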