I want to configure EAP-TLS on FreeRADIUS but it doesn't work. I hope the
information below is enough.
I am using FreeRADIUS 2.1.1 (openSUSE 11.1). First I configured PAP using
this tutorial (
http://en.opensuse.org/RadiusServerHOWTO#Configuring_file_based_authentication
) and it works with an XP supplicant. Then I wanted to configure EAP-TLS.

Well, the tutorials I found said that there is not much to do, and I guess
that's wrong.
I only changed pap to tls in eap.conf:

        eap {
                default_eap_type = tls

The Cisco 2950 switch was added to clients.conf while following the PAP tutorial:

client 192.168.5.3 {
        secret          = testing123
        shortname       = cisco
}

Well, I added some attributes in the users file because of dynamic
VLANs, but I think that's not relevant now, is it?:

oss-radius      Cleartext-Password := "hello"
                Auth-Type := EAP,
                Tunnel-Type = 13,
                Tunnel-Medium-Type = 6,
                Tunnel-Private-Group-Id = 5

For testing I created the standard certificates from FreeRADIUS with these
commands:
cd /etc/raddb/certs/
make all
make client.pem

Before I did this I changed the commonName and the email address in
client.cnf:

[client]
countryName             = FR
stateOrProvinceName     = Radius
localityName            = Somewhere
organizationName        = Example Inc.
emailAddress            = oss-radius
commonName              = oss-radius

I imported ca.der and client.p12 on the XP client and finally configured the
XP client for EAP-TLS:
http://old.nabble.com/file/p26515010/zertifikateinstellung.jpg

The authentication doesn't work, and this is the debugging output:

rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=3, length=110
        NAS-IP-Address = 192.168.5.3
        NAS-Port = 50012
        NAS-Port-Type = Ethernet
        User-Name = "oss-radius"
        Calling-Station-Id = "00-0B-6A-2B-DA-78"
        Service-Type = Framed-User
        EAP-Message = 0x0201000f016f73732d726164697573
        Message-Authenticator = 0xf68cf58770b7aca2671434c718bc4fb9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 192.168.5.3 port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8f71f7ba8f73faff5e448e0442a84581
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=4, length=193
        NAS-IP-Address = 192.168.5.3
        NAS-Port = 50012
        NAS-Port-Type = Ethernet
        User-Name = "oss-radius"
        Calling-Station-Id = "00-0B-6A-2B-DA-78"
        Service-Type = Framed-User
        State = 0x8f71f7ba8f73faff5e448e0442a84581
        EAP-Message = 0x020200500d800000004616030100410100003d03014b0d47720ea38e9c9e290d9e80220a921d82c0e9cb675bbf329d349ac5f22ec700001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x20c78201bedf353fa22ef5383779e476
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry oss-radius at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 192.168.5.3 port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "5"
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8f71f7ba8e72faff5e448e0442a84581
Finished request 1.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 3 with timestamp +66
Waking up in 0.2 seconds.
Cleaning up request 1 ID 4 with timestamp +66
Ready to process requests.


Well, I use the standard certificates only for testing, but am I right that the
problem is caused by the certificates?
If you need the full output or the configs, please don't hesitate to contact
me.

-- 
View this message in context: 
http://old.nabble.com/Problem-with-EAP-TLS-tp26515010p26515010.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to
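The debug output above shows FreeRADIUS summarising three EAP messages ("EAP packet type response id 1 length 15", "EAP Identity", "TLS Length 70", "Length Included", "ClientHello [length 0041]") without showing the bytes behind them. The following decoder, added here as an example and not part of the original post or of FreeRADIUS, reads the EAP-Message attributes exactly as they appear in the log and checks those summaries against the wire format: the RFC 3748 EAP header, the EAP-TLS flags byte and optional length field (RFC 5216), the TLS record header, and the ClientHello body down to the cipher-suite list. The three hex strings are copied from the Access-Request and Access-Challenge packets above; the helper names and the cipher-suite name table are this example's own.

```python
"""Decode the EAP / EAP-TLS messages that appear in a FreeRADIUS debug log.

Added example, not FreeRADIUS code. The three hex strings below are copied
from the packets in the post above; everything else is this example's own.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}
# Names (RFC 2246 and the 56-bit export draft) for the suites this supplicant offers.
CIPHER_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
}

# Copied from the EAP-Message attributes in the debug output above.
IDENTITY_RESPONSE = "0x0201000f016f73732d726164697573"
EAP_TLS_START = "0x010200060d20"
CLIENT_HELLO = ("0x020200500d800000004616030100410100003d03014b0d47720ea38e9c9e290d9e"
                "80220a921d82c0e9cb675bbf329d349ac5f22ec700001600040005000a0009006400"
                "62000300060013001200630100")


def parse_eap(hexstr):
    """Parse one EAP packet: RFC 3748 header, then an Identity or EAP-TLS payload."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):                      # only Request/Response carry a Type byte
        eap_type = data[4]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            pkt["identity"] = data[5:].decode("ascii", "replace")
        elif eap_type == 13:
            pkt.update(parse_eap_tls(data[5:]))
    return pkt


def parse_eap_tls(payload):
    """EAP-TLS (RFC 5216): flags byte (L=0x80, M=0x40, S=0x20), optional 4-byte
    total TLS length when L is set, then raw TLS records."""
    flags = payload[0]
    info = {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20)}
    offset = 1
    if info["length_included"]:
        info["tls_length"] = struct.unpack("!I", payload[1:5])[0]
        offset = 5
    tls_data = payload[offset:]
    if tls_data:                            # an EAP-TLS Start carries no TLS data
        info["records"] = parse_tls_records(tls_data)
    return info


def parse_tls_records(data):
    """Split TLS records (type, version, length); decode handshake headers and ClientHello."""
    records, offset = [], 0
    while offset < len(data):
        ctype, ver_major, ver_minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        rec = {"content_type": TLS_CONTENT.get(ctype, ctype),
               "version": "%d.%d" % (ver_major, ver_minor),   # 3.1 is TLS 1.0
               "length": length}
        if ctype == 22 and len(body) >= 4:
            hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
            rec["handshake"] = HANDSHAKE.get(hs_type, hs_type)
            rec["handshake_length"] = hs_len
            if hs_type == 1:
                rec.update(parse_client_hello(body[4:4 + hs_len]))
        records.append(rec)
        offset += 5 + length
    return records


def parse_client_hello(body):
    """ClientHello: version, 32-byte random, session id, cipher suites (compression skipped)."""
    major, minor = body[0], body[1]
    pos = 2 + 32                            # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"client_version": "%d.%d" % (major, minor),
            "session_id_length": sid_len,
            "cipher_suites": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites]}


if __name__ == "__main__":
    for name, hexstr in (("Identity", IDENTITY_RESPONSE),
                         ("EAP-TLS Start", EAP_TLS_START),
                         ("ClientHello", CLIENT_HELLO)):
        print(name, parse_eap(hexstr))
```

Run as-is, the decoder confirms the log: the first Response (id 1, length 15) is an Identity carrying "oss-radius"; the server's Challenge (id 2, length 6) is an EAP-TLS packet with only the S flag set, i.e. the EAP-TLS Start that "[tls] Initiate" logged; and the second Response (id 2, length 80) has the L flag set, a TLS length of 70, and one TLS 1.0 Handshake record of 0x41 bytes holding a 0x3d-byte ClientHello. The ClientHello offers eleven suites, all RSA or DHE-DSS with RC4, DES, 3DES or export ciphers and none with AES, which is what a Windows XP Schannel supplicant of that era sends; the server still answered with a ServerHello, so suite negotiation is not where this exchange stopped. The log ends waiting on "read client certificate", which is the next thing the supplicant has to send.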