freeradius 2.1.8

1. Win7 + Protected EAP (PEAP) + WPA-Enterprise (laptop name: leeyu-laptop)
2. I have installed ca.der on the Win7 and WinXP machines.
3. WinXP + Protected EAP (PEAP) + CA tests successfully, but Win7 fails.

The error happened before Win7 prompted me to enter username && password. FreeRADIUS debug:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /usr/local/freeradius//var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=144, length=191
    User-Name = "host/Leeyu-Laptop"
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 0
    Called-Station-Id = "00195b04c9e2"
    Calling-Station-Id = "001e659fc674"
    NAS-Identifier = "Realtek Access Point. 8181"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0200001601686f73742f4c656579752d4c6170746f70
    Message-Authenticator = 0x2cca1e2672315cf4764cc0fd2544dfe3
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 0 length 22
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[sql_oracle]     ... expanding second conditional
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[sql_oracle]     expand: %{User-Name:-DEFAULT} -> host/Leeyu-Laptop
[sql_oracle]     expand: %{Stripped-User-Name:-%{User-Name:-DEFAULT}} -> host/Leeyu-Laptop
[sql_oracle] sql_set_user escaped user --> 'host/Leeyu-Laptop'
rlm_sql (sql_oracle): Reserving sql socket id: 18
[sql_oracle]     expand: SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'host/Leeyu-Laptop' ORDER BY id
[sql_oracle] User found in radcheck table
[sql_oracle]     expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'host/Leeyu-Laptop' ORDER BY id
[sql_oracle]     expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM radusergroup WHERE UserName='host/Leeyu-Laptop'
rlm_sql (sql_oracle): Released sql socket id: 18
++[sql_oracle] returns ok
[bklist] No Max-Attempts defined.
++[bklist] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 144 to 192.168.0.1 port 3075
    EAP-Message = 0x010100061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x246ddb0b246cc225aad5e24c6756cf9c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=145, length=307
    User-Name = "host/Leeyu-Laptop"
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 0
    Called-Station-Id = "00195b04c9e2"
    Calling-Station-Id = "001e659fc674"
    NAS-Identifier = "Realtek Access Point. 8181"
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0201007e198000000074160301006f0100006b03014cd4fdcd261077436d24f643f2f64fd5b4c4cb53d980a2f2400f17f2fd6205e8000018002f00350005000ac013c014c009c00a00320038001300040100002aff0100010000000011000f00000c6c656579752d6c6170746f70000a0006000400170018000b00020100
    State = 0x246ddb0b246cc225aad5e24c6756cf9c
    Message-Authenticator = 0x08b295f4b9501d45e89fda21cf14c8ad
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 1 length 126
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 116
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006f], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085c], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 145 to 192.168.0.1 port 3075
    EAP-Message = [elided]
    EAP-Message = [elided]
    EAP-Message = 0x43f31ceede8c211b49965710ac8ce6e362addd4d741bdf59fa081bfe86fe3e43cf8289e8ed4e151da4460204318b808959194ba8196e0e6af6d15bd032b1d87a3a34ad2e62982cef6534d7b364afe0241ca534984b2d8d770795fed8e5857bd155a2cc7207d81012fe262344ff32882baa32713ebb2ed1b5d246bcee1dfc31faa51392a1b9578091814034b56bb39fa012062352b08aae929a508b4ec41fe06a071ed6216a360d14253023e52e327bf1b0ebdd2cf0e67b3edc72a134750781b41558f23b9e5cca09558d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038201010045
    EAP-Message = 0x3a993396c01ab3e963bd6f828ece8d30a9e4783015a3c2fff68c0ac81506ba39520977b7b2c111d64b0da28081fb018e6de7ee2f4ca76271ecff6f3e59b36825d9e1d5c3141fb8e05ff230e16de497169f25a7e62a207b0f231ca98a16154894e02cf279e59ed4f165149775a1eaaa52d6ed58f555684d84b0b3caca3227068bf2591434fce17120f5b4c90d687eb9d7b0e77007f98d4c7751432e2c5e71cfa7ff2ceb8f1a2a05f1e20e8a4d639b091a814059665db63b843c207d5c7e4ab13d572224fbb28fe822e1d1a316af5ecee361cffc24143ff40331b2eb5868d5f751299e7ef832297caf99c1f8a199442ee3e7f0375a492cebfde4c1729001
    EAP-Message = 0x0ac70004a8308204a4308203
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x246ddb0b256fc225aad5e24c6756cf9c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=146, length=187
    User-Name = "host/Leeyu-Laptop"
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 0
    Called-Station-Id = "00195b04c9e2"
    Calling-Station-Id = "001e659fc674"
    NAS-Identifier = "Realtek Access Point. 8181"
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020200061900
    State = 0x246ddb0b256fc225aad5e24c6756cf9c
    Message-Authenticator = 0xafa36e7177fb2841b5512080ba8fa1f6
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 146 to 192.168.0.1 port 3075
    EAP-Message = 0x010303fc19408ca003020102020900a82c41eeeb4a4d37300d06092a864886f70d0101050500308192310b300906035504061302434e3110300e060355040813074361706974656b3110300e060355040713074265696a696e6731153013060355040a130c4361706974656b20496e632e3120301e06092a864886f70d010901161161646d696e404361706974656b2e636f6d312630240603550403131d4361706974656b20436572746966696361746520417574686f72697479301e170d3130313032333039333434365a170d3131313032333039333434365a308192310b300906035504061302434e3110300e060355040813074361706974656b
    EAP-Message = [elided]
    EAP-Message = 0x0d725d80646614ed1ff8f074950ab5b3591857ea0a7a6b96ff6088f38ad60a9aec2afc811468d592ae6f0daa3505b4a771c76cb2e95c849b1606372f2d2eb2c860570eaa98d162f411c0fd6e620912f8f58a44a96376fa7ce14b576fe127a57810128fcd25e63706bb41dee082c5aeeba98d6d650276daa7520d0bd5280cc96c998d68cbe9e0ade80efb32e844b927418d9fdb96865ae90203010001a381fa3081f7301d0603551d0e04160414e411bcc416724dfec735b59ffe5b25952ffe185b3081c70603551d230481bf3081bc8014e411bcc416724dfec735b59ffe5b25952ffe185ba18198a48195308192310b300906035504061302434e3110
    EAP-Message = [elided]
    EAP-Message = 0x6d1762af9cc32f77
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x246ddb0b266ec225aad5e24c6756cf9c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=147, length=187
    User-Name = "host/Leeyu-Laptop"
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 0
    Called-Station-Id = "00195b04c9e2"
    Calling-Station-Id = "001e659fc674"
    NAS-Identifier = "Realtek Access Point. 8181"
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020300061900
    State = 0x246ddb0b266ec225aad5e24c6756cf9c
    Message-Authenticator = 0x09cd348a564b11f4a1a5ee3f8aad59a8
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 147 to 192.168.0.1 port 3075
    EAP-Message = 0x010400ba1900f2af5e0bbbca5b63619eda4eafebcc8ce7dd49123dec621a9ee82327050c940e017b605759c85305c408f8e295be432e983bc762c496a9d45daa7044bfb8914236f4a38e213c5f16ac998128ca6f463e57823c7ed2e85ede9522f53be56f523460033146a70d509fa700ea0d7b139040adece74cd15c33064e4604d955a0cdbdfca05de47f8dd88d49935506ed4e61e8beb817af9ba7b135faa8ed6f63239f855d144a1887b38ee114f4a916030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x246ddb0b2769c225aad5e24c6756cf9c
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.0.1 port 3075, id=148, length=198
    User-Name = "host/Leeyu-Laptop"
    NAS-IP-Address = 192.168.0.1
    NAS-Port = 0
    Called-Station-Id = "00195b04c9e2"
    Calling-Station-Id = "001e659fc674"
    NAS-Identifier = "Realtek Access Point. 8181"
    NAS-Port-Type = Wireless-802.11
    Service-Type = Framed-User
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0204001119800000000715030100020230
    State = 0x246ddb0b2769c225aad5e24c6756cf9c
    Message-Authenticator = 0x540a124a43aaa2b5ab81e6c6c5ae9452
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[Capitek.com] No '@' in User-Name = "host/Leeyu-Laptop", looking up realm NULL
[Capitek.com] No such realm "NULL"
++[Capitek.com] returns noop
[eap] EAP packet type response id 4 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept:failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[bklist] returns noop
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[sql_oracle]     ... expanding second conditional
[sql_oracle] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[sql_oracle]     expand: %{User-Name:-DEFAULT} -> host/Leeyu-Laptop
[sql_oracle]     expand: %{Stripped-User-Name:-%{User-Name:-DEFAULT}} -> host/Leeyu-Laptop
[sql_oracle] sql_set_user escaped user --> 'host/Leeyu-Laptop'
[sql_oracle]     expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '<Crypted>', '%{reply:Packet-Type}', TO_DATE('%S','yyyy-mm-dd hh24:mi:ss')) -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'host/Leeyu-Laptop', '<Crypted>', 'Access-Reject', TO_DATE('2010-11-06 15:04:59','yyyy-mm-dd hh24:mi:ss'))
rlm_sql (sql_oracle) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'host/Leeyu-Laptop', '<Crypted>', 'Access-Reject', TO_DATE('2010-11-06 15:04:59','yyyy-mm-dd hh24:mi:ss'))
rlm_sql (sql_oracle): Reserving sql socket id: 17
rlm_sql (sql_oracle): Released sql socket id: 17
++[sql_oracle] returns ok
[attr_filter.access_reject]     expand: %{User-Name} -> host/Leeyu-Laptop
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 148 to 192.168.0.1 port 3075
    EAP-Message = 0x04040004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 144 with timestamp +3
Cleaning up request 1 ID 145 with timestamp +3
Cleaning up request 2 ID 146 with timestamp +3
Cleaning up request 3 ID 147 with timestamp +3
Waking up in 1.0 seconds.
Cleaning up request 4 ID 148 with timestamp +3
Ready to process requests.

WinXP does not send its hostname to the RADIUS server, but Win7 does. How did this happen?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
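The EAP-Message values in the debug output above can be decoded to see exactly what each side sent. The following is an added example, not code from the original post or from FreeRADIUS: a small Python decoder that walks the EAP header, the PEAP flags and optional 4-byte TLS length, and the TLS record carried inside, down to an alert's level and description or a ClientHello's cipher suites and server_name (SNI) extension. Run on the four client packets copied from the log, it shows that request 0 is an EAP Identity response carrying "host/Leeyu-Laptop", that the Windows 7 ClientHello in request 1 also names the machine ("leeyu-laptop") in its SNI extension, and that request 4 is an EAP Response (code 2, i.e. originated by the client) whose only content is a TLS alert, level fatal, description unknown_ca (48), sent right after the server's Certificate message. Function and table names are the example's own, and only the RFC 5246 alert codes relevant to certificate checks are mapped.

```python
"""Decoder for the EAP-Message hex values FreeRADIUS prints in debug mode.

Added example (not the original post's or FreeRADIUS's code). Walks the EAP
header, the PEAP (EAP type 25) flags and optional TLS length, then the TLS
record(s) inside, down to an alert's level/description or a ClientHello's
version, cipher suites and SNI. Sample packets are copied from the log above.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_PEAP = 1, 25
TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset of RFC 5246 section 7.2.2 relevant to certificate checks
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error", 70: "protocol_version",
}


def parse_client_hello(body):
    """Return version, cipher suites and server_name (SNI) from a ClientHello body."""
    info = {"version": TLS_VERSIONS.get((body[0], body[1]), (body[0], body[1]))}
    pos = 2 + 32                                   # skip client_version + random
    pos += 1 + body[pos]                           # session_id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                             for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    info["server_name"] = None
    if pos + 2 <= len(body):                       # extensions block is optional
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            ext = body[pos:pos + elen]; pos += elen
            if ext_type == 0 and len(ext) >= 5:    # server_name: list_len(2) type(1) len(2) name
                (name_len,) = struct.unpack("!H", ext[3:5])
                info["server_name"] = ext[5:5 + name_len].decode("ascii")
    return info


def parse_tls_records(data):
    """Yield one dict per TLS record; a record cut short by EAP fragmentation is flagged."""
    while len(data) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
        body, data = data[5:5 + rlen], data[5 + rlen:]
        rec = {"content_type": ctype, "version": TLS_VERSIONS.get((major, minor), (major, minor)),
               "complete": len(body) == rlen}
        if ctype == TLS_ALERT and len(body) >= 2:
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]), ALERT_DESCRIPTIONS.get(body[1], body[1]))
        elif ctype == TLS_HANDSHAKE and rec["complete"] and len(body) >= 4:
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            rec["handshake_type"] = htype
            if htype == 1:                         # ClientHello
                rec["client_hello"] = parse_client_hello(body[4:4 + hlen])
        yield rec


def parse_eap(hex_string):
    """Decode one EAP-Message attribute value (with or without the 0x prefix)."""
    if hex_string.startswith("0x"):
        hex_string = hex_string[2:]
    data = bytes.fromhex(hex_string)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                             # Success/Failure carry no type byte
        return pkt
    pkt["type"], payload = data[4], data[5:]
    if pkt["type"] == EAP_TYPE_IDENTITY:
        pkt["identity"] = payload.decode("ascii", "replace")
    elif pkt["type"] == EAP_TYPE_PEAP:
        flags, body = payload[0], payload[1:]
        pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        if flags & 0x80:                           # L bit: 4-byte total TLS length precedes data
            (pkt["tls_length"],) = struct.unpack("!I", body[:4]); body = body[4:]
        pkt["tls_records"] = list(parse_tls_records(body))   # empty list == PEAP ACK
    return pkt


# Client-to-server packets copied from the debug log above.
IDENTITY = "0x0200001601686f73742f4c656579752d4c6170746f70"
CLIENT_HELLO = ("0x0201007e198000000074160301006f0100006b03014cd4fdcd261077436d24f643f2f64fd5"
                "b4c4cb53d980a2f2400f17f2fd6205e8000018002f00350005000ac013c014c009c00a00320038"
                "001300040100002aff0100010000000011000f00000c6c656579752d6c6170746f70000a000600"
                "0400170018000b00020100")
ACK = "0x020200061900"
ALERT = "0x0204001119800000000715030100020230"
FAILURE = "0x04040004"

if __name__ == "__main__":
    for name, pkt in (("identity", IDENTITY), ("client hello", CLIENT_HELLO),
                      ("ack", ACK), ("alert", ALERT), ("failure", FAILURE)):
        print(name, parse_eap(pkt))
```

Because the alert is a client-originated record, the decoder confirms that it is the supplicant, not the server, that refused the certificate chain it was shown; the server-side PEAP state machine only reports what it read. A quick sanity check on the server side is `openssl verify -CAfile <ca file> <server cert>` against the same files that eap.conf loads, to confirm the chain the client receives is the one the CA installed on the clients actually issued.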