Hi All, I am using FreeRADIUS 2.1.0. PEAP/TTLS is working fine, and I am facing a problem with TLS authentication. I am able to generate certificates, but while connecting it throws an authentication error. Can someone send me client.cnf and server.cnf? Also let me know whether installing only the client certificate is enough or whether we need to install ca.pem on the client side as well. Please let me know how to debug it.
rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060d00
        Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x370203010001a381d33081d0301d0603551d0e041604146495968035da2071580d6554ff37f49f34a6a4fc3081a00603551d2304819830819580146495968035da2071580d6554ff37f49f34a6a4fca172a470306e310b300906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f82090088f0548531fc31df300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c60eb4fe9642b5cf1a479ddd03
        EAP-Message = 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
        EAP-Message = 0x01024000720070306e310b30
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300060d00
        Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4908
        EAP-Message = 0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
Finished request 157.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6, length=154
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0204000d0d001503010002012a
        Message-Authenticator = 0x782f15b2fce0fe49f406f1cb224b1ccf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
SSL Application Data
TLS failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> ma...@nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 158 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6, length=136
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0204000d0d001503010002020a
        Message-Authenticator = 0x542730d7c53937fe5e038692a71646ff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> ma...@nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 159 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 146 ID 6 with timestamp +2141
Cleaning up request 147 ID 6 with timestamp +2141
Waking up in 0.5 seconds.
Sending delayed reject for request 158
Sending Access-Reject of id 6 to 192.168.1.1 port 4910
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Sending delayed reject for request 159
Sending Access-Reject of id 6 to 192.168.1.1 port 4912
Waking up in 1.1 seconds.
Cleaning up request 148 ID 6 with timestamp +2143
Cleaning up request 149 ID 6 with timestamp +2143
Cleaning up request 150 ID 6 with timestamp +2143
Cleaning up request 151 ID 6 with timestamp +2143
Waking up in 1.0 seconds.
Cleaning up request 152 ID 6 with timestamp +2143
Cleaning up request 153 ID 6 with timestamp +2143
Waking up in 1.7 seconds.
Cleaning up request 154 ID 6 with timestamp +2146
Cleaning up request 155 ID 6 with timestamp +2146
Cleaning up request 156 ID 6 with timestamp +2146
Cleaning up request 157 ID 6 with timestamp +2146
Waking up in 1.0 seconds.
Cleaning up request 158 ID 6 with timestamp +2146
Cleaning up request 159 ID 6 with timestamp +2146

Regards
Senthil
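As an added example (not from the post above or from the FreeRADIUS project), a small Python parser for radiusd -X output of the kind shown: it groups lines per Access-Request and turns each "TLS Alert read/write" line into a hint about which side rejected which certificate. The log excerpt inside it is constructed from the post's own lines; the hint wording, and the reading that a "read" alert was sent by the supplicant, are this example's own.

```python
import re

# Constructed sample: a trimmed, one-entry-per-line excerpt of the radiusd -X output
# in the post (a request answered with a Challenge, then the one where the supplicant
# answers the server Certificate with a TLS alert).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
[eap] EAP packet type response id 2 length 6
[tls] eaptls_process returned 13
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6, length=154
[eap] EAP packet type response id 4 length 13
TLS Alert read:warning:bad certificate
[tls] eaptls_process returned 4
Failed to authenticate the user.
"""

EAP_ID_RE = re.compile(r"^\[eap\] EAP packet type response id (\d+)")
ALERT_RE = re.compile(r"^TLS Alert (read|write):(warning|fatal):(.+)$")

# "read": the server read the alert, so the supplicant sent it after checking the
# server certificate; "write": the server sent it after checking the client's.
HINTS = {
    "read": "supplicant rejected the server certificate; install the CA that signed it (ca.pem) on the client",
    "write": "server rejected the client certificate; check it chains to the CA_file in the tls {} section of eap.conf",
}

def parse_eap_tls_log(text):
    """Group radiusd -X lines per Access-Request and pull out the TLS outcome."""
    requests = []
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            requests.append({"eap_id": None, "alerts": [], "outcome": None})
        elif not requests:
            continue  # noise before the first request
        elif m := EAP_ID_RE.match(line):
            requests[-1]["eap_id"] = int(m.group(1))
        elif m := ALERT_RE.match(line):
            requests[-1]["alerts"].append((m.group(1), m.group(2), m.group(3)))
        elif line.startswith("Sending Access-Challenge"):
            requests[-1]["outcome"] = "challenge"
        elif line.startswith("Failed to authenticate"):
            requests[-1]["outcome"] = "reject"
    return requests

def diagnose(requests):
    """One hint per TLS alert, naming the EAP id of the request that carried it."""
    return [f"EAP id {r['eap_id']}: {lvl} '{desc}' - {HINTS[side]}"
            for r in requests for side, lvl, desc in r["alerts"]]
```

Run it as `for hint in diagnose(parse_eap_tls_log(SAMPLE_LOG)): print(hint)` against a full -X transcript to see, per request, whether the alert came from the supplicant or from the server.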
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html