Re: TLS handshaking problem

2006-10-13 Thread K. Hoercher

Hi,

maybe a few helpful notes:

On 10/12/06, Giuseppina Venezia <[EMAIL PROTECTED]> wrote:

> I've seen that in the first request, TLS gives an error (
> TLS_accept:error in SSLv3 read client certificate A ) but in the third
> request (with the same login) it works.
> What's wrong?


"TLS_accept:error" isn't really an error here, just an error message
not to worry about (see the list archives).

The different requests/challenges are part of the ongoing EAP
mechanism (normally consisting of approx. 5-15 in either direction).
So after the third one:

> SSL Connection Established

means just that, it's not a successful auth yet.
If configured/working correctly, the next challenge sent by freeradius
would be requiring the client (meaning supplicant) to provide the
user's credentials inside the now established SSL layer (inside EAP
transmitted inside RADIUS protocol from the client (here meaning nas,
i.e. apparently chillispot)).

Apparently you cut the freeradius debug here, as the chillispot claims:

> Received access reject from radius server

which doesn't show up in freeradius debug output as being sent.

So whatever (really) fails is further down the line. You should check that.

regards
K. Hoercher
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
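Not part of the thread: an added Python script of mine that applies the reading in the reply above mechanically to a FreeRADIUS 1.x debug log, so you can see at a glance whether the conversation stopped inside the TLS handshake, after "SSL Connection Established" (tunnel up, inner auth still pending), or at an Access-Accept/Reject actually sent by freeradius. The "TLS_accept:error in SSLv3 read client certificate A" line is counted as the harmless noise the reply describes rather than as a failure. The sample log lines are constructed in the shape of the output quoted in this thread, and the "Sending Access-Challenge of id N to HOST port P" reply line format is an assumption about the 1.x debug output, not something the thread shows.

```python
import re

# Patterns modelled on the FreeRADIUS 1.x debug lines quoted in this thread.
RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
# Assumption: the reply line looks like
# "Sending Access-Challenge of id 2 to 192.168.181.1 port 1026".
SEND_RE = re.compile(r"^Sending (Access-(?:Challenge|Accept|Reject)) of id (\d+) to ")
TLS_INFO_RE = re.compile(r"^TLS_accept:")
# The message the reply in this thread says is harmless during the EAP/TLS handshake.
BENIGN_TLS = "TLS_accept:error in SSLv3 read client certificate A"
TUNNEL_UP = "SSL Connection Established"


def triage(log_text):
    """Walk one FreeRADIUS debug log and report how far the EAP conversation got."""
    packets = []          # one record per Access-Request, in arrival order
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            current = {"id": int(m.group(2)), "nas": m.group(1),
                       "tls": [], "tunnel": False, "reply": None}
            packets.append(current)
            continue
        if current is None:
            continue          # lines before the first request (module loading etc.)
        if TLS_INFO_RE.match(line):
            current["tls"].append(line)
        elif line == TUNNEL_UP:
            current["tunnel"] = True
        else:
            m = SEND_RE.match(line)
            if m and int(m.group(2)) == current["id"]:
                current["reply"] = m.group(1)

    tls_lines = [l for p in packets for l in p["tls"]]
    benign = sum(1 for l in tls_lines if l == BENIGN_TLS)
    tunnel = any(p["tunnel"] for p in packets)
    replies = [p["reply"] for p in packets if p["reply"]]

    if "Access-Accept" in replies:
        result = "accept"
        verdict = "freeradius sent Access-Accept: inner authentication succeeded."
    elif "Access-Reject" in replies:
        result = "reject"
        verdict = "freeradius sent Access-Reject: read the authenticate output just before it."
    elif tunnel:
        result = "pending"
        verdict = ("TLS tunnel established but freeradius is still challenging; "
                   "no reject was sent from here, so a reject seen at the NAS "
                   "originated elsewhere (proxy/NAS) or the log was cut short.")
    else:
        result = "pending"
        verdict = "still inside the TLS handshake; no tunnel yet."

    return {
        "requests": len(packets),
        "benign_tls_noise": benign,
        "other_tls_messages": [l for l in tls_lines if l != BENIGN_TLS],
        "tunnel_established": tunnel,
        "radius_result": result,
        "verdict": verdict,
    }


# Constructed sample, shaped like the debug output quoted in the thread (not a real capture).
SAMPLE_CHALLENGE_LOG = """\
rad_recv: Access-Request packet from host 192.168.181.1:1026, id=0, length=118
  rlm_eap: EAP packet type response id 0 length 10
Sending Access-Challenge of id 0 to 192.168.181.1 port 1026
rad_recv: Access-Request packet from host 192.168.181.1:1026, id=1, length=160
  rlm_eap: EAP packet type response id 1 length 80
TLS_accept:error in SSLv3 read client certificate A
Sending Access-Challenge of id 1 to 192.168.181.1 port 1026
rad_recv: Access-Request packet from host 192.168.181.1:1026, id=2, length=140
TLS_accept: SSLv3 read finished A
SSL Connection Established
Sending Access-Challenge of id 2 to 192.168.181.1 port 1026
"""

# Same conversation continued with a reject actually sent by freeradius (also constructed).
SAMPLE_REJECT_LOG = SAMPLE_CHALLENGE_LOG + """\
rad_recv: Access-Request packet from host 192.168.181.1:1026, id=3, length=200
  rlm_eap: EAP packet type response id 3 length 120
Sending Access-Reject of id 3 to 192.168.181.1 port 1026
"""

if __name__ == "__main__":
    for name, log in (("challenge-only", SAMPLE_CHALLENGE_LOG), ("rejected", SAMPLE_REJECT_LOG)):
        summary = triage(log)
        print(name, summary["requests"], "requests,",
              summary["benign_tls_noise"], "benign TLS lines ->", summary["verdict"])
```

Feed it a real `radiusd -X` capture instead of the samples (`triage(open(path).read())`); the point of the per-packet records is that a "Received access reject" on the chillispot side with no matching "Sending Access-Reject" in freeradius output pins the failure on the hop between them, exactly as the reply above argues.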


TLS handshaking problem

2006-10-12 Thread Giuseppina Venezia

Hi all,
my configuration is FreeRadius (1.0.5) with Chillispot in proxy mode
(and WPA-Enterprise-Auto). When I try to connect with a client, it
accepts the certificate, but authentication fails.
FreeRadius communicates with Chillispot and all seems to work fine.
I've seen that in the first request, TLS gives an error (
TLS_accept:error in SSLv3 read client certificate A ) but in the third
request (with the same login) it works.
What's wrong?
Best regards.

These are the radius and chilli logs:

rad_recv: Access-Request packet from host 192.168.181.1:1026, id=0, length=118
User-Name = "prof1"
EAP-Message = 0x020a0170726f6631
Message-Authenticator = 0xa755e14d8f738a60ad50681a848c4d27
Calling-Station-Id = "00-17-F2-44-11-C2"
Called-Station-Id = "00-50-BF-E3-E8-2A"
NAS-Port-Type = Wireless-802.11
NAS-Port = 1
NAS-IP-Address = 192.168.181.1
NAS-Identifier = "14"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
 modcall[authorize]: module "preprocess" returns ok for request 0
 modcall[authorize]: module "chap" returns noop for request 0
 modcall[authorize]: module "mschap" returns noop for request 0
   rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL
   rlm_realm: Found realm "NULL"
   rlm_realm: Adding Stripped-User-Name = "prof1"
   rlm_realm: Proxying request from user prof1 to realm NULL
   rlm_realm: Adding Realm = "NULL"
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "suffix" returns noop for request 0
 rlm_eap: EAP packet type response id 0 length 10
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 0
   users: Matched entry DEFAULT at line 154
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'ou=mydepartment,dc=mydomain,dc=it'
radius_xlat:  '(uid=prof1)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=Manager,dc=mydomain,dc=it/password to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with
filter (uid=prof1)
rlm_ldap: ldap_release_conn: Release Id: 0
radius_xlat:  '(|(&(objectClass=GroupOfNames)(member=cn=Maurizio
Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio
Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with
filter (&(cn=student)(|(&(objectClass=GroupOfNames)(member=cn=Maurizio
Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio
Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in cn=Maurizio
Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with
filter (objectclass=*)
rlm_ldap::groupcmp: Group student not found or user not a member
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prof1
radius_xlat:  '(uid=prof1)'
radius_xlat:  'ou=mydepartment,dc=mydomain,dc=it'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with
filter (uid=prof1)
rlm_ldap: checking if remote access for prof1 is allowed by userPassword
rlm_ldap: Added password a in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value
00-05-5D-25-12-5B & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value
00-02-C7-8F-A0-16 & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value
00-0B-6B-4A-22-E8 & op=21
rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value
00-17-F2-44-11-C2 & op=21
rlm_ldap: Adding userPassword as User-Password, value a & op=21
rlm_ldap: looking for reply items in directory...
rlm_ldap: Adding radiusFilterId as Filter-Id, value 98 & op=11
rlm_ldap: user prof1 authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
 modcall[authorize]: module "ldap" returns ok for request 0
rlm_checkval: Item Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-05-5D-25-12-5B
rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16
rlm_che