FreeRADIUS EAP/TLS problem

2003-09-17 Thread olaf . wischhusen
Hello everybody,

my RADIUS server crashes every time the supplicant tries to
authenticate.
I use FreeRADIUS 0.9.1 on a Linux (Redhat8 Kernel 2.4.20) machine. The supplicant
is also installed on a Linux machine (Xsupplicant 0.7), and the authentication
protocol is EAP-TLS. The access point is a workstation with HostAP.

After starting FreeRadius I get this sequence of messages:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
rlm_eap: Loaded and initialized the type md5
rlm_eap: Loaded and initialized the type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/1x/r/cert-srv.pem
 tls: certificate_file = /etc/1x/r/cert-srv.pem
 tls: CA_file = /etc/1x/r/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/1x/r/dh
 tls: random_file = /etc/1x/r/random
 tls: fragment_size = 1750
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: 

Re: FreeRADIUS EAP/TLS problem

2003-09-17 Thread Artur Hecker
I can't tell you what the problem is, but it looks like it is NOT linked
against the correct library, since the function which is not found is
NOT part of the 0.9.6 openssl BUT of the 0.9.7b. You probably compiled
with the good version (otherwise it wouldn't compile in the first place)
but the runtime is loading the old version. Try an explicit LD_PRELOAD.

ciao
artur

RE: FreeRADIUS EAP/TLS problem

2003-09-17 Thread Paul Hampson
 From: [EMAIL PROTECTED]
 Sent: Wednesday, 17 September 2003 8:33 PM

 /usr/local/sbin/radiusd: relocation error: /usr/local/lib/rlm_eap_tls-0.9.1.so: undefined symbol: SSL_set_msg_callback_arg

Try ldd /usr/local/lib/rlm_eap_tls-0.9.1.so, and see if it's
linking to the correct OpenSSL library.

--
=
Paul TBBle Hampson
Bubblesworth Pty Ltd (ABN: 51 095 284 361)
[EMAIL PROTECTED]

This is a one line proof...if we start
sufficiently far to the left.
-- Cambridge University Math Department
-
Random signature generator 3.0 by Paul TBBle Hampson
=


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
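The two replies above (check the run-time library with ldd, then suspect a library that lacks the symbol) can be turned into one diagnostic. The script below is an added example, not code from the thread or from FreeRADIUS: it lists which libssl/libcrypto a module resolves to, extracts their version suffix, and checks whether any of them exports the missing symbol; the module path and symbol name are the ones from the error quoted above. It assumes GNU ldd and binutils nm are installed.

```shell
#!/bin/sh
# Added example, not from the thread: explain a "relocation error: undefined
# symbol" by checking (1) which libssl/libcrypto a FreeRADIUS module resolves
# to at run time and (2) whether that library actually exports the symbol.
# Assumes GNU ldd and binutils nm are available.

# Read ldd output on stdin; print "soname resolved-path" for each OpenSSL
# library (ldd prints the DT_NEEDED name, "=>", the resolved file, an address).
ssl_libs_from_ldd() {
    awk '$2 == "=>" && $1 ~ /lib(ssl|crypto)\.so/ {
        name = $1; sub(/.*\//, "", name)
        print name, ($3 == "not" ? "MISSING" : $3)
    }'
}

# Version suffix of an OpenSSL library file name, e.g. "0.9.7a".
lib_version() {
    printf '%s\n' "$1" | sed -n 's/.*\.so\.//p'
}

# Read `nm -D` output on stdin; succeed if it exports symbol $1 as a
# defined text (T) or weak (W) symbol.
symbol_exported() {
    awk -v sym="$1" '($2 == "T" || $2 == "W") && $3 == sym { found = 1 }
                     END { if (found) exit 0; exit 1 }'
}

# Run the real tools against a module: report every OpenSSL library the
# dynamic loader picks for it, and whether one of them provides $2.
check_module() {
    mod="$1"; sym="$2"; ok=1
    for path in $(ldd "$mod" | ssl_libs_from_ldd | awk '{ print $2 }'); do
        if [ "$path" = MISSING ]; then
            echo "$mod: an OpenSSL library is not found by the loader at all"
            continue
        fi
        echo "$mod -> $path (OpenSSL $(lib_version "$path"))"
        if [ -r "$path" ] && nm -D "$path" | symbol_exported "$sym"; then
            ok=0
        fi
    done
    if [ "$ok" -eq 0 ]; then
        echo "OK: $sym is exported by a library the loader resolves"
    else
        echo "FAIL: no resolved libssl/libcrypto exports $sym;" \
             "the run-time OpenSSL is not the one the module was built against"
    fi
    return "$ok"
}

# Constructed ldd lines in the format shown in this thread, for a dry run
# without the real binaries.
SAMPLE_LDD='        /lib/libssl.so.0.9.7a => /lib/libssl.so.0.9.7a (0x40017000)
        /lib/libcrypto.so.0.9.7a => /lib/libcrypto.so.0.9.7a (0x4004c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40151000)'

printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
# Real run on the module and symbol from the error above:
# check_module /usr/local/lib/rlm_eap_tls-0.9.1.so SSL_set_msg_callback_arg
```

Run check_module against the module and symbol from the error; a FAIL with a 0.9.6 path is exactly the mismatch the replies describe, and a second path can then be tried with LD_LIBRARY_PATH or LD_PRELOAD.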


EAP-TLS problem

2003-08-29 Thread Yu-Ping Wang



Hi,

I use the WinXP supplicant to authenticate with a FreeRADIUS server
by EAP-TLS.

On the RADIUS server in debug mode ("run-radiusd -X -A"), I see the
Access-Accept log, and my network adaptor status is authenticated
successfully.

When I ping the AP, I get a reply message, but after 5 sec I get a
request timeout message.

What's wrong with this?

Thanks in advance.

Sincerely,
Yu-Ping Wang


Re: EAP-TLS problem

2003-08-28 Thread Alan DeKok
Jason Haar [EMAIL PROTECTED] wrote:
 The only way I've found to get it to work is to manually
...
 There must be a cleaner way... Besides moving to another distro ;-)

  Find out what is in 0.9.7b, which isn't in 0.9.6, and create patches
for FreeRADIUS to work with 0.9.6.

  The server can get better only if people submit patches.

  Alan DeKok.



EAP-TLS problem

2003-08-27 Thread pankaj Goel

 Hi,

  I was successfully using EAP-TLS with FreeRADIUS
version 0.8.1. Last week I checked out the latest CVS
version as there have been some changes in the EAP-TLS
module in the latest version. I re-configured it only
to run into some problems. It breaks down before
starting the TLS handshake.

I again got it to work if I go back to version 0.8.1.
I do not know what's going wrong with the CVS version.
 
Thanks in advance,
Pankaj

PS : The output with the CVS version is :
[EMAIL PROTECTED] root]# /usr/local/sbin/radiusd -X -A
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /root/Eap-Setup/EAP-TLS-SERVER.pem
 tls: certificate_file = /root/Eap-Setup/EAP-TLS-SERVER.pem
 tls: CA_file = /root/Eap-Setup/root.pem
 tls: private_key_password = whatever
 tls: dh_file = /root/Eap-Setup/DH
 tls: random_file = /root/Eap-Setup/random
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /usr/local/etc/raddb/huntgroups
 preprocess: hints = /usr/local/etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /usr/local/var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 

Re: EAP-TLS problem

2003-08-27 Thread Fabrice Beauvir
pankaj Goel wrote:

TLS_accept: before/accept initialization
Segmentation fault
 

I got the same thing when using the wrong libcrypto (0.9.6 instead of 0.9.7)
shared library.

Check your LD_LIBRARY_PATH.



RE: EAP-TLS problem

2003-08-27 Thread Paul Hampson
 From: Fabrice Beauvir
 Sent: Thursday, 28 August 2003 12:47 AM

 pankaj Goel wrote:
 
 TLS_accept: before/accept initialization
 Segmentation fault

 I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7) 
 shared library.

 Check your LD_LIBRARY_PATH

Was this because you linked against one, but tried to run against
the other, or is there a problem between OpenSSL 0.9.6 and FreeRADIUS's
EAP-TLS?





RE: EAP-TLS problem

2003-08-27 Thread pankaj Goel

--- Paul Hampson [EMAIL PROTECTED] wrote:
  From: Fabrice Beauvir
  Sent: Thursday, 28 August 2003 12:47 AM
 
  pankaj Goel wrote:
  
  TLS_accept: before/accept initialization
  Segmentation fault
 
  I got the same thing with using wrong libcrypto (0.9.6 instead 0.9.7)
  shared library.
 
  Check your LD_LIBRARY_PATH
 
 Was this because you linked against one, but tried to run against
 the other, or is there a problem between OpenSSL 0.9.6 and FreeRADIUS's
 EAP-TLS?
 
 --

Yeah, it makes sense, but I am using the same
compilation and run-time variables for both the 0.8.1
and CVS versions, like
LD_LIBRAY_PATH=/usr/local/openssl/lib

The following libs are included when I do a

ldd /usr/local/sbin/radiusd
        /lib/libssl.so.0.9.7a => /lib/libssl.so.0.9.7a (0x40017000)
        /lib/libcrypto.so.0.9.7a => /lib/libcrypto.so.0.9.7a (0x4004c000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40151000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4017e000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x40193000)
        libpthread.so.0 => /lib/tls/libpthread.so.0 (0x401a6000)
        libradius-0.9-pre.so => /usr/local//lib/libradius-0.9-pre.so (0x401b3000)
        libltdl.so.3 => /usr/lib/libltdl.so.3 (0x401c5000)
        libdl.so.2 => /lib/libdl.so.2 (0x401cc000)
        libc.so.6 => /lib/tls/libc.so.6 (0x4200)
        libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x401cf000)
        libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x401e3000)
        libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x40241000)
        libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x40251000)
        libz.so.1 => /usr/lib/libz.so.1 (0x40253000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x4000)


Pankaj.





Re: EAP-TLS problem

2003-08-27 Thread Alan DeKok
pankaj Goel [EMAIL PROTECTED] wrote:
 Yeah it makes sense, but I am using the same
 compilation and run-time varibales for both the 0.8.1
 and cvs version like
 LD_LIBRAY_PATH=/usr/local/openssl/lib
 
 THe following libs are inluded when i do a 
 
 ldd /usr/local/sbin/radiusd
 /lib/libssl.so.0.9.7a => /lib/libssl.so.0.9.7a

  You need 0.9.7b, don't ask me why.

  Alan DeKok.



Re: EAP-TLS problem

2003-08-27 Thread Jason Haar
On Thu, Aug 28, 2003 at 01:16:18AM +1000, Paul Hampson wrote:
 Was this because you linked against one, but tried to run against
 the other, or is there a problem between OpenSSL 0.9.6 and FreeRADIUS's
 EAP-TLS?

This wouldn't be a Redhat machine would it?

For better or worse, Redhat still insists on pushing out patched
openssl-0.96 stuff instead of the current 0.97 tree - which FreeRADIUS docs
as being a REQUIREMENT to get it working.

As just about every third app these days is linked against OpenSSL, it's
basically impossible to replace the RH OpenSSL install with 0.97 - leaving
FreeRADIUS in a hard place.

The only way I've found to get it to work is to manually compile and install
0.97 under (say) /usr/local/ssl-0.97b, then move all the /usr/lib 0.96
libraries aside, rename /usr/include/openssl to something else, and put
symlinks in to the 0.97 stuff. Then compile FreeRADIUS, but run it under
LD_LIBRARY_PATH=/usr/local/ssl-0.97b/lib. Oh yeah, and don't forget to
reverse out all those renames afterwards otherwise you'll have one hell of a
broken system

There must be a cleaner way... Besides moving to another distro ;-)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



EAP/TLS problem solved (almost...)

2003-08-14 Thread Antti Mattila
I tried certificates from Adam Sulmicki's cert.tgz package. I set the server date to
28.2 and on the laptop to 28.2 (the certificate is valid from and expires on that
day). And the EAP/TLS authentication worked!

I finally got:
Sending Access-Accept of id 50 to 194.142.202.102:6001
MS-MPPE-Recv-Key = 0x60b16b18235e7a9fde64aabf7ddb3248540cb7dcaff967454af4c39270ae1607
MS-MPPE-Send-Key = 0x7236809f4cc3667478644304136783a2604a5a3607d9215f279aa97edcfeac2c
EAP-Message = 0x03090004
Message-Authenticator = 0x

But the certificate problem still remains. The certificate generated with the script
which came with the FreeRADIUS package says on the W2K machine (in the certificate
path): "The certificate has a non-valid digital signature". I think this is the problem.
Adam's certificate seems fine on the computer.

We will try different OpenSSL versions (we used the versions required in Ken Roser's
guide, the SNAP was of course newer), but if this doesn't work we'll try to generate
the certificates with the Novell Certificate Server that we are using. If it doesn't
produce the certificate files needed for FreeRADIUS we need to hire somebody to make the
certificates with OpenSSL for us. Fortunately the certificates must be generated only
once. So if we get a working certificate set we don't have to hire a consultant to do
the stuff ever again.

Best regards:
Antti Mattila




Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Antti Mattila
You can DEFINITELY use OpenSSL in order to produce valid certificates,
both for Windows AND FreeRADIUS (which uses OpenSSL).

The certification path is not valid probably because the root
certificate which you installed under Windows expired.


ciao
artur


I know that many people have managed to get working certificates for FreeRADIUS with
OpenSSL and, more importantly, with the exact same script I'm using. I wonder what could
go wrong; maybe it is the OpenSSL version.

My own generated certificate has a valid date as of today and expires after 3 years.
Windows 2000 shows it correctly under the Authentication tab, which it doesn't do if the
certificate has expired.

We'll have to keep trying, and if I don't get it working we'll have to use somebody
else. After all I'm just a 21 year old summer worker ;-)

Best re




EAP-TLS PROBLEM

2003-08-14 Thread wen-hong



Fri Aug 8 14:13:30 2003 : Info: Using deprecated naslist file. Support for this will go away soon.
Fri Aug 8 14:13:30 2003 : Info: Using deprecated clients file. Support for this will go away soon.
Fri Aug 8 14:13:30 2003 : Info: Using deprecated realms file. Support for this will go away soon.
Fri Aug 8 14:13:30 2003 : Error: rlm_eap: Failed to link EAP-Type/tls: file not found
Fri Aug 8 14:13:30 2003 : Error: radiusd.conf[596]: eap: Module instantiation failed.

Why can it not link to eap-tls?
Please help me, thanks...



Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Artur Hecker
That's why I'm trying to reassure you. It probably has nothing to do
with the version of OpenSSL. Every suite has to produce compliant
certificates. The certificate format is mandated by its form.

Just verify all the certificates you installed. It's a small error
somewhere.



ciao
artur
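The certificate sub-thread above comes down to two checks: the validity window (the cert.tgz certificate only worked with both clocks set to 28.2, which is what a certificate whose notBefore and notAfter fall on the same day looks like) and the chain against the root certificate. The script below is an added example, not code from the thread or from FreeRADIUS: it parses the dates that "openssl x509 -noout -dates" prints, classifies the certificate against a date, and then runs "openssl verify" against the CA file. It assumes the openssl CLI; the file names cert-srv.pem and root.pem are taken from the first message on this page.

```shell
#!/bin/sh
# Added example, not from the thread: print an X.509 certificate's validity
# window, classify it against a date, and verify it against the CA file, so a
# certificate that is only valid on a single day (or already expired on the
# client) is caught before the EAP-TLS test.  Assumes the openssl CLI.

# Convert an openssl date such as "Feb 28 00:00:00 2003 GMT" to YYYYMMDD,
# which compares correctly as a plain integer.
openssl_date_to_ymd() {
    printf '%s\n' "$1" | awk '{
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) if (m[i] == $1) mon = i
        printf "%04d%02d%02d\n", $4, mon, $2
    }'
}

# Read the "notBefore=..." / "notAfter=..." lines that
# "openssl x509 -noout -dates" prints and classify the certificate relative
# to the YYYYMMDD date in $1.  Exit status is 0 only if it is valid that day.
classify_validity() {
    today="$1"; nb=; na=
    while IFS='=' read -r key value; do
        case "$key" in
            notBefore) nb=$(openssl_date_to_ymd "$value") ;;
            notAfter)  na=$(openssl_date_to_ymd "$value") ;;
        esac
    done
    if [ -z "$nb" ] || [ -z "$na" ]; then echo "unparsed"; return 1; fi
    if [ "$today" -lt "$nb" ]; then echo "not-yet-valid ($nb..$na)"; return 1; fi
    if [ "$today" -gt "$na" ]; then echo "expired ($nb..$na)"; return 1; fi
    if [ "$nb" = "$na" ]; then echo "valid-today-only ($nb)"; return 0; fi
    echo "valid ($nb..$na)"
}

# Run both checks on a certificate: validity window for today, then the
# chain against the CA file.
check_cert() {
    cert="$1"; ca="$2"
    openssl x509 -in "$cert" -noout -dates | classify_validity "$(date +%Y%m%d)"
    openssl verify -CAfile "$ca" "$cert"
}

# Constructed -dates output for a one-day certificate like the one described
# above (sample values, not taken from a real certificate).
SAMPLE_DATES='notBefore=Feb 28 00:00:00 2003 GMT
notAfter=Feb 28 23:59:59 2003 GMT'

printf '%s\n' "$SAMPLE_DATES" | classify_validity 20030228
# Real run with the file names from the first message on this page:
# check_cert /etc/1x/r/cert-srv.pem /etc/1x/r/root.pem
```

A certificate that classifies as valid but fails "openssl verify" against root.pem points at the chain (wrong or expired root on the client), which is the case the reply above describes.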


Re: EAP/TLS problem solved (almost...)

2003-08-14 Thread Artur Hecker
You can DEFINITELY use OpenSSL in order to produce valid certificates,
both for Windows AND FreeRADIUS (which uses OpenSSL).

The certification path is not valid probably because the root
certificate which you installed under Windows expired.

ciao
artur


Re: EAP-TLS PROBLEM

2003-08-14 Thread diomedes
Hi,
Follow the steps of this article about dynamic libraries:
http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm

good luck

omar.



EAP/TLS problem continued again...

2003-08-07 Thread Antti Mattila
#  An example configuration for using /etc/smbpasswd.
#
#passwd etc_smbpasswd {
#   filename = /etc/smbpasswd
#   format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
#   authtype = MS-CHAP
#   hashsize = 100
#   ignorenislike = no
#   allowmultiplekeys = no
#}

#  Similar configuration, for the /etc/group file. Adds a Group-Name
#  attribute for every group that the user is member of.
#
#passwd etc_group {
#   filename = /etc/group
#   format = =Group-Name:::*,User-Name
#   hashsize = 50
#   ignorenislike = yes
#   allowmultiplekeys = yes
#   delimiter = :
#}

# Realm module, for proxying.
#
#  You can have multiple instances of the realm module to
#  support multiple realm syntaxs at the same time.  The
#  search order is defined the order in the authorize and
#  preacct blocks after the module config block.
#
#  Two config options:
#   format -  must be 'prefix' or 'suffix'
#   delimiter  -  must be a single character

#  'realm/username'
#
#  Using this entry, IPASS users have their realm set to IPASS.
#realm realmslash {
#   format = prefix
#   delimiter = /
#}

#  '[EMAIL PROTECTED]'
#
realm suffix {
format = suffix
delimiter = @
}

#  'username%realm'
#
#realm realmpercent {
#   format = suffix
#   delimiter = %
#}

#  rewrite arbitrary packets.  Useful in accounting and authorization.
#
## This module is highly experimental at the moment.  Please give
## feedback to the mailing list.
#
#  The module can also use the Rewrite-Rule attribute. If it
#  is set and matches the name of the module instance, then
#  that module instance will be the only one which runs.
#
#  Also if new_attribute is set to yes then a new attribute
#  will be created containing the value replacewith and it
#  will be added to searchin (packet, reply or config).
# searchfor,ignore_case and max_matches will be ignored in that case.

#
#attr_rewrite sanecallerid {
#   attribute = Called-Station-Id
# may be packet, reply, or config
#   searchin = packet
#   searchfor = [+ ]
#   replacewith = 
#   ignore_case = no
#   new_attribute = no
#   max_matches = 10
#   ## If set to yes then the replace string will be appended to the original string
#   append = no
#}

# Preprocess the incoming RADIUS request, before handing it off
# to other modules.
#
#  This module processes the 'huntgroups' and 'hints' files.
#  In addition, it re-writes some weird attributes created
#  by some NASes, and converts the attributes into a form which
#  is a little more standard.
#
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints

# This hack changes Ascend's wierd port numberings
# to standard 0-??? port numbers so that the + works
# for IP address assignments.
#   with_ascend_hack = no
#   ascend_channels_per_line = 23

# Windows NT machines often authenticate themselves as
# NT_DOMAIN\username
#
# If this is set to 'yes', then the NT_DOMAIN portion
# of the user-name is silently discarded.
#   with_ntdomain_hack = no

# Specialix Jetstream 8500 24 port access server.
#
# If the user name is 10 characters or longer, a /
# and the excess characters after the 10th are
# appended to the user name.
#
# If you're not running that NAS, you don't need
# this hack.
#   with_specialix_jetstream_hack = no

# Cisco sends its VSA attributes with the attribute
# name *again* in the string, like:
#
#   H323-Attribute = h323-attribute=value.
#
# If this configuration item is set to 'yes', then
# the redundant data in the attribute text is stripped
# out.  The result is:
#
#  H323-Attribute = value
#
# If you're not running a Cisco NAS, you don't need
# this hack.
#   

EAP-TLS Problem

2002-12-09 Thread [EMAIL PROTECTED]
Hi,

I have a wireless network with a Cisco Aironet 350 AP and a Cisco card, and I
use Win XP as supplicant.
If I don't use (in Win XP) "the key is provided for me automatically", it's
all OK.
When I enable that option I have some problems: the authentication is OK, the
Cisco AP writes "status=EAP Authenticated, BOOTP/DHCP", but it's not possible
to take the IP address with DHCP and the connection is not enabled; the Cisco
Aironet client utilities indicate that the radio connection is good.
I have read that in the authentication exchange FreeRADIUS sends the session
key (with MPPE) to the AP.
It's possible that I have not configured the Cisco AP or FreeRADIUS in the
right manner.

Thanks

Daniele Brevi


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-TLS Problem

2002-12-09 Thread Artur Hecker

hi


the thread name is actually wrong since this is not a problem in
EAP-TLS.


> I have a wireless network with cisco aironet 350 AP and a cisco card
> and I use win xp as supplicant.
> If I don't use (in win XP) "the key is provided for me automatically"
> it's all ok.

nice, so EAP-TLS is working just fine. what you want is dynamic wep
keys.


> When I enable that option I have some problems, the authentication is
> ok the cisco ap write status=EAP Authenticated, BOOTP/DHCP but it's not
> possible take the ip address with the DHCP and the connection is not
> enable, the cisco aironet client utilities indicate that the radio
> connection is good.

exactly, because the WEP keys are not the same at the supplicant and the
client (ap).


> I have read that in the authentication exchange freeradius send the
> session key (with MPPE) at the AP.
> It's possible that I have not configured the cisco AP or Freeradius in
> the right manner.

very probably even. in the future requests, please provide the version
of freeradius and the complete debug output (radiusd -s -X).

however, you have a good basis for succeeding, so further requests might
not be necessary :-) your EAP-TLS authentication works fine, you say.
congratulation, since that's the difficult part of the whole story.
now just grab the newest version of FR available, compile the
rlm_eap_tls, verify that you have some *mppe*.c files in the concerned
directory and that there are no compilation/linking errors.

then, start the new server and look at the radiusd -s -X output. if the
Access-Accept sent to the AP350 contains two MPPE-*-Key attributes with
values, everything should be ok for freeradius so far (when updating,
update the dictionaries too). then, you only need to alter the config of
the AP350 appropriately (activate encryption and either provide a
wep-key in the Slot1 or set the broadcast key rotation interval to 0).


greetings
artur



-- 
Artur Hecker
artur[at]hecker.info




Re: Odyssey Client EAP/TLS problem

2002-11-09 Thread Klaus Heck
Here's some more info on the problem I have:

The client has a valid certificate, as well as the server. Both of them
can validate each others certificate using a valid root certificate.
However, the states of the second rad-access-cha packet of the server
and the rad-access-req answer packet from the client do not match. The
server cannot find a handler for the request (mem.c), more or less
ignores this request, and does not receive any other answer, thus sends
a rad-access-rej packet.

How are the states of the two packets calculated? I guess the
certificates are involved here, but they do not seem to be the problem
anyway. In the first rad-access-req - rad-access-cha packet pair, the
states do match, but I'm not sure if the certs are involved here
already. Could the client (Odyssey) be the problem?

I highly appreciate any comments.

Klaus





Odyssey Client EAP/TLS problem

2002-11-08 Thread Klaus Heck
I have freeradius up and running. on the client side I use a odyssey
client manager (newest version). Once I try the authentication messages
are sent back and forth as I could see from the tcpdump trace. In short
it looks like:

radius:  rad-access-req 198 [id 1]
rad-access-cha 84 [id 1]
rad-access-req 321 [id 0]
rad-access-cha 1120 [id 0]
rad-access-req 229 [id 1]
rad-access-reject 20 [id 1]

The debugging information from the radius server tells

rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Login incorrect

Did anybody see this before and find a solution?





EAP-TLS problem - rlm_eap: State verification failed

2002-04-10 Thread Sebastian Rieger

Hi there!

I've got a big prob. Thanks to the excellent howto of Adam Sulmicki, I finally
managed to move back from my Win2k RADIUS towards freeRADIUS. I'm using
freeRADIUS with EAP-TLS enabled (cvs snapshot 2002-04-08), a 3Com 8000 WLAN
AP and xsupplicant under Linux to auth via 802.1x/EAP-TLS.

The messages look quite ok, but as soon as the second request is handled EAP
is complaining about "rlm_eap: State verification failed". As I looked out
for the State Attribute of the last message, I found it some chars shorter
than it was in the message before. I tried to adjust the fragment size, but
couldn't solve the problem. The packet has a length of 144 bytes, so it
should not be a big deal with (standard) 1024 byte fragments.

Thanks a lot for your help!

Here's what I get:

Ready to process requests.
rad_recv: Access-Request packet from host 134.76.4.7:1812, id=11, length=67
EAP-Message = \002\010\000\t\001flex
Message-Authenticator = 0x783038983e2b972451718f233530d296
NAS-IP-Address = 134.76.4.7
User-Name = flex
Framed-MTU = 1400
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
  modcall[authorize]: module suffix returns ok
users: Matched flex at 54
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: processing type tls
  modcall[authenticate]: module eap returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 11 to 134.76.4.7:1812
EAP-Message = \001\t\000\006\r 
Message-Authenticator = 0x
State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
EAP-Message = \002\t\000\r\200\000\000\0004\026\003\001\000/\001\000\000+\003\001\264]ENJ\247\210_l/\227\347\256$O\211\255\031X\231\256\363\206\031\347mPSM\257\000\000\004\000\004\000\005\001
Message-Authenticator = 0xcd0dfea408b14674f367809b305f7c5c
NAS-IP-Address = 134.76.4.7
User-Name = flex
State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219a
Framed-MTU = 1400
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module eap returns updated
  modcall[authorize]: module suffix returns ok
users: Matched flex at 54
  modcall[authorize]: module files returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
modcall: entering group authenticate
rlm_eap: State verification failed.
  modcall[authenticate]: module eap returns invalid
modcall: group authenticate returns invalid
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
Sending duplicate authentication reply to client 134.76.4.7:1812 - ID: 12
Sending Access-Reject of id 12 to 134.76.4.7:1812
--- Walking the entire request list ---
Sending Access-Reject of id 12 to 134.76.4.7
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 11 with timestamp 3cb45d45
Cleaning up request 1 ID 12 with timestamp 3cb45d45
Nothing to do.  Sleeping until we see a request.



before all this - the server starts up with:
[root@caladan flex]# /usr/local/sbin/rc.radiusd -A -X
+ LD_LIBRARY_PATH=/usr/local/ssleap/lib
+ LD_PRELOAD=/usr/local/ssleap/lib/libcrypto.so
+ export LD_LIBRARY_PATH LD_PRELOAD
+ /usr/local/radiuseap/sbin/radiusd -A -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radiuseap/etc/raddb/proxy.conf
Config:   including file: /usr/local/radiuseap/etc/raddb/clients.conf
Config:   including file: /usr/local/radiuseap/etc/raddb/snmp.conf
Config:   including file: /usr/local/radiuseap/etc/raddb/sql.conf
 main: prefix = /usr/local/radiuseap
 main: localstatedir = /usr/local/radiuseap/var
 main: logdir = /usr/local/radiuseap/var/log/radius
 main: libdir = /usr/local/radiuseap/lib
 main: radacctdir = /usr/local/radiuseap/var/log/radius/radacct
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading clients
read_config_files:  reading realms
read_config_files:  reading naslist
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: 

Re: EAP-TLS problem - rlm_eap: State verification failed

2002-04-10 Thread Raghu

Sebastian Rieger wrote:
>
> Hi there!
>
> I've got a big prob. Thanks to the excellent howto of Adam Sulmicki, I finally
> managed to move back from my Win2k RADIUS towards freeRADIUS. I'm using
> freeRADIUS with eap tls enabled (cvs snapshot 2002-04-08), a 3Com 8000 WLAN
> AP and xsupplicant under Linux to auth via 802.1x/EAP-TLS.
>
> The messages look quite ok, but as soon as the second request is handled EAP
> is complaining about "rlm_eap: State verification failed". As I looked out
> for the State Attribute of the last message, I found it some chars shorter
> than it was in the message before. I tried to adjust the fragment size, but
> couldn't solve the problem. The packet has a length of 144 bytes, so it
> should not be a big deal with (standard) 1024 byte fragments.

State Attribute has nothing to do with the Fragment size.
Fragment size is meant for EAP-TLS packet only.



> State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839
>
> rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
> State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219a

The problem is here.
The RADIUS server is sending an Access-Challenge packet with a State attribute.
During the challenge response, your AP should send the same
State attribute UN-MODIFIED.

Find out why your AP is truncating this Value.

-Raghu




Re: EAP-TLS problem - rlm_eap: State verification failed

2002-04-10 Thread Alan DeKok

Sebastian Rieger [EMAIL PROTECTED] wrote:

> The messages look quite ok, but as soon as the second request is
> handled EAP is complaining about "rlm_eap: State verification
> failed". As I looked out for the State Attribute of the last
> message, I found it some chars shorter than it was in the message
> before.

  That's the problem.

> tried to adjust the fragment size, but couldn't solve the
> problem. The packet has a length of 144 bytes, so it should not be a
> big deal with (standard) 1024 byte fragments.

  The fragment size isn't the problem.  The problem is that the RADIUS
client is chopping the state off at 16 bytes.  This means that the
RADIUS client isn't implementing the RFCs properly.

  You have two choices:

 1. Edit the rlm_eap code so that it generates a state which is only
16 bytes.  This MAY be feasible.

 2. Complain to whoever wrote the RADIUS client, and tell them to fix
their software so that it actually implements the RADIUS RFCs,
instead of being broken.

  Alan DeKok.

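As an added example (not from this thread and not FreeRADIUS code), the following Python script automates the check Raghu and Alan describe, and applies equally to the "Request not found in the list" thread above: it walks a `radiusd -X` trace, pairs the State sent in each Access-Challenge with the State echoed in the next Access-Request from the same NAS, and reports whether the echo is intact, truncated or otherwise modified. The sample trace is constructed from the values quoted in this thread with the wrapped State line joined, and the regexes assume the debug line formats shown here.

```python
import re

# Constructed excerpt of a `radiusd -X` trace, modelled on the one quoted in the
# thread above; the two State values are the ones shown there, each on one line.
SAMPLE_TRACE = """\
Sending Access-Challenge of id 11 to 134.76.4.7:1812
State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219ab001a93e6b8dfbf601baf54db839
rad_recv: Access-Request packet from host 134.76.4.7:1812, id=12, length=144
State = 0x3df30ad930886ee1c76b2ec405f54c47455db43c219a
rlm_eap: State verification failed.
"""

CHALLENGE_RE = re.compile(r"^Sending Access-Challenge of id (\d+) to (\S+)")
REQUEST_RE = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
STATE_RE = re.compile(r"^\s*State = 0x([0-9a-fA-F]*)\s*$")


def check_state_echo(trace):
    """Pair the State sent in each Access-Challenge with the State echoed in the
    next Access-Request from the same NAS (RFC 2865 requires an unmodified echo).
    Returns one dict per echo: NAS, sent/echoed byte lengths and a verdict of
    'ok', 'truncated' (echo is a strict prefix), 'modified' or 'unsolicited'."""
    pending = {}    # NAS address -> hex State of the last challenge sent to it
    current = None  # (packet kind, NAS address) of the packet being read
    findings = []
    for line in trace.splitlines():
        if m := CHALLENGE_RE.match(line):
            current = ("challenge", m.group(2))
        elif m := REQUEST_RE.match(line):
            current = ("request", m.group(1))
        elif (m := STATE_RE.match(line)) and current is not None:
            kind, nas = current
            state = m.group(1).lower()
            if kind == "challenge":
                pending[nas] = state  # remember what we sent, keyed by NAS
                continue
            sent = pending.pop(nas, None)
            if sent is None:
                verdict = "unsolicited"
            elif state == sent:
                verdict = "ok"
            elif sent.startswith(state):
                verdict = "truncated"
            else:
                verdict = "modified"
            findings.append({"nas": nas, "sent_bytes": len(sent or "") // 2,
                             "echoed_bytes": len(state) // 2, "verdict": verdict})
    return findings
```

Calling `check_state_echo(SAMPLE_TRACE)` reproduces this thread's finding: one echo with verdict 'truncated', 36 bytes sent and 22 echoed back.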