Re: HELP: EAP/TLS - XP

hi philip

thanks for the point, david probably just has to check the extensions and other things. however, it seems that the server certificate isn't accepted, not the client certificate. something has to be wrong, since in my case, too, it worked fine with cisco and orinoco equipment, since the 0.5 fr release, so...

ciao
artur

Philip Blow wrote:
> David, Artur,
>
> This problem appears to be caused by having the Server Authentication and Client Authentication properties set in the certificate. If you disable all extended certificate properties except the Client Authentication in the client certificate on the XP machine, the EAP authentication should work.
>
> It worked for me via both Symbol and Orinoco APs with certificates that I generated with the OpenCA certificate authority.
>
> Cheers,
> Philip Blow
> Senior Technical Manager
> Simply Wireless
> [EMAIL PROTECTED]
>
> > hi David
> >
> > ok, it's good news then... if you followed exactly the steps, it should work fine.
> >
> > to find the error, just put the same certificate which is available at the server side on your XP machine and open it using the crypto extensions (double-click). XP should tell you what is missing. the most probable error would be imho an expiration date. the second possible one would be the forgotten extension (as already said, both errors should not be there if you followed exactly the script, but still, check it). check the availability of the private key, check the certification path, XP should know the signing CA (meaning that the cert is signed by the CA whose certificate is installed under certification authorities).
> >
> > regards,
> > artur
> >
> > David Baer wrote:
> > > The problem has been partially solved (or let's say: narrowed). Somehow the server's certificate is not accepted by the XP supplicant. If the "Validate server certificate" check box is unchecked, the authentication succeeds. To leave the server's certificate unvalidated is not very desirable though.
> > > I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate the certificates.
> > > Any idea what I could have done wrong with the server's certificate?
> > > david

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
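The checks this thread ends up recommending (the client certificate's extended key usage limited to Client Authentication, a validity period that has not run out, a private key that belongs to the certificate, and a certification path to the CA the supplicant trusts) can be scripted. The following is an added example, not code from the list, from FreeRADIUS or from the Ken Roser script; it drives the openssl command-line tool from Python and, for the demonstration, generates two throwaway self-signed certificates, one carrying only clientAuth and one carrying clientAuth plus serverAuth. The subject names, the 365-day lifetime, the temporary directory and the use of a certificate as its own CA are assumptions of the example.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

CLIENT_AUTH = "TLS Web Client Authentication"   # OpenSSL long name for the clientAuth EKU
SERVER_AUTH = "TLS Web Server Authentication"   # OpenSSL long name for the serverAuth EKU


def _openssl(*args):
    """Run one openssl subcommand; never raises on exit status, the caller inspects the result."""
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def extended_key_usage(cert):
    """Return the EKU names in the certificate, or [] when the extension is absent."""
    out = _openssl("x509", "-in", str(cert), "-noout", "-ext", "extendedKeyUsage").stdout
    lines = [line.strip() for line in out.splitlines() if line.strip()]
    if len(lines) < 2 or "Extended Key Usage" not in lines[0]:
        return []
    return [name.strip() for name in lines[1].split(",")]


def key_matches_cert(cert, key):
    """True when the RSA modulus in the private key equals the one in the certificate."""
    cert_mod = _openssl("x509", "-in", str(cert), "-noout", "-modulus").stdout.strip()
    key_mod = _openssl("rsa", "-in", str(key), "-noout", "-modulus").stdout.strip()
    return bool(cert_mod) and cert_mod == key_mod


def check_eap_client_cert(cert, ca, key=None):
    """Apply the thread's checklist to a client certificate; 'ok' is True only if every check passes."""
    eku = extended_key_usage(cert)
    findings = {
        # -checkend 0 exits non-zero once the notAfter date has passed
        "expired": _openssl("x509", "-in", str(cert), "-noout", "-checkend", "0").returncode != 0,
        "eku": eku,
        "client_auth": CLIENT_AUTH in eku,
        # an additional Server Authentication EKU is what Philip Blow reports as the trigger
        "server_auth": SERVER_AUTH in eku,
        # builds the certification path against the CA the supplicant is expected to trust
        "chain_ok": _openssl("verify", "-CAfile", str(ca), str(cert)).returncode == 0,
        "key_matches": key_matches_cert(cert, key) if key else None,
    }
    findings["ok"] = (not findings["expired"] and findings["client_auth"]
                      and not findings["server_auth"] and findings["chain_ok"]
                      and findings["key_matches"] is not False)
    return findings


def make_self_signed(directory, name, eku):
    """Constructed fixture: throwaway self-signed cert and key with the given EKU list (hypothetical CN)."""
    key = Path(directory) / f"{name}-key.pem"
    cert = Path(directory) / f"{name}-cert.pem"
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(key), "-out", str(cert), "-days", "365",
                    "-subj", f"/CN={name}", "-addext", f"extendedKeyUsage={eku}"],
                   check=True, capture_output=True)
    return cert, key


def demo():
    """Check a clientAuth-only certificate and a clientAuth+serverAuth one, each against itself as CA."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found")
    with tempfile.TemporaryDirectory() as tmp:
        good_cert, good_key = make_self_signed(tmp, "good-client", "clientAuth")
        bad_cert, bad_key = make_self_signed(tmp, "bad-client", "clientAuth,serverAuth")
        return {
            "good": check_eap_client_cert(good_cert, good_cert, good_key),
            "bad": check_eap_client_cert(bad_cert, bad_cert, bad_key),
        }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings)
```

For a real deployment, pass the client certificate, the CA certificate the XP machine has under its trusted certification authorities, and the client's key file; the `eku` list in the findings shows at a glance whether anything beyond Client Authentication is present.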
RE: HELP: EAP/TLS - XP

David, Artur,

This problem appears to be caused by having the Server Authentication and Client Authentication properties set in the certificate. If you disable all extended certificate properties except the Client Authentication in the client certificate on the XP machine, the EAP authentication should work.

It worked for me via both Symbol and Orinoco APs with certificates that I generated with the OpenCA certificate authority.

Cheers,
Philip Blow
Senior Technical Manager
Simply Wireless
[EMAIL PROTECTED]

> hi David
>
> ok, it's good news then... if you followed exactly the steps, it should work fine.
>
> to find the error, just put the same certificate which is available at the server side on your XP machine and open it using the crypto extensions (double-click). XP should tell you what is missing. the most probable error would be imho an expiration date. the second possible one would be the forgotten extension (as already said, both errors should not be there if you followed exactly the script, but still, check it). check the availability of the private key, check the certification path, XP should know the signing CA (meaning that the cert is signed by the CA whose certificate is installed under certification authorities).
>
> regards,
> artur
>
> David Baer wrote:
> > The problem has been partially solved (or let's say: narrowed). Somehow the server's certificate is not accepted by the XP supplicant. If the "Validate server certificate" check box is unchecked, the authentication succeeds. To leave the server's certificate unvalidated is not very desirable though.
> > I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate the certificates.
> > Any idea what I could have done wrong with the server's certificate?
> > david
Re: HELP: EAP/TLS - XP

hi David

ok, it's good news then... if you followed exactly the steps, it should work fine.

to find the error, just put the same certificate which is available at the server side on your XP machine and open it using the crypto extensions (double-click). XP should tell you what is missing. the most probable error would be imho an expiration date. the second possible one would be the forgotten extension (as already said, both errors should not be there if you followed exactly the script, but still, check it). check the availability of the private key, check the certification path, XP should know the signing CA (meaning that the cert is signed by the CA whose certificate is installed under certification authorities).

regards,
artur

David Baer wrote:
> The problem has been partially solved (or let's say: narrowed). Somehow the server's certificate is not accepted by the XP supplicant. If the "Validate server certificate" check box is unchecked, the authentication succeeds. To leave the server's certificate unvalidated is not very desirable though.
> I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate the certificates.
> Any idea what I could have done wrong with the server's certificate?
> david

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
Re: HELP: EAP/TLS - XP

The problem has been partially solved (or let's say: narrowed). Somehow the server's certificate is not accepted by the XP supplicant. If the "Validate server certificate" check box is unchecked, the authentication succeeds. To leave the server's certificate unvalidated is not very desirable though.

I used the script by Ken Roser (http://www.freeradius.org/doc/EAPTLS.pdf) to generate the certificates.

Any idea what I could have done wrong with the server's certificate?

david
Re: HELP: EAP/TLS - XP

commenting on my own post:

> effectively, it's a re-request since the id-number is the same. the TLS error probably comes from the shortened message or something similar, the data seems to be corrupted in some way. radius seems to just reject from that moment on, it doesn't seem to check the second message for its correctness (IMHO, it should however, since it's udp).

what i want to say is: the first message can be wrong because it is UDP. freeradius doesn't answer to it with a Reject. this is correct IMHO. it should accept N (N=?) wrong re-requests (requests with same ID, same eap number, etc. but _different_ data) before rejecting a user. it now seems to reject immediately after the second message arrives, or is it able to see that the messages are exactly the same?

developers, could you say on the fly what the current behaviour is?

thanks
artur

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
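The distinction Artur is asking about, a byte-identical UDP retransmit of the same RADIUS ID versus a packet that reuses the ID with different data, is what a server-side duplicate cache has to make. The example below is added here to illustrate that logic; it is not FreeRADIUS code and does not claim to describe what FreeRADIUS actually did at the time. It keys the cache on (source address, source port, ID) and compares a hash of the packet bytes (in a real server the Request Authenticator field already differs per request, so comparing it is enough); an identical resend gets the cached reply, while a changed packet under the same ID is counted as a conflict and processed anew, so a caller can apply whatever threshold N it wants. The 30-second window, the constructed packet bytes and the NAS address taken from the log are assumptions of the example.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Optional

# How long a finished request stays cached so that retransmits can be recognised (assumed value).
CACHE_TTL_SECONDS = 30.0


@dataclass
class _Entry:
    digest: bytes               # hash over the request bytes: changes whenever the data changes
    response: Optional[bytes]   # reply already sent for this request, replayed on a true retransmit
    first_seen: float
    conflicts: int = 0          # same source and ID but different data, the case discussed in the thread


class DuplicateDetector:
    """Classifies Access-Requests by (source address, source port, RADIUS ID) and packet contents."""

    def __init__(self, ttl: float = CACHE_TTL_SECONDS):
        self.ttl = ttl
        self._cache: dict = {}

    def classify(self, src, packet_id: int, packet: bytes, now: Optional[float] = None):
        """Return ("new", None), ("retransmit", cached_reply) or ("conflict", conflict_count)."""
        now = time.monotonic() if now is None else now
        key = (src, packet_id)
        digest = hashlib.sha256(packet).digest()
        entry = self._cache.get(key)
        if entry is not None and now - entry.first_seen > self.ttl:
            del self._cache[key]          # the ID may legitimately be reused once the window has passed
            entry = None
        if entry is None:
            self._cache[key] = _Entry(digest, None, now)
            return "new", None
        if entry.digest == digest:
            # identical bytes: a UDP retransmit; resend what was already answered (None if still processing)
            return "retransmit", entry.response
        # same ID, different data: count it and let the new data be processed instead of rejecting outright
        entry.conflicts += 1
        entry.digest = digest
        entry.response = None
        return "conflict", entry.conflicts

    def record_response(self, src, packet_id: int, response: bytes) -> None:
        """Remember the reply so an identical retransmit gets the same reply instead of a fresh run."""
        entry = self._cache.get((src, packet_id))
        if entry is not None:
            entry.response = response


def walk_sample():
    """Constructed sequence modelled on the log in this thread: repeated id=95 requests from one NAS."""
    nas = ("10.56.56.201", 6001)
    first = b"Access-Request id=95 EAP-Message=<tls alert>"         # constructed stand-in for packet bytes
    variant = b"Access-Request id=95 EAP-Message=<something else>"  # same ID, different data
    det = DuplicateDetector()
    labels = [det.classify(nas, 95, first, now=0.0)[0]]
    det.record_response(nas, 95, b"Access-Reject")
    labels.append(det.classify(nas, 95, first, now=1.0)[0])      # byte-identical resend
    labels.append(det.classify(nas, 95, variant, now=2.0)[0])    # different data under the same ID
    labels.append(det.classify(nas, 95, first, now=60.0)[0])     # after the window: treated as new
    return labels


if __name__ == "__main__":
    print(walk_sample())
```

The point of returning "conflict" with a count rather than a reject is that it leaves the policy decision (how many conflicting re-requests to tolerate) to the caller, which is exactly the N Artur leaves open.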
Re: HELP: EAP/TLS - XP

hi

David Baer wrote:
> hi, thanks for looking at the matter, Artur.
>
> > in fact, unless you shortened your post, there seems to be two requests one after another or am i wrong? because radius actually doesn't do anything about the wrong request. it denies the next one... well, it's perhaps normal.
>
> well strange is (or is it a normal retry?), that it has two rad_recv of id=95. one at (*A*) and then the other one at (*B*). then he is sending the reject message on the line (*E*) to id=95, but it is not clear to which. However, I think the problem really is between line (*C*) and (*D*) which prevents me from getting an Access-Accept. This error seems to happen from time to time, I've found another post in the mailing list (http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11598.html). But there isn't a solution (or even a guess, as to where it comes from) around. Advice is appreciated.
> david

it's probably a bug in your AP implementation. try the newest firmware, e.g.

effectively, it's a re-request since the id-number is the same. the TLS error probably comes from the shortened message or something similar, the data seems to be corrupted in some way. radius seems to just reject from that moment on, it doesn't seem to check the second message for its correctness (IMHO, it should however, since it's udp).

compare the two messages by snooping on the interface. if the error is always the same, try to change some parameters (framed-mtu value, perhaps even another user-name, etc.)

ciao
artur

--
Artur Hecker
Département Informatique et Réseaux, ENST Paris
http://www.infres.enst.fr/~hecker
Re: HELP: EAP/TLS - XP

hi, thanks for looking at the matter, Artur.

> in fact, unless you shortened your post, there seems to be two requests one after another or am i wrong? because radius actually doesn't do anything about the wrong request. it denies the next one... well, it's perhaps normal.

well strange is (or is it a normal retry?), that it has two rad_recv of id=95. one at (*A*) and then the other one at (*B*). then he is sending the reject message on the line (*E*) to id=95, but it is not clear to which. However, I think the problem really is between line (*C*) and (*D*) which prevents me from getting an Access-Accept. This error seems to happen from time to time, I've found another post in the mailing list (http://www.mail-archive.com/freeradius-users@lists.cistron.nl/msg11598.html). But there isn't a solution (or even a guess, as to where it comes from) around. Advice is appreciated.

david

rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180 (*A*)
        User-Name = "Hera"
        NAS-IP-Address = 10.56.56.201
        Called-Station-Id = "00-02-2d-48-6d-89"
        Calling-Station-Id = "00-05-3c-06-6e-61"
        NAS-Identifier = "hercules"
        State = 0xcbc90276b2c75bcf69c846a00bbb35e62f922b3ea0b9afaf4605a59f14b2fa8fc483abdc
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = "\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g"
        Message-Authenticator = 0x9095e69b06f47161b67f54139c32e1ef
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "Hera", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
    users: Matched Hera at 98
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
<<< TLS 1.0 Alert [length 0002], fatal access_denied (*C*)
TLS Alert read:fatal:access denied
2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
rlm_eap_tls: SSL_read Error
Error code is . 6
SSL Error . 6
rlm_eap_tls: BIO_read Error
Error code is . 5
Error in SSL . 5 (*D*)
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180 (*B*)
Sending Access-Reject of id 95 to 10.56.56.201:6001 (*E*)
        EAP-Message = "\004\007\000\004"
        Message-Authenticator = 0x
--- Walking the entire request list ---
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 91 with timestamp 3e2b922e
Cleaning up request 7 ID 92 with timestamp 3e2b922e
Cleaning up request 8 ID 93 with timestamp 3e2b922e
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 9 ID 94 with timestamp 3e2b922f
Cleaning up request 10 ID 95 with timestamp 3e2b922f
Nothing to do.  Sleeping until we see a request.
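The EAP-Message attribute that radiusd prints at (*A*) is the raw EAP packet, and decoding it shows what happened between (*C*) and (*D*): the supplicant's EAP-TLS Response carries a TLS Alert record (content type 21) of 18 bytes on the wire, which is longer than the 2 bytes of a plaintext alert, so it was sent encrypted after the handshake had completed; the server decrypts it and logs it as "[length 0002], fatal access_denied". The Access-Reject at (*E*) carries an EAP Failure. The decoder below is an added example written for this post, not part of FreeRADIUS; both byte strings are copied from the log above, and since radiusd's C-style octal escapes are also valid Python bytes-literal escapes they are embedded verbatim.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13                                   # EAP-TLS type number
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Both attribute values are copied verbatim from the radiusd debug output in this thread.
EAP_RESPONSE_A = b'\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g'
EAP_FAILURE_E = b'\004\007\000\004'


def decode_eap_tls(raw: bytes) -> dict:
    """Parse an EAP packet and, for EAP-TLS, its flags, optional TLS length and first TLS record header."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes received")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):
        return out                                  # Success and Failure carry no type or data
    if length < 5:
        raise ValueError("Request/Response without a type byte")
    eap_type = raw[4]
    out["type"] = "EAP-TLS" if eap_type == EAP_TYPE_TLS else eap_type
    if eap_type != EAP_TYPE_TLS or length < 6:
        return out
    flags = raw[5]
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    pos = 6
    if out["flags"]["L"]:
        if length < 10:
            raise ValueError("L flag set but no 4-byte TLS message length present")
        out["tls_total_length"] = struct.unpack("!I", raw[6:10])[0]
        pos = 10
    data = raw[pos:]
    out["tls_data_len"] = len(data)
    if len(data) >= 5:
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
        out["tls_record"] = {
            "content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
            "version": (major, minor),              # (3, 1) is TLS 1.0
            "length": rlen,
            "complete": rlen == len(data) - 5,      # whole record present in this fragment?
            # a plaintext TLS alert is exactly 2 bytes; anything longer has been encrypted and MACed
            "encrypted_alert": ctype == 21 and rlen > 2,
        }
    return out


def describe(raw: bytes) -> str:
    """One-line summary of an EAP packet for reading alongside the radiusd debug output."""
    d = decode_eap_tls(raw)
    text = f"EAP {d['code']} id={d['id']} len={d['length']}"
    if "type" in d:
        text += f" type={d['type']}"
    if "flags" in d:
        text += " flags=" + ("".join(k for k, v in d["flags"].items() if v) or "-")
    if "tls_record" in d:
        rec = d["tls_record"]
        text += f" tls={rec['content_type']}[{rec['length']} bytes] version={rec['version']}"
        if rec["encrypted_alert"]:
            text += " (encrypted alert)"
    return text


if __name__ == "__main__":
    print("(*A*)", describe(EAP_RESPONSE_A))
    print("(*E*)", describe(EAP_FAILURE_E))
```

Because the alert is encrypted, the decoder cannot name it from the wire bytes; only the server, which holds the session keys, can log it as access_denied. What the decoder does establish is the direction: the alert is inside the supplicant's Response, so it is the XP side that terminated the session.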
Re: HELP: EAP/TLS - XP

hi

> I don't think it's an AP problem, because Raymon McKey (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm) is working with the same AP. i never tried with md5, did it work with you?

and you probably can't since you use XP SP1 which does not offer EAP/MD5 for wireless anymore :)

> do you work with an english XP? (just asking, because I have japanese XP and the other person that had this problem also had an asian name.) I don't know anything about XP, but could it be possible, that this is some japanese-XP bug? I'm trying to get into the source code, but this might take some time (I'm not very good in C). however, it seems that the radius server did not get the expected message. it would have needed an ACK-response, but received something else...

in fact, unless you shortened your post, there seems to be two requests one after another or am i wrong? because radius actually doesn't do anything about the wrong request. it denies the next one... well, it's perhaps normal.

some developers here? :-)

ciao
artur

--
Artur Hecker                    Groupe Accès et Mobilité
hecker[at]enst[dot]fr           Département Informatique et Réseaux
+33 1 45 81 7507                46, rue Barrault 75634 Paris cedex 13
http://www.infres.enst.fr       ENST Paris
Re: HELP: EAP/TLS - XP

Hi Jeffrey,

> Do you work well via md5? I cannot work fine with ap-2000 too? :(
> I guess it is an AP problem!

I don't think it's an AP problem, because Raymon McKey (http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm) is working with the same AP. i never tried with md5, did it work with you?

do you work with an english XP? (just asking, because I have japanese XP and the other person that had this problem also had an asian name.) I don't know anything about XP, but could it be possible, that this is some japanese-XP bug? I'm trying to get into the source code, but this might take some time (I'm not very good in C). however, it seems that the radius server did not get the expected message. it would have needed an ACK-response, but received something else...

david
Re: HELP: EAP/TLS - XP

Dear David,

Do you work well via md5? I cannot work fine with ap-2000 too? :(
I guess it is an AP problem!

On Mon, 2003-01-20 14:39, David Baer wrote:
> I'm trying to get XP and freeRADIUS working together. I encountered a problem that has been reported here before (http://lists.cistron.nl/pipermail/freeradius-users/2002-August/009650.html), but no solution has been posted.
> Maybe someone else has stumbled across it or has an idea.
>
> The thing is that all tls handshake passed and then it seems that the supplicant backs off...
> I'm using Service Pack 1 and a Orinoco 2000 AP with img 2.0.10 installed.
>
> thanks for any help,
> david
>
>
> rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180
>         User-Name = "Hera"
>         NAS-IP-Address = 10.56.56.201
>         Called-Station-Id = "00-02-2d-48-6d-89"
>         Calling-Station-Id = "00-05-3c-06-6e-61"
>         NAS-Identifier = "hercules"
>         State = 0xcbc90276b2c75bcf69c846a00bbb35e62f922b3ea0b9afaf4605a59f14b2fa8fc483abdc
>         Framed-MTU = 1400
>         NAS-Port-Type = Wireless-802.11
>         EAP-Message = "\002\007\000!\r\200\000\000\000\027\025\003\001\000\022^\333$,\363"\275\010\010\374\234\204y\337\306U-g"
>         Message-Authenticator = 0x9095e69b06f47161b67f54139c32e1ef
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> modcall[authorize]: module "eap" returns updated
> rlm_realm: No '@' in User-Name = "Hera", looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module "suffix" returns noop
>     users: Matched Hera at 98
> modcall[authorize]: module "files" returns ok
> modcall: group authorize returns updated
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - tls
> rlm_eap: processing type tls
> rlm_eap_tls: Length Included
> <<< TLS 1.0 Alert [length 0002], fatal access_denied
>
> TLS Alert read:fatal:access denied
> 2727:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied:s3_pkt.c:1037:SSL alert number 49
> rlm_eap_tls: SSL_read Error
> Error code is . 6
> SSL Error . 6
> rlm_eap_tls: BIO_read Error
> Error code is . 5
> Error in SSL . 5
> modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Delaying request 10 for 1 seconds
> Finished request 10
> Going to the next request
> Waking up in 5 seconds...
> rad_recv: Access-Request packet from host 10.56.56.201:6001, id=95, length=180
> Sending Access-Reject of id 95 to 10.56.56.201:6001
>         EAP-Message = "\004\007\000\004"
>         Message-Authenticator = 0x
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 6 ID 91 with timestamp 3e2b922e
> Cleaning up request 7 ID 92 with timestamp 3e2b922e
> Cleaning up request 8 ID 93 with timestamp 3e2b922e
> Waking up in 1 seconds...
> --- Walking the entire request list ---
> Cleaning up request 9 ID 94 with timestamp 3e2b922f
> Cleaning up request 10 ID 95 with timestamp 3e2b922f
> Nothing to do.  Sleeping until we see a request.

--
Regard,
Jeffery Huang
iMining Technology Inc.,
Addr: 8F-4 No.432, Sec. 1, Keelung Rd., Taipei, Taiwan
Tel: 886-2-27235122 ext 20
Fax: 886-2-27232287
mail: [EMAIL PROTECTED]
http://www.imining.com.tw