Re: EAP advanced auth. methods problem

2009-11-29 Thread Tomas Pelka
t...@kalik.net wrote:
>> Permissions are now 600 for client.[pem|key] and [ca|server].pem (still
>> using ca and also server certificate on client), but the result is
>> similar.
> 
> Does it still say "unknown ca" or something else? If it's something else
> you need to post a new debug. If it's still the same you need to go to
> the wpa_supplicant list and ask them to help you to configure their
> supplicant.
> 

Yes, the server says:
rlm_eap: SSL error error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca


-- 
Tom

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: EAP advanced auth. methods problem

2009-11-28 Thread Tomas Pelka
t...@kalik.net wrote:
>> t...@kalik.net wrote:
 Also tried modify wpa_supplicant conf:

 - ca_cert="ca.pem"
 + ca_cert="server.pem"

 But with the same result.
>>> Because the path is wrong, i.e. the certificate is not there. Put the correct
>>> path to where you have imported the certificate.
>>>
>>> Ivan Kalik
>>>
>> Sorry, but I'm still more than confused.
>>
>> The problem is on the server side, isn't it?
> 
> No. Problem is missing ca certificate on the supplicant machine.
> 
> Ivan Kalik
> 

Yeah, you are right, because without properly verified certs on the server
side the server will never start.

-- 
Tom


Re: EAP advanced auth. methods problem

2009-11-23 Thread Tomas Pelka
Paul Ryszka wrote:
> On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote:
>> t...@kalik.net wrote:
>>>> Also tried modify wpa_supplicant conf:
>>>>
>>>> - ca_cert="ca.pem"
>>>> + ca_cert="server.pem"
>>>>
>>>> But with the same result.
>>> Because the path is wrong, i.e. the certificate is not there. Put the correct
>>> path to where you have imported the certificate.
>>>
>>> Ivan Kalik
>>>
>> Sorry, but I'm still more than confused.
>>
>> The problem is on the server side, isn't it? CA and server certs are now in
>> the same dir as the whole RADIUS configuration; is it necessary to put certs
>> into a "trusted" directory like /etc/ssl/certs?
>>
>> Thanks for the advice.
>>
> 
> I think that the idea was to put the full path to certificates in the
> conf file like :
> ca_cert="/full/path/to/server.pem"
> 
> 
> 

Same result with the full path on both sides (client/server).

-- 
Tom



Re: EAP advanced auth. methods problem

2009-11-23 Thread Tomas Pelka
t...@kalik.net wrote:
>> Also tried modify wpa_supplicant conf:
>>
>> - ca_cert="ca.pem"
>> + ca_cert="server.pem"
>>
>> But with the same result.
> 
> Because the path is wrong, i.e. the certificate is not there. Put the correct
> path to where you have imported the certificate.
> 
> Ivan Kalik
> 

Sorry, but I'm still more than confused.

The problem is on the server side, isn't it? CA and server certs are now in
the same dir as the whole RADIUS configuration; is it necessary to put certs
into a "trusted" directory like /etc/ssl/certs?

Thanks for the advice.

-- 
Tom



Re: EAP advanced auth. methods problem

2009-11-22 Thread Tomas Pelka
t...@kalik.net wrote:
>> So the problem is in certificate:
>>
>> [tls] <<< TLS 1.0 Handshake [length 038d], Certificate
>> --> verify error:num=20:unable to get local issuer certificate
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> 
> That means that you haven't imported self-signed ca certificate onto the
> client.
> 
>> # openssl verify -CApath ca.pem client.pem
>> client.pem: /C=FR/ST=Radius/O=Example
>> Inc./cn=u...@example.com/emailaddress=u...@example.com
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>>
>> I'm a little bit confused, I created the client certificate using make
>> client.
> 
> Which uses server certificate to sign client certificates.
> 
>> Isn't it possible that the freeradius Makefile is buggy?
> 
> No. Try verify with server certificate (as it is done in Makefile).

# c_rehash .
# openssl verify -CApath . client.pem
client.pem: OK
# openssl verify -CApath . server.pem
server.pem: OK

Also tried modifying the wpa_supplicant conf:

- ca_cert="ca.pem"
+ ca_cert="server.pem"

But with the same result.


-- 
Tom

Key fingerprint = 06C0 23C6 9EB7 0761 9807  65F4 7F6F 7EAB 496B 28AA
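As an added example (not code from the thread or from FreeRADIUS), this script reproduces the check Tom ran: it builds a throwaway CA with a server and a client certificate, then shows why `openssl verify -CApath ca.pem` fails with error 20 while `-CAfile ca.pem` or a c_rehash-style hashed directory succeeds, and compares the leaf's issuer with the CA subject, which is what "unable to get local issuer certificate" is complaining about. All paths and the demo-* names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or FreeRADIUS: builds a throwaway CA
# plus server/client certs in a temp dir, then runs the two "openssl verify"
# forms seen in the thread. -CApath wants a hashed *directory* (what c_rehash
# makes); -CAfile takes the PEM itself. Names (demo-*) are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA and two leaf certs signed by it (RSA 2048, 1-day validity).
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  for leaf in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$leaf" \
      -keyout "$WORK/$leaf.key" -out "$WORK/$leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/$leaf.csr" -CA "$WORK/ca.pem" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$leaf.pem" 2>/dev/null
  done
}

# verify_leaf LEAF MODE -> prints "ok"/"fail". MODE: file (-CAfile ca.pem),
# path_wrong (-CApath ca.pem, as in the thread), path_hashed (-CApath on a
# dir with a <hash>.0 link to ca.pem, which is what c_rehash creates).
verify_leaf() {
  case "$2" in
    file)        ca_args="-CAfile $WORK/ca.pem" ;;
    path_wrong)  ca_args="-CApath $WORK/ca.pem" ;;
    path_hashed) mkdir -p "$WORK/hashed"
                 ln -sf "$WORK/ca.pem" \
                   "$WORK/hashed/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
                 ca_args="-CApath $WORK/hashed" ;;
  esac
  if openssl verify $ca_args "$WORK/$1.pem" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "fail"   # e.g. error 20: unable to get local issuer certificate
  fi
}

# issuer_matches LEAF -> "yes" if the leaf's issuer DN equals the CA's subject
# DN, i.e. the CA file really is the one that signed it.
issuer_matches() {
  iss=$(openssl x509 -noout -issuer  -in "$WORK/$1.pem" | sed 's/^issuer=//')
  sub=$(openssl x509 -noout -subject -in "$WORK/ca.pem"  | sed 's/^subject=//')
  if [ "$iss" = "$sub" ]; then echo "yes"; else echo "no"; fi
}
make_demo_pki
echo "client -CAfile: $(verify_leaf client file)  -CApath ca.pem: $(verify_leaf client path_wrong)"
```

The same `-CAfile` check against the CA actually configured in eap.conf is a quick way to confirm that server and supplicant are trusting the same CA before touching wpa_supplicant.conf.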


Re: EAP advanced auth. methods problem

2009-11-21 Thread Tomas Pelka
Tomas Pelka wrote:
> t...@kalik.net wrote:
>>> Alan DeKok wrote:
>>>> Tomas Pelka wrote:
>>>>> I have a problem with "advanced" EAP authentication methods including
>>>>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>>>>   I wouldn't call them "advanced..."
>>>>
>>>>> Certs were created with the makefile included in the freeradius sources.
>>>>>
>>>>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>>>>> len=4) from RADIUS server: EAP Failure
>> Authentication works fine - you are getting an initial Access-Accept. But
>> then:
>>
>> [ttls] Skipping Phase2 due to session resumption
>> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
>>
>> Read cache section of eap.conf.
>>
>> Ivan Kalik
>>
> 
> So if I get it right, the problem is reauthentication, right? But
> 
> #tls section
> cache {
>   enable = yes
>   lifetime = 24 # hours
>   max_entries = 255
>   }
> and even no cache (enable=no) does not work.
> 
> TTLS-md5/mschapv2 and PEAP work with cache enabled (inside the ttls section).
> 
> Thanks.
> 

So the problem is in certificate:

[tls] <<< TLS 1.0 Handshake [length 038d], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

# openssl verify -CApath ca.pem client.pem
client.pem: /C=FR/ST=Radius/O=Example
Inc./cn=u...@example.com/emailaddress=u...@example.com
error 20 at 0 depth lookup:unable to get local issuer certificate


I'm a little bit confused, I created the client certificate using make
client. Isn't it possible that the freeradius Makefile is buggy?

Cheers
-- 
Tom



Re: EAP advanced auth. methods problem

2009-11-21 Thread Tomas Pelka
t...@kalik.net wrote:
>> Alan DeKok wrote:
>>> Tomas Pelka wrote:
>>>> I have a problem with "advanced" EAP authentication methods including
>>>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>>>   I wouldn't call them "advanced..."
>>>
>>>> Certs were created with the makefile included in the freeradius sources.
>>>>
>>>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>>>> len=4) from RADIUS server: EAP Failure
> 
> Authentication works fine - you are getting an initial Access-Accept. But
> then:
> 
> [ttls] Skipping Phase2 due to session resumption
> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
> 
> Read cache section of eap.conf.
> 
> Ivan Kalik
> 

So if I get it right, the problem is reauthentication, right? But

#tls section
cache {
  enable = yes
  lifetime = 24 # hours
  max_entries = 255
  }
and even no cache (enable=no) does not work.

TTLS-md5/mschapv2 and PEAP work with cache enabled (inside the ttls section).

Thanks.

-- 
Tom



Re: EAP advanced auth. methods problem

2009-11-20 Thread Tomas Pelka
Alan DeKok wrote:
> Tomas Pelka wrote:
>> I have a problem with "advanced" EAP authentication methods including
>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
> 
>   I wouldn't call them "advanced..."
> 
>> Certs were created with the makefile included in the freeradius sources.
>>
>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>> len=4) from RADIUS server: EAP Failure
>>
>> Running as, for example
>>   ./eapol_test -c test_tls.conf -a192.168.56.3 -p1812 -stesting123 -r1
>>
>> Output, eap.conf and test_tls.conf attached.
> 
> Can you explain why you sent:
> 
> * config files
> 
> * eapol_test output
> 
>   And NOT the server debugging output, as suggested in the FAQ, README,
> INSTALL, "man" page, web pages, and daily on this list?
> 
>   You have sent everything EXCEPT the information we need to help you.

Yes, you are right, shame on me! The radiusd -X output is attached now.

Sorry

-- 
Tom
FreeRADIUS Version 2.1.7, for host i486-pc-linux-gnu, built on Nov 18 2009 at 
00:32:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...

Re: adding eap-tls/peap/ttls support to freeradius problem

2009-11-19 Thread Tomas Pelka

On 11/17/2009 11:25 PM, Alan Buxey wrote:

hi,

it's not a peap/ttls/eap problem - it's a problem with linking
to your SQL libraries. I guess you want to use postgresql?
Have you got the pgsql devel libraries etc. installed?
And 2.0.4 is very, very old now

alan


Yeah, you are right; weird chance, because I probably uninstalled the
postgresql-dev package. Looks like it works.


Thanks Alan

--
Tom



adding eap-tls/peap/ttls support to freeradius problem

2009-11-17 Thread Tomas Pelka
Hi guys,
I have some problems with compiling freeradius with eap-tls/peap/ttls support.

configure running:
./configure --prefix=/usr \
--exec-prefix=/usr \
--mandir=$(mandir) \
--sysconfdir=/etc \
--libdir=$(libdir) \
--datadir=/usr/share \
--localstatedir=/var \
--with-raddbdir=$(raddbdir) \
--with-logdir=/var/log/$(package) \
--enable-ltdl-install=no --enable-strict-dependencies \
--with-large-files --with-udpfromto --with-edir \
--enable-developer \
--config-cache \
--with-rlm_eap_tls \
--with-rlm_eap_ttls \
--with-rlm_eap_peap \
--without-rlm_eap_tnc \
--without-rlm_otp \
--with-rlm_sql_postgresql_lib_dir=`pg_config --libdir` \
--with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
--with-openssl \
--without-rlm_eap_ikev2 \
--without-rlm_sql_oracle \
--without-rlm_sql_unixodbc \
--with-system-libtool \
--without-rlm_counter \
--without-rlm_ldap


Gcc output:
/usr/bin/libtool --mode=link gcc -release 2.0.4 \
-module -export-dynamic   -o rlm_sql_log.la \
-rpath /usr/lib/freeradius rlm_sql_log.lo rlm_sql_log.c
/usr/src/freeradius-2.0.4+dfsg/src/lib/libfreeradius-radius.la
/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql/.libs/rlm_sql.la
-lnsl -lresolv  -lpthread
libtool: link: cannot find the library
`/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql/.libs/rlm_sql.la' or
unhandled argument
`/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql/.libs/rlm_sql.la'
make[7]: *** [rlm_sql_log.la] Error 1
make[7]: Leaving directory
`/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql_log'
make[6]: *** [common] Error 2
make[6]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src/modules'
make[5]: *** [all] Error 2
make[5]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src/modules'
make[4]: *** [common] Error 2
make[4]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src'
make[2]: *** [common] Error 2
make[2]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg'
make: *** [build-arch-stamp] Error 2

Am I missing something?
Thanks for advice.

-- 
Tom