Re: EAP advanced auth. methods problem

t...@kalik.net wrote:
>> Permissions are now 600 for client.[pem|key] and [ca|server].pem (still
>> using ca and also server certificate on client), but the result is
>> similar.
>
> Does it still say "unknown ca" or something else? If it's something else
> you need to post a new debug. If it's still the same you need to go to
> wpa_supplicant list and ask them to help you to configure their
> supplicant.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Yes, server says:

rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

--
Tom
Re: EAP advanced auth. methods problem

t...@kalik.net wrote:
>> t...@kalik.net wrote:
>>>> Also tried modifying wpa_supplicant conf:
>>>>
>>>> - ca_cert="ca.pem"
>>>> + ca_cert="server.pem"
>>>>
>>>> But with the same result.
>>> Because the path is wrong, ie. certificate is not there. Put the correct
>>> path to where you have imported the certificate.
>>>
>>> Ivan Kalik
>>>
>> Sorry, but I'm still more than confused.
>>
>> Problem is on the server side, isn't it?
>
> No. Problem is missing ca certificate on the supplicant machine.
>
> Ivan Kalik
>
Yea you are right, because without well verified certs on the server side the
server will never start.

--
Tom
Re: EAP advanced auth. methods problem

Paul Ryszka wrote:
> On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote:
>> t...@kalik.net wrote:
>>>> Also tried modifying wpa_supplicant conf:
>>>>
>>>> - ca_cert="ca.pem"
>>>> + ca_cert="server.pem"
>>>>
>>>> But with the same result.
>>> Because the path is wrong, ie. certificate is not there. Put the correct
>>> path to where you have imported the certificate.
>>>
>>> Ivan Kalik
>>>
>> Sorry, but I'm still more than confused.
>>
>> Problem is on the server side, isn't it? CA and server certs are now in
>> the same dir as the whole RADIUS configuration; is it necessary to put
>> certs into a "trusted" directory like /etc/ssl/certs?
>>
>> Thanks for advice.
>>
>
> I think that the idea was to put the full path to certificates in the
> conf file like :
> ca_cert="/full/path/to/server.pem"
>
Same result, full path on both sides (client/server).

--
Tom
Re: EAP advanced auth. methods problem

t...@kalik.net wrote:
>> Also tried modifying wpa_supplicant conf:
>>
>> - ca_cert="ca.pem"
>> + ca_cert="server.pem"
>>
>> But with the same result.
>
> Because the path is wrong, ie. certificate is not there. Put the correct
> path to where you have imported the certificate.
>
> Ivan Kalik
>
Sorry, but I'm still more than confused.

Problem is on the server side, isn't it? CA and server certs are now in
the same dir as the whole RADIUS configuration; is it necessary to put
certs into a "trusted" directory like /etc/ssl/certs?

Thanks for advice.

--
Tom
Re: EAP advanced auth. methods problem

t...@kalik.net wrote:
>> So the problem is in certificate:
>>
>> [tls] <<< TLS 1.0 Handshake [length 038d], Certificate
>> --> verify error:num=20:unable to get local issuer certificate
>> [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>
> That means that you haven't imported self-signed ca certificate onto the
> client.
>
>> # openssl verify -CApath ca.pem client.pem
>> client.pem: /C=FR/ST=Radius/O=Example
>> Inc./cn=u...@example.com/emailaddress=u...@example.com
>> error 20 at 0 depth lookup:unable to get local issuer certificate
>>
>> I'm a little bit confused, I created the client certificate using make
>> client.
>
> Which uses server certificate to sign client certificates.
>
>> Isn't it possible that freeradius Makefile is buggy?
>
> No. Try verify with server certificate (as it is done in Makefile).

# c_rehash .
# openssl verify -CApath . client.pem
client.pem: OK
# openssl verify -CApath . server.pem
server.pem: OK

Also tried modifying wpa_supplicant conf:

- ca_cert="ca.pem"
+ ca_cert="server.pem"

But with the same result.

--
Tom
Key fingerprint = 06C0 23C6 9EB7 0761 9807 65F4 7F6F 7EAB 496B 28AA
Re: EAP advanced auth. methods problem

Tomas Pelka wrote:
> t...@kalik.net wrote:
>>> Alan DeKok wrote:
>>>> Tomas Pelka wrote:
>>>>> have a problem with "advanced" EAP authentication methods including
>>>>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>>>> I wouldn't call them "advanced..."
>>>>
>>>>> Certs were created with the makefile included in freeradius sources.
>>>>>
>>>>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>>>>> len=4) from RADIUS server: EAP Failure
>> Authentication works fine - you are getting an initial Access-Accept. But
>> then:
>>
>> [ttls] Skipping Phase2 due to session resumption
>> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
>>
>> Read cache section of eap.conf.
>>
>> Ivan Kalik
>
> So if I get it right, the problem is reauthentication, right? But
>
> #tls section
> cache {
>         enable = yes
>         lifetime = 24 # hours
>         max_entries = 255
> }
>
> and even no cache (enable=no) does not work.
>
> TTLS-md5/mschapv2 and PEAP work with cache enabled (inside ttls section).
>
> Thanks.
>
So the problem is in certificate:

[tls] <<< TLS 1.0 Handshake [length 038d], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject

# openssl verify -CApath ca.pem client.pem
client.pem: /C=FR/ST=Radius/O=Example Inc./cn=u...@example.com/emailaddress=u...@example.com
error 20 at 0 depth lookup:unable to get local issuer certificate

I'm a little bit confused, I created the client certificate using make
client.

Isn't it possible that freeradius Makefile is buggy?

Cheers

--
Tom
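The verification steps discussed in this message, as an added example that is not from the thread or from FreeRADIUS: a POSIX shell script that builds a constructed throwaway ca.pem/server.pem/client.pem set (an assumption for this example: the CA issues both end-entity certificates), then checks the chains the way a supplicant configured with ca_cert= does (a single trusted file) and the way -CApath requires (a hashed directory, as produced by c_rehash, never a plain file). Assumes an openssl 1.1.1 or newer binary on PATH.

```shell
#!/bin/sh
# Added example (not from the thread or FreeRADIUS): build a constructed
# ca.pem/server.pem/client.pem set and check the chains with openssl verify.
# Assumes an openssl >= 1.1.1 binary on PATH.

# Make a temp dir where the CA issues both end-entity certs; print its path.
# Runs in a subshell so the cd does not leak to the caller.
setup_certs() (
  dir=$(mktemp -d) && cd "$dir" || return 1
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr \
      -subj "/CN=Example CA" >/dev/null 2>&1
  openssl x509 -req -in ca.csr -signkey ca.key -days 1 -extfile ca.ext \
      -out ca.pem >/dev/null 2>&1
  for name in server client; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$name.example.com" >/dev/null 2>&1
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
        -CAcreateserial -days 1 -out "$name.pem" >/dev/null 2>&1
  done
  echo "$dir"
)

# Same trust model as ca_cert="/full/path/ca.pem" in wpa_supplicant: the
# peer certificate has to chain to that one trusted file. Exit 0 = chain OK.
verify_with_file() {  # $1 = trusted CA file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# -CApath wants a directory of hash-named links. Given a plain file such as
# ca.pem it finds no issuer and reports error 20, as in the quoted output.
verify_with_dir() {  # $1 = hashed directory, $2 = certificate to check
  openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Create the hash links (Tom's "c_rehash ." step; newer openssl has rehash).
rehash_dir() {  # $1 = directory holding the CA PEM files
  openssl rehash "$1" >/dev/null 2>&1 || c_rehash "$1" >/dev/null 2>&1
}

# Extract the "error N at D depth" part of a failed verify for a report.
verify_reason() {  # $1 = trusted CA file, $2 = certificate to check
  openssl verify -CAfile "$1" "$2" 2>&1 |
    grep -o 'error [0-9]* at [0-9]* depth' | head -n 1
}
```

Running verify_with_dir with ca.pem as the "directory" reproduces the error 20 seen above even though the CA is the right one; the same directory after rehash_dir verifies both certificates.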
Re: EAP advanced auth. methods problem

t...@kalik.net wrote:
>> Alan DeKok wrote:
>>> Tomas Pelka wrote:
>>>> have a problem with "advanced" EAP authentication methods including
>>>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>>> I wouldn't call them "advanced..."
>>>
>>>> Certs were created with the makefile included in freeradius sources.
>>>>
>>>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>>>> len=4) from RADIUS server: EAP Failure
>
> Authentication works fine - you are getting an initial Access-Accept. But
> then:
>
> [ttls] Skipping Phase2 due to session resumption
> [ttls] FAIL: Forcibly stopping session resumption as it is not allowed.
>
> Read cache section of eap.conf.
>
> Ivan Kalik
>
So if I get it right, the problem is reauthentication, right? But

#tls section
cache {
        enable = yes
        lifetime = 24 # hours
        max_entries = 255
}

and even no cache (enable=no) does not work.

TTLS-md5/mschapv2 and PEAP work with cache enabled (inside ttls section).

Thanks.

--
Tom
Re: EAP advanced auth. methods problem

Alan DeKok wrote:
> Tomas Pelka wrote:
>> have a problem with "advanced" EAP authentication methods including
>> PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2.
>
> I wouldn't call them "advanced..."
>
>> Certs were created with the makefile included in freeradius sources.
>>
>> All my experiments end with: decapsulated EAP packet (code=4 id=4
>> len=4) from RADIUS server: EAP Failure
>>
>> Running as, for example
>> ./eapol_test -c test_tls.conf -a192.168.56.3 -p1812 -stesting123 -r1
>>
>> Output, eap.conf and test_tls.conf attached.
>
> Can you explain why you sent:
>
> * config files
>
> * eapol_test output
>
> And NOT the server debugging output, as suggested in the FAQ, README,
> INSTALL, "man" page, web pages, and daily on this list?
>
> You have sent everything EXCEPT the information we need to help you.

Yes you are right, shame on me!

radiusd -X output is attached now.

Sorry

--
Tom

FreeRADIUS Version 2.1.7, for host i486-pc-linux-gnu, built on Nov 18 2009 at 00:32:07
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
Re: adding eap-tls/peap/ttls support to freeradius problem

On 11/17/2009 11:25 PM, Alan Buxey wrote:
> hi,
> it's not a peap/ttls/eap problem - it's a problem with linking to your SQL
> libraries. i guess you want to use postgresql? have you got the psqgl devel
> libraries etc installed?
>
> and 2.0.4 is very very old now
>
> alan
>
Yea you are right, weird chance cause I probably uninstalled the postgresql-dev
package. Looks like it works.

Thanks Alan

--
Tom
adding eap-tls/peap/ttls support to freeradius problem

Hi guys,

have some problems with compiling freeradius with eap-tls/peap/ttls support.

configure running:

./configure --prefix=/usr \
 --exec-prefix=/usr \
 --mandir=$(mandir) \
 --sysconfdir=/etc \
 --libdir=$(libdir) \
 --datadir=/usr/share \
 --localstatedir=/var \
 --with-raddbdir=$(raddbdir) \
 --with-logdir=/var/log/$(package) \
 --enable-ltdl-install=no --enable-strict-dependencies \
 --with-large-files --with-udpfromto --with-edir \
 --enable-developer \
 --config-cache \
 --with-rlm_eap_tls \
 --with-rlm_eap_ttls \
 --with-rlm_eap_peap \
 --without-rlm_eap_tnc \
 --without-rlm_otp \
 --with-rlm_sql_postgresql_lib_dir=`pg_config --libdir` \
 --with-rlm_sql_postgresql_include_dir=`pg_config --includedir` \
 --with-openssl \
 --without-rlm_eap_ikev2 \
 --without-rlm_sql_oracle \
 --without-rlm_sql_unixodbc \
 --with-system-libtool \
 --without-rlm_counter \
 --without-rlm_ldap

Gcc output:

/usr/bin/libtool --mode=link gcc -release 2.0.4 \
 -module -export-dynamic -o rlm_sql_log.la \
 -rpath /usr/lib/freeradius rlm_sql_log.lo rlm_sql_log.c /usr/src/freeradius-2.0.4+dfsg/src/lib/libfreeradius-radius.la /usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql/.libs/rlm_sql.la -lnsl -lresolv -lpthread
libtool: link: cannot find the library `/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql/.libs/rlm_sql.la' or unhandled argument `/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql/.libs/rlm_sql.la'
make[7]: *** [rlm_sql_log.la] Error 1
make[7]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src/modules/rlm_sql_log'
make[6]: *** [common] Error 2
make[6]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src/modules'
make[5]: *** [all] Error 2
make[5]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src/modules'
make[4]: *** [common] Error 2
make[4]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src'
make[3]: *** [all] Error 2
make[3]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg/src'
make[2]: *** [common] Error 2
make[2]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/usr/src/freeradius-2.0.4+dfsg'
make: *** [build-arch-stamp] Error 2

Am I missing something?

Thanks for advice.

--
Tom