PEAP Server certificate problem

2004-06-21 Thread Veerabhushan Hatte

I am trying to get PEAP running with a server certificate.
I am using freeRADIUS version 1.0.0.pre3. I get the following error. Can anyone tell me the reason for this? Here is the setup,

client -- AP -- freeRADIUS

radiusd output with -X -A option

Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.10.202:3072, id=0, length=210
        User-Name = "bill"
        NAS-IP-Address = 192.168.10.202
        Called-Station-Id = "000f6618f78a"
        Calling-Station-Id = "000f661d2a27"
        NAS-Identifier = "000f6618f78a"
        NAS-Port = 16
        Framed-MTU = 1400
        State = 0x1c4e178e2bc98f392d7790f75b245fe3
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x02010050198000461603010041013d030140d7a299b2f91538ee2ce9b0fe5733268ae1b5d3a91bdde1c5543688b308ce261600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0x54759471236cbc92ac2424359782dc6f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "bill", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched bill at 106
radius_xlat: 'Hello, I am Bill here --- (MS-CHAP) bill'
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 0694], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data

    TLS_accept:error in SSLv3 read client certificate A



users file

"bill"  User-Password == "hellobill"
        Reply-Message = "Hello, I am Bill here --- (MS-CHAP) %u"
eap.conf

...
        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem

                #  If Private key & Certificate are located in
                #  the same file, then private_key_file &
                #  certificate_file must contain the same file
                #  name.
                certificate_file = ${raddbdir}/certs/cert-srv.pem

                #  Trusted Root CA list
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random

                #
                #  This can never exceed the size of a RADIUS
                #  packet (4096 bytes), and is preferably half
                #  that, to accommodate other attributes in
                #  RADIUS packet.  On most APs the MAX packet
                #  length is configured between 1500 - 1600
                #  In these cases, fragment size should be
                #  1024 or less.
                #
                #       fragment_size = 1024

                #  include_length is a flag which is
                #  by default set to yes If set to
                #  yes, Total Length of the message is
                #  included in EVERY packet we send.
                #  If set to no, Total Length of the
                #  message is included ONLY in the
                #  First packet of a fragment series.
                #
                #       include_length = yes

                #  Check the Certificate Revocation List
                #
                #  1) Copy CA certificates and CRLs to same directory.
                #  2) Execute 'c_rehash <CA certs & CRLs directory>'.
                #     'c_rehash' is OpenSSL's command.
                #  3) Add 'CA_path=<CA certs & CRLs directory>'
                #     to radiusd.conf's tls section.
                #  4) uncomment the line below.
                #  5) Restart radiusd
                #       check_crl = yes

                #
                #  If check_cert_cn is set, the value will
                #  be xlat'ed and checked against the CN
                #  in the client certificate.  If the values
                #  do not match, the certificate verification
                #  will fail rejecting the user.
                #
                #       check_cert_cn = %{User-Name}
        }

        peap {
                #  The tunneled EAP session needs a default
                #  EAP type which is separate from the one for
                #  the non-tunneled EAP module.  Inside of the
                #  PEAP tunnel, we recommend using MS-CHAPv2,
                #  as that is the default type supported by
                #  Windows clients.
                default_eap_type = mschapv2
        }

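The debug output above prints the client's first EAP-Message as raw hex, and the log lines that follow ("EAP packet type response id 1 length 80", "Length Included", "TLS 1.0 Handshake [length 0041], ClientHello") are what radiusd read out of that framing. The added example below, which is not FreeRADIUS code, builds an EAP-Response/PEAP carrying a TLS 1.0 ClientHello with the same framing and decodes those fields again; the cipher-suite list is taken from the logged value, the random bytes are constructed. Note that the value as archived above is 74 bytes although its EAP header says 80, so the decoder reports the inconsistency for it instead of decoding the remainder.

```python
import struct

EAP_RESPONSE, EAP_TYPE_PEAP, TLS_HANDSHAKE, CLIENT_HELLO = 2, 25, 0x16, 1
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def client_hello_record(random32, suites):
    """TLS 1.0 record carrying a ClientHello with an empty session id and null compression."""
    body = b"\x03\x01" + random32 + b"\x00"
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake

def wrap_peap(eap_id, tls_data):
    """EAP-Response/PEAP with flags 0x80: L (length included) set, M and S clear, version 0."""
    body = bytes([EAP_TYPE_PEAP, 0x80]) + struct.pack("!I", len(tls_data)) + tls_data
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 4 + len(body)) + body

def parse_eap_peap(data):
    """Decode the EAP/PEAP/TLS-record framing; set 'error' when a length field disagrees with the bytes."""
    code, eap_id, length = struct.unpack("!BBH", data[:4])
    info = {"code": EAP_CODES.get(code, code), "id": eap_id, "length": length}
    if length != len(data):
        info["error"] = f"EAP length field says {length} bytes, {len(data)} received"
        return info
    if code not in (1, 2) or data[4] != EAP_TYPE_PEAP:
        return info
    flags = data[5]
    info.update(type="PEAP", length_included=bool(flags & 0x80), more_fragments=bool(flags & 0x40),
                start=bool(flags & 0x20), version=flags & 0x07)
    offset = 10 if info["length_included"] else 6
    if info["length_included"]:
        info["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
    tls = data[offset:]
    if info["length_included"] and not info["more_fragments"] and info["tls_total_length"] != len(tls):
        info["error"] = f"TLS length field says {info['tls_total_length']} bytes, {len(tls)} carried"
        return info
    if len(tls) >= 6:
        ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
        info.update(tls_record_type=ctype, tls_version=f"{major}.{minor}", tls_record_length=rec_len)
        if ctype == TLS_HANDSHAKE:
            info["handshake"] = "ClientHello" if tls[5] == CLIENT_HELLO else tls[5]
    return info

# Constructed sample: the same 11 cipher suites as the logged ClientHello; the random bytes are made up.
PAGE_SUITES = [0x0004, 0x0005, 0x000A, 0x0009, 0x0064, 0x0062, 0x0003, 0x0006, 0x0013, 0x0012, 0x0063]
SAMPLE = wrap_peap(1, client_hello_record(bytes(range(32)), PAGE_SUITES))
# The attribute value exactly as it appears in the archived debug output above (74 bytes, header says 80).
ARCHIVED = bytes.fromhex("02010050198000461603010041013d030140d7a299b2f91538ee2ce9b0fe5733268ae1b5d3a91bdde1c5543688b308ce261600040005000a000900640062000300060013001200630100")
```

Running parse_eap_peap(SAMPLE) gives the same id, length, TLS version and handshake length (0x41 = 65) that the log reports; parse_eap_peap(ARCHIVED) stops at the EAP length check.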

LDAP configuration help

2004-06-15 Thread Veerabhushan Hatte
Hello again,
I am trying to configure freeRADIUS for LDAP. The setup is as follows,

client -- LinkSYS AP -- Linux running freeRADIUS -- MS Windows (LDAP server)
          192.168.10.5    192.168.10.212              192.168.10.200

I am trying to configure the Linux system running freeRADIUS to forward LDAP requests to the MS Windows system. I did the following configuration by following this document on the web,

http://www.tldp.org/HOWTO/LDAP-Implementation-HOWTO/radius.html

I configured radiusd.conf as follows,

ldap {
        server = 192.168.10.200
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"

        # set this to 'yes' to use TLS encrypted connections
        # to the LDAP database
        ..
}

Authentication types are configured as follows,

authenticate {
        #
        #  PAP authentication, when a back-end database listed
        #  in the 'authorize' section supplies a password.  The
        #  password can be clear-text, or encrypted.
        Auth-Type PAP {
                pap
        }

        #
        #  Most people want CHAP authentication
        #  A back-end database listed in the 'authorize' section
        #  MUST supply a CLEAR TEXT password.  Encrypted passwords
        #  won't work.
        Auth-Type CHAP {
                chap
        }

        #
        #  MSCHAP authentication.
        Auth-Type MS-CHAP {
                mschap
        }

        #
        #  If you have a Cisco SIP server authenticating against
        #  FreeRADIUS, uncomment the following line, and the 'digest'
        #  line in the 'authorize' section.
        #       digest

        #
        #  Pluggable Authentication Modules.
        pam

        #
        #  See 'man getpwent' for information on how the 'unix'
        #  module checks the users password.  Note that packets
        #  containing CHAP-Password attributes CANNOT be authenticated
        #  against /etc/passwd!  See the FAQ for details.
        #
        #       unix

        # Uncomment it if you want to use ldap for authentication
        #
        # Note that this means "check plain-text password against
        # the ldap database", which means that EAP won't work,
        # as it does not supply a plain-text password.
        Auth-Type LDAP {
                ldap
        }

        #
        #  Allow EAP authentication.
        eap
}

Configured users file to support LDAP by default,

..
#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
DEFAULT Auth-Type = LDAP
        Fall-Through = 1
..

Configured clients.conf as follows,

client 192.168.10.5 {
        secret    = testing123
        shortname = linksys_ap
}

I have not done any other configuration for freeradius-1.0.0-pre2.

I get a core dump if I start the radiusd daemon,
# ./radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Memory fault (core dumped)

Am I missing any configuration for LDAP?
Can someone point me to the
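
The ldap block in the radiusd.conf above builds its search filter from a request attribute through the `%{Stripped-User-Name:-%{User-Name}}` expansion. The added example below, which is not rlm_ldap's own code, shows that expansion rule (use Stripped-User-Name when present, otherwise fall back to User-Name) together with the RFC 4515 escaping that anything substituting a request attribute into a filter must apply so that the user name is matched literally; the attribute values in the test are constructed.

```python
# Expansion of the ldap 'filter' template above, with the substituted attribute value escaped
# per RFC 4515 section 3. Added example for illustration; this is not rlm_ldap's own code.
FILTER_TEMPLATE = "(uid=%{Stripped-User-Name:-%{User-Name}})"
FILTER_SPECIALS = "*()\\\x00"   # characters that change a filter's meaning if left unescaped

def ldap_escape(value):
    """Hex-escape RFC 4515 special characters so the value is matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in FILTER_SPECIALS else ch for ch in value)

def xlat(template, attrs):
    """Expand %{Attr} and %{Attr:-fallback}; a fallback may itself be a %{...} reference.
    Expanded values are never re-scanned, so nothing in an attribute value is re-interpreted."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            value, i = _expand_ref(template, i + 2, attrs)
            out.append(value)
        else:
            out.append(template[i])
            i += 1
    return "".join(out)

def _expand_ref(template, i, attrs):
    """Parse from just after '%{' to the matching '}'; return (expanded value, index after '}')."""
    name_end = i
    while template[name_end] not in ":}":
        name_end += 1
    name = template[i:name_end]
    fallback, i = "", name_end
    if template.startswith(":-", i):
        i, parts = i + 2, []
        while template[i] != "}":                   # fallback text runs to the closing brace
            if template.startswith("%{", i):
                value, i = _expand_ref(template, i + 2, attrs)
                parts.append(value)
            else:
                parts.append(template[i])
                i += 1
        fallback = "".join(parts)
    value = attrs.get(name)
    return (ldap_escape(value) if value is not None else fallback), i + 1

def build_filter(attrs):
    """Build the search filter for one request; attrs maps RADIUS attribute names to values."""
    return xlat(FILTER_TEMPLATE, attrs)
```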