eap/tls authentication problem

2008-06-15 Thread Mike Zoeteweij

Hello all,

I'm relatively new with freeradius. I got freeradius running fine as an AAA 
server and want to extend it to authenticate my wireless.

I'm testing with a linksys wrt54g ap.
I've done a lot of reading on how to configure eap/tls but for some 
reason I can't get it to work. Can anybody give me some advice on how to 
get this to work?

see below a screen dump of the freeradius server.


rad_recv: Access-Request packet from host 192.168.100.5:2689, id=3, 
length=1660

   Message-Authenticator = 0x9a0b07611fd6b83251839c544b3552e6
   Service-Type = Framed-User
   User-Name = mike
   Framed-MTU = 1488
   State = 0x55654869c3d2859237b430d6df9b6c0f
   Called-Station-Id = 00-18-F8-F5-87-53:mikiemike
   Calling-Station-Id = 00-13-E8-94-F3-B5
   NAS-Port-Type = Wireless-802.11
   Connect-Info = CONNECT 54Mbps 802.11g

   NAS-IP-Address = 192.168.100.5
   NAS-Port = 1
   NAS-Port-Id = STA port # 1
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
 modcall[authorize]: module preprocess returns ok for request 13
 modcall[authorize]: module chap returns noop for request 13
 modcall[authorize]: module mschap returns noop for request 13
   rlm_realm: No '@' in User-Name = mike, looking up realm NULL
   rlm_realm: No such realm NULL
 modcall[authorize]: module suffix returns noop for request 13
 rlm_eap: EAP packet type response id 3 length 253
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module eap returns updated for request 13
   users: Matched DEFAULT at 152
   users: Matched DEFAULT at 171
   users: Matched mike at 219
 modcall[authorize]: module files returns ok for request 13
modcall: group authorize returns updated for request 13
 rad_check_password:  Found Auth-Type EAP
auth: type EAP
 Processing the authenticate section of radiusd.conf
modcall: 

Re: eap/tls authentication problem

2008-06-15 Thread Jelle Langbroek
So, you should probably create a new certificate with a certified CA or a
correct own CA. Install openssl and follow a howto on creating new
certificates. Make sure you match the Common Name to server.domainname.
Furthermore, change certificate options (like password) in eap.conf.

gr, jelle




  rlm_eap_tls:  TLS 1.0 Handshake [length 0377], Certificate  -- verify
 error:num=20:unable to get local issuer certificate
 chain-depth=0,
 error=20
 -- User-Name = mike
 -- BUF-Name = mike
 -- subject = /C=NL/ST=Netherlands/O=C2C/CN=mike/[EMAIL PROTECTED]
 -- issuer  =
 /C=NL/ST=Netherlands/O=C2C/CN=BDHZ_server/[EMAIL PROTECTED]
 -- verify return:0
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca  TLS Alert
 write:fatal:unknown CA
   TLS_accept:error in SSLv3 read client certificate B
 6996:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
 returned:s3_srvr.c:2004:
 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
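The "error=20:unable to get local issuer certificate" line in the quoted log is OpenSSL saying that the issuer of the client certificate (CN=BDHZ_server) is not in the CA file the server loads from eap.conf. The script below is an added example, not code from the thread or from FreeRADIUS: it builds throwaway CAs and a client certificate using the names from the log, then runs the same chain check with the openssl CLI against the right CA and against a wrong one. It assumes the openssl command is installed; the directory, file basenames and the "OldServerCA" name are constructed for the demo.

```shell
#!/bin/sh
# Added demo: the verify step rlm_eap_tls runs against CA_file, done with plain openssl.
# Everything is generated in a temp dir; names come from the thread, the keys and
# certificates are throwaway (constructed for this demo).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ_BASE="/C=NL/ST=Netherlands/O=C2C"

# make_ca <basename> <CN>: self-signed CA certificate plus key.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "$SUBJ_BASE/CN=$2" >/dev/null 2>&1
}

# make_client <ca-basename> <CN>: client certificate for CN signed by that CA.
make_client() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" \
    -subj "$SUBJ_BASE/CN=$2" >/dev/null 2>&1 &&
  openssl x509 -req -days 2 -in "$WORK/$2.csr" \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_client <ca-basename> <client-CN>: the chain check the server performs
# with its CA_file. Prints openssl's verdict and returns its exit status (0 = OK).
verify_client() {
  rc=0
  out=$(openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>&1) || rc=$?
  printf '%s\n' "$out"
  return $rc
}

# subject_issuer <client-CN>: the subject/issuer pair rlm_eap_tls logs for the cert.
subject_issuer() {
  openssl x509 -in "$WORK/$1.pem" -noout -subject -issuer
}

make_ca bdhz BDHZ_server      # the CA that signed mike's cert (the issuer in the log)
make_ca stale OldServerCA     # a different CA, as if CA_file pointed at the wrong cert
make_client bdhz mike

subject_issuer mike
verify_client bdhz mike       # prints ".../mike.pem: OK"
verify_client stale mike || : # prints "error 20 at 0 depth lookup: unable to get local issuer certificate"
```

If the second form of output is what you see for your own client certificate and the CA file named in eap.conf, the server is trusting a different CA than the one that issued the client certificate.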

Re: eap/tls authentication problem

2008-06-15 Thread Jelle Langbroek
Oh, and when using TLS, install client certificate on client.

2008/6/15 Jelle Langbroek [EMAIL PROTECTED]:

 So, you should probably create a new certificate with a certified CA or a
 correct own CA. Install openssl and follow a howto on creating new
 certificates. Make sure you match the Common Name to server.domainname.
 Furthermore, change certificate options (like password) in eap.conf.

 gr, jelle




  rlm_eap_tls:  TLS 1.0 Handshake [length 0377], Certificate  -- verify
 error:num=20:unable to get local issuer certificate
 chain-depth=0,
 error=20
 -- User-Name = mike
 -- BUF-Name = mike
 -- subject = /C=NL/ST=Netherlands/O=C2C/CN=mike/[EMAIL PROTECTED]
 -- issuer  =
 /C=NL/ST=Netherlands/O=C2C/CN=BDHZ_server/[EMAIL PROTECTED]
 -- verify return:0
  rlm_eap_tls:  TLS 1.0 Alert [length 0002], fatal unknown_ca  TLS Alert
 write:fatal:unknown CA
   TLS_accept:error in SSLv3 read client certificate B
 6996:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
 certificate returned:s3_srvr.c:2004:
 rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.



EAP-TLS authentication problem

2005-09-22 Thread park jeho

Hi all!

I have one problem with the wireless connection after the authentication procedure 
using the EAP-TLS authentication method through a radius server.

I have not solved this problem for about two weeks .. :-)
What I'm wondering about is that after xsupplicant prints out the AUTHENTICATED message, my 
wireless card still can't connect to the AP or other links.

I can't get any ping reply from other hosts!

But during the authentication procedure, the radius server sent an Access-Accept 
message with MS-MPPE-Recv-Key and MS-MPPE-Send-Key to the AP,

and then xsupplicant displayed an authentication success message like below:
-[ALL] Got EAP-Success!
-Authenticated!

[ testbed ]

WN (192.168.1.2) -- wireless network -- AP (192.168.1.1) -- LAN -- Authentication Server (192.168.1.3)


- WN
[hardware] : thinkpad R52
[OS]: debian3.1, kernel 2.6.11.11
[software] :
xsupplicant 1.2pre and 1.2.1  configuration file -
openssl 0.9.7a
ieee802 v1.0.3
ipw2200 v1.0.6 ( intel pro/wireless 2915ABG )
xsupplicant configuration : 
http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant-tls.conf


- AP
[hardware] : ASUS wl500g, firmware v 1.9.4
configuration info : 
http://jhpark.guideline.co.kr/project/mds/AP/ap_config_info.txt



- Authentication Server
[hardware] : toshiba tecra m3
[OS]: debian3.1, kernel 2.6.13
[software]:
freeradius v1.0.4, openssl v0.9.7e ( /usr/lib is base install path )
freeradius configuration :
radiusd.conf - 
http://jhpark.guideline.co.kr/project/mds/freeradius/radiusd.conf

eap.conf - http://jhpark.guideline.co.kr/project/mds/freeradius/eap.conf
other config - http://jhpark.guideline.co.kr/project/mds/freeradius/

1. association command with iwconfig
[EMAIL PROTECTED] eth1 essid asus key [x: 26 hex key which was setup 
in AP wep key] open


2. xsupplicant exec command
[EMAIL PROTECTED]/usr/local/sbin/xsupplicant -i eth1 -d 7 -f -c 
/root/xsupplicant-tls.conf


3. interface up
[EMAIL PROTECTED] eth1 92.168.1.3 netmask 255.255.255.0 up


and as a result,  i got this xsupplicant result message
-snip 

Stats for Interface eth1 :

EAPOL Frames RX:  8   EAPOL Frames TX:  8
EAPOL Starts TX:  1   EAPOL Logoff TX:  0
EAPOL Resp. ID TX  :  1   EAPOL Resp. TX :  6
EAPOL Req. ID RX   :  1   EAPOL Req. RX  :  6
EAPOL Invalid Frame:  0   EAP Length Error   :  0
Last EAPOL Version :  1   Last EAPOL Src.:00 11 D8 24 69 AA
EAPOL Success  :  1   EAPOL Failure  :  0

[STATE] Backend State : RECEIVE - SUCCESS
[STATE] Backend State : SUCCESS - IDLE
[ALL] Got Frame :

 snip -
Processing EAPoL-Key!
[INT] Key Descriptor   = 1
[INT] Key Length   = 13
[INT] Replay Counter   = 83 AA 80 92 94 9F 62 2A
[INT] Key IV   = B9 11 F5 37 D3 57 75 DB C4 F7 F1 47 98 BB 55 58
[INT] Key Index (RAW)  = 83
[INT] Key Signature= C2 76 90 CD 97 20 AA CF 8A EB 12 C8 DD 45 BC B9
[INT] EAPoL Key Processed: unicast [4] 13 bytes.
[INT] Using peer key!
*WARNING* This AP uses the key generated during the authentication
process.  If reauthentication doesn't happen frequently enough your connection
may not be very secure!
[INT] Successfully set WEP key [4]
[INT] Successfully set the WEP transmit key [4]
[INT] Got an RTM_NEWLINK!
[INT] Wireless event: cmd=0x8b2a len=12
[INT] Encryption key set
[STATE] AUTHENTICATING - AUTHENTICATED
[ALL] Canceled timer for 'authentication timer'!
[INT] Got an RTM_NEWLINK!
[INT] Wireless event: cmd=0x8b2a len=12
[INT] Encryption key set

--

Full xsupplicant message is this ( 
http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant.result )




Above all, I can't be sure the AP and WN (client) have succeeded in making a correct 
pairwise transient key.
If the pairwise transient key was made perfectly, why can't the WN node connect to 
other network links?


here is radiusd message during processing above client request.
[EMAIL PROTECTED] -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
main: prefix = /usr/local
main: localstatedir = /usr/local/var
main: logdir = /usr/local/var/log/radius
main: libdir = /usr/local/lib
main: radacctdir = /usr/local/var/log/radius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = /usr/local/var/log/radius/radius.log
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile