Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 18/02/13 10:57, Muhammad Nadeem wrote:


> ca_cert="/usr/local/etc/raddb/certs/ca.pem"
> client_cert="/usr/local/etc/raddb/certs/client.pem"
> private_kry="/usr/local/etc/raddb/certs/server.key"


^^^ typo - should be "client.key"

This is basic stuff; please read the docs for wpa_supplicant/eapol_test 
more carefully, and your own configs, before posting questions, 
particularly as others have pointed out, this is not the eapol_test 
support list...

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
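The typo Phil spotted is the kind of thing a few lines of parsing can catch before a request is ever sent. The following is an added example, not code from the thread or from wpa_supplicant: it reads an eapol_test/wpa_supplicant `network={ ... }` block, reports option names that are not in a deliberately small, hand-picked list of known options (together with the closest valid spelling), and for `eap=TLS` reports any required option that is missing; a base-name mismatch between `client_cert` and `private_key` is flagged as a heuristic hint only. `POSTED_BLOCK` is the block from this thread; `WRONG_KEY_BLOCK` and `CORRECTED_BLOCK` are constructed variants.

```python
"""Lint an eapol_test / wpa_supplicant network block for misspelled option names.

Added example, not code from the thread or from wpa_supplicant.  KNOWN_KEYS is a
hand-picked subset of wpa_supplicant's network options, not the full list.
POSTED_BLOCK is the block from this thread; the other two blocks are constructed.
"""
import difflib
import os
import re

KNOWN_KEYS = {
    "ssid", "key_mgmt", "eap", "eapol_flags", "identity", "anonymous_identity",
    "password", "ca_cert", "client_cert", "private_key", "private_key_passwd",
    "phase1", "phase2", "subject_match", "domain_suffix_match",
}
REQUIRED_FOR_TLS = {"identity", "ca_cert", "client_cert", "private_key"}

POSTED_BLOCK = """
netwrok={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="bob"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"
private_key_passwd="whatever"
}
"""
# Constructed: spelling fixed, but the key still points at the server's key.
WRONG_KEY_BLOCK = POSTED_BLOCK.replace("netwrok=", "network=").replace("private_kry=", "private_key=")
# Constructed: the block as it should look for the client pair in raddb/certs.
CORRECTED_BLOCK = WRONG_KEY_BLOCK.replace("server.key", "client.key")

BLOCK_RE = re.compile(r"^\s*(\w+)\s*=\s*\{\s*$")
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_network_block(text):
    """Return (block_name, {option: raw_value}); values keep their quotes, as eapol_test reads them."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    head = BLOCK_RE.match(lines[0])
    if not head or lines[-1].strip() != "}":
        raise ValueError("expected a 'name={ ... }' block")
    options = {}
    for ln in lines[1:-1]:
        kv = KV_RE.match(ln)
        if not kv:
            raise ValueError(f"cannot parse option line {ln!r}")
        options[kv.group(1)] = kv.group(2)
    return head.group(1), options


def _basename(path):
    return os.path.splitext(os.path.basename(path.strip('"')))[0]


def lint_network_block(text):
    """Return human-readable findings; an empty list means nothing obviously wrong."""
    findings = []
    name, opts = parse_network_block(text)
    if name != "network":
        findings.append(f"block is named {name!r}; eapol_test expects 'network'")
    for key in opts:
        if key not in KNOWN_KEYS:
            guess = difflib.get_close_matches(key, KNOWN_KEYS, n=1, cutoff=0.75)
            hint = f" (did you mean {guess[0]!r}?)" if guess else ""
            findings.append(f"unknown option {key!r}{hint}")
    if opts.get("eap", "").upper() == "TLS":
        for key in sorted(REQUIRED_FOR_TLS - set(opts)):
            findings.append(f"eap=TLS but required option {key!r} is missing")
    cert, key = opts.get("client_cert"), opts.get("private_key")
    if cert and key and _basename(cert) != _basename(key):
        # Heuristic only: raddb/certs names the pair client.pem / client.key.
        findings.append(f"client_cert {cert} and private_key {key} have different base names; "
                        "check that the key belongs to the client certificate")
    return findings


if __name__ == "__main__":
    for label, block in (("posted", POSTED_BLOCK), ("wrong key", WRONG_KEY_BLOCK),
                         ("corrected", CORRECTED_BLOCK)):
        print(f"{label}: {lint_network_block(block) or ['no findings']}")
```

Run as a script it prints three findings for the posted block (misnamed block, unknown `private_kry` with the suggestion `private_key`, and `private_key` missing for EAP-TLS), one heuristic finding for the spelling-fixed block that still names `server.key`, and none for the corrected block.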


Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi,

> > (but this mailing list isn't a support forum for either of those tools!)


I guess you don't read what I post... which means I'm not likely to answer you.

alan



Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, a.l.m.bu...@lboro.ac.uk  wrote:
> Hi,
>
>> Thankfully, this isn't correct. You can use "eapol_test" which comes
>> with the "wpa_supplicant" source to test pretty much every EAP type
>> there is, including EAP-TLS.
>>
>> To the OP - download wpa_supplicant sources and build eapol_test.
>
> eapol_test is VERY powerful, and there are even little test scripts provided
> in the FreeRADIUS source
>
> however, if you want clicky GUI then also look at JRadius Simulator:
>
> http://www.coova.org/JRadius/Simulator
>
> (but this mailing list isn't a support forum for either of those tools!)
>
> alan
>
thanks A.L.M., but actually I am not aware of what to send in the EAP-TLS
request.
I have followed the README in /raddb/certs/ and made the CA, CLIENT
and SERVER certificates.
Now I send a request to the server with eapol_test, with the following parameters:
netwrok={
eap=TLS
eapol_flags=0
key_mgmt=IEEE8021X
identity="bob"
ca_cert="/usr/local/etc/raddb/certs/ca.pem"
client_cert="/usr/local/etc/raddb/certs/client.pem"
private_kry="/usr/local/etc/raddb/certs/server.key"
private_key_passwd="whatever"
}

but this request gives me a FAILURE response.
I have googled a lot to find an appropriate answer (what needs to be
sent in the client request, etc.).


Re: EAP-TLS problem

2013-02-18 Thread Muhammad Nadeem
On 2/18/13, Phil Mayers  wrote:
> On 02/18/2013 06:31 AM, Tobias Hachmer wrote:
>> Hello Muhammad,
>>
>> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
>>> have configured eap.conf to use EAP-TLS. But I don't know how to
>>> send requests to the freeradius server, so that it can authenticate the
>>> user using TLS (with a digital certificate).
>>> Can anyone help me, thanks in advance..
>>
>> You will need a RADIUS Client, e.g.
>>- wireless access point
>>- lan switch
>>
>> which acts as the RADIUS Client (Authenticator in 802.1X terminology).
>> Both have to support 802.1X and RADIUS.
>> Without one you won't be able to test EAP-TLS. I am not aware of a simulator
>> client program.
>
> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
>
> To the OP - download wpa_supplicant sources and build eapol_test.
>

thanks Phil, eapol_test really is working. thanks a lot


Re: EAP-TLS problem

2013-02-18 Thread A . L . M . Buxey
Hi,

> Thankfully, this isn't correct. You can use "eapol_test" which comes
> with the "wpa_supplicant" source to test pretty much every EAP type
> there is, including EAP-TLS.
> 
> To the OP - download wpa_supplicant sources and build eapol_test.

eapol_test is VERY powerful, and there are even little test scripts provided
in the FreeRADIUS source

however, if you want clicky GUI then also look at JRadius Simulator:

http://www.coova.org/JRadius/Simulator

(but this mailing list isn't a support forum for either of those tools!)

alan


Re: EAP-TLS problem

2013-02-18 Thread Phil Mayers

On 02/18/2013 06:31 AM, Tobias Hachmer wrote:

> Hello Muhammad,
>
> On 18.02.2013 07:17, Muhammad Nadeem wrote:
>
>> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
>> have configured eap.conf to use EAP-TLS. But I don't know how to
>> send requests to the freeradius server, so that it can authenticate the
>> user using TLS (with a digital certificate).
>> Can anyone help me, thanks in advance..
>
> You will need a RADIUS Client, e.g.
>    - wireless access point
>    - lan switch
>
> which acts as the RADIUS Client (Authenticator in 802.1X terminology).
> Both have to support 802.1X and RADIUS.
> Without one you won't be able to test EAP-TLS. I am not aware of a simulator
> client program.


Thankfully, this isn't correct. You can use "eapol_test" which comes 
with the "wpa_supplicant" source to test pretty much every EAP type 
there is, including EAP-TLS.


To the OP - download wpa_supplicant sources and build eapol_test.


Re: EAP-TLS problem

2013-02-17 Thread Tobias Hachmer

Hello Muhammad,

On 18.02.2013 07:17, Muhammad Nadeem wrote:

> Now I want to practically test EAP-TLS with freeradius on REDHAT 5. I
> have configured eap.conf to use EAP-TLS. But I don't know how to
> send requests to the freeradius server, so that it can authenticate the
> user using TLS (with a digital certificate).
> Can anyone help me, thanks in advance..


You will need a RADIUS Client, e.g.
  - wireless access point
  - lan switch

which acts as the RADIUS Client (Authenticator in 802.1X terminology). 
Both have to support 802.1X and RADIUS.
Without one you won't be able to test EAP-TLS. I am not aware of a
simulator client program.


Regards,
Tobias


Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-29 Thread Marco Londero
On Wed, 29 Jun 2011 15:03:33 +0200, Alan DeKok 
wrote:

>> I thought it was some advanced chained root thing, but I never got it to
>> work even once, so I wrote my own, but it sucks.  I think it may be a bug,
>> and you just reminded me of that.  someone who knows what they're actually
>> on about should investigate that and see if it needs fixin' or filin'.
> It's a bug. The simplest thing to do is to make the client cert signed by
> the CA cert. This might have been done already, but I don't recall.
> 
> Patches are welcome.
I just checked 2.1.11 and that's fine. In raddb/certs/Makefile:

---
client.crt: client.csr ca.pem ca.key
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr \
		-key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile \
		xpextensions -config ./client.cnf
---


-- 
mandi, Marco


Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-29 Thread Alan DeKok
Christ Schlacta wrote:
> I always thought it was odd that the default makefile tried to sign the
> client certificate with the server certificate without the server
> certificate being signed with CA properties of any sort.

  Yes, well...

>  I thought it
> was some advanced chained root thing, but I never got it to work even
> once, so I wrote my own, but it sucks.  I think it may be a bug, and you
> just reminded me of that.  someone who knows what they're actually on
> about should investigate that and see if it needs fixin' or filin'.

  It's a bug.  The simplest thing to do is to make the client cert
signed by the CA cert.  This might have been done already, but I don't
recall.

  Patches are welcome.

  Alan DeKok.


Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-28 Thread Christ Schlacta

On 6/28/2011 01:52, Marco Londero wrote:

> On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok
> wrote:
>
>> Use the correct certificates.
>
> I re-generated the client certificate and signed it with the CA one instead of
> the server one (default Makefile conf) and it worked.
>
> Sorry for the noise.


I always thought it was odd that the default makefile tried to sign the 
client certificate with the server certificate without the server 
certificate being signed with CA properties of any sort.  I thought it 
was some advanced chained root thing, but I never got it to work even 
once, so I wrote my own, but it sucks.  I think it may be a bug, and you 
just reminded me of that.  someone who knows what they're actually on 
about should investigate that and see if it needs fixin' or filin'.



Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-28 Thread Marco Londero
On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok 
wrote:

> Use the correct certificates.
I re-generated the client certificate and signed it with the CA one instead of
the server one (default Makefile conf) and it worked.

Sorry for the noise.


-- 
mandi, Marco


Re: 802.1x auth EAP-TLS problem

2011-06-28 Thread Phil Mayers

On 06/28/2011 08:41 AM, Marco Londero wrote:

> Hi folks,
>
> I have a problem in my freeradius setup and I'm looking for some hints
> about that.
>
> Scenario:
>
> 1) GNU/Linux client w/ WPA supplicant configured to request access through
> EAP-TLS using a certificate (in order to achieve 802.1x ethernet
> authentication)
> 2) 802.1x enabled switch where client is connected
> 3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
> 4) freeradius authenticates users on LDAP
>
> Freeradius debug log of the issue is here:

Debug logs should be a) not trimmed and b) gathered with "radiusd -X | 
tee log" for best effect. However:




> ---
> http://pastie.org/2132916
> ---
>
> All certificates should be ok (both on server and client):

Well, they're not. The debug says:

Mon Jun 27 15:42:13 2011 : Info: [tls] <<< TLS 1.0 Handshake [length 0566], Certificate
Mon Jun 27 15:42:13 2011 : Error: --> verify error:num=20:unable to get local issuer certificate
Mon Jun 27 15:42:13 2011 : Info: [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca

Mon Jun 27 15:42:13 2011 : Error: TLS Alert write:fatal:unknown CA
Mon Jun 27 15:42:13 2011 : Error: TLS_accept:error in SSLv3 read client certificate B
Mon Jun 27 15:42:13 2011 : Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Mon Jun 27 15:42:13 2011 : Error: SSL: SSL_read failed in a system call (-1), TLS session fails.


Since you've trimmed the debug I can't see the config for your tls { } 
module, but you're missing a CA somewhere.



Re: 802.1x auth EAP-TLS problem

2011-06-28 Thread Alan DeKok
Marco Londero wrote:
> Freeradius debug log of the issue is here:

  The certificate produced by the client is unknown to the server.

> Any tips? Thank you!

  Use the correct certificates.

  Alan DeKok.



802.1x auth EAP-TLS problem

2011-06-28 Thread Marco Londero
Hi folks,

I have a problem in my freeradius setup and I'm looking for some hints
about that.

Scenario:

1) GNU/Linux client w/ WPA supplicant configured to request access through
EAP-TLS using a certificate (in order to achieve 802.1x ethernet
authentication)
2) 802.1x enabled switch where client is connected
3) user/pass 802.1x authentication works fine (MSCHAPv2 based)
4) freeradius authenticates users on LDAP

Freeradius debug log of the issue is here:

---
http://pastie.org/2132916
---

All certificates should be ok (both on server and client):

---
FP42A certs # openssl verify ca.pem 
ca.pem: OK
FP42A certs # openssl verify server.pem 
server.pem: OK
FP42A certs # openssl verify 02.pem 
02.pem: OK
---

Any tips? Thank you!


-- 
mandi, Marco


RE: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread Ville Leinonen
Hi,

Never mind, I figured out my problem. I added this line in my configuration:

ldap {
   notfound = reject
}

So if the user is not in my ldap, then it's rejected.

Br,

Ville



Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread Ville Leinonen
Hi,

Maybe I didn't start this post clearly, so I'll try to explain again what I want to do.

I have computer certificates.
I also have openldap and that ldap includes my computer accounts.

Now I want to use those certificates to authenticate
computers and get authorization information from my ldap. If
a computer doesn't have an account in my ldap, it's rejected.

But if I put only ldap in my authorization section, radius gives:

"No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user"

If I also put eap in the authorization section, radius uses eap
for authorization and gives Access-Accept, even if the user is not found
in ldap.

Br,

Ville


>Here are some other logs if I use only ldap in the authorize section:
>

>You have butchered the configuration and now you are wondering why it's
>not working? If you don't know what you are doing - don't do it. If
>you feel the urge to disable something (disabling unused modules is
>hardly going to make any impact on performance) get things working first
>- then remove things you feel you must one by one. If you remove
>something vital you will know what it was and will be able to put it
>back.

>Use default configuration. Configure *only* ldap module. Don't make
>*any* changes to virtual servers (authorize, authenticate etc.). And it
>will work.

>Ivan Kalik
>Kalik Informatika ISP


Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread tnt
>Here are some other logs if I use only ldap in the authorize section:
>

You have butchered the configuration and now you are wondering why it's
not working? If you don't know what you are doing - don't do it. If
you feel the urge to disable something (disabling unused modules is
hardly going to make any impact on performance) get things working first
- then remove things you feel you must one by one. If you remove
something vital you will know what it was and will be able to put it
back.

Use default configuration. Configure *only* ldap module. Don't make
*any* changes to virtual servers (authorize, authenticate etc.). And it
will work.

Ivan Kalik
Kalik Informatika ISP



Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread Ville Leinonen
Hi,

I read that, but what if the user is not found in ldap? Radius seems to need
some Auth-Type. How can I force the Auth-Type using ldap?

My radius gives this message -> "No authenticate method (Auth-Type)
configuration found for the request: Rejecting the user"

Here are some other logs if I use only ldap in the authorize section:

rad_recv: Access-Request packet from host 10.10.1.100 port 1024, id=198, length=224
Framed-MTU = 1466
NAS-IP-Address = 10.10.1.100
NAS-Identifier = "8021x"
User-Name = "lnx01.demo.local"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 37
NAS-Port-Type = Ethernet
NAS-Port-Id = "37"
Called-Station-Id = "00-16-b9-55-48-c0"
Calling-Station-Id = "00-e0-00-1c-1e-c1"
Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = "1"
EAP-Message = 0x02330016017375736530312e64656d6f2e6c6f63616c
Message-Authenticator = 0x5c313918e00d0d385d435e3194c284ed
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "lnx01.demo.local", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[files] users: Matched entry DEFAULT at line 190
++[files] returns ok
[ldap] performing user authorization for lnx01.demo.local
[ldap]  expand: (cn=%u) -> (cn=lnx01.demo.local)
[ldap]  expand: ou=8021x,dc=demo,dc=local -> ou=8021x,dc=demo,dc=local
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.10.101.31:389, authentication 0
rlm_ldap: setting TLS CACert Directory to /path/to/ca/dir/
rlm_ldap: bind as cn=Directory Manager/ to 10.10.101.31:389
rlm_ldap: waiting for bind result ...
request done: ld 0x9ba2480 msgid 1
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=8021x,dc=demo,dc=local, with filter (cn=lnx01.demo.local)
request done: ld 0x9ba2480 msgid 2
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user suse01.demo.local authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
Login incorrect: [suse01.demo.local/] (from client 8021x port 37 cli 00-e0-00-1c-1e-c1)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> suse01.demo.local
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 198 to 10.10.1.100 port 1024
Waking up in 4.9 seconds.
Cleaning up request 0 ID 198 with timestamp +6
Ready to process requests.

Br,

Ville

>We have openldap which includes our machine accounts. We
>also have computer certificates. Now what I want is that freeradius
>checks authorization against ldap and authenticates against certificates.
>
>I have tested putting ldap in the authorization section and eap in the authentication
>section, but this won't work. I have also tested putting both ldap and eap in the
>authorization section, but ldap won't return reject if the user's not found.
>
>Is there any method to return reject from the authorization section if the user is not
>found in ldap and stop processing there? Or is there any other method to do
>this?
>

>Read doc/rlm_ldap about access_attr.

>Ivan Kalik
>Kalik Informatika ISP

Re: Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-30 Thread tnt
>We have openldap which includes our machine accounts. We
>also have computer certificates. Now what I want is that freeradius
>checks authorization against ldap and authenticates against certificates.
>
>I have tested putting ldap in the authorization section and eap in the authentication
>section, but this won't work. I have also tested putting both ldap and eap in the
>authorization section, but ldap won't return reject if the user's not found.
>
>Is there any method to return reject from the authorization section if the user is not
>found in ldap and stop processing there? Or is there any other method to do
>this?
>

Read doc/rlm_ldap about access_attr.

Ivan Kalik
Kalik Informatika ISP



Freeradius 2.1.5 and LDAP+EAP-TLS problem.

2009-03-29 Thread Ville Leinonen

Hi,

We have openldap which includes our machine accounts. We
also have computer certificates. Now what I want is that freeradius
checks authorization against ldap and authenticates against certificates.

I have tested putting ldap in the authorization section and eap in the authentication
section, but this won't work. I have also tested putting both ldap and eap in the
authorization section, but ldap won't return reject if the user's not found.

Is there any method to return reject from the authorization section if the user is not
found in ldap and stop processing there? Or is there any other method to do
this?

We also have printers, which use 802.1x mac-auth.

Br,

Ville Leinonen

EAP-TLS problem

2007-06-11 Thread shantanu choudhary
hello all,
earlier I was having a problem with a segmentation fault in wpa_supplicant, which I
have resolved (at least I think so; it was because I was not using the xauth module
of the ath card). but now I am having a problem validating the CA: I am not able to
validate the server certificate.
I am sending you my wpa_supplicant result; I hope you can help me out.

EAP-TLS: Requesting private key passphrase
CTRL-REQ-PASSPHRASE-0:Private key passphrase needed for SSID ATH183
CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 37 30 39 36 2d 31 00
EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 37 30 39 36 2d 31 00
EAP: Pending PIN/passphrase request - skip Nak
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
RX ctrl_iface - hexdump_ascii(len=6):
 53 54 41 54 55 53 STATUS
ioctl[SIOCGIFADDR]: Cannot assign requested address
RX ctrl_iface - hexdump_ascii(len=13):
 4c 49 53 54 5f 4e 45 54 57 4f 52 4b 53   LIST_NETWORKS
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
EAPOL: startWhen --> 0
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
RX ctrl_iface - hexdump_ascii(len=4):
 50 49 4e 47   PING
RX ctrl_iface - hexdump_ascii(len=30): [REMOVED]
CTRL_IFACE: field=PASSPHRASE id=0
CTRL_IFACE: value - hexdump_ascii(len=8): [REMOVED]
EAPOL: received control response (user input) notification - retrying pending EAP Request
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=13 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
TLS: Trusted root certificate(s) loaded
TLS - SSL error: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
OpenSSL: tls_connection_client_cert - SSL_use_certificate_file (DER) failed error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: SSL_use_certificate_file (PEM) --> OK
OpenSSL: tls_connection_private_key - SSL_use_PrivateKey_File (DER) failed error:0D094065:asn1 encoding routines:d2i_ASN1_SET:bad class
OpenSSL: pending error: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
OpenSSL: pending error: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib
OpenSSL: pending error: error:140CB00D:SSL routines:SSL_use_PrivateKey_file:ASN1 lib
OpenSSL: SSL_use_PrivateKey_File (PEM) --> OK
SSL: Private key loaded successfully
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
CTRL_IFACE monitor send - hexdump(len=21): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 37 30 39 36 2d 31 00
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TLS: Start
SSL: SSL_connect - want more data
SSL: 101 bytes pending from ssl_out
SSL: 101 bytes left to be sent out (of total 101 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=111): 01 00 00 6b 02 01 00 6b 0d 00 16 03 01 00 60 01 00 
00 5c 03 01 46 6d 06 4b cc 4f b2 ae eb 76 1c 1a ab 4f 82 ee 2f bd fd 8e 83 a6 
c6 cd da 79 43 cb b4 07 97 13 00 00 34 00 39 00 38 00 35 00 16 00 13 00 0a 00 
33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00 
64 00 60 00 14 00 11 00 08 00 06 00 03 02 01 00
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:03:7f:09:60:7e
RX EAPOL - hexdump(len=1038): 01 00 04 0a 01 02 04 0a 0d c0 00 00 07 9e 16 03 
01 00 4a 02 00 00 46 03 01 46 6d 03 13 c3 0c 81 a0 fe 19 5b 81 0d fd af 94 0e 
8c 1d 58 53 16 d8 50 c1 56 81 a8 f0 5f 9b 79 20 1e 0e 1c b8 b7 1d d9 94 7b 65 
46 61 7a 9c 22 74 cd 58 6c 80 b9 86 75 a0 21 a5 a4 bf a7 7c 3d b4 00 35 00 16 
03 01 06 94 0b 00 06 90 00 06 8d 00 02 cd 30 82 02 c9 30 82 02 32 a0 03 02 01 
02 02 01 02 30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00 30 81 9f 31 0b 30 09 
06 03 55 04 06 13 02 43 41 31 11 30 0f 06 03 55 04 08 13 08 50 72 6f 76 69 6e 
63 65 31 12 30 10 06 03 55 04 07 13 09 53 6f 6d 65 20 43 69 74 79 31 15 30 13 
06 03 55 04 0a 13 0c 4f 72 67 61 6e 69 7a 61 74 69 6f 6e 31 12 30 10 06 03 55 
04 0b 13 09 6c 6f 63 61 6c 68 6f 73 74 31 1b 30 19 06 03 55 04 0
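The two EAPOL hexdumps above carry enough to decode by hand; the following added example (not code from the post or from wpa_supplicant) does it programmatically, walking EAPOL header, EAP header, EAP-TLS flags and length field, then the TLS records and, for the two hellos, the handshake fields. `TX_EAPOL` is the 111-byte client frame exactly as printed above; `RX_EAPOL_HEAD` is the first 120 bytes of the server reply as printed (the post's dump is cut off, so the Certificate record is necessarily truncated and the parser flags it instead of failing). Nothing on the page gives the rest of that frame, so the example does not invent it.

```python
"""Decode wpa_supplicant EAPOL hexdumps down to the TLS handshake fields.
Added example, not from the post or wpa_supplicant.  TX_EAPOL is the complete
111-byte client frame printed above; RX_EAPOL_HEAD is the first 120 bytes of
the server reply as printed (the post's dump is cut off)."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange"}

# Client -> authenticator, copied from the "TX EAPOL - hexdump(len=111)" line above.
TX_EAPOL = """
01 00 00 6b 02 01 00 6b 0d 00 16 03 01 00 60 01 00
00 5c 03 01 46 6d 06 4b cc 4f b2 ae eb 76 1c 1a ab 4f 82 ee 2f bd fd 8e 83 a6
c6 cd da 79 43 cb b4 07 97 13 00 00 34 00 39 00 38 00 35 00 16 00 13 00 0a 00
33 00 32 00 2f 00 66 00 05 00 04 00 63 00 62 00 61 00 15 00 12 00 09 00 65 00
64 00 60 00 14 00 11 00 08 00 06 00 03 02 01 00
"""
# Authenticator -> client, first five printed lines of the truncated "RX EAPOL" dump above.
RX_EAPOL_HEAD = """
01 00 04 0a 01 02 04 0a 0d c0 00 00 07 9e 16 03
01 00 4a 02 00 00 46 03 01 46 6d 03 13 c3 0c 81 a0 fe 19 5b 81 0d fd af 94 0e
8c 1d 58 53 16 d8 50 c1 56 81 a8 f0 5f 9b 79 20 1e 0e 1c b8 b7 1d d9 94 7b 65
46 61 7a 9c 22 74 cd 58 6c 80 b9 86 75 a0 21 a5 a4 bf a7 7c 3d b4 00 35 00 16
03 01 06 94 0b 00 06 90 00 06 8d 00 02 cd 30 82 02 c9 30 82 02 32 a0 03 02 01
"""


def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def parse_hello(htype, body):
    """Fields of a ClientHello (htype 1) or ServerHello (htype 2) body."""
    hello = {"version": (body[0], body[1]),
             "gmt_unix_time": struct.unpack(">I", body[2:6])[0],  # first 4 random bytes
             "random": body[2:34].hex()}
    sid_len, p = body[34], 35
    hello["session_id"] = body[p:p + sid_len].hex()
    p += sid_len
    if htype == 1:
        cs_len = struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        hello["cipher_suites"] = [struct.unpack(">H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
        p += cs_len
        cm_len = body[p]
        hello["compression_methods"] = list(body[p + 1:p + 1 + cm_len])
        p += 1 + cm_len
    else:
        hello["cipher_suite"] = struct.unpack(">H", body[p:p + 2])[0]
        hello["compression_method"] = body[p + 2]
        p += 3
    hello["has_extensions"] = p < len(body)
    return hello


def parse_tls_records(data):
    """Split TLS records; a record cut off by EAP fragmentation (or by the paste) is flagged."""
    records, p = [], 0
    while len(data) - p >= 5:
        ctype, vmaj, vmin, rlen = struct.unpack(">BBBH", data[p:p + 5])
        payload = data[p + 5:p + 5 + rlen]
        rec = {"content_type": ctype, "content_name": TLS_CONTENT.get(ctype, "unknown"),
               "version": (vmaj, vmin), "length": rlen, "truncated": len(payload) < rlen}
        if ctype == 22 and len(payload) >= 4:
            htype, hlen = payload[0], int.from_bytes(payload[1:4], "big")
            rec.update(handshake_type=htype, handshake_name=HANDSHAKE.get(htype, "unknown"),
                       handshake_length=hlen)
            body = payload[4:4 + hlen]
            if htype in (1, 2) and len(body) == hlen and hlen >= 38:
                rec["hello"] = parse_hello(htype, body)
        records.append(rec)
        p += 5 + rlen
    return records


def parse_eapol_eap_tls(dump):
    """Decode one EAPOL frame carrying an EAP packet (EAP-TLS payloads decoded further)."""
    frame = hexdump_to_bytes(dump)
    ver, etype, body_len = struct.unpack(">BBH", frame[:4])
    body = frame[4:]
    code, eid, elen = struct.unpack(">BBH", body[:4])
    eap = {"code": code, "code_name": EAP_CODES.get(code, "unknown"), "id": eid,
           "length": elen, "length_matches_eapol": elen == body_len}
    p = 4
    if code in (1, 2):  # Request/Response carry a type byte
        eap["type"], p = body[p], p + 1
        if eap["type"] == EAP_TYPE_TLS:
            flags, p = body[p], p + 1
            eap["flags"] = flags
            eap["flag_names"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
            if flags & 0x80:  # L flag: 4-byte total length of the whole TLS message
                eap["tls_message_length"] = struct.unpack(">I", body[p:p + 4])[0]
                p += 4
            tls = body[p:elen]
            eap["tls_bytes_in_fragment"] = len(tls)
            eap["fragment_truncated"] = len(tls) < elen - p  # dump shorter than EAP length
            eap["records"] = parse_tls_records(tls)
    return {"eapol": {"version": ver, "type": etype, "body_length": body_len}, "eap": eap}
```

`parse_eapol_eap_tls(TX_EAPOL)` shows a 107-byte EAP-Response of type 13 with flags 0 wrapping one 96-byte Handshake record: a TLS 1.0 ClientHello offering 26 cipher suites and no extensions (the "101 bytes pending from ssl_out" in the log is the record plus its 5-byte header). `parse_eapol_eap_tls(RX_EAPOL_HEAD)` shows the server's EAP-Request with the L and M flags set and a total TLS message length of 1950 bytes, a ServerHello selecting suite 0x0035 with a 32-byte session id, and the start of a 1684-byte Certificate record marked truncated. Pass the whole frame to `json.dumps` to see every field.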

Re: EAP-TLS problem

2007-06-06 Thread tnt
>problem is when i start my server and client server is showing output :-
>
>rad_recv: Access-Request packet from host 192.168.2.183:1026, id=2, length=177
>Ignoring request from unknown client 192.168.2.183:1026
>--- Walking the entire request list ---
>Nothing to do.  Sleeping until we see a request.

Check your entry for this client in clients.conf. Most likely you have
mistyped the IP address.

Ivan Kalik
Kalik Informatika ISP



Re: EAP-TLS problem

2007-06-06 Thread A . L . M . Buxey
Hi,

> I have created certificates using openssl and the scripts provided at
> http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html
> I have created a root.der (this is a self-signed certificate) file and clt.pem and
> am using them with wpa_supplicant.

download the latest CVS version - eg 2.0pre-2 as this will do that work for you

> even when my server starts it shows default eap type = md5 while I have set
> it to be TLS in my eap.conf file..
> apart from that,
> the problem is when I start my server and client, the server is showing this output:

misconfigured. check all your configs to see why md5 is being used.

alan


Re: EAP-TLS problem

2007-06-06 Thread shantanu choudhary
hi all,
thanks for the support,
I have created certificates using openssl and the scripts provided at
http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html
I have created a root.der (this is a self-signed certificate) file and clt.pem and
am using them with wpa_supplicant.

even when my server starts it shows default eap type = md5 while I have set
it to be TLS in my eap.conf file..
apart from that,
the problem is when I start my server and client, the server is showing this output:

rad_recv: Access-Request packet from host 192.168.2.183:1026, id=2, length=177
Ignoring request from unknown client 192.168.2.183:1026
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1026, id=3, length=177
Ignoring request from unknown client 192.168.2.183:1026
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1026, id=3, length=177
Ignoring request from unknown client 192.168.2.183:1026
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1027, id=0, length=177
Ignoring request from unknown client 192.168.2.183:1027
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1027, id=0, length=177
Ignoring request from unknown client 192.168.2.183:1027
--- Walking the entire request list ---

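Ivan's diagnosis above, a mistyped address in clients.conf, is quick to confirm mechanically. The following is an added example, not FreeRADIUS code: it counts the `Ignoring request from unknown client` lines in `radiusd -X` output, parses the `client { }` blocks of a clients.conf (FreeRADIUS 2.x syntax), and for each rejected source says whether it is covered by a client block and, if not, whether a block exists in the same /24 that looks like a typo. The log lines are the ones posted above; the clients.conf text is constructed for the demo and deliberately contains `192.168.2.138` (digits transposed) so that the mistyped-address case shows up.

```python
"""Match 'Ignoring request from unknown client' lines from radiusd -X against clients.conf.

Added example, not FreeRADIUS code.  SAMPLE_LOG is the output posted above;
SAMPLE_CLIENTS_CONF is constructed for the demo and deliberately has the
address digits transposed (192.168.2.138 instead of .183).
"""
import ipaddress
import re
from collections import Counter

SAMPLE_LOG = """
rad_recv: Access-Request packet from host 192.168.2.183:1026, id=2, length=177
Ignoring request from unknown client 192.168.2.183:1026
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1026, id=3, length=177
Ignoring request from unknown client 192.168.2.183:1026
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1026, id=3, length=177
Ignoring request from unknown client 192.168.2.183:1026
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1027, id=0, length=177
Ignoring request from unknown client 192.168.2.183:1027
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.2.183:1027, id=0, length=177
Ignoring request from unknown client 192.168.2.183:1027
--- Walking the entire request list ---
"""

# Constructed clients.conf (FreeRADIUS 2.x syntax); the secrets are placeholders.
SAMPLE_CLIENTS_CONF = """
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123
}
client 192.168.2.138 {
    secret = PLACEHOLDER-SECRET
    shortname = ap-typo
}
client wifi-lan {
    ipaddr = 10.20.0.0
    netmask = 16
    secret = PLACEHOLDER-SECRET
}
"""

UNKNOWN_RE = re.compile(r"Ignoring request from unknown client (\d+\.\d+\.\d+\.\d+):(\d+)")
CLIENT_RE = re.compile(r"client\s+(\S+)\s*\{(.*?)\}", re.S)
KV_RE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)", re.M)


def parse_clients_conf(text):
    """Return {shortname: ip_network}; the block label doubles as the address when ipaddr is absent."""
    networks = {}
    for label, body in CLIENT_RE.findall(text):
        kv = dict(KV_RE.findall(body))
        addr, prefix = kv.get("ipaddr", label), kv.get("netmask", "32")
        networks[kv.get("shortname", label)] = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return networks


def unknown_clients(log_text):
    """Dropped Access-Requests per source IP (the port varies; clients.conf matches on address)."""
    return Counter(ip for ip, _port in UNKNOWN_RE.findall(log_text))


def diagnose(log_text, clients_conf_text):
    """One report entry per rejected source, most frequent first."""
    networks = parse_clients_conf(clients_conf_text)
    report = []
    for ip, count in unknown_clients(log_text).most_common():
        addr = ipaddress.ip_address(ip)
        covered = [name for name, net in networks.items() if addr in net]
        same_24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        near = [name for name, net in networks.items()
                if name not in covered and net.network_address in same_24]
        if covered:
            verdict = "covered by clients.conf; the running radiusd is not using this file (restart/reload it)"
        elif near:
            verdict = f"no client entry; {', '.join(near)} sits in the same /24 and looks mistyped"
        else:
            verdict = "no client entry in this subnet; add one, or treat the sender as an unexpected NAS"
        report.append({"ip": ip, "requests": count, "covered_by": covered,
                       "same_subnet_clients": near, "verdict": verdict})
    return report


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_LOG, SAMPLE_CLIENTS_CONF):
        print(f"{entry['ip']}: {entry['requests']} request(s) dropped - {entry['verdict']}")
```

The third verdict is the one worth keeping an eye on in production: a source that keeps sending Access-Requests from a subnet with no client entry at all is either a NAS nobody registered or something that should not be talking to the RADIUS server, and the per-source counts make that easy to spot.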

RE: EAP-TLS problem

2007-06-06 Thread Wolfgang Burger
On Tue, 5 Jun 2007 17:37:23 +0100 (BST) shantanu choudhary
<[EMAIL PROTECTED]> wrote:
> If you know really good online help
>available please let me know

Try
http://homepage.mac.com/andreaswolf/public/wpaeap.html

It won't make you understand certificates. But it allows you to set up
a running solution.
From there, it's easier to figure out what you have actually done with
all those scripts.

Regards
  Wolfgang Burger



Re: EAP-TLS problem

2007-06-05 Thread deepak kumar

hi shantunu
see my comments below..

On 6/5/07, shantanu choudhary <[EMAIL PROTECTED]> wrote:

> hi all,
> I'm trying to get EAP-TLS working for free radius, but I'm not able to
> figure out how to handle all those certificates.

You need one CA, one server certificate and one client certificate; both
certificates must be signed by the same CA.

> Can you tell me how you are using those certificates, and are you using openssl for
> generating those certificates, and do I need to run openssl explicitly along
> with the radius server to check client certificates,

I have used openssl to generate certificates,
and you need not run openssl with the radius server after you have prepared all
the certificates.
All you need to do is to configure the eap.conf file accordingly.

> and how to transfer those certificates to the client. There is a lot of help
> available and I tried a few with some unsuccessful attempts. If you know really
> good online help available please let me know...

Copy the CA and client certificate onto the client machine.
There are a lot of tutorials on the net for this.
I used the one given in Linux Journal.

-deepak

> regards
>
> shantanu


EAP-TLS problem

2007-06-05 Thread shantanu choudhary
hi all,
I'm trying to get EAP-TLS working for FreeRADIUS, but I'm not able to figure
out how to handle all those certificates. Can you tell me how you are using those
certificates, are you using openssl for generating those certificates, and do I
need to run openssl explicitly along with the radius server to check client
certificates? And how to transfer those certificates to the client? There is a lot
of help available and I tried a few with some unsuccessful attempts. If you know
really good online help available please let me know...

 regards
 shantanu


   

Re: Eap-Tls Problem

2006-08-25 Thread Matteo Lazzarini

K. Hoercher wrote:

> Hi,
>
> so Matteo is trying to setup wireless 8021x auth with freeradius.
> Eventually most of the information happened to end in -devel, where I
> asked him to stop mailing to, because I'm quite convinced that his
> problems don't belong there.
>
> That said, "dpkg -s freeradius openssl" should give you the
> information you are seeking, which looks quite irrelevant to the
> problem at hand.
>
> In short, after the information you gave, I strongly suspect the XP
> supplicant not responding to Challenges due to still improper OIDs in
> your certs. Please make double sure your windows cert store or however
> it is called contains the rootCA and your certificate properly, and
> those get into consideration when you test your wireless setup.
> Exporting them from cert store and attaching them (provided they are
> for test purposes and don't contain real crypto secrets) would be my
> suggestion.
> Something along this line should apply to your /etc/X1/jagger.pem.
>
> ah and yes, just the default users file would suffice.
>
> regards
> K. Hoercher



I do not succeed in finding a solution to my problem.
I have verified by exporting the certs stored in the client.
They are the same as the originals.
How can I generate certs that are sure to work for my case?
Must I install the appropriate libraries?
The XP supplicant could be giving the problems... (SP2)
Would I have to use a different one?
Any ideas/help?

Matteo


Re: Eap-Tls Problem

2006-08-23 Thread Matteo Lazzarini

K. Hoercher wrote:

> Hi,
>
> so Matteo is trying to setup wireless 8021x auth with freeradius.
> Eventually most of the information happened to end in -devel, where I
> asked him to stop mailing to, because I'm quite convinced that his
> problems don't belong there.
>
> That said, "dpkg -s freeradius openssl" should give you the
> information you are seeking, which looks quite irrelevant to the
> problem at hand.
>
> In short, after the information you gave, I strongly suspect the XP
> supplicant not responding to Challenges due to still improper OIDs in
> your certs. Please make double sure your windows cert store or however
> it is called contains the rootCA and your certificate properly, and
> those get into consideration when you test your wireless setup.
> Exporting them from cert store and attaching them (provided they are
> for test purposes and don't contain real crypto secrets) would be my
> suggestion.
> Something along this line should apply to your /etc/X1/jagger.pem.
>
> ah and yes, just the default users file would suffice.
>
> regards
> K. Hoercher


I have not understood your suggestion. But how can I be sure that the 
certs are correct for TLS?

Excuse me, but I have only been using freeradius for a short while.
If I use the CA.all script that I find in the scripts directory I obtain 
the same type of certs that I use now!

What is the cause of this problem?
I do not want to give up!
Tomorrow I will also do the tests with PEAP and see with a sniffer what 
comes out from the client when I send my access-request...

Thanks


Re: Eap-Tls Problem

2006-08-23 Thread K. Hoercher

Hi,

so Matteo is trying to setup wireless 8021x auth with freeradius.
Eventually most of the information happened to end in -devel, where I
asked him to stop mailing to, because I'm quite convinced that his
problems don't belong there.

That said, "dpkg -s freeradius openssl" should give you the
information you are seeking, which looks quite irrelevant to the
problem at hand.

In short, after the information you gave, I strongly suspect the XP
supplicant not responding to Challenges due to still improper OIDs in
your certs. Please make double sure your windows cert store or however
it is called contains the rootCA and your certificate properly, and
those get into consideration when you test your wireless setup.
Exporting them from cert store and attaching them (provided they are
for test purposes and don't contain real crypto secrets) would be my
suggestion.
Something along this line should apply to your /etc/X1/jagger.pem.

ah and yes, just the default users file would suffice.

regards
K. Hoercher


Eap-Tls Problem

2006-08-23 Thread Matteo Lazzarini


I have installed the latest available version of Freeradius (1.1.2, which
seems to work!), but I know that there is also an August SNAPSHOT version;
that one gave me problems compiling and did not install the EAP-TLS module
for me (Debian bug).
I installed the libs with the command apt-get install openssl libssl-dev,
and this is the output of dpkg -l|grep SSL

ii  libflac++5c2         1.1.2-1ubuntu2        Free Lossless Audio Codec - C++ runtime libr
ii  libflac7             1.1.2-1ubuntu2        Free Lossless Audio Codec - runtime C librar
ii  liboggflac3          1.1.2-1ubuntu2        Free Lossless Audio Codec - runtime C librar
ii  libssl-dev           0.9.7g-1ubuntu1.1     SSL development libraries, header files and
ii  libssl0.9.7          0.9.7g-1ubuntu1.1     SSL shared libraries
ii  libwww-ssl0          5.4.0-9ubuntu0.5.10   The W3C-WWW library (SSL support)
ii  openssl              0.9.7g-1ubuntu1.1     Secure Socket Layer (SSL) binary and related
ii  python-pyopenssl     0.6-2ubuntu1          Python wrapper around the OpenSSL library (d
ii  python2.4-pyopenssl  0.6-2ubuntu1          Python wrapper around the OpenSSL library, e
ii  ssl-cert             1.0-11                Simple debconf wrapper for openssl

On the OpenSSL site many versions can be downloaded: 0.9.7a-x, 0.9.8a-x, etc.
Which is the correct version?
Does someone know, and can give me information about, the matching
freeradius-version & OpenSSL-version pair?

anticipated thanks

Matteo




Eap-Tls Problem

2006-08-21 Thread Matteo Lazzarini
Hello, I'm a new user, and I'm trying to set up an Eap-Tls authentication 
using freeradius 1.1.2.

My system is debian stable.

I installed freeradius 1.1.2 (./configure, make, make install) and 
libssl-dev (apt-get install libssl-dev) like here:

http://web.archive.org/web/20031206113912/http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm#3
http://www.alphacore.net/spip/article.php3?id_article=33

When I turn on freeradius I can see this:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = yes
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/jagger.pem"
tls: certificate_file = "/etc/1x/jagger.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/etc/1x/dh"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default 

Re: Eap/TLS Problem !!

2006-06-20 Thread Stefan Winter
Hi!

> However Stefan, on this list, suggested that I use the SecureW2 supplicant and
> all my problems disappeared.
> See my post at the beginning of the month.

While that's the best thing to do, there may be people forced to go with the 
built-in supplicant and who have to care about the certificate extensions 
required by MSFT. For TLS, things are even a little worse than for TTLS, 
since also the client certificate needs to have an OID extension in place. 

There's a documentation on server and client OIDs on the FreeRADIUS website, 
see

http://www.freeradius.org/doc/EAPTLS.pdf

The OIDs are mentioned in chapter 10 (examples on cert generation earlier in 
the document); the server OID is the same for TTLS.

Greetings,

Stefan Winter

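The server and client OID extensions Stefan describes above, as an added example that is not code from this thread or from FreeRADIUS: a POSIX shell script that builds a throwaway CA, then a server certificate with the serverAuth EKU, a client certificate with the clientAuth EKU and one with no EKU at all, and checks each for the extension its role needs. It assumes the openssl CLI is on PATH; all subjects, file names and the PKCS#12 password are constructed throwaway values.

```shell
#!/bin/sh
# Added example, not code from any post in this thread.
# Builds a throwaway CA, then a server cert carrying the serverAuth EKU
# (OID 1.3.6.1.5.5.7.3.1), a client cert carrying the clientAuth EKU
# (OID 1.3.6.1.5.5.7.3.2), and a third cert with no EKU at all, and
# checks which of them are acceptable for EAP-TLS on each side.
# Assumes: the openssl CLI is on PATH. All names, subjects and the
# PKCS#12 password are constructed throwaway values.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config: [req] for the self-signed CA, plus the three end-entity
# extension profiles used when signing the CSRs below.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[ dn ]
CN = Example Test CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ noeku_ext ]
basicConstraints = CA:FALSE
EOF

# One CA; both end-entity certs are signed by it.
openssl req -x509 -config ext.cnf -newkey rsa:2048 -nodes -days 1 \
  -keyout ca.key -out ca.pem 2>/dev/null

# issue NAME SUBJECT PROFILE: fresh key + CSR, signed by the CA with PROFILE.
issue() {
  openssl req -new -config ext.cnf -subj "$2" -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}

issue server "/CN=radius.example.test" server_ext
issue client "/CN=alice" client_ext
issue noeku  "/CN=bob" noeku_ext    # what a profile without any EKU yields

# has_eku CERT PURPOSE: 0 iff the cert carries an EKU extension listing
# PURPOSE ("TLS Web Server Authentication" or "TLS Web Client Authentication").
# This presence check is what the Windows supplicant effectively demands.
has_eku() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'X509v3 Extended Key Usage' | grep -q "$2"
}

# chain_ok CERT sslserver|sslclient: 0 iff the cert chains to ca.pem AND
# its EKU (when present) permits that purpose. A cert with no EKU passes
# for both purposes, which is why has_eku is a separate check.
chain_ok() {
  openssl verify -CAfile ca.pem -purpose "$2" "$1" >/dev/null 2>&1
}

# Bundle for the client side: private key, client cert and the CA cert,
# the form most supplicant cert stores import.
openssl pkcs12 -export -inkey client.key -in client.pem -certfile ca.pem \
  -passout pass:changeit -out client.p12 2>/dev/null

for c in server client noeku; do
  has_eku "$c.pem" 'TLS Web Server Authentication' && s=yes || s=no
  has_eku "$c.pem" 'TLS Web Client Authentication' && l=yes || l=no
  chain_ok "$c.pem" sslclient && v=ok || v=rejected
  echo "$c.pem: serverAuth=$s clientAuth=$l verify(sslclient)=$v"
done
```

Note that noeku.pem passes openssl verify for both purposes yet has no EKU, which is exactly the cert that a strict supplicant silently refuses.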

Re: Eap/TLS Problem !!

2006-06-20 Thread Alessandro Agostini

Emerson wrote:

> Dear Freeradius users,
>
> ...
>
> Can anyone help me? I need this Radius Server working. Thanks to
> all..
>
> Emerson


I saw your log. It seems an error similar to mine.
In my case, with a 3Com AP, it was a problem with my certificate on the radius 
server, and also a problem with some extension Microsoft needed for the auth 
step, which was missing from my certificate.
However Stefan, on this list, suggested that I use the SecureW2 supplicant and 
all my problems disappeared.

See my post at the beginning of the month.

Alessandro



Eap/TLS Problem !!

2006-06-20 Thread Emerson

Dear Freeradius users,

For a couple of days I have had a problem with my radius server: I cannot 
authenticate clients.

Freeradius 1.1.1 with Eap/TLS + MYSQL running in slack 10.1
My radius client is a wl5460-AP and I use a PCI wireless card to auth in the AP 
linked to my radius.

But now my PCI wireless card links to the AP, but nothing passes through; "ping" 
does not work for any local host.

I tried to execute freeradius in debug mode (radiusd -X); it only shows 
these messages in a loop.

I cannot understand these errors.

Can anyone help me? I need this Radius Server working. Thanks to 
all..

Emerson

rlm_eap: EAP Identity
 rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns handled for request 75
modcall: leaving group authenticate (returns handled) for request 75
Sending Access-Challenge of id 174 to 10.254.0.254 port 2053
   Framed-Compression := Van-Jacobson-TCP-IP
   Framed-Protocol := PPP
   Service-Type := Framed-User
   Framed-MTU := 1500
   EAP-Message = 0x014c00060d20
   Message-Authenticator = 0x
   State = 0xbdef72a1d8e3188e972218ab20f569f1
Finished request 75
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 74 ID 173 with timestamp 4497f091
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.254.0.254:2053, id=175, length=191
   User-Name = "usuario1"
   NAS-IP-Address = 10.254.0.254
   NAS-Port = 0
   Called-Station-Id = "004f62087474"
   Calling-Station-Id = "0014a53c478d"
   NAS-Identifier = "Realtek Access Point. 8181"
   Framed-MTU = 1400
   NAS-Port-Type = Wireless-802.11
   Service-Type = Framed-User
   Connect-Info = "CONNECT 11Mbps 802.11b"
   EAP-Message = 0x024c000d017573756172696f31
   State = 0xbdef72a1d8e3188e972218ab20f569f1
   Message-Authenticator = 0x75c255ea144b5d1a2864236a85e01e83
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 76
 modcall[authorize]: module "preprocess" returns ok for request 76
 rlm_eap: EAP packet type response id 76 length 13
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 76
radius_xlat:  'usuario1'
rlm_sql (sql): sql_set_user escaped user --> 'usuario1'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radcheck   WHERE Username = 'usuario1'   ORDER BY id'

rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT 
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'usuario1' AND 
usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op   FROM 
radreply   WHERE Username = 'usuario1'   ORDER BY id'
radius_xlat:  'SELECT 
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  
FROM radgroupreply,usergroup WHERE usergroup.Username = 'usuario1' AND 
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'

rlm_sql (sql): Released sql socket id: 3
 modcall[authorize]: module "sql" returns ok for request 76
modcall: leaving group authorize (returns updated) for request 76
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 76
 rlm_eap: EAP Identity
 rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns handled for request 76
modcall: leaving group authenticate (returns handled) for request 76
Sending Access-Challenge of id 175 to 10.254.0.254 port 2053
   Framed-Compression := Van-Jacobson-TCP-IP
   Framed-Protocol := PPP
   Service-Type := Framed-User
   Framed-MTU := 1500
   EAP-Message = 0x014d00060d20
   Message-Authenticator = 0x
   State = 0x8576b5091495b6b611506711da5f4530
Finished request 76
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 75 ID 174 with timestamp 4497f096
Waking up in 5 seconds...



Re: EAP-TLS problem with Intel PROSet 7.1.4.4

2005-11-29 Thread Alan DeKok
Michelle Lin <[EMAIL PROTECTED]> wrote:
> However, the same certificate doesn't work with an
> older NIC card/NIC software on a different laptop.

  It's a software problem.  The supplicant is broken.

  Alan DeKok.


EAP-TLS problem with Intel PROSet 7.1.4.4

2005-11-28 Thread Michelle Lin
Hi Experts,

I'm new to FreeRadius server. The version I installed
on my Linux box (RedHat 9.0) is 1.0.5.

I configured this FreeRadius server using EAP_TLS. And
the server works fine with following hardware/software
setup:

NIC card (built in): Intel(R)PRO/Wireless 2200BG
Network Connection
NIC software: Intel PROSet/Wireless, version 9.0.3.0
AP: DLink wireless router DI-624
Client System: Windows XP

However, the same certificate doesn't work with an
older NIC card/NIC software on a different laptop.
Here is the info about NIC card and NIC software. This
laptop also runs Windows XP.

NIC card (built in): Intel (R) PRO/Wireless LAN 2100
3A Mini PCI Adapter
NIC software: Intel PROSet, version 7.1.4.4

I got following failure notification after trying to
connect to the AP:
802.1x Authentication has failed due to a Challenge
Failure. This may have happened because of wrong user
credentials.

Same certificate works fine with my first laptop.

The debugging trace from FreeRADIUS server is in the
attached file.

Thanks a lot in advance for your help...

- michelle








RE: EAP/TLS Problem

2005-07-20 Thread Thomas Tinsley
 
Hamid,

> I have set up all components and I am getting following 
> message. any help will be appreciated. 
> 
> using openssl
>  fedora core 3
> radius latest release
> 
Q:  Was the fedora installation originally using the freeradius-1.0.2.rpm
package?  If so, then the /etc/init.d/radiusd script will need to be updated
with the proper binary and library directories.  This can easily be done by
the following command:  
$ cp /usr/local/sbin/rc.radiusd /etc/init.d/radiusd
***NOTE:  be certain the radiusd process is stopped prior to updating the
init.d script.

The RPM package installation passes different paths to radiusd on startup
and this would explain the "No such file or directory" error.  I ran into
this problem recently on fedora core 4.

> 
> Module: Loaded eap
>  eap: default_eap_type = "tls"
>  eap: timer_expire = 60
>  eap: ignore_unknown_eap_types = no
>  eap: cisco_accounting_username_bug = no
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot 
> open shared object file: No such file or directory
> radiusd.conf[9]: eap: Module instantiation failed.
> 


Tom Tinsley



EAP/TLS Problem

2005-07-20 Thread Hamid Salim
I have set up all components and I am getting following message. any 
help will be appreciated. 

using openssl
 fedora core 3
radius latest release


Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.



RE: EAP/TLS Problem

2004-12-13 Thread Mathias Röhl
On Mon, 13.12.2004 at 17:27, Guy Davies wrote:
> Hi Mathias,
> 
Hi Guy
> Yep, build from source and configure with the --disable-shared option.
> 
OK, thanks. But in my mind, is this the only option I need? Nothing more
to do? e.g. linking the openssl lib

regards

[EMAIL PROTECTED]





RE: EAP/TLS Problem

2004-12-13 Thread Guy Davies
Hi Mathias,

Yep, build from source and configure with the --disable-shared option.

Regards,

Guy

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On 
> Behalf Of Mathias Röhl
> Sent: 13 December 2004 16:13
> To: [EMAIL PROTECTED]
> Subject: EAP/TLS Problem
> 
> 
> Hi
> 
> I tried FR now with EAP/TLS but after starting with -X -A the 
> output is 
> 
> rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot 
> open shared object file: No such file or directory
> radiusd.conf[9]: eap: Module instantiation failed.
> 
> I installed the debian package for openssl and also 
> freeradius with mysql and ldap.
> freeradius:/usr/tmp# dpkg -l|grep freeradius
> ii  freeradius      1.0.1-1   a high-performance and highly configurable R
> ii  freeradius-dia  1.0.1-1   set of PHP scripts for administering a FreeR
> ii  freeradius-lda  1.0.1-1   LDAP module for FreeRADIUS server
> ii  freeradius-mys  1.0.1-1   MySQL module for FreeRADIUS server
> 
> I wanna use the FR to authenticate a wireless client (ibook 
> with MACOSX), the NAS is a simple Accesspoint from a german vendor.
> 
> How can i fix the rlm_eap_tls.so problem, there is no one 
> file with this name at my system. Is it better to build all 
> this from source ?
> 
> thx in advance
> 
>   [EMAIL PROTECTED]
> 
> 


EAP/TLS Problem

2004-12-13 Thread Mathias Röhl
Hi

I tried FR now with EAP/TLS but after starting with -X -A the output is 

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared
object file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed.

I installed the debian package for openssl and also freeradius with
mysql and ldap.
freeradius:/usr/tmp# dpkg -l|grep freeradius
ii  freeradius      1.0.1-1   a high-performance and highly configurable R
ii  freeradius-dia  1.0.1-1   set of PHP scripts for administering a FreeR
ii  freeradius-lda  1.0.1-1   LDAP module for FreeRADIUS server
ii  freeradius-mys  1.0.1-1   MySQL module for FreeRADIUS server

I want to use FR to authenticate a wireless client (iBook with
MACOSX); the NAS is a simple access point from a German vendor.

How can I fix the rlm_eap_tls.so problem? There is no file with this
name on my system. Is it better to build all this from source?

thx in advance

[EMAIL PROTECTED]




Re: EAP-TLS problem

2004-08-17 Thread Ester URUEÑA
Hello Mohammed,
I've followed all your tips and it didn't work. Thank you anyway!!
But I've finally got FreeRADIUS working by adding the --disable-shared flag
to the ./configure. Now it works but I'm not sure that I understand
why it does...

- Original Message -
From: "Mohammed Petiwala" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, August 05, 2004 4:56 PM
Subject: Re: EAP-TLS problem


> hi ester:
> we use freeradius.1.0.0-pre3 for our internal testing
> and i haven't seen this problem.
> but i've seen similar problems in prior release. some
> pointers that COULD help (try it out what's the
> harm!!)
> 1. do a 'make distclean' and then reconfigure with the
> prefix you use openssl lib and include paths
> specified.
> 2. Turn off experimental modules during build if you
> have them on
> 3. Check to see that the CN in the cert doesn't have
> spaces (not sure if this was resolved in -pre3 but was
> an issue in earlier versions of freeRADIUS).
> hope this helps.
>
> regards,
> mohammed.
>
>
> Mohammed H. Petiwala
> Senior Staff Engineer,
> Motorola Inc.
> iDEN-Wireless LAN,
> Work: 1 (847) 538-7710
> Cell: 1 (847) 652-0127
>
>
>
> --- Ester Urueña <[EMAIL PROTECTED]> wrote:
>
> > --with-openssl-libraries=/home/uruena/monopenssl/lib
> >  (the lib and include directories of my OpenSSL
> > 0.9.7
> > version)
> >
> > I also use the definition of the following
> > environment
> > variables inside the wrapper of radiusd:
> > LD_LIBRARY_PATH=/home/uruena/monopenssl/lib
> > LD_RUN_PATH=/home/uruena/monopenssl/lib:
> > LD_PRELOAD=/home/uruena/monopenssl/lib/libcrypto.so
> >
> > And the problem is still the same, FreeRADIUS stops
> > at
> > the same point with the same message:
> >
> > modcall: entering group authenticate for request 1
> >   rlm_eap: Request found, released from the list
> >   rlm_eap: EAP/tls
> >   rlm_eap: processing type tls
> >   rlm_eap_tls: Authenticate
> >   rlm_eap_tls: processing TLS
> > rlm_eap_tls:  Length Included
> >   eaptls_verify returned 11
> > (other): before/accept initialization
> > TLS_accept: before/accept initialization
> > TLS_accept: SSLv3 read client hello A
> > TLS_accept: SSLv3 write server hello A
> > ./run-radius: line 9:  1537 Segmentation fault
> > /home/uruena/monradius/sbin/radiusd $@
> >
> > Could you please help me?
> > Thanks in advance!
> > ester
> >
> >
> >
> >


Re: EAP-TLS problem

2004-08-05 Thread Ester Urueña
> > - Original Message -
> > From: Ester URUEÑA <[EMAIL PROTECTED]>
> > Date: Mon, 2 Aug 2004 23:21:40 +0200
> > Subject: Re: EAP-TLS problem
> > To: [EMAIL PROTECTED]
> > 
> > 
> > > I am trying to authenticate Windows XP clients
> > (using
> > > EAP-TLS) through a Lucent WavePoint-II AP with
> > > freeradius (the third pre-release of version
> > 1.0.0) in
> > > a Linux Red Hat machine. The version of
> > > the openssl I am using is 0.9.7d.
> > 
> >   You've probably got two different versions of
> > OpenSSL on your
> > machine.  You've compiled FreeRADIUS against one,
> > but at run-time,
> > it's using another.  Because the internal data
> > structures in OpenSSL
> > don't match, it dies.
> > 
> >   Ensure you're using ONE version of OpenSSL.  See
> > the "./configure" flags.
> > 
> >   Alan DeKok.
> > 

As I said in a previous mail, I have two versions of
OpenSSL, but I've used the ./configure flags to point
to the latest version:
./configure --prefix=/home/uruena/monradius \
  --with-openssl-includes=/home/uruena/monopenssl/include \
  --with-openssl-libraries=/home/uruena/monopenssl/lib
(the lib and include directories of my OpenSSL 0.9.7
version)

I also use the definition of the following environment
variables inside the wrapper of radiusd:
LD_LIBRARY_PATH=/home/uruena/monopenssl/lib
LD_RUN_PATH=/home/uruena/monopenssl/lib:
LD_PRELOAD=/home/uruena/monopenssl/lib/libcrypto.so

And the problem is still the same, FreeRADIUS stops at
the same point with the same message:

modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
(other): before/accept initialization 
TLS_accept: before/accept initialization 
TLS_accept: SSLv3 read client hello A 
TLS_accept: SSLv3 write server hello A 
./run-radius: line 9:  1537 Segmentation fault 
/home/uruena/monradius/sbin/radiusd $@

Could you please help me?
Thanks in advance!
ester






Re: EAP-TLS problem

2004-08-05 Thread Mohammed Petiwala
hi ester:
we use freeradius.1.0.0-pre3 for our internal testing
and i haven't seen this problem.
but i've seen similar problems in prior release. some
pointers that COULD help (try it out what's the
harm!!)
1. do a 'make distclean' and then reconfigure with the
prefix you use openssl lib and include paths
specified.
2. Turn off experimental modules during build if you
have them on
3. Check to see that the CN in the cert doesn't have
spaces (not sure if this was resolved in -pre3 but was
an issue in earlier versions of freeRADIUS).
hope this helps.

regards,
mohammed.


Mohammed H. Petiwala
Senior Staff Engineer,
Motorola Inc.
iDEN-Wireless LAN,
Work: 1 (847) 538-7710
Cell: 1 (847) 652-0127



--- Ester Urueña <[EMAIL PROTECTED]> wrote:

> --with-openssl-libraries=/home/uruena/monopenssl/lib
>  (the lib and include directories of my OpenSSL
> 0.9.7
> version)
> 
> I also use the definition of the following
> environment
> variables inside the wrapper of radiusd:
> LD_LIBRARY_PATH=/home/uruena/monopenssl/lib
> LD_RUN_PATH=/home/uruena/monopenssl/lib:
> LD_PRELOAD=/home/uruena/monopenssl/lib/libcrypto.so
> 
> And the problem is still the same, FreeRADIUS stops
> at
> the same point with the same message:
> 
> modcall: entering group authenticate for request 1
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/tls
>   rlm_eap: processing type tls
>   rlm_eap_tls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls:  Length Included
>   eaptls_verify returned 11 
> (other): before/accept initialization 
> TLS_accept: before/accept initialization 
> TLS_accept: SSLv3 read client hello A 
> TLS_accept: SSLv3 write server hello A 
> ./run-radius: line 9:  1537 Segmentation fault 
> /home/uruena/monradius/sbin/radiusd $@
> 
> Could you please help me?
> Thanks in advance!
> ester
> 
> 
> 
> 




Re: EAP-TLS problem

2004-08-04 Thread Ester Urueña
Hello,
I'm new to the Linux world, and I don't know if my problem
is related to running FreeRADIUS with only user
permissions.
Any advice?

--- Ester Urueña <[EMAIL PROTECTED]> wrote:
> --- Nick Hall <[EMAIL PROTECTED]> wrote:
> > Does freeradius run as a user with permissions to
> > /home/uruena/ ?
> > 
> > 
> 
> I run it as a user from
> /home/uruena/downloadrad/monradius/sbin/
> 
> 
> 
> > - Original Message -
> > From: Ester URUEÑA <[EMAIL PROTECTED]>
> > Date: Mon, 2 Aug 2004 23:21:40 +0200
> > Subject: Re: EAP-TLS problem
> > To: [EMAIL PROTECTED]
> > 
> > 
> >  
> > 
> > 
> > > I am trying to authenticate Windows XP clients (using
> > > EAP-TLS) through a Lucent WavePoint-II AP with
> > > freeradius (the third pre-release of version 1.0.0) in
> > > a Linux Red Hat machine. The version of
> > > the openssl I am using is 0.9.7d.
> > 
> >   You've probably got two different versions of OpenSSL on your
> > machine.  You've compiled FreeRADIUS against one, but at run-time,
> > it's using another.  Because the internal data structures in OpenSSL
> > don't match, it dies.
> > 
> >   Ensure you're using ONE version of OpenSSL.  See
> > the "./configure" flags.
> > 
> >   Alan DeKok.
> > 
> > Yes, I've got two versions of OpenSSL on my machine:
> > an old version (0.9.6b) and a new one, installed to
> > be used by
> > FreeRADIUS (0.9.7d).
> > 
> > OpenSSL 0.9.7d was compiled with:
> > ./config shared --prefix=/home/uruena/dwnld_openssl/monssl
> > 
> > For FreeRADIUS I've run ./configure with these
> > options:
> > --with-openssl-includes=/home/uruena/dwnld_openssl/monssl/include
> > --with-openssl-libraries=/home/uruena/dwnld_openssl/monssl/lib
> > (the lib and include directories of my OpenSSL 0.9.7
> > version)
> > 
> > I see in the config.log file:
> > configure:7077: checking for OpenSSL version >=
> > 0.9.7
> > (so it really takes into account my new version of
> > OpenSSL and not the old one)
> > 
> > My certificates were created with the 0.9.7
> version.
> > And finally, I run freeradius with the following
> > definition of
> > environment variables inside a script:
> > LD_LIBRARY_PATH=/home/uruena/monopenssl/lib
> > 
> > If I define
> > LD_PRELOAD=/home/uruena/monopenssl/lib/lybcrypto.so
> > when I run my script I have an error:
> > error while loading shared libraries:
> > /home/uruena/monopenssl/lib/lybcrypto.so: cannot
> > open shared object
> > file: No such file or directory
> > Maybe this is the problem, isn't it?
> > 
> > If it is really the problem I don't know how to
> > solve it, because
> > /home/uruena/monopenssl/lib/lybcrypto.so exists (and
> > points to
> > libcrypto.so.0 that points to libcrypto.so.0.9.7).
> > Could somebody help me, please?
> > 
> > Thank you!
> > 
> >  






Re: EAP-TLS problem

2004-08-03 Thread Ester Urueña
--- Nick Hall <[EMAIL PROTECTED]> wrote:
> Does freeradius run as a user with permissions to
> /home/uruena/ ?
> 
> 

I run it as a user from
/home/uruena/downloadrad/monradius/sbin/



> - Original Message -
> From: Ester URUEÑA <[EMAIL PROTECTED]>
> Date: Mon, 2 Aug 2004 23:21:40 +0200
> Subject: Re: EAP-TLS problem
> To: [EMAIL PROTECTED]
> 
> 
>  
> 
> 
> > I am trying to authenticate Windows XP clients (using
> > EAP-TLS) through a Lucent WavePoint-II AP with
> > freeradius (the third pre-release of version 1.0.0) in
> > a Linux Red Hat machine. The version of
> > the openssl I am using is 0.9.7d.
> 
>   You've probably got two different versions of OpenSSL on your
> machine.  You've compiled FreeRADIUS against one, but at run-time,
> it's using another.  Because the internal data structures in OpenSSL
> don't match, it dies.
> 
>   Ensure you're using ONE version of OpenSSL.  See
> the "./configure" flags.
> 
>   Alan DeKok.
> 
> Yes, I've got two versions of OpenSSL on my machine:
> an old version (0.9.6b) and a new one, installed to
> be used by
> FreeRADIUS (0.9.7d).
> 
> OpenSSL 0.9.7d was compiled with:
> ./config shared --prefix=/home/uruena/dwnld_openssl/monssl
> 
> For FreeRADIUS I've run ./configure with these
> options:
> --with-openssl-includes=/home/uruena/dwnld_openssl/monssl/include
> --with-openssl-libraries=/home/uruena/dwnld_openssl/monssl/lib
> (the lib and include directories of my OpenSSL 0.9.7
> version)
> 
> I see in the config.log file:
> configure:7077: checking for OpenSSL version >=
> 0.9.7
> (so it really takes into account my new version of
> OpenSSL and not the old one)
> 
> My certificates were created with the 0.9.7 version.
> And finally, I run freeradius with the following
> definition of
> environment variables inside a script:
> LD_LIBRARY_PATH=/home/uruena/monopenssl/lib
> 
> If I define
> LD_PRELOAD=/home/uruena/monopenssl/lib/lybcrypto.so
> when I run my script I have an error:
> error while loading shared libraries:
> /home/uruena/monopenssl/lib/lybcrypto.so: cannot
> open shared object
> file: No such file or directory
> Maybe this is the problem, isn't it?
> 
> If it is really the problem I don't know how to
> solve it, because
> /home/uruena/monopenssl/lib/lybcrypto.so exists (and
> points to
> libcrypto.so.0 that points to libcrypto.so.0.9.7).
> Could somebody help me, please?
> 
> Thank you!
> 
>  





Re: EAP-TLS problem

2004-08-02 Thread Nick Hall
Does freeradius run as a user with permissions to /home/uruena/ ?


- Original Message -
From: Ester URUEÑA <[EMAIL PROTECTED]>
Date: Mon, 2 Aug 2004 23:21:40 +0200
Subject: Re: EAP-TLS problem
To: [EMAIL PROTECTED]


 


> I am trying to authenticate Windows XP clients (using
> EAP-TLS) through a Lucent WavePoint-II AP with
> freeradius (the third pre-release of version 1.0.0) in
> a Linux Red Hat machine. The version of
> the openssl I am using is 0.9.7d.

  You've probably got two different versions of OpenSSL on your
machine.  You've compiled FreeRADIUS against one, but at run-time,
it's using another.  Because the internal data structures in OpenSSL
don't match, it dies.

  Ensure you're using ONE version of OpenSSL.  See the "./configure" flags.

  Alan DeKok.

 
Yes, I've got two versions of OpenSSL on my machine:
an old version (0.9.6b) and a new one, installed to be used by
FreeRADIUS (0.9.7d).

OpenSSL 0.9.7d was compiled with:
./config shared --prefix=/home/uruena/monopenssl

For FreeRADIUS I've run ./configure with these options:
--with-openssl-includes=/home/uruena/dwnld_openssl/monssl/include
--with-openssl-libraries=/home/uruena/dwnld_openssl/monssl/lib
(the lib and include directories of my OpenSSL 0.9.7 version)

I see in the config.log file:
configure:7077: checking for OpenSSL version >= 0.9.7
(so it really takes into account my new version of OpenSSL and not the old one)

My certificates were created with the 0.9.7 version.
And finally, I run freeradius with the following definition of
environment variables inside a script:
LD_LIBRARY_PATH=/home/uruena/monopenssl/lib

If I define
LD_PRELOAD=/home/uruena/monopenssl/lib/lybcrypto.so
when I run my script I have an error:
error while loading shared libraries:
/home/uruena/monopenssl/lib/lybcrypto.so: cannot open shared object
file: No such file or directory
Maybe this is the problem, isn't it?

If it is really the problem I don't know how to solve it, because
/home/uruena/monopenssl/lib/lybcrypto.so exists (and points to
libcrypto.so.0 that points to libcrypto.so.0.9.7).
Could somebody help me, please?

Thank you!



Re: EAP-TLS problem

2004-08-02 Thread Ester URUEÑA



 


> > I am trying to authenticate Windows XP clients (using
> > EAP-TLS) through a Lucent WavePoint-II AP with
> > freeradius (the third pre-release of version 1.0.0) in
> > a Linux Red Hat machine. The version of
> > the openssl I am using is 0.9.7d.
> 
>   You've probably got two different versions of OpenSSL on your
> machine.  You've compiled FreeRADIUS against one, but at run-time,
> it's using another.  Because the internal data structures in OpenSSL
> don't match, it dies.
> 
>   Ensure you're using ONE version of OpenSSL.  See the "./configure" flags.
> 
>   Alan DeKok.

Yes, I've got two versions of OpenSSL on my machine:
an old version (0.9.6b) and a new one, installed to be used by
FreeRADIUS (0.9.7d).

OpenSSL 0.9.7d was compiled with:
./config shared --prefix=/home/uruena/monopenssl

For FreeRADIUS I've run ./configure with these options:
--with-openssl-includes=/home/uruena/dwnld_openssl/monssl/include
--with-openssl-libraries=/home/uruena/dwnld_openssl/monssl/lib
(the lib and include directories of my OpenSSL 0.9.7 version)

I see in the config.log file:
configure:7077: checking for OpenSSL version >= 0.9.7
(so it really takes into account my new version of OpenSSL and not the old one)

My certificates were created with the 0.9.7 version.
And finally, I run freeradius with the following definition of
environment variables inside a script:
LD_LIBRARY_PATH=/home/uruena/monopenssl/lib

If I define
LD_PRELOAD=/home/uruena/monopenssl/lib/lybcrypto.so
when I run my script I have an error:
error while loading shared libraries:
/home/uruena/monopenssl/lib/lybcrypto.so: cannot open shared object
file: No such file or directory
Maybe this is the problem, isn't it?

If it is really the problem I don't know how to solve it, because
/home/uruena/monopenssl/lib/lybcrypto.so exists (and points to
libcrypto.so.0 that points to libcrypto.so.0.9.7).
Could somebody help me, please?

Thank you!


Re: EAP-TLS problem

2004-07-30 Thread Alan DeKok
Ester Urueña <[EMAIL PROTECTED]> wrote:
> I am trying to authenticate Windows XP clients (using
> EAP-TLS) through a Lucent WavePoint-II AP with
> freeradius (the third pre-release of version 1.0.0) in
> a Linux Red Hat machine. The version of
> the openssl I am using is 0.9.7d.

  You've probably got two different versions of OpenSSL on your
machine.  You've compiled FreeRADIUS against one, but at run-time,
it's using another.  Because the internal data structures in OpenSSL
don't match, it dies.

  Ensure you're using ONE version of OpenSSL.  See the "./configure" flags.

  Alan DeKok.
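Alan's diagnosis (FreeRADIUS compiled against one OpenSSL but loading another at run time) can be checked on the machine before rebuilding anything. The script below is an added example, not code from this thread or from FreeRADIUS: it parses `ldd` output for the radiusd binary, lists any libssl/libcrypto that resolves outside the directory passed to --with-openssl-libraries, and flags mixed version suffixes. The ldd lines it demonstrates on are constructed for the example; the /home/uruena/monopenssl/lib path is the one from the thread. Run ldd under the same LD_LIBRARY_PATH and LD_PRELOAD as the wrapper script, since those variables are what change the resolution.

```python
"""Check which OpenSSL shared objects a radiusd binary resolves at run time.

Added example for the thread above (not FreeRADIUS code).  It parses the
output of `ldd` and compares it with the lib directory passed to
./configure --with-openssl-libraries, which is exactly the mismatch
described in the thread: built against one OpenSSL, running against another.
"""
import os
import re
import subprocess
import sys

# One "=>" line of ldd output, e.g.
#   libcrypto.so.0.9.7 => /home/uruena/monopenssl/lib/libcrypto.so.0.9.7 (0x40100000)
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)")

# Constructed sample output (not captured from the thread): libssl comes from
# the private OpenSSL 0.9.7 build, but libcrypto still resolves to the
# distribution's 0.9.6 copy.
SAMPLE_LDD = """\
\tlibssl.so.0.9.7 => /home/uruena/monopenssl/lib/libssl.so.0.9.7 (0x40100000)
\tlibcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40200000)
\tlibc.so.6 => /lib/libc.so.6 (0x42000000)
\t/lib/ld-linux.so.2 (0x40000000)
"""


def parse_ldd(ldd_output):
    """Map each shared-object name to the path the dynamic loader chose."""
    resolved = {}
    for line in ldd_output.splitlines():
        match = LDD_LINE.match(line)
        if match:
            resolved[match.group(1)] = match.group(2)
    return resolved


def openssl_libs(resolved):
    """Keep only the two OpenSSL libraries FreeRADIUS links against."""
    return {name: path for name, path in resolved.items()
            if name.startswith(("libssl.so", "libcrypto.so"))}


def openssl_versions(ldd_output):
    """Version suffixes seen on libssl/libcrypto; more than one means a mix."""
    return {name.split(".so.", 1)[1] if ".so." in name else "unversioned"
            for name in openssl_libs(parse_ldd(ldd_output))}


def find_mismatches(ldd_output, expected_libdir):
    """OpenSSL libraries that do not come from the configured lib directory."""
    expected = os.path.normpath(expected_libdir)
    return {name: path
            for name, path in openssl_libs(parse_ldd(ldd_output)).items()
            if os.path.normpath(os.path.dirname(path)) != expected}


def ldd_of(binary):
    """Run ldd on a real binary.  Use the same LD_LIBRARY_PATH / LD_PRELOAD
    as the radiusd wrapper script, because those change the result."""
    return subprocess.run(["ldd", binary], capture_output=True,
                          text=True, check=True).stdout


def main(argv):
    # --with-openssl-libraries value from the thread
    libdir = "/home/uruena/monopenssl/lib"
    output = ldd_of(argv[1]) if len(argv) > 1 else SAMPLE_LDD
    bad = find_mismatches(output, libdir)
    versions = openssl_versions(output)
    for name, path in bad.items():
        print("MISMATCH: %s resolves to %s, not under %s" % (name, path, libdir))
    if len(versions) > 1:
        print("MIXED VERSIONS: %s" % ", ".join(sorted(versions)))
    return 1 if bad or len(versions) > 1 else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Saved as, say, check_openssl_link.py, it runs on the constructed sample with no arguments, or on a real server with `python3 check_openssl_link.py /home/uruena/monradius/sbin/radiusd`; a non-zero exit means the server would load a libcrypto or libssl other than the one it was built against.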




EAP-TLS problem

2004-07-30 Thread Ester Urueña
Hello

I am trying to authenticate Windows XP clients (using
EAP-TLS) through a Lucent WavePoint-II AP with
freeradius (the third pre-release of version 1.0.0) in
a Linux Red Hat machine. The version of
the openssl I am using is 0.9.7d.

The configuration I have in the radiusd.conf is the
default one. My eap.conf configuration file is:

eap {

default_eap_type = tls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {

auth_type = PAP
}
tls {
private_key_password = whatever
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
}

peap {
default_eap_type = mschapv2
}

mschapv2 {
}
}


All certificates are in the right place. I have a user
in the users file (without a user password or EAP type):
tai


When I try to authenticate my user, I have the
following debug information:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file:
/home/uruena/downloadrad/monradius/etc/raddb/proxy.conf
Config:   including file:
/home/uruena/downloadrad/monradius/etc/raddb/clients.conf
Config:   including file:
/home/uruena/downloadrad/monradius/etc/raddb/snmp.conf
Config:   including file:
/home/uruena/downloadrad/monradius/etc/raddb/eap.conf
Config:   including file:
/home/uruena/downloadrad/monradius/etc/raddb/sql.conf
 main: prefix = "/home/uruena/downloadrad/monradius"
 main: localstatedir =
"/home/uruena/downloadrad/monradius/var"
 main: logdir =
"/home/uruena/downloadrad/monradius/var/log/radius"
 main: libdir =
"/home/uruena/downloadrad/monradius/lib"
 main: radacctdir =
"/home/uruena/downloadrad/monradius/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file =
"/home/uruena/downloadrad/monradius/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile =
"/home/uruena/downloadrad/monradius/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad =
"/home/uruena/downloadrad/monradius/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will
go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is
/home/uruena/downloadrad/monradius/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean
output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp =
"/home/uruena/downloadrad/monradius/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized ty

Re: freeradius snap EAP//TLS problem

2004-04-08 Thread Rinaldo Bergamini
Alan DeKok wrote:
>   The debug messages do tell you what's going wrong:
>
>>   rlm_eap_tls: Received unexpected tunneled data after successful
>>  handshake. rlm_eap: Handler failed in EAP/tls
>>   rlm_eap: Failed in EAP select
>>   modcall[authenticate]: module "eap" returns invalid for request 4
>
>   See the list archives for causes.  It's generally a certificate
> problem.

In fact it was a certificate problem on the winxp supplicant. The
certificates I had were not generated with the xpextensions, as I found on
the archives I made new certificates and now everything works fine.

Thanks a lot for the support Alan.




Re: freeradius snap EAP//TLS problem

2004-04-06 Thread Alan DeKok
<[EMAIL PROTECTED]> wrote:
> I get this   "eaptls_process returned 13" but SSL negotiation finished successfully.
> I also tried to limit fragment_size in eap.conf and NASTYPE in clients.
> conf unsuccessfully.

  The debug messages do tell you what's going wrong:

>   rlm_eap_tls: Received unexpected tunneled data after successful handshake.
>  rlm_eap: Handler failed in EAP/tls
>   rlm_eap: Failed in EAP select
>   modcall[authenticate]: module "eap" returns invalid for request 4

  See the list archives for causes.  It's generally a certificate
problem.

  Alan DeKok.




freeradius snap EAP//TLS problem

2004-04-06 Thread rinaldo.bergamini
Hi everybody, I'm in serious trouble :-(
Can't get accept with eap/tls.
My setup is: 
freeradius snapshot  20040405
openssl latest snapshot 0.9.7
cisco ap 350 series
supplicant: win xp sp1,pcmcia card cisco aironet 350

I followed http://www.impossiblereflex.com/8021x/eap-tls-HOWTO.htm  and 
http://www.dslreports.com/forum/remark,9286052.

I get this   "eaptls_process returned 13" but SSL negotiation finished successfully.
I also tried to limit fragment_size in eap.conf and NASTYPE in clients.
conf unsuccessfully.

It's very important to me to work it out. Thanks a lot!

---


Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 160.78.27.14:1631, id=95, length=172
Thread 1 got semaphore
Thread 1 handling request 0, (1 handled so far)
--- Walking the entire request list ---
Waking up in 5 seconds...
User-Name = "Rinaldo Bergamini"
Cisco-AVPair = "ssid=qosnet"
NAS-IP-Address = 160.78.27.14
Called-Station-Id = "004096586593"
Calling-Station-Id = "000bbe371047"
NAS-Identifier = "AP350-586593"
Threads: total/active/spare threads = 5/1/4
NAS-Port = 38
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 0x020b00160152696e616c646f2042657267616d696e69
Message-Authenticator = 0x145cf7a6e04df58ac9728d3bc182dc64
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "Rinaldo Bergamini", looking up realm 
NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 11 length 22
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
users: Matched Rinaldo Bergamini at 97
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 95 to 160.78.27.14:1631
EAP-Message = 0x010c00060d20
Message-Authenticator = 0x
State = 0x99f405885345311f5f4500694fda302b
Finished request 0
Going to the next request
Thread 1 waiting to be assigned a request
rad_recv: Access-Request packet from host 160.78.27.14:1632, id=96, length=248
Thread 2 got semaphore
Thread 2 handling request 1, (1 handled so far)
User-Name = "Rinaldo Bergamini"
Waking up in 5 seconds...
Cisco-AVPair = "ssid=qosnet"
NAS-IP-Address = 160.78.27.14
Called-Station-Id = "004096586593"
Calling-Station-Id = "000bbe371047"
NAS-Identifier = "AP350-586593"
NAS-Port = 38
Framed-MTU = 1400
State = 0x99f405885345311f5f4500694fda302b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message = 
0x020c00500d8000461603010041013d0301407274b9cc82fcd51f27098da5c30c2afdc0d6c8e0f85fec407d8044b3b83f061600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x42da5e037024afa4f67e98bda17cdba4
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
rlm_realm: No '@' in User-Name = "Rinaldo Bergamini", looking up realm 
NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 12 length 80
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
users: Matched Rinaldo Bergamini at 97
  modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
(other): before/accept initialization 
TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [l

Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-03-11 Thread Lefteris St

> "rlm_eap_tls: Received unexpected tunneled data
> after successful handshake."
> 

I had the same problem a while ago. It turned out the
error lay with the generated certificates.

I never pinpointed the exact problem (I fiddled with
the scripts a lot), so I can't give any detailed
solution, but I'd try to recreate them (the certs) if I
were you.

Hope i helped,
Lefteris



Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-03-11 Thread Pavol Zibrita
Hi!

> "rlm_eap_tls: Received unexpected tunneled data after successful
> handshake."
>
> The conf file is default for the build apart from the location of the
> certs,
> and tls is uncommented to enable. I have attempted to run the server as
> root
> as ssl can be difficult with permissions. Below is debug output.
>
> Any advice or recommendations would be gratefully accepted.

Well. I don't really know. Maybe try the demo certificates that are shipped
with radius.

P.Zibrita




EAP/TLS problem: Received unexpected tunneled data after successf ul handshake

2004-03-10 Thread Badger David
I was hoping the list could assist with a particular problem using EAP/TLS.
The version of freeradius is : FreeRADIUS Version 1.0.0-pre0, for host ,
built on Mar  3 2004 at 01:53:39.
The setup involves an XP supplicant, Cisco AP and freeradius. 
System authentication using PEAP is successful.
From what I can gather the offending line is contained in the output below

"rlm_eap_tls: Received unexpected tunneled data after successful handshake."

The conf file is default for the build apart from the location of the certs,
and tls is uncommented to enable. I have attempted to run the server as root
as ssl can be difficult with permissions. Below is debug output.
 
Any advice or recommendations would be gratefully accepted.

"TLS_accept: SSLv3 read client certificate A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 64 to 10.10.10.254:21652
EAP-Message =
0x010800350d80002b14030100010116030100209dfd8bc53fa8444a4a9d9111804f7f14
91b7cfb701d9e0c39f2e266f31f55737
Message-Authenticator = 0x
State = 0xda17dfc5bd199eb14f67eb06c0cfa66c
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.10.254:21652, id=65,
length=171
User-Name = "client"
Framed-MTU = 1400
Called-Station-Id = "00-0E-83-6C-96-50"
Calling-Station-Id = "00-90-4B-62-48-D2"
Message-Authenticator = 0xc5b007418aeac597be88cc16ea23f590
EAP-Message =
0x020800210d8000171503010012b1753ee493034fdaff7fd754388038f61719
NAS-Port-Type = Wireless-802.11
NAS-Port = 363
State = 0xda17dfc5bd199eb14f67eb06c0cfa66c
Service-Type = Framed-User
NAS-IP-Address = 10.10.10.254
NAS-Identifier = "ap"
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
  modcall[authorize]: module "chap" returns noop for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: No '@' in User-Name = "client", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 8 length 33
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
users: Matched DEFAULT at 154
users: Matched client at 157
  modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
  rad_check_password:  Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_tls: Received unexpected tunneled data after successful handshake.
 rlm_eap: Handler failed in EAP/tls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 6
modcall: group authenticate returns invalid for request 6
auth: Failed to validate the user.
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.10.254:21652, id=65,
length=171
Sending Access-Reject of id 65 to 10.10.10.254:21652
EAP-Message = 0x04080004
  Message-Authenticator = 0x
"








Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-28 Thread Alan DeKok
Lefteris St <[EMAIL PROTECTED]> wrote:
> I noticed someone else having from with TLV i am not
> sure what that is, but i got a 
> 
> rlm_eap_peap:  Had sent TLV failure, rejecting.
> 
> Any hints there?

  PLEASE read the ENTIRE debugging output.  I know it's large, but
it's the ONLY WAY to see what's going on.

  In this case, we have:

>   rlm_eap_peap: EAPTLS_OK
>   rlm_eap_peap: Session established.  Proceeding to decode tunneled attributes.
> 
>   rlm_eap_peap: Identity - tester4
>   rlm_eap_peap: Tunneled data is valid.
>   PEAP: Got tunneled EAP-Message
>   EAP-Message = 0x0207000c0174657374657234
>   PEAP: Got tunneled identity of tester4
>   PEAP: Setting default EAP type for tunneled EAP session.
>   PEAP: Sending tunneled request
>   EAP-Message = 0x0207000c0174657374657234
>   Freeradius-Proxied-To = 127.0.0.1
>   User-Name = "tester4"

  So the tunneled data is OK.  A little while later, we see:

> modcall: entering group authenticate for request 7
>   rlm_eap: EAP Identity
>  rlm_eap: No such EAP type 26

  Which would appear to be a problem.  It continues with:

>   modcall[authenticate]: module "eap" returns invalid for request 7
> modcall: group authenticate returns invalid for request 7
> auth: Failed to validate the user.
>   PEAP: Got tunneled reply RADIUS code 3
>   EAP-Message = 0x04070004
>   Message-Authenticator = 0x
>   PEAP: Tunneled authentication was rejected.
>   rlm_eap_peap: FAILURE

  Which would appear to mean that the authentication failed.  Much
later, we see the message you were concerned about.

  Again, reading only the LAST few lines of the debugging output is
insufficient.

  The problem is that you told the server to do EAP-PEAP, but you did
*not* enable the 'mschapv2' sub-module for 'eap'.  The default
configuration shipped with the server DOES enable this by default.
Please don't change it.

  Alan DeKok.
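The hex EAP-Message values in the debug output quoted above (the EAP-TLS rejection in Badger David's post, the ClientHello in Rinaldo's log, and the tunneled Identity and Failure in the PEAP exchange Alan walks through) are easier to read once the EAP header, the EAP-TLS flags and the TLS record headers are split apart. The decoder below is an added example, not code from this thread or from FreeRADIUS; the type and content-type names are the IANA EAP and TLS registry values, so "No such EAP type 26" decodes to MS-CHAPv2, matching Alan's explanation. Fed the packet the client sent back right after the server's Finished, it reports a single TLS Alert record (content type 0x15): the supplicant aborted the session after the handshake, which is what "Received unexpected tunneled data after successful handshake" is reporting. The alert is encrypted, so its reason cannot be read from the log; the follow-ups in this thread traced it to the certificates. One caveat about the archive itself: the list archive has collapsed runs of zero bytes (the `Message-Authenticator = 0x` lines are empty, and the EAP-TLS values are shorter than their own length fields say), so the three EAP-TLS samples below have the zeros of their 4-byte length fields restored and are labelled reconstructed; the decoder flags such a mismatch instead of guessing.

```python
"""Decode EAP-Message attribute values from radiusd -X debug output.

Added example for this thread (not FreeRADIUS code).  It splits the EAP
header, the EAP-TLS flags/length field and the TLS records carried inside,
so a hex value from the log reads as e.g. "Response, id 8, EAP-TLS, one
TLS Alert record".  Names come from the IANA EAP and TLS registries.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             17: "LEAP", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest",
             14: "ServerHelloDone", 15: "CertificateVerify",
             16: "ClientKeyExchange", 20: "Finished"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2"}


def parse_tls_records(data):
    """Split back-to-back TLS records.  A Handshake record that follows a
    ChangeCipherSpec in the same message is encrypted (the Finished message),
    so its handshake type byte is not interpreted."""
    records, pos, encrypted = [], 0, False
    while pos < len(data):
        if pos + 5 > len(data):
            raise ValueError("truncated TLS record header")
        ctype = data[pos]
        version = (data[pos + 1], data[pos + 2])
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        payload = data[pos + 5:pos + 5 + rlen]
        if len(payload) != rlen:
            raise ValueError("truncated TLS record body")
        rec = {"content_type": TLS_CONTENT.get(ctype, ctype),
               "version": TLS_VERSIONS.get(version, version), "length": rlen}
        if ctype == 20:
            encrypted = True
        elif ctype == 22 and not encrypted and rlen:
            rec["handshake_type"] = HANDSHAKE.get(payload[0], payload[0])
        elif ctype == 22:
            rec["note"] = "encrypted handshake message (Finished)"
        elif ctype == 21 and rlen == 2:   # plaintext alert: level, description
            rec["alert"] = {"level": payload[0], "description": payload[1]}
        elif ctype == 21:
            rec["note"] = "encrypted alert: peer aborted after the handshake"
        records.append(rec)
        pos += 5 + rlen
    return records


def parse_eap_tls(body):
    """EAP-TLS payload: flags byte, optional 4-byte TLS message length, data."""
    flags = body[0]
    info = {"length_included": bool(flags & 0x80),
            "more_fragments": bool(flags & 0x40),
            "start": bool(flags & 0x20)}
    pos = 1
    if info["length_included"]:
        info["tls_message_length"] = int.from_bytes(body[1:5], "big")
        pos = 5
    if info["more_fragments"]:
        info["records"] = None      # fragment: reassemble all fragments first
        return info
    try:
        info["records"] = parse_tls_records(body[pos:])
    except ValueError:
        info["records"] = None      # a trailing fragment looks like this too
    return info


def parse_eap(hex_message):
    """Decode one EAP-Message value as radiusd prints it ("0x...")."""
    hex_message = hex_message.strip()
    if hex_message[:2].lower() == "0x":
        hex_message = hex_message[2:]
    data = bytes.fromhex(hex_message)
    if len(data) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length != len(data):
        # The list archive collapses runs of zero bytes, so values copied
        # from it can be shorter than their own length field says.
        msg["length_mismatch"] = True
        msg["bytes_present"] = len(data)
        return msg
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        msg["type_code"] = eap_type
        msg["type"] = EAP_TYPES.get(eap_type, "unknown type %d" % eap_type)
        if eap_type == 1:
            msg["identity"] = data[5:].decode("ascii", "replace")
        elif eap_type == 13 and length >= 6:
            msg.update(parse_eap_tls(data[5:]))
    return msg


# Values from the debug output quoted in this thread.  The three EAP-TLS
# packets are reconstructed: the archive dropped the zero bytes of their
# 4-byte length fields, so those are restored here.
SAMPLE_MESSAGES = [
    ("server EAP-TLS Start", "0x010c00060d20"),
    ("client Identity", "0x020b00160152696e616c646f2042657267616d696e69"),
    ("client ClientHello (reconstructed)",
     "0x020c00500d80000000461603010041" "0100003d0301"
     "407274b9cc82fcd51f27098da5c30c2afdc0d6c8e0f85fec407d8044b3b83f06"
     "000016" "00040005000a00090064006200030006001300120063" "0100"),
    ("server ChangeCipherSpec + Finished (reconstructed)",
     "0x010800350d800000002b140301000101"
     "16030100209dfd8bc53fa8444a4a9d9111804f7f1491b7cfb701d9e0c39f2e266f31f55737"),
    ("client reply after handshake (reconstructed)",
     "0x020800210d80000000171503010012b1753ee493034fdaff7fd754388038f61719"),
    ("tunneled PEAP Identity", "0x0207000c0174657374657234"),
    ("tunneled PEAP Failure", "0x04070004"),
]

if __name__ == "__main__":
    for label, value in SAMPLE_MESSAGES:
        print(label, "->", parse_eap(value))
```

Running it prints one decoded dictionary per sample; paste any other `EAP-Message = 0x...` value from a live `radiusd -X` session into `parse_eap` to decode it the same way.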



Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-28 Thread Lefteris St
>If you have a Cisco AP you should use AAA,
>For a Cisco client you don't need AAA.

Ok, I'll try using the commands found in the cisco
file in the docs. I'm not sure what you mean by Cisco
client though.

>The errors should have been different, at least...

That is correct, have a look at what i get from peap:

I noticed someone else having from with TLV i am not
sure what that is, but i got a 

rlm_eap_peap:  Had sent TLV failure, rejecting.

Any hints there?

Anyway the entire output is attached.

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 195.251.248.176 IP address [195.251.248.176]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/home/gela/keys/cert-srv.pem"
 tls: certificate_file = "/home/gela/keys/cert-srv.pem"
 tls: CA_file = "/home/gela/keys/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/home/gela/keys/dh1024.pem"
 tls: random_file = "/home/gela/keys/random.pem"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "gela"
 sql: password = "lesgeo"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgrouprep

Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-27 Thread Alan DeKok
Lefteris St <[EMAIL PROTECTED]> wrote:
> Note that since i don't have winXP, i use my card's
> software to detect and connect to my AP.

  Hmm... I'm not sure if that software has been tested with
FreeRADIUS.

> I have also tried using PEAP and TTLS(SecureW2) but
> (as was expected) to no avail.

  The errors should have been different, at least...

> As far as the client(Cisco) is concerned, there isn't
> much more to be said. I didn't use the aaa commands in
> the documentation, since it didn't seem necessary in
> the How-To's (should I?). 

  Probably.

  Alan DeKok.



Re: EAP-TLS problem.

2004-01-27 Thread Alan DeKok
"Yiannis Samouhos" <[EMAIL PROTECTED]> wrote:
> Funny, everything compiles except radeapclient.c and the installer breaks
>  there ..

  Ok.  I've fixed it in the latest CVS.

  Alan DeKok.



Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-27 Thread Yiannis Samouhos
Lefteri,

Rule of thumb.

If you have a Cisco AP you should use AAA,
For a Cisco client you don't need AAA.

-Yiannis


*** REPLY SEPARATOR  ***

On 27/1/2004 at 2:13 PM Lefteris St wrote:

>Ok, here's some more info about my configuration on
>the user-side:
>
>I have installed the client and CA certificates
>(cert-clt.p12, root.der) which I created using the
>script described in Ken Roser's How-To
>(doc/EAP/TLS.pdf). They seem to be working fine (the
>TLS handshake doesn't complain about any of them).
>In the authentication tab I selected "Use Smart Card
>or Certificate".
>When I try to connect I get a popup prompting me to
>choose the (client) certificate I want to use.
>Note that since I don't have winXP, I use my card's
>software to detect and connect to my AP. I have tried
>two different cards so far with the same result (PCMCIA
>AmbiCom and ZoomAir with PCI adapter).
>
>I have also tried using PEAP and TTLS (SecureW2) but
>(as was expected) to no avail.
>
>As far as the client (Cisco) is concerned, there isn't
>much more to be said. I didn't use the aaa commands in
>the documentation, since it didn't seem necessary in
>the How-To's (should I?).
>I just added a radius server (providing ip address,
>shared secret and selecting "EAP authentication") and
>changed the authentication option for my SSID from
>"Open Authentication" to "Open
>authentication with EAP".
>
>Tomorrow I am going to try and use HostAp as a client
>for freeradius and I'll tell you if there is any
>progress.
>
>Thanks again for taking an interest.
>
>__
>Do you Yahoo!?
>Yahoo! SiteBuilder - Free web site building tool. Try it!
>http://webhosting.yahoo.com/ps/sb/
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP/TLS problem: Received unexpected tunneled data after

2004-01-27 Thread Lefteris St
Ok, here's some more info about my configuration on
the user-side:

I have installed the client and CA certificates
(cert-clt.p12, root.der) which I created using the
script described in Ken Roser's How-To
(doc/EAP/TLS.pdf). They seem to be working fine (the
TLS handshake doesn't complain about any of them).
In the authentication tab I selected "Use Smart Card
or Certificate".
When I try to connect I get a popup prompting me to
choose the (client) certificate I want to use.
Note that since I don't have winXP, I use my card's
software to detect and connect to my AP. I have tried
two different cards so far with the same result (PCMCIA
AmbiCom and ZoomAir with PCI adapter).

I have also tried using PEAP and TTLS (SecureW2) but
(as was expected) to no avail.

As far as the client (Cisco) is concerned, there isn't
much more to be said. I didn't use the aaa commands in
the documentation, since it didn't seem necessary in
the How-To's (should I?). 
I just added a radius server (providing ip address,
shared secret and selecting "EAP authentication") and
changed the authentication option for my SSID from
"Open Authentication" to "Open
authentication with EAP".

Tomorrow I am going to try and use HostAp as a client
for freeradius and I'll tell you if there is any
progress.

Thanks again for taking an interest.

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/



Re: EAP-TLS problem.

2004-01-27 Thread Yiannis Samouhos
Funny, everything compiles except radeapclient.c and the installer breaks there..

gmake[11]: Leaving directory 
`/var/3com/freeradius-snapshot-20040126/src/modules/rlm_eap/types/rlm_eap_ttls'
gmake[10]: Leaving directory 
`/var/3com/freeradius-snapshot-20040126/src/modules/rlm_eap/types'
gmake[9]: Leaving directory 
`/var/3com/freeradius-snapshot-20040126/src/modules/rlm_eap/types'
gmake[8]: Leaving directory 
`/var/3com/freeradius-snapshot-20040126/src/modules/rlm_eap'
/var/3com/freeradius-snapshot-20040126/install-sh -c -m 755 radeapclient
/usr/local/bin
install:  radeapclient does not exist
gmake[7]: *** [install-types] Error 1
.


*** REPLY SEPARATOR  ***

On 27/1/2004 at 11:31 PM Yiannis Samouhos wrote:

>Yes indeed what I meant is that there were no crash breaks on the
>compilation.
>
>/usr/local/lib/rlm_eap_tls.la
>
>for 0.9.3 it looks like it's there, there's no mschapv2 and peap in the
>release though. :(
>
>I am recompiling the snapshot again to look it up a bit closer..
>
>
>
>*** REPLY SEPARATOR  ***
>
>On 27/1/2004 at 3:52 PM Alan DeKok wrote:
>
>>"Yiannis Samouhos" <[EMAIL PROTECTED]> wrote:
>>> I have a problem configuring EAP with TLS. EAP with no TLS works fine.
>>>
>>> This is the message I see even though all files under certs are there and
>>the
>>>  compilation was errorless.
>>
>>  That doesn't mean everything compiled.  It meant that nothing had
>>*errors* when compiling.
>>
>>> rlm_eap: Failed to link EAP-Type/tls: file not found
>>> radiusd.conf[617]: eap: Module instantiation failed.
>>
>>  The rlm_eap_tls.la library, and associated libraries, were not
>>found.
>>
>>> I compiled  freeradius-snapshot-20040126 with openssl-0.9.7c in my RH7.3
>>>  with 2.4.18-3 kernel.
>>
>>  Did you watch the output of "configure" and "make", to see if it
>>found OpenSSL, and then built rlm_eap_tls?
>>
>>  Try this:
>>
>>$ ./configure --with-openssl-includes=/path/to/ssl/include
>>--with-openssl-libraries=/path/to/ssl/lib
>>
>>  check that it finds  !
>>
>>$ make
>>
>>  check the rlm_eap_tls.c is compiling!
>>
>>$ make install
>>
>>  check that rlm_eap_tls.la is installed!
>>
>>  Alan DeKok.
>>
>>-
>>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html
>
>
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-TLS problem.

2004-01-27 Thread Yiannis Samouhos
Yes indeed what I meant is that there were no crash breaks on the compilation.

/usr/local/lib/rlm_eap_tls.la

for 0.9.3 it looks like it's there, there's no mschapv2 and peap in the release 
though. :(

I am recompiling the snapshot again to look it up a bit closer..



*** REPLY SEPARATOR  ***

On 27/1/2004 at 3:52 PM Alan DeKok wrote:

>"Yiannis Samouhos" <[EMAIL PROTECTED]> wrote:
>> I have a problem configuring EAP with TLS. EAP with no TLS works fine.
>>
>> This is the message I see even though all files under certs are there and
>the
>>  compilation was errorless.
>
>  That doesn't mean everything compiled.  It meant that nothing had
>*errors* when compiling.
>
>> rlm_eap: Failed to link EAP-Type/tls: file not found
>> radiusd.conf[617]: eap: Module instantiation failed.
>
>  The rlm_eap_tls.la library, and associated libraries, were not
>found.
>
>> I compiled  freeradius-snapshot-20040126 with openssl-0.9.7c in my RH7.3
>>  with 2.4.18-3 kernel.
>
>  Did you watch the output of "configure" and "make", to see if it
>found OpenSSL, and then built rlm_eap_tls?
>
>  Try this:
>
>$ ./configure --with-openssl-includes=/path/to/ssl/include
>--with-openssl-libraries=/path/to/ssl/lib
>
>  check that it finds  !
>
>$ make
>
>  check the rlm_eap_tls.c is compiling!
>
>$ make install
>
>  check that rlm_eap_tls.la is installed!
>
>  Alan DeKok.
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



Re: EAP-TLS problem.

2004-01-27 Thread Alan DeKok
"Yiannis Samouhos" <[EMAIL PROTECTED]> wrote:
> I have a problem configuring EAP with TLS. EAP with no TLS works fine.
> 
> This is the message I see even though all files under certs are there and the
>  compilation was errorless.

  That doesn't mean everything compiled.  It meant that nothing had
*errors* when compiling.

> rlm_eap: Failed to link EAP-Type/tls: file not found
> radiusd.conf[617]: eap: Module instantiation failed. 

  The rlm_eap_tls.la library, and associated libraries, were not
found.

> I compiled  freeradius-snapshot-20040126 with openssl-0.9.7c in my RH7.3
>  with 2.4.18-3 kernel.

  Did you watch the output of "configure" and "make", to see if it
found OpenSSL, and then built rlm_eap_tls?

  Try this:

$ ./configure --with-openssl-includes=/path/to/ssl/include 
--with-openssl-libraries=/path/to/ssl/lib

  check that it finds  !

$ make

  check the rlm_eap_tls.c is compiling!

$ make install

  check that rlm_eap_tls.la is installed!

  Alan DeKok.



Re: EAP-TLS problem.

2004-01-27 Thread Yiannis Samouhos
Yes, the problem is in the snapshot. I just compiled the 0.9.3 release and it works fine.

-Yiannis

*** REPLY SEPARATOR  ***

On 27/1/2004 at 10:36 PM Yiannis Samouhos wrote:

>Hi all gurus of the world.
>
>Very sorry for this HUGE email, but
>
>I have a problem configuring EAP with TLS. EAP with no TLS works fine.
>
>This is the message I see even though all files under certs are there and the
>compilation was errorless.
>
>
>---cut text
>Module: Loaded eap
> eap: default_eap_type = "md5"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
>rlm_eap: Loaded and initialized type md5
>rlm_eap: Loaded and initialized type leap
>rlm_eap: Failed to link EAP-Type/tls: file not found
>radiusd.conf[617]: eap: Module instantiation failed.
>
>the config file is this..
>
>cut text--
>
>eap {
>default_eap_type = md5
>timer_expire = 60
>ignore_unknown_eap_types = no
>md5 {
>}
>leap {
>}
>tls {
>private_key_password = mykeyhere
>private_key_file = ${raddbdir}/certs/cert-srv.pem
>certificate_file = ${raddbdir}/certs/cert-srv.pem
>CA_file = ${raddbdir}/certs/demoCA/cacert.pem
>dh_file = ${raddbdir}/certs/dh
>random_file = ${raddbdir}/certs/random
>fragment_size = 1024
>include_length = yes
>check_crl = yes
>}
>peap {
>default_eap_type = mschapv2
>}
>mschapv2 {
>}
>}
>
>and the files reside on /usr/local/etc/raddb/certs
>
>[EMAIL PROTECTED] certs]# pwd
>/usr/local/etc/raddb/certs
>[EMAIL PROTECTED] certs]# ls -al
>total 60
>drwxr-xr-x3 root root 4096 Jan 27 02:34 .
>drwxr-xr-x3 root root 4096 Jan 27 22:15 ..
>-rw-r--r--1 root root  681 Jan 27 02:34 cert-clt.der
>-rw-r--r--1 root root 1701 Jan 27 02:34 cert-clt.p12
>-rw-r--r--1 root root 2343 Jan 27 02:34 cert-clt.pem
>-rw-r--r--1 root root  679 Jan 27 02:34 cert-srv.der
>-rw-r--r--1 root root 1693 Jan 27 02:34 cert-srv.p12
>-rw-r--r--1 root root 2353 Jan 27 02:34 cert-srv.pem
>drwxr-xr-x6 root root 4096 Jan 27 02:34 demoCA
>-rw-r--r--1 root root0 Jan 27 02:34 dh
>-rw-r--r--1 root root 2831 Jan 27 02:34 newcert.pem
>-rw-r--r--1 root root 1724 Jan 27 02:34 newreq.pem
>-rw-r--r--1 root root 1024 Jan 27 02:34 random
>-rw-r--r--1 root root  894 Jan 27 02:34 root.der
>-rw-r--r--1 root root 1909 Jan 27 02:34 root.p12
>-rw-r--r--1 root root 2643 Jan 27 02:34 root.pem
>
>
>I compiled freeradius-snapshot-20040126 with openssl-0.9.7c in my RH7.3
>with 2.4.18-3 kernel.
>
>Does anyone have a clue?
>
>I will also try 0.9.3 and see if I get the same problem but if it's a
>known issue then please say so.
>
>Kind Regards to all,
>
>-Yiannis
>
>
>
>
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



EAP-TLS problem.

2004-01-27 Thread Yiannis Samouhos
Hi all gurus of the world.

Very sorry for this HUGE email, but

I have a problem configuring EAP with TLS. EAP with no TLS works fine.

This is the message I see even though all files under certs are there and the compilation 
was errorless.


---cut text
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Failed to link EAP-Type/tls: file not found
radiusd.conf[617]: eap: Module instantiation failed.

the config file is this..

cut text--

eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
md5 {
}
leap {
}
tls {
private_key_password = mykeyhere
private_key_file = ${raddbdir}/certs/cert-srv.pem
certificate_file = ${raddbdir}/certs/cert-srv.pem
CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
fragment_size = 1024
include_length = yes
check_crl = yes
}
peap {
default_eap_type = mschapv2
}
mschapv2 {
}
}

and the files reside on /usr/local/etc/raddb/certs

[EMAIL PROTECTED] certs]# pwd
/usr/local/etc/raddb/certs
[EMAIL PROTECTED] certs]# ls -al
total 60
drwxr-xr-x3 root root 4096 Jan 27 02:34 .
drwxr-xr-x3 root root 4096 Jan 27 22:15 ..
-rw-r--r--1 root root  681 Jan 27 02:34 cert-clt.der
-rw-r--r--1 root root 1701 Jan 27 02:34 cert-clt.p12
-rw-r--r--1 root root 2343 Jan 27 02:34 cert-clt.pem
-rw-r--r--1 root root  679 Jan 27 02:34 cert-srv.der
-rw-r--r--1 root root 1693 Jan 27 02:34 cert-srv.p12
-rw-r--r--1 root root 2353 Jan 27 02:34 cert-srv.pem
drwxr-xr-x6 root root 4096 Jan 27 02:34 demoCA
-rw-r--r--1 root root0 Jan 27 02:34 dh
-rw-r--r--1 root root 2831 Jan 27 02:34 newcert.pem
-rw-r--r--1 root root 1724 Jan 27 02:34 newreq.pem
-rw-r--r--1 root root 1024 Jan 27 02:34 random
-rw-r--r--1 root root  894 Jan 27 02:34 root.der
-rw-r--r--1 root root 1909 Jan 27 02:34 root.p12
-rw-r--r--1 root root 2643 Jan 27 02:34 root.pem


I compiled freeradius-snapshot-20040126 with openssl-0.9.7c in my RH7.3 with 2.4.18-3 
kernel.

Does anyone have a clue?

I will also try 0.9.3 and see if I get the same problem but if it's a known issue then 
please say so.

Kind Regards to all,

-Yiannis

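The checklist Alan gives further up the thread (confirm that `configure` found OpenSSL, that `rlm_eap_tls.la` was installed, and that the files named in the `tls` block are really there) can be applied to the `radiusd -X` startup output itself. The script below is an added example written for this thread, not FreeRADIUS code: it parses the ` tls: key = value` lines the server echoes while instantiating `eap`, notes whether `rlm_eap: Loaded and initialized type tls` or `rlm_eap: Failed to link EAP-Type/tls` was printed, and then checks that each referenced file exists and is non-empty (the `ls -al` above shows `dh` at 0 bytes, which is exactly the kind of thing that is easy to miss). The `SAMPLE_DEBUG_*` strings, the `check_eap_tls`/`demo` helpers and every path are constructed for the example.

```python
"""Check an EAP-TLS setup from 'radiusd -X' startup output.

Added example for this thread; it is not FreeRADIUS code. It reads the
' tls: key = value' lines the server echoes while instantiating modules,
the 'rlm_eap: Loaded and initialized type ...' lines, and the
'rlm_eap: Failed to link EAP-Type/...' line from the failing snapshot,
then verifies that every file the tls sub-module points at exists and
is non-empty. All paths below are constructed for the example.
"""
import os
import re
import tempfile

# Startup lines in the form seen in this thread; {d} is filled in with a
# constructed temporary directory at run time.
SAMPLE_DEBUG_OK = """\
Module: Loaded eap
 eap: default_eap_type = "tls"
rlm_eap: Loaded and initialized type md5
 tls: private_key_file = "{d}/certs/cert-srv.pem"
 tls: certificate_file = "{d}/certs/cert-srv.pem"
 tls: CA_file = "{d}/certs/root.pem"
 tls: dh_file = "{d}/certs/dh"
 tls: random_file = "{d}/certs/random"
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
"""

# What the snapshot build printed: rlm_eap_tls was never linked.
SAMPLE_DEBUG_FAIL = """\
Module: Loaded eap
 eap: default_eap_type = "md5"
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Failed to link EAP-Type/tls: file not found
radiusd.conf[617]: eap: Module instantiation failed.
"""

SETTING_RE = re.compile(r"^\s*(\w+): (\w+) = (.*)$")
LOADED_RE = re.compile(r"^rlm_eap: Loaded and initialized type (\w+)")
FAILED_RE = re.compile(r"^rlm_eap: Failed to link EAP-Type/(\w+)")
FILE_KEYS = ("private_key_file", "certificate_file", "CA_file", "dh_file", "random_file")


def parse_debug(text):
    """Return (settings per module, loaded EAP types, EAP types that failed to link)."""
    settings, loaded, failed = {}, set(), set()
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            module, key, value = m.groups()
            settings.setdefault(module, {})[key] = value.strip().strip('"')
            continue
        m = LOADED_RE.match(line)
        if m:
            loaded.add(m.group(1))
            continue
        m = FAILED_RE.match(line)
        if m:
            failed.add(m.group(1))
    return settings, loaded, failed


def check_eap_tls(text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    settings, loaded, failed = parse_debug(text)
    if "tls" in failed:
        # The library itself is missing, so checking files is pointless yet.
        return ["rlm_eap_tls not linked: confirm configure found OpenSSL and that "
                "rlm_eap_tls.la was installed into libdir"]
    findings = []
    if "tls" not in loaded:
        findings.append("EAP type tls was never initialized")
    tls = settings.get("tls", {})
    for key in FILE_KEYS:
        path = tls.get(key)
        if path is None:
            findings.append(f"tls: {key} is not set")
        elif not os.path.isfile(path):
            findings.append(f"tls: {key} -> {path} does not exist")
        elif os.path.getsize(path) == 0:
            findings.append(f"tls: {key} -> {path} is empty")
    return findings


def demo():
    """Build a constructed certs directory shaped like the 'ls -al' above
    (non-empty certs, a 0-byte dh file) and check both sample outputs."""
    with tempfile.TemporaryDirectory() as d:
        certs = os.path.join(d, "certs")
        os.mkdir(certs)
        for name in ("cert-srv.pem", "root.pem", "random"):
            with open(os.path.join(certs, name), "wb") as f:
                f.write(b"constructed placeholder, not a real certificate\n")
        open(os.path.join(certs, "dh"), "wb").close()  # 0 bytes, as in the listing
        ok = check_eap_tls(SAMPLE_DEBUG_OK.format(d=d))
        fail = check_eap_tls(SAMPLE_DEBUG_FAIL)
    return ok, fail


if __name__ == "__main__":
    for label, findings in zip(("working build", "snapshot build"), demo()):
        print(f"{label}: " + ("; ".join(findings) or "no findings"))
```

Run against a real `radiusd -X` capture by passing its text to `check_eap_tls` instead of the constructed samples. The script only reports an empty `dh` file; whether the server tolerates that depends on the version, so treat it as something to look at rather than as a verdict.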


Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-01-27 Thread Alan DeKok
Lefteris St <[EMAIL PROTECTED]> wrote:
> On the user side we're running Windows 2000 with SP4 and
> the authentication patch.

  Ok... but the configuration is more than just "use EAP-TLS".  Please
describe *exactly* the configuration you used.

  Alan DeKok.



Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-01-27 Thread Lefteris St
>What client are you using, and how have you configured it?

I am using a Cisco Aironet 1200.
I configured it to use "Open Authentication with EAP",
set the radius server IP and shared secret.
I did all these through the AP's html interface.

On the user side we're running Windows 2000 with SP4 and
the authentication patch.


__
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/



Re: EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-01-27 Thread Alan DeKok
Lefteris St <[EMAIL PROTECTED]> wrote:
> I think i have configured everything properly (openssl
> certs and stuff) but i still can't get freeradius to
> authenticate EAP users properly.

  It succeeds, which means you've got it working right.

  The problem is that it goes "too far".  I'm not sure why, but it's
probably due to the client you're using.  So...

  What client are you using, and how have you configured it?

  Alan DeKok.



EAP/TLS problem: Received unexpected tunneled data after successful handshake

2004-01-27 Thread Lefteris St
Hi all,

I've been having some problems with EAP/TLS (and
subsequently with TTLS and PEAP).
I've been working with the two How-to's from /doc (by
the way thanks guys).

I think I have configured everything properly (openssl
certs and stuff) but I still can't get freeradius to
authenticate EAP users properly.

I'm attaching the stuff I get from the
server (debugging mode)

Thanks in advance!

__
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 195.251.248.176 IP address [195.251.248.176]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/home/gela/keys/cert-srv.pem"
 tls: certificate_file = "/home/gela/keys/cert-srv.pem"
 tls: CA_file = "/home/gela/keys/root.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/home/gela/keys/dh1024.pem"
 tls: random_file = "/home/gela/keys/random.pem"
 tls: fragment_size = 4096
 tls: include_length = yes
 tls: check_crl = no
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "mschapv2"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
 preprocess: hints = "/usr/local/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = yes
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded SQL 
 sql: driver = "rlm_sql_mysql"
 sql: server = "localhost"
 sql: port = ""
 sql: login = "gela"
 sql: password = "lesgeo"
 sql: radius_db = "radius"
 sql: acct_table = "radacct"
 sql: acct_table2 = "radacct"
 sql: authcheck_table = "radcheck"
 sql: authreply_table = "radreply"
 sql: groupcheck_table = "radgroupcheck"
 sql: groupreply_table = "radgroupreply"
 sql: usergroup_table = "usergroup"
 sql: nas_table = "nas"
 sql: dict_table = "dictionary"
 sql: sqltrace =