Re: Windows XP keeps verifying identity
Klaas De Craemer [EMAIL PROTECTED] wrote:
> Below is RASTLS.LOG and EAPOL.LOG, which I believe are the most important.
> I can't find any apparent error in it though, it just keeps repeating the
> same request over and over again... Any ideas?

Errors follow:

> [872] 11:24:14:815: SecurityContextFunction
> [872] 11:24:14:815: InitializeSecurityContext returned 0x80090327
> [872] 11:24:14:815: State change to RecdFinished. Error: 0x80090327

That looks like an error to me. The previous packet it received was:

> [872] 11:24:14:815: Received Request (Code: 1) packet: Id: 4, Length: 587, Type: 13, TLS blob length: 1601. Flags: L

You can correlate that information with the FreeRADIUS debug logs to see what's going on.

Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
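The correlation suggested above can be done mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it parses the quoted RASTLS.LOG lines, names the SSPI status code, and checks the logged packet length against the `fragment_size = 1024` and `include_length = yes` values shown in the server's debug output elsewhere in this thread. The 10-byte EAP-TLS header model and the function names are assumptions of the example.

```python
import re

# The RASTLS.LOG lines quoted in the message above, put back in log order.
RASTLS = """\
[872] 11:24:14:815: Received Request (Code: 1) packet: Id: 4, Length: 587, Type: 13, TLS blob length: 1601. Flags: L
[872] 11:24:14:815: SecurityContextFunction
[872] 11:24:14:815: InitializeSecurityContext returned 0x80090327
[872] 11:24:14:815: State change to RecdFinished. Error: 0x80090327
"""

# SSPI status names as defined in the Windows SDK header winerror.h.
SSPI = {0x80090322: "SEC_E_WRONG_PRINCIPAL", 0x80090325: "SEC_E_UNTRUSTED_ROOT",
        0x80090327: "SEC_E_CERT_UNKNOWN", 0x80090328: "SEC_E_CERT_EXPIRED"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
PKT = re.compile(r"Received Request .*Id: (\d+), Length: (\d+), Type: (\d+), "
                 r"TLS blob length: (\d+)\. Flags: (\w*)")
ERR = re.compile(r"InitializeSecurityContext returned (0x[0-9a-fA-F]+)")

def fragment_lengths(tls_total, fragment_size):
    """(EAP length, more-fragments flag) per packet for one TLS flight.

    Assumed framing with include_length = yes: Code, Id, Length(2), Type,
    Flags and a 4-byte TLS message length, 10 bytes in every fragment.
    """
    out, sent = [], 0
    while sent < tls_total:
        chunk = min(fragment_size, tls_total - sent)
        sent += chunk
        out.append((10 + chunk, sent < tls_total))
    return out

def diagnose(log, fragment_size=1024):
    """Pair the first SSPI failure with the EAP packet received just before it."""
    pkt = None
    for line in log.splitlines():
        m, e = PKT.search(line), ERR.search(line)
        if m:
            pkt = [int(g) for g in m.groups()[:4]] + [m.group(5)]
        elif e and pkt:
            eap_id, length, etype, blob, flags = pkt
            frags = fragment_lengths(blob, fragment_size)
            return {"eap_id": eap_id, "method": EAP_TYPES.get(etype, str(etype)),
                    "fragments": frags,
                    "final_fragment": "M" not in flags and frags[-1] == (length, False),
                    "status": SSPI.get(int(e.group(1), 16), e.group(1))}
    return None
```

On the thread's values the 587-byte packet is the last fragment of a 1601-byte server flight, and the status returned immediately afterwards is the one winerror.h describes as an unknown error while processing the certificate.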
Re: Windows XP keeps verifying identity
make appropriate changes in radiusd.conf eap.conf for the authentication method you want to use

Pradeep

--
Message: 3
Date: Sat, 8 Jul 2006 15:27:31 +0200
From: Klaas De Craemer [EMAIL PROTECTED]
Subject: Re: Windows XP keeps verifying identity
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ow, I forgot to say that I'm trying to use EAP-TLS...

2006/7/8, Klaas De Craemer [EMAIL PROTECTED] ...

End of Freeradius-Users Digest, Vol 15, Issue 23
RE: Windows XP keeps verifying identity
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /etc/freeradius/certs/server_key.pem
 tls: certificate_file = /etc/freeradius/certs/server_cert.pem
 tls: CA_file = /etc/freeradius/certs/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /etc/freeradius/certs/dh
 tls: random_file = /etc/freeradius/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/freeradius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
==

make appropriate changes in radiusd.conf eap.conf for the authentication method you want to use

Pradeep

--
Message: 3
Date: Sat, 8 Jul 2006 15:27:31 +0200
From: Klaas De Craemer klaasdc at gmail.com
Subject: Re: Windows XP keeps verifying identity
To: freeradius-users at lists.freeradius.org
Message-ID: f59e60020607080627r344aad2bia7fc636a141fba6c at mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Ow, I forgot to say that I'm trying to use EAP-TLS...

2006/7/8, Klaas De Craemer klaasdc at gmail.com ...
RE: Windows XP keeps verifying identity
> Sending Access-Challenge of id 15 to 127.0.0.1:1027
snip
> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=0, length=159
snip

It's receiving the request from a loopback address. Is the client the same machine as the FreeRadius server? Are you really connecting to an Access Point? If so, what is its IP address?
Re: Windows XP keeps verifying identity
Garber, Neal wrote:
> Sending Access-Challenge of id 15 to 127.0.0.1:1027
> snip
> rad_recv: Access-Request packet from host 127.0.0.1:1027, id=0, length=159
> snip
> It's receiving the request from a loopback address. Is the client the same
> machine as the FreeRadius server? Are you really connecting to an Access
> Point? If so, what is its IP address?

That's the EAP inner request. It's proxied internally to FreeRadius, and 127.0.0.1 is just put in there to fill the IP address in.
Re: Windows XP keeps verifying identity
Klaas De Craemer wrote:
> Do you mean the so-called xpextensions (1.3.6.1.5.5.7.3.2 for the client
> and .1 for the server)? I have used them to generate the certificates...

Since the client is stopping, and you say you have the OIDs, you'll have to debug the client. Try:

    netsh ras set tracing * enabled

...and then look for the relevant logs in c:\windows\whereverthehelltheygo
Windows XP keeps verifying identity
Hello,

I have been trying to set up an Access Point on a soekris-board for some days now, but I keep getting stuck. The certificates are all in place, Freeradius starts up nicely, hostapd seems to work... But the trouble starts in Windows XP SP2: When I try to associate with the AP, it keeps sitting in an Attempting Verification-loop. In my freeradius-window, the authentication messages keep scrolling by, but it seems like the Windows-client doesn't listen to them.

I am using freeradius 1.0.2 built from source on kernel 2.6.15.

Below is some of the Radius-output (radiusd -X -A) and some of that from hostapd:

=Freeradius==
rad_recv: Access-Request packet from host 127.0.0.1:1026, id=74, length=245
    User-Name = KlaasDC
    NAS-IP-Address = 127.0.0.1
    NAS-Port = 1
    Called-Station-Id = 00-02-6F-3C-37-D7:soekris4521
    Calling-Station-Id = 00-02-6F-3C-37-D8
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 11Mbps 802.11b
    EAP-Message = 0x026800500d8000461603010041013d030144afac86153ed083623ea17e4a82459787262b54cdb6eb6b33603567da79e7861600040005000a000900640062000300060013001200630100
    State = 0xe1ca3273104420e8f3fa797348da4fbf
    Message-Authenticator = 0xb662295a5ab68423baa41ed3e1976b0f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 74
modcall[authorize]: module preprocess returns ok for request 74
modcall[authorize]: module chap returns noop for request 74
modcall[authorize]: module mschap returns noop for request 74
rlm_realm: No '@' in User-Name = KlaasDC, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 74
rlm_eap: EAP packet type response id 104 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 74
users: Matched entry KlaasDC at line 97
modcall[authorize]: module files returns ok for request 74
modcall: group authorize returns updated for request 74
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 74
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: TLS 1.0 Handshake [length 057b], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: TLS 1.0 Handshake [length 006d], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module eap returns handled for request 74
modcall: group authenticate returns handled for request 74
Sending Access-Challenge of id 74 to 127.0.0.1:1026
    EAP-Message =
Re: Windows XP keeps verifying identity
Ow, I forgot to say that I'm trying to use EAP-TLS...

2006/7/8, Klaas De Craemer [EMAIL PROTECTED] ...
Re: Windows XP keeps verifying identity
Klaas De Craemer [EMAIL PROTECTED] wrote:
> I have been trying to set up an Access Point on a soekris-board for some
> days now, but I keep getting stuck. The certificates are all in place,
> Freeradius starts up nicely, hostapd seems to work... But the trouble
> starts in Windows XP SP2: When I try to associate with the AP, it keeps
> sitting in an Attempting Verification-loop.

You don't have the Microsoft OIDs in the server certificate. See the documentation for details.

Alan DeKok.
Re: Re: Windows XP keeps verifying identity
Do you mean the so-called xpextensions (1.3.6.1.5.5.7.3.2 for the client and .1 for the server)? I have used them to generate the certificates...

> Klaas De Craemer klaasdc at gmail.com wrote:
> > I have been trying to set up an Access Point on a soekris-board for some
> > days now, but I keep getting stuck. The certificates are all in place,
> > Freeradius starts up nicely, hostapd seems to work... But the trouble
> > starts in Windows XP SP2: When I try to associate with the AP, it keeps
> > sitting in an Attempting Verification-loop.
>
> You don't have the Microsoft OIDs in the server certificate. See the
> documentation for details.
>
> Alan DeKok.
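Whether a certificate really carries the extended key usage OIDs named in this thread (1.3.6.1.5.5.7.3.1 for the server, .2 for the client) can be read straight from its DER bytes. This is an added example, not code from the thread or from FreeRADIUS: it walks DER to the extKeyUsage extension and lists the OIDs inside. The sample bytes are a constructed extensions fragment rather than a real certificate, and all function names are hypothetical.

```python
EKU_EXT = "2.5.29.37"                      # id-ce-extKeyUsage
NEEDED = {"server": "1.3.6.1.5.5.7.3.1",   # the ".1" from the thread
          "client": "1.3.6.1.5.5.7.3.2"}

# Constructed sample: [3] { SEQUENCE { Extension { extKeyUsage, OCTET STRING } } }
PREFIX = "a317 3015 3013 0603551d25 040c 300a 06082b060105050703"
SERVER_EXT = bytes.fromhex(PREFIX + "01")  # carries the server OID
CLIENT_ONLY = bytes.fromhex(PREFIX + "02") # carries only the client OID

def tlv(buf, i):
    """(tag, value_start, value_end) of the DER element at offset i."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                           # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, i, i + n

def oid(b):
    """Decode DER OID content bytes to dotted notation."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def eku_oids(der, lo=0, hi=None):
    """Walk DER (a whole certificate also works); EKU OIDs, or None if absent."""
    hi = len(der) if hi is None else hi
    while lo < hi:
        tag, s, e = tlv(der, lo)
        if tag == 0x30 and s < e:
            t, a, b = tlv(der, s)
            if t == 0x06 and oid(der[a:b]) == EKU_EXT:
                t, a, b = tlv(der, b)
                if t == 0x01:              # optional "critical" BOOLEAN
                    t, a, b = tlv(der, b)
                _, k, end = tlv(der, a)    # OCTET STRING wraps SEQUENCE OF OID
                found = []
                while k < end:
                    _, a, k = tlv(der, k)
                    found.append(oid(der[a:k]))
                return found
        if tag & 0x20:                     # constructed element: descend
            r = eku_oids(der, s, e)
            if r is not None:
                return r
        lo = e
    return None

def has_eku(der, role):
    return NEEDED[role] in (eku_oids(der) or [])
```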