Hello,
I am trying to configure a wireless communication network using
authentication with FreeRADIUS.
I have already configured one client, my access point (Cisco Aironet), and
my FreeRADIUS server to use TLS authentication.
I took the EAP/TLS authentication HOW-TO, and I tried to do exactly what
was said inside (with the version of FreeRADIUS referenced there and
the 3 versions of OpenSSL).
But it seems that I made a mistake somewhere; my authentication doesn't work!
I tried to understand, and it seems to be related to SSL. I caught just
a small part of my logs, in order to show you.
If someone could tell me where I made a mistake, it would be great! Thank
you for your help!
-----------------------
...
<<< TLS 1.0 Handshake [length 02af], Certificate
chain-depth=1,
error=0
--> User-Name = ourson
--> BUF-Name = server1
--> subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> issuer =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0,
error=0
--> User-Name = ourson
--> BUF-Name = ourson
--> subject =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=ourson/[EMAIL PROTECTED]
--> issuer =
/C=FR/ST=France/L=Toulouse/O=Enseeiht/OU=CRI/CN=server1/[EMAIL PROTECTED]
--> verify return:1
TLS_accept: SSLv3 read client certificate A
<<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
<<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
<<< TLS 1.0 ChangeCipherSpec [length 0001]
<<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
>>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
>>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [ourson/<no User-Password attribute>] (from client AP1 port 37
cli 000af49c507f)
Sending Access-Challenge of id 118 to 192.168.1.2:1142
EAP-Message =
"\001\254\0005\r\200\000\000\000+\024\003\001\000\001\001\026\003\001\000
\253d\\\300\247n!O\037\304\023\375\241\256$\202\304\257&ZJ\266\211\315\226\243V\221\246\274\345\375"
Message-Authenticator = 0x00000000000000000000000000000000
State =
0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
Finished request 15
Going to the next request
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119,
length=208
User-Name = "ourson"
Cisco-AVPair = "ssid=bebe"
NAS-IP-Address = 192.168.1.2
Called-Station-Id = "00409656deff"
Calling-Station-Id = "000af49c507f"
NAS-Identifier = "AP350-56deff"
NAS-Port = 37
Framed-MTU = 1400
State =
0xac94e782d24993bfbb31ef873c7ce4086b9bd43fca08d61ec7662c58b4c5187074e9db3b
NAS-Port-Type = Wireless-802.11
Service-Type = Login-User
EAP-Message =
"\002\254\000!\r\200\000\000\000\027\025\003\001\000\022\334\207\370Z\010\276<y/\013\246\271\370\242tM]R"
Message-Authenticator = 0x6d785533c66ebb2b4d456cefd2121d94
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
modcall[authorize]: module "chap" returns noop
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "ourson", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched ourson at 157
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
<<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_tls: SSL_read Error
20083:error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access
denied:s3_pkt.c:1037:SSL alert number 49
Error code is ..... 6
SSL Error ..... 6
rlm_eap_tls: BIO_read Error
Error code is ..... 5
Error in SSL ..... 5
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Login OK: [ourson/<no User-Password attribute>] (from client AP1 port 37
cli 000af49c507f)
Delaying request 16 for 1 seconds
Finished request 16
Going to the next request
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 119 to 192.168.1.2:1143
EAP-Message = "\004\254\000\004"
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 114 with timestamp 3fd49b6b
Cleaning up request 12 ID 115 with timestamp 3fd49b6b
Cleaning up request 13 ID 116 with timestamp 3fd49b6b
Cleaning up request 14 ID 117 with timestamp 3fd49b6b
Cleaning up request 15 ID 118 with timestamp 3fd49b6b
Cleaning up request 16 ID 119 with timestamp 3fd49b6b
Nothing to do. Sleeping until we see a request.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
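The debug output above is easier to read once the two RADIUS requests are separated: in request 15 (id 118) the server-side handshake completes and an Access-Challenge goes out; in request 16 (id 119) the server *reads* (`<<<`) a fatal `access_denied` alert, which in TLS 1.0 (RFC 2246) means the sender received a valid certificate but its own access control decided not to proceed, and the request ends in an Access-Reject. The following script is an added example written for this thread, not FreeRADIUS code or anything the poster ran. It groups `radiusd -X` lines by request id, records handshake completion, TLS alerts with their direction, and the `Error code is ..... N` lines, which it assumes carry OpenSSL `SSL_get_error()` values; the sample log is a condensed excerpt of the post, with a constructed `rad_recv` line added for id 118 because the quoted log starts mid-request.

```python
"""Summarise EAP-TLS outcomes per request from FreeRADIUS debug output.

Added example for this thread, not FreeRADIUS code. Assumptions: the line
formats are those of radiusd -X as quoted above, and "Error code is ..... N"
lines carry OpenSSL SSL_get_error() return values.
"""
import re

# OpenSSL SSL_get_error() return values (assumed to be what rlm_eap_tls prints).
SSL_GET_ERROR = {
    0: "SSL_ERROR_NONE",
    1: "SSL_ERROR_SSL",
    2: "SSL_ERROR_WANT_READ",
    3: "SSL_ERROR_WANT_WRITE",
    4: "SSL_ERROR_WANT_X509_LOOKUP",
    5: "SSL_ERROR_SYSCALL",
    6: "SSL_ERROR_ZERO_RETURN",
}

# Constructed sample: condensed from the post; the first rad_recv line for
# id=118 is made up because the quoted log begins in the middle of request 15.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.2:1142, id=118,
rlm_eap: EAP_TYPE - tls
<<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is ..... 2
Sending Access-Challenge of id 118 to 192.168.1.2:1142
rad_recv: Access-Request packet from host 192.168.1.2:1143, id=119,
rlm_eap: EAP_TYPE - tls
<<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_tls: SSL_read Error
Error code is ..... 6
rlm_eap_tls: BIO_read Error
Error code is ..... 5
Sending Access-Reject of id 119 to 192.168.1.2:1143
"""

RE_REQUEST = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
# "<<<" is data the server read from the client, ">>>" data it wrote (see TLS_accept lines).
RE_ALERT = re.compile(r"^(<<<|>>>) TLS [\d.]+ Alert \[length [0-9a-f]+\], (\w+) (\w+)")
RE_DONE = re.compile(r"SSL negotiation finished successfully")
RE_SSLERR = re.compile(r"^Error code is \.+ (\d+)")
RE_REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+) to")


def parse_debug_log(text):
    """Group debug lines by RADIUS request id and record what happened in each."""
    requests = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = RE_REQUEST.match(line)
        if m:
            current = requests.setdefault(int(m.group(2)), {
                "nas": m.group(1), "alerts": [], "ssl_errors": [],
                "handshake_done": False, "reply": None})
            continue
        if current is None:
            continue  # lines before the first rad_recv belong to an unseen request
        m = RE_ALERT.match(line)
        if m:
            direction = "from-client" if m.group(1) == "<<<" else "to-client"
            current["alerts"].append((direction, m.group(2), m.group(3)))
            continue
        if RE_DONE.search(line):
            current["handshake_done"] = True
            continue
        m = RE_SSLERR.match(line)
        if m:
            code = int(m.group(1))
            current["ssl_errors"].append(SSL_GET_ERROR.get(code, "UNKNOWN(%d)" % code))
            continue
        m = RE_REPLY.match(line)
        if m and int(m.group(2)) in requests:
            requests[int(m.group(2))]["reply"] = m.group(1)
    return requests


def diagnose(req):
    """One-line verdict: who ended the TLS session, and how."""
    fatal_from_client = [desc for (direction, level, desc) in req["alerts"]
                         if direction == "from-client" and level == "fatal"]
    if fatal_from_client:
        return ("client sent fatal TLS alert '%s' after the server-side handshake; "
                "the client, not the server, refused to continue" % fatal_from_client[0])
    if req["handshake_done"]:
        return "handshake completed on the server side (SSL_get_error: %s)" % (
            ", ".join(req["ssl_errors"]) or "none")
    return "no handshake completion and no alert seen; inspect earlier fragments"


if __name__ == "__main__":
    for rid, req in sorted(parse_debug_log(SAMPLE_LOG).items()):
        print("id=%d nas=%s reply=%s: %s" % (rid, req["nas"], req["reply"], diagnose(req)))
```

Run against a full `radiusd -X` capture, the summary shows at a glance whether each rejection came from a server-side failure or from the supplicant aborting with an alert, which is the first thing to establish before touching certificates or configuration on either side.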