RFC2865: (http://www.ietf.org/rfc/rfc2865.txt?number=2865)
5.24. State
Description
This Attribute is available to be sent by the server to the client
in an Access-Challenge and MUST be sent unmodified from the client
to the server in the new Access-Request reply to that challenge,
if any.so, update your firmware or insult the manufacturer?
ciao artur
Klemens Jaeger wrote:
Hi everybody!
I've configured freeradius 0.8.1 on suse 8.1 with openssl 0.9.7a to use EAP/TLS as the authentication mode. when i want to connect from winxp the following error appears in debug mode:
rlm_eap: State verification failed
the reason is that the client doesn't respond with the same challenge-string (it is much longer than the challenge string sent from the radius server)
has somebody an idea why the client sends this challenge string and how this can be solved?
thanks in advance kle
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius/etc/raddb/proxy.conf
Config: including file: /usr/local/radius/etc/raddb/clients.conf
Config: including file: /usr/local/radius/etc/raddb/snmp.conf
Config: including file: /usr/local/radius/etc/raddb/sql.conf
main: prefix = "/usr/local/radius"
main: localstatedir = "/usr/local/radius/var"
main: logdir = "/usr/local/radius/var/log/radius"
main: libdir = "/usr/local/radius/lib"
main: radacctdir = "/usr/local/radius/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/serverKey.pem"
tls: certificate_file = "/etc/1x/serverCert.pem"
tls: CA_file = "/etc/1x/caCert.pem"
tls: private_key_password = "Wo43m7kq"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
rlm_eap_tls: conf N ctx stored
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius/etc/raddb/users"
files: acctusersfile = "/usr/local/radius/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port-Id"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/radius/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.20:1025, id=0, length=124
User-Name = "klemens"
NAS-IP-Address = 192.168.0.20
Called-Station-Id = "00a0f850c00d"
Calling-Station-Id = "00a0f8443370"
NAS-Identifier = "Symbol_AP"
NAS-Port = 29
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\001\000\014\001klemens"
Message-Authenticator = 0x1e4391896f8a97adc2a39593b6b523c5
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "klemens", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched klemens at 97
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type tls
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 0 to 192.168.0.20:1025
EAP-Message = "\001\002\000\006\r "
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa8a1d4c00b4e36a5a7194f159b3e7f9c7775683e7a2bf3778439caf1a57325acb5d45cf1
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.20:1026, id=1, length=375
User-Name = "klemens"
NAS-IP-Address = 192.168.0.20
Called-Station-Id = "00a0f850c00d"
Calling-Station-Id = "00a0f8443370"
NAS-Identifier = "Symbol_AP"
NAS-Port = 29
Framed-MTU = 1300
State = 0xa8a1d4c00b4e36a5a7194f159b3e7f9c7775683e7a2bf3778439caf1a57325acb5005cf100000002000000010000000100000001000000000000000000000000000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007000000000000000000000000000000000000000000000000000000000000000000
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000P\r\200\000\000\000F\026\003\001\000A\001\000\000=\003\001>hZ^\351\241\222w\200=^\036a\330\020y\376\230"\006}\356\350e\223B\002\253\013|\263?\000\000\026\000\004\000\005\000\n\000\t\000d\000b\000\003\000\006\000\023\000\022\000c\001"
Message-Authenticator = 0x2abdf3748092867c8b1b697d80ffe14d modcall: entering group authorize modcall[authorize]: module "preprocess" returns ok modcall[authorize]: module "eap" returns updated rlm_realm: No '@' in User-Name = "klemens", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop users: Matched klemens at 97 modcall[authorize]: module "files" returns ok modcall: group authorize returns updated rad_check_password: Found Auth-Type EAP auth: type "EAP" modcall: entering group authenticate rlm_eap: State verification failed. modcall[authenticate]: module "eap" returns invalid modcall: group authenticate returns invalid auth: Failed to validate the user. Delaying request 1 for 1 seconds Finished request 1 Going to the next request
_________________________________________________________________
MSN Messenger GEWINNSPIEL! Gewinn eine Reise zu den MTV Awards 2003 in L.A.! http://messenger.msn.at/promo
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Artur Hecker D�partement Informatique et R�seaux, ENST Paris http://www.infres.enst.fr/~hecker
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
