My configuration:
Server: Debian 3.0, Freeradius-snapshot-20021028, with openssl-snap-20021027, openssl-0.9.6g and openssl-0.9.7beta
Access point: Dlink 900AP+
Client: Windows XP
I have analysed the log and I have found the problem, but I don't know if there is any solution. As you know, the protocol is based on 5 access requests from the client and 5 responses from the server (4 access challenges and finally the accept/reject response).
And I have seen that in my case, when the client has to send its certificate (4th request), it doesn't send it; it starts the protocol again (it sends the first request again). This is repeated all the time until you disconnect it.
Is there any solution? Is it a problem with the version of FreeRadius? Is it an access point problem? (I think so.)
Thank you very much. Regards.
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=14, length=242
User-Name = "cliente2"
NAS-IP-Address = 192.168.0.100
NAS-Port = 0
Called-Station-Id = "00-80-C8-03-48-69"
Calling-Station-Id = "00-02-2D-52-39-85"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\002\000P\r\200\000\000\000F\026\003\001\000A\001\000\000=\003\001?\031qu\305m\332gAT\341W-\241\336\371wq\362\316<O\354=\331\007(\231ia\212\000\000\026\000\004\000\005\000\n\000\t\000d\000b\000\003\000\006\000\023\000\022\000c\001"
State = 0xbcf6597eb4aee054aa8f6d169498fe9c137e193fcf3d7a2648173d7ed7aeaac6fedbddf6
Message-Authenticator = 0xc0b83ef748455b3243d4350fca4cd1d7
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "cliente2", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched cliente2 at 100
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
undefined: before/accept initialization
TLS_accept: before/accept initialization
<<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
TLS 1.0 Handshake [length 054c], Certificate
TLS_accept: SSLv3 write certificate A
TLS 1.0 Handshake [length 0069], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 14 to 192.168.0.100:1213
EAP-Message =
"\001\003\004\n\r\300\000\000\006\016\026\003\001\000J\002\000\000F\003\001?\031~\023\246\225\025[Od\315aU\250r\325\262\334\356\\u\031\321\036mA7\233;\277\326\340
\244E\2009[!#a\212E{e\033Y\376\315\312\250\023\034\365\202.\216#\004\227\006\262\000j\364\000\004\000\026\003\001\005L\013\000\005H\000\005E\000\002e0\202\002a0\202\001\312\240\003\002\001\002\002\001\0010\r\006\t*\206H\206\367\r\001\001\004\005\0000W1\0130\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0350\033\006\003U"
EAP-Message =
"906Z0}1\0130\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0210\017\006\003U\004\007\023\010Legazpia1\0350\033\006\003U\004\n\023\024Bellota
Herramientas1\0240\022\006\003U\004\013\023\013Informatica1\0210\017\006\003U\004\003\023\010servidor0\201\2370\r\006\t*\206H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\273]j\241\272aS\215vX:#\3377R\243\024\341\240T\022\326\021\210\014\256\210!Q\251G\217g\355\260X\313
Z\013\323\366\353\357\2429?`\nsf'Z\250\201\236"
EAP-Message = "\003\025
<Fmn\277\357\336x9\024\362\240\345\213\255A\257\237\226\320\355|n,+\364\231S\342s2\355\002\003\001\000\001\243\0270\0250\023\006\003U\035%\004\0140\n\006\010+\006\001\005\005\007\003\0010\r\006\t*\206H\206\367\r\001\001\004\005\000\003\201\201\000%>\366\367T\232\205\353W&\251\020\355i\022\276\206b\202\353\346\275+'mzk\304\341\227\270\030\256\ts\255Be\037\266\313,\355\252\251\n\341O{\243\330da\347\300\206\311\366,i\026,\271\260s\345\366
lW\330)\210f\035\223\257W0\2179\324,\033\337\223n\261\007\206"
EAP-Message =
"\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0350\033\006\003U\004\n\023\024Bellota
Herramientas1\0240\022\006\003U\004\013\023\013Informatica0\036\027\r030719152353Z\027\r030818152353Z0W1\0130\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0350\033\006\003U\004\n\023\024Bellota
Herramientas1\0240\022\006\003U\004\013\023\013Informatica0\201\2370\r\006\t*\206H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\312\354x2\362T\370\366"
EAP-Message =
"\311\272[B\240\237\312\001z([EMAIL PROTECTED]"
Message-Authenticator = 0x00000000000000000000000000000000
State =
0xcd1298363a82ddd6319038bb4105d280137e193fe8aa405fca217e0102b1a0ef7570ac82
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=15,
length=168
User-Name = "cliente2"
NAS-IP-Address = 192.168.0.100
NAS-Port = 0
Called-Station-Id = "00-80-C8-03-48-69"
Calling-Station-Id = "00-02-2D-52-39-85"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\003\000\006\r"
State =
0xcd1298363a82ddd6319038bb4105d280137e193fe8aa405fca217e0102b1a0ef7570ac82
Message-Authenticator = 0x20b6c8e303a33b2ab86d566e71511b91
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "cliente2", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched cliente2 at 100
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 15 to 192.168.0.100:1213
EAP-Message =
"\001\004\002\030\r\200\000\000\006\016\251\277\375\213y\235A\340o\273T\277\021\252\203\366\007\322\365\024\010b\301m\004\025\224\336>\262\367\335\026\275\226*\002z\244u\317\346\231\346\305\310\023Q]\343s\212\213c\021\303sr\254\365E\356\3714\326h\354\225\263\304\243/\346\326\231Kn\013\322\024\267\007\002\003\001\000\001\243\201\2610\201\2560\035\006\003U\035\016\004\026\004\024\036\325\220\302\225US\002^\253\026\255\036\231\361'\357r\317\2460\006\003U\035#\004x0v\200\024\036\325\220\302\225US\002^\253\026"
EAP-Message =
"nformatica\202\001\0000\014\006\003U\035\023\004\0050\003\001\001\3770\r\006\t*\206H\206\367\r\001\001\004\005\000\003\201\201\000r\266B\336\370a\315e\204\267\321Zz\032\340\325\006E:\262p#O|\230\347-\013\253D\357\201A`5\253\357P\231\276\3526\317\32553\376\300\342E\365\375D\3073\337
\302\332G\372\2358 VB\246\314\tY\200qD\032\362[\334nw\266\242:\036\2728\234j\334a{g-m\336q!\376\343j\256\001\320]\300JU4}\234\331\377\340\010J\311\321\033\343A\264\316\373\3015\001:f\354\026\003\001\000i\r\000\000a\003\001\002\005"
EAP-Message = "ientas1\0240\022\006\003U\004\013\023\013Informatica\016\000\000"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x516b751715ee9daf694e364d449d56a3137e193f679e56ca9ec4ea2eae46751d9f331716
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 13 with timestamp 3f197e13
Cleaning up request 1 ID 14 with timestamp 3f197e13
Cleaning up request 2 ID 15 with timestamp 3f197e13
Nothing to do. Sleeping until we see a request.
/* Here it starts again ??? */
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=16, length=137
User-Name = "cliente2"
NAS-IP-Address = 192.168.0.100
NAS-Port = 0
Called-Station-Id = "00-80-C8-03-48-69"
Calling-Station-Id = "00-02-2D-52-39-85"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\005\000\r\001cliente2"
Message-Authenticator = 0x37bd92db86b6ca0f5a1a618ca017f739
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "cliente2", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched cliente2 at 100
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type tls
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 16 to 192.168.0.100:1213
EAP-Message = "\001\006\000\006\r "
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x66a0c7ff28036bd47733360059812050327e193f1419b99e8bad5aa83200bf6788542144
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=17, length=242
User-Name = "cliente2"
NAS-IP-Address = 192.168.0.100
NAS-Port = 0
Called-Station-Id = "00-80-C8-03-48-69"
Calling-Station-Id = "00-02-2D-52-39-85"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\006\000P\r\200\000\000\000F\026\003\001\000A\001\000\000=\003\001?\031q\224\347\364\350im\347\002\026>\301\266l\251\222B;\000`\267\3455\325r\205A\005Z\031\000\000\026\000\004\000\005\000\n\000\t\000d\000b\000\003\000\006\000\023\000\022\000c\001"
State = 0x66a0c7ff28036bd47733360059812050327e193f1419b99e8bad5aa83200bf6788542144
Message-Authenticator = 0x2b6bcdb50b1a97915670d1e983a88054
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "cliente2", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched cliente2 at 100
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Length Included
undefined: before/accept initialization
TLS_accept: before/accept initialization
<<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
TLS 1.0 Handshake [length 054c], Certificate
TLS_accept: SSLv3 write certificate A
TLS 1.0 Handshake [length 0069], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2 /********** this error appears with the CISCO AP,
but in the end it authenticates fine ??? ****************/
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 17 to 192.168.0.100:1213
EAP-Message =
"\001\007\004\n\r\300\000\000\006\016\026\003\001\000J\002\000\000F\003\001?\031~2\005J\365\350\246\347\257N\006`a\000\250S\223"\321!\212%\225\306\211\376\227\331\023K
Js\317A\377\214"\252\264\010\323-8_S\204\375\035T\275\023\317\213T\201\311\026\230\245P'\303\000\004\000\026\003\001\005L\013\000\005H\000\005E\000\002e0\202\002a0\202\001\312\240\003\002\001\002\002\001\0010\r\006\t*\206H\206\367\r\001\001\004\005\0000W1\0130\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0350\033\006"
EAP-Message =
"906Z0}1\0130\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0210\017\006\003U\004\007\023\010Legazpia1\0350\033\006\003U\004\n\023\024Bellota
Herramientas1\0240\022\006\003U\004\013\023\013Informatica1\0210\017\006\003U\004\003\023\010servidor0\201\2370\r\006\t*\206H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\273]j\241\272aS\215vX:#\3377R\243\024\341\240T\022\326\021\210\014\256\210!Q\251G\217g\355\260X\313
Z\013\323\366\353\357\2429?`\nsf'Z\250\201\236"
EAP-Message = "\003\025
<Fmn\277\357\336x9\024\362\240\345\213\255A\257\237\226\320\355|n,+\364\231S\342s2\355\002\003\001\000\001\243\0270\0250\023\006\003U\035%\004\0140\n\006\010+\006\001\005\005\007\003\0010\r\006\t*\206H\206\367\r\001\001\004\005\000\003\201\201\000%>\366\367T\232\205\353W&\251\020\355i\022\276\206b\202\353\346\275+'mzk\304\341\227\270\030\256\ts\255Be\037\266\313,\355\252\251\n\341O{\243\330da\347\300\206\311\366,i\026,\271\260s\345\366
lW\330)\210f\035\223\257W0\2179\324,\033\337\223n\261\007\206"
EAP-Message =
"\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0350\033\006\003U\004\n\023\024Bellota
Herramientas1\0240\022\006\003U\004\013\023\013Informatica0\036\027\r030719152353Z\027\r030818152353Z0W1\0130\t\006\003U\004\006\023\002ES1\0230\021\006\003U\004\010\023\nPais
Vasco1\0350\033\006\003U\004\n\023\024Bellota
Herramientas1\0240\022\006\003U\004\013\023\013Informatica0\201\2370\r\006\t*\206H\206\367\r\001\001\001\005\000\003\201\215\0000\201\211\002\201\201\000\312\354x2\362T\370\366"
EAP-Message =
"\311\272[B\240\237\312\001z([EMAIL PROTECTED]"
Message-Authenticator = 0x00000000000000000000000000000000
State =
0x64ad7fa9450cce25c1ea48402eeb162d327e193f32aad7425c58b95a2757820add53f8c5
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=18,
length=168
User-Name = "cliente2"
NAS-IP-Address = 192.168.0.100
NAS-Port = 0
Called-Station-Id = "00-80-C8-03-48-69"
Calling-Station-Id = "00-02-2D-52-39-85"
NAS-Identifier = "DWL-900AP+"
Framed-MTU = 1380
NAS-Port-Type = Wireless-802.11
EAP-Message = "\002\007\000\006\r"
State =
0x64ad7fa9450cce25c1ea48402eeb162d327e193f32aad7425c58b95a2757820add53f8c5
Message-Authenticator = 0x3e3208e020079879789d1e5f677772f8
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "cliente2", looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module "suffix" returns noop
users: Matched cliente2 at 100
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 18 to 192.168.0.100:1213
EAP-Message =
"\001\010\002\030\r\200\000\000\006\016\251\277\375\213y\235A\340o\273T\277\021\252\203\366\007\322\365\024\010b\301m\004\025\224\336>\262\367\335\026\275\226*\002z\244u\317\346\231\346\305\310\023Q]\343s\212\213c\021\303sr\254\365E\356\3714\326h\354\225\263\304\243/\346\326\231Kn\013\322\024\267\007\002\003\001\000\001\243\201\2610\201\2560\035\006\003U\035\016\004\026\004\024\036\325\220\302\225US\002^\253\026\255\036\231\361'\357r\317\2460\006\003U\035#\004x0v\200\024\036\325\220\302\225US\002^\253\026"
EAP-Message =
"nformatica\202\001\0000\014\006\003U\035\023\004\0050\003\001\001\3770\r\006\t*\206H\206\367\r\001\001\004\005\000\003\201\201\000r\266B\336\370a\315e\204\267\321Zz\032\340\325\006E:\262p#O|\230\347-\013\253D\357\201A`5\253\357P\231\276\3526\317\32553\376\300\342E\365\375D\3073\337
\302\332G\372\2358 VB\246\314\tY\200qD\032\362[\334nw\266\242:\036\2728\234j\334a{g-m\336q!\376\343j\256\001\320]\300JU4}\234\331\377\340\010J\311\321\033\343A\264\316\373\3015\001:f\354\026\003\001\000i\r\000\000a\003\001\002\005"
EAP-Message = "ientas1\0240\022\006\003U\004\013\023\013Informatica\016\000\000"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x273dd9a387fd8b5dd70d5fc48aad866a327e193f88d653c128cf5653e2340c07bd6a3974
Finished request 5
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 16 with timestamp 3f197e32
Cleaning up request 4 ID 17 with timestamp 3f197e32
Cleaning up request 5 ID 18 with timestamp 3f197e32
Nothing to do. Sleeping until we see a request.
MASTER: exit on signal (2)
Exiting...
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
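As an added worked example (not code from the post above, and not FreeRADIUS code), the following Python script decodes the printed EAP-Message strings from radiusd -X output back into bytes, labels each RADIUS packet with its EAP-TLS step (Identity, TLS Start, server fragment, ACK, client fragment) and reports the point where a fresh EAP-Response/Identity arrives in the slot where the client's Certificate flight was due. The log snippet embedded in it is constructed in the layout of the posted log: the Identity, Start and ACK messages copy the post's bytes, while the TLS fragments are shortened stand-ins with consistent length and flag bytes. Two assumptions are marked in the code: that radiusd's printed form drops a trailing zero byte (the ACKs in the post have no flags byte), and that a literal newline inside a quoted value is mail wrapping.

```python
# Added example (not from the post or FreeRADIUS): decode the EAP-Message strings
# printed by radiusd -X and walk the EAP-TLS exchange to find where it restarts.
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_IDENTITY, TYPE_TLS = 1, 13            # EAP type numbers (RFC 3748, RFC 2716)
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # EAP-TLS flags: Length included, More, Start
_ESCAPE = re.compile(r'\\([0-7]{3}|[nrt\\"])')
_NAMED = {"n": 10, "r": 13, "t": 9, "\\": 92, '"': 34}

def unescape(printed: str) -> bytes:
    """Undo radiusd's printable form: octal escapes plus C escapes for NL, CR, tab, backslash, quote."""
    out, pos = bytearray(), 0
    for m in _ESCAPE.finditer(printed):
        out += printed[pos:m.start()].encode("latin-1")
        esc = m.group(1)
        out.append(_NAMED[esc] if esc in _NAMED else int(esc, 8))
        pos = m.end()
    return bytes(out + printed[pos:].encode("latin-1"))

def parse_eap(pkt: bytes) -> dict:
    """EAP header and type; for EAP-TLS also flags, optional total TLS length and TLS data."""
    info = {"code": EAP_CODES.get(pkt[0], pkt[0]), "id": pkt[1], "length": int.from_bytes(pkt[2:4], "big")}
    if pkt[0] in (1, 2) and len(pkt) > 4:
        info["type"] = pkt[4]
        if pkt[4] == TYPE_IDENTITY:
            info["identity"] = pkt[5:].decode("latin-1")
        elif pkt[4] == TYPE_TLS:
            # Assumption: a trailing zero byte is not printed, so a missing flags byte is 0.
            flags, data = (pkt[5] if len(pkt) > 5 else 0), pkt[6:]
            if flags & FLAG_L:
                info["tls_total"], data = int.from_bytes(data[:4], "big"), data[4:]
            info["flags"], info["tls_data"] = flags, data
    return info

def step(msg: dict) -> str:
    """Name the EAP-TLS step a parsed packet represents (RFC 2716 message flow)."""
    if msg.get("type") == TYPE_IDENTITY:
        return "Identity"
    if msg["code"] in ("Success", "Failure"):
        return msg["code"]
    if msg.get("type") != TYPE_TLS:
        return "other"
    flags, data = msg["flags"], msg["tls_data"]
    if msg["code"] == "Request":
        if flags & FLAG_S and not data:
            return "TLS Start"
        return "server fragment (more)" if flags & FLAG_M else "server fragment (last)"
    return "ACK" if not data and not flags & (FLAG_L | FLAG_M) else "client fragment"

# Legal next steps.  After the server's last fragment (ServerHello ... ServerHelloDone) the
# client owes its Certificate flight; only after the server's Finished is a bare ACK due.
EXPECT_AFTER = {
    "Identity": {"TLS Start"}, "TLS Start": {"client fragment"},
    "server fragment (more)": {"ACK"}, "server fragment (last)": {"client fragment", "ACK"},
    "client fragment": {"server fragment (more)", "server fragment (last)", "Success", "Failure"},
    "ACK": {"server fragment (more)", "server fragment (last)", "Success", "Failure"},
}
_PACKET = re.compile(r'(rad_recv: Access-Request|Sending Access-\w+)(.*?)(?=rad_recv: |Sending Access-|\Z)', re.S)
_ATTR = re.compile(r'EAP-Message\s*=\s*"((?:[^"\\]|\\.)*)"', re.S)

def extract_messages(log_text: str):
    """(direction, EAP packet bytes) per RADIUS packet; several EAP-Message attributes in one
    packet are pieces of one EAP packet.  Assumption: a newline inside the quotes is mail wrapping."""
    packets = []
    for m in _PACKET.finditer(log_text):
        direction = "client" if m.group(1).startswith("rad_recv") else "server"
        pieces = [re.sub(r"\s*\n\s*", " ", p) for p in _ATTR.findall(m.group(2))]
        if pieces:
            packets.append((direction, unescape("".join(pieces))))
    return packets

def find_anomalies(packets):
    """Report every packet that is not a legal next step; a Response/Identity arriving
    where the client's Certificate was due is the restart the posted log shows."""
    findings, expect = [], {"Identity"}
    for n, (direction, raw) in enumerate(packets):
        msg = parse_eap(raw)
        got = step(msg)
        if got not in expect:
            kind = "restart" if got == "Identity" else "unexpected"
            findings.append((n, msg["id"], f"{kind}: {direction} sent {got}, expected {sorted(expect)}"))
        expect = EXPECT_AFTER.get(got, {"Identity"})
    return findings

# Constructed sample in the layout of the posted log: Identity, Start and ACK copy the
# post's bytes; the TLS fragments are shortened stand-ins with consistent length/flag bytes.
SAMPLE_LOG = r'''
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=16
EAP-Message = "\002\005\000\r\001cliente2"
Sending Access-Challenge of id 16 to 192.168.0.100:1213
EAP-Message = "\001\006\000\006\r "
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=17
EAP-Message = "\002\006\000\024\r\200\000\000\000\n\026\003\001\000\005\001\000\000\001\000"
Sending Access-Challenge of id 17 to 192.168.0.100:1213
EAP-Message = "\001\007\000\024\r\300\000\000\000\020\026\003\001\000\013\002\000\000\007\003"
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=18
EAP-Message = "\002\007\000\006\r"
Sending Access-Challenge of id 18 to 192.168.0.100:1213
EAP-Message = "\001\010\000\020\r\200\000\000\000\020\001\000\000\000\000\000"
rad_recv: Access-Request packet from host 192.168.0.100:1213, id=19
EAP-Message = "\002\t\000\r\001cliente2"
'''

if __name__ == "__main__":
    for n, (who, raw) in enumerate(extract_messages(SAMPLE_LOG)):
        print(n, who, step(parse_eap(raw)))
    print(find_anomalies(extract_messages(SAMPLE_LOG)))
```

To run it on a real capture, pass the text of a radiusd -X session to extract_messages(); each finding carries the packet index and the EAP identifier of the offending packet. Applied to the post's own header bytes, `\001\003\004\n\r\300\000\000\006\016` decodes to EAP-Request id 3, length 1034, flags L|M, with a total TLS length of 1550 bytes, which is why the server's ServerHello/Certificate/CertificateRequest flight takes two fragments and why the client's next message, Response/Identity id 5, is a restart rather than the expected Certificate.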
