Hi,

Try to put the following attribute in clients.conf, in the lines of the NAS:

nastype = other

I had a similar problem, and with that line all goes perfectly (or nearly).
Good luck
Another possibility is to try to authenticate with the same configuration but with another AP, if it's possible.

Regards,
Omar
Sevcik Berndt wrote:
I am trying to authenticate an XP client via an Enterasys RoamaboutR2 access point with freeradius, but the client never gets authenticated. My problem is that I have no idea where I should search for the error. I used the www.impossiblereflex.xom/8021x/eap-tls-HOWTO.htm HOWTO for setup.
Output from freeradius -X -A:

Ready to process requests.
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253, length=116
    Message-Authenticator = 0x78a9e48d042ad1f7109083edf2b3146d
    User-Name = "Sevcik Berndt"
    NAS-IP-Address = 10.0.4.14
    NAS-Port = 2
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "00-01-f4-ec-3d-7c"
    EAP-Message = 0x024400120153657663696b204265726e6474
    Framed-MTU = 1000
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP packet type response id 68 length 18
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched Sevcik Berndt at 216
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled
modcall: group authenticate returns handled
Sending Access-Challenge of id 253 to 10.0.4.14:1205
    EAP-Message = 0x014500060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1c0ccba6d22ad97dab13096d340f0290
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254, length=196
    Message-Authenticator = 0x31199cd93954566ea164f46ce86d6b59
    User-Name = "Sevcik Berndt"
    State = 0x1c0ccba6d22ad97dab13096d340f0290
    NAS-IP-Address = 10.0.4.14
    NAS-Port = 2
    NAS-Port-Type = Wireless-802.11
    Calling-Station-Id = "00-01-f4-ec-3d-7c"
    Framed-MTU = 1000
    EAP-Message = 0x024500500d800000004616030100410100003d03013f3371da3a9bab75032c2c86afd3288de5d42d63265b6afe930d235a87d1df9a00001600040005000a000900640062000300060013001200630100
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
rlm_eap: EAP packet type response id 69 length 80
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "Sevcik Berndt", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched DEFAULT at 152
users: Matched Sevcik Berndt at 216
modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
undefined: before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 063c], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a0], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled
modcall: group authenticate returns handled
Sending Access-Challenge of id 254 to 10.0.4.14:1205
    EAP-Message = 0x22fbb3918de0a0704e252054bcd7291c30e0746857da821c0824e91662e783d3854f384a8a16dbfa5e5b4391e11865491db3b48ace72895234de2f1b5bec0a17f72ae8dc0ea6014ae02df3d6edb7bcef7ee9c1275140d4b6f92de97d7ef47416a0c55975f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181006e96446ff593c6fec170c5aa95d2c2ed8ce02f1cd31b2773f1c2b857fed8b0832aa440901e04bb2cd81676aa51165ac9b3fec3e4037548f534c8764d61f506eae7654c65f50f66746ffa444553c1050839610d878da2a8ac12cb47e1925644f65db017c6205680
    EAP-Message = 0x1bfaa7a27a984f7df5a2f5e19240fdc9c44ad6ac98ca8be46800038730820383308202eca003020102020100300d06092a864886f70d010104050030818e310b3009060355040613024154310f300d060355040813065669656e6e613121301f060355040a131854474d202d20536368756c652064657220546563686e696b31133011060355040b130a49542d53657276696365311830160603550403130f54474d20576972656c657373204341311c301a06092a864886f70d010901160d6974734074676d2e61632e6174301e170d3033303830383039323532305a170d3033303930373039323532305a30818e310b300906035504061302415431
    EAP-Message = 0x0f300d060355040813065669656e6e613121301f0603
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x0560864af2ffaf209e093f6ad07a9f47
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 253 with timestamp 3f3371d4
Cleaning up request 1 ID 254 with timestamp 3f3371d4
Nothing to do. Sleeping until we see a request.
Output from radius.log:

ri Aug 8 10:52:28 2003 : Info: rlm_eap_tls: Length Included
Fri Aug 8 10:52:28 2003 : Error: TLS_accept:error in SSLv3 read client certificate A
Fri Aug 8 10:52:28 2003 : Info: rlm_eap_tls: SSL_read Error
Fri Aug 8 10:52:28 2003 : Error: Error code is ..... 2
Fri Aug 8 10:52:28 2003 : Error: SSL Error ..... 2
Thanks
Berndt
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
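
Added example (not part of the original thread, and not FreeRADIUS code): a Python script for finding where an exchange like the one in the debug output above stops. It assumes `freeradius -X` output with one item per line and reports every Access-Challenge whose State was never echoed by a later Access-Request; the sample is abbreviated from the output quoted above, and the function name is hypothetical.

```python
import re

# Abbreviated from the debug output quoted in the thread: only the lines the
# parser needs (packet headers and State attributes) are kept.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=253, length=116
    User-Name = "Sevcik Berndt"
Sending Access-Challenge of id 253 to 10.0.4.14:1205
    State = 0x1c0ccba6d22ad97dab13096d340f0290
rad_recv: Access-Request packet from host 10.0.4.14:1205, id=254, length=196
    State = 0x1c0ccba6d22ad97dab13096d340f0290
Sending Access-Challenge of id 254 to 10.0.4.14:1205
    State = 0x0560864af2ffaf209e093f6ad07a9f47
Cleaning up request 1 ID 254 with timestamp 3f3371d4
"""

RECV = re.compile(r"rad_recv: Access-Request packet from host (\S+), id=(\d+)")
SENT = re.compile(r"Sending Access-Challenge of id (\d+) to (\S+)")
STATE = re.compile(r"^\s*State = (0x[0-9a-fA-F]+)")


def unanswered_challenges(debug_text):
    """Return [(packet_id, nas, state)] for challenges no later request echoed."""
    pending = {}       # State value -> (packet id, NAS address) of the challenge
    direction = None   # which packet the following attribute lines belong to
    current = None
    for line in debug_text.splitlines():
        if RECV.search(line):
            direction, current = "recv", None
        elif m := SENT.search(line):
            direction, current = "sent", (int(m.group(1)), m.group(2))
        elif m := STATE.match(line):
            if direction == "sent":
                pending[m.group(1)] = current      # server is waiting on this State
            elif direction == "recv":
                pending.pop(m.group(1), None)      # client continued the exchange
    return [(pid, nas, state) for state, (pid, nas) in pending.items()]


if __name__ == "__main__":
    for pid, nas, state in unanswered_challenges(SAMPLE):
        print(f"no reply to Access-Challenge id {pid} sent to {nas} (State {state})")
```

On the sample it reports the challenge with id 254, the one carrying the long EAP-Message fragments, as the last packet in the exchange.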
