I've set up EAP-TLS along with SQL for user/group management. I generated a new set of certificates tonight with all the x509 extensions. The server fires right up, with a possible catch:
When entering the authenticate phase for EAP:
modcall: entering group authenticate for request 67
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
undefined: before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0c4c], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
I don't know if the "error in SSLv3 read client certificate A" is the issue, but I wouldn't be too surprised. It *seems* like the server continues doing its job, though.
--- Walking the entire request list ---
In SSL Accept mode
Cleaning up request 65 ID 148 with timestamp 3fee5c8e
eaptls_process returned 13
Cleaning up request 66 ID 149 with timestamp 3fee5c8e
rlm_eap_peap: EAPTLS_HANDLED
radius_xlat: 'fakeAcctTwo'
+++ snipped SQL logging info +++
rlm_sql (sql): No matching entry in the database for request from user [fakeAcctTwo]
But the user's in the DB:
mysql> SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username = 'fakeAcctTwo' ORDER BY id;
+----+-------------+---------------+----------------+----+
| id | UserName | Attribute | Value | op |
+----+-------------+---------------+----------------+----+
| 6 | fakeAcctTwo | User-Password | anotherBadPass | == |
+----+-------------+---------------+----------------+----+
1 row in set (0.00 sec)
mysql> SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op FROM radgroupcheck,usergroup WHERE usergroup.Username = 'fakeAcctTwo' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id;
+----+-----------+-----------------+-------+----+
| id | GroupName | Attribute | Value | op |
+----+-----------+-----------------+-------+----+
| 5 | paidUsers | Framed-Protocol | ppp | == |
+----+-----------+-----------------+-------+----+
1 row in set (0.00 sec)
mysql> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'fakeAcctTwo' ORDER BY id;
+----+-------------+-------------------+-----------------+----+
| id | UserName | Attribute | Value | op |
+----+-------------+-------------------+-----------------+----+
| 2 | fakeAcctTwo | Framed-IP-Address | 255.255.255.254 | == |
+----+-------------+-------------------+-----------------+----+
1 row in set (0.00 sec)
mysql> SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op FROM radgroupreply,usergroup WHERE usergroup.Username = 'fakeAcctTwo' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id;
+----+-----------+-----------------+-------+------+
| id | GroupName | Attribute | Value | op |
+----+-----------+-----------------+-------+------+
| 36 | paidUsers | Framed-Protocol | PPP | := |
+----+-----------+-----------------+-------+------+
1 row in set (0.00 sec)
So where am I going wrong? I realize I'm repeating elements in radreply and radgroupreply ... but is that the issue?
The SSL handshake seems to be happening, so I don't think that's the issue.
--brian
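As an added illustration (not part of Brian's post and not FreeRADIUS code), the following Python sketch models how rlm_sql evaluates the check items it pulls from radcheck and radgroupcheck. The operator semantics are those documented for FreeRADIUS check items: a row with `==` requires the incoming request to already carry that attribute with that value, while `:=` simply sets a config item. Under that model a `User-Password == ...` row fails the comparison for any EAP request, which never carries User-Password in the outer packet, and the module reports no matching entry even though the row exists. The request contents, the row set and the helper names are constructed for the example.

```python
"""
Toy model of rlm_sql check-item evaluation (constructed example).

Operator semantics modelled, following the FreeRADIUS check-item rules:
  ==  the request MUST already contain the attribute with this value;
      if it does not, the whole row set fails to match
  :=  set the value as a config item; no requirement on the request
  =   set the config item only if one does not exist yet
"""
from dataclasses import dataclass

# Password attributes that should be set with ':=' rather than tested with '=='.
PASSWORD_ATTRS = {"User-Password", "Cleartext-Password", "Crypt-Password"}


@dataclass(frozen=True)
class CheckItem:
    attribute: str
    op: str
    value: str


def evaluate_check_items(request, items):
    """Return (matched, config_items).

    matched is False as soon as one '==' item is not satisfied by the
    request, mirroring the paircompare() step in rlm_sql's authorize
    (hypothetical simplification; real FreeRADIUS has more operators).
    """
    config = {}
    for item in items:
        if item.op == "==":
            if request.get(item.attribute) != item.value:
                return False, {}
        elif item.op == ":=":
            config[item.attribute] = item.value
        elif item.op == "=":
            config.setdefault(item.attribute, item.value)
        else:
            raise ValueError(f"operator {item.op!r} not modelled here")
    return True, config


def lint_check_items(items):
    """Flag password rows that use '==' (a classic radcheck mistake)."""
    return [
        f"{i.attribute} {i.op} <hidden>: password check items should use ':='"
        for i in items
        if i.attribute in PASSWORD_ATTRS and i.op == "=="
    ]


# Constructed requests: an EAP outer request has no User-Password; a PAP one does.
EAP_REQUEST = {"User-Name": "fakeAcctTwo", "EAP-Message": "<constructed>"}
PAP_REQUEST = {"User-Name": "fakeAcctTwo", "User-Password": "anotherBadPass"}

# Constructed radcheck rows: the '==' form versus the ':=' form.
RADCHECK_EQ = [CheckItem("User-Password", "==", "anotherBadPass")]
RADCHECK_SET = [CheckItem("User-Password", ":=", "anotherBadPass")]

# Constructed radgroupcheck row in the '==' form: requires Framed-Protocol in the request.
RADGROUPCHECK_EQ = [CheckItem("Framed-Protocol", "==", "ppp")]


if __name__ == "__main__":
    for label, req in (("EAP", EAP_REQUEST), ("PAP", PAP_REQUEST)):
        for rows_label, rows in (("==", RADCHECK_EQ), (":=", RADCHECK_SET)):
            matched, cfg = evaluate_check_items(req, rows)
            print(f"{label} request, radcheck with {rows_label}: matched={matched} config={cfg}")
    print("group check on EAP request:", evaluate_check_items(EAP_REQUEST, RADGROUPCHECK_EQ))
    print("lint:", lint_check_items(RADCHECK_EQ))
```

The useful check for a stuck SQL lookup is therefore the `op` column of the rows that come back, not just whether the rows exist: with `==` on a password attribute only a cleartext PAP request can ever satisfy the row, and anything EAP-based will be reported as not found.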