The first steps of authentication seem to be OK until:
rlm_eap_tls: Received EAP-TLS ACK message
eaptls_verify returned 3
eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS

Can anyone help me? Is there a problem with my AP (Cisco 1100)?
What does "TLS_accept:error in SSLv3 read client certificate A" mean?

Complete logs:
rad_recv: Access-Request packet from host 10.15.0.3:21645, id=197, length=135
User-Name = "ebel"
Framed-MTU = 1400
Called-Station-Id = "0002.8a5b.38ad"
Calling-Station-Id = "0090.4bb3.5df1"
Message-Authenticator = 0x23f3a024b1f3aff4835a4577aadd1b18
EAP-Message = 0x02320009016562656c
NAS-Port-Type = Wireless-802.11
NAS-Port = 260
State = 0x6fe8d40e73b12fff434b5cc04b60c7df
Service-Type = Framed-User
NAS-IP-Address = 10.15.0.3
modcall: entering group authorize for request 196
modcall[authorize]: module "preprocess" returns ok for request 196
radius_xlat: '/usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217
modcall[authorize]: module "auth_log" returns ok for request 196
modcall[authorize]: module "mschap" returns noop for request 196
rlm_realm: No '@' in User-Name = "ebel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 196
rlm_eap: EAP packet type response id 50 length 9
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 196
users: Matched DEFAULT at 157
users: Matched DEFAULT at 176
modcall[authorize]: module "files" returns ok for request 196
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ebel
radius_xlat: '(uid=ebel)'
radius_xlat: 'ou=people,ou=personnels,dc=utt,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=personnels,dc=utt,dc=fr, with filter (uid=ebel)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ebel authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 196
modcall: group authorize returns updated for request 196
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 196
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 196
modcall: group authenticate returns handled for request 196
Sending Access-Challenge of id 197 to 10.15.0.3:21645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x013300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x64933dc2a41076421f1906ec230e54d6
Finished request 196
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.15.0.3:21645, id=198, length=206
User-Name = "ebel"
Framed-MTU = 1400
Called-Station-Id = "0002.8a5b.38ad"
Calling-Station-Id = "0090.4bb3.5df1"
Message-Authenticator = 0x0b1e24f3897ba1e3a086d1c95114985d
EAP-Message = 0x0233005019800000004616030100410100003d03014032351a2656d14062333ec8f7442bdcf14911cba5ee06ea3e5706783b26b9a400001600040005000a000900640062000300060013001200630100
NAS-Port-Type = Wireless-802.11
NAS-Port = 260
State = 0x64933dc2a41076421f1906ec230e54d6
Service-Type = Framed-User
NAS-IP-Address = 10.15.0.3
modcall: entering group authorize for request 197
modcall[authorize]: module "preprocess" returns ok for request 197
radius_xlat: '/usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217
modcall[authorize]: module "auth_log" returns ok for request 197
modcall[authorize]: module "mschap" returns noop for request 197
rlm_realm: No '@' in User-Name = "ebel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 197
rlm_eap: EAP packet type response id 51 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 197
users: Matched DEFAULT at 157
users: Matched DEFAULT at 176
modcall[authorize]: module "files" returns ok for request 197
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ebel
radius_xlat: '(uid=ebel)'
radius_xlat: 'ou=people,ou=personnels,dc=utt,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=personnels,dc=utt,dc=fr, with filter (uid=ebel)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ebel authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 197
modcall: group authorize returns updated for request 197
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 197
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 05b3], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 197
modcall: group authenticate returns handled for request 197
Sending Access-Challenge of id 198 to 10.15.0.3:21645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x092a864886f70d010901160a637269407574742e4672
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x43cc0d62e592b7cc7268cee597e05634
Finished request 197
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.15.0.3:21645, id=199, length=132
User-Name = "ebel"
Framed-MTU = 1400
Called-Station-Id = "0002.8a5b.38ad"
Calling-Station-Id = "0090.4bb3.5df1"
Message-Authenticator = 0x8489d490fdb3593faff4990de29cd93b
EAP-Message = 0x023400061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 260
State = 0x43cc0d62e592b7cc7268cee597e05634
Service-Type = Framed-User
NAS-IP-Address = 10.15.0.3
modcall: entering group authorize for request 198
modcall[authorize]: module "preprocess" returns ok for request 198
radius_xlat: '/usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217
modcall[authorize]: module "auth_log" returns ok for request 198
modcall[authorize]: module "mschap" returns noop for request 198
rlm_realm: No '@' in User-Name = "ebel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 198
rlm_eap: EAP packet type response id 52 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 198
users: Matched DEFAULT at 157
users: Matched DEFAULT at 176
modcall[authorize]: module "files" returns ok for request 198
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ebel
radius_xlat: '(uid=ebel)'
radius_xlat: 'ou=people,ou=personnels,dc=utt,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=personnels,dc=utt,dc=fr, with filter (uid=ebel)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ebel authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 198
modcall: group authorize returns updated for request 198
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 198
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 198
modcall: group authenticate returns handled for request 198
Sending Access-Challenge of id 199 to 10.15.0.3:21645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0788b765538a7125dcd5da8ad137433532fe8016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x84d29a3d07c7dac6a277f30812bbaaaf
Finished request 198
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.15.0.3:21645, id=200, length=132
User-Name = "ebel"
Framed-MTU = 1400
Called-Station-Id = "0002.8a5b.38ad"
Calling-Station-Id = "0090.4bb3.5df1"
Message-Authenticator = 0x3a0b0f9f900db79244d5763a7729cac5
EAP-Message = 0x023500061900
NAS-Port-Type = Wireless-802.11
NAS-Port = 260
State = 0x84d29a3d07c7dac6a277f30812bbaaaf
Service-Type = Framed-User
NAS-IP-Address = 10.15.0.3
modcall: entering group authorize for request 199
modcall[authorize]: module "preprocess" returns ok for request 199
radius_xlat: '/usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217'
rlm_detail: /usr/local/radius/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/radius/var/log/radius/radacct/10.15.0.3/auth-detail-20040217
modcall[authorize]: module "auth_log" returns ok for request 199
modcall[authorize]: module "mschap" returns noop for request 199
rlm_realm: No '@' in User-Name = "ebel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 199
rlm_eap: EAP packet type response id 53 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 199
users: Matched DEFAULT at 157
users: Matched DEFAULT at 176
modcall[authorize]: module "files" returns ok for request 199
rlm_ldap: - authorize
rlm_ldap: performing user authorization for ebel
radius_xlat: '(uid=ebel)'
radius_xlat: 'ou=people,ou=personnels,dc=utt,dc=fr'
ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,ou=personnels,dc=utt,dc=fr, with filter (uid=ebel)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user ebel authorized to use remote access
ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 199
modcall: group authorize returns updated for request 199
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 199
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
eaptls_verify returned 3
eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 199
modcall: group authenticate returns handled for request 199
Sending Access-Challenge of id 200 to 10.15.0.3:21645
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x013600061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x9e1f0bb1cef10043855c534bf3bfc1be
Finished request 199
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 196 ID 197 with timestamp 4032351d
Cleaning up request 197 ID 198 with timestamp 4032351d
Cleaning up request 198 ID 199 with timestamp 4032351d
Cleaning up request 199 ID 200 with timestamp 4032351d
Nothing to do. Sleeping until we see a request.
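
The EAP-Message attributes in the debug output above can be decoded to follow the PEAP exchange packet by packet. The following is an added example, not part of the original post and not FreeRADIUS code: it parses the EAP header (code, id, length, type) and, for EAP-TLS/PEAP, the flags byte (L = length included, M = more fragments, S = start). The function name and the SAMPLES list are assumptions; the hex values are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 25: "PEAP"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello",
                 11: "Certificate", 14: "ServerHelloDone"}

def decode_eap(hex_value):
    """Decode one complete EAP-Message value as printed in the debug log."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("an EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "complete": length == len(raw)}  # False for a lone RADIUS fragment
    if code not in (1, 2) or len(raw) < 5:
        return out                          # Success/Failure carry no type
    eap_type, body = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = body.decode("utf-8", "replace")
    elif eap_type in (13, 25) and body:
        flags, data = body[0], body[1:]
        out["flags"] = [name for bit, name in
                        ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80 and len(data) >= 4:
            # L flag: a 4-byte total TLS message length precedes the data
            out["tls_message_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        # A response with no flags and no TLS data acknowledges a fragment
        out["ack"] = code == 2 and not data and not out["flags"]
        if len(data) >= 6 and data[0] == 0x16:  # TLS record type: handshake
            out["tls_handshake"] = TLS_HANDSHAKE.get(data[5], data[5])
    return out

# EAP-Message values copied from the log above, in the order they appear
SAMPLES = [
    "0x02320009016562656c",
    "0x013300061920",
    "0x0233005019800000004616030100410100003d03014032351a2656d14062333ec8f7"
    "442bdcf14911cba5ee06ea3e5706783b26b9a400001600040005000a00090064006200"
    "0300060013001200630100",
    "0x023400061900",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_eap(sample))
```

Values that RADIUS has split across several EAP-Message attributes must be concatenated before decoding; a single fragment reports "complete": False.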