Hi all,

I am new to the list and to radius. I am using:
-Laptop1: AP/hostap with 802.1x and free-radius snapshot-20021028(Ver.0.8
pre). OpenSSL ver-0.9.7-beta3, ver-0.9.6g, SNAP-20021027.
I followed the tutorial from impossiblereflex.com.
Using WPA, EAP-TLS.
-Desktop: Windows XP.

I get the error: unable to get local issuer certificate.

Attached to this email is the full radius log by running: radius -X -A

Thank you all for your help,
Andrea

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: bind_address = 127.0.0.1 IP address [127.0.0.1]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: servers_per_realm = 15
 security: max_attributes = 200
 security: reject_delay = 1
 main: debug_level = 0
read_config_files:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/radius_server.pem"
 tls: certificate_file = "/etc/1x/radius_server.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "root45"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
rlm_eap_tls: conf N ctx stored 
rlm_eap: Loaded and initialized the type tls
Module: Instantiated eap (eap) 
Module: Loaded preprocess 
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess) 
Module: Loaded realm 
 realm: format = "suffix"
 realm: delimiter = "@"
Module: Instantiated realm (suffix) 
Module: Loaded files 
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files) 
Module: Loaded detail 
 detail: detailfile = 
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail) 
Module: Loaded radutmp 
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp) 
Listening on IP address 127.0.0.1, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=6, length=152
        User-Name = "Andrea2"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "00-06-25-18-E2-35:test"
        Calling-Station-Id = "00-05-5D-96-47-0B"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = "\002\000\000\014\001Andrea2"
        Message-Authenticator = 0xac4f3a27dcc688a9feb4831acd1f3600
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Andrea2", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
    users: Matched Andrea2 at 224
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: processing type tls
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 6 to 127.0.0.1:32770
        EAP-Message = "\001\001\000\006\r "
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0x16cc302295abb74307bec334dc72339023cfaa40ff0e98074ff1c43a5b68cdb12aadbb88
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=7, length=258
        User-Name = "Andrea2"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "00-06-25-18-E2-35:test"
        Calling-Station-Id = "00-05-5D-96-47-0B"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = "[EMAIL 
PROTECTED]>\323\3047\201\255\344IB\275\347\270\000\000\026\000\004\000\005\000\n\000\t\000d\000b\000\003\000\006\000\023\000\022\000c\001"
        State = 
0x16cc302295abb74307bec334dc72339023cfaa40ff0e98074ff1c43a5b68cdb12aadbb88
        Message-Authenticator = 0x8e36541604cc97e37366e593fb10fa19
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Andrea2", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
    users: Matched Andrea2 at 224
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls:  Length Included
undefined: before/accept initialization 
TLS_accept: before/accept initialization 
<<< TLS 1.0 Handshake [length 0041], ClientHello

TLS_accept: SSLv3 read client hello A 
>>> TLS 1.0 Handshake [length 004a], ServerHello

TLS_accept: SSLv3 write server hello A 
>>> TLS 1.0 Handshake [length 0687], Certificate

TLS_accept: SSLv3 write certificate A 
>>> TLS 1.0 Handshake [length 00b4], CertificateRequest

TLS_accept: SSLv3 write certificate request A 
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 
rlm_eap_tls: SSL_read Error
 Error code is ..... 2 
 SSL Error ..... 2 
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 7 to 127.0.0.1:32770
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0x5899c165eb62c3c8a557a6b670654eb223cfaa401338446cab9e2a0acb507be23e6c3c00
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=8, length=184
        User-Name = "Andrea2"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "00-06-25-18-E2-35:test"
        Calling-Station-Id = "00-05-5D-96-47-0B"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = "\002\002\000\006\r"
        State = 
0x5899c165eb62c3c8a557a6b670654eb223cfaa401338446cab9e2a0acb507be23e6c3c00
        Message-Authenticator = 0x8d5638deb020371530519003ad77c070
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Andrea2", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
    users: Matched Andrea2 at 224
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Received EAP-TLS ACK message
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 8 to 127.0.0.1:32770
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0x63cf7a8712ea93671dee49f2dd14831723cfaa40bac4ad45696fe034b6f5dbfa991f0242
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32770, id=9, length=1240
        User-Name = "Andrea2"
        NAS-IP-Address = 127.0.0.1
        NAS-Port = 1
        Called-Station-Id = "00-06-25-18-E2-35:test"
        Calling-Station-Id = "00-05-5D-96-47-0B"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        State = 
0x63cf7a8712ea93671dee49f2dd14831723cfaa40bac4ad45696fe034b6f5dbfa991f0242
        Message-Authenticator = 0x101d3281e0ec83516ab0c39e21033af8
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "Andrea2", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched DEFAULT at 152
    users: Matched Andrea2 at 224
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: Multiple EAP_Message attributes found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls:  Length Included
<<< TLS 1.0 Handshake [length 02d8], Certificate

--> verify error:num=20:unable to get local issuer certificate 
chain-depth=0, 
error=20
--> User-Name = Andrea2
--> BUF-Name = Andrea2
--> subject = /C=US/ST=New York/L=New York/O=Columbia 
University/OU=IRT/CN=Andrea2/[EMAIL PROTECTED]
--> issuer  = /C=US/ST=New York/L=New York/O=Columbia University/OU=IRT/CN=Computer 
Science/[EMAIL PROTECTED]
--> verify return:0
>>> TLS 1.0 Alert [length 0002], fatal unknown_ca

TLS Alert write:fatal:unknown CA 
TLS_accept:error in SSLv3 read client certificate B 
rlm_eap_tls: SSL_read Error
 Error code is ..... 5 
 Error in SSL ..... 5 
  modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
Sending Access-Challenge of id 9 to 127.0.0.1:32770
        EAP-Message = "\001\004\000\021\r\200\000\000\000\007\025\003\001\000\002\0020"
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 
0xe07bfb930c6cd1a0a6935b2536d378f324cfaa40dfbc580d64179fe7273c0c15528faa72
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 6 with timestamp 40aacf23
Cleaning up request 1 ID 7 with timestamp 40aacf23
Cleaning up request 2 ID 8 with timestamp 40aacf23
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 9 with timestamp 40aacf24
Nothing to do.  Sleeping until we see a request.
MASTER: exit on signal (2)
Exiting...
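
An added example, not part of the original post and not FreeRADIUS code: a Python triage of the `--> verify error` block that rlm_eap_tls prints, pulling out the error number, chain depth and issuer DN next to the configured CA_file. The sample log, its names and its path are constructed, and the hint texts are paraphrases of the OpenSSL X509_V_ERR meanings.

```python
import re

# OpenSSL verify error numbers (X509_V_ERR_*) with a paraphrased meaning.
VERIFY_HINTS = {
    18: "self-signed leaf certificate that is not in the trust store",
    19: "chain ends in a self-signed root that is not in the trust store",
    20: "issuer of the certificate at this depth is not in the trust store",
}

# Constructed sample shaped like rlm_eap_tls debug output; the issuer DN is
# wrapped onto a second line the way a mail client would wrap it.
SAMPLE_LOG = """\
 tls: CA_file = "/etc/example/root.pem"
<<< TLS 1.0 Handshake [length 02d8], Certificate
--> verify error:num=20:unable to get local issuer certificate
chain-depth=0,
error=20
--> User-Name = client1
--> subject = /C=US/O=Example Org/CN=client1
--> issuer  = /C=US/O=Example Org/CN=Example
 Issuing CA
--> verify return:0
"""

CONF = re.compile(r'^\s*tls: (CA_file|CA_path) = "(.*)"$')
ERROR = re.compile(r"^--> verify error:num=(\d+):(.*)$")
DEPTH = re.compile(r"^chain-depth=(\d+)")
FIELD = re.compile(r"^--> (subject|issuer)\s*= (.*)$")

def triage(log_text):
    """Return one finding per failed certificate verification in the log."""
    trust, findings, cur, last = {}, [], None, None
    for line in (raw.rstrip() for raw in log_text.splitlines()):
        if m := CONF.match(line):
            trust[m.group(1)] = m.group(2)          # configured trust store
        elif m := ERROR.match(line):
            cur, last = {"num": int(m.group(1)), "reason": m.group(2)}, None
        elif cur is None:
            continue                                 # outside a verify block
        elif m := DEPTH.match(line):
            cur["depth"] = int(m.group(1))           # 0 = the client's own cert
        elif m := FIELD.match(line):
            last = m.group(1)
            cur[last] = m.group(2).rstrip()
        elif line.startswith("--> verify return:"):
            cur["trust"] = dict(trust)
            cur["hint"] = VERIFY_HINTS.get(cur["num"], "unmapped error number")
            findings.append(cur)
            cur = last = None
        elif line.startswith(("-->", "error=")):
            last = None                              # some other field
        elif last and line.strip():
            cur[last] += " " + line.strip()          # rejoin a wrapped DN
    return findings
```

For error 20 at depth 0, compare the reported issuer with the output of `openssl x509 -noout -subject -in <CA_file>`, then confirm with `openssl verify -CAfile <CA_file> <client-cert.pem>` (both file names are placeholders).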
