What do you mean "explicitly REJECT"? How can I do it? Thanks a lot!

Ciao
Tuan anh

Artur Hecker wrote:

yes, that's normal since the authentication works for ALL validly certified clients.

you have to explicitly REJECT the users NOT in your data base.


ciao artur


NGUYEN Tuan Anh wrote:

Hi, I'm trying to install a system with FreeRADIUS and MySQL and EAP-TLS as the authentication protocol. Everything works, but I have a problem (I think it's a configuration problem): if I have a client with a valid certificate, even though the sql module doesn't recognize the client (the user-name doesn't exist in the check list), the eap module always accepts that client, so the authorize section always returns Access-Accept!! Here's part of the debug:

rad_recv: Access-Request packet from host 134.214.78.43:6001, id=134, length=1256
User-Name = "LEPILLEUR Benjamin"
NAS-IP-Address = 134.214.78.43
Called-Station-Id = "00-08-02-76-8d-32"
Calling-Station-Id = "00-04-23-71-13-4c"
NAS-Identifier = "PTSGSF3"
State = 0xc89112eb62ee9f6f95ca9d43f018c9378ff6b54098811a92e7909de796d82c6ebc2dc2c1
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = <truncated>
EAP-Message = 0x86f70d010101050003818d0030818902818100b951865a184af898f572fe6c23e93fc536026799577ba60d5b81de327bc451a7ff1d6caac19770ff8a02e0f407263edd970ddd4e15249f664c1cbd1283fd24dead1267fb166db68dc2de9f1cf9af8c9c9d10029d73156bec314ca8e24687401757ac92da50e1fc43d042e509a63b528d24e48891251026e21a1a8a6a911be6eb0203010001a381db3081d8301d0603551d0e041604140a3e625d09037edccffca0b769f7036177330814301f0603551d230418301680146b8d4761901ff704c5d8b7dc07051d49447e30e930280603551d1f0421301f301da01ba0198617687474703a2f2f74632d706b
EAP-Message = <truncated>
EAP-Message = <truncated>
EAP-Message = 0x8121e1559fea1e3bffa3f781d173bc9147524762908effca4d1e6cb7d83914030100010116030100202e9086427690428d6a55f8e7e92f92a81884b32d074bb23725aca664aedbde6e

Message-Authenticator = 0xbd5a866d0c2167835c811f8122ff9ada
modcall: entering group authorize for request 3
radius_xlat: 'LEPILLEUR Benjamin'
rlm_sql (sql): sql_set_user escaped user --> 'LEPILLEUR Benjamin'
radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 1
rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 1
modcall[authorize]: module "sql" returns ok for request 3
radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_eap: EAP packet type notification id 5 length 1085
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 3
rlm_eap: EAP packet type notification id 5 length 1085
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
rlm_eap_tls: <<< TLS 1.0 Handshake [length 02f7], Certificate
chain-depth=1,
error=0
--> User-Name = LEPILLEUR Benjamin
--> BUF-Name = IDX-PKI Operational CA
--> subject = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
--> issuer = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
--> verify return:1
chain-depth=0,
error=0
--> User-Name = LEPILLEUR Benjamin
--> BUF-Name = LEPILLEUR Benjamin
--> subject = /C=FR/O=INSA/OU=Telecom - GSF/CN=LEPILLEUR Benjamin
--> issuer = /C=FR/O=TELECOM-LDAP/CN=IDX-PKI Operational CA
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
undefined: SSL negotiation finished successfully
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok for request 3
modcall: group authenticate returns ok for request 3
Sending Access-Challenge of id 134 to 134.214.78.43:6001
EAP-Message = 0x010600350d800000002b1403010001011603010020de594f0d8a3c4e890ebc851dd0606065d93bec85e288446adcfda0cde8b17aa5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3105876e2eed4cedf334d0a27cc1cbc18ff6b54082707c416cc0524e218148dbfa8e1ef9
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 134.214.78.43:6001, id=135, length=169
User-Name = "LEPILLEUR Benjamin"
NAS-IP-Address = 134.214.78.43
Called-Station-Id = "00-08-02-76-8d-32"
Calling-Station-Id = "00-04-23-71-13-4c"
NAS-Identifier = "PTSGSF3"
State = 0x3105876e2eed4cedf334d0a27cc1cbc18ff6b54082707c416cc0524e218148dbfa8e1ef9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020600060d00
Message-Authenticator = 0xc56076023a86e56d0719b0ccf3288505
modcall: entering group authorize for request 4
radius_xlat: 'LEPILLEUR Benjamin'
rlm_sql (sql): sql_set_user escaped user --> 'LEPILLEUR Benjamin'
radius_xlat: 'SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 0
rlm_sql_mysql: query: SELECT id,UserName,Attribute,UserName,op FROM radcheck WHERE Username = 'LEPILLEUR Benjamin' ORDER BY id
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
radius_xlat: ''
radius_xlat: ''
rlm_sql (sql): Released sql socket id: 0
modcall[authorize]: module "sql" returns ok for request 4
radius_xlat: '/usr/local/var/log/radius/radacct//auth-detail-20040527'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct//auth-detail-20040527
modcall[authorize]: module "auth_log" returns ok for request 4
rlm_eap: EAP packet type notification id 6 length 6
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
rlm_eap: EAP packet type notification id 6 length 6
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 4
modcall: group authenticate returns ok for request 4
Sending Access-Accept of id 135 to 134.214.78.43:6001
MS-MPPE-Recv-Key = 0x0b8a9050cf92e7f27bd2b3c2f669d77a3d5aa6f4465d9e2d741eb74a93e921a6
MS-MPPE-Send-Key = 0x8cb2f6e450e16a84826a6ff22769c5fa9c576aae97a52a0f97899bab893ce9a5
EAP-Message = 0x03060004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 131 with timestamp 40b5f68f
Cleaning up request 1 ID 132 with timestamp 40b5f68f
Cleaning up request 2 ID 133 with timestamp 40b5f68f
Cleaning up request 3 ID 134 with timestamp 40b5f68f
Cleaning up request 4 ID 135 with timestamp 40b5f68f
Nothing to do. Sleeping until we see a request.


What is the problem?? Can anybody help me? Thanks
Tuan Anh

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
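The gap the thread describes can be confirmed from the debug output itself: rlm_sql reports the user as "not found in radcheck", yet the request still ends with an Access-Accept because EAP-TLS succeeded for a CA-signed certificate. The following audit script is an added example, not code from the posts or from the FreeRADIUS project. It walks the per-request blocks of radiusd -X output, records which requests rlm_sql reported as unknown and which received an Access-Accept, and lists every accepted user that the database never vouched for. The sample log is constructed from the lines quoted above (abbreviated, with State and Message-Authenticator values dropped) plus one constructed request for a user "alice" that is in the database, to show a clean case.

```python
"""Audit FreeRADIUS debug output for Access-Accepts given to users
that rlm_sql did not find in the radcheck table.

Added example; the log below is constructed from the thread's own lines
and is not real traffic.  Only the message shapes that appear in the
quoted radiusd -X output are parsed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shapes taken from the radiusd -X output quoted in the thread.
RAD_RECV = re.compile(r"^rad_recv: Access-Request packet from host (\S+), id=(\d+)")
USER_NAME = re.compile(r'^\s*User-Name = "(.*)"$')
SQL_NOTFOUND = re.compile(r"^rlm_sql \(\w+\): User (.+) not found in radcheck$")
SENDING = re.compile(r"^Sending (Access-Accept|Access-Reject|Access-Challenge) of id (\d+) to (\S+)")


@dataclass
class Request:
    client: str          # NAS address:port the request came from
    radius_id: str       # RADIUS packet identifier (matches the reply)
    user: str = ""       # outer User-Name, as asserted by the supplicant
    sql_notfound: bool = False
    result: str = ""     # Access-Accept / Access-Reject / Access-Challenge


def parse_requests(log_text: str) -> List[Request]:
    """Split radiusd -X output into one Request per rad_recv block."""
    requests: List[Request] = []
    current: Optional[Request] = None
    for line in log_text.splitlines():
        m = RAD_RECV.match(line)
        if m:
            current = Request(client=m.group(1), radius_id=m.group(2))
            requests.append(current)
            continue
        if current is None:
            continue                      # noise before the first request
        m = USER_NAME.match(line)
        if m and not current.user:
            current.user = m.group(1)
            continue
        if SQL_NOTFOUND.match(line):
            current.sql_notfound = True
            continue
        m = SENDING.match(line)
        if m and m.group(2) == current.radius_id:
            current.result = m.group(1)   # reply id must match the request id
    return requests


def unlisted_accepts(log_text: str) -> List[Tuple[str, str, str]]:
    """(user, client, id) for every Access-Accept sent to a user rlm_sql
    did not find.  Challenges are ignored: only the final Accept matters."""
    return [(r.user, r.client, r.radius_id)
            for r in parse_requests(log_text)
            if r.result == "Access-Accept" and r.sql_notfound]


# Constructed sample: requests 134/135 abbreviated from the thread,
# request 136 ("alice", present in radcheck) added for contrast.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 134.214.78.43:6001, id=134, length=1256
\tUser-Name = "LEPILLEUR Benjamin"
\tNAS-IP-Address = 134.214.78.43
\tNAS-Port-Type = Wireless-802.11
modcall: entering group authorize for request 3
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
modcall[authorize]: module "sql" returns ok for request 3
rlm_eap_tls: <<< TLS 1.0 Handshake [length 02f7], Certificate
  --> subject = /C=FR/O=INSA/OU=Telecom - GSF/CN=LEPILLEUR Benjamin
  --> verify return:1
modcall[authenticate]: module "eap" returns ok for request 3
Sending Access-Challenge of id 134 to 134.214.78.43:6001
Finished request 3
rad_recv: Access-Request packet from host 134.214.78.43:6001, id=135, length=169
\tUser-Name = "LEPILLEUR Benjamin"
\tNAS-IP-Address = 134.214.78.43
modcall: entering group authorize for request 4
rlm_sql (sql): User LEPILLEUR Benjamin not found in radcheck
modcall[authorize]: module "sql" returns ok for request 4
rlm_eap_tls: Received EAP-TLS ACK message
modcall[authenticate]: module "eap" returns ok for request 4
Sending Access-Accept of id 135 to 134.214.78.43:6001
Finished request 4
rad_recv: Access-Request packet from host 134.214.78.43:6001, id=136, length=169
\tUser-Name = "alice"
modcall: entering group authorize for request 5
modcall[authorize]: module "sql" returns ok for request 5
Sending Access-Accept of id 136 to 134.214.78.43:6001
Finished request 5
"""

if __name__ == "__main__":
    for user, client, rid in unlisted_accepts(SAMPLE_LOG):
        print(f"ACCEPTED WITHOUT DB ENTRY: user={user!r} nas={client} id={rid}")
```

Run it against a real `radiusd -X` capture (replace SAMPLE_LOG with the file contents) after applying Artur's advice; once the authorize section rejects users the sql module does not find, the list should come back empty. Note that the script keys on the outer User-Name, which the supplicant chooses itself; when deciding who gets in, the identity that was actually proven is the certificate subject, so the radcheck entry should correspond to the certificate's CN and the eap.conf `check_cert_cn` setting should be used to tie the two together.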