Hi to all,
I have configured freeradius with EAP/TLS on debian for testing. I have also
create a CA and all necessary certificates.
The system works well in normal condition but when I try to use on the
supplicant a fake certificate (signed by another CA) freeradius get
segmentation fault.
I have tried to re-compile the server with another version of openssl but the
result is the same. Below a summary of my tests:
freeradius openssl
0.9.3 0.9.7d deb packages and, later, compiled from
source
1.0.0 pre1 0.9.7d source
1.0.0 pre2 0.9.7d and 0.9.6m source
The NAS are a Apple Airport extreme and a cisco aironet 350 but i think the
problem isn't here. On the supplicant side I have used a ibook with MacosX
10.3.4 and Windows XP SP1.
Any idea?
Thanks in advance,
Antonio Tamborino
mostro2:/home/tony# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = yes
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certificati/mostro2.pem"
tls: certificate_file = "/usr/local/etc/raddb/certificati/mostro2.pem"
tls: CA_file = "/usr/local/etc/raddb/certificati/root.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certificati/dh"
tls: random_file = "/usr/local/etc/raddb/certificati/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address,
Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile =
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=229,
length=192
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "stecca2"
User-Name = "ibook_vecchio"
Service-Type = Framed-User
NAS-Port = 255
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ea-4a-94"
Calling-Station-Id = "00-30-65-13-a4-45"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
EAP-Message = 0x020100120169626f6f6b5f7665636368696f
Message-Authenticator = 0xd408e082a45244b5c1a3446acff3820f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat:
'/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands
to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
modcall[authorize]: module "auth_log" returns ok for request 0
rlm_eap: EAP packet type response id 1 length 18
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 229 to 193.204.77.19:1024
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x83eab2ee569aefc3149e9dfacd789400
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=230,
length=294
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "stecca2"
User-Name = "ibook_vecchio"
Service-Type = Framed-User
NAS-Port = 255
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ea-4a-94"
Calling-Station-Id = "00-30-65-13-a4-45"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
State = 0x83eab2ee569aefc3149e9dfacd789400
EAP-Message =
0x020200660d800000005c160301005701000053030140ceaf630bb681e0908db6d6aa2fd4dd8e6239b41980c496c4bfdc712089309d00002c00050004000aff830009ff82000300080006ff8000010016001500140013001200110018001b001a001700190100
Message-Authenticator = 0x47edfe2a1c5c9b092447666fa8d37337
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat:
'/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands
to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
modcall[authorize]: module "auth_log" returns ok for request 1
rlm_eap: EAP packet type response id 2 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0057], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0699], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b0], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 230 to 193.204.77.19:1024
EAP-Message =
0x0103040a0dc0000007a2160301004a02000046030140ceaf33b136876cb99d046681f65963542341fc66d95df60113e39dff89761020c361febea352e311976dc7e8884ede7ed3b0c2aa66fc5b4671caa822d25628c000050016030106990b0006950006920002d5308202d13082023aa003020102020101300d06092a864886f70d010104050030819e310b3009060355040613024954310e300c060355040813054974616c79310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c6162311c301a060355040313134341207065722070726f766520726164697573
EAP-Message =
0x3129302706092a864886f70d010901161a616e746f6e696f2e74616d626f72696e6f40756e696c652e6974301e170d3034303631343130343532385a170d3035303631343130343532385a3081a4310b3009060355040613024954310e300c060355040813054974616c79310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c61623122302006035504031319436572746966696361746f20736572766572207261646975733129302706092a864886f70d010901161a616e746f6e696f2e74616d626f72696e6f40756e696c652e697430819f300d06092a864886
EAP-Message =
0xf70d010101050003818d0030818902818100b58166331849138fb4de36763a7810349e7c688cd9ed16834a1eaa0f4b917283b9751867ca67674ed8f546008b26fac10a1f67d3b0903875d798e296a6705f94dc200a5c9f875688b3ab3f72810749e2c56cbf765e5bd686501711fe0f59a5c27b02d8de9cc83e327871930c43e665907e735cc70e2874ecff5e1847b1bb8ced0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100486917bec0e1df157e0fc1e8c7952d7c4fa91edcce6409dba15c7807f6e88db7d90073ef43d0266f7de8f22974660dc8bc349cf4a304922093a1
EAP-Message =
0xddf1c8088224228c6b2ed9014b80c2e41e9ecb12702abfdb81abe4da019b37d93d5c2f8f586e3d70b517172c574fb917df6f691bc2c9abacc1c8230d05744a50184f61bb7e940003b7308203b33082031ca003020102020100300d06092a864886f70d010104050030819e310b3009060355040613024954310e300c060355040813054974616c79310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c6162311c301a060355040313134341207065722070726f7665207261646975733129302706092a864886f70d010901161a616e746f6e696f2e74616d626f72
EAP-Message = 0x696e6f40756e696c652e6974301e170d303430363134
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x14e65dceea49c5e9e7a74c8fefb1117a
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=231,
length=198
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "stecca2"
User-Name = "ibook_vecchio"
Service-Type = Framed-User
NAS-Port = 255
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ea-4a-94"
Calling-Station-Id = "00-30-65-13-a4-45"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
State = 0x14e65dceea49c5e9e7a74c8fefb1117a
EAP-Message = 0x020300060d00
Message-Authenticator = 0x9a867f5ee419693c76dfcd9fa474c152
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat:
'/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands
to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
modcall[authorize]: module "auth_log" returns ok for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 231 to 193.204.77.19:1024
EAP-Message =
0x010403ac0d80000007a23130343334325a170d3034303731343130343334325a30819e310b3009060355040613024954310e300c060355040813054974616c79310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c6162311c301a060355040313134341207065722070726f7665207261646975733129302706092a864886f70d010901161a616e746f6e696f2e74616d626f72696e6f40756e696c652e697430819f300d06092a864886f70d010101050003818d0030818902818100be7aabfea761ff860c97cd5e48bbe9d8b7d0ec882f783bee2552a57e5a4c0c
EAP-Message =
0xcc308fc2fe23177b7bdf0192ad7b405eb04f4cb7e6c2b576c6dd413ca94df9b1bb6a6ca6e4118cc89a2da9bba5aa324a44a97340755e06555ef01d56755eb07cb247e94981c8d76ef05cc38b1469176ff01808b5bd26d84b0a2745e57a662e827b0203010001a381fe3081fb301d0603551d0e04160414ec633853a9326bd2bcc3cfb09b24f25a996b556d3081cb0603551d230481c33081c08014ec633853a9326bd2bcc3cfb09b24f25a996b556da181a4a481a130819e310b3009060355040613024954310e300c060355040813054974616c79310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c616231
EAP-Message =
0x0f300d060355040b13064e65744c6162311c301a060355040313134341207065722070726f7665207261646975733129302706092a864886f70d010901161a616e746f6e696f2e74616d626f72696e6f40756e696c652e6974820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810088a057d1b6d32dfbffd3407cbf9e0ff7928b0377c799bdf02207a8980257677f609b90bd947d39cf582dd079b6af8536892f2dd3d6ba049e6e3c0e6344a3d28d54192f2d4ab74850ff41b8e20f67f513b9af4a4c8c1ad5ee67e06c93511e33035d58a52f4d256102171386739fd0167dba3ed40b61f44064b0598e504adcaaca
EAP-Message =
0x16030100b00d0000a802010200a300a130819e310b3009060355040613024954310e300c060355040813054974616c79310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c6162311c301a060355040313134341207065722070726f7665207261646975733129302706092a864886f70d010901161a616e746f6e696f2e74616d626f72696e6f40756e696c652e69740e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf3b45296b70ed4d5c910a66316390662
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=232,
length=1598
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "stecca2"
User-Name = "ibook_vecchio"
Service-Type = Framed-User
NAS-Port = 255
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ea-4a-94"
Calling-Station-Id = "00-30-65-13-a4-45"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
State = 0xf3b45296b70ed4d5c910a66316390662
EAP-Message =
0x020405740dc0000005db16030104910b00048d00048a0002423082023e308201a7a003020102020104300d06092a864886f70d01010405003056310b3009060355040613024954310f300d060355040813064974616c6961310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c6162301e170d3034303630393039323734375a170d3035303630393039323734375a305b310b3009060355040613024954310f300d060355040813064974616c6961310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162311430120603
EAP-Message =
0x550403140b69626f6f6b5f66616c736530819f300d06092a864886f70d010101050003818d0030818902818100bc97392d2a641da0481421d9f903abcbd6d326388ee3775f73b5f377af6d7e3043cb27b170ec192e24e1aaf2419af70ce671b1a09e59985579a7511c9857263da5129aeb1f58fbaa0e3cde62f58c30f94d6ffe7fcef8ea5284878e57ae2cbab864b298f716ebf4b587d792773b17c416acb85c011e4ebaf80076972ee090e9330203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003818100299affa8a9e214b30174baf60c964d377c63910aee12dc741e1494e4252cf1
EAP-Message =
0x9ea0b18d33dee9bac94c58d449df9e1b5dd1eb13313e9c3f526a30ce8eb2dbbe1b254cdd2c6c96d678173019c17e1b532e72b9ad51f73f5e4f07b7326fa3393f9747f8a367f05b190a9fd4a0043db92ae45bf41ea696c49c1a5885c49b1929d8c00002423082023e308201a7a003020102020104300d06092a864886f70d01010405003056310b3009060355040613024954310f300d060355040813064974616c6961310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162310f300d060355040b13064e65744c6162301e170d3034303630393039323734375a170d3035303630393039323734375a305b
EAP-Message =
0x310b3009060355040613024954310f300d060355040813064974616c6961310e300c060355040713054c6563636531153013060355040a130c556e694c652d4e65744c6162311430120603550403140b69626f6f6b5f66616c736530819f300d06092a864886f70d010101050003818d0030818902818100bc97392d2a641da0481421d9f903abcbd6d326388ee3775f73b5f377af6d7e3043cb27b170ec192e24e1aaf2419af70ce671b1a09e59985579a7511c9857263da5129aeb1f58fbaa0e3cde62f58c30f94d6ffe7fcef8ea5284878e57ae2cbab864b298f716ebf4b587d792773b17c416acb85c011e4ebaf80076972ee090e9330203010001
EAP-Message =
0xa317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003818100299affa8a9e214b30174baf60c964d377c63910aee12dc741e1494e4252cf19ea0b18d33dee9bac94c58d449df9e1b5dd1eb13313e9c3f526a30ce8eb2dbbe1b254cdd2c6c96d678173019c17e1b532e72b9ad51f73f5e4f07b7326fa3393f9747f8a367f05b190a9fd4a0043db92ae45bf41ea696c49c1a5885c49b1929d8c016030100861000008200809b36b774cb2e70e307b92c4fadacc53024d448af1e2b256a23404eb41bda16810ff8164c9815399a6f282caa4621a72b30e8e1919b69ef1ef2474250eeeca622ddbc192aa41a
EAP-Message =
0x2b15bad47338d545310083c4d19e29422ff5ff0ac7307f52d372fb817d35f6f9fdae48f69515ee56e0bb4e3531bb6b1711958a5461c3b8af4fd416030100860f000082008049e9e34ebe049b1fe219e6c4d0581e1cbfa4408bf211345f61a1e53c8e386fdc03d1d378c98a1cf0cefe66caed532c10fefd13f20c16c63710424e23f9d0
Message-Authenticator = 0x7c62551c7b1384ad883a581a3eff6179
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
radius_xlat:
'/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands
to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
modcall[authorize]: module "auth_log" returns ok for request 3
rlm_eap: EAP packet type response id 4 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS First Fragment of the message
eaptls_verify returned 9
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 232 to 193.204.77.19:1024
EAP-Message = 0x010500060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xf3bba11344c604da5bffb8377d961d5e
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=233,
length=311
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "stecca2"
User-Name = "ibook_vecchio"
Service-Type = Framed-User
NAS-Port = 255
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ea-4a-94"
Calling-Station-Id = "00-30-65-13-a4-45"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
State = 0xf3bba11344c604da5bffb8377d961d5e
EAP-Message =
0x020500770d00e025a7cbdda6123246cb7381ab122fdc18326cfc7b6337eba6a2a3d9a8b0179d3edbe75c406f828bfda759a5a736cd5f97f5b80a63ce9673f09cdd41d1ddd730d1a5140301000101160301002428700db788bc7767eb2e733b905211103036c536a3dc625f4c96ec4a443414f4e0a87d30
Message-Authenticator = 0xdd7bdc97f8fb39f9f34c8a9c505d1a49
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
radius_xlat:
'/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands
to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
modcall[authorize]: module "auth_log" returns ok for request 4
rlm_eap: EAP packet type response id 5 length 119
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0491], Certificate
--> verify error:num=20:unable to get local issuer certificate
chain-depth=0,
error=20
--> User-Name = ibook_vecchio
--> BUF-Name = ibook_false
--> subject = /C=IT/ST=Italia/L=Lecce/O=UniLe-NetLab/CN=ibook_false
--> issuer = /C=IT/ST=Italia/L=Lecce/O=UniLe-NetLab/OU=NetLab
--> verify return:0
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
781:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned:s3_srvr.c:2010:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 233 to 193.204.77.19:1024
EAP-Message = 0x010600110d800000000715030100020230
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x177edb0d7c8e28bb246f8e30d52828e7
Finished request 4
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 193.204.77.19:1024, id=234,
length=229
Framed-MTU = 1466
NAS-IP-Address = 10.0.1.1
NAS-Identifier = "stecca2"
User-Name = "ibook_vecchio"
Service-Type = Framed-User
NAS-Port = 255
NAS-Port-Type = Ethernet
NAS-Port-Id = "wl0"
Called-Station-Id = "00-03-93-ea-4a-94"
Calling-Station-Id = "00-30-65-13-a4-45"
Connect-Info = "CONNECT Ethernet 54Mbps Half duplex"
State = 0x177edb0d7c8e28bb246f8e30d52828e7
EAP-Message =
0x020600250d800000001b1503010016aaa857011e0fee0834a0ef59cbb75f0f187aa6b29270
Message-Authenticator = 0xbfe1cb82b24f2854b7273a0be0ac5836
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat:
'/usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands
to /usr/local/var/log/radius/radacct/193.204.77.19/auth-detail-20040615
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: EAP packet type response id 6 length 37
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0491], Certificate
--> verify error:num=20:unable to get local issuer certificate
chain-depth=0,
error=20
Segmentation fault
the report above is with FR 1.0.0pre2 compiled with Openssl 0.9.7d and 0.9.6m
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
