Sorry...my first posting was not easy to read ;-(
Here the same subject in a readable format....
Hello!
I tried to use eap tls.
When I started radius everything looked fine.
Then radius receives an access request and answers with an access challenge containing EAP TLS START.
No problem so far. But when radius receives the TLS client hello in the next step it fails with
"rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request" and "rlm_eap: failed in handler".
I am rather confused now.
Perhaps one of the experts could give me hint concerning the cause.
Thanks in advance!
Greetings
Michael Heiart
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512 tls: verify_depth = 0
tls: CA_path = "(null)" tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814 Ready to process requests.
...
rad_recv: Access-Request packet from host 127.0.0.1:32858, id=167, length=95
User-Name = "Server certificate"
EAP-Message = 0x02b6001701536572766572206365727469666963617465
NAS-IP-Address = 127.0.0.2
NAS-Port = 0
Message-Authenticator = 0x0012efe996568bc1ca6419e4c07ce713
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Server certificate", looking up realm NULL
rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 182 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP auth: type "EAP"
Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0
rlm_eap: EAP Identity rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 167 to 127.0.0.1:32858
EAP-Message = 0x01b700060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x172cf45df81917d900bc7f4cd4353545
Finished request 0 Going to the next request
--- Walking the entire request list
--- Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32858, id=168, length=152
User-Name = "Server certificate"
EAP-Message = 0x02b700500d800000004616030100410100003d030140ee5e798623d9c38b893a0d87ba4681324740e7f1b264453463058af5167c4a00001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 127.0.0.2
NAS-Port = 0
Message-Authenticator = 0x2816e26924e7c987dc6ccb8e4729e0d4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_realm: No '@' in User-Name = "Server certificate", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 183 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1 Going to the next request
--- Walking the entire request list
--- Waking up in 1 seconds...
--- Walking the entire request list
--- Waking up in 1 seconds...
--- Walking the entire request list
--- Sending Access-Reject of id 168 to 127.0.0.1:32858
Waking up in 3 seconds...
--- Walking the entire request list
--- Cleaning up request 0 ID 167 with timestamp 40ee5fba
Waking up in 1 seconds...
--- Walking the entire request list
--- Cleaning up request 1 ID 168 with timestamp 40ee5fbb
Nothing to do. Sleeping until we see a request.
--
--
Hello!
I tried to use eap tls.
When I started radius everything looked fine.
Then radius receives an access request and answers with an
access challenge containing EAP TLS START. No problem so far.
But when radius receives the TLS client hello in the next step
it fails with "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request"
and "rlm_eap: failed in handler".
I am rather confused now.
Perhaps one of the experts could give me hint concerning the cause.
Thanks in advance!
Greetings
Michael Heiart
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "whatever"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
...
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
...
rad_recv: Access-Request packet from host 127.0.0.1:32858, id=167, length=95
User-Name = "Server certificate"
EAP-Message = 0x02b6001701536572766572206365727469666963617465
NAS-IP-Address = 127.0.0.2
NAS-Port = 0
Message-Authenticator = 0x0012efe996568bc1ca6419e4c07ce713
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "Server certificate", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 182 length 23
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 167 to 127.0.0.1:32858
EAP-Message = 0x01b700060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x172cf45df81917d900bc7f4cd4353545
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32858, id=168, length=152
User-Name = "Server certificate"
EAP-Message = 0x02b700500d800000004616030100410100003d030140ee5e798623d9c38b893a0d87ba4681324740e7f1b264453463058af5167c4a00001600040005000a000900640062000300060013001200630100
NAS-IP-Address = 127.0.0.2
NAS-Port = 0
Message-Authenticator = 0x2816e26924e7c987dc6ccb8e4729e0d4
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/127.0.0.1/auth-detail-20040709
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_realm: No '@' in User-Name = "Server certificate", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 183 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 154
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 1
modcall: group authenticate returns invalid for request 1
auth: Failed to validate the user.
Delaying request 1 for 1 seconds
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 168 to 127.0.0.1:32858
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 167 with timestamp 40ee5fba
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 168 with timestamp 40ee5fbb
Nothing to do. Sleeping until we see a request.
--
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- EAP TLS: rlm_eap: Failed in handler michael . heiart
- Re: EAP TLS: rlm_eap: Failed in handler michael . heiart
- Re: EAP TLS: rlm_eap: Failed in handler Gary McKinney
- Re: Re: EAP TLS: rlm_eap: Failed in handler michael . heiart
- Re: EAP TLS: rlm_eap: Failed in handler michael . heiart