Hi all,
I know I'm not the first to post this topic, but I can't find in the archive
any resolution.
I have followed the instructions for creating self-signed server
certificates, and I think I have the config files and certs aligned. But I
must have something wrong, because when my supplicant (Aironet 1200) gets a
request for PEAP from a Windows XP system, the radiusd debug shows "fatal
unknown_ca" when in the last phase of the PEAP authentication.
Is there some little gotcha I'm missing?
Is the setup for PEAP different from EAP/TLS?
Do I have to install something on the client? (I thought not, since it is
PEAP.)
All help is appreciated; debug follows.
Thanks!
Atkinson
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=151, length=180
User-Name = "atkinsondu"
Framed-MTU = 1400
Called-Station-Id = "000f.9060.c140"
Calling-Station-Id = "0040.96a2.8ef1"
Cisco-AVPair = "ssid=eap-only"
Service-Type = Login-User
Message-Authenticator = 0xb7c8fd67a6fa635c21df964a0cbd2af5
EAP-Message = 0x020300061900
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "369"
NAS-Port = 369
State = 0x21f31e4903806b3d170350fcd4a4a82a
NAS-IP-Address = 10.0.1.3
NAS-Identifier = "wifi-ap1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 2
rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall: entering group group for request 2
rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add atkinsondu to user list
rlm_dbm: User <atkinsondu> not foud in database
Remove atkinsondu from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database
Remove DEFAULT from user list
modcall[authorize]: module "dbm" returns notfound for request 2
modcall: group group returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 151 to 10.0.1.3:21645
EAP-Message = [hex-encoded server certificate/handshake fragments omitted]
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x36cdeb1e4af1060e78512ffdc9c31264
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
User-Name = "atkinsondu"
Framed-MTU = 1400
Called-Station-Id = "000f.9060.c140"
Calling-Station-Id = "0040.96a2.8ef1"
Cisco-AVPair = "ssid=eap-only"
Service-Type = Login-User
Message-Authenticator = 0xfeb6cd762306cd1a886420d036082cc8
EAP-Message = 0x0204001119800000000715030100020230
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "369"
NAS-Port = 369
State = 0x36cdeb1e4af1060e78512ffdc9c31264
NAS-IP-Address = 10.0.1.3
NAS-Identifier = "wifi-ap1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 3
rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: entering group group for request 3
rlm_dbm: try open database file: /opt/local/etc/raddb/database/users
rlm_dbm: Call parse_user:
sm_parse_user.c: check for loops
Add atkinsondu to user list
rlm_dbm: User <atkinsondu> not foud in database
Remove atkinsondu from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database
Remove DEFAULT from user list
modcall[authorize]: module "dbm" returns notfound for request 3
modcall: group group returns notfound for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept:failed in SSLv3 read client certificate A
24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1052:SSL alert number 48
24317:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake
failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 3
modcall: group authenticate returns reject for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
Sending Access-Reject of id 152 to 10.0.1.3:21645
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
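As an added illustration (not part of the original post and not FreeRADIUS code): a small decoder for the `EAP-Message = 0x...` values printed in the trace above. It confirms from the client's own bytes that the response with id 4 carries a fatal TLS `unknown_ca` alert (alert number 48), i.e. the XP supplicant rejected the server certificate chain rather than the server rejecting the client. The sample trace is constructed from the two client values quoted in the post.

```python
"""Decode EAP-Message values from a radiusd debug trace and interpret an
embedded TLS alert record (EAP-TLS / TTLS / PEAP fragment format)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca"}

def decode_tls_alert(payload):
    """Return (level, description) if payload is exactly one TLS alert record."""
    # Record header: content type (0x15 = alert), version (2 bytes), length (2).
    if len(payload) != 7 or payload[0] != 0x15:
        return None
    if int.from_bytes(payload[3:5], "big") != 2:
        return None
    level = "fatal" if payload[5] == 2 else "warning"
    return level, TLS_ALERTS.get(payload[6], "alert_%d" % payload[6])

def parse_eap_message(hex_value):
    """Parse one EAP packet as radiusd prints it (0x + hex)."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    # EAP header: code(1) id(1) length(2) type(1); length covers the whole packet.
    if len(data) < 5 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("malformed EAP packet: %s" % hex_value)
    info = {"code": EAP_CODES.get(data[0], data[0]), "id": data[1],
            "type": EAP_TYPES.get(data[4], data[4]), "summary": "other"}
    if data[4] not in EAP_TYPES or len(data) < 6:
        return info
    flags = data[5]
    pos = 10 if flags & 0x80 else 6   # L flag set: 4-byte total TLS length follows
    tls = data[pos:]
    if not tls:
        info["summary"] = "ACK (empty TLS fragment)"
    else:
        alert = decode_tls_alert(tls)
        info["summary"] = ("TLS %s alert %s" % alert) if alert \
            else "TLS data (%d bytes)" % len(tls)
    return info

def find_client_alerts(trace):
    """Return decoded client (Response) EAP packets that carry a TLS alert."""
    found = []
    for m in re.finditer(r"EAP-Message = (0x[0-9a-fA-F]+)", trace):
        info = parse_eap_message(m.group(1))
        if info["code"] == "Response" and "alert" in info["summary"]:
            found.append(info)
    return found

# Constructed sample: the two client-side EAP-Message values from the post.
SAMPLE_TRACE = "EAP-Message = 0x020300061900\n" \
               "EAP-Message = 0x0204001119800000000715030100020230\n"
```

A `<<<` alert in `rlm_eap_tls` output is one the server read from the peer, so when the decoded alert is `unknown_ca` the fix is on the supplicant side: the client must trust the CA that signed the server certificate.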