Re: PEAP and "fatal unknown_ca"

[Artur Hecker]

hi
Dudley Atkinson wrote:
I have followed the instructions for creating self-signed server
certificates, and I think I have the config files and certs aligned.  But I
must have something wrong, because when my supplicant (Aironet 1200) gets a
request for PEAP from a Windows XP system, the radiusd debug shows "fatal
unknown_ca" when in the last phase of the PEAP authentication.
hmmm, sorry to be a nitpicker - but the supplicant _is_ windows XP. i 
suppose, the aironet 1200 is an access point, so it would be an 
authenticator then.


Is there some little gotcha I'm missing?  

Is the setup for PEAP different than EAP/TLS?  

Do I have to install something on the client (I thought not, since it is
PEAP).
i personally think that the root.pem file which your radiusd is using 
does not contain a correct certificate of the used CA. make sure:
- this file exists and is configured as such in the eap.conf / radiusd.conf
- freeradius finds and reads this file (file permissions, paths, etc.)
- this file and its content are valid (i.e. it's a valid pem file 
containing the CA certificate).

the used CA has to be known to the server at the moment when it starts 
TLS communications.

btw it is the same for the supplicant (your Windows XP) - i would 
suggest that you install the certificate. Windows used to kindly propose 
the installation of a new (unknown) CA certificate but i'm not quite 
sure it still works as expected and it definitly depends on a lot of 
other parameters. so just preinstall it locally.


ciao
artur

All help is appreciated; debug follows.
Thanks!
Atkinson
ad_recv: Access-Request packet from host 10.0.1.3:21645, id=151, length=180
        User-Name = "atkinsondu"
        Framed-MTU = 1400
        Called-Station-Id = "000f.9060.c140"
        Calling-Station-Id = "0040.96a2.8ef1"
        Cisco-AVPair = "ssid=eap-only"
        Service-Type = Login-User
        Message-Authenticator = 0xb7c8fd67a6fa635c21df964a0cbd2af5
        EAP-Message = 0x020300061900
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "369"
        NAS-Port = 369
        State = 0x21f31e4903806b3d170350fcd4a4a82a
        NAS-IP-Address = 10.0.1.3
        NAS-Identifier = "wifi-ap1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
    rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 2
    rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
modcall: entering group group for request 2
rlm_dbm: try open database file: /opt/local/etc/raddb/database/users 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add atkinsondu to user list
rlm_dbm: User <atkinsondu> not foud in database 
Remove atkinsondu from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database 
Remove DEFAULT from user list
  modcall[authorize]: module "dbm" returns notfound for request 2
modcall: group group returns notfound for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 151 to 10.0.1.3:21645
        EAP-Message =
0x010403cc19005553311230100603550408130954656e6e6573736565311230100603550407
13094f616b205269646765310d300b060355040a130453414943310f300d060355040b13064e
4149534d43311830160603550403130f4e41535652313820526f6f74204341311a301806092a
864886f70d010901160b746d68406e61737672313830819f300d06092a864886f70d01010105
0003818d0030818902818100f53d6206d775bd27ecc7f41358590f88eba0114424ccfe8c75a1
735668a6506934cb4d1bae177cb9d130ce0b203d21ef9f5ff1eba850e6f1b80fa9b5162975f0
0e4ac2fc4b0b0fe2ae8a6bef2a2651abc1ede8e72cad24e2210e
        EAP-Message =
0xee6b46998af153a26274412e8e63816ecaa5bc997bf18ffaef66d42b98c0deb6f4db1ba0b0
150203010001a381f33081f0301d0603551d0e04160414552260d6dd4cebade9a0adacf4733a
bee5640ca33081c00603551d230481b83081b58014552260d6dd4cebade9a0adacf4733abee5
640ca3a18191a4818e30818b310b300906035504061302555331123010060355040813095465
6e6e657373656531123010060355040713094f616b205269646765310d300b060355040a1304
53414943310f300d060355040b13064e4149534d43311830160603550403130f4e4153565231
3820526f6f74204341311a301806092a864886f70d010901160b
        EAP-Message =
0x746d68406e617376723138820900aa339d443f523340300c0603551d13040530030101ff30
0d06092a864886f70d010104050003818100bd318788d5775b1446536c2cabe5031b72131346
177a421c930f4ffbf36ba1d516789335f29e984575ab736f350adecf1e437fc5f2a4b3be0a03
6c90abc5ac4689237bafc1cf0130ede334bacec4689fbacd52cb8f7c6412efa28c96827164ce
8f6dcbb4d8d09c19e8fdc71cad56d2d665e02c6dfdaab49b83fdc2de3d6e474c160301010d0c
0001090040d3706dbd315a1e6c6d31d7360a14069120fd6cd0de306332ac00d88280dbd81175
f1462cee6e4c0e58aa60e0190906edbf214e2bb7024043da0b66
        EAP-Message =
0xba7b8c5dc300010500404e9adcd06469e95f46852f53d7befb50802a71644dd633a501f6b4
82f01857af8a6de4056b27b1a9cbc8c9fc42a67354f698201690fd1d8bb8b58d415690d0c700
80d7c0706283d95cd56c5448bc3450fc6cbc7b63366fee4fbe37b5346453c42c2aa3eb857afe
a3ba215cecfaa471487fe7363549984a4b850b7e80601daa5c23e1baaaf727964cca749eb0c1
40d7e0967915c072c264ed51930825ab6020d45562b1c2e947933ef885759c0ac83611621d6c
0b31c0f9cc885fb587317227c972eb16030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x36cdeb1e4af1060e78512ffdc9c31264
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
        User-Name = "atkinsondu"
        Framed-MTU = 1400
        Called-Station-Id = "000f.9060.c140"
        Calling-Station-Id = "0040.96a2.8ef1"
        Cisco-AVPair = "ssid=eap-only"
        Service-Type = Login-User
        Message-Authenticator = 0xfeb6cd762306cd1a886420d036082cc8
        EAP-Message = 0x0204001119800000000715030100020230
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "369"
        NAS-Port = 369
        State = 0x36cdeb1e4af1060e78512ffdc9c31264
        NAS-IP-Address = 10.0.1.3
        NAS-Identifier = "wifi-ap1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
    rlm_realm: No '\' in User-Name = "atkinsondu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 3
    rlm_realm: No '@' in User-Name = "atkinsondu", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
  rlm_eap: EAP packet type response id 4 length 17
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
modcall: entering group group for request 3
rlm_dbm: try open database file: /opt/local/etc/raddb/database/users 
rlm_dbm: Call parse_user: 
sm_parse_user.c: check for loops
Add atkinsondu to user list
rlm_dbm: User <atkinsondu> not foud in database 
Remove atkinsondu from user list
sm_parse_user.c: check for loops
Add DEFAULT to user list
rlm_dbm: User <DEFAULT> not foud in database 
Remove DEFAULT from user list
  modcall[authorize]: module "dbm" returns notfound for request 3
modcall: group group returns notfound for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert read:fatal:unknown CA 
    TLS_accept:failed in SSLv3 read client certificate A 
24317:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown
ca:s3_pkt.c:1052:SSL alert number 48
24317:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake
failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase 
In SSL Accept mode  
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
  eaptls_process returned 13 
  rlm_eap_peap: EAPTLS_HANDLED
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns reject for request 3
modcall: group authenticate returns reject for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.1.3:21645, id=152, length=191
Sending Access-Reject of id 152 to 10.0.1.3:21645

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
___________________________________________________________
Artur Hecker
http://www.enst.fr/~hecker
ENST Paris ________________________________________________
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html