Well, I think my TLS session is getting created. From what I can tell, it's
the password part of it that's hurting me. I've attached output of my radius
server debugging and my eap.conf file as well in hopes that someone could
tell me what I'm doing wrong.
Any helpful comments are appreaciated.
Thanks
Matt
[EMAIL PROTECTED]
-----Original Message-----
From: Zoltan Ori [mailto:[EMAIL PROTECTED]
Sent: July 11, 2006 12:33 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: Re: an infamous LDAP-FreeRadius question
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
> When I try to connect via 802.1x from a wireless client my Radius server
> debgging looks like below. Obviously the TLS session is not being setup
> correctly. I'm wondering about the private_key_password attribute. I just
> set it to "whatever" but that needs to correspond to a user on the LDAP
> server doesn't it? I'm not sure that's been set up.
You might try not using an ldaps connection if your LDAP server allows it.
Comment out all the TLS in the ldap section. This TLS/SSL connection to your
LDAP server is a separate issue from 802.1x. That's just between the RADIUS
server and LDAP. Once you've got everything else going, go back and work
with
the ldaps.
The main thing is to change only one thing at a time. Then you'll know
exactly
what broke it and what didn't. I believe you had LDAP working before, didn't
you?
Zoltan Ori
rad_recv: Access-Request packet from host x.x.x.201:6001, id=9, length=117
User-Name = "mda"
NAS-IP-Address = x.x.x.201
Called-Station-Id = "00-02-2d-47-01-c4"
Calling-Station-Id = "00-0e-35-36-48-f2"
NAS-Identifier = "AP3WJD"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02020008016d6461
Message-Authenticator = 0xed8b747d2337a8e91d9d695c7a538032
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 153
modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat: '(uid=mda)'
radius_xlat: 'ou=people,dc=xxx,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap2.xxx.ca:389, authentication 0
rlm_ldap: setting TLS CACert File to
/etc/openldap/cacerts/20060206_ldap2_xxx_ca.crt
rlm_ldap: setting TLS Require Cert to demand
rlm_ldap: bind as uid=authentication,dc=xxx,dc=ca/xxxxxxxx to ldap2.xxx.ca:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=xxx,dc=ca, with filter (uid=mda)
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 9 to x.x.x.201:6001
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x12781dbe4ad8a8b6a39a6b1a10a66ff3
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host x.x.x.201:6001, id=10, length=207
User-Name = "mda"
NAS-IP-Address = x.x.x.201
Called-Station-Id = "00-02-2d-47-01-c4"
Calling-Station-Id = "00-0e-35-36-48-f2"
NAS-Identifier = "AP3WJD"
State = 0x12781dbe4ad8a8b6a39a6b1a10a66ff3
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0203005019800000004616030100410100003d030144b4f47a9fe11441f57ca9dd26d559c7c46019c948498eda8473ea16c02bb7f400001600040005000a000900640062000300060013001200630100
Message-Authenticator = 0x0da3857c6f17213069273929fbadb4a1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 153
modcall[authorize]: module "files" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat: '(uid=mda)'
radius_xlat: 'ou=people,dc=xxx,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=xxx,dc=ca, with filter (uid=mda)
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0694], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 10 to x.x.x.201:6001
EAP-Message =
0x0104040a19c0000006f1160301004a02000046030144b4f47ba93a119f2d2ca1613cb3f08c8a9fe0db667a1622acb58570b55858a6204150e416543cea766dc12b78e24faab769af35ae391e3ae3782b1532e4e7bd7700040016030106940b00069000068d0002cd308202c930820232a003020102020102300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e74206365
EAP-Message =
0x7274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3034303132353133323631305a170d3035303132343133323631305a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f73743119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003
EAP-Message =
0x818d0030818902818100dac525422bfedb082629a2cba44b3449c90d0ab462fb72c8434a782098863d7eb7d7e70028c2b7ad555a51cc756cf4fa1d7091615ab450d5289553ae6616aff014a55085d6b8fb4aee98638e426175cdd36c665c63cda177d34920eb30585edc8773999c2980f81ad4638bbbea1c82d054023db7ef24a3ec1c3f6241a903d7f30203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181007a2d921b1cf13bf2982a9178ec9ede6d88edc178a2e8bd40a0a06fb6f0769957884cd7084537083496fd184165293f583c8e8240eb68e042c94b15752e4c07e80d09
EAP-Message =
0x779afa3dd55c24fa54ac292d77205d1c2477ed30d59f57caf9bd21ff2a8d16cc0911c50e4f295763fcb60efa3c3d2d0e43850f6e6fbe284902f6e83503650003ba308203b63082031fa003020102020100300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c
EAP-Message = 0x652e636f6d301e170d3034303132353133323630375a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x92e1680de0365fa7ccdc2c10224b98cd
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host x.x.x.201:6001, id=11, length=133
User-Name = "mda"
NAS-IP-Address = x.x.x.201
Called-Station-Id = "00-02-2d-47-01-c4"
Calling-Station-Id = "00-0e-35-36-48-f2"
NAS-Identifier = "AP3WJD"
State = 0x92e1680de0365fa7ccdc2c10224b98cd
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400061900
Message-Authenticator = 0xa87759b9c3c8951e8a09935669088f1f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched DEFAULT at 153
modcall[authorize]: module "files" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat: '(uid=mda)'
radius_xlat: 'ou=people,dc=xxx,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=xxx,dc=ca, with filter (uid=mda)
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 11 to x.x.x.201:6001
EAP-Message =
0x010502f71900170d3036303132343133323630375a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d4c5b19724f164acf1ffb189db1c8fbff4f14396ea7cb1e90f78d69451725377895dfe52ccb99b41e8
EAP-Message =
0x0ddeb58b127a943f4f58cbc562878192fbdc6fece9f871e7c130d35cf5188817e9b133249edd2a1c75d31043ae87553cec7a77ef26aa7d74281db9b77e17c6446c5dd9b188b43250ca0229963722a123a726b00b4027fd0203010001a381ff3081fc301d0603551d0e0416041468d36d3e1ee7bc9d5a057021c363da1365d1ade33081cc0603551d230481c43081c1801468d36d3e1ee7bc9d5a057021c363da1365d1ade3a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010
EAP-Message =
0x060355040b13096c6f63616c686f7374311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820100300c0603551d13040530030101ff300d06092a864886f70d01010405000381810033c00b66b1e579ef73a06798252dab8d5e5511fc00fd276d80d12f834777c6743fdc2743fca1507704e4bc0979e4f60ac3ad9ee83e6f347369229d1f77229ba2e982359da563024a00163dba6d6c986c0bad28af85132ff8f0d76501bf1b7c2dff658ce1e62c01997b6e64e3e8d4373354ce9912847651539063b85bbc5485c516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd5883b45381fb77022fa9cd640ab4f9
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host x.x.x.201:6001, id=12, length=133
User-Name = "mda"
NAS-IP-Address = x.x.x.201
Called-Station-Id = "00-02-2d-47-01-c4"
Calling-Station-Id = "00-0e-35-36-48-f2"
NAS-Identifier = "AP3WJD"
State = 0xcd5883b45381fb77022fa9cd640ab4f9
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500061900
Message-Authenticator = 0x177838ed1ee82197042b39326bf4806b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "mda", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched DEFAULT at 153
modcall[authorize]: module "files" returns ok for request 3
rlm_ldap: - authorize
rlm_ldap: performing user authorization for mda
radius_xlat: '(uid=mda)'
radius_xlat: 'ou=people,dc=xxx,dc=ca'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=xxx,dc=ca, with filter (uid=mda)
rlm_ldap: Added password {SSHA}sBKY63Qm0H8T/Rx25tveoZfGaYd9Rjk45TCrWA== in
check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user mda authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "ldap" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 12 to x.x.x.201:6001
EAP-Message = 0x010600061900
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa90d5a6ff16743b093dced6b12351837
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 9 with timestamp 44b4f47b
Cleaning up request 1 ID 10 with timestamp 44b4f47b
Cleaning up request 2 ID 11 with timestamp 44b4f47b
Cleaning up request 3 ID 12 with timestamp 44b4f47b
Nothing to do. Sleeping until we see a request.
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
md5 {
}
leap {
}
gtc {
auth_type = PAP
}
tls {
private_key_password = whatever
private_key_file = /etc/raddb/certs/cert-srv.pem
certificate_file = /etc/raddb/certs/cert-srv.pem
CA_file = /etc/raddb/certs/demoCA/cacert.pem
dh_file = /etc/raddb/certs/dh
random_file = /etc/raddb/certs/random
fragment_size = 1024
include_length = yes
}
peap {
default_eap_type = gtc
}
mschapv2 {
}
}-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
