Ciao. We're also facing the same issue, but on a Windows box. We did a quick test using a rather old FR version (1.1.7), on the same PC and using the same certificates, and we get a successful result using eapol_test. We've also followed the steps available in http://wiki.freeradius.org/Certificate_Compatibility. However, no one seems to know the answer/solution to this issue. Just bear in mind I'm new to this project and my ignorance may contribute to ..... you know!
Thanks in advance. Sergio.

> From: [email protected]
> To: [email protected]
> Date: Mon, 24 Oct 2011 11:25:01 +0100
> Subject: RADIUS certificate compatibility warning
>
> I've upgraded FreeRadius to 2.1.10 and Samba to 3.5.6.
> I've got right through (again) to the final "Configuring FreeRADIUS to use
> ntlm_auth for MS-CHAP" stage but the command 'eapol_test -c
> peap-mschapv2-cert-ntlm_auth.conf -s testing123' fails.
>
> The 'radiusd -X' output finishes with :
>
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x89fe3c9f81f72525 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
> http://wiki.freeradius.org/Certificate_Compatibility refers to a problem when
> the client is a Windows machine, but I'm running the 'eapol_test' command on
> the FreeRadius server which is Linux (CentOS).
>
> The following lines from the output of the 'eapol_test' command seem to
> indicate a problem with the root certificate:
>
> OpenSSL: tls_connection_ca_cert - Failed to load root certificates
> error:00000000:lib(0):func(0):reason(0)
> OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
>
> I created the certificates using the method described in
> http://deployingradius.com/documents/configuration/certificates.html
>
> I can supply the full output from the 'eapol_test' command and from 'radiusd
> -X' but they're too big to include in this email.
>
> Can anyone tell me what I'm doing wrong?
>
> Thanks
>
> Martin.
>
> ================================================================
>
> Here are the errors/warnings sections from the output of the 'eapol_test'
> command and from 'radiusd -X', and the full contents of
> peap-mschapv2-cert-ntlm_auth.conf, the ca.cnf, server.cnf & client.cnf files
> & eap.conf:
>
> 'eapol_test' errors/warnings
> ============================
>
> :
> RADIUS packet matching with station
> decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server:
> EAP-Request-PEAP (25)
> EAPOL: Received EAP-Packet frame
> EAPOL: SUPP_BE entering state REQUEST
> EAPOL: getSuppRsp
> EAP: EAP entering state RECEIVED
> EAP: Received EAP-Request id=2 method=25 vendor=0 vendorMethod=0
> EAP: EAP entering state GET_METHOD
> CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=25
> EAP: Initialize selected EAP method: vendor 0 method 25 (PEAP)
> TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00
> TLS: using phase1 config options
> OpenSSL: tls_connection_ca_cert - Failed to load root certificates
> error:00000000:lib(0):func(0):reason(0)
> OpenSSL: tls_connection_ca_cert - loaded DER format CA certificate
> CTRL-EVENT-EAP-METHOD EAP vendor 0 method 25 (PEAP) selected
> EAP: EAP entering state METHOD
> SSL: Received packet(len=6) - Flags 0x20
> EAP-PEAP: Start (server ver=0, own ver=1)
> EAP-PEAP: Using PEAP version 0
> SSL: (where=0x10 ret=0x1)
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:before/connect initialization
> SSL: (where=0x1001 ret=0x1)
> SSL: SSL_connect:SSLv3 write client hello A
> SSL: (where=0x1002 ret=0xffffffff)
> SSL: SSL_connect:error in SSLv3 read server hello A
> SSL: SSL_connect - want more data
> SSL: 112 bytes pending from ssl_out
> SSL: 112 bytes left to be sent out (of total 112 bytes)
> EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
> EAP: EAP entering state SEND_RESPONSE
> EAP: EAP entering state IDLE
> EAPOL: SUPP_BE entering state RESPONSE
> EAPOL: txSuppRsp
> WPA: eapol_test_eapol_send(type=0 len=122)
> :
>
> 'radiusd -X' errors/warnings
> ============================
>
> :
> # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/mschapv2
> [eap] processing type mschapv2
> [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] Creating challenge hash with username: USERNAME
> [mschap] Told to do MS-CHAPv2 for USERNAME with NT-Password
> [mschap] expand: --username=%{mschap:User-Name:-None} -> --username=USERNAME
> [mschap] No NT-Domain was found in the User-Name.
> [mschap] expand: %{mschap:NT-Domain} ->
> [mschap] ... expanding second conditional
> [mschap] expand: --domain=%{%{mschap:NT-Domain}:-CAMPUS} -> --domain=CAMPUS
> [mschap] mschap2: 8a
> [mschap] Creating challenge hash with username: USERNAME
> [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=ee9182b1015b8ded
> [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=69c37f86d6f44237a66d979b71072d9b874e0fd822adf858
> Exec-Program output: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
> Exec-Program-Wait: plaintext: NT_KEY: 4600A59AAB67436A4D937233DEED28B7
> Exec-Program: returned: 0
> [mschap] adding MS-CHAPv2 MPPE keys
> ++[mschap] returns ok
> MSCHAP Success
> ++[eap] returns handled
> } # server inner-tunnel
> [peap] Got tunneled reply code 11
> EAP-Message = 0x010900331a0308002e533d43433730383935313337463446383333384338344634373038363136364246374137353446433330
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9197308e909e2a67190d1c1ddd88b035
> [peap] Got tunneled reply RADIUS code 11
> EAP-Message = 0x010900331a0308002e533d43433730383935313337463446383333384338344634373038363136364246374137353446433330
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x9197308e909e2a67190d1c1ddd88b035
> [peap] Got tunneled Access-Challenge
> ++[eap] returns handled
> Sending Access-Challenge of id 8 to 127.0.0.1 port 50462
> EAP-Message = 0x0109005b19001703010050ad7b5774ef100e1dd3a5c7a83b174202511c51378dc9f1932cf39dc92db9b588fa9f336d1aeb825807e62e2cc34dd162d02aa28c9104381f52a86933e2b9e0f65927f00c2fb64b78a078cc5e8e79457b
> Message-Authenticator = 0x00000000000000000000000000000000
> State = 0x20754327287c5ad31b57225dabc8b87e
> Finished request 8.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 0 with timestamp +76
> Cleaning up request 1 ID 1 with timestamp +76
> Cleaning up request 2 ID 2 with timestamp +76
> Cleaning up request 3 ID 3 with timestamp +76
> Cleaning up request 4 ID 4 with timestamp +76
> Cleaning up request 5 ID 5 with timestamp +76
> Cleaning up request 6 ID 6 with timestamp +76
> Cleaning up request 7 ID 7 with timestamp +76
> Cleaning up request 8 ID 8 with timestamp +76
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x20754327287c5ad3 did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> Ready to process requests.
>
> peap-mschapv2-cert-ntlm_auth.conf
> =================================
>
> #
> # eapol_test -c peap-mschapv2-cert-ntlm_auth.conf -s testing123
> #
>
> # eapol_version=1
> # fast_reauth=0
>
> network={
>     key_mgmt=WPA-EAP
>     eap=PEAP
>     identity="USERNAME"
>     password="PASSWORD"
>     phase2="autheap=MSCHAPV2"
>
>     # priority=10
>
>     ca_cert="/etc/raddb/certs/ca.der"
> }
>
> ca.cnf
> ======
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./
> certs = $dir
> crl_dir = $dir/crl
> database = $dir/index.txt
> new_certs_dir = $dir
> certificate = $dir/ca.pem
> serial = $dir/serial
> crl = $dir/crl.pem
> private_key = $dir/ca.key
> RANDFILE = $dir/.rand
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 3650
> default_crl_days = 30
> default_md = sha1
> preserve = no
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> prompt = no
> distinguished_name = certificate_authority
> default_bits = 2048
> input_password = inpass
> output_password = outpass
> x509_extensions = v3_ca
>
> [certificate_authority]
> countryName = UK
> stateOrProvinceName = United Kingdom
> localityName = Bristol
> organizationName = UWE
> emailAddress = [email protected]
> commonName = "UWE Certificate Authority"
>
> [v3_ca]
> subjectKeyIdentifier = hash
> authorityKeyIdentifier = keyid:always,issuer:always
> basicConstraints = CA:true
>
> ================================================================
>
> server.cnf
> ==========
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./
> certs = $dir
> crl_dir = $dir/crl
> database = $dir/index.txt
> new_certs_dir = $dir
> certificate = $dir/server.pem
> serial = $dir/serial
> crl = $dir/crl.pem
> private_key = $dir/server.key
> RANDFILE = $dir/.rand
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 730
> default_crl_days = 30
> default_md = sha1
> preserve = no
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> prompt = no
> distinguished_name = server
> default_bits = 2048
> input_password = inpass
> output_password = outpass
>
> [server]
> countryName = UK
> stateOrProvinceName = United Kingdom
> localityName = Bristol
> organizationName = UWE
> emailAddress = [email protected]
> commonName = "UWE Server Certificate"
>
> ================================================================
>
> client.cnf
> ==========
>
> [ ca ]
> default_ca = CA_default
>
> [ CA_default ]
> dir = ./
> certs = $dir
> crl_dir = $dir/crl
> database = $dir/index.txt
> new_certs_dir = $dir
> certificate = $dir/server.pem
> serial = $dir/serial
> crl = $dir/crl.pem
> private_key = $dir/server.key
> RANDFILE = $dir/.rand
> name_opt = ca_default
> cert_opt = ca_default
> default_days = 730
> default_crl_days = 30
> default_md = sha1
> preserve = no
> policy = policy_match
>
> [ policy_match ]
> countryName = match
> stateOrProvinceName = match
> organizationName = match
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ policy_anything ]
> countryName = optional
> stateOrProvinceName = optional
> localityName = optional
> organizationName = optional
> organizationalUnitName = optional
> commonName = supplied
> emailAddress = optional
>
> [ req ]
> prompt = no
> distinguished_name = client
> default_bits = 2048
> input_password = inpass
> output_password = outpass
>
> [client]
> countryName = UK
> stateOrProvinceName = United Kingdom
> localityName = Bristol
> organizationName = UWE
> emailAddress = [email protected]
> commonName = "UWE Client Certificate"
>
> eap.conf
> ========
>
> eap {
>     default_eap_type = md5
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 4096
>     md5 {
>     }
>     leap {
>     }
>     gtc {
>         auth_type = PAP
>     }
>     tls {
>         certdir = ${confdir}/certs
>         cadir = ${confdir}/certs
>         private_key_password = outpass
>         private_key_file = ${certdir}/server.pem
>         certificate_file = ${certdir}/server.pem
>         CA_file = ${cadir}/ca.pem
>         dh_file = ${certdir}/dh
>         random_file = ${certdir}/random
>         cipher_list = "DEFAULT"
>         cache {
>             enable = no
>             max_entries = 255
>         }
>     }
>     ttls {
>         default_eap_type = md5
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = no
>         use_tunneled_reply = no
>         virtual_server = "inner-tunnel"
>     }
>     mschapv2 {
>     }
> }
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
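The thread above quotes three moving parts that have to agree: the CA file the supplicant is pointed at (ca_cert="/etc/raddb/certs/ca.der" in the eapol_test config), the CA and server certificate the server loads (CA_file and certificate_file in eap.conf), and the extensions on the server certificate, which is what the Certificate_Compatibility page the warning links to is about: Windows supplicants reject a RADIUS server certificate that lacks the TLS Web Server Authentication extended key usage. Note that the quoted ca.cnf has an x509_extensions section (v3_ca) while the quoted server.cnf has none. The script below is an added example, not code from the thread, from FreeRADIUS or from wpa_supplicant; it builds a throwaway CA and two server certificates with the openssl CLI in the same style as those .cnf files and then runs the checks that tell "wrong CA file", "broken chain" and "missing serverAuth EKU" apart. It assumes openssl is on PATH; all DNs, hostnames and file names are made up, and the xpserver_ext section with OID 1.3.6.1.5.5.7.3.1 mirrors the xpextensions file FreeRADIUS ships in raddb/certs.

```shell
#!/bin/sh
# Added example (not from the thread, FreeRADIUS or wpa_supplicant). Assumes
# the openssl CLI is installed; DNs, hostnames and paths below are invented.
# xpserver_ext / 1.3.6.1.5.5.7.3.1 mirror FreeRADIUS's raddb/certs/xpextensions.

# Create in $1: ca.pem, ca.der (the DER copy a supplicant config might point
# at), server.pem (signed with no extensions, like the quoted server.cnf) and
# server-eku.pem (same CSR signed with extendedKeyUsage = serverAuth).
make_test_pki() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = ca_dn
x509_extensions = v3_ca
[ ca_dn ]
C = GB
O = Example Org
CN = Example RADIUS CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true
EOF
    cat > "$d/server.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = server_dn
[ server_dn ]
C = GB
O = Example Org
CN = radius.example.org
EOF
    cat > "$d/xpextensions" <<'EOF'
[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
EOF
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl x509 -in "$d/ca.pem" -outform DER -out "$d/ca.der" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$d/server.cnf" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 730 -out "$d/server.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 730 -extfile "$d/xpextensions" -extensions xpserver_ext \
        -out "$d/server-eku.pem" 2>/dev/null
}

# Sniff a certificate file's encoding: PEM, DER or unknown. eapol_test does not
# sniff; it attempts a PEM load first and falls back to DER, which is why a DER
# ca_cert yields "Failed to load root certificates" immediately followed by
# "loaded DER format CA certificate" in the quoted log.
cert_format() {
    b=$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')
    if [ "$b" = 2d ] && grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM
    elif [ "$b" = 30 ]; then echo DER      # 0x30 = ASN.1 SEQUENCE tag
    else echo unknown; fi
}

# The DER copy handed to the supplicant must be the same CA that the server's
# CA_file names: compare SHA-256 fingerprints across the two encodings.
check_ca_der() {
    pem=$(openssl x509 -in "$1/ca.pem" -noout -fingerprint -sha256 2>/dev/null)
    der=$(openssl x509 -inform DER -in "$1/ca.der" -noout -fingerprint -sha256 2>/dev/null)
    [ -n "$pem" ] && [ "$pem" = "$der" ]
}

# Does certificate $2 chain to $1/ca.pem? Grep for ": OK" rather than trusting
# the exit status, which old openssl builds did not set on failure.
check_chain() {
    openssl verify -CAfile "$1/ca.pem" "$2" 2>/dev/null | grep -q ': OK$'
}

# Does the certificate carry the TLS Web Server Authentication EKU?
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'TLS Web Server Authentication'
}

# Stand-alone demo: build the PKI and report every check.
demo_dir=$(mktemp -d)
if make_test_pki "$demo_dir"; then
    echo "ca.pem encoding: $(cert_format "$demo_dir/ca.pem")"
    echo "ca.der encoding: $(cert_format "$demo_dir/ca.der")"
    check_ca_der "$demo_dir" && echo "ca.der is the same CA as ca.pem" || echo "ca.der is NOT the same CA as ca.pem"
    for c in server.pem server-eku.pem; do
        check_chain "$demo_dir" "$demo_dir/$c" && echo "$c chains to ca.pem" || echo "$c does NOT chain to ca.pem"
        has_server_auth_eku "$demo_dir/$c" && echo "$c has the serverAuth EKU" || echo "$c lacks the serverAuth EKU"
    done
else
    echo "certificate generation failed (is openssl installed?)" >&2
fi
rm -rf "$demo_dir"
```

Point the same three functions at a real /etc/raddb/certs directory to triage a deployment: check_ca_der failing means the DER file given to the supplicant is a different CA from the one the server uses; check_chain failing means the server certificate was not signed by that CA; has_server_auth_eku failing is the Windows-side condition the wiki page describes. An absent EKU still passes OpenSSL's purpose check (only a present EKU without serverAuth fails it), which is why a Linux eapol_test run can succeed against a certificate that a Windows supplicant refuses.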

