Francois:
My apologies for not contacting you sooner; I was doing some more
testing. This is wireless 802.1x.
I was testing multiple clients just to make sure I was not doing
something foolish on the client side. Same results.
The EAP type must be getting set SOMEWHERE in the RADIUS server, but
for the life of me I cannot figure out where. I'm off to look at the virtual
servers again ... if anyone has any ideas I am all ears.
See log:
rad_recv: Access-Request packet from host 10.11.40.180 port 32887, id=53,
length=207
User-Name = "[email protected]"
NAS-IP-Address = 10.11.40.180
NAS-Identifier = "Sanderford-3"
NAS-Port = 656
Called-Station-Id = "00-0F-7D-31-67-A3:UMHB SecureNet"
Calling-Station-Id = "90-4C-E5-BE-77-AF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 6Mbps/6Mbps 802.11g"
EAP-Message = 0x020400060d00
State = 0x82c8a90480cca43bf4984f827c0da5de
Message-Authenticator = 0xc3124d5e300bb15393e7e6c1c93f930c
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "umhb.edu" for User-Name = "[email protected]"
[suffix] Found realm "~.*umhb\.edu$"
[suffix] Adding Stripped-User-Name = "tommy.moore"
[suffix] Adding Realm = "umhb.edu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[preprocess] returns ok
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair State = 0x82c8a90480cca43bf4984f827c0da5de
rlm_perl: Added pair Calling-Station-Id = 90-4C-E5-BE-77-AF
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-31-67-A3:UMHB SecureNet
rlm_perl: Added pair Message-Authenticator = 0xc3124d5e300bb15393e7e6c1c93f930c
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair NAS-Identifier = Sanderford-3
rlm_perl: Added pair EAP-Message = 0x020400060d00
rlm_perl: Added pair Connect-Info = CONNECT 6Mbps/6Mbps 802.11g
rlm_perl: Added pair Realm = umhb.edu
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair Stripped-User-Name = tommy.moore
rlm_perl: Added pair NAS-IP-Address = 10.11.40.180
rlm_perl: Added pair NAS-Port = 656
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
} # server packetfence
Sending Access-Challenge of id 53 to 10.11.40.180 port 32887
EAP-Message = 0x010500100d80000003fc00000e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x82c8a90481cda43bf4984f827c0da5de
Finished request 74.
Going to the next request
Waking up in 0.5 seconds.
rad_recv: Access-Request packet from host 10.11.40.180 port 32887, id=54,
length=218
User-Name = "[email protected]"
NAS-IP-Address = 10.11.40.180
NAS-Identifier = "Sanderford-3"
NAS-Port = 656
Called-Station-Id = "00-0F-7D-31-67-A3:UMHB SecureNet"
Calling-Station-Id = "90-4C-E5-BE-77-AF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 6Mbps/6Mbps 802.11g"
EAP-Message = 0x020500110d800000000715030100020230
State = 0x82c8a90481cda43bf4984f827c0da5de
Message-Authenticator = 0x419a427e92646925a7b40307cd5254df
server packetfence {
# Executing section authorize from file /etc/raddb/sites-enabled/packetfence
+- entering group authorize {...}
[suffix] Looking up realm "umhb.edu" for User-Name = "[email protected]"
[suffix] Found realm "~.*umhb\.edu$"
[suffix] Adding Stripped-User-Name = "tommy.moore"
[suffix] Adding Realm = "umhb.edu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[preprocess] returns ok
[eap] EAP packet type response id 5 length 17
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair State = 0x82c8a90481cda43bf4984f827c0da5de
rlm_perl: Added pair Calling-Station-Id = 90-4C-E5-BE-77-AF
rlm_perl: Added pair Called-Station-Id = 00-0F-7D-31-67-A3:UMHB SecureNet
rlm_perl: Added pair Message-Authenticator = 0x419a427e92646925a7b40307cd5254df
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair NAS-Identifier = Sanderford-3
rlm_perl: Added pair EAP-Message = 0x020500110d800000000715030100020230
rlm_perl: Added pair Connect-Info = CONNECT 6Mbps/6Mbps 802.11g
rlm_perl: Added pair Realm = umhb.edu
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair Stripped-User-Name = tommy.moore
rlm_perl: Added pair NAS-IP-Address = 10.11.40.180
rlm_perl: Added pair NAS-Port = 656
rlm_perl: Added pair Framed-MTU = 1400
rlm_perl: Added pair Auth-Type = EAP
++[packetfence] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 7
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [[email protected]] (from
client 10.11.40.180 port 656 cli 90-4C-E5-BE-77-AF)
} # server packetfence
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> [email protected]
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 75 for 1 seconds
Going to the next request
Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU
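The EAP-Message values in the log above can be decoded by hand to see which EAP type is in play and what the inner TLS record says. The decoder below is an added example, not code from the original thread or from PacketFence/FreeRADIUS; the function name and field labels are my own, and the EAP/EAP-TLS layout follows RFC 3748 and RFC 5216 (type byte 13 is EAP-TLS, and TLS alert description 48 is unknown_ca).

```python
import struct

# EAP header codes (RFC 3748) and the EAP-TLS method type (RFC 5216)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TLS_TYPE = 13
# A few TLS alert descriptions that show up in EAP-TLS certificate failures
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate",
              46: "certificate_unknown", 48: "unknown_ca"}

def decode_eap_message(hex_attr: str) -> dict:
    """Decode a FreeRADIUS-style EAP-Message attribute value such as '0x020400060d00'."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.lower().startswith("0x") else hex_attr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length <= 4:
        return out          # Success/Failure carry no type byte
    out["type"] = raw[4]
    if raw[4] != EAP_TLS_TYPE:
        return out
    out["type_name"] = "EAP-TLS"
    flags = raw[5]          # L = length included, M = more fragments, S = start
    out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    body = raw[6:]
    if out["flags"]["L"]:   # 4-byte total TLS message length precedes the data
        out["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    out["tls_data"] = body
    out["is_ack"] = flags == 0 and not body   # empty EAP-TLS packet = fragment ACK
    # TLS record header: content type, version major/minor, record length
    if len(body) >= 5:
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", body[:5])
        out["tls_version"] = (vmaj, vmin)
        if ctype == 0x15 and rlen == 2 and len(body) >= 7:   # alert record
            level, desc = body[5], body[6]
            out["tls_alert"] = {"level": "fatal" if level == 2 else "warning",
                                "description": TLS_ALERTS.get(desc, desc)}
    return out

if __name__ == "__main__":
    # Values taken from the log above: client ACK, server fragment, client alert
    for v in ("0x020400060d00", "0x010500100d80000003fc00000e000000",
              "0x020500110d800000000715030100020230"):
        print(v, "->", decode_eap_message(v))
```

On the last value the decoder reports a Response (code 2) carrying a fatal unknown_ca alert, i.e. the alert the log prints was sent by the client side of the TLS handshake.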
-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: Monday, May 07, 2012 9:40 AM
To: [email protected]
Subject: Re: [PacketFence-users] EAP type getting set to EAP-TLS
The eap.conf default_eap_type is properly set, so it's not FreeRADIUS.
Is this wired or wireless 802.1X? Maybe you can try to connect on another
switch or AP?
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users