EAP-TLS Authentication
Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks.
Re: EAP-TLS Authentication
> Please suggest any document which can help in better understanding on TLS Authentication.

Arvind, I also faced the same issue at the beginning, but I would suggest reading FreeRADIUS's own documentation. That is probably the best.

On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . arvind...@gmail.com wrote:
> Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks.

-- 
Best Regards
Muhammad Nadeem
Muhammad Ali Jinnah University
windows 7 eap-tls authentication
Hi list,

I want to authenticate Windows 7 computers with TLS certificates. The certs have the special Windows OIDs, but I still get the error from below. On the website http://wiki.freeradius.org/Certificate_Compatibility there is only WinXP mentioned. Is there maybe any difference with Windows 7? Has anyone done this, or a hint what's going wrong?

Thanks in advance,
chris

---
rad_recv: Access-Request packet from host 172.16.64.240 port 1645, id=133, length=153
    User-Name = host/cb-nb
    Service-Type = Framed-User
    Framed-MTU = 1500
    Called-Station-Id = 00-12-01-1B-2A-40
    Calling-Station-Id = 00-24-7E-6B-E4-BE
    EAP-Message = 0x0202000f01686f73742f63622d6e62
    Message-Authenticator = 0xdfa853b693abac5cede3b893dac561ba
    NAS-Port-Type = Ethernet
    NAS-Port = 50217
    NAS-Port-Id = FastEthernet2/17
    NAS-IP-Address = 172.16.64.240
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
[eap] EAP packet type response id 2 length 15
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 133 to 172.16.64.240 port 1645
    EAP-Message = 0x010300060d20
    Message-Authenticator = 0x
    State = 0xebeac82aebe9c52b6c542d897c25837b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 133 with timestamp +15
WARNING: !!
WARNING: !! EAP session for state 0xebeac82aebe9c52b did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!
Ready to process requests.
---
Re: windows 7 eap-tls authentication
Hi

On Wed, Apr 04, 2012 at 01:47:54PM +0200, Christian Bösch wrote:
> the certs have the special windows OIDs, but i still get the error from below.

The OIDs are only one reason for that error, but it is a very common reason for this issue. The basic problem is that, for some reason, Windows gave up and just didn't reply to the EAP-TLS start.

If in doubt, use the default FR config, get it to generate the certs (which will be done properly) and install and test with that. Then you should know that the FR/cert side is 100% ok, and it must be your Windows settings. Then tweak from there.

> on the website http://wiki.freeradius.org/Certificate_Compatibility there is only winxp mentioned. is there maybe any difference with windows 7? has anyone done this or a hint what's going wrong?

EAP-TLS definitely works with Windows 7. Check it's set for 'computer' authentication, and the certificates are all installed in the right places, including any intermediate certs (although you're not getting as far as that, it seems). Also make sure you have just one client cert in the computer account personal cert store - more than one can confuse things, as it probably won't pick the one you want.

Make sure you've set the connection to 'certificate', rather than 'PEAP'. FR is correctly sending EAP type 0d (eap-tls) back, and I'm not sure what Windows does if it's incorrectly expecting to do peap here.

Generally, though, it just works. Unfortunately I've not yet found any way to get decent debugging info out of Windows, such as you can get from things like wpa-supplicant.

Matthew

> ---
> rad_recv: Access-Request packet from host 172.16.64.240 port 1645, id=133, length=153
>     User-Name = host/cb-nb
>     Service-Type = Framed-User
>     Framed-MTU = 1500
>     Called-Station-Id = 00-12-01-1B-2A-40
>     Calling-Station-Id = 00-24-7E-6B-E4-BE
>     EAP-Message = 0x0202000f01686f73742f63622d6e62

eap response/identity

>     Message-Authenticator = 0xdfa853b693abac5cede3b893dac561ba
>     NAS-Port-Type = Ethernet
>     NAS-Port = 50217
>     NAS-Port-Id = FastEthernet2/17
>     NAS-IP-Address = 172.16.64.240
> # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authorize {...}
> [eap] EAP packet type response id 2 length 15
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/etc/raddb/sites-enabled/default
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Requiring client certificate
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 133 to 172.16.64.240 port 1645
>     EAP-Message = 0x010300060d20

eap request, type=eap-tls, start.

>     Message-Authenticator = 0x
>     State = 0xebeac82aebe9c52b6c542d897c25837b
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 133 with timestamp +15
> WARNING: !!
> WARNING: !! EAP session for state 0xebeac82aebe9c52b did not finish!
> WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
> WARNING: !!

windows never responds.

> Ready to process requests.
> ---

-- 
Matthew Newton, Ph.D. m...@le.ac.uk

Systems Architect (UNIX and Networks), Network Services, I.T. Services,
University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, ith...@le.ac.uk
Re: EAP/TLS authentication in 2050
> why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time?

No, of course not :) It was my curiosity that led me to test such a date.

> anyway I'm guessing these are 32 bit server and client OS ? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038 so, try this with KNOWN parameters - eg 2020 , within the 2038 timeframe and things should work.

The server is running SLES 11 SP1 (x86_64), a workstation running Windows XP SP3 (32bit). Authentication is successful until February 1, 2050, i.e. for example if you logged in on December 31, 2049, then the authentication is successful. A little later I will try a 64-bit client computer. The results will be announced later.

I tried on a 64 bit computer. The same result.
Re: EAP/TLS authentication in 2050
Victor Guk wrote:
> I tried on a 64 bit computer. The same result.

Ask the OpenSSL people why their library can't handle dates after 2050. FreeRADIUS can't handle dates after 2038, due to 32-bit limitations of the timestamp in RADIUS.

Alan DeKok.
EAP/TLS authentication in 2050
Hello

I have SLES 11 SP1 (64bit), freeradius 2.1.12 and openssl 0.9.8r. I set up authentication with EAP/TLS. Server and client certificates are valid until the year 3011. Here they are:

Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 5 07:05:02 2011 GMT
            Not After : Apr 7 07:05:02 3011 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = Root
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Apr 7 07:05:02 3011 GMT (365000 days)

Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Dec 5 07:06:57 2011 GMT
            Not After : Apr 7 07:06:57 3011 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = testuser
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Apr 7 07:06:57 3011 GMT (365000 days)

Now the client authentication is successful. FreeRADIUS shows this:

Login OK: [host/testuser] (from client private-network port 33566721 cli 0022-15ef-ab87)
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 67 to 10.2.2.240 port 5002
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 3
    MS-MPPE-Recv-Key = 0xca7449798f0f957fe8e03542d1b9a5ef6291756644f4e392a60f078a3c858cba
    MS-MPPE-Send-Key = 0xcfffb577e162ba2111b253f1f969e46e39521626f4669704e367502640f368a7
    EAP-Message = 0x03050004
    Message-Authenticator = 0x
    User-Name = host/testuser
Finished request 3.

After that, I wanted to check how things would be in 2050; recall that the certificates are valid until 3011. I set the time on the FreeRADIUS server to August 1, 2050 (01/08/2050) and the same on a client running Windows XP SP3. Authentication fails (the radius records are quoted slightly below).

I have a question for all who can help: is this a mistake of FreeRADIUS, which cannot correctly identify the validity of the certificate? Or have I made a mistake somewhere when setting it up? Maybe someone has already experienced this. I'll be glad for your help.

test#radiusd -X
..
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=68, length=221
    User-Name = host/testuser
    EAP-Message = 0x0202001201686f73742f7465737475736572
    Message-Authenticator = 0xe394bda2df7b6ff808bd0079cb5620cd
    NAS-IP-Address = 10.2.2.240
    NAS-Identifier = 001ac1d4d442
    NAS-Port = 33566721
    NAS-Port-Id = unit=2;subslot=0;port=3;vlanid=1
    NAS-Port-Type = Ethernet
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Calling-Station-Id = 0022-15ef-ab87
    H3C-Connect_Id = 18
    H3C-Product-ID = 5500-EI
    H3C-Ip-Host-Addr = 0.0.0.0 00:22:15:ef:ab:87
    H3C-NAS-Startup-Timestamp = 954640520
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = host/testuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 152
[files] users: Matched entry host/testuser at line 234
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 68 to 10.2.2.240 port 5002
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = 3
    EAP-Message = 0x010300060d20
    Message-Authenticator = 0x
    State = 0x905a520890595f1e7244e69c58c3b630
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=69, length=301
    User-Name = host/testuser
    EAP-Message = 0x020300500d8000461603010041013d030198387b2b15bc66925793a2b08aec38827730edb90a98238b1f8967ad5b0e5a301600040005000a000900640062000300060013001200630100
    Message-Authenticator = 0x57f352efbff4566bed7422e481a95c1e
    NAS-IP-Address = 10.2.2.240
    NAS-Identifier = 001ac1d4d442
    NAS-Port = 33566721
    NAS-Port-Id = unit=2;subslot=0;port=3;vlanid=1
    NAS-Port-Type = Ethernet
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Calling-Station-Id = 0022-15ef-ab87
    State = 0x905a520890595f1e7244e69c58c3b630
    H3C-Connect_Id = 18
    H3C-Product-ID = 5500-EI
    H3C-Ip-Host-Addr = 0.0.0.0 00:22:15:ef:ab:87
Re: EAP/TLS authentication in 2050
On 12/05/2011 08:25 AM, Victor Guk wrote:
> [tls] TLS 1.0 Handshake [length 0249], Certificate
> -- verify error:num=9:certificate is not yet valid
> [tls] TLS 1.0 Alert [length 0002], fatal bad_certificate
> TLS Alert write:fatal:bad certificate

This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL tells it.

Can you verify the cert with the openssl verify ... test command? e.g. try this:

openssl verify -CAfile ca.pem -purpose sslserver server.pem

If this fails as well, then it's either a problem in OpenSSL or your system libraries with dates 2050. If it succeeds (which I doubt) then FreeRADIUS should work too.

I sort of admire your effort to future-proof your certs though! ;o)

Cheers, Phil
Re: EAP/TLS authentication in 2050
hi,

why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time?

anyway I'm guessing these are 32 bit server and client OS ? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038

so, try this with KNOWN parameters - eg 2020 , within the 2038 timeframe and things should work.

alan
Re: EAP/TLS authentication in 2050
Hi,

> why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time?

To be honest, I'm thinking of a similar thing. Given how painful a CA rollover can be, I'm planning to rollover to a CA with validity somewhere beyond Stefan's retirement date, which is unfortunately later than 2037.

Given that the extra effort to extend the lifetime of a CA is *zero* (just enter a different date in openssl.cnf) and the pain to eventually stumble over an expiring CA is non-zero - I prefer to do the zero work. Of course things might change, my CA keys might get too short, and I might be forced to roll over anyway - there is at least a *chance* that I can prevent a need to rollover, and so I'll do it.

3011 is stretching it though, admitted.

Stefan

> anyway I'm guessing these are 32 bit server and client OS ? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038 so, try this with KNOWN parameters - eg 2020 , within the 2038 timeframe and things should work.
>
> alan

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: EAP/TLS authentication in 2050
> This error comes from within OpenSSL. FreeRADIUS just does what OpenSSL tells it. Can you verify the cert with the openssl verify ... test command? e.g. try this:
>
> openssl verify -CAfile ca.pem -purpose sslserver server.pem

freeradius:/usr/local/CA # openssl verify -CAfile cacert.pem -purpose sslserver cert-srv.pem
cert-srv.pem: OK

> If this fails as well, then it's either a problem in OpenSSL or your system libraries with dates 2050. If it succeeds (which I doubt) then FreeRADIUS should work too. I sort of admire your effort to future-proof your certs though! ;o)

> why? really, why? what purpose does testing these dates have - you really think your current infrastructure, and technologies such as 802.1X are going to be around in the same format in even 20 years time?

No, of course not :) It was my curiosity that led me to test such a date.

> anyway I'm guessing these are 32 bit server and client OS ? you may find, in that case, that your tests will work until you set the date beyond 2037 - 32bit OS have problems with dates after 2038 so, try this with KNOWN parameters - eg 2020 , within the 2038 timeframe and things should work.

The server is running SLES 11 SP1 (x86_64), a workstation running Windows XP SP3 (32bit). Authentication is successful until February 1, 2050, i.e. for example if you logged in on December 31, 2049, then the authentication is successful. A little later I will try a 64-bit client computer. The results will be announced later.
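The 2050 figure in this thread is not arbitrary: RFC 5280 requires X.509 validity times before 2050 to be DER-encoded as UTCTime (two-digit year) and times from 2050 onward as GeneralizedTime (four-digit year), so 2050-01-01 is the first instant at which a verifier's representation of the comparison time switches type, and the natural place for a time-handling bug to first appear (an inference; the thread does not establish the actual cause). The following Python is an added example, not code from the thread, FreeRADIUS or OpenSSL: it encodes and decodes a Validity SEQUENCE by those rules and checks the thread's 2011-to-3011 window at dates on both sides of 2050; the sample bytes are constructed here and all function names are my own.

```python
from datetime import datetime, timezone

# DER universal tags found inside an X.509 Validity SEQUENCE (RFC 5280 4.1.2.5)
TAG_SEQUENCE = 0x30
TAG_UTCTIME = 0x17          # YYMMDDHHMMSSZ, permitted only for years 1950..2049
TAG_GENERALIZEDTIME = 0x18  # YYYYMMDDHHMMSSZ, required for 2050 and later


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper (mine, not from the thread): build a timezone-aware UTC datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def encode_time(dt):
    """DER-encode a datetime the way RFC 5280 mandates for certificate validity.

    UTCTime has only a two-digit year, so 2050 cannot be expressed in it; that is
    why the encoding switches to GeneralizedTime exactly at 2050-01-01 00:00:00Z.
    """
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        tag, body = TAG_UTCTIME, dt.strftime("%y%m%d%H%M%SZ").encode("ascii")
    else:
        tag, body = TAG_GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ").encode("ascii")
    return bytes([tag, len(body)]) + body


def decode_time(der, offset=0):
    """Decode one UTCTime or GeneralizedTime TLV starting at der[offset].

    Returns (datetime, offset_after_tlv). Anything RFC 5280 forbids for these
    fields (local-time offsets, fractional seconds, odd lengths) is rejected
    rather than guessed at.
    """
    tag, length = der[offset], der[offset + 1]
    body = der[offset + 2:offset + 2 + length].decode("ascii")
    if not body.endswith("Z"):
        raise ValueError("validity times must be in UTC (trailing 'Z')")
    if tag == TAG_UTCTIME and length == 13:
        yy = int(body[0:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        rest = body[2:-1]
    elif tag == TAG_GENERALIZEDTIME and length == 15:
        year = int(body[0:4])
        rest = body[4:-1]
    else:
        raise ValueError("unexpected tag 0x%02x / length %d in Validity" % (tag, length))
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return utc(year, month, day, hour, minute, second), offset + 2 + length


def encode_validity(not_before, not_after):
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time }"""
    inner = encode_time(not_before) + encode_time(not_after)
    return bytes([TAG_SEQUENCE, len(inner)]) + inner


def decode_validity(der):
    """Parse a Validity SEQUENCE and return (not_before, not_after)."""
    if der[0] != TAG_SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    not_before, off = decode_time(der, 2)
    not_after, off = decode_time(der, off)
    if off != 2 + der[1]:
        raise ValueError("trailing bytes in Validity")
    return not_before, not_after


def valid_at(der, when):
    """True if `when` falls inside the encoded window (both ends inclusive)."""
    not_before, not_after = decode_validity(der)
    return not_before <= when.astimezone(timezone.utc) <= not_after


def time_tag_for(when):
    """The ASN.1 time type a verifier must use to represent the comparison time."""
    return encode_time(when)[0]


# Constructed sample: the window of the server certificate quoted in this thread,
# Dec 5 07:05:02 2011 GMT to Apr 7 07:05:02 3011 GMT.
SAMPLE_VALIDITY = encode_validity(utc(2011, 12, 5, 7, 5, 2), utc(3011, 4, 7, 7, 5, 2))


if __name__ == "__main__":
    nb, na = decode_validity(SAMPLE_VALIDITY)
    print("notBefore tag 0x%02x -> %s" % (SAMPLE_VALIDITY[2], nb))
    print("notAfter  tag 0x%02x -> %s" % (SAMPLE_VALIDITY[17], na))
    for when in (utc(2049, 12, 31), utc(2050, 8, 1)):
        print("%s: comparison time is tag 0x%02x, cert valid: %s"
              % (when.date(), time_tag_for(when), valid_at(SAMPLE_VALIDITY, when)))
```

Run against the thread's dates, both 2049-12-31 and 2050-08-01 lie inside the window; the only thing that changes at 2050 is the ASN.1 type of the comparison time.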
Problem with EAP-TLS authentication in Freeradius
Hi All,

I am using Freeradius 2.1.0. PEAP/TTLS is working fine and I am facing a problem in TLS authentication. I am able to generate a certificate but while connecting it throws an Authentication error. Can someone send me client.cnf and server.cnf? Also let me know whether installing only the client certificate is enough or whether we need to install ca.pem on the client side as well. Please let me know how to debug it.

rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
    User-Name = ma...@nokia.com
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = 0023692c6f74
    Calling-Station-Id = 0025d05b72ab
    NAS-Identifier = 0023692c6f74
    NAS-Port = 2
    Framed-MTU = 1400
    State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020200060d00
    Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm nokia.com for User-Name = ma...@nokia.com
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = maemo
[suffix] Adding Realm = DEFAULT
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
    EAP-Message = 0x01024000720070306e310b30
    Message-Authenticator = 0x
    State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
    User-Name = ma...@nokia.com
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = 0023692c6f74
    Calling-Station-Id = 0025d05b72ab
    NAS-Identifier = 0023692c6f74
    NAS-Port = 2
    Framed-MTU = 1400
    State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020300060d00
    Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm nokia.com for User-Name = ma...@nokia.com
[suffix] Found realm DEFAULT
[suffix] Adding Stripped-User-Name = maemo
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi,

Can anyone please give some solution or idea to debug it.

Regards
Senthil

On Mon, Apr 11, 2011 at 5:57 PM, senthil kumar mail...@gmail.com wrote:
> Hi Alan,
>
> Any solution or debug to this problem. Please let me know.
>
> Regards
> Senthil
>
> On Fri, Apr 8, 2011 at 1:43 PM, senthil kumar mail...@gmail.com wrote:
>> Hi Alan,
>>
>> Earlier I have faced the same problem and after changing the Makefile it was working fine. Now the certificate got expired and I tried to generate a new certificate. The problem is I am not able to connect with the new certificate. So please let me know how to solve this problem.
>>
>> Regards
>> Senthil
>>
>> On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok al...@deployingradius.com wrote:
>>> senthil kumar wrote:
>>>> I am using Freeradius 2.1.0. PEAP/TTLS is working fine and I am facing a problem in TLS authentication. I am able to generate a certificate but while connecting it throws an Authentication error. Please let me know how to debug it.
>>>
>>> *Read* the debug log. There's a lot of text, but looking for warning or error or failure or reject is simple.
>>>
>>> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
>>> TLS Alert read:warning:bad certificate
>>>
>>> See?
>>>
>>> Alan DeKok.

-- 
Adversity always presents opportunity for Introspection
Regards
Senthil
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi Alan,

Any solution or debug to this problem. Please let me know.

Regards
Senthil

On Fri, Apr 8, 2011 at 1:43 PM, senthil kumar mail...@gmail.com wrote:
> Hi Alan,
>
> Earlier I have faced the same problem and after changing the Makefile it was working fine. Now the certificate got expired and I tried to generate a new certificate. The problem is I am not able to connect with the new certificate. So please let me know how to solve this problem.
>
> Regards
> Senthil
>
> On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok al...@deployingradius.com wrote:
>> senthil kumar wrote:
>>> I am using Freeradius 2.1.0. PEAP/TTLS is working fine and I am facing a problem in TLS authentication. I am able to generate a certificate but while connecting it throws an Authentication error. Please let me know how to debug it.
>>
>> *Read* the debug log. There's a lot of text, but looking for warning or error or failure or reject is simple.
>>
>> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
>> TLS Alert read:warning:bad certificate
>>
>> See?
>>
>> Alan DeKok.

-- 
Adversity always presents opportunity for Introspection
Regards
Senthil
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
senthil kumar wrote:
> I am using Freeradius 2.1.0 PEAP/TTLS is working fine and I am facing problem in TLS authentication. I am able to generate certificate but while connecting it throws Authentication error. Please let me know how to debug it.

*Read* the debug log. There's a lot of text, but looking for warning or error or failure or reject is simple.

[tls] TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate

See?

Alan DeKok.
Re: Problem with EAP-TLS authentication in Freeradius 2.1.0
Hi Alan,

Earlier I have faced the same problem and after changing the Makefile it was working fine. Now the certificate got expired and I tried to generate a new certificate. The problem is I am not able to connect with the new certificate. So please let me know how to solve this problem.

Regards
Senthil

On Fri, Apr 8, 2011 at 12:40 PM, Alan DeKok al...@deployingradius.com wrote:
> senthil kumar wrote:
>> I am using Freeradius 2.1.0. PEAP/TTLS is working fine and I am facing a problem in TLS authentication. I am able to generate a certificate but while connecting it throws an Authentication error. Please let me know how to debug it.
>
> *Read* the debug log. There's a lot of text, but looking for warning or error or failure or reject is simple.
>
> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
> TLS Alert read:warning:bad certificate
>
> See?
>
> Alan DeKok.

-- 
Adversity always presents opportunity for Introspection
Regards
Senthil
Re: EAP-TLS authentication allows me to authenticate with invalid certificate.
Terry Simons wrote:
> I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS.

Well... the code which prints the error "verify error:num=20:" is in the verify certificate callback function. It's returning FALSE to OpenSSL. OpenSSL *should* return that error back up the call chain to the functions in src/modules/libeap/. They look for error returns from OpenSSL, and stop the conversation if so.

> There's a message in the log that clearly indicates that the CA wasn't found (-- verify error:num=20:unable to get local issuer certificate), yet my authentication succeeds. I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates).

Does it fail authentication with another version of FreeRADIUS? If not, it's an OpenSSL problem.

> I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt. Has anyone seen this before?

Nope. I'm not a crypto person. FreeRADIUS hands the SSL stuff to OpenSSL, which does its magic to verify the certs.

Alan DeKok.
EAP-TLS authentication allows me to authenticate with invalid certificate.
Hi, I'm running into an issue where FreeRADIUS allows an invalid certificate (one not signed by my configured CA) to successfully authenticate to EAP-TLS. There's a message in the log that clearly indicates that the CA wasn't found (-- verify error:num=20:unable to get local issuer certificate), yet my authentication succeeds. I'm using FreeRADIUS version 2.1.10 with a largely default configuration (home-grown certificates). I want this authentication to fail because the certificate that the client is using was not signed by the CA that I have configured with the CA_file directive, therefore it should be considered an invalid EAP-TLS attempt. Has anyone seen this before? I couldn't find any related messages in the FreeRADIUS archive.

Thanks,

Here's the log:

rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=39, length=189
	User-Name = AutomationUser
	NAS-IP-Address = 192.168.19.12
	NAS-Identifier = honeybutter
	NAS-Port = 0
	Called-Station-Id = 00-19-77-1F-8A-D1:HiveAP120-WPA2
	Calling-Station-Id = 00-25-00-43-5E-13
	Framed-MTU = 1500
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x0213014175746f6d6174696f6e55736572
	Message-Authenticator = 0xebf0b398f32dc38984552b06634ef90e
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = AutomationUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 39 to 192.168.19.12 port 1035
	EAP-Message = 0x010100060d20
	Message-Authenticator = 0x
	State = 0xd2fcae5dd2fda306cc163ff247674563
Finished request 37.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.19.12 port 1035, id=40, length=352
	User-Name = AutomationUser
	NAS-IP-Address = 192.168.19.12
	NAS-Identifier = honeybutter
	NAS-Port = 0
	Called-Station-Id = 00-19-77-1F-8A-D1:HiveAP120-WPA2
	Calling-Station-Id = 00-25-00-43-5E-13
	Framed-MTU = 1500
	NAS-Port-Type = Wireless-802.11
	Connect-Info = CONNECT 11Mbps 802.11b
	EAP-Message = 0x020100a40d80009a1603010095019103014cb5184f29200ee95888008e509e4cf7d61e39b9688acd0a179f3f12fd982b0356c00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010112000a00080006001700180019000b00020100
	State = 0xd2fcae5dd2fda306cc163ff247674563
	Message-Authenticator = 0xbaf4c3763aa24c9f8ecb1bc1695bfbe4
# Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = AutomationUser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 164
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[opendirectory] The host 192.168.19.12 does not have an access group.
++[opendirectory] returns ok
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 154
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] TLS 1.0 Handshake [length 0095], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] TLS 1.0 Handshake [length 069f], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls]
Re: Trouble migrating EAP TLS authentication from Free Radius 1.1.8 to 2.1.9
SEELEMANN, Sven wrote:
> I've been trying to migrate the FreeRadius server from 1.1.8 to the latest (stable) release (2.1.9 at the last try, 2.1.8 before that).

The configurations should be largely similar, i.e. minimal changes should be required.

> I'm using EAP TLS to authenticate modem connection to our DSLAM (using 2 way authentication). The 1.1.8 server has no trouble performing the task, however, the 2.1.x server doesn't ever complete the authentication process. From what I can tell, once the 1.1.8 server gets the final TLS ACK it allows the connection, but the 2.1.x server is looking for something else.

No. The server sends a challenge, and the supplicant (PC) fails to continue the EAP conversation.

> Is this a FreeRadius issue or a DSLAM problem? If DSLAM, where is the best place to start looking for description of what should be happening?

Check that the certificates, etc. are the same between the two configurations.

Alan DeKok.
Trouble migrating EAP TLS authentication from Free Radius 1.1.8 to 2.1.9
Hi, I've been trying to migrate the FreeRadius server from 1.1.8 to the latest (stable) release (2.1.9 at the last try, 2.1.8 before that). I'm using EAP TLS to authenticate modem connection to our DSLAM (using 2 way authentication). The 1.1.8 server has no trouble performing the task, however, the 2.1.x server doesn't ever complete the authentication process. From what I can tell, once the 1.1.8 server gets the final TLS ACK it allows the connection, but the 2.1.x server is looking for something else. Is this a FreeRadius issue or a DSLAM problem? If DSLAM, where is the best place to start looking for description of what should be happening?

I have openssl 1.0.0 installed on the sparc Solaris 10 server that is running FreeRadius. Using a single modem and debug mode, I've got the following log snippets (from the end of the session each):

Version 1.1.8:

Waking up in 5 seconds...
rad_recv: Access-Request packet from host 138.120.206.110:1, id=56, length=158
	NAS-Identifier = SSL-7330-3
	NAS-IP-Address = 138.120.206.110
	User-Name = 00:18:3F:5E:57:B0
	NAS-Port = 136383488
	NAS-Port-Type = xDSL
	Acct-Session-Id = 173:26:18::0075
	NAS-Port-Id = atm 1/1/04/13:0:32
	Calling-Station-Id = \000\030?^W\260
	EAP-Message = 0x020700060d00
	Message-Authenticator = 0x778fd2a832af2ac150c6df5119a51f88
	State = 0x2638193a96b23d3b2ac39fe35dff53cb
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 49
  modcall[authorize]: module preprocess returns ok for request 49
radius_xlat: '/usr/local/etc/raddb/var/log/radius/radacct/138.120.206.110/auth-detail-20100306'
rlm_detail: /usr/local/etc/raddb/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/etc/raddb/var/log/radius/radacct/138.120.206.110/auth-detail-20100306
  modcall[authorize]: module auth_log returns ok for request 49
  modcall[authorize]: module chap returns noop for request 49
  modcall[authorize]: module mschap returns noop for request 49
    rlm_realm: No '@' in User-Name = 00:18:3F:5E:57:B0, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 49
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 49
  modcall[authorize]: module files returns notfound for request 49
modcall: group authorize returns updated for request 49
  rad_check_password: Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 49
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 49
modcall: group authenticate returns ok for request 49
Sending Access-Accept of id 56 to 138.120.206.110:1
	MS-MPPE-Recv-Key = 0x7b94ecfc920b6cd85506aee431a4d876e4af891c3dc51c433af623302ace6490
	MS-MPPE-Send-Key = 0x370e00c44f3145ad3eaa77720d9e48a102750fcefdb44f980156c67c2dc790ee
	EAP-Message = 0x03070004
	Message-Authenticator = 0x
	User-Name = 00:18:3F:5E:57:B0
Finished request 49
Going to the next request
Waking up in 5 seconds...

Version 2.1.9:

Waking up in 4.2 seconds.
rad_recv: Access-Request packet from host 138.120.206.113 port 1, id=202, length=158
	NAS-Identifier = SSL-7330-4
	NAS-IP-Address = 138.120.206.113
	User-Name = 00:1B:5B:10:97:88
	NAS-Port = 136392448
	NAS-Port-Type = xDSL
	Acct-Session-Id = 157:52:37::0371
	NAS-Port-Id = atm 1/1/04/48:0:32
	Calling-Station-Id = \000\033[\020\227\210
	EAP-Message = 0x020e00060d00
	Message-Authenticator = 0xdffd259e9fa9cef084a12d640fb51073
	State = 0x056b0543006508967ef0ed7dafcf0427
+- entering group authorize {...}
++[preprocess] returns ok
[eap] EAP packet type response id 14 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] No SSL info available. Waiting for more SSL data.
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 202 to 138.120.206.113 port 1
	EAP-Message = 0x010f000a0d80
	Message-Authenticator = 0x
	State =
Re: Problem with EAP TLS authentication in Freeradius
Hi, I have copied the MAKE file from the 2.1.8 pre version, but I am not able to generate certificates. When I try to run ./bootstrap, it throws an error related to the MAKE.in file. Please let me know the procedure to generate a certificate.

Regards
Senthil

On Wed, Dec 9, 2009 at 1:00 AM, t...@kalik.net wrote:
>> Actually I copied the file from /usr/share/doc/freeradius/examples/certs folder But I didn't change any in MAKE file
> From which version? 2.1.7 or 2.1.8? 2.1.8 has the new Makefile which signs client certificates with ca certificate.
>> Is there any other way to debug it?
> That's openSSL stuff. Ask them.
> Ivan Kalik

--
Adversity always presents opportunity for Introspection
Regards
Senthil
Re: Problem with EAP TLS authentication in Freeradius
> I have copied MAKE file from the 2.1.8 pre version. But not able to generate certificates. When I try to run ./bootstrap, it throws error related to MAKE.in file. Please let me know the procedure to generate a certificate.

Read the README file in certs directory.

Ivan Kalik
Re: Problem with EAP TLS authentication in Freeradius
Where could I get the makefile v.2.1.8-pre? Probably it also solves the problem that I have.

regards,
Fernando.

t...@kalik.net wrote:
>> Below is the complete log. Please let me know how to solve/debug it.
>> [tls] Done initial handshake
>> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
>> TLS Alert read:warning:bad certificate
> It's a different error. Quite clear what is wrong. Did you try to alter Makefile yourself? If you don't know how to do it, try the Makefile from 2.1.8-pre or wait a few days for 2.1.8 release which will have client certificates signed by ca.
> Ivan Kalik
Re: Problem with EAP TLS authentication in Freeradius
Fernando Calvelo Vazquez wrote:
> Where could I get the makefile v.2.1.8-pre? Probably it also solves the problem that I have.

http://git.freeradius.org/pre/

Alan DeKok.
Re: Problem with EAP TLS authentication in Freeradius
Actually I copied the file from the /usr/share/doc/freeradius/examples/certs folder, but I didn't change anything in the MAKE file. Is there any other way to debug it?

On Tue, Dec 8, 2009 at 3:40 AM, t...@kalik.net wrote:
>> Below is the complete log. Please let me know how to solve/debug it.
>> [tls] Done initial handshake
>> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
>> TLS Alert read:warning:bad certificate
> It's a different error. Quite clear what is wrong. Did you try to alter Makefile yourself? If you don't know how to do it, try the Makefile from 2.1.8-pre or wait a few days for 2.1.8 release which will have client certificates signed by ca.
> Ivan Kalik

--
Adversity always presents opportunity for Introspection
Regards
Senthil
Re: Problem with EAP TLS authentication in Freeradius
> Where could I get the makefile v.2.1.8-pre? Probably it also solves the problem that I have.

Get the whole thing and take what you want: http://git.freeradius.org/pre/

Ivan Kalik
Re: Problem with EAP TLS authentication in Freeradius
> Where could I get the makefile v.2.1.8-pre? Probably it also solves the problem that I have.

PS. I would take the whole certs directory.

Ivan Kalik
Re: Problem with EAP TLS authentication in Freeradius
> Actually I copied the file from /usr/share/doc/freeradius/examples/certs folder But I didn't change any in MAKE file

From which version? 2.1.7 or 2.1.8? 2.1.8 has the new Makefile which signs client certificates with ca certificate.

> Is there any other way to debug it?

That's openSSL stuff. Ask them.

Ivan Kalik
Re: Problem with EAP TLS authentication in Freeradius
Hi All, below is the complete log. Please let me know how to solve/debug it.

Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4991, id=2, length=144
	User-Name = maemo
	NAS-IP-Address = 192.168.1.1
	Called-Station-Id = 0023692c6f74
	Calling-Station-Id = 0026cc77eec0
	NAS-Identifier = 0023692c6f74
	NAS-Port = 25
	Framed-MTU = 1400
	State = 0x45582910465c24fb98a2f4e05021adb4
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0204000d0d001503010002012a
	Message-Authenticator = 0x931254661785b3d79fa3b2f098878921
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = maemo, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 75
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
SSL Application Data
TLS failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
	expand: %{User-Name} -> maemo
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4993, id=2, length=126
	User-Name = maemo
	NAS-IP-Address = 192.168.1.1
	Called-Station-Id = 0023692c6f74
	Calling-Station-Id = 0026cc77eec0
	NAS-Identifier = 0023692c6f74
	NAS-Port = 25
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0204000d0d001503010002020a
	Message-Authenticator = 0x59f824b9b0758f49f85a716af1c7654f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = maemo, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 75
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
	expand: %{User-Name} -> maemo
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 2 to 192.168.1.1 port 4991
	EAP-Message = 0x04040004
	Message-Authenticator = 0x
Sending delayed reject for request 5
Sending Access-Reject of id 2 to 192.168.1.1 port 4993
Waking up in 3.9 seconds.
Cleaning up request 0 ID 2 with timestamp +364
Cleaning up request 1 ID 2 with timestamp +364
Cleaning up request 2 ID 2 with timestamp +364
Cleaning up request 3 ID 2 with timestamp +364
Waking up in 1.0 seconds.
Cleaning up request 4 ID 2 with timestamp +364
Cleaning up request 5 ID 2 with timestamp +364
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.1 port 1124, id=2, length=123
	User-Name = maemo
	NAS-IP-Address = 192.168.1.1
	Called-Station-Id = 0023692c6f74
	Calling-Station-Id = 0026cc77eec0
	NAS-Identifier = 0023692c6f74
	NAS-Port = 25
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020a016d61656d6f
	Message-Authenticator = 0x596ea2d6b93bd2f361c9eeb9553a4df9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = maemo, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
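The EAP-Message values in these radiusd -X logs can be read without a packet capture: the first four bytes are the EAP header (code, identifier, length), the fifth is the EAP type (13 = EAP-TLS), the sixth is the EAP-TLS flags byte (L = length included, M = more fragments, S = Start), and whatever follows is raw TLS record data. The script below is an added example, not FreeRADIUS code and not from any poster in this thread; it decodes those fields and, when the payload is a bare TLS alert record, names the alert. The sample values are the ones printed in the logs above: 0x010100060d20 is the server's EAP-TLS Start, 0x020300060d00 a client ACK, 0x0204000d0d001503010002012a the client's "warning bad_certificate" alert from the log just above, and 0x03070004 / 0x04040004 the final EAP Success and Failure. The alert-description table only covers the alerts that occur in this thread.

```python
"""Decode EAP-Message hex values from radiusd -X output for EAP-TLS.

Added example; not code from FreeRADIUS or from any poster in this thread.
Layout follows RFC 3748 (EAP header) and RFC 5216 (EAP-TLS flags byte).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT_ALERT = 21
# Alert descriptions that appear in this thread (RFC 5246, section 7.2).
TLS_ALERTS = {10: "unexpected_message", 42: "bad_certificate", 48: "unknown_ca"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    length: int
    eap_type: Optional[int] = None
    flags: Dict[str, bool] = field(default_factory=dict)
    tls_length: Optional[int] = None   # only present when the L flag is set
    data: bytes = b""
    alert: Optional[str] = None        # "<level> <description>" for a TLS alert


def decode_eap(hex_message: str) -> EapPacket:
    """Parse one EAP-Message attribute value exactly as radiusd prints it (0x...)."""
    raw = bytes.fromhex(hex_message[2:] if hex_message.startswith("0x") else hex_message)
    if len(raw) < 4:
        raise ValueError("EAP header needs code, identifier and a 2-byte length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        # radiusd prints the whole attribute, so a mismatch means a damaged paste.
        raise ValueError(f"EAP length field is {length} but {len(raw)} bytes were given")
    pkt = EapPacket(EAP_CODES.get(code, f"code {code}"), ident, length)
    if code in (3, 4):                       # Success / Failure carry no type byte
        return pkt
    pkt.eap_type = raw[4]
    if pkt.eap_type != EAP_TYPE_TLS:
        pkt.data = raw[5:]
        return pkt
    flags = raw[5]
    pkt.flags = {"L": bool(flags & 0x80),    # 4-byte TLS message length follows
                 "M": bool(flags & 0x40),    # more fragments follow
                 "S": bool(flags & 0x20)}    # EAP-TLS Start
    body = raw[6:]
    if pkt.flags["L"]:
        if len(body) < 4:
            raise ValueError("L flag set but no 4-byte TLS message length present")
        pkt.tls_length = int.from_bytes(body[:4], "big")
        body = body[4:]
    pkt.data = body
    # A bare TLS alert record is 7 bytes: type 21, 2-byte version, length 2, level, description.
    if len(body) == 7 and body[0] == TLS_CONTENT_ALERT and int.from_bytes(body[3:5], "big") == 2:
        level = {1: "warning", 2: "fatal"}.get(body[5], f"level {body[5]}")
        pkt.alert = f"{level} {TLS_ALERTS.get(body[6], f'alert {body[6]}')}"
    return pkt


def describe(hex_message: str) -> str:
    """One-line summary, in the spirit of radiusd's '[tls] ...' messages."""
    p = decode_eap(hex_message)
    head = f"{p.code} id={p.identifier} len={p.length}"
    if p.eap_type is None:
        return head                                     # Success / Failure
    if p.eap_type != EAP_TYPE_TLS:
        return f"{head} type={p.eap_type}"
    if p.code == "Request" and p.flags["S"]:
        return f"{head} EAP-TLS Start"
    if p.alert:
        return f"{head} EAP-TLS alert: {p.alert}"
    if not p.data and not p.flags["L"]:
        return f"{head} EAP-TLS ACK"
    total = f" of {p.tls_length}" if p.tls_length is not None else ""
    return f"{head} EAP-TLS data: {len(p.data)} bytes{total}, more={p.flags['M']}"


if __name__ == "__main__":
    # Constructed input: the EAP-Message values quoted in the logs above.
    for msg in ("0x010100060d20", "0x020300060d00", "0x0204000d0d001503010002012a",
                "0x0204000d0d001503010002020a", "0x03070004", "0x04040004"):
        print(msg, "->", describe(msg))
```

The length check matters when reading pasted logs: several EAP-Message values on this page no longer match their own length field, which is a sign that the paste, not the server, mangled them.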
Re: Problem with EAP TLS authentication in Freeradius
> Below is the complete log. Please let me know how to solve/debug it.
> [tls] Done initial handshake
> [tls] TLS 1.0 Alert [length 0002], warning bad_certificate
> TLS Alert read:warning:bad certificate

It's a different error. Quite clear what is wrong. Did you try to alter Makefile yourself? If you don't know how to do it, try the Makefile from 2.1.8-pre or wait a few days for 2.1.8 release which will have client certificates signed by ca.

Ivan Kalik
Re: Problem with EAP TLS authentication in Freeradius
> I am using FreeRADIUS 2.1.0. The setup is working fine with the EAP-TTLS and PEAP methods, but for EAP-TLS it gives the error below. Please let me know how to solve it.
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.

Well, post the rest of the debug.

Ivan Kalik
Problem with EAP TLS authentication in Freeradius
Hi, I am using FreeRADIUS 2.1.0. The setup is working fine with the EAP-TTLS and PEAP methods, but for EAP-TLS it gives the error below. Please let me know how to solve it.

[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.

Regards
Senthil
EAP/TLS authentication timeout
Hi, I'm trying to establish an EAP/TLS authentication. The certificates are created by the freeradius scripts. rad_eap_test v0.22 is used for testing. Somehow the authentication request runs into a timeout, but I can't see what's wrong. Any suggestions?

# ~/rad_eap_test -S testing123 -u wied...@edcllc.net -m IEEE8021X -e TLS -H localhost -P 1812 -j client.pem -k client.pem -p hello -c
timeout; 6
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=147
   Attribute 1 (User-Name) length=20
      Value: 'wied...@edcllc.net'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=27
      Value: 'rad_eap_test + eapol_test'
   Attribute 79 (EAP-Message) length=25
      Value: 02 00 00 17 01 77 69 65 64 65 6d 6a 40 65 64 63 6c 6c 63 2e 6e 65 74
   Attribute 80 (Message-Authenticator) length=18
      Value: cb 31 3e 88 24 e8 1a 10 cc b4 d2 12 6e bf 8c 68
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=0 length=80
   Attribute 79 (EAP-Message) length=24
      Value: 01 01 00 16 04 10 89 18 38 04 bb 3d d5 df 53 ef 55 cb 64 5b 52 9b
   Attribute 80 (Message-Authenticator) length=18
      Value: d8 85 a6 2f e9 11 da 62 f9 a3 43 1b 04 21 70 90
   Attribute 24 (State) length=18
      Value: be 60 98 38 be 61 9c a1 ab 26 38 fa 49 90 77 88
Copied RADIUS State Attribute
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=1 length=148
   Attribute 1 (User-Name) length=20
      Value: 'wied...@edcllc.net'
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '70-6F-6C-69-73-68'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 77 (Connect-Info) length=27
      Value: 'rad_eap_test + eapol_test'
   Attribute 79 (EAP-Message) length=8
      Value: 02 01 00 06 03 0d
   Attribute 24 (State) length=18
      Value: be 60 98 38 be 61 9c a1 ab 26 38 fa 49 90 77 88
   Attribute 80 (Message-Authenticator) length=18
      Value: e4 1a c5 34 14 71 94 0c 2b 7c 4b ad 9b 3f c6 ae
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=1 length=64
   Attribute 79 (EAP-Message) length=8
      Value: 01 02 00 06 0d 20
   Attribute 80 (Message-Authenticator) length=18
      Value: 55 fa ee 1b 05 ce 82 83 ed ea 1c 98 a6 0e 52 2d
   Attribute 24 (State) length=18
      Value: be 60 98 38 bf 62 95 a1 ab 26 38 fa 49 90 77 88

--

FreeRADIUS Version 2.1.3, for host i486-pc-linux-gnu, built on Feb 25 2009 at 14:17:43
Starting - reading configuration files ...
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/freeradius/freeradius.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = yes
	auth_badpass = yes
	auth_goodpass = yes
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = testing123
	nastype = other
}
radiusd: Loading Realms and Home Servers
 proxy server {
	retry_delay = 5
	retry_count = 3
	default_fallback = no
	dead_time = 120
	wake_all_if_all_dead = no
 }
 home_server localhost {
	ipaddr = 127.0.0.1
	port = 1812
	type = auth
	secret = testing123
	response_window = 20
	max_outstanding = 65536
	zombie_period = 40
	status_check = status-server
	ping_interval = 30
	check_interval = 30
	num_answers_to_alive = 3
	num_pings_to_alive = 3
	revive_interval = 120
	status_check_timeout = 4
 }
 home_server_pool my_auth_failover {
	type = fail-over
	home_server = localhost
 }
 realm example.com {
	auth_pool = my_auth_failover
 }
 realm LOCAL {
 }
radiusd: Instantiating modules
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating exec
  exec {
	wait = no
	input_pairs = request
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating expr
 Module: Linked
AW: EAP/TLS authentication timeout
Hi, I got a little further in using eapol_test. Now the radius server reports the following.

FreeRADIUS Version 2.1.3, for host i486-pc-linux-gnu, built on Feb 25 2009 at 14:17:43
Copyright (C) 1999-2008 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/sql.conf
including configuration file /etc/freeradius/sql/mysql/dialup.conf
including configuration file /etc/freeradius/sql/mysql/counter.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
	prefix = /usr
	localstatedir = /var
	logdir = /var/log/freeradius
	libdir = /usr/lib/freeradius
	radacctdir = /var/log/freeradius/radacct
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	allow_core_dumps = no
	pidfile = /var/run/freeradius/freeradius.pid
	checkrad = /usr/sbin/checkrad
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = yes
	auth_badpass = yes
	auth_goodpass = yes
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
client dehanxp-8453 {
	ipaddr = 10.149.123.111
	require_message_authenticator = no
	secret = 123
}
client dehanrf-22201 {
	ipaddr = 10.149.10.68
	require_message_authenticator = no
	secret = Blu0DojNa
}
client dehansw {
	ipaddr = 10.149.10.0
	netmask = 24
	require_message_authenticator = no
	secret = RyftOnji
}
client Sinus {
	ipaddr = 10.149.12.222
	require_message_authenticator = no
	secret = tcom
}
client dehanrf-222c {
	ipaddr = 10.149.10.50
Re: AW: EAP/TLS authentication timeout
Wiedemann, Joerg wrote:
> I got a little further in using eapol_test. Now the radius server reports the following.

There is a lot... but reading it for "error" and "failure" doesn't hurt, either.

> ...
> [tls] TLS 1.0 Handshake [length 0382], Certificate
> -- verify error:num=20:unable to get local issuer certificate
> [tls] TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> SSL: SSL_read failed in a system call (-1), TLS session fails.
> TLS receive handshake failed during operation
> [tls] eaptls_process returned 4
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.

The certs you are using are wrong or non-existent. Follow the guide on http://deployingradius.com to get EAP working. There is also an EAP-TLS howto on freeradius.org, and on the wiki.

Alan DeKok.
Re: AW: EAP/TLS authentication timeout
I got a little further in using eapol_test. Now the radius server reports the following.
...
[tls] TLS 1.0 Handshake [length 0382], Certificate
-- verify error:num=20:unable to get local issuer certificate
[tls] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA

And what is unclear about that message?

Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?
Hi FreeRADIUS user community,

I'm in search of some ideas for the following situation: Given are several WLANs controlled by a Siemens Hipath C2400 WLAN Controller with Siemens APs. The controller provides different WLANs identified by different ESSIDs. All WLAN clients use IEEE802.1x authentication with EAP-TLS and client certificates. The authentication is done by FreeRADIUS 1.0.1 on Redhat EL AS4. At the moment, all clients use certificates and inside the FreeRADIUS eap-tls section the CA certificates are trusted. All Windows clients use a MS CA and have certificates with the Windows system name as the certificate's common name. Other devices like mobile scanners or WLAN mobile phones (VoIP) have manually generated certificates with the device type as the certificate's common name, like phone, mobile scanner or else. So far, it works.

But now I was asked if it is possible to restrict the association of several device types to defined ESSIDs. There should be a WLAN office where all devices are allowed to connect if they have a valid certificate. Other ESSIDs should only accept special devices, e.g. only devices with the certificate's common name phone should be allowed to connect to the ESSID voice. I know the Siemens controller is able to send the ESSID the device is trying to connect to inside the RADIUS request as a vendor-specific attribute.

Is it possible with FreeRADIUS to match these requirements? To select based on the ESSID the device is connecting to? If the connecting ESSID is office, all devices with a valid certificate are allowed to connect. If the ESSID is voice, only devices with a valid certificate and with a certificate's common name that contains *phone* are allowed to connect. If the ESSID is production-1, only devices with a valid certificate and with a certificate's common name that contains *mobile scanner* are allowed to connect.

I've googled a lot, without success. All FreeRADIUS documentation I've found about eap-tls only describes how to accept all devices with a valid certificate. I've seen this scenario running with commercial RADIUS servers but I guess it might also be possible using FreeRADIUS. Any tip or idea is welcome.

-- Ulf Leichsenring u...@leichsenring.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?
On Wednesday, 1 April 2009 13:43:30, Ulf Leichsenring wrote:
Is it possible with FreeRADIUS to match these requirements? To select based on the ESSID the device is connecting to? If the connecting ESSID is office, all devices with a valid certificate are allowed to connect. If the ESSID is voice, only devices with a valid certificate and with a certificate's common name that contains *phone* are allowed to connect. If the ESSID is production-1, only devices with a valid certificate and with a certificate's common name that contains *mobile scanner* are allowed to connect.

Hi,
1) Upgrade to a current version of FR. 2.1.4 should do.
2) Edit your dictionary so that your FR understands the Siemens vendor-specific attributes.
3) Create an unlang (only FR version 2!) config that also checks the new ESSID attribute and the corresponding group membership; that should do the job.

Greetings,
-- Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: mi...@multinet.de
web: www.multinet.de
Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
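The decision Michael's step 3 describes (valid certificate first, then ESSID plus certificate common name), written out as an added example for this page; it is not FreeRADIUS code and not unlang, which is where it would actually live on the server (FreeRADIUS 2 exposes the client certificate's fields as request attributes, for instance TLS-Client-Cert-Common-Name, that unlang can test). Assumptions: the ESSID is taken from a Called-Station-Id of the form "MAC:ESSID", which is how the access points elsewhere in this archive report it (the Siemens controller in the question sends it as a VSA instead, but the check is the same once the dictionary knows the attribute), and the subject is in OpenSSL's one-line "/C=../CN=.." form as seen in the debug output quoted in this archive. The policy table and the sample requests are constructed from the three ESSIDs in the question.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy maps an ESSID to the substring that must appear in the client
// certificate's common name; an empty string means any valid certificate is
// accepted. ESSIDs and CN patterns are the ones from the question.
var Policy = map[string]string{
	"office":       "",
	"voice":        "phone",
	"production-1": "mobile scanner",
}

// essidFromCalledStationId extracts the ESSID from a Called-Station-Id of the
// form "MAC:ESSID" (assumption: the layout used by the access points elsewhere
// in this archive; a controller that sends the ESSID in a VSA would hand the
// value over directly).
func essidFromCalledStationId(v string) (string, bool) {
	i := strings.IndexByte(v, ':')
	if i < 0 || i+1 >= len(v) {
		return "", false
	}
	return v[i+1:], true
}

// cnFromSubject pulls the CN out of an OpenSSL one-line subject such as
// "/C=NL/ST=Netherlands/O=C2C/CN=mike/emailAddress=...".
func cnFromSubject(subject string) (string, bool) {
	for _, part := range strings.Split(subject, "/") {
		if strings.HasPrefix(part, "CN=") {
			return strings.TrimPrefix(part, "CN="), true
		}
	}
	return "", false
}

// Decide is the authorization step that runs after the EAP-TLS chain check.
// certValid is that check's result, so an untrusted or expired certificate is
// refused before the ESSID policy is consulted. An ESSID without a policy
// entry or a certificate without a CN is refused too (default deny).
func Decide(certValid bool, calledStationId, subject string) (bool, string) {
	if !certValid {
		return false, "client certificate failed verification"
	}
	essid, ok := essidFromCalledStationId(calledStationId)
	if !ok {
		return false, "no ESSID in Called-Station-Id"
	}
	want, known := Policy[essid]
	if !known {
		return false, "no policy for ESSID " + essid
	}
	cn, ok := cnFromSubject(subject)
	if !ok {
		return false, "no CN in certificate subject"
	}
	if want != "" && !strings.Contains(strings.ToLower(cn), want) {
		return false, fmt.Sprintf("CN %q is not allowed on ESSID %q", cn, essid)
	}
	return true, "accept"
}

func main() {
	// Constructed requests: a laptop on office, a phone on voice, the same
	// laptop trying voice, and a scanner whose certificate did not verify.
	cases := []struct {
		valid   bool
		called  string
		subject string
	}{
		{true, "00-18-F8-F5-87-53:office", "/C=NL/O=C2C/CN=laptop-0042"},
		{true, "00-18-F8-F5-87-53:voice", "/C=NL/O=C2C/CN=phone-17"},
		{true, "00-18-F8-F5-87-53:voice", "/C=NL/O=C2C/CN=laptop-0042"},
		{false, "00-18-F8-F5-87-53:production-1", "/C=NL/O=C2C/CN=mobile scanner 3"},
	}
	for _, c := range cases {
		ok, why := Decide(c.valid, c.called, c.subject)
		fmt.Printf("%-32s %-32s -> %-5v (%s)\n", c.called, c.subject, ok, why)
	}
}
```

Two design points carry over to the real unlang policy: the certificate check comes first and is not something the ESSID branch can override, and an ESSID that nobody wrote a rule for is rejected rather than treated like office. Substring matching on the CN is what the question asks for; if the CA issues names under your control, an exact match or a dedicated naming prefix per device class is easier to audit.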
Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?
I know, the Siemens controller is able to send the ESSID the device is trying to connect inside the RADIUS request as vendor specific attribute. And what VSA would it be? If you can find that attribute in the dictionaries - it is possible. If you can't - you can add it yourself to raddb/dictionary. It would be better to get the dictionary from Siemens and post it to this list so it can be included in freeradius distribution (I don't see dictionary.siemens in current server dictionaries). Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?
Michael Schwartzkopff wrote:
1) Upgrade to a current version of FR. 2.1.4 should do.
2) Edit your dictionary so that your FR understands the Siemens vendor-specific attributes.
3) Create an unlang (only FR version 2!) config that also checks the new ESSID attribute and the corresponding group membership; that should do the job.

Thanks. I will update and study how to create an unlang config.

-- Ulf Leichsenring u...@leichsenring.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Is WLAN IEEE802.1x EAP-TLS authentication with ESSID selection possible?
t...@kalik.net wrote:
And what VSA would it be? If you can find that attribute in the dictionaries - it is possible. If you can't - you can add it yourself to raddb/dictionary. It would be better to get the dictionary from Siemens and post it to this list so it can be included in freeradius distribution (I don't see dictionary.siemens in current server dictionaries).

I will ask Siemens to get their VSA dictionary and post it to the list if Siemens doesn't mind.

-- Ulf Leichsenring u...@leichsenring.net
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
eap/tls authentication problem
Hello all,

I'm relatively new to freeradius. I got freeradius running fine as an AAA server and want to extend it to authenticate my wireless. I'm testing with a Linksys WRT54G AP. I've done a lot of reading on how to configure eap/tls but for some reason I can't get it to work. Can anybody give me some advice on how to get this to work? See below a screen dump of the freeradius server.

rad_recv: Access-Request packet from host 192.168.100.5:2689, id=3, length=1660
    Message-Authenticator = 0x9a0b07611fd6b83251839c544b3552e6
    Service-Type = Framed-User
    User-Name = mike
    Framed-MTU = 1488
    State = 0x55654869c3d2859237b430d6df9b6c0f
    Called-Station-Id = 00-18-F8-F5-87-53:mikiemike
    Calling-Station-Id = 00-13-E8-94-F3-B5
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = ...
    EAP-Message = ...
    EAP-Message = ...
    EAP-Message = ...
    EAP-Message = ...
    EAP-Message = 0x7ce49d2f89daca63bb3559bd962e798378a495188528527b4fc3024a7bb03cb2bbd35185a43df406aaa4f9bbee0fd1476c79036890bae4a15ef849c012cb317cb653f20044c1a2551074b8dc6587f74fea698120e3c9b660f3c877c147ccc7b06fab427f809a92aa68b6f087d4e7b5f9a8af070ad62829f83d7ffa41c85325ec2febccf83bd9f202a05864788b887568f28084475331515aa9d8e2042bba7ad81514030100010116030100200599856b69ece58d8f82454916c6fcab3f13833e107f17f8967c3c6c8cd061ad
    NAS-IP-Address = 192.168.100.5
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
modcall[authorize]: module preprocess returns ok for request 13
modcall[authorize]: module chap returns noop for request 13
modcall[authorize]: module mschap returns noop for request 13
rlm_realm: No '@' in User-Name = mike, looking up realm NULL
rlm_realm: No such realm NULL
modcall[authorize]: module suffix returns noop for request 13
rlm_eap: EAP packet type response id 3 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 13
users: Matched DEFAULT at 152
users: Matched DEFAULT at 171
users: Matched mike at 219
modcall[authorize]: module files returns ok for request 13
modcall: group authorize returns updated for request 13
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall:
Re: eap/tls authentication problem
So, you should probably create a new certificate with a certified CA or a correct own CA. Install openssl and follow a howto on creating new certificates. Make sure you match the Common Name to server.domainname. Furthermore, change the certificate options (like password) in eap.conf.

gr, jelle

rlm_eap_tls: TLS 1.0 Handshake [length 0377], Certificate
-- verify error:num=20:unable to get local issuer certificate
chain-depth=0, error=20
-- User-Name = mike
-- BUF-Name = mike
-- subject = /C=NL/ST=Netherlands/O=C2C/CN=mike/[EMAIL PROTECTED]
-- issuer = /C=NL/ST=Netherlands/O=C2C/CN=BDHZ_server/[EMAIL PROTECTED]
-- verify return:0
rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
6996:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2004:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: eap/tls authentication problem
Oh, and when using TLS, install the client certificate on the client.

2008/6/15 Jelle Langbroek [EMAIL PROTECTED]:
So, you should probably create a new certificate with a certified CA or a correct own CA.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP TLS Authentication failing!!!! Unknown CA
I'm happy to be wrong about this, but in my experience, this parameter:

-CApath ca.pem

needs to be an actual path, not a PEM CA file, where you have performed these steps:
download certificate authority cert in PEM format
run c_rehash . (openssl script)

On Thu, May 15, 2008 at 10:37 AM, Avinash Patil [EMAIL PROTECTED] wrote:
Since last week I am trying to authenticate to the freeradius server but I am getting an error like Unknown CA. Please see attached radius logs. When I verify the client certificate using openssl verify -CApath ca.pem client.pem I see the following error: Error 20 at depth 0 lookup : unable to get local issuer certificate.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
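The failure in this thread, in Jelle's reply above and in Alan DeKok's "EAP/TLS authentication timeout" reply is the same one: the client's certificate was issued by a CA that the server's trust store does not contain, which OpenSSL reports as error 20 ("unable to get local issuer certificate") and which rlm_eap_tls turns into a fatal unknown_ca alert. The Go program below is an added example for this page, not FreeRADIUS or OpenSSL code: it builds a throw-away CA and client certificate in memory (constructed; "BDHZ_server" is only borrowed from the issuer CN in the quoted log) and runs the same chain check a RADIUS server runs, once against a trust store without the issuer and once with it. Go's x509 package takes its roots from a CertPool, so there is no file-or-directory question here; with the openssl command line the equivalent is that -CAfile takes a PEM file while -CApath takes a directory prepared with c_rehash, which is the point of the reply above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// selfSignedCA builds a throw-away CA certificate (constructed for this
// example, playing the role of the CA that bootstrap generates from ca.cnf).
func selfSignedCA(cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// clientCert issues an EAP-TLS client certificate signed by the given CA.
func clientCert(cn string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// VerifyClient performs the chain check the server does when the client's
// Certificate message arrives. It returns (ok, unknownCA): unknownCA is true
// when the problem is that no trusted root issued the certificate, the case
// OpenSSL reports as "error 20: unable to get local issuer certificate" and
// the server answers with a fatal unknown_ca alert.
func VerifyClient(leaf *x509.Certificate, roots *x509.CertPool) (ok bool, unknownCA bool) {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err == nil {
		return true, false
	}
	var unknown x509.UnknownAuthorityError
	return false, errors.As(err, &unknown)
}

// Scenario reproduces the thread: the same client certificate checked against
// a trust store that lacks its issuer, then against one that contains it.
func Scenario() (wrongStoreOK, wrongStoreUnknownCA, rightStoreOK bool) {
	issuer, issuerKey := selfSignedCA("Example CA") // the CA that signed the client cert
	otherCA, _ := selfSignedCA("BDHZ_server")      // a different CA the server trusts instead
	leaf := clientCert("mike", issuer, issuerKey)

	wrongStore := x509.NewCertPool()
	wrongStore.AddCert(otherCA)
	wrongStoreOK, wrongStoreUnknownCA = VerifyClient(leaf, wrongStore)

	rightStore := x509.NewCertPool()
	rightStore.AddCert(issuer)
	rightStoreOK, _ = VerifyClient(leaf, rightStore)
	return
}

func main() {
	wrongOK, unknownCA, rightOK := Scenario()
	fmt.Printf("issuer missing from trust store: ok=%v unknown_ca=%v\n", wrongOK, unknownCA)
	fmt.Printf("issuer present in trust store:   ok=%v\n", rightOK)
}
```

The check is deliberately strict about the extended key usage as well: a certificate that chains correctly but was not issued for client authentication is refused, which is the behaviour you want from an EAP-TLS server.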
EAP TLS Authentication failing!!!! Unknown CA
Hi All,

I am trying to authenticate one embedded WLAN device using freeRadius server 2.0.4. I have radiusd.conf and client.conf files as per my configuration. I have created certificates using the bootstrap script. Values in ca.cnf, client.cnf and server.cnf have been modified accordingly. I have copied ca.pem and client.pem to the device filesystem. The private key has been extracted from client.pem.

Since last week I am trying to authenticate to the freeradius server but I am getting an error like Unknown CA. Please see attached radius logs. When I verify the client certificate using openssl verify -CApath ca.pem client.pem I see the following error: Error 20 at depth 0 lookup : unable to get local issuer certificate.

The device is already tested with Windows 2003 server's TLS (of course with a different set of certificates :) ) and it is working fine. What will be the possible reason behind this and where am I going wrong? Appreciate your help.

Thanks and Regards,
Avinash.

    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = 0x020300060d00
    NAS-IP-Address = 192.168.1.202
    NAS-Port = 1
    NAS-Port-Id = STA port # 1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = ttls, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type EAP
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
    EAP-Message = ...
    EAP-Message = ...
    EAP-Message = 0x0d69ef9682c3799b8f937862abc892f9c762390a0636243884e4a19f82cee525441b702668c8324f65d6873ea2e66da74e2f0315ea3140ea4a697ef579582a06c1878fd704a816030100880d800403040102007900773075310b3009060355040613024b52310f300d06035504081306526164697573310e300c0603550407130553656f756c310c300a060355040a13034c47453122302006092a864886f70d0109011613726f6f74407261646975732e6663702e636f6d311330110603550403130a4578616d706c652043410e00
    Message-Authenticator = 0x
    State = 0xc12f5c20c22b515967037c6c5beccf92
Finished request 125.
Going to the next request
Waking up in 4.0 seconds.
    Message-Authenticator = 0x166c2b12ab14ab768f5610222b8ba289
    Service-Type = Framed-User
    User-Name = ttls\000
    Framed-MTU = 1488
    State = 0xc12f5c20c22b515967037c6c5beccf92
    Called-Station-Id = 00-1E-C1-2D-D7-40:FCP_3COM
    Calling-Station-Id = 00-05-C9-A1-C9-70
    NAS-Identifier = 3Com Access Point 7760
    NAS-Port-Type = Wireless-802.11
    Connect-Info = CONNECT 54Mbps 802.11g
    EAP-Message = ...
    EAP-Message =
EAP TLS Authentication with eToken
Hello, has anyone used the eToken Aladdin 64k with EAP-TLS authentication using wpa_supplicant? Thank you, Rick
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
EAP-TLS authentication with FreeRADIUS 2.0
Hi:

I run FreeRADIUS 2.0 for EAP-TLS authentication on my wireless network. It works fine in my test setup but there are some pieces missing I can't figure out:
1. I'd like to add support for more than one root certificate
2. I'd like to log the certificate's distinguished name
3. I'd like to add an LDAP backend for further authentication

The point is that I don't mind sharing my network as long as I know who people are, and it would relieve me of some certificate management if I can just add CA certificates. I'd like to log the distinguished name, as it is better when multiple CAs are used. It would be nice too, also, to store a copy of any user certificate submitted, or log both email, distinguished name and possibly certificate serial number. I'd like the LDAP backend in order to add extra information for each user and possibly block a user without revoking the certificate, and other management tasks.

Is this possible?

Thanks, Erik
-- Erik Nørgaard Ph: +34.666334818 http://www.locolomo.org
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: EAP-TLS authentication
No. But you can create a script that monitors accounting data and alerts you when there are multiple Calling-Station-Ids per username. You can then ban those users (CRL) or discipline them in any way you see fit.

Ivan Kalik
Kalik Informatika ISP

On 14/12/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
HI, I am using EAP_TLS authentication, i.e. certificate-based authentication, with free radius. The setup is working fine. I have one query. Is there any way to lock the client certificate to a particular laptop MAC address so that the certificate cannot be used in another machine? Is there any config in Free radius for this purpose so that one certificate should not be used by another user?
Regards
Anoop
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
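Ivan's suggestion above (watch the accounting data and raise an alert when one identity shows up from more than one station) as an added example written for this page; it is not FreeRADIUS code and not anything from the thread. It parses records laid out like FreeRADIUS's detail file (assumption: one timestamp line, indented "Attribute = Value" lines, a blank line between records; the sample records are constructed) and lists every User-Name whose Start records carry more than one distinct Calling-Station-Id. Reading the real detail file from disk and the alerting action are left to the reader.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample in the layout of a FreeRADIUS detail file. "anoop"
// starts sessions from two different stations; "mike" from one. The Stop
// record repeats a station already seen and must not count twice.
const sampleDetail = `Thu Dec 13 10:00:00 2007
	Acct-Status-Type = Start
	User-Name = "anoop"
	Calling-Station-Id = "00-13-E8-94-F3-B5"
	NAS-IP-Address = 192.168.100.5

Thu Dec 13 10:05:00 2007
	Acct-Status-Type = Start
	User-Name = "mike"
	Calling-Station-Id = "00-24-7E-6B-E4-BE"
	NAS-IP-Address = 192.168.100.5

Thu Dec 13 11:30:00 2007
	Acct-Status-Type = Start
	User-Name = "anoop"
	Calling-Station-Id = "00-05-c9-a1-c9-70"
	NAS-IP-Address = 192.168.100.5

Thu Dec 13 12:00:00 2007
	Acct-Status-Type = Stop
	User-Name = "anoop"
	Calling-Station-Id = "00-13-E8-94-F3-B5"
	NAS-IP-Address = 192.168.100.5
`

// Record holds one accounting record's attributes, quotes stripped.
type Record map[string]string

// ParseDetail splits detail-file text into records: an unindented line is a
// timestamp that opens a record, indented lines are attributes, a blank line
// closes the record.
func ParseDetail(text string) []Record {
	var out []Record
	var cur Record
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		switch {
		case strings.TrimSpace(line) == "":
			if cur != nil {
				out = append(out, cur)
				cur = nil
			}
		case line[0] == '\t' || line[0] == ' ':
			if cur == nil {
				continue // attribute line outside a record: skip
			}
			kv := strings.TrimSpace(line)
			if i := strings.Index(kv, " = "); i > 0 {
				cur[kv[:i]] = strings.Trim(kv[i+3:], `"`)
			}
		default:
			if cur != nil {
				out = append(out, cur)
			}
			cur = Record{}
		}
	}
	if cur != nil {
		out = append(out, cur)
	}
	return out
}

// normMAC upper-cases and unifies separators so that "00-05-c9-a1-c9-70" and
// "00:05:C9:A1:C9:70" count as the same station.
func normMAC(s string) string {
	return strings.ToUpper(strings.ReplaceAll(s, ":", "-"))
}

// StationsPerUser maps each User-Name to the sorted distinct
// Calling-Station-Ids seen in its Start records.
func StationsPerUser(recs []Record) map[string][]string {
	seen := map[string]map[string]bool{}
	for _, r := range recs {
		if r["Acct-Status-Type"] != "Start" {
			continue
		}
		u, mac := r["User-Name"], r["Calling-Station-Id"]
		if u == "" || mac == "" {
			continue
		}
		if seen[u] == nil {
			seen[u] = map[string]bool{}
		}
		seen[u][normMAC(mac)] = true
	}
	out := map[string][]string{}
	for u, macs := range seen {
		for m := range macs {
			out[u] = append(out[u], m)
		}
		sort.Strings(out[u])
	}
	return out
}

// SharedCertUsers returns, sorted, the users whose identity was used from
// more than one station.
func SharedCertUsers(recs []Record) []string {
	var users []string
	for u, macs := range StationsPerUser(recs) {
		if len(macs) > 1 {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	recs := ParseDetail(sampleDetail)
	stations := StationsPerUser(recs)
	for _, u := range SharedCertUsers(recs) {
		fmt.Printf("ALERT: %s authenticated from %d stations: %v\n", u, len(stations[u]), stations[u])
	}
}
```

Calling-Station-Id is whatever MAC the client presented to the access point, so this is a detection aid for casual certificate sharing, not a binding of the certificate to a machine; that is why Ivan's answer to the original question is "No", with revocation (CRL) as the follow-up once an alert has been looked at.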
EAP-TLS authentication
HI, I am using EAP_TLS authentication, i.e. certificate-based authentication, with free radius. The setup is working fine. I have one query. Is there any way to lock the client certificate to a particular laptop MAC address so that the certificate cannot be used in another machine? Is there any config in Free radius for this purpose so that one certificate should not be used by another user?
Regards
Anoop

** DISCLAIMER ** Information contained and transmitted by this E-MAIL is proprietary to Sify Limited and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If this is a forwarded message, the content of this E-MAIL may not have been sent with the authority of the Company. If you are not the intended recipient, an agent of the intended recipient or a person responsible for delivering the information to the named recipient, you are notified that any use, distribution, transmission, printing, copying or dissemination of this information in any way or in any manner is strictly prohibited. If you have received this communication in error, please delete this mail and notify us immediately at [EMAIL PROTECTED]
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap/eap tls authentication
You are setting up Auth-Type System. Post the entry in the users file:

users: Matched entry dkupis at line 1

Ivan Kalik
Kalik Informatika ISP

On 12/10/2007, Dorota Kupis [EMAIL PROTECTED] wrote:
Hello, I'm not familiar with freeradius yet. I read some HOWTOs and I do try to make wireless Windows XP talk to the Radius server. I have an AP 1131. I have managed to make this configuration work with cisco ACS in the past, so the AP part should be OK. I do send the output from radiusd -X. Hope somebody can help me to point out which parts of the configuration I should look into and what possible problems could be. Thanks for your understanding. Dorota
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap/eap tls authentication
Hi,
I do post users thanks

dkupis Auth-Type := system
    Service-Type = NAS-Prompt-User,
    cisco-avpair == shell:priv-lvl=15,
    idle-timeout = 1800

okay. from this it looks like you're attempting to configure FR to do some form of Cisco device login authentication. is the user 'dkupis' in /etc/passwd and /etc/shadow etc? if not, then how can the password be tested? also, cisco-avpair == shell:priv-lvl=15 is a (broken) comparison; if you want to set that value you need cisco-avpair = shell:priv-lvl=15

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: peap/eap tls authentication
Hi, I'm not familiar with freeradius yet. I read some HOWTOs and I do try to make wireless Windows XP talk to the Radius server. I have an AP 1131. I have managed to make this configuration work with cisco ACS in the past, so the AP part should be OK.

you're authenticating, or trying to, from the system passwd file. if this is intentional then sorry, something's wrong. if it's accidental then you need to edit your users file - remove the line that says DEFAULT Auth-Type := System

I also think that the first line or so should print out the version of the FreeRADIUS being run as so many people neglect to pass on those details.

alan
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: peap/eap tls authentication
You are using an old version of the server. Which one? Why don't you use the latest?

dkupis Auth-Type := system
    Service-Type = NAS-Prompt-User,
    cisco-avpair == shell:priv-lvl=15,
    idle-timeout = 1800

1. How sure are you that you can get to the command prompt over a wireless interface? I don't think that will work.
2. Try something like:

dkupis User-Password == whatever[, Auth-Type := EAP]

try without Auth-Type first. If it doesn't start an EAP conversation add it.

Ivan Kalik
Kalik Informatika ISP

With this you should try to put User-Password instead of Auth-Type on the first line.

On 12/10/2007, Dorota Kupis [EMAIL PROTECTED] wrote:
I do post users thanks

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 12, 2007 12:03 PM To: FreeRadius users mailing list Subject: Re: peap/eap tls authentication
You are setting up Auth-Type System. Post the entry in the users file:
users: Matched entry dkupis at line 1
Ivan Kalik
Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: peap/eap tls authentication
1.1.3

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, October 12, 2007 12:50 PM To: FreeRadius users mailing list Subject: RE: peap/eap tls authentication
You are using an old version of the server. Which one? Why don't you use the latest?
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : LOGs of eap-tls authentication
hello,
To restart the radius I knew only one command, which is service radiusd restart; all you have to do when you are in debug mode is stop it by using service radiusd stop, then you can restart it. I hope that this can help you.
regards
habiba

[EMAIL PROTECTED] wrote:
Dear, Thanks for the information. I am getting the logs when I stopped the server in debug mode. But the commands service radiusd stop and service radiusd restart are not working. So I killed the process radiusd using the kill command. Please let me know the commands to stop and start the server in normal mode.
Regards
Anoop

Message: 2 Date: Tue, 11 Sep 2007 10:39:38 +0200 (CEST) From: inelec communication Subject: RE : LOGs of eap-tls authentication (inelec communication) To: FreeRadius users mailing list Message-ID: [EMAIL PROTECTED] Content-Type: text/plain; charset="iso-8859-1"
Hello, you have no logs in your radius.log file because you are running in debug mode; you have to run in normal mode to get the logs, so what you have to do is the following: first stop your debug mode by this command: service radiusd stop; then restart the radius service by: service radiusd restart; doing that you are in normal mode and you can do your wlan login without any problem and you get your log.
regards
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE : LOGs of eap-tls authentication
hi
I am not able to start server by service radiusd restart command. I used to start by simply typing radiusd command. Pls anyone know the command to stop the server
Regards
Anoop

Message: 6
Date: Thu, 13 Sep 2007 10:01:53 +0200 (CEST)
From: HBA BOX [EMAIL PROTECTED]
Subject: RE : LOGs of eap-tls authentication
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="iso-8859-1"

hello,
To restart the radius I knew only one command which is service radiusd restart; all what you have to do when you are in debug mode is stopping it by using service radiusd stop, then you can restart it. I hope that this can help you.
regards
habiba

[EMAIL PROTECTED] wrote:

Dear
Thanks for the information. I am getting the logs when stopped server in debug mode. But the commands service radiusd stop and service radiusd restart is not working. So i killed the process radiusd using kill command. Pls let me know the commands to stop and start the server in normal mode.
Regards
Anoop

Message: 2
Date: Tue, 11 Sep 2007 10:39:38 +0200 (CEST)
From: inelec communication
Subject: RE : LOGs of eap-tls authentication (inelec communication)
To: FreeRadius users mailing list
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="iso-8859-1"

Hello, you have no logs in your radius.log file because you are running in debug mode, you have to run in normal mode to get the logs, so what you have to do is the following: first stop your debug mode by this command: service radiusd stop; then restart the service radius by: service radiusd restart; doing that you are in normal mode and you can do your wlan logging without any problem and you get your log.
regards

Message: 7
Date: Thu, 13 Sep 2007 01:25:12 -0700 (PDT)
From: fuki [EMAIL PROTECTED]
Subject: Terminate TLS and proxy PEAP
To: freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=us-ascii

Hi
At the moment I use FreeRADIUS to proxy eap peap mschapv2 request to a RADIUS server for authentication. The connecting machine submits in addition to the authentication information, some information about its health state encrypted in the PEAP packets. Is there a possibility to decrypt the packets on the FreeRADIUS Proxy, to get the health state, and forward the PEAP packets for authentication to the RADIUS server. Or in other words is there a possibility to determine the TLS-Connection on the FreeRADIUS proxy and to forward the PEAP packets to the RADIUS Server and how the FreeRADIUS proxy has to be configured?
Your help would be much appreciated,
Thanks
Fuki

Message: 8
Date: Thu, 13 Sep 2007 12:10:29 +0330
From: "Parham Beheshti" [EMAIL PROTECTED]
Subject: RE: sometimes double records in radacct
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="utf-8"

I've seen this happening too. We have some nases that are not on local network and they are sending packets on sometimes unstable networks (VPN, Internet)... I think what happens is that since the nas doesn't get the reply in the given time, it will resend the last packet... Sometimes interim packet and stop packets are sent almost at the same time, but stop packet gets to the radius server first and then the interim packet...

Parham

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nelson Serafica
Sent: Wednesday, September 12, 2007 9:20 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: sometimes double records in radacct

Is it advisable that I uncomment the accounting_start_query_alt? Would there be conflict to other query commands like accounting_stop_query_alt, accounting_stop_query, etc.

- Original Message
From: Nelson Serafica [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Wednesday, September 12, 2007 1:33:30 PM
Subject: sometimes double records in radacct

I notice in my radacct that there are double records. See sample below
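Parham's explanation of the double records (a NAS that does not get its reply in time resends the last packet, and an Interim-Update that was in flight can arrive after the Stop) can be turned into a check on the accounting stream before it reaches radacct. The Python below is an added example, not code from the thread or from FreeRADIUS. It keys sessions on the same attributes the acct_unique module is configured with in the debug output quoted later in this thread; the digest it computes over them is an assumption, not FreeRADIUS's exact Acct-Unique-Session-Id, and the packets in sample_records() are constructed.

```python
import hashlib

# Key attributes the acct_unique module is configured with in the
# "radiusd -X -A" output quoted later in this thread.
ACCT_UNIQUE_KEY = ("User-Name", "Acct-Session-Id", "NAS-IP-Address",
                   "Client-IP-Address", "NAS-Port")


def session_key(rec):
    """Stable session identifier derived from the acct_unique key attributes.

    Assumption: FreeRADIUS hashes these attributes to build
    Acct-Unique-Session-Id; the exact string it feeds to MD5 is not shown on
    the page, so this is an equivalent digest, not a byte-for-byte copy.
    """
    material = ",".join(f"{k}={rec.get(k, '')}" for k in ACCT_UNIQUE_KEY)
    return hashlib.md5(material.encode()).hexdigest()


def dedupe_accounting(records):
    """Classify accounting packets in arrival order.

    Returns (kept, dropped); each dropped item is (record, reason).
    Two cases from Parham's message are handled:
      * a NAS that did not get its reply in time resends the last packet, so
        an identical (session, status, Acct-Session-Time) arrives twice;
      * an Interim-Update that was in flight when the Stop was sent arrives
        after the Stop and must not reopen or double the session.
    """
    seen = set()      # (session_key, Acct-Status-Type, Acct-Session-Time)
    stopped = set()   # session keys for which a Stop has been accepted
    kept, dropped = [], []
    for rec in records:
        key = session_key(rec)
        status = rec["Acct-Status-Type"]
        stamp = (key, status, rec.get("Acct-Session-Time", 0))
        if stamp in seen or (status == "Stop" and key in stopped):
            dropped.append((rec, "retransmission"))
            continue
        if key in stopped:
            dropped.append((rec, "arrived after Stop"))
            continue
        seen.add(stamp)
        if status == "Stop":
            stopped.add(key)
        kept.append(rec)
    return kept, dropped


def sample_records():
    """Constructed packets for one session (all values are made up)."""
    base = {"User-Name": "anoop07", "Acct-Session-Id": "0000001a",
            "NAS-IP-Address": "192.168.0.50",
            "Client-IP-Address": "192.168.0.50", "NAS-Port": "1"}
    return [
        {**base, "Acct-Status-Type": "Start"},
        {**base, "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 300},
        {**base, "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 300},  # resend
        {**base, "Acct-Status-Type": "Stop", "Acct-Session-Time": 610},
        {**base, "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 600},  # late
        {**base, "Acct-Status-Type": "Stop", "Acct-Session-Time": 610},  # resend
    ]


if __name__ == "__main__":
    kept, dropped = dedupe_accounting(sample_records())
    for rec in kept:
        print("keep", rec["Acct-Status-Type"])
    for rec, why in dropped:
        print("drop", rec["Acct-Status-Type"], "-", why)
```

The same classification is what the `_alt` queries Nelson asks about do after the fact in rlm_sql: they are the fallback run when the primary INSERT fails, typically on a duplicate key. Doing it on the packet stream makes the reason for each drop visible instead of leaving a second row to find later.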
Re: RE : LOGs of eap-tls authentication
On Thu, 2007-09-13 at 14:40 +0500, [EMAIL PROTECTED] wrote:

hi
I am not able to start server by service radiusd restart command. I used to start by simply typing radiusd command. Pls anyone know the command to stop the server

If you are on Unix, radiusd is just an ordinary process, which you stop the ordinary way for your OS. I can think of dozens of ways. Usually you would wrap the low-level methods in a script to do some housekeeping, but you could try:

pkill -TERM radiusd

It sounds like you're not very familiar with your operating system; I'd learn more about it if I were you.
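Dana's point that radiusd is an ordinary process is also what `service radiusd stop` relies on: an init script typically reads the pid from the pidfile (the path below is the one in Anoop's own debug output, `main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"`), sends it SIGTERM and waits. The Python below is an added example of that housekeeping, not an init script from FreeRADIUS; `stop_by_pidfile`, `start_normal_mode` and `demo_stop_fake_server` are names chosen here, and the demo uses a sleeping child process in place of a real server.

```python
import os
import signal
import subprocess
import sys
import tempfile
import time

# Pidfile path from the "radiusd -X -A" output quoted later in this thread.
RADIUSD_PIDFILE = "/usr/local/var/run/radiusd/radiusd.pid"


def process_alive(pid):
    """True if pid still exists. Reaps it first if it is our own child, so a
    zombie is not mistaken for a running server."""
    try:
        reaped, _ = os.waitpid(pid, os.WNOHANG)
        if reaped == pid:
            return False
    except ChildProcessError:
        pass  # not our child; fall through to the signal-0 probe
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists but is owned by another user
    return True


def stop_by_pidfile(pidfile=RADIUSD_PIDFILE, timeout=10.0):
    """What an init script's 'stop' typically does: SIGTERM the recorded pid
    and wait for it to go away.

    Returns True once the process is gone (or the pidfile was stale), False
    if it is still running after `timeout` seconds. Raises FileNotFoundError
    when there is no pidfile at all, which is the situation when the server
    was only ever started by hand in the foreground.
    """
    with open(pidfile) as fh:
        pid = int(fh.read().strip())
    if not process_alive(pid):
        return True  # stale pidfile, nothing to stop
    os.kill(pid, signal.SIGTERM)
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not process_alive(pid):
            return True
        time.sleep(0.1)
    return False


def start_normal_mode(radiusd="radiusd"):
    """Start the daemon without -X so it detaches, writes its pidfile and
    logs to the log_file from radiusd.conf instead of the terminal."""
    subprocess.run([radiusd], check=True)


def demo_stop_fake_server():
    """Stand-in for radiusd: a sleeping child whose pid is written to a
    temporary pidfile (constructed fixture, not a real server).
    Returns (stopped, still_alive_afterwards, stale_pidfile_ok)."""
    child = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])
    with tempfile.TemporaryDirectory() as tmp:
        pidfile = os.path.join(tmp, "radiusd.pid")
        with open(pidfile, "w") as fh:
            fh.write(f"{child.pid}\n")
        stopped = stop_by_pidfile(pidfile, timeout=10)
        alive_after = process_alive(child.pid)
        stale_ok = stop_by_pidfile(pidfile, timeout=1)  # pid is gone, file remains
    return stopped, alive_after, stale_ok


if __name__ == "__main__":
    print(demo_stop_fake_server())
```

The stale-pidfile branch matters for the situation in this thread: a server started with `radiusd -X` and then killed by hand can leave the init script with a pidfile pointing at nothing, and a script that only checks for the file's presence will report the wrong state.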
Re: RE : LOGs of eap-tls authentication (inelec communication)
Does it write anything to the log? On startup or when you send a local radtest request?

Ivan Kalik
Kalik Informatika ISP

On 10/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Message: 3
Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
From: inelec communication [EMAIL PROTECTED]
Subject: RE : LOGs of eap-tls authentication
To: FreeRadius users mailing list

Hi
Please find my result. The authentication is working well. The problem is logs are not in radius.log file.

[EMAIL PROTECTED] fr1.1.7]# cat successlog
        Message-Authenticator = 0x96080298cf8084c0a353d72c9e82a3aa
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000c01616e6f6f703037
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.50 port 1033
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8ab131c9d151752c61f18ffb09aa2c55
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1033, id=1, length=299
        Message-Authenticator = 0xe6d7ba1e4458e637c60740bc57383f9e
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        State = 0x8ab131c9d151752c61f18ffb09aa2c55
        Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020100600d800000005616030100510100004d030146e4c9b422a11c6b0c2a9c5e74b8a0de5e3eb0e1d8a15f49cb7cbf83ad04116a105892c006371829ccf94f1dcdc6d83e3d001600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length
RE : LOGs of eap-tls authentication (inelec communication)
Hello, you have no logs in your radius.log file because you are running in debug mode, you have to run in normal mode to get the logs, so what you have to do is the following: first stop your debug mode by this command: service radiusd stop; then restart the service radius by: service radiusd restart; doing that you are in normal mode and you can do your wlan logging without any problem and you get your log.
regards

[EMAIL PROTECTED] wrote:

Message: 3
Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
From: inelec communication
Subject: RE : LOGs of eap-tls authentication
To: FreeRadius users mailing list

Hi
Please find my result. The authentication is working well. The problem is logs are not in radius.log file.

[EMAIL PROTECTED] fr1.1.7]# cat successlog
        Message-Authenticator = 0x96080298cf8084c0a353d72c9e82a3aa
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000c01616e6f6f703037
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.50 port 1033
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8ab131c9d151752c61f18ffb09aa2c55
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1033, id=1, length=299
        Message-Authenticator = 0xe6d7ba1e4458e637c60740bc57383f9e
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        State = 0x8ab131c9d151752c61f18ffb09aa2c55
        Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020100600d800000005616030100510100004d030146e4c9b422a11c6b0c2a9c5e74b8a0de5e3eb0e1d8a15f49cb7cbf83ad04116a105892c006371829ccf94f1dcdc6d83e3d001600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls
RE : LOGs of eap-tls authentication
Dear
Thanks for the information. I am getting the logs when stopped server in debug mode. But the commands service radiusd stop and service radiusd restart is not working. So i killed the process radiusd using kill command. Pls let me know the commands to stop and start the server in normal mode.
Regards
Anoop

Message: 2
Date: Tue, 11 Sep 2007 10:39:38 +0200 (CEST)
From: inelec communication [EMAIL PROTECTED]
Subject: RE : LOGs of eap-tls authentication (inelec communication)
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset="iso-8859-1"

Hello, you have no logs in your radius.log file because you are running in debug mode, you have to run in normal mode to get the logs, so what you have to do is the following: first stop your debug mode by this command: service radiusd stop; then restart the service radius by: service radiusd restart; doing that you are in normal mode and you can do your wlan logging without any problem and you get your log.
regards
RE : LOGs of eap-tls authentication
hello,
running radius in debug mode doesn't give any log file, i mean it doesn't give logs in radiusd.log; if you give me your result when you have run radiusd -X -A perhaps i can help
regards

[EMAIL PROTECTED] wrote:

Hi
1 I am using eap-tls authentication. My setup is working well with certificates. I am unable to get logs of user login ok or denied in the radius.log file

[EMAIL PROTECTED] sbin]# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/07xwifi.pem"
 tls: certificate_file = "/etc/1x/07xwifi.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile =
RE : LOGs of eap-tls authentication (inelec communication)
Message: 3
Date: Mon, 10 Sep 2007 10:23:19 +0200 (CEST)
From: inelec communication [EMAIL PROTECTED]
Subject: RE : LOGs of eap-tls authentication
To: FreeRadius users mailing list

Hi
Please find my result. The authentication is working well. The problem is logs are not in radius.log file.

[EMAIL PROTECTED] fr1.1.7]# cat successlog
        Message-Authenticator = 0x96080298cf8084c0a353d72c9e82a3aa
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x0200000c01616e6f6f703037
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 12
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.0.50 port 1033
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8ab131c9d151752c61f18ffb09aa2c55
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1033, id=1, length=299
        Message-Authenticator = 0xe6d7ba1e4458e637c60740bc57383f9e
        Service-Type = Framed-User
        User-Name = "anoop07"
        Framed-MTU = 1488
        State = 0x8ab131c9d151752c61f18ffb09aa2c55
        Called-Station-Id = "00-0F-3D-AF-DD-C1:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020100600d800000005616030100510100004d030146e4c9b422a11c6b0c2a9c5e74b8a0de5e3eb0e1d8a15f49cb7cbf83ad04116a105892c006371829ccf94f1dcdc6d83e3d001600040005000a000900640062000300060013001200630100
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: No '@' in User-Name = "anoop07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 153
    users: Matched entry DEFAULT at line 172
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password: Found Auth-Type EAP
  auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Length Included
  eaptls_verify returned 11
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: TLS 1.0 Handshake [length 0051], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: TLS 1.0 Handshake [length 04be], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: TLS 1.0 Handshake [length 004c], CertificateRequest
    TLS_accept: SSLv3 write certificate request
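The debug lines in Anoop's successlog ("Length Included", "TLS 1.0 Handshake [length 0051], ClientHello") are rlm_eap_tls describing the EAP-TLS fragment carried inside each EAP-Message attribute. The decoder below is an added example, not FreeRADIUS code: it parses the EAP header, the EAP-TLS flag byte (L = length included, M = more fragments, S = start) and, when L is set, the 4-byte total TLS message length, then labels the first TLS record the way the log does. EAP_TLS_START is the Access-Challenge's EAP-Message from the log above; EAP_IDENTITY, EAP_TLS_ACK and EAP_CLIENT_HELLO are constructed to match the header fields and lengths the log reports (Identity response id 0 length 12, ClientHello response id 1 length 96), so the exact bytes are assumptions.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS = 13
TLS_CT_HANDSHAKE = 22
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}


def decode_eap_message(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X.

    Returns the EAP header fields and, for EAP-TLS (type 13), the flag bits,
    the total TLS message length when L is set, the number of TLS bytes in
    this fragment, and a one-line summary in the style of the rlm_eap_tls
    debug output.
    """
    if hex_value.startswith("0x"):
        hex_value = hex_value[2:]
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success and Failure carry no type byte
        return info
    info["type"] = data[4]
    if data[4] == EAP_TYPE_IDENTITY:
        info["identity"] = data[5:].decode("ascii", errors="replace")
        return info
    if data[4] != EAP_TYPE_TLS:
        return info
    flags = data[5]
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    body = data[6:]
    if flags & 0x80:
        if len(body) < 4:
            raise ValueError("L flag set but no 4-byte TLS message length follows")
        info["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    info["tls_data_length"] = len(body)
    if flags & 0x20:
        info["summary"] = "EAP-TLS Start"
    elif not body:
        info["summary"] = "EAP-TLS ACK"  # empty response: peer acknowledges a fragment
    elif body[0] == TLS_CT_HANDSHAKE and len(body) >= 9:
        major, minor, rec_len = struct.unpack("!BBH", body[1:5])
        version = TLS_VERSIONS.get((major, minor), f"version {major}.{minor}")
        hs_name = HANDSHAKE_TYPES.get(body[5], f"handshake type {body[5]}")
        info["summary"] = f"{version} Handshake [length {rec_len:04x}], {hs_name}"
    else:
        info["summary"] = f"TLS record type {body[0]} ({len(body)} bytes in this fragment)"
    return info


# From the Access-Challenge in the log above: Request, id 1, length 6, S flag.
EAP_TLS_START = "0x010100060d20"
# Constructed to match "EAP Identity ... response id 0 length 12" for anoop07.
EAP_IDENTITY = "0x0200000c01616e6f6f703037"
# Constructed: Response, id 3, type TLS, no flags, no data.
EAP_TLS_ACK = "0x020300060d00"
# Constructed to match "response id 1 length 96" carrying a 0x51-byte
# ClientHello record with the L flag and a TLS message length of 86.
EAP_CLIENT_HELLO = (
    "0x" "0201" "0060"           # Response, id 1, length 96
    "0d" "80" "00000056"          # type TLS, L flag, TLS message length 86
    "16" "0301" "0051"            # handshake record, TLS 1.0, 81 bytes
    "01" "00004d" "0301"          # ClientHello, 77 bytes, client_version 3.1
    "46e4c9b422a11c6b0c2a9c5e74b8a0de5e3eb0e1d8a15f49cb7cbf83ad04116a"  # random
    "10" "5892c006371829ccf94f1dcdc6d83e3d"  # 16-byte session id
    "0016" "00040005000a00090064006200030006001300120063"  # 11 cipher suites
    "01" "00"                     # one compression method: null
)

if __name__ == "__main__":
    for name in ("EAP_TLS_START", "EAP_IDENTITY", "EAP_TLS_ACK", "EAP_CLIENT_HELLO"):
        print(name, decode_eap_message(globals()[name]))
```

Two things to check with it when a handshake stalls: whether the first fragment really has the L flag (rlm_eap_tls's "Length Included"), since the total length is what the server uses to know when a fragmented Certificate message is complete, and whether the record version and handshake type of the client's first fragment are what the server's `tls` section can accept.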
LOGs of eap-tls authentication
Hi
1 I am using eap-tls authentication. My setup is working well with certificates. I am unable to get logs of user login ok or denied in the radius.log file

[EMAIL PROTECTED] sbin]# radiusd -X -A
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = yes
 main: log_auth_badpass = yes
 main: log_auth_goodpass = yes
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/1x/07xwifi.pem"
 tls: certificate_file = "/etc/1x/07xwifi.pem"
 tls: CA_file = "/etc/1x/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/1x/DH"
 tls: random_file = "/etc/1x/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work!
WARNING: Fix this by running the OpenSSL command listed in eap.conf
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
problem with eap-tls authentication
Hello,
I'm using radius server and linksys access point configured to use radius security mode and windows xp in my laptop as wlan client configured like that:
network authentication: open
data encryption: WEP
enable IEEE 802.1x authentication for this NW
EAP type: smartcard or other certificate
use a certificate on this computer
use a simple certificate selection
for the configuration of the radius server and certificate creation i have followed the EAP/TLS HOWTO. when I start connection I'm having the following problem in radius.log:

Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:05:26 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:05:56 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:06:26 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:06:57 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls:
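The radius.log output above reads more easily once it is split into handshake attempts: each "Length Included" line is the first f fragment of a new TLS message from the supplicant, the Error line names the OpenSSL accept state that failed ("read client certificate A" is the state in which the server is waiting for the client's Certificate message, so an error there means no acceptable client certificate arrived), and the run of ACKs is the client acknowledging the server's fragments before it gives up and retries. The script below is an added example, not from the thread; SAMPLE_LOG is constructed in the same format, and the verdict strings are chosen here.

```python
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample in the radius.log format shown above: two attempts that
# fail while the server waits for the client certificate, then one with no
# error so far.
SAMPLE_LOG = """\
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:05:26 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:05:56 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
"""


def parse_lines(text):
    """Yield (timestamp, level, message) for every line in radius.log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FORMAT), m["level"], m["msg"]


def group_attempts(text):
    """Split the log into handshake attempts. Each 'Length Included' line is
    the first fragment of a new TLS message from the client, so it opens a
    new attempt; Error lines and ACK counts are attached to the current one."""
    attempts = []
    for ts, level, msg in parse_lines(text):
        if msg.endswith("Length Included"):
            attempts.append({"start": ts, "acks": 0, "errors": []})
            continue
        if not attempts:
            continue  # lines before the first attempt are not part of a handshake
        cur = attempts[-1]
        if level == "Error":
            cur["errors"].append(msg)
        elif msg.endswith("Received EAP-TLS ACK message"):
            cur["acks"] += 1
    return attempts


def diagnose(attempts):
    """Attach a verdict and the gap since the previous attempt, which shows
    the supplicant's retry interval."""
    out = []
    prev = None
    for a in attempts:
        verdict = "ok so far"
        for err in a["errors"]:
            if "read client certificate" in err:
                verdict = "client certificate missing or rejected"
            elif "TLS_accept" in err:
                verdict = "handshake error: " + err
        gap = (a["start"] - prev).total_seconds() if prev else None
        out.append({**a, "verdict": verdict, "seconds_since_previous": gap})
        prev = a["start"]
    return out


if __name__ == "__main__":
    for n, a in enumerate(diagnose(group_attempts(SAMPLE_LOG)), 1):
        print(n, a["start"].time(), f"acks={a['acks']}", a["verdict"],
              "" if a["seconds_since_previous"] is None else f"(+{a['seconds_since_previous']:.0f}s)")
```

On the real log above the same grouping gives four attempts 30 seconds apart, every one of them failing in the same state, which points at the client side (certificate selection, or a client certificate the server's CA_file does not chain to) rather than at anything intermittent.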
eap-tls authentication
Hello,

I'm using a RADIUS server and a Linksys access point configured to use RADIUS security mode, and Windows XP on my laptop as the WLAN client, configured like this:

network authentication: open
data encryption: WEP
enable IEEE 802.1x authentication for this NW
EAP type: smartcard or other certificate
use a certificate on this computer
use a simple certificate selection

For the configuration of the RADIUS server and certificate creation I have followed the EAP/TLS HOWTO. When I start the connection I'm having the following problem in radius.log:

Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:05:26 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:05:56 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:05:56 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:06:26 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:26 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:27 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Length Included
Tue Aug 28 09:06:57 2007 : Error: TLS_accept:error in SSLv3 read client certificate A
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
Tue Aug 28 09:06:57 2007 : Info: rlm_eap_tls: Received EAP-TLS ACK message
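The log above is the same 30-second cycle repeated: one "Length Included" line, one OpenSSL error while the server is reading the client certificate, then a run of EAP-TLS ACKs as the remaining fragments are acknowledged. The script below is an added example (it is not from this thread and not FreeRADIUS code) that collapses a FreeRADIUS 1.x radius.log of that shape into one row per handshake attempt, so a reviewer can see at a glance that every attempt dies at the client-certificate stage rather than somewhere else in the handshake. The sample log it ships with is constructed from three of the cycles quoted above.

```python
"""Summarise EAP-TLS handshake attempts in a FreeRADIUS 1.x radius.log.

Added example, not code from the thread or from FreeRADIUS. Each attempt
starts with "rlm_eap_tls: Length Included" (first fragment of a TLS record
from the supplicant). The analyser records whether OpenSSL then failed in
"read client certificate" and how many EAP-TLS ACKs followed, so a log of
hundreds of repeated lines collapses to one row per attempt.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?P<level>\w+): (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"
CLIENT_CERT_ERR = "read client certificate"


def parse_line(line):
    """Return (timestamp, level, message) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FMT), m["level"], m["msg"]


def analyse(lines):
    """Group log lines into handshake attempts; one dict per attempt."""
    attempts = []
    current = None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, msg = parsed
        if msg.endswith("Length Included"):
            current = {"start": ts, "error": None, "acks": 0}
            attempts.append(current)
        elif current is None:
            continue  # noise before the first attempt
        elif level == "Error" and CLIENT_CERT_ERR in msg:
            current["error"] = msg
        elif msg.endswith("Received EAP-TLS ACK message"):
            current["acks"] += 1
    return attempts


def summarise(lines):
    """Counts and retry spacing; 'verdict' is the reading a reviewer would give."""
    attempts = analyse(lines)
    failed = [a for a in attempts if a["error"]]
    gaps = [(b["start"] - a["start"]).total_seconds()
            for a, b in zip(attempts, attempts[1:])]
    if attempts and len(failed) == len(attempts):
        verdict = ("every attempt died while the server was reading the client "
                   "certificate: the supplicant's certificate is not being "
                   "accepted, so check the client cert, its CA and CA_file")
    elif failed:
        verdict = "some attempts failed at the client certificate stage"
    else:
        verdict = "no client certificate failures"
    return {
        "attempts": len(attempts),
        "client_cert_failures": len(failed),
        "acks_per_attempt": [a["acks"] for a in attempts],
        "retry_gaps_s": gaps,
        "verdict": verdict,
    }


def _line(ts, level, msg):
    return f"{ts} : {level}: {msg}"


# Constructed sample: three of the retry cycles quoted in the message above,
# each 30 s apart, error followed by 16 ACK lines.
SAMPLE_LOG = []
for _ts in ("Tue Aug 28 09:05:26 2007", "Tue Aug 28 09:05:56 2007",
            "Tue Aug 28 09:06:26 2007"):
    SAMPLE_LOG.append(_line(_ts, "Info", "rlm_eap_tls: Length Included"))
    SAMPLE_LOG.append(_line(_ts, "Error",
                            "TLS_accept:error in SSLv3 read client certificate A"))
    SAMPLE_LOG += [_line(_ts, "Info",
                         "rlm_eap_tls: Received EAP-TLS ACK message")] * 16

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real radius.log with `summarise(open("radius.log").readlines())`; the 30-second retry gap is the supplicant's own retry timer, not something the server does, which is why the same failure repeats until the client certificate is fixed.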
Re: Problem in EAP-TLS Authentication
Govardhana K N wrote:
I was trying to configure EAP with TLS/TTLS. After enabling TLS/TTLS in eap.conf, I tried sending a RADIUS Access-Request with an EAP-Identity response. The server is crashing because of a segmentation fault. The debug log from the server is given below.

See doc/bugs

The problem is most likely that the dynamic linker can't find the libraries it needs.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Problem in EAP-TLS Authentication
Hi,

I was trying to configure EAP with TLS/TTLS. After enabling TLS/TTLS in eap.conf, I tried sending a RADIUS Access-Request with an EAP-Identity response. The server is crashing because of a segmentation fault. The debug log from the server is given below.

cheux301:/etc/freeradius# freeradius -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = /usr
main: localstatedir = /var
main: logdir = /var/log/freeradius
main: libdir = /usr/lib/freeradius:/usr/local/lib
main: radacctdir = /var/log/freeradius/radacct
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = /var/log/freeradius/radius.log
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = /var/run/freeradius/freeradius.pid
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = freerad
main: group = freerad
main: usercollide = no
main: lower_user = no
main: lower_pass = no
main: nospace_user = no
main: nospace_pass = no
main: checkrad = /usr/sbin/checkrad
main: proxy_requests = no
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius:/usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = (null)
exec: input_pairs = request
exec: output_pairs = (null)
exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = yes
mschap: require_strong = yes
mschap: with_ntdomain_hack = no
mschap: passwd = (null)
mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = /etc/passwd
unix: shadow = /etc/shadow
unix: group = /etc/group
unix: radwtmp = /var/log/freeradius/radwtmp
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = md5
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = Password:
gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = (null)
tls: pem_file_type = yes
tls: private_key_file = /etc/freeradius/certs/cert-srv.pem
tls: certificate_file = /etc/freeradius/certs/cert-srv.pem
tls: CA_file = /etc/freeradius/certs/demoCA/cacert.pem
tls: private_key_password = whatever
tls: dh_file = /etc/freeradius/certs/dh
tls: random_file = /etc/freeradius/certs/random
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = %{User-Name}
tls: cipher_list = DEFAULT
tls: check_cert_issuer = /C=GB/ST=Berkshire/L=Newbury/O=My Company Ltd
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = md5
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = /etc/freeradius/huntgroups
preprocess: hints = /etc/freeradius/hints
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = suffix
realm:
Re: EAP-TLS authentication (Alan DeKok)
[EMAIL PROTECTED] wrote:
Everything is working fine. But the logs are not coming when the user authenticates.

What logs? Accounting? If so, see the FAQ.

Alan DeKok.
Re: EAP-TLS authentication
Dear Alan,

I have been using Navis RADIUS. Now I decided to move to FreeRADIUS. In Navis RADIUS there is a log file, so it will be shown as "Username login ok" or "user login failed due to ...". So these logs will be very helpful for troubleshooting. In FreeRADIUS no log file is getting updated. This is not accounting.

Regards
Anoop
Re: EAP-TLS authentication
I have been using Navis RADIUS. Now I decided to move to FreeRADIUS. In Navis RADIUS there is a log file, so it will be shown as "Username login ok" or "user login failed due to ...". So these logs will be very helpful for troubleshooting. In FreeRADIUS no log file is getting updated. This is not accounting.

Exactly this information goes into /var/log/radius/radius.log if you enabled it in the config, as it is per default. That is, only if you are *NOT* running with -X.

Stefan

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Engineer, Research and Development
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]
Tel.: +352 424409-1
http://www.restena.lu
Fax: +352 422473
Re: EAP-TLS authentication (Alan DeKok)
Hi,

Everything is working fine. But the logs are not coming when the user authenticates.

Regards
Anoop

Message: 6
Date: Fri, 13 Jul 2007 14:25:43 +0200
From: Alan DeKok [EMAIL PROTECTED]
Subject: Re: EAP-TLS authentication (Alan DeKok)
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

[EMAIL PROTECTED] wrote:
pls find the attached ...

Sending Access-Accept of id 4 to 192.168.0.50 port 1026

The RADIUS server thinks everything is OK.

Alan DeKok.
Re : EAP-TLS authentication
There is a log file. Check your configure log to find out the path you specified for the log. You can also run in debug mode:

radiusd -X

== Benjamin K. Eshun

Original message
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 11:41:05
Subject: Re: EAP-TLS authentication
Re : EAP-TLS authentication
hi

[EMAIL PROTECTED] sbin]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"

So my log directory is /usr/local/var/log/radius. But in that file I am not getting any logs. Do I need to configure anything other than this?

Regards
Anoop

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
There is a log file. Check your configure log to find out the path you specified for the log. You can also run in debug mode. radiusd -

Quoting [EMAIL PROTECTED]:

Today's Topics:
1. FreeRadius and User-Password from Cisco Device ([EMAIL PROTECTED])
2. How to configure EAP Identity in 1.1.3 (Govardhana K N)
3. Re: FreeRadius and User-Password from Cisco Device (Stefan Winter)
4. Re : EAP-TLS authentication (Eshun Benjamin)

Message: 1
Date: Mon, 16 Jul 2007 12:16:22 +0200
From: [EMAIL PROTECTED]
Subject: FreeRadius and User-Password from Cisco Device
To: freeradius-users@lists.freeradius.org

Hello,

Here is an access-request packet from a Cisco router (2621):

NAS-IP-Address = "IP_NAS"
NAS-Port = 66
NAS-Port-Type = Virtual
User-Name = "MyUserLogin"
Calling-Station-Id = "IP NAS"
User-Password = "ryMyPass/WordHashNotPlainText`"

Why is my password not in plain text? With other Cisco devices (Switch 2960 for example), the User-Password is in plain text. If I receive a hashed password, the authentication doesn't work.

My AAA configuration:

aaa new-model
aaa authentication login default group radius line
aaa authentication login console line
aaa authorization exec default group radius none
aaa authorization network default group radius
aaa accounting exec default start-stop group radius
aaa accounting connection default start-stop group radius

What can I do? Thanks for your help!

Nicos.

Message: 2
Date: Mon, 16 Jul 2007 15:54:09 +0530
From: "Govardhana K N" [EMAIL PROTECTED]
Subject: How to configure EAP Identity in 1.1.3
To: FreeRadius freeradius-users@lists.freeradius.org

Hi,

I was trying to configure the FreeRADIUS server with EAP authentication. As mentioned in "eap.conf", I didn't change the Auth-Type, but I was sending an EAP-Message and Message-Authenticator attributes in the Access-Request. When I tried sending an Access-Request with EAP-Message, I got the following error: "rlm_eap: Identity Unknown, authentication failed". How to configure the Identity for EAP?

debug log from server:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/freeradius/proxy.conf
Config: including file: /etc/freeradius/clients.conf
Config: including file: /etc/freeradius/snmp.conf
Config: including file: /etc/freeradius/eap.conf
Config: including file: /etc/freeradius/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/freeradius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/freeradius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = yes
main: log_file = "/var/log/freeradius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/freeradius/freeradius.pid"
main: bind_address = 127.0.0.1 IP address [127.0.0.1]
main: user = "freerad"
main: group = "freerad"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main
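The "hashed" User-Password in the digest message above (Message 1) is what a RADIUS server prints when it undoes the RFC 2865 password hiding with a shared secret that does not match the one the NAS used: the attribute is not a hash but the password XORed with an MD5-derived keystream, and with the wrong secret the result is pseudo-random bytes. The code below is an added example (it is not from this thread and not FreeRADIUS code) of both sides of that operation, with a made-up secret and Request Authenticator so it runs offline.

```python
"""RFC 2865 User-Password hiding, as a RADIUS server undoes it.

Added example; not code from the thread or from FreeRADIUS. The NAS pads the
password to a multiple of 16 bytes and XORs each block with
MD5(shared_secret + previous_block), the first "previous block" being the
16-byte Request Authenticator. The server repeats the same keystream with its
own copy of the secret. If the two secrets differ, the recovered "password"
is pseudo-random bytes, which is what a debug print then shows.
"""
import hashlib


def _keystream_block(secret: bytes, prev: bytes) -> bytes:
    return hashlib.md5(secret + prev).digest()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: produce the User-Password attribute value."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in
                      zip(padded[i:i + 16], _keystream_block(secret, prev)))
        out += block
        prev = block  # chaining: next keystream block depends on this cipher block
    return bytes(out)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the hiding; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _keystream_block(secret, prev)))
        prev = block
    return bytes(out).rstrip(b"\x00")


def is_printable(value: bytes) -> bool:
    """Rough check a debug print would pass: every byte is printable ASCII."""
    return bool(value) and all(0x20 <= b < 0x7F for b in value)


if __name__ == "__main__":
    # Constructed values: the secret and authenticator are made up for the demo.
    authenticator = bytes(range(16))
    hidden = hide_password(b"MyPassword", b"nas-shared-secret", authenticator)
    print("same secret: ", recover_password(hidden, b"nas-shared-secret", authenticator))
    print("wrong secret:", recover_password(hidden, b"typo-secret", authenticator))
```

The second print is the symptom from the digest: garbage where a password should be. The fix is on the configuration side, making sure the secret in clients.conf for that NAS is the one the router was configured with, rather than anything in the password handling itself.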
Re: Re : EAP-TLS authentication
Perhaps because of this:

main: log_auth = no

Ivan Kalik
Kalik Informatika ISP
Re: EAP-TLS authentication (Alan DeKok)
pls find the attached

n: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = no
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/1x/07xwifi.pem"
tls: certificate_file = "/etc/1x/07xwifi.pem"
tls: CA_file = "/etc/1x/root.pem"
tls: private_key_password = "password"
tls: dh_file = "/etc/1x/DH"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
tls: cipher_list = "(null)"
tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=0, length=213
Message-Authenticator = 0x9877b96e876b381f2c9d3bf7ae2e
Service-Type = Framed-User
User-Name = "saravanakumar07"
Framed-MTU = 1488
Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
Calling-Station-Id = "00-0E-35-F3-A1-67"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x0214017361726176616e616b756d61723037
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
rlm_realm: No '@' in User-Name = "saravanakumar07", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 0 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 153
Re: EAP-TLS authentication (Alan DeKok)
[EMAIL PROTECTED] wrote:
pls find the attached ...

Sending Access-Accept of id 4 to 192.168.0.50 port 1026

The RADIUS server thinks everything is OK.

Alan DeKok.
Re: EAP-TLS authentication
[EMAIL PROTECTED] wrote:
Hi, I have a setup of 802.1x authentication with a FreeRADIUS server. I am using EAP-TLS certificate-based authentication. The certificates I generated were using the OpenSSL tool. The setup is working fine. In my log file no logs are displaying. Please help.
pls find the server in debug mode ...
main: user = "(null)"

You've deleted most of the debugging output. This makes it rather difficult to help you.

1) Don't edit it if you don't know what it means
2) include an authentication session for ONE user.

Alan DeKok.
EAP-TLS authentication
Hi,

I have a setup of 802.1x authentication with a FreeRADIUS server. I am using EAP-TLS certificate-based authentication. The certificates I generated were using the OpenSSL tool. The setup is working fine. In my log file no logs are displaying. Please help.

pls find the server in debug mode

[EMAIL PROTECTED] sbin]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"

Regards
Anoop
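Several posts in this thread paste the "section: key = value" echo that radiusd -X prints at startup, and the answers come from reading it: Ivan points at "main: log_auth = no", Stefan notes that nothing reaches radius.log while the server runs with -X, and the tls: blocks above show check_crl = no, check_cert_cn = (null), a 512-bit dh_key_length and a private_key_password that is still a placeholder. The script below is an added example (not from this thread, not FreeRADIUS code) that parses that startup echo, quoted or backslash-mangled as it appears here, and lists those findings; the placeholder-password list and the 2048-bit threshold are my own heuristics, not project defaults, and the sample input is built from the values in the posts above.

```python
"""Audit the "section: key = value" echo that radiusd -X prints at startup.

Added example; not code from the thread or from FreeRADIUS. It pulls the
main: and tls: settings out of the startup output (with or without the
surrounding quotes) and reports the ones that decide whether authentication
is logged at all and how strictly EAP-TLS client certificates are checked.
The placeholder passwords it looks for are a heuristic list, not a project one.
"""
import re

SETTING_RE = re.compile(r"^(?P<section>[\w-]+): (?P<key>\w+) = (?P<value>.*)$")
PLACEHOLDER_PASSWORDS = {"whatever", "password", "secret", "changeme"}
MIN_KEY_BITS = 2048  # heuristic threshold, not a FreeRADIUS default


def parse_settings(lines):
    """Return {section: {key: value}}; lines that are not settings are skipped."""
    settings = {}
    for line in lines:
        m = SETTING_RE.match(line.strip())
        if m:
            value = m["value"].strip().strip('"\\')  # handles "x" and \x\ forms
            settings.setdefault(m["section"], {})[m["key"]] = value
    return settings


def audit(settings, debug_mode=False):
    """Return a list of (section, key, explanation) findings."""
    findings = []
    main = settings.get("main", {})
    tls = settings.get("tls", {})

    # --- logging: why radius.log may stay empty, or say too much ---
    if main.get("log_auth") == "no":
        findings.append(("main", "log_auth",
                         "authentication results are not written to log_file"))
    for key in ("log_auth_badpass", "log_auth_goodpass"):
        if main.get(key) == "yes":
            findings.append(("main", key, "passwords are written to the log in clear"))
    if debug_mode:
        findings.append(("main", "log_file",
                         "server was started with -X; messages go to the terminal, not log_file"))

    # --- EAP-TLS client certificate checks ---
    if tls:
        if tls.get("check_crl", "no") != "yes":
            findings.append(("tls", "check_crl",
                             "no CRL check: a revoked client certificate is still accepted"))
        if tls.get("check_cert_cn") in (None, "", "(null)"):
            findings.append(("tls", "check_cert_cn",
                             "certificate CN is not compared with the User-Name"))
        if tls.get("private_key_password", "") in PLACEHOLDER_PASSWORDS:
            findings.append(("tls", "private_key_password",
                             "looks like a sample/placeholder password"))
        if tls.get("rsa_key_exchange") == "yes":
            keys = ("rsa_key_length", "dh_key_length")
        else:
            keys = ("dh_key_length",)  # rsa_key_length is unused without RSA key exchange
        for key in keys:
            if key in tls and tls[key].isdigit() and int(tls[key]) < MIN_KEY_BITS:
                findings.append(("tls", key,
                                 f"{tls[key]} bits configured, below {MIN_KEY_BITS}"))
    return findings


def finding_keys(findings):
    return sorted(key for _, key, _ in findings)


# Constructed sample in the shape of the startup output quoted in this thread
# (values taken from the posts; a backslash-quoted line is included on purpose).
SAMPLE_DEBUG = [
    "Starting - reading configuration files ...",
    "main: prefix = \\/usr/local\\",
    'main: log_file = "/usr/local/var/log/radius/radius.log"',
    "main: log_auth = no",
    "main: log_auth_badpass = no",
    "main: log_auth_goodpass = no",
    'eap: default_eap_type = "tls"',
    "tls: rsa_key_exchange = no",
    "tls: dh_key_exchange = yes",
    "tls: rsa_key_length = 512",
    "tls: dh_key_length = 512",
    'tls: private_key_password = "password"',
    "tls: check_crl = no",
    'tls: check_cert_cn = "(null)"',
]

if __name__ == "__main__":
    for section, key, why in audit(parse_settings(SAMPLE_DEBUG), debug_mode=True):
        print(f"{section}: {key}: {why}")
```

Feed it the captured output with `audit(parse_settings(open("radiusd-X.txt").readlines()))`; pass `debug_mode=True` when the capture came from a -X run, since in that mode an empty radius.log is expected rather than a misconfiguration.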
Re: log file for free radius 1.1.6 eap-tls authentication
Hi,

I am getting the following message in the log when it first starts (radiusd -X):

[EMAIL PROTECTED] radius]# cat radius.log
Wed May 30 11:24:14 2007 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed May 30 11:24:14 2007 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed May 30 11:24:14 2007 : Info: rlm_eap_tls: Loading the certificate file as a chain
Wed May 30 11:24:14 2007 : Info: Ready to process requests.

But if I start the server again, no logs and nothing other than this is coming in the log.

Regarding the users file: in Navis RADIUS I used to do that in EAP-TLS, that's why I asked.

Regards
Anoop

Message: 5
Date: Tue, 29 May 2007 09:42:52 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org

1. That's not how certificates work. You add those that you want to PREVENT from connecting (for whatever reason) to the Certificate Revocation List (CRL). You supposedly do have control over who certificates are issued to. If you have no control over the CA then you shouldn't be using them.

2. Is anything (reading config files etc.) written to the log when you restart the server?

Ivan Kalik
Kalik Informatika ISP

On 29/5/2007, [EMAIL PROTECTED] wrote:

Hi

1. I know it's EAP-TLS and certificate based. Earlier I was using Navis RADIUS. In that, for EAP-TLS we have to add the certificate name to a specific users file. Like that, here also a users file is there; can I make use of the users file so that only that user gets authenticated?

2. Logs are not happening. Any config changes required to get the same?

Regards
Anoop

Message: 2
Date: Mon, 28 May 2007 15:07:06 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org

This is EAP-TLS. This user has a valid user certificate and is accepted. If you don't want to go via certificates but use user/password, use EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).

Ivan Kalik
Kalik Informatika ISP
Re: log file for free radius 1.1.6 eap-tls authentication
1. RE: Gigaword support ([EMAIL PROTECTED])
2. Re : Multiple server certificates in EAP-TLS or EAP-TTLS (Eshun Benjamin)
3. Re: log file for free radius 1.1.6 eap-tls authentication ([EMAIL PROTECTED])
4. problem in authentication with EAP-MD5 (shantanu choudhary)

Message: 4
Date: Wed, 30 May 2007 09:23:21 +0100 (BST)
From: shantanu choudhary [EMAIL PROTECTED]
Subject: problem in authentication with EAP-MD5
To: freeradius-users@lists.freeradius.org

hi all,

I am trying to get authenticated by the RADIUS server using EAP-MD5 but I always get FAILURE and I am not able to figure out the problem. Can anyone help me out!

My client side shows output like this:

EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=17): 01 00 00 0d 02 00 00 0d 01 74 65 73 74 75 73 65 72
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:03:7f:09:60:a0
RX EAPOL - hexdump(len=26): 01 00 00 16 01 01 00 16 04 10 e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c 21 cd a9
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 4 (MD5)
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 4 (MD5) selected
CTRL_IFACE monitor send - hexdump(len=22): 2f 74 6d 70 2f 77 70 61 5f 63 74 72 6c 5f 31 36 32 37 35 2d 31 00
EAP: EAP entering state METHOD
EAP-MD5: Challenge - hexdump(len=16): e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c 21 cd a9
EAP-MD5: Generating Challenge Response
EAP-MD5: Response - hexdump(len=16): 4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56 30 bf c6
EAP: method process - ignore=FALSE methodState=DONE decision=UNCOND_SUCC
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL - hexdump(len=26): 01 00 00 16 02 01 00 16 04 10 4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56 30 bf c6
EAPOL: SUPP_BE entering state RECEIVE
RX ctrl_iface - hexdump_ascii(len=4): 50 49 4e 47 PING
RX ctrl_iface - hexdump_ascii(len=6): 53 54 41 54 55 53 STATUS
ioctl[SIOCGIFADDR]: Cannot assign requested address
RX ctrl_iface - hexdump_ascii(len=13): 4c 49 53 54 5f 4e 45 54 57 4f 52 4b 53 LIST_NETWORKS
RX ctrl_iface - hexdump_ascii(len=4): 50 49 4e 47 PING
RX
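The wpa_supplicant trace in Message 4 above contains the whole EAP-MD5 exchange as raw EAPOL frames: the Identity response ("testuser"), the server's MD5-Challenge request with id 1, and the supplicant's response. Decoding them shows that the client side did its part correctly, which narrows a FAILURE down to the server's comparison (the password it has for that user, or the user not being known to it at all). The code below is an added example, not from this thread, wpa_supplicant or FreeRADIUS: it parses those three frames and shows the RFC 3748 / RFC 1994 check the server performs, MD5(Identifier | password | challenge), using a made-up password since the message does not give one.

```python
"""Decode EAPOL/EAP-MD5 frames from a wpa_supplicant hexdump and show the
server-side check of an MD5-Challenge response.

Added example; not code from the thread, wpa_supplicant or FreeRADIUS. The
three frames are copied from the hexdump quoted above; the password used in
the verification demo is made up, since the message does not give one.
"""
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}


def parse_eapol(hexdump: str) -> dict:
    """Parse one EAPOL frame (802.1X header followed by an EAP packet)."""
    data = bytes.fromhex(hexdump)
    version, ptype, length = struct.unpack("!BBH", data[:4])
    frame = {"eapol_version": version, "eapol_type": ptype, "eapol_length": length}
    if ptype != 0:                      # 0 = EAP-Packet; other types carry no EAP
        return frame
    body = data[4:4 + length]
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    frame.update(code=EAP_CODES.get(code, code), id=ident, eap_length=eap_len)
    if code in (1, 2) and eap_len > 4:  # Request/Response carry a Type byte
        etype = body[4]
        payload = body[5:eap_len]
        frame["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            frame["identity"] = payload.decode("ascii", "replace")
        elif etype == 4:                # Value-Size, Value, optional Name
            size = payload[0]
            frame["value"] = payload[1:1 + size]
            frame["name"] = payload[1 + size:]
    return frame


def md5_challenge_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4 (CHAP, RFC 1994): MD5(Identifier | secret | challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def verify_md5_response(ident: int, password: bytes, challenge: bytes,
                        response: bytes) -> bool:
    """What the authentication server does with the password it has on file."""
    return hmac.compare_digest(md5_challenge_response(ident, password, challenge), response)


# Frames copied from the wpa_supplicant hexdump quoted above.
TX_IDENTITY = "01 00 00 0d 02 00 00 0d 01 74 65 73 74 75 73 65 72"
RX_CHALLENGE = ("01 00 00 16 01 01 00 16 04 10 "
                "e5 b2 63 cb 4e 4f e7 d1 b1 4f 30 95 6c 21 cd a9")
TX_RESPONSE = ("01 00 00 16 02 01 00 16 04 10 "
               "4a f8 0b fc 31 7e 27 47 ac 95 4c 77 56 30 bf c6")


def exchange_summary() -> dict:
    """Identity, challenge and response as the supplicant sent them."""
    ident = parse_eapol(TX_IDENTITY)
    req = parse_eapol(RX_CHALLENGE)
    resp = parse_eapol(TX_RESPONSE)
    return {
        "identity": ident["identity"],
        "id": req["id"],
        "challenge": req["value"].hex(),
        "response": resp["value"].hex(),
        "ids_match": req["id"] == resp["id"],
    }


if __name__ == "__main__":
    print(exchange_summary())
    # Constructed demo: a made-up password run through the same computation.
    challenge = parse_eapol(RX_CHALLENGE)["value"]
    demo = md5_challenge_response(1, b"demo-password", challenge)
    print("right password:", verify_md5_response(1, b"demo-password", challenge, demo))
    print("wrong password:", verify_md5_response(1, b"other", challenge, demo))
```

Note that the Identifier byte is part of the hash, so a response is only valid for the request it answers; the summary's `ids_match` confirms the supplicant used the id from the challenge it received. The same decode applies to the EAP-Message attribute in the RADIUS debug output above (it is the EAP packet without the 4-byte EAPOL header).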
Re: log file for free radius 1.1.6 eap-tls authentication
1. That's not how certificates work. You add those that you want to PREVENT from connecting (for whatever reason) to a Certificate Revocation List (CRL). You supposedly do have control over who certificates are issued to. If you have no control over the CA then you shouldn't be using them.

2. Is anything (reading config files etc.) written to the log when you restart the server?

Ivan Kalik
Kalik Informatika ISP

On 29/5/2007, [EMAIL PROTECTED] wrote:
Hi,
1. I know it's eap-tls and certificate based. Earlier I was using Navis radius. In that, for eap-tls we have to add the certificate name to a specific user file. Like that, here also a user file is there; can I make use of the user file so that only that user gets authenticated?
2. Logs are not happening. Are config changes required to get the same?
Regards,
Anoop

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: log file for free radius 1.1.6 eap-tls authentication
Hi all,
I have two queries.

1. I have changed log_auth = yes. Still I am not able to get logs. Please find my configs:

prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /usr/local/var/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

#  Location of config and logfiles.
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd

#
#  The logging messages for the server are appended to the
#  tail of this file.
#
log_file = /usr/local/var/log/radius/radius.log

log_stripped_names = no

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = yes

#  Log passwords with the authentication requests.
#  log_auth_badpass  - logs password if it's rejected
#  log_auth_goodpass - logs password if it's correct

2. While I was using Navis radius, there was one users file where you have to add all usernames. In free radius, without adding the username the authentication is also working. I would like to have a users file so that only the users specified in it will authenticate. What config change should I make for the same?
Re: log file for free radius 1.1.6 eap-tls authentication
Post the radiusd -X output of a user not in the users file being accepted.

Ivan Kalik
Kalik Informatika ISP

On 28/5/2007, [EMAIL PROTECTED] wrote:
2. While I was using Navis radius, there was one users file where you have to add all usernames. In free radius, without adding the username the authentication is also working. I would like to have a users file so that only the users specified in it will authenticate. What config change should I make for the same?
Re: log file for free radius 1.1.6 eap-tls authentication
A
rlm_eap_tls: TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 3 to 192.168.0.50 port 1026
        EAP-Message = 0x010400350d80002b14030100010116030100204162186f236f12a6774a934742937f8d6653973dbce3f01ee4c223e78617f9d4
        Message-Authenticator = 0x
        State = 0x5edb6911600c27ccf2a62bd801e114ab
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.50:1026, id=4, length=217
        Message-Authenticator = 0x885b78f58d62d0eec96b2535b1e9bfb1
        Service-Type = Framed-User
        User-Name = "saravanakumar07"
        Framed-MTU = 1488
        State = 0x5edb6911600c27ccf2a62bd801e114ab
        Called-Station-Id = "00-0F-3D-AF-DD-C2:default"
        Calling-Station-Id = "00-0E-35-F3-A1-67"
        NAS-Identifier = "D-Link Access Point"
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 54Mbps 802.11g"
        EAP-Message = 0x020400060d00
        NAS-IP-Address = 192.168.0.50
        NAS-Port = 1
        NAS-Port-Id = "STA port # 1"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
    rlm_realm: No '@' in User-Name = "saravanakumar07", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
  modcall[authorize]: module "files" returns notfound for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 4
modcall: leaving group authenticate (returns ok) for request 4
Login OK: [saravanakumar07] (from client private-network-1 port 1 cli 00-0E-35-F3-A1-67)
Sending Access-Accept of id 4 to 192.168.0.50 port 1026
        MS-MPPE-Recv-Key = 0xb6e9159f33592da50de909d1f12d8cdfa9b866be2d2b12f90f7edefa4c7af054
        MS-MPPE-Send-Key = 0xca94e3cdf69257d148b01ccb582dbb3e45b06dbc4450b07850fb47288111daf0
        EAP-Message = 0x03040004
        Message-Authenticator = 0x
        User-Name = "saravanakumar07"
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 465ac5ef
Cleaning up request 1 ID 1 with timestamp 465ac5ef
Cleaning up request 2 ID 2 with timestamp 465ac5ef
Cleaning up request 3 ID 3 with timestamp 465ac5ef
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 4 with timestamp 465ac5f0
Nothing to do. Sleeping until we see a request.
[EMAIL PROTECTED] sbin]#

Message: 5
Date: Mon, 28 May 2007 12:08:21 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

Post the radiusd -X output of a user not in the users file being accepted.

Ivan Kalik
Kalik Informatika ISP
Re: log file for free radius 1.1.6 eap-tls authentication
Hi,
1. I know it's eap-tls and certificate based. Earlier I was using Navis radius. In that, for eap-tls we have to add the certificate name to a specific user file. Like that, here also a user file is there; can I make use of the user file so that only that user gets authenticated?
2. Logs are not happening. Are config changes required to get the same?
Regards,
Anoop

Message: 2
Date: Mon, 28 May 2007 15:07:06 +0100
From: [EMAIL PROTECTED]
Subject: Re: log file for free radius 1.1.6 eap-tls authentication
To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-2

This is EAP-TLS. This user has a valid user certificate and is accepted. If you don't want to go via certificates but use user/password, use EAP-TTLS with MS-CHAPv2 (or PAP or any other auth protocol).

Ivan Kalik
Kalik Informatika ISP
Re: log file for free radius 1.1.6 eap-tls authentication
Default radiusd.conf:

#  Log authentication requests to the log file.
#
#  allowed values: {no, yes}
#
log_auth = no

Change it to yes.

Ivan Kalik
Kalik Informatika ISP

On 24/5/2007, Anoop [EMAIL PROTECTED] wrote:
Hi,
I am using free radius 1.1.6 with eap-tls authentication. The whole set up is working fine. But I am not getting any logs, like user login ok, login failed etc. Please guide me: how will I get logs and what configuration do I need to do in the configuration files?
Regards,
Anoop
log file for free radius 1.1.6 eap-tls authentication
Hi,
I am using free radius 1.1.6 with eap-tls authentication. The whole set up is working fine. But I am not getting any logs, like user login ok, login failed etc. Please guide me: how will I get logs and what configuration do I need to do in the configuration files?
Regards,
Anoop

** DISCLAIMER ** Information contained and transmitted by this E-MAIL is proprietary to Sify Limited and is intended for use only by the individual or entity to which it is addressed, and may contain information that is privileged, confidential or exempt from disclosure under applicable law. If this is a forwarded message, the content of this E-MAIL may not have been sent with the authority of the Company. If you are not the intended recipient, an agent of the intended recipient or a person responsible for delivering the information to the named recipient, you are notified that any use, distribution, transmission, printing, copying or dissemination of this information in any way or in any manner is strictly prohibited. If you have received this communication in error, please delete this mail and notify us immediately at [EMAIL PROTECTED]
Re: free radius 1.1.6 -eap-tls authentication
CRLs are not the best way to conduct authorization for EAP-TLS; their control is too coarse when the goal is to enable/disable the use of valid certificates for different purposes, and they don't let you assign other authorization info like what VLAN a user should be assigned to.

The only option that currently works for access to real authorization with EAP-TLS is to use the

check_cert_cn = %{User-Name}

option in the tls section of eap.conf, so you can be sure the outer identity (User-Name) matches the inner identity in the certificate; it is then valid to check User-Name against another source for authorization. If you don't perform this check you can't be sure the outer identity (User-Name) has any relation to the identity represented by the certificate.

This is only an option if your user certificates contain the unique user id you will look up for authorization in the Common Name field, not in the Subject Alternative Name - Principal Name field (which many organizations use, as their user certificate Common Names are not unique user identifiers).

-Keith

On May 17, 2007, at 1:49 AM, Alan DeKok wrote:

[EMAIL PROTECTED] wrote:
3. In the users file I haven't added any certificate name as it is eap-tls. So if I want to remove a user from the n/w I don't have control. Is there any method like I can add the certificate names in the users file, then only that should work?

Certificate revocation lists.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
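The policy Keith describes, and the behaviour Anoop is asking for further down the thread (only users listed in the users file get in), can be written out as a small decision function. The Python below is an added example, not FreeRADIUS's own code: the RADIUS User-Name is accepted only if it equals the Common Name the server extracted from the client certificate (the binding check_cert_cn = %{User-Name} enforces), and is then looked up in a users file to get the allow/deny decision and the reply attributes such as the VLAN. The users file content is constructed for the example; the attribute name TLS-Client-Cert-Common-Name is the one later FreeRADIUS versions populate from the certificate and is an assumption here, since 1.1.6 only exposes the check_cert_cn option.

```python
"""Model of EAP-TLS authorization: bind User-Name to the certificate CN,
then use a users file as the allow-list and source of reply attributes."""
import re

# Constructed users file in FreeRADIUS `users` syntax; not from the thread.
USERS_FILE = """\
# Only names listed here are authorized; the certificate proves identity.
alice   Auth-Type := EAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 10

bob     Auth-Type := EAP
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 20
"""

# Attribute  op  value   (value may be double-quoted)
ITEM_RE = re.compile(r'^([\w-]+)\s*(:=|==|\+=|=)\s*"?([^"]*?)"?$')


def _parse_items(text):
    """Parse 'Attr op value, Attr op value' into {Attr: value}."""
    items = {}
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        match = ITEM_RE.match(part)
        if not match:
            raise ValueError(f"cannot parse item {part!r}")
        items[match.group(1)] = match.group(3)
    return items


def parse_users_file(text):
    """Return {name: {"check": {...}, "reply": {...}}}.

    An entry starts in column 0 with the name and its check items; the
    indented lines that follow are that entry's reply items.
    """
    users, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace():
            if current is None:
                raise ValueError("reply items before any entry")
            users[current]["reply"].update(_parse_items(line))
        else:
            fields = line.split(None, 1)
            current = fields[0]
            checks = fields[1] if len(fields) > 1 else ""
            users[current] = {"check": _parse_items(checks), "reply": {}}
    return users


def authorize(request, users):
    """Decide an EAP-TLS request whose client certificate already verified
    against the CA. Returns (decision, reason, reply_attributes)."""
    name = request.get("User-Name")
    cn = request.get("TLS-Client-Cert-Common-Name")  # assumed attribute name
    if not name or cn is None:
        return "reject", "no User-Name or no client certificate CN", {}
    # Step 1: the check_cert_cn = %{User-Name} binding. Without it the outer
    # identity is a free-form string chosen by the supplicant.
    if cn != name:
        return "reject", f"certificate CN {cn!r} != User-Name {name!r}", {}
    # Step 2: the users file is the allow-list. A name that is not there is
    # rejected here, whereas the debug output in the thread shows "files"
    # returning notfound and the request still being accepted.
    entry = users.get(name)
    if entry is None:
        return "reject", f"{name!r} is not in the users file", {}
    return "accept", "CN matches User-Name and entry found", dict(entry["reply"])


if __name__ == "__main__":
    table = parse_users_file(USERS_FILE)
    print(authorize({"User-Name": "alice",
                     "TLS-Client-Cert-Common-Name": "alice"}, table))
    print(authorize({"User-Name": "alice",
                     "TLS-Client-Cert-Common-Name": "bob"}, table))
```

The second call in the usage shows the failure mode Keith is warning about: a valid certificate for bob presented with User-Name alice would, without the CN binding, pick up alice's VLAN.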
free radius 1.1.6 -eap-tls authentication
Dear all,
My EAP-TLS is working with free radius 1.1.6 as I did every installation starting from zero. Thanks to all for the help. I have a few queries for free radius as I was using Navis radius.
1. Where will I find the log of the authentication, like username login ok... or login failed?
2. One user's certificate, if I install it in another user's laptop, it works. I want one user certificate to work on one laptop only.
3. In the users file I haven't added any certificate name as it is eap-tls. So if I want to remove a user from the n/w I don't have control. Is there any method like I can add the certificate names in the users file, then only that should work?
Regards,
Anoop
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
1. Where will I find the log of the authentication, like username login ok... or login failed?

It's in radius.log

2. One user's certificate, if I install it in another user's laptop, it works. I want one user certificate to work on one laptop only.

There's no real way of doing that. You *could* put the MAC address into the certificate, and have the RADIUS server check that against the MAC address in the RADIUS request, but there's no guarantee that will work. It can be spoofed, and it can break valid configurations.

3. In the users file I haven't added any certificate name as it is eap-tls. So if I want to remove a user from the n/w I don't have control. Is there any method like I can add the certificate names in the users file, then only that should work?

Certificate revocation lists.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
Dear all,
I am using the same AP, same Windows client and same root certificate for testing Navis as well as free radius. The root certificate is also installed. Is there any clue in the debug message?

No. If there was, you would have been told.

All I know is that the symptoms you're seeing usually have the same cause. And other people get it to work, so I'm not sure what else to say.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
free radius 1.1.6 -eap-tls authentication
Dear all,
I am using the same AP, same Windows client and same root certificate for testing Navis as well as free radius. The root certificate is also installed. Is there any clue in the debug message?

[EMAIL PROTECTED] wrote:
Dear all,
Thank you for the responses. I am using the openssl tool for certificate generation. I have included the file xpextensions while generating certificates. The same certificates worked well with the Navis radius server and Windows XP as client. So this may not be the problem here.

Is it the SAME Windows client, with the SAME root certificate, with the SAME access point, going to FreeRADIUS using the SAME certificate?

If it really works for Navis using the same certificate, my guess is that your tests for FreeRADIUS are using a different Windows machine, without the root certificate installed.

Alan DeKok.
free radius 1.1.6 -eap-tls authentication
Hi list,
While doing eap-tls authentication I am getting the following debug messages. Anybody please clarify.

TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
eaptls_verify returned 1
eaptls_process returned 13

What do these debug messages indicate?

Anoop
Re: free radius 1.1.6 -eap-tls authentication
[EMAIL PROTECTED] wrote:
While doing eap-tls authentication I am getting the following debug messages. Anybody please clarify.
...
What do these debug messages indicate?

That the server is working as expected.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: free radius 1.1.6 -eap-tls authentication
Dear all,
Thanks for the information. I am still not able to do a successful authentication. These are my configurations. I have copied my root.pem and server.pem to the /etc/raddb/certs directory.

1. My eap.conf file is like this:

eap {
        default_eap_type = tls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        ## EAP-TLS
        tls {
                private_key_password = password
                private_key_file = /etc/raddb/certs/07xwifi.pem
                certificate_file = /etc/raddb/certs/07xwifi.pem
                CA_file = /etc/raddb/certs/root.pem
                dh_file = /etc/raddb/certs/dh
                random_file = /etc/raddb/certs/random
                fragment_size = 1024
                include_length = yes
        }

        peap {
                default_eap_type = tls
        }
}

2. radiusd.conf (only the authorize and authenticate sections):

instantiate {
}

authorize {
        preprocess
        mschap
        eap
        files
}

# Authentication.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}

3. I haven't modified the users file since it's eap-tls authentication.

Guide me on any modification required further for eap-tls certificate-based authentication.

Regards,
Anoop
Re: free radius 1.1.6 -eap-tls authentication
The FAQ, README, INSTALL, etc. all say to run the server in debugging mode to see what's going on.

Dear all,
I ran the radius server in debug mode and the output is as follows. I didn't get any clue to the problem.

[EMAIL PROTECTED] raddb]# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/usr/local/var"
 main: logdir = "/usr/local/var/log/radius"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/usr/local/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/usr/local/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded eap
 eap: default_eap_type = "tls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/07xwifi.pem"
 tls: certificate_file = "/etc/raddb/certs/07xwifi.pem"
 tls: CA_file = "/etc/raddb/certs/root.pem"
 tls: private_key_password = "password"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
 tls: cipher_list = "(null)"
 tls: check_cert_issuer = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 peap: default_eap_type = "tls"
 peap: copy_request_to_tunnel = no
 peap: use_tunneled_reply = no
 peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = "/etc/raddb/huntgroups"
 preprocess: hints = "/etc/raddb/hints"
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = "suffix"
 realm: delimiter = "@"
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded System
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded radutmp
 radutmp: filename = "/usr/local/var/log/radius/radutmp"
 radutmp: username = "%{User-Name}"
 radutmp: case_sensitive = yes
 radutmp: