LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-07-2006, 08:18 AM   #1
tobi
LQ Newbie
 
Registered: Mar 2006
Posts: 1

Rep: Reputation: 0
freeRADIUS eap-tls authentification fails at winxp pro sp2


Hello,
first sorry for my english because I'm from germany(-:
my problem:

Hardware: SuSE linux 10 Server, Linksys WRT54GX Router and a Windows XP Pro SP2 client with Linksys WPC54GX 108mbit PCMCIA Card.

I'd like to setup a freeRADIUS eap-tls authentification. Therefore I found the following howto:
***.linuxjournal.com/article/8095 (3 different parts)

Everything went fine and i started my radius server with radiusd -X -A
SuSE reported "ready to process requests".
Then I set up my router and copied cacert.pem and server_keycert.p12 to my xp pc.
The installation of the certificates was also no problem(***.freeradius.org/doc/EAPTLS.pdf).

So I started to connect with with windows xp but after a few moments an error occurs "authentification failed".


radiusd -X -A reports:

starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = yes
eap: cisco_accounting_username_bug = no
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "/etc/raddb/certs"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/server_key.pem"
tls: certificate_file = "/etc/raddb/certs/server_cert.pem"
tls: CA_file = "/etc/raddb/certs/cacert.pem"
tls: private_key_password = "sx4927a12dyyh"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = yes
tls: check_cert_cn = "%{User-Name}"
rlm_eap: Loaded and initialized type tls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.111:1031, id=243, length=118
User-Name = "user.domain.com"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x02010013016576612e656c6c6572742e636f6d
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0xaa133d169962b81402f4f60aea6b803f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "user.domain.com", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 19
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 243 to 192.168.0.111:1031
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5535d0bc3f6dd4407547fbe87c43e062
Finished request 0
Going to the next request












I also tried odyssey as supplicant for windowsxp,then these errors occur:



Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.111:1034, id=55, length=136
User-Name = "user"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x020400110d800000000715030100020233
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0xc4ccca0d91b83d2a721c49a0c51e9bc9
Message-Authenticator = 0x40a71ca746ea0c7a933f93095a55e86a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 52
modcall[authorize]: module "preprocess" returns ok for request 52
modcall[authorize]: module "chap" returns noop for request 52
modcall[authorize]: module "mschap" returns noop for request 52
rlm_realm: No '@' in User-Name = "user", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 52
rlm_eap: EAP packet type response id 4 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 52
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 52
modcall: group authorize returns updated for request 52
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 52
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
TLS_accept:failed in SSLv3 read client certificate A
6699:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1052:SSL alert number 51
6699:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 52
modcall: group authenticate returns reject for request 52
auth: Failed to validate the user.
Login incorrect: [Eva-Maria Ellert/<no User-Password attribute>] (from client wrt54gx port 0 cli 00-13-10-ae-cb-f5)
Delaying request 52 for 5 seconds
Finished request 52
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 49 ID 52 with timestamp 440d8225
Cleaning up request 50 ID 53 with timestamp 440d8225
Cleaning up request 51 ID 54 with timestamp 440d8225
Sending Access-Reject of id 55 to 192.168.0.111:1034
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 52 ID 55 with timestamp 440d8225
Nothing to do. Sleeping until we see a request.




I have also installed winxp WPA2 update...
Thanks for your help!


greetings tobi
 
Old 03-10-2006, 03:52 PM   #2
cleidh_mor
Member
 
Registered: Mar 2005
Location: Glasgow, Scotland
Distribution: SuSE
Posts: 70

Rep: Reputation: 15
Hi tobi,

Quote:
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 243 to 192.168.0.111:1031
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x5535d0bc3f6dd4407547fbe87c43e062
Finished request 0
Going to the next request
This is similar to a problem I have with a WinXP client using a Cisco Airnet PCI card. I couldn't get it working - I think the WinXP supplicant is broken for EAP-TLS. It doesn't respond to the Access-Challenge and the request times out.

Quote:
lm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
TLS_accept:failed in SSLv3 read client certificate A
6699:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1052:SSL alert number 51
6699:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 52
Ouch - Oddesey is clearly broken here as well. This is definitely an application error on the part of Oddesey.

I have managed to get freeRADIUS working with a Cisco Aironet PC card. It doesn't use the built-in Windows drivers and includes its own supplicant (which is why I think the other two are broken). Try and get your hands on a Cisco PC card even to test.

If you do get it working with the Windows supplicant, please post your solution
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
mandrake 10.0 and WinXP Pro sp2 ethernet networking aydindemirci Linux - Networking 1 03-05-2006 05:03 PM
mandrake 10.0 and WinXP sp2 ethernet networking aydindemirci Linux - Networking 1 03-05-2006 04:14 PM
Samba WinXP SP2 <---> FC3 Problems madballs64 Linux - Networking 1 12-16-2005 11:44 AM
WINXP SP2 / FC 4 dual boot ieduarte73 Linux - Newbie 3 08-26-2005 01:51 PM
Samba down since WinXP SP2 update naloxone Linux - Networking 1 08-22-2004 04:41 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:24 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration