Old 11-21-2012, 04:53 PM   #1
muhamed.ahmovic
LQ Newbie
 
Registered: Sep 2012
Location: Bosnia and Hercegovina
Distribution: CentOS
Posts: 21

Rep: Reputation: Disabled
Freeradius and EAP-TLS


Hello,

I am trying to implement EAP-TLS wired authentication. I have configured my own OpenSSL CA and created RADIUS and client certificates. I have also configured FreeRADIUS for TLS, but have had no success authenticating the client. When EAP-PEAP is used everything works fine, but TLS does not. Here is the FreeRADIUS debugging output:

rad_recv: Access-Request packet from host 192.168.10.200 port 1645, id=23, length=169
User-Name = "tc1.thinclient.net"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-18-18-67-05-17"
Calling-Station-Id = "00-21-5A-6F-AC-80"
EAP-Message = 0x02040017017463312e7468696e636c69656e742e6e6574
Message-Authenticator = 0xc65be5a18d60a837260b67996bb095f0
NAS-Port-Type = Ethernet
NAS-Port = 50023
NAS-Port-Id = "FastEthernet0/23"
NAS-IP-Address = 192.168.10.200
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tc1.thinclient.net", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.10.200 port 1645
EAP-Message = 0x010500060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x8397801d83928deadd90f2f851618245
Finished request 12.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.200 port 1645, id=24, length=170
User-Name = "tc1.thinclient.net"
Service-Type = Framed-User
Framed-MTU = 1500
Called-Station-Id = "00-18-18-67-05-17"
Calling-Station-Id = "00-21-5A-6F-AC-80"
EAP-Message = 0x020500060300
Message-Authenticator = 0xfff555d6b8162796a6b800d64f31dfa2
NAS-Port-Type = Ethernet
NAS-Port = 50023
NAS-Port-Id = "FastEthernet0/23"
State = 0x8397801d83928deadd90f2f851618245
NAS-IP-Address = 192.168.10.200
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "tc1.thinclient.net", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> tc1.thinclient.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 13 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 13
Sending Access-Reject of id 24 to 192.168.10.200 port 1645
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 12 ID 23 with timestamp +360
Waking up in 1.0 seconds.
Cleaning up request 13 ID 24 with timestamp +360


Can anyone point me in the right direction, please?

Thank you in advance
Muhamed
 
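The EAP-Message values in the trace above already tell the story if they are decoded. The following is an added example written for this thread, not FreeRADIUS or wpa_supplicant code: it parses an EAP packet (RFC 3748 header, RFC 5216 EAP-TLS flags octet) from the 0x... hex string FreeRADIUS prints, and `diagnose()` walks the four messages copied from the post (the `SAMPLE_TRACE` list). It shows that the server's Request is an EAP-TLS Start (type 13, S flag), and that the client answers with a Nak whose desired type is 0, which is what the "NAK asked for bad type 0" line reports: the supplicant declined to run EAP-TLS at all rather than failing inside TLS. That matches the resolution in post #2 (the supplicant could not find its certificate material). The helper and function names are my own.

```python
"""Decode the EAP-Message attributes from a FreeRADIUS debug trace.

Illustrative helper written for this thread; it is not FreeRADIUS or
wpa_supplicant code.  Layout follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS).
"""
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_FLAG_L, TLS_FLAG_M, TLS_FLAG_S = 0x80, 0x40, 0x20   # length / more / start

# The four EAP-Message values copied from the debug output above, in order.
SAMPLE_TRACE = [
    "0x02040017017463312e7468696e636c69656e742e6e6574",  # Response / Identity
    "0x010500060d20",                                      # Request / EAP-TLS, S flag
    "0x020500060300",                                      # Response / Nak, desired type 0
    "0x04050004",                                          # Failure
]


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int] = None
    data: bytes = b""
    notes: List[str] = field(default_factory=list)

    def __str__(self) -> str:
        head = f"{EAP_CODES.get(self.code, self.code)} id={self.identifier} len={self.length}"
        if self.type is not None:
            head += f" type={EAP_TYPES.get(self.type, self.type)}"
        return head + ("  [" + "; ".join(self.notes) + "]" if self.notes else "")


def decode_eap(hex_attr: str) -> EapPacket:
    """Parse one EAP-Message attribute value (the 0x... string from the log)."""
    raw = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != attribute size {len(raw)}")
    pkt = EapPacket(code, ident, length)
    if code in (3, 4):            # Success / Failure carry no type byte
        return pkt
    if length < 5:
        raise ValueError("Request/Response needs a type byte")
    pkt.type, pkt.data = raw[4], raw[5:]
    if pkt.type == 1:             # Identity: payload is the (still unauthenticated) user name
        pkt.notes.append(f"identity={pkt.data.decode('utf-8', 'replace')!r}")
    elif pkt.type == 3:           # Nak: payload lists the methods the peer would accept instead
        wanted = list(pkt.data)
        if wanted in ([], [0]):
            pkt.notes.append("desired type 0: peer accepts no EAP method at all")
        else:
            pkt.notes.append("peer proposes " + ", ".join(EAP_TYPES.get(t, str(t)) for t in wanted))
    elif pkt.type == 13:          # EAP-TLS: first data byte is the flags octet
        flags = pkt.data[0] if pkt.data else 0
        bits = "".join(n for n, m in (("L", TLS_FLAG_L), ("M", TLS_FLAG_M), ("S", TLS_FLAG_S)) if flags & m)
        pkt.notes.append(f"tls_flags={bits or '-'}")
        if code == 1 and flags & TLS_FLAG_S:
            pkt.notes.append("EAP-TLS Start: server asks the client to begin TLS")
    return pkt


def diagnose(trace: List[str]) -> str:
    """Return a one-line verdict for the EAP exchange in the trace."""
    pkts = [decode_eap(h) for h in trace]
    for prev, cur in zip(pkts, pkts[1:]):
        server_started_tls = (prev.code == 1 and prev.type == 13
                              and bool(prev.data) and (prev.data[0] & TLS_FLAG_S) != 0)
        if server_started_tls and cur.code == 2 and cur.type == 3 and cur.identifier == prev.identifier:
            if list(cur.data) in ([], [0]):
                return "supplicant rejected EAP-TLS"
            return "supplicant wants a different EAP method"
    if pkts and pkts[-1].code == 3:
        return "success"
    return "failed for another reason"


if __name__ == "__main__":
    for h in SAMPLE_TRACE:
        print(decode_eap(h))
    print("verdict:", diagnose(SAMPLE_TRACE))
```

When the verdict is "supplicant rejected EAP-TLS", the RADIUS side (CA, server certificate, `eap.conf`) is not where to look first: the server never got a TLS ClientHello. Check the supplicant's `eap=` method and whether it can actually open the CA, client certificate and private key files it has been pointed at. A Nak that proposes PEAP or another method instead means the supplicant is simply configured for the wrong EAP type.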
Old 11-26-2012, 07:41 AM   #2
muhamed.ahmovic
LQ Newbie
 
Registered: Sep 2012
Location: Bosnia and Hercegovina
Distribution: CentOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
SOLVED,

my root certificate at the client was in the wrong place :-)
 
Old 02-07-2016, 02:12 PM   #3
Ali One
LQ Newbie
 
Registered: Feb 2016
Posts: 1

Rep: Reputation: Disabled
I'm getting the same error. Where should I place the root certificate?
 
Old 02-20-2016, 03:54 PM   #4
muhamed.ahmovic
LQ Newbie
 
Registered: Sep 2012
Location: Bosnia and Hercegovina
Distribution: CentOS
Posts: 21

Original Poster
Rep: Reputation: Disabled
Hi Ali,

In my case the CA root certificate should be at /etc/pki/CA/, the client public certificate should be at /etc/pki/CA/certs/ and the client private key should be at /etc/pki/CA/private/.
BTW, check your /etc/wpa_supplicant.conf settings....

Regards
 