List: freeradius-users
Subject: Re: Certificate problems? Freeradius 2.1.10 on Debian squeeze
From: "John Dunning" <jodunni1 () wsc ! edu>
Date: 2011-08-30 21:45:10
Message-ID: 4E5D1399.97D9.0098.1 () wsc ! edu
On 05/08/2011 17:00, John Dunning wrote:
Greetings all,
We've been running freeradius 1.x on Debian Lenny for some time with great success authenticating against Novell eDirectory/LDAP.
Our Linux guru has moved on to exciting new opportunities and while the rest of us are decent at linux we're certainly missing his input here :)
We're trying to update the system to Squeeze and move from eDirectory to Active Directory authentication to stay more easily within the debian package scope.
I think I largely have the system set up to do EAP-TLS/PEAP/MS-CHAPv2 with Windows 7 supplicant but for some reason I can't seem to get the EAP-TLS tunnel to fire up.
I've tried going through http://wiki.freeradius.org/Certificate_Compatibility with the delivered certs (which are evidently supposed to be compatible) but I seem to be missing something.
I've got NTLM_AUTH working correctly (once I actually get that far), so I'm hoping that if I can get this cert issue figured out I'll be good to go.
Using a Cisco AIR1220 AP and have tried both Windows 7 and android supplicants and get the same problem (see -X log below).
Thanks in advance!!
JD

    certificate_file = "/etc/freeradius/certs/server.pem"

(1) Do:
    openssl x509 -in /etc/freeradius/certs/server.pem -noout -text
Check that the output contains this:
    X509v3 Extended Key Usage:
        TLS Web Server Authentication
...If it doesn't, see the "OIDs" comments in the FR wiki page.

(2) Check that Windows 7 is correctly configured to trust your certificates. Refer to 15-19 on:
http://www.wireless.bris.ac.uk/eduroam/instructions/go-vista/#wifi
[obviously you need to trust your root CA, not mine though]
For testing you can un-tick "Validate server certificate", but you should never do this with real credentials, or with real users.

(3) Android probably isn't a good OS to use for AAA testing, because depending on which version you have there are various bugs with its enterprise wi-fi support.

Regards, James
James,
Thanks for the quick feedback and my apologies for a very delayed response. Unfortunately I wear a number of hats and this is an R&D project that got back-burnered with school starting. So....the delivered key didn't have the TLS Web Server Authentication usage, so I looked at the certs in use on our production radius boxes and that cert did, in addition to being a domain wildcard cert so I could safely transfer it to my dev box. So....moved the working certs (both server and CA) to the dev box, made sure the configs pointed to them, checked the password to the private key and fired it back up. I also made sure Win 7 wasn't validating the CA cert just in case it wasn't happy with Globalsign. Still no love. Fresh logs attached....
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010 at 20:41:03
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ntlm_auth
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/opendirectory
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/cui
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/dynamic_clients
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/linelog
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
user = "freerad"
group = "freerad"
allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/freeradius"
libdir = "/usr/lib/freeradius"
radacctdir = "/var/log/freeradius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/var/run/freeradius/freeradius.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
home_server localhost {
ipaddr = 127.0.0.1
port = 1812
type = "auth"
secret = "testing123"
response_window = 20
max_outstanding = 65536
require_message_authenticator = yes
zombie_period = 40
status_check = "status-server"
ping_interval = 30
check_interval = 30
num_answers_to_alive = 3
num_pings_to_alive = 3
revive_interval = 120
status_check_timeout = 4
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm LOCAL {
}
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
client 10.45.0.11 {
require_message_authenticator = no
secret = "foobar21"
shortname = "4404-mgmt.wsc.edu"
}
client 10.47.249.248 {
require_message_authenticator = no
secret = "foobarness"
shortname = "WsC_Test"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /etc/freeradius/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /etc/freeradius/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /etc/freeradius/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /etc/freeradius/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = yes
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /etc/freeradius/modules/unix
unix {
radwtmp = "/var/log/freeradius/radwtmp"
}
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/etc/freeradius/certs"
pem_file_type = yes
private_key_file = "/etc/freeradius/certs/cert-srv.pem"
certificate_file = "/etc/freeradius/certs/cert-srv.pem"
CA_file = "/etc/freeradius/certs/cacert.pem"
private_key_password = "pepsione"
dh_file = "/etc/freeradius/certs/dh"
random_file = "/dev/urandom"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/etc/freeradius/certs/bootstrap"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
}
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
Module: Linked to sub-module rlm_eap_peap
Module: Instantiating eap-peap
peap {
default_eap_type = "mschapv2"
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
}
Module: Linked to sub-module rlm_eap_mschapv2
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no
}
Module: Instantiating module "ntlm_auth" from file /etc/freeradius/modules/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=AD --username=%{mschap:User-Name} --password=%{User-Password}"
input_pairs = "request"
shell_escape = yes
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /etc/freeradius/modules/files
files {
usersfile = "/etc/freeradius/users"
acctusersfile = "/etc/freeradius/acct_users"
preproxy_usersfile = "/etc/freeradius/preproxy_users"
compat = "no"
}
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp
radutmp {
filename = "/var/log/freeradius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/etc/freeradius/attrs.access_reject"
key = "%{User-Name}"
}
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_digest
Module: Instantiating module "digest" from file /etc/freeradius/modules/digest
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess
preprocess {
huntgroups = "/etc/freeradius/huntgroups"
hints = "/etc/freeradius/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /etc/freeradius/modules/detail
detail {
detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/etc/freeradius/attrs.accounting_response"
key = "%{User-Name}"
}
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 10.47.249.248 port 1645, id=3, length=125
User-Name = "jodunni1"
Framed-MTU = 1400
Called-Station-Id = "0017.9581.ba20"
Calling-Station-Id = "0016.eaa1.ef80"
Service-Type = Login-User
Message-Authenticator = 0x62c5abdc2f124f235a025a0b3926a475
EAP-Message = 0x0202000d016a6f64756e6e6931
NAS-Port-Type = Wireless-802.11
NAS-Port = 274
NAS-IP-Address = 10.47.249.248
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jodunni1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 70
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.47.249.248 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x201ac69e2019dfd218ecaf2edcbd7b2b
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 3 with timestamp +17
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x201ac69e2019dfd2 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 10.47.249.248 port 1645, id=3, length=125
User-Name = "jodunni1"
Framed-MTU = 1400
Called-Station-Id = "0017.9581.ba20"
Calling-Station-Id = "0016.eaa1.ef80"
Service-Type = Login-User
Message-Authenticator = 0x62c5abdc2f124f235a025a0b3926a475
EAP-Message = 0x0202000d016a6f64756e6e6931
NAS-Port-Type = Wireless-802.11
NAS-Port = 274
NAS-IP-Address = 10.47.249.248
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jodunni1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 70
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.47.249.248 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0783ab680780b2759bf5759da4154a21
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 3 with timestamp +23
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x0783ab680780b275 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 10.47.249.248 port 1645, id=3, length=125
User-Name = "jodunni1"
Framed-MTU = 1400
Called-Station-Id = "0017.9581.ba20"
Calling-Station-Id = "0016.eaa1.ef80"
Service-Type = Login-User
Message-Authenticator = 0x62c5abdc2f124f235a025a0b3926a475
EAP-Message = 0x0202000d016a6f64756e6e6931
NAS-Port-Type = Wireless-802.11
NAS-Port = 274
NAS-IP-Address = 10.47.249.248
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jodunni1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 70
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.47.249.248 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2d944b052d975263e1fa8e20b39558a4
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 3 with timestamp +28
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x2d944b052d975263 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
rad_recv: Access-Request packet from host 10.47.249.248 port 1645, id=3, length=125
User-Name = "jodunni1"
Framed-MTU = 1400
Called-Station-Id = "0017.9581.ba20"
Calling-Station-Id = "0016.eaa1.ef80"
Service-Type = Login-User
Message-Authenticator = 0x62c5abdc2f124f235a025a0b3926a475
EAP-Message = 0x0202000d016a6f64756e6e6931
NAS-Port-Type = Wireless-802.11
NAS-Port = 274
NAS-IP-Address = 10.47.249.248
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "jodunni1", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 70
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 3 to 10.47.249.248 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7c71d8b17c72c1390d2bf0470b87d69e
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 3 ID 3 with timestamp +34
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x7c71d8b17c72c139 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.
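The openssl check James gives in point (1) is the first of several that are worth running on the files eap.conf's tls { } section names before blaming the supplicant. The script below is an added example, not code from this thread or from the FreeRADIUS project: it wraps the EKU check together with three others that bite after copying certificates between boxes (the private key not matching certificate_file, private_key_password being wrong, the server cert not chaining to CA_file, or the cert having expired). So that it runs offline it builds a throwaway CA and two server certificates, one signed without any EKU and one with serverAuth; every path, subject name and passphrase in it is a made-up test value.

```shell
#!/bin/sh
# Added example; not code from this thread or from the FreeRADIUS project.
# Pre-flight checks for certificate_file, private_key_file, CA_file and
# private_key_password from eap.conf's tls { } section, using openssl(1).
# A supplicant that rejects the server certificate just goes silent, so
# radiusd only ever logs "EAP session ... did not finish"; these checks
# fail loudly instead. All paths, names and the passphrase are test values.
set -u

# Does the cert carry "TLS Web Server Authentication" in its EKU?
# Windows supplicants refuse a RADIUS server cert that lacks it.
has_server_auth_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication'
}

# Does the private key (passphrase optional) belong to the certificate?
# Compares the SubjectPublicKeyInfo, so it works for RSA and EC keys alike;
# a wrong private_key_password shows up here as a failed key decrypt.
key_matches_cert() {   # key_matches_cert CERT KEY [PASSPHRASE]
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${3:-}" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Does the server cert chain to the CA file that CA_file names?
chains_to_ca() {       # chains_to_ca CERT CA_FILE
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Is the cert inside its validity period right now?
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# ---- constructed test material (throwaway keys; never reuse them) ---------
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS='example-passphrase'
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test CA' \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj '/CN=radius.example.org' \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
# signed with no EKU at all, like a "delivered" cert that only has a CN
openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/srv-noeku.pem" 2>/dev/null
# the same CSR signed with serverAuth in the EKU: what the supplicant wants
printf 'extendedKeyUsage = serverAuth\n' > "$WORK/eku.cnf"
openssl x509 -req -days 2 -in "$WORK/srv.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/eku.cnf" \
    -out "$WORK/srv-eku.pem" 2>/dev/null
# passphrase-protected copy of the key, the form private_key_password expects
openssl pkey -in "$WORK/srv.key" -aes-256-cbc -passout "pass:$PASS" \
    -out "$WORK/srv-enc.key" 2>/dev/null
# an unrelated key, to show the mismatch check firing
openssl genpkey -algorithm RSA -out "$WORK/other.key" 2>/dev/null

show() {               # show CHECK CERT [KEY] [PASSPHRASE]; passphrase is never printed
    k=${3:-}
    if "$@"; then echo "yes  $1 ${2##*/} ${k##*/}"; else echo "NO   $1 ${2##*/} ${k##*/}"; fi
}
show has_server_auth_eku "$WORK/srv-eku.pem"
show has_server_auth_eku "$WORK/srv-noeku.pem"                            # expect NO
show key_matches_cert "$WORK/srv-eku.pem" "$WORK/srv-enc.key" "$PASS"
show key_matches_cert "$WORK/srv-eku.pem" "$WORK/srv-enc.key" "wrong-pass" # expect NO
show key_matches_cert "$WORK/srv-eku.pem" "$WORK/other.key"               # expect NO
show chains_to_ca "$WORK/srv-eku.pem" "$WORK/ca.pem"
show not_expired "$WORK/srv-eku.pem"
```

Against a real server, point the four functions at the paths from the tls { } block of the -X output (cert-srv.pem, cacert.pem and the password there); a cert that passes all four but still gets no ClientHello from Windows is usually a trust-store or supplicant-profile problem on the client, which is James's point (2).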
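The -X log above prints each EAP-Message as raw hex, and reading those two values tells you how far the exchange got. The decoder below is an added example, not code from this thread or from FreeRADIUS; it parses the RFC 3748 header (code, identifier, length, type) and, for the TLS-based methods, the flags byte, in plain POSIX sh so it can be pasted onto a server with nothing but a shell. Run on the log's own values it shows the supplicant's Identity response ("jodunni1") and the server's answer, a PEAP (type 25) Start request, which matches default_eap_type = "peap" in the config. No packet carrying that State follows in the log, so the conversation stops before the supplicant sends a ClientHello, i.e. before it has been shown the server certificate at all; that is worth knowing when deciding whether the certificate is even in play yet.

```shell
#!/bin/sh
# Added example; not code from this thread or from FreeRADIUS. Decodes the
# EAP-Message values exactly as radiusd -X prints them (0x... hex). Header
# per RFC 3748: code, identifier, length, type. EAP-TLS (13), EAP-TTLS (21)
# and PEAP (25) add a flags byte: L=0x80 length included, M=0x40 more
# fragments, S=0x20 start; the low bits carry the PEAP version.
set -u

hex_field() { printf '%s' "$1" | cut -c"$2"; }   # hex_field HEX CHAR-RANGE

eap_type_name() {
    case $1 in
        1) echo Identity ;;      2) echo Notification ;;  3) echo Nak ;;
        4) echo MD5-Challenge ;; 13) echo EAP-TLS ;;      21) echo EAP-TTLS ;;
        25) echo PEAP ;;         26) echo EAP-MSCHAPv2 ;; *) echo "type-$1" ;;
    esac
}

# Render a hex string as ASCII, replacing non-printable bytes with '.'
hex_to_ascii() {
    rest=$1; out=''
    while [ -n "$rest" ]; do
        b=$((0x$(hex_field "$rest" 1-2))); rest=$(hex_field "$rest" 3-)
        if [ "$b" -ge 32 ] && [ "$b" -lt 127 ]; then
            out=$out$(printf "\\$(printf '%03o' "$b")")   # POSIX printf octal escape
        else
            out=$out.
        fi
    done
    printf '%s' "$out"
}

# decode_eap 0xHEX -> "Code id=N len=N type=N(name) [flags] [identity=...]"
# Returns 1 when the length field disagrees with the bytes actually present
# (a truncated or concatenated attribute).
decode_eap() {
    h=${1#0x}
    code=$((0x$(hex_field "$h" 1-2)))
    id=$((0x$(hex_field "$h" 3-4)))
    len=$((0x$(hex_field "$h" 5-8)))
    case $code in
        1) cname=Request ;; 2) cname=Response ;; 3) cname=Success ;;
        4) cname=Failure ;; *) cname="code-$code" ;;
    esac
    if [ "$len" -ne $(( ${#h} / 2 )) ]; then
        echo "$cname id=$id: length field $len but $(( ${#h} / 2 )) bytes present"
        return 1
    fi
    if [ "$code" -gt 2 ]; then echo "$cname id=$id len=$len"; return 0; fi
    type=$((0x$(hex_field "$h" 9-10)))
    out="$cname id=$id len=$len type=$type($(eap_type_name "$type"))"
    case $type in
        13|21|25)
            if [ ${#h} -ge 12 ]; then
                flags=$((0x$(hex_field "$h" 11-12)))
                if [ $((flags & 128)) -ne 0 ]; then out="$out L"; fi
                if [ $((flags & 64)) -ne 0 ]; then out="$out M"; fi
                if [ $((flags & 32)) -ne 0 ]; then out="$out Start"; fi
                if [ "$type" -eq 25 ]; then out="$out v$((flags & 7))"; fi
            fi ;;
        1)  out="$out identity=\"$(hex_to_ascii "$(hex_field "$h" 11-)")\"" ;;
    esac
    echo "$out"
}

# The two values from the log above: the supplicant's Identity response and
# the PEAP Start the server answers it with.
decode_eap 0x0202000d016a6f64756e6e6931
decode_eap 0x010300061920
```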
"foobarness"<BR> shortname = "WsC_Test"<BR> }<BR>radiusd: #### \
Instantiating modules ####<BR> instantiate {<BR> Module: Linked to module \
rlm_exec<BR> Module: Instantiating module "exec" from file \
/etc/freeradius/modules/exec<BR> exec {<BR> wait = no<BR> input_pairs \
= "request"<BR> shell_escape = yes<BR> }<BR> Module: Linked to module \
rlm_expr<BR> Module: Instantiating module "expr" from file \
/etc/freeradius/modules/expr<BR> Module: Linked to module \
rlm_expiration<BR> Module: Instantiating module "expiration" from file \
/etc/freeradius/modules/expiration<BR> expiration {<BR> reply-message = \
"Password Has Expired "<BR> }<BR> Module: Linked to module \
rlm_logintime<BR> Module: Instantiating module "logintime" from file \
/etc/freeradius/modules/logintime<BR> logintime {<BR> reply-message = "You \
are calling outside your allowed timespan "<BR> minimum-timeout = \
60<BR> }<BR> }<BR>radiusd: #### Loading Virtual Servers ####<BR>server \
inner-tunnel { # from file \
/etc/freeradius/sites-enabled/inner-tunnel<BR> modules {<BR> Module: \
Checking authenticate {...} for more modules to load<BR> Module: Linked to \
module rlm_pap<BR> Module: Instantiating module "pap" from file \
/etc/freeradius/modules/pap<BR> pap {<BR> encryption_scheme = \
"auto"<BR> auto_header = no<BR> }<BR> Module: Linked to module \
rlm_chap<BR> Module: Instantiating module "chap" from file \
/etc/freeradius/modules/chap<BR> Module: Linked to module \
rlm_mschap<BR> Module: Instantiating module "mschap" from file \
/etc/freeradius/modules/mschap<BR> mschap {<BR> use_mppe = \
yes<BR> require_encryption = no<BR> require_strong = \
no<BR> with_ntdomain_hack = yes<BR> ntlm_auth = "/usr/bin/ntlm_auth \
--request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} \
--challenge=%{mschap:Challenge:-00} \
--nt-response=%{mschap:NT-Response:-00}"<BR> }<BR> Module: Linked to \
module rlm_unix<BR> Module: Instantiating module "unix" from file \
/etc/freeradius/modules/unix<BR> unix {<BR> radwtmp = \
"/var/log/freeradius/radwtmp"<BR> }<BR> Module: Linked to module \
rlm_eap<BR> Module: Instantiating module "eap" from file \
/etc/freeradius/eap.conf<BR> eap {<BR> default_eap_type = \
"peap"<BR> timer_expire = 60<BR> ignore_unknown_eap_types = \
no<BR> cisco_accounting_username_bug = no<BR> max_sessions = 4096<BR> \
}<BR> Module: Linked to sub-module rlm_eap_md5<BR> Module: Instantiating \
eap-md5<BR> Module: Linked to sub-module rlm_eap_leap<BR> Module: \
Instantiating eap-leap<BR> Module: Linked to sub-module \
rlm_eap_gtc<BR> Module: Instantiating eap-gtc<BR> gtc \
{<BR> challenge = "Password: "<BR> auth_type = "PAP"<BR> \
}<BR> Module: Linked to sub-module rlm_eap_tls<BR> Module: Instantiating \
eap-tls<BR> tls {<BR> rsa_key_exchange = no<BR> dh_key_exchange \
= yes<BR> rsa_key_length = 512<BR> dh_key_length = \
512<BR> verify_depth = 0<BR> CA_path = \
"/etc/freeradius/certs"<BR> pem_file_type = yes<BR> private_key_file = \
"/etc/freeradius/certs/cert-srv.pem"<BR> certificate_file = \
"/etc/freeradius/certs/cert-srv.pem"<BR> CA_file = \
"/etc/freeradius/certs/cacert.pem"<BR> private_key_password = \
"pepsione"<BR> dh_file = "/etc/freeradius/certs/dh"<BR> random_file = \
"/dev/urandom"<BR> fragment_size = 1024<BR> include_length = \
yes<BR> check_crl = no<BR> cipher_list = \
"DEFAULT"<BR> make_cert_command = \
"/etc/freeradius/certs/bootstrap"<BR> cache {<BR> enable = \
no<BR> lifetime = 24<BR> max_entries = 255<BR> \
}<BR> verify {<BR> }<BR> \
}<BR> Module: Linked to sub-module rlm_eap_ttls<BR> Module: Instantiating \
eap-ttls<BR> ttls {<BR> default_eap_type = \
"md5"<BR> copy_request_to_tunnel = no<BR> use_tunneled_reply = \
no<BR> virtual_server = "inner-tunnel"<BR> include_length = \
yes<BR> }<BR> Module: Linked to sub-module \
rlm_eap_peap<BR> Module: Instantiating eap-peap<BR> peap \
{<BR> default_eap_type = "mschapv2"<BR> copy_request_to_tunnel = \
no<BR> use_tunneled_reply = no<BR> proxy_tunneled_request_as_eap = \
yes<BR> virtual_server = "inner-tunnel"<BR> }<BR> Module: \
Linked to sub-module rlm_eap_mschapv2<BR> Module: Instantiating \
eap-mschapv2<BR> mschapv2 {<BR> with_ntdomain_hack = \
no<BR> }<BR> Module: Instantiating module "ntlm_auth" from file \
/etc/freeradius/modules/ntlm_auth<BR> exec ntlm_auth {<BR> wait = \
yes<BR> program = "/usr/bin/ntlm_auth --request-nt-key --domain=AD \
--username=%{mschap:User-Name} --password=%{User-Password}"<BR> input_pairs = \
"request"<BR> shell_escape = yes<BR> }<BR> Module: Checking authorize \
{...} for more modules to load<BR> Module: Linked to module \
rlm_realm<BR> Module: Instantiating module "suffix" from file \
/etc/freeradius/modules/realm<BR> realm suffix {<BR> format = \
"suffix"<BR> delimiter = "@"<BR> ignore_default = no<BR> ignore_null = \
no<BR> }<BR> Module: Linked to module rlm_files<BR> Module: \
Instantiating module "files" from file /etc/freeradius/modules/files<BR> files \
{<BR> usersfile = "/etc/freeradius/users"<BR> acctusersfile = \
"/etc/freeradius/acct_users"<BR> preproxy_usersfile = \
"/etc/freeradius/preproxy_users"<BR> compat = "no"<BR> }<BR> Module: \
Checking session {...} for more modules to load<BR> Module: Linked to module \
rlm_radutmp<BR> Module: Instantiating module "radutmp" from file \
/etc/freeradius/modules/radutmp<BR> radutmp {<BR> filename = \
"/var/log/freeradius/radutmp"<BR> username = \
"%{User-Name}"<BR> case_sensitive = yes<BR> check_with_nas = \
yes<BR> perm = 384<BR> callerid = yes<BR> }<BR> Module: Checking \
post-proxy {...} for more modules to load<BR> Module: Checking post-auth {...} \
for more modules to load<BR> Module: Linked to module \
rlm_attr_filter<BR> Module: Instantiating module "attr_filter.access_reject" \
from file /etc/freeradius/modules/attr_filter<BR> attr_filter \
attr_filter.access_reject {<BR> attrsfile = \
"/etc/freeradius/attrs.access_reject"<BR> key = "%{User-Name}"<BR> \
}<BR> } # modules<BR>} # server<BR>server { # from file \
/etc/freeradius/radiusd.conf<BR> modules {<BR> Module: Checking \
authenticate {...} for more modules to load<BR> Module: Linked to module \
rlm_digest<BR> Module: Instantiating module "digest" from file \
/etc/freeradius/modules/digest<BR> Module: Checking authorize {...} for more \
modules to load<BR> Module: Linked to module rlm_preprocess<BR> Module: \
Instantiating module "preprocess" from file \
/etc/freeradius/modules/preprocess<BR> preprocess {<BR> huntgroups = \
"/etc/freeradius/huntgroups"<BR> hints = \
"/etc/freeradius/hints"<BR> with_ascend_hack = \
no<BR> ascend_channels_per_line = 23<BR> with_ntdomain_hack = \
no<BR> with_specialix_jetstream_hack = no<BR> with_cisco_vsa_hack = \
no<BR> with_alvarion_vsa_hack = no<BR> }<BR> Module: Checking preacct \
{...} for more modules to load<BR> Module: Linked to module \
rlm_acct_unique<BR> Module: Instantiating module "acct_unique" from file \
/etc/freeradius/modules/acct_unique<BR> acct_unique {<BR> key = \
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
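The `radiusd -X` startup dump quoted in this post prints the effective `tls {}` block of eap.conf together with, in clear text, every client shared secret and the private-key passphrase. As an added example (not code from the original post or from the FreeRADIUS project), the Python script below parses such a dump, pulls out the `tls {}` section with its nested `cache {}` and `verify {}` blocks, lists the settings a reviewer would question (ephemeral DH/RSA key lengths of 512 bits, `check_crl = no`, a passphrase in the output) and reports the line numbers that should be redacted before a dump is posted to a list. The sample dump is constructed to match the shape of the log above; the passphrase value is a placeholder.

```python
"""Parse the tls { ... } section of a FreeRADIUS `radiusd -X` startup dump
and summarise what a reviewer would look at.

Added example, not from the original post or the FreeRADIUS project.  The
sample dump is constructed to match the shape of the posted log; the
passphrase value is a placeholder, not a real secret.
"""
import re

# Constructed sample, trimmed to the lines the parser cares about.
SAMPLE_DUMP = """\
 Module: Instantiating eap-tls
   tls {
    rsa_key_exchange = no
    dh_key_exchange = yes
    rsa_key_length = 512
    dh_key_length = 512
    verify_depth = 0
    CA_path = "/etc/freeradius/certs"
    pem_file_type = yes
    private_key_file = "/etc/freeradius/certs/cert-srv.pem"
    certificate_file = "/etc/freeradius/certs/cert-srv.pem"
    CA_file = "/etc/freeradius/certs/cacert.pem"
    private_key_password = "PLACEHOLDER-PASSPHRASE"
    dh_file = "/etc/freeradius/certs/dh"
    check_crl = no
    cipher_list = "DEFAULT"
    cache {
    enable = no
    }
    verify {
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 client localhost {
    secret = "testing123"
 }
"""

# `name = value` as radiusd prints it; the value may be quoted or bare.
_KV = re.compile(r'^\s*([A-Za-z_][\w-]*)\s*=\s*(.*?)\s*$')


def _coerce(raw):
    """Strip quotes, map yes/no to bool, and turn plain digits into int."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("yes", "no"):
        return raw == "yes"
    if raw.isdigit():
        return int(raw)
    return raw


def parse_section(dump, name):
    """Return {key: value} for the first `name { ... }` block in the dump,
    with nested blocks as sub-dicts.  Brace depth is tracked so that
    `cache {` / `verify {` inside tls do not end the section early.
    Returns None when no such block exists."""
    stack = []
    for line in dump.splitlines():
        s = line.strip()
        if not stack:
            if s == f"{name} {{":
                stack.append({})
            continue
        if s.endswith("{"):
            child = {}
            stack[-1][s[:-1].strip()] = child
            stack.append(child)
        elif s == "}":
            done = stack.pop()
            if not stack:
                return done
        else:
            m = _KV.match(line)
            if m:
                stack[-1][m.group(1)] = _coerce(m.group(2))
    return None


def review_tls(tls):
    """Findings a reviewer would raise on a parsed tls {} block."""
    findings = []
    for f in ("certificate_file", "private_key_file", "CA_file"):
        if not tls.get(f):
            findings.append(f"{f} not set")
    for flag, length in (("rsa_key_exchange", "rsa_key_length"),
                         ("dh_key_exchange", "dh_key_length")):
        if tls.get(flag) and tls.get(length, 0) < 2048:
            findings.append(f"{length}={tls.get(length)} with {flag}=yes; "
                            "ephemeral keys this short are weak")
    if tls.get("check_crl") is False:
        findings.append("check_crl=no: revoked client certificates are not rejected")
    if tls.get("private_key_password"):
        findings.append("private_key_password is printed by -X; redact before sharing")
    return findings


SECRET_KEYS = ("secret", "private_key_password")


def exposed_secrets(dump):
    """(line number, key) for every clear-text secret the dump prints."""
    hits = []
    for n, line in enumerate(dump.splitlines(), 1):
        m = _KV.match(line)
        if m and m.group(1) in SECRET_KEYS:
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    tls = parse_section(SAMPLE_DUMP, "tls")
    for finding in review_tls(tls):
        print("finding:", finding)
    for n, key in exposed_secrets(SAMPLE_DUMP):
        print(f"redact line {n}: {key}")
```

To run it over a real dump, pipe `radiusd -X` to a file and pass the file's contents in place of `SAMPLE_DUMP`; the parser only relies on the `name {`, `}` and `key = value` line shapes that the debug output uses.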