Help in Working EAP-TTLS (TLS and MD5 working fine)
FreeRADIUS Users forum, Networking and Network Related category
Hi

I have successfully used FreeRADIUS 1.0.1 to authenticate my clients using EAP-MD5 and EAP-TLS, but I am not able to get EAP-TTLS working. I have the same username/password (users file) used in EAP-TTLS phase 2 as that used in EAP-MD5, which is successful, and I also have the same server cert being used for EAP-TTLS as that used in EAP-TLS, which is successful. Just making EAP-TTLS work is causing problems, although these credentials already work for EAP-TLS and EAP-MD5 ...

Following is the log I have attached for a single EAP-TTLS authentication session initiated by xsupplicant. Can anyone suggest to me how to make it work ...

regards
arun

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc//raddb/clients.conf
Config: including file: /usr/local/etc//raddb/snmp.conf
Config: including file: /usr/local/etc//raddb/eap.conf
Config: including file: /usr/local/etc//raddb/sql.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "ttls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/home/vpn/certs/ca_radius.pem"
tls: certificate_file = "/home/vpn/certs/ca_radius.pem"
tls: CA_file = "/home/vpn/certs/root.pem"
tls: private_key_password = "test"
tls: dh_file = "/etc/1x/dh"
tls: random_file = "/etc/1x/random"
tls: fragment_size = 1398
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc//raddb/huntgroups"
preprocess: hints = "/usr/local/etc//raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (auth_log)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc//raddb/users"
files: acctusersfile = "/usr/local/etc//raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc//raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=60, length=75
	User-Name = "futsoft"
	EAP-Message = 0x0201000c01667574736f6674
	Message-Authenticator = 0xdba241a0bf22259046efb275150c0713
	NAS-Identifier = "fsNas1"
	NAS-Port = 2
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518
modcall[authorize]: module "auth_log" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
rlm_realm: No '@' in User-Name = "futsoft", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 12
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched futsoft at 62
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 60 to 192.168.0.1:1812
	Reply-Message = " Futsoft request recieved"
	EAP-Message = 0x010200061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=61, length=179
	User-Name = "futsoft"
	EAP-Message = 0x0202006215800000005816030100530100004f0301428c836c2bf40f432995fd2ba0fb61677ee422214d37697336bf93deb790d1e300002800160013000a006600050004006500640063006200610060001500120009001400110008000600030100
	Message-Authenticator = 0x74c9649dcda6f1462af801217399a8da
	NAS-Identifier = "fsNas1"
	NAS-Port = 2
	State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518
modcall[authorize]: module "auth_log" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
rlm_realm: No '@' in User-Name = "futsoft", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 2 length 98
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched futsoft at 62
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 061f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 61 to 192.168.0.1:1812
	Reply-Message = " Futsoft request recieved"
	EAP-Message = 0x0103058015c00000067c160301004a020000460301428a4ae64524e781e05e6039cd6bfccac7f91212cef8b8c7006d1b7e363eccfd20bc97ca26f06e3cfc76f7eb973285b90e9d9854cbf779ed8940a5fdd3c4a5e828000a00160301061f0b00061b0006180002a33082029f30820208a003020102020102300d06092a864886f70d0101040500308186310b300906035504061302494e310b300906035504081302544e3110300e060355040713074368656e6e61693110300e060355040a1307667574736f66743110300e060355040b1307667574736f66743110300e0603550403140763615f726f6f743122302006092a864886f70d0109011613
	EAP-Message = 0x63615f726f6f7440667574736f66742e636f6d301e170d3034313230363036313235395a170d3035313230363036313235395a30818a310b300906035504061302494e310b300906035504081302544e3110300e060355040713074368656e6e61693110300e060355040a1307667574736f66743110300e060355040b1307667574736f667431123010060355040314096361f5f7261646975733124302206092a864886f70d010901161563615f72616469757340667574736f66742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b7a257a1fdaf51b78860d3c1720e5cdbc596c0281c97c4d797b37123a4224bfc
	EAP-Message = 0x263121b9cf882d46300f0bf17e154179ed200bd104c382c73c1e6ab5014a3f7aca696e5767df84fd271d0e567916081974b7a0338e048d17554883b16550f7dd43ab8ebef684bbee5bc47cbe074564db20ed0d551a73ea5682cd51a676c7f4030203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181008d0f088c348e2055c68641b4d33e6555281fc806c2baacb17843ef87895aadb834e828d875d2883669a13b7dddcdb53d1bd0481fffd2749b5c27c3719bd63ed6fe066902438fac5e1dccc7f95601d085fa1d2243b02ab01e14c55c434d749f46d64cabddca2dcc14f2af3390
	EAP-Message = 0xd6c1ab1f320a51a470f63692725fabf035ff01ab00036f3082036b308202d4a003020102020100300d06092a864886f70d0101040500308186310b300906035504061302494e310b300906035504081302544e3110300e060355040713074368656e6e61693110300e060355040a1307667574736f66743110300e060355040b1307667574736f66743110300e0603550403140763615f726f6f743122302006092a864886f70d010901161363615f726f6f7440667574736f66742e636f6d301e170d3034313230363036303033385a170d3035313230373036303033385a308186310b300906035504061302494e310b300906035504081302544e31
	EAP-Message = 0x10300e060355040713074368656e6e61693110300e060355040a1307667574736f66743110300e060355040b1307667574736f66743110300e0603550403140763615f726f6f743122302006092a864886f70d010901161363615f726f6f7440667574736f66742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100a27e2c6d15dd85d6f5925c1520bff37013df553baec13973d60a56cafa2ab9774d89f6b5949970c9557f9e6f66bac4ba52a68e90275aa09d501b788762a5517b601ec6a500f6320bffb555f154020d58ad3f35ae35af13ce598eb018c9e57e6a826171b7f64f669155ba0355dc0dc0671ef51fad63
	EAP-Message = 0x66541f01fbae6c558e119d0203010001a381e63081e3301d0603551d0e04160414cb9cc50d3407e63693439af032fae10fc997eb453081b30603551d230481ab3081a88014cb9cc50d3407e63693439af032fae10fc997eb45a1818ca48189308186310b300906035504061302494e310b300906035504081302544e3110300e060355040713074368656e6e616931
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4e21012d8278263aa6d41f58ddeb3e51
Finished request 1
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 60 with timestamp 428a4ae6
Cleaning up request 1 ID 61 with timestamp 428a4ae6
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=61, length=179
	User-Name = "futsoft"
	EAP-Message = 0x0202006215800000005816030100530100004f0301428c836c2bf40f432995fd2ba0fb61677ee422214d37697336bf93deb790d1e300002800160013000a006600050004006500640063006200610060001500120009001400110008000600030100
	Message-Authenticator = 0x74c9649dcda6f1462af801217399a8da
	NAS-Identifier = "fsNas1"
	NAS-Port = 2
	State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
radius_xlat: '/usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518'
rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.0.1/auth-detail-20050518
modcall[authorize]: module "auth_log" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
rlm_realm: No '@' in User-Name = "futsoft", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 2 length 98
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched futsoft at 62
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler
modcall[authenticate]: module "eap" returns invalid for request 2
modcall: group authenticate returns invalid for request 2
auth: Failed to validate the user.
Login incorrect: [futsoft] (from client FutureNAS port 2)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 61 to 192.168.0.1:1812
	Reply-Message = " Futsoft request recieved"
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 61 with timestamp 428a4af0
Nothing to do. Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
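In the log above, the third Access-Request (id 61, arriving after requests 0 and 1 have been cleaned up) carries the same EAP-Message, Message-Authenticator and State as request 1, so it echoes a State the server has already consumed; that is the situation in which rlm_eap reports "Request not found in the list". The following Python is an added example, not part of the original post or of FreeRADIUS: it parses a FreeRADIUS 1.x debug log of this shape, decodes the EAP header in each EAP-Message (code, identifier, length, type, and the L/M/S flags of TLS-based types) and labels each request's State as fresh, valid, stale or unknown. The embedded excerpt is constructed from the log above with the EAP-Message values cut to their first bytes.

```python
import re
# Added example (not from the post): decode EAP headers and flag stale-State retransmissions.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
# Constructed excerpt of the post's log; EAP-Message values cut to their first bytes.
LOG = """\
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=60, length=75
    EAP-Message = 0x0201000c01667574736f6674
Sending Access-Challenge of id 60 to 192.168.0.1:1812
    EAP-Message = 0x010200061520
    State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=61, length=179
    EAP-Message = 0x02020062158000000058160301
    State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
Sending Access-Challenge of id 61 to 192.168.0.1:1812
    EAP-Message = 0x0103058015c00000067c160301
    State = 0x4e21012d8278263aa6d41f58ddeb3e51
rad_recv: Access-Request packet from host 192.168.0.1:1812, id=61, length=179
    EAP-Message = 0x02020062158000000058160301
    State = 0xc2b72c7219277248b0cdbf99bbe3b9fb
"""
RECV = re.compile(r"rad_recv: Access-Request .*\bid=(\d+)")
SEND = re.compile(r"Sending Access-Challenge of id (\d+)")
ATTR = re.compile(r"^\s*(EAP-Message|State) = (0x[0-9a-fA-F]+)")

def decode_eap(hexstr):
    """EAP header: code, id, length, type; plus L/M/S flags for TLS-based types."""
    b = bytes.fromhex(hexstr[2:])
    info = {"code": EAP_CODES.get(b[0], b[0]), "id": b[1], "length": int.from_bytes(b[2:4], "big")}
    info["type"] = EAP_TYPES.get(b[4], b[4]) if len(b) > 4 else None
    if len(b) > 5 and b[4] in (13, 21, 25):  # L = length included, M = more fragments, S = start
        info["flags"] = "".join(n for n, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if b[5] & bit)
    return info

def analyze(log):
    """One record per Access-Request with its decoded EAP header and a State verdict."""
    issued, consumed, records, cur, in_reply = set(), set(), [], None, False
    for line in log.splitlines():
        if m := RECV.search(line):
            cur, in_reply = {"id": int(m.group(1))}, False
            records.append(cur)
        elif SEND.search(line):
            in_reply = True                 # attributes that follow belong to our reply
        elif (m := ATTR.match(line)) and cur is not None:
            name, value = m.groups()
            if in_reply and name == "State":
                issued.add(value)           # State the server handed to the NAS
            elif not in_reply:
                cur[name] = value
    for r in records:
        r["eap"] = decode_eap(r["EAP-Message"]) if "EAP-Message" in r else None
        s = r.get("State")
        r["verdict"] = ("fresh" if s is None else "unknown" if s not in issued
                        else "stale" if s in consumed else "valid")
        consumed.add(s)                     # a stale echo means a retransmitted or replayed request
    return records
```

Run against a full debug log, a "stale" verdict on a request whose id and Message-Authenticator match an earlier one points at the NAS retransmitting rather than at the credentials or certificate.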