Gentoo Forums
[freeradius] EAP-TLS problem with XP WLAN client
SilentWarrior (n00b; Joined: 16 Dec 2005; Posts: 32)

Posted: Mon Jun 14, 2010 7:42 am    Post subject: [freeradius] EAP-TLS problem with XP WLAN client

Hi,

For some time now I have been trying to get my RADIUS server (freeradius 2.0.5) to talk to my WLAN client (WinXP with Intel PROSet) via EAP-TLS. Unfortunately the whole thing always fails at the client certificate (exchange), at least that is how I read the log. Beforehand I already tested with PEAP and authenticated the WLAN client via username/password, which works fine. From that I conclude that the CA and server certificate are OK. With TLS the client certificate now comes into play.
During the certificate exchange I get, among other things, the message:

rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode

Apparently the client certificate did not arrive completely at the RADIUS server, probably due to fragmentation or something similar. The system also does not seem to be able to deliver the remaining part afterwards, which is probably why the final authentication fails.
I have already tried googling and experimenting, but I cannot get to the bottom of the problem.

Does any of you have an idea where exactly to look?

About the system:
freeradius 2.0.5 running on Gentoo
LANCOM AP (WPA2 Enterprise)
WLAN client with Intel PROSet WLAN software (under XP Pro)
For the test I am using the test certificates that I created under raddb/certs with make and make client (cnf files unchanged)


Thanks for your help!


The complete freeradius log:
Code:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=48, length=182
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0201000d017465737475736572
   Message-Authenticator = 0xf61dad5c5e230e78fab4a5d6e31712be
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 48 to 192.168.4.200 port 3072
   EAP-Message = 0x010200160410f7df58ad60bce4803d853dd05b2cce3a
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a97c0da38d66ab46a092483d5
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=68, length=193
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a97c0da38d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x02020006030d
   Message-Authenticator = 0x5cf298ca2db568a537613cffd154e3c4
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 68 to 192.168.4.200 port 3072
   EAP-Message = 0x010300060d20
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a96c1d338d66ab46a092483d5
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=41, length=295
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a96c1d338d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0203006c0d0016030100610100005d03014c1146ee834980748179aab2a5810f38430a78cabe811d28b1d5bd55f3ade7a000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
   Message-Authenticator = 0x521099c1f76af4dcee95d49dd3a74a85
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello 
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello 
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate 
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange 
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest 
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode 
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 41 to 192.168.4.200 port 3072
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 0x83367206357b3b063f1f5971
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a95c6d338d66ab46a092483d5
Finished request 2.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=109, length=193
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a95c6d338d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020400060d00
   Message-Authenticator = 0x42651247b7a8defe6968c78b551bafb0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 109 to 192.168.4.200 port 3072
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 0xcd7a9842d6f9380a096fe2fc8410a802829225f703fc9e5ea39b52bb0c87b3239643f4545804173afb3a9fdcd5c43f3a05211f32c6073951a606589464b05276a330a63bfded3e355a2768b22211ae9d4675d9303a8adf6fe9a111f383fdbb01d59bfa18e1900b760bd33a5336a4fd025fe0289f71d72f0693342b13d6d3889519eeaee5164c133e435f4f001b2060ecf01187a70f55ec2a1798b0d2eea4f96d2eef58bf2f1323354c2d3f4c52b61a44a96391411d0203010001a381fb3081f8301d0603551d0e041604143d766fb4865b3a4d218f1074239c4db0df184e1c3081c80603551d230481c03081bd80143d766fb4865b3a4d218f1074239c
   EAP-Message = 0x4db0df184e1ca18199a48196308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e4b7b675e9a5b5e6300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100301ebcbd8940dec66c645a6fc665854e5d45ac6443287969276764c7f36f3fce1a7a8c007ec6dcd81d65784d8b81
   EAP-Message = 0x2fe3a7ef9a23f787befa7bae
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a94c7d338d66ab46a092483d5
Finished request 3.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=133, length=193
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a94c7d338d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020500060d00
   Message-Authenticator = 0xdfc4c29217187c3f9cd47048533fd167
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 133 to 192.168.4.200 port 3072
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 0xe2f84144b16b2d33cfc65e380e71e6f71f959e8d2364742abd3e25a3ed37c46c0b84a7bfb1517bd2dc6cbdb88569692803923381dcd58bd8147363ae4d883f2c37a2cf8be66c41e71a361d53066dc3d1381a4774a3503cd885e47347cb879e94e5983bf88d3b769055bbbb0e764d03a0be0803c0b4f0709076de6aee266a2de5c24807bf9682b98c9c1fcedb4a155a7d115223817287323297737dab72d15050eb4d8ffa06b9d0178dc4eb6858d4119d9df6dce3666ad86da8fb0fe5c45f5df7ea65d451a873192cbe05fb20b14435539efbf2455ee7c41f52ac85e7333ded280a08a3b9a2cfe6ba16030100a80d0000a0050304010240009800963081
   EAP-Message = 0x93310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a93c4d338d66ab46a092483d5
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 0 ID 48 with timestamp +53
Cleaning up request 1 ID 68 with timestamp +53
Waking up in 0.3 seconds.
Cleaning up request 2 ID 41 with timestamp +53
Cleaning up request 3 ID 109 with timestamp +53
Cleaning up request 4 ID 133 with timestamp +53
Ready to process requests.
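The fragmentation and ACK behaviour the post speculates about is the EAP-TLS framing from RFC 5216: a flags byte (L = length included, M = more fragments, S = EAP-TLS Start), an optional 4-byte total TLS length on the first fragment, then the fragment data; a server flight larger than the fragment size is sent as several EAP-TLS Requests, each acknowledged by an empty EAP-TLS Response, which is also why one Access-Challenge in the log carries several EAP-Message attributes. The Python below is an added example, not code from the post or from freeradius: it parses the EAP-Message values quoted in the log above (Identity, NAK, EAP-TLS Start, the unfragmented ClientHello, the ACK), decodes the ClientHello headers so they can be checked against the `ClientHello [length 0061]` line, and simulates a server fragmenting a larger flight while the peer reassembles and ACKs it. The server flight in the simulation is a constructed byte string, and the fragment size (1000) is an assumed parameter, not freeradius's default.

```python
"""EAP-TLS (RFC 5216) framing: parse EAP packets, split a TLS flight into
fragments, reassemble them on the peer, and decode a ClientHello header."""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_NAK, EAP_TYPE_TLS = 1, 3, 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included / More fragments / Start

# EAP-Message values copied from the freeradius debug log posted above.
LOG_SAMPLES = {
    "identity": bytes.fromhex("0201000d017465737475736572"),  # Response/Identity "testuser"
    "nak": bytes.fromhex("02020006030d"),                     # NAK asking for type 13 (TLS)
    "start": bytes.fromhex("010300060d20"),                   # Request, EAP-TLS Start (S flag)
    "client_hello": bytes.fromhex(
        "0203006c0d0016030100610100005d03014c1146ee834980748179aab2a5810f38430a78cabe"
        "811d28b1d5bd55f3ade7a000003600390038003500160013000a00330032002f000700660005"
        "0004006300620061001500120009006500640060001400110008000600030100"),
    "ack": bytes.fromhex("020400060d00"),                     # EAP-TLS ACK: flags 0, no data
}


@dataclass
class EapPacket:
    code: int
    ident: int
    eap_type: int
    flags: int = 0                     # only meaningful for EAP-TLS
    tls_length: Optional[int] = None   # announced total length when L is set
    data: bytes = b""

    @property
    def is_start(self) -> bool:
        return self.eap_type == EAP_TYPE_TLS and bool(self.flags & FLAG_S)

    @property
    def more(self) -> bool:
        return bool(self.flags & FLAG_M)

    @property
    def is_ack(self) -> bool:
        # RFC 5216 section 2.1.5: EAP-TLS packet with no data and all flags clear
        return self.eap_type == EAP_TYPE_TLS and self.flags == 0 and not self.data


def parse_eap(raw: bytes) -> EapPacket:
    """Decode one EAP packet; for type 13 also split off the EAP-TLS flags/length."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 5:
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    eap_type, body = raw[4], raw[5:]
    if eap_type != EAP_TYPE_TLS:
        return EapPacket(code, ident, eap_type, data=body)
    if not body:
        raise ValueError("EAP-TLS packet without flags byte")
    flags, off, tls_length = body[0], 1, None
    if flags & FLAG_L:
        tls_length, off = struct.unpack("!I", body[1:5])[0], 5
    return EapPacket(code, ident, eap_type, flags, tls_length, body[off:])


def build_eap_tls(code: int, ident: int, flags: int, data: bytes = b"",
                  tls_length: Optional[int] = None) -> bytes:
    body = bytes([flags]) + (struct.pack("!I", tls_length) if flags & FLAG_L else b"") + data
    return struct.pack("!BBHB", code, ident, 5 + len(body), EAP_TYPE_TLS) + body


def fragment_flight(tls_flight: bytes, max_frag: int, first_ident: int) -> List[bytes]:
    """Split one TLS flight into EAP-TLS Requests as a server does: first fragment
    carries L plus the total length, every fragment but the last carries M."""
    chunks = [tls_flight[i:i + max_frag] for i in range(0, len(tls_flight), max_frag)] or [b""]
    pkts = []
    for i, chunk in enumerate(chunks):
        last = i == len(chunks) - 1
        flags = (0 if last else FLAG_M) | (FLAG_L if i == 0 and not last else 0)
        pkts.append(build_eap_tls(EAP_REQUEST, (first_ident + i) & 0xFF, flags, chunk,
                                  len(tls_flight) if flags & FLAG_L else None))
    return pkts


class Reassembler:
    """Peer-side buffer: collects fragments until one arrives with M clear."""
    def __init__(self) -> None:
        self.buf, self.expected = bytearray(), None

    @property
    def outstanding(self) -> Optional[int]:
        """Bytes still missing against the announced length (None if none announced)."""
        return None if self.expected is None else self.expected - len(self.buf)

    def feed(self, pkt: EapPacket) -> Optional[bytes]:
        """Return the whole TLS flight on the final fragment, else None (caller must ACK)."""
        if pkt.tls_length is not None:
            if self.buf:
                raise ValueError("L flag set on a non-first fragment")
            self.expected = pkt.tls_length
        self.buf += pkt.data
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments exceed announced TLS length")
        if pkt.more:
            return None
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("flight ended %d bytes short" % self.outstanding)
        flight, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return flight


def run_exchange(tls_flight: bytes, max_frag: int, first_ident: int = 5):
    """Server fragments a flight; the peer reassembles and ACKs every M fragment.
    Returns (reassembled flight, number of ACKs the peer sent)."""
    client, acks, flight = Reassembler(), 0, None
    for raw in fragment_flight(tls_flight, max_frag, first_ident):
        req = parse_eap(raw)
        flight = client.feed(req)
        if flight is None:                       # not complete: ACK with the same Identifier
            assert parse_eap(build_eap_tls(EAP_RESPONSE, req.ident, 0)).is_ack
            acks += 1
    return flight, acks


def describe_client_hello(tls: bytes) -> dict:
    """Decode record + handshake headers and the cipher suite list of a TLS 1.0 ClientHello."""
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    hs = tls[5:5 + rlen]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if hs_type != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + hs_len]
    off = 2 + 32                                  # client_version + 32-byte random
    off += 1 + body[off]                          # session_id (length-prefixed)
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    suites = [struct.unpack("!H", body[off + 2 + i:off + 4 + i])[0] for i in range(0, cs_len, 2)]
    return {"record_version": (vmaj, vmin), "record_length": rlen, "handshake_length": hs_len,
            "client_version": (body[0], body[1]), "cipher_suites": suites}


if __name__ == "__main__":
    for name, raw in LOG_SAMPLES.items():
        print(name, parse_eap(raw))
    print(describe_client_hello(parse_eap(LOG_SAMPLES["client_hello"]).data))
    server_flight = bytes(range(256)) * 13       # constructed stand-in for a ~3 KB server flight
    print("acks sent:", run_exchange(server_flight, 1000)[1])
```

`Reassembler.outstanding` is the number a practitioner wants when a handshake stalls: feed only the fragments that actually arrived and it tells you how much of the announced length is still missing. Two checks against the posted log follow from the same framing: the line "Need to read more data: SSLv3 read client certificate A" appears in request 2 immediately after the server wrote its CertificateRequest and flushed, before the client has sent anything, so it marks OpenSSL waiting for the peer's next flight rather than a partially received certificate; and the tail of the log shows the last server fragment (ending in the 4-byte ServerHelloDone, `0e000000`) followed only by cleanup lines, with no further Access-Request carrying a client Certificate fragment.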