freeRADIUS EAP-TLS: no connection with WinXP Prof SP2
Hello,
My hardware: a SuSE 10 server, a Linksys WRT54GX router and a Windows XP Prof SP2 machine with a Linksys WPC54GX 108 Mbit WLAN card.
Now I would like to set up RADIUS authentication (EAP-TLS). For that I followed this tutorial:
http://www.linuxjournal.com/article/8095 (3 parts in total)
So far so good; after some time I worked through the tutorial successfully and could start the RADIUS server with radiusd -X -A (message "ready to process requests").
The router setup was no problem either, then it was the XP client's turn.
There I installed my cacert.pem and server_keycert.p12 without problems (www.freeradius.org/doc/EAPTLS.pdf). My 2 certificates then also looked like the ones shown on page 18 of EAPTLS.pdf.
...set up the network connection (WPA, TKIP) and started a connection attempt right away:
Somehow it doesn't work, though.
radiusd reports TLS_accept:error in SSLv3 read client certificate A.
At first I thought that was an error message; after a lot of googling I suddenly noticed that the same message appears in EAPTLS.pdf (page 21). At the end of my radiusd output, "Nothing to do. Sleeping until we see a request." also appears, just like in EAPTLS.pdf. So my RADIUS server apparently works?
Unfortunately I can't get a connection under WinXP; after the authentication attempt WinXP aborts and I see the red cross in the bottom right of the taskbar... What else could it be? Router settings? XP? Linux? My WLAN connection is stable, full signal strength!
radiusd -X -A output:
Finished request 14
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.0.111:1028, id=71, length=197
User-Name = "eva.ellert.com"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x020700500d800000004616030100410100003d0301440b20514d137f086708c80ff6517e925521ddd8921f7270534667d7bd27bd2500001600040005000a000900640062000300060013001200630100
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x52173c1d5989ce3ca4376f0cf62f7458
Message-Authenticator = 0x6f3c2dae3475832073d1ba406b585de3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
modcall[authorize]: module "chap" returns noop for request 15
modcall[authorize]: module "mschap" returns noop for request 15
rlm_realm: No '@' in User-Name = "eva.ellert.com", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
rlm_eap: EAP packet type response id 7 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 024d], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 006a], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 71 to 192.168.0.111:1028
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x1e060355040313176c696e75782d7365727665722e656c6c6572742e636f6d0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7ed6fec6d0ab15d5d4e780177c561d50
Finished request 15
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.0.111:1028, id=72, length=123
User-Name = "eva.ellert.com"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x020800060d00
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x7ed6fec6d0ab15d5d4e780177c561d50
Message-Authenticator = 0x68a434455d474afbd4f93cefde616063
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
modcall[authorize]: module "chap" returns noop for request 16
modcall[authorize]: module "mschap" returns noop for request 16
rlm_realm: No '@' in User-Name = "eva.ellert.com", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 16
rlm_eap: EAP packet type response id 8 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 16
modcall: group authorize returns updated for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 16
modcall: group authenticate returns handled for request 16
Sending Access-Challenge of id 72 to 192.168.0.111:1028
EAP-Message = 0x0109000a0d8000000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2ca8347091d861f78951787328cd421e
Finished request 16
Going to the next request
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 67 with timestamp 440b2071
Cleaning up request 12 ID 68 with timestamp 440b2071
Cleaning up request 13 ID 69 with timestamp 440b2071
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 14 ID 70 with timestamp 440b2074
Cleaning up request 15 ID 71 with timestamp 440b2074
Cleaning up request 16 ID 72 with timestamp 440b2074
Nothing to do. Sleeping until we see a request.
I'm at my wits' end!!! Hopefully someone can help me....
Regards, Tobi
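The EAP-Message values in the debug output above are the raw EAP packets the supplicant and radiusd exchanged, and they can be read directly. The following decoder is an added example for this thread, not code from the original post or from the freeRADIUS project. It parses the EAP header (RFC 3748), the EAP-TLS flags (RFC 5216) and, where TLS data is present, the TLS record and handshake headers plus the ClientHello body, and produces the same one-line summaries that rlm_eap_tls prints, so each hex blob in the log can be checked against the text next to it. The sample values are copied from the log quoted in the post; the helper that joins RADIUS-fragmented EAP-Message attributes is included because Access-Challenge 71 above carries its EAP packet in four such attributes.

```python
"""Decode EAP-Message attribute values from a freeRADIUS ``radiusd -X`` log.

Added example for this thread, not code from the post or from freeRADIUS.
Parses the EAP header (RFC 3748), EAP-TLS flags (RFC 5216) and, where TLS
data is present, the TLS record/handshake headers and the ClientHello body.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 0x0D
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # length included, more fragments, start
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}


def join_eap_message_attributes(values):
    """Concatenate consecutive EAP-Message attribute values into one EAP packet.

    A RADIUS attribute holds at most 253 bytes, so a longer EAP packet is split
    over several EAP-Message attributes (RFC 3579) that must be joined first.
    """
    return "0x" + "".join(v[2:] if v.startswith("0x") else v for v in values)


def parse_client_hello(body):
    """Return the client version and offered cipher suite ids of a ClientHello body."""
    version = TLS_VERSIONS.get((body[0], body[1]), f"{body[0]}.{body[1]}")
    pos = 2 + 32                                  # skip client_version and the 32-byte Random
    pos += 1 + body[pos]                          # skip session_id (length-prefixed)
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"version": version, "cipher_suites": suites}


def decode_eap_tls(hex_value):
    """Parse one complete EAP packet given as a ``0x...`` hex string."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        # Seen when one EAP-Message attribute is only a RADIUS fragment of a longer packet.
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4 or data[4] != EAP_TYPE_TLS:    # Success/Failure, or a non-TLS method
        msg["type"] = None if length == 4 else data[4]
        return msg
    msg["type"] = "EAP-TLS"
    flags = data[5]
    msg["flags"] = "".join(n for n, bit in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S)) if flags & bit)
    pos = 6
    if flags & FLAG_L:
        msg["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    tls = data[pos:]
    msg["tls_data_bytes"] = len(tls)
    if not tls:
        # No TLS payload: an EAP-TLS ACK (RFC 5216, section 2.1.5), in either direction.
        msg["summary"] = "EAP-TLS ACK (no TLS data)"
        return msg
    if len(tls) < 5:
        msg["summary"] = "truncated TLS record header"
        return msg
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", tls[:5])   # TLS record header
    version = TLS_VERSIONS.get((vmaj, vmin), f"{vmaj}.{vmin}")
    rtype = TLS_CONTENT_TYPES.get(ctype, ctype)
    msg["tls_record"] = {"type": rtype, "version": version, "length": rlen}
    if ctype != 22 or len(tls) < 9:
        msg["summary"] = f"{version} {rtype} record [length {rlen:04x}]"
        return msg
    hs_type, hs_len = HANDSHAKE_TYPES.get(tls[5], tls[5]), int.from_bytes(tls[6:9], "big")
    msg["handshake"] = {"type": hs_type, "length": hs_len}
    if hs_type == "ClientHello" and len(tls) >= 9 + hs_len:
        msg["client_hello"] = parse_client_hello(tls[9:9 + hs_len])
    # Same wording rlm_eap_tls prints, so the two can be compared line by line.
    msg["summary"] = f"{version} Handshake [length {rlen:04x}], {hs_type}"
    return msg


# EAP-Message values copied from the radiusd -X -A output quoted in the post.
LOG_MESSAGES = [
    ("Access-Request id 71, client", "0x020700500d800000004616030100410100003d0301440b20514d137f086708c80ff6517e925521ddd8921f7270534667d7bd27bd2500001600040005000a000900640062000300060013001200630100"),
    ("Access-Request id 72, client", "0x020800060d00"),
    ("Access-Challenge id 72, server", "0x0109000a0d8000000000"),
]


def summarize_log():
    """Return (label, summary) pairs for the sample messages."""
    return [(label, decode_eap_tls(value)["summary"]) for label, value in LOG_MESSAGES]


if __name__ == "__main__":
    for label, summary in summarize_log():
        print(f"{label}: {summary}")
    print(decode_eap_tls(LOG_MESSAGES[0][1])["client_hello"])
```

Run against the three messages, the decoder gives the same readings as the log text: the id 7 response is an intact TLS 1.0 ClientHello (80-byte EAP packet, L flag set, 70 bytes of TLS data), and its client_hello field lists the eleven cipher suites the XP supplicant offers, all RSA or DHE_DSS suites, several of them RC4, single DES or export-grade; the id 8 response is an EAP-TLS ACK; and the server's id 9 request carries no TLS data. The lone fourth EAP-Message attribute of Access-Challenge 71 (the one starting 0x1e0603...) fails the length check on purpose, because it is only the tail of a RADIUS-fragmented packet. Nowhere in the captured requests does a client Certificate or CertificateVerify message appear, which fits the poster's reading of EAPTLS.pdf: "error in SSLv3 read client certificate A" names the OpenSSL state in which the server is waiting for the client's certificate, not a certificate it has rejected.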
Content-ID: 27442
URL: https://administrator.de/contentid/27442
OK. Then test whether it's Windows or the RADIUS server.
Install the Odyssey client from Funkwerk on your Windows system.
That is a supplicant. Since it brings everything along itself, it is great for testing.
I use it sometimes too. If it doesn't work with that either despite correct configuration, then it's probably the RADIUS server or the AP. Do you have the latest firmware in it as well?