tobi_
Goto Top

freeRADIUS EAP-TLS keine Verbindung mit WinXP Prof SP2

Hallo,
mein Hardware SuSE 10 Server, Linksys WRT54GX Router und Windows XP Prof SP2 Rechner mit Linksys WPC54GX 108mbit WlanKarte.

Nun möchte ich mir gerne eine RADIUS Authentifizierung (EAP-TLS) einrichten. Dazu hab ich diese Tutorial befolgt:
http://www.linuxjournal.com/article/8095 (sind insgesamt 3 Teile)
Soweit so gut, das Tutorial habe ich nach einiger Zeit erfolgreich durchlaufen und konnte den radius server per radiusd -X -A erfolgreich starten (Meldung "ready to process requests").
Auch das Router Setup war kein problem, dann kam der xp client an die Reihe.
Dort habe ich mein cacert.pem und server_keycert.p12 ohne Probleme installiert (www.freeradius.org/doc/EAPTLS.pdf ). Meine 2 Zertifikate sahen dann auch so aus wie auf Seite 18 von EAPTLS.pdf abgebildet.
...Netzwerkverbindung eingestellt (WPA, TKIP), gleich mal einen verbindungsversuch gestartet:
Irgendwie funktioniert es aber nicht.
radiusd meldet TLS_accept:error in SSLv3 read client certificate A.

Zuerst dachte ich das wäre eine Fehlermeldung nach langem googeln ist mir plötzlich aufgefallen das in dem EAPTLS.pdf die selbe Meldung auftaucht(Seite21). Am Ende meiner radiusd ausgabe taucht ebenfalls wie in EAPTLS.pdf "Nothing to do. Sleeping until we see a request." auf. Also funktioniert mein Radius server anscheinend?
Leider bekomm ich unter WinXP aber keine Verbindung zusammen, nach dem authentifizierungsversuch bricht winxp ab und ich seh das rote kreuz unten rechts in der leiste... An was kann es noch liegen? Routereinstellungen? XP? Linux? Also meine WLAN verbindung is stabil, volle signalstärke!

radiusd -X -A Ausgabe:
Finished request 14
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.0.111:1028, id=71, length=197
User-Name = "eva.ellert.com"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x020700500d800000004616030100410100003d0301440b20514d137f086708c80ff6517e925521ddd8921f7270534667d7bd27bd2500001600040005000a000900640062000300060013001200630100
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x52173c1d5989ce3ca4376f0cf62f7458
Message-Authenticator = 0x6f3c2dae3475832073d1ba406b585de3
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 15
modcall[authorize]: module "preprocess" returns ok for request 15
modcall[authorize]: module "chap" returns noop for request 15
modcall[authorize]: module "mschap" returns noop for request 15
rlm_realm: No '@' in User-Name = "eva.ellert.com", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 15
rlm_eap: EAP packet type response id 7 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 15
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 15
modcall: group authorize returns updated for request 15
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 15
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 024d], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 006a], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 15
modcall: group authenticate returns handled for request 15
Sending Access-Challenge of id 71 to 192.168.0.111:1028
EAP-Message = 0x0108031a0d8000000310160301004a020000460301440b20747e72a4e489dc281dab37523231503451e9a5dc388b5c5db02eac7c10202f83da7ff4f3ec4d1b8342826b5f4e726312c14ea328032692464f55aa64a985000400160301024d0b0002490002460002433082023f308201a8a003020102020101300d06092a864886f70d01010405003059310b3009060355040613024445310f300d0603550408130642617965726e31173015060355040a130e4b6c617066656e626572672e64653120301e060355040313176c696e75782d7365727665722e656c6c6572742e636f6d301e170d3036303330353136323531345a170d3037303330353136
EAP-Message = 0x323531345a3059310b3009060355040613024445310f300d0603550408130642617965726e31173015060355040a130e4b6c617066656e626572672e64653120301e060355040313176c696e75782d7365727665722e656c6c6572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d9bfdd0a201ae98041d3e7c77ab2c99797b9c44176a32663c224a5905cedcc7fcb3289d913de1a8341ed96d234b970e23bdf1c83dd852fb052954b97009a426a0392f8a54dac890ddc952588e6430666d0c7c622af964dabede11a0f532b0cea03a936b42901944bba361bde7b878c8147b4c4d1b94d3a4efb13a76ab68de82d
EAP-Message = 0x0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181004a885bab72c3c904b4a2617cc4fe2734b4dee635ad4a16234bc18b2408f95230b91f4478e1f27b1855dcfc6ec86a87798976503a19fe7df5c4aa2eded2551720b4324c9fec24a1530dda84a0b15ab338d0dbc4ddba7f8fe68baf354bbf946ab4a2902fb04d7415579cb2e60ec365ecb009e89b98064e57e06568df3c05ba183f160301006a0d000062020102005d005b3059310b3009060355040613024445310f300d0603550408130642617965726e31173015060355040a130e4b6c617066656e626572672e6465312030
EAP-Message = 0x1e060355040313176c696e75782d7365727665722e656c6c6572742e636f6d0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7ed6fec6d0ab15d5d4e780177c561d50
Finished request 15
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.0.111:1028, id=72, length=123
User-Name = "eva.ellert.com"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x020800060d00
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x7ed6fec6d0ab15d5d4e780177c561d50
Message-Authenticator = 0x68a434455d474afbd4f93cefde616063
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 16
modcall[authorize]: module "preprocess" returns ok for request 16
modcall[authorize]: module "chap" returns noop for request 16
modcall[authorize]: module "mschap" returns noop for request 16
rlm_realm: No '@' in User-Name = "eva.ellert.com", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 16
rlm_eap: EAP packet type response id 8 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 16
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 16
modcall: group authorize returns updated for request 16
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 16
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 16
modcall: group authenticate returns handled for request 16
Sending Access-Challenge of id 72 to 192.168.0.111:1028
EAP-Message = 0x0109000a0d8000000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2ca8347091d861f78951787328cd421e
Finished request 16
Going to the next request
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 11 ID 67 with timestamp 440b2071
Cleaning up request 12 ID 68 with timestamp 440b2071
Cleaning up request 13 ID 69 with timestamp 440b2071
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 14 ID 70 with timestamp 440b2074
Cleaning up request 15 ID 71 with timestamp 440b2074
Cleaning up request 16 ID 72 with timestamp 440b2074
Nothing to do. Sleeping until we see a request.


Bin am verzweifeln!!! Hoffentlich kann mir wer helfen....
MfG Tobi

Content-ID: 27442

Url: https://administrator.de/forum/freeradius-eap-tls-keine-verbindung-mit-winxp-prof-sp2-27442.html

Ausgedruckt am: 24.12.2024 um 00:12 Uhr

BartSimpson
BartSimpson 05.03.2006 um 22:59:21 Uhr
Goto Top
haste du das WPA2 update für SP2 eingespielt?
Tobi_
Tobi_ 06.03.2006 um 14:32:52 Uhr
Goto Top
nein hatte ich noch nicht drauf! Jetzt is es drauf aber eine Verbindung bekomme ich immer noch nicht!
BartSimpson
BartSimpson 06.03.2006 um 14:52:39 Uhr
Goto Top
ok. dann der test ob es am Windows oder am radiusserver liegt.
Installieren mal auf deinem Windowssystem den odysses Client von Funkwerk.
Das ist ein Supplicant. Da dieser alles selber mitbringt, eignet er sich prima zum testen.
Den nutzte ich auch manchmal. Wenn es damit auch nicht geht trotz richtiger konfiguration, dann liegt es warscheinlich am Radiusserver oder AP. Haste in diesem auch die neuste Firmware din?
Tobi_
Tobi_ 06.03.2006 um 16:11:24 Uhr
Goto Top
geht wieder nicht, hab die selben probleme wie ohne odyssey....
auf dem ap ist die neueste firmware vom 22.12 drauf.
wird wohl doch an linux liegen....
BartSimpson
BartSimpson 06.03.2006 um 16:27:43 Uhr
Goto Top
du kannste und ja mal den Imhalt der eap.conf und radiusd.conf zeigen.
Tobi_
Tobi_ 06.03.2006 um 16:28:47 Uhr
Goto Top
mit odyssey hatte ich ein neue radius ausgabe:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.0.111:1031, id=227, length=136
User-Name = "test"
Calling-Station-Id = "00-13-10-ae-cb-f5"
EAP-Message = 0x020400110d800000000715030100020233
Framed-MTU = 1287
NAS-IP-Address = 192.168.0.111
NAS-Port = 0
NAS-Port-Type = Wireless-802.11
State = 0x5d59b1e944230b4be67355e132d9ee13
Message-Authenticator = 0x2585289c086570d7e5a13c81e57bb087
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 125
modcall[authorize]: module "preprocess" returns ok for request 125
modcall[authorize]: module "chap" returns noop for request 125
modcall[authorize]: module "mschap" returns noop for request 125
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 125
rlm_eap: EAP packet type response id 4 length 17
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 125
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 125
modcall: group authorize returns updated for request 125
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 125
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert read:fatal:decrypt error
TLS_accept:failed in SSLv3 read client certificate A
6227:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1052:SSL alert number 51
6227:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 125
modcall: group authenticate returns reject for request 125
auth: Failed to validate the user.
Delaying request 125 for 1 seconds
Finished request 125
Tobi_
Tobi_ 06.03.2006 um 16:42:55 Uhr
Goto Top
#
  1. Whatever you do, do NOT set 'Auth-Type := EAP'. The server
  2. is smart enough to figure this out on its own. The most
  3. common side effect of setting 'Auth-Type := EAP' is that the
  4. users then cannot use ANY other authentication method.
#
#
eap {
#
#
#
#
default_eap_type = tls

#
timer_expire = 60

#
ignore_unknown_eap_types = no

#
cisco_accounting_username_bug = no


#
#
md5 {
}

#
#
#
#
leap {
}

#
#
gtc {
#challenge = "Password: "

#
#
auth_type = PAP
}

## EAP-TLS
#
#
#
#
#
#whatever
tls {
private_key_password =
private_key_file = ${raddbdir}/certs/server_keycert.pem

certificate_file = ${raddbdir}/certs/server_keycert.pem

CA_file = ${raddbdir}/certs/linux-serverCA/cacert.pem

dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random

#
#
#fragment_size = 1024

#


#
                                                1. If check_cert_cn is set, the value will
                                                2. be xlat'ed and checked against the CN
                                                3. in the client certificate. If the values
                                                4. do not match, the certificate verification
                                                5. will fail rejecting the user.
#
                                1. check_cert_cn = %{User-Name}
                                #}

                                #
                                #
                                #
                                #ttls {

                                #
                                #

                              1. usually based on the name of the user
                              2. #

                                #}

                                #
                                #
                                #
                                #}

                                #
                                #
                                #
                                #
                                #
                                mschapv2 {
                                }
                                }
                                }


                                in der radiusd.conf ist nichts vertellt worden, alles default!


                                #
                                1. clients.conf - client configuration directives
                                #

                                #
                                1. Definition of a RADIUS client (usually a NAS).
                                #
                                1. The information given here over rides anything given in the
                                2. 'clients' file, or in the 'naslist' file. The configuration here
                                3. contains all of the information from those two files, and allows
                                4. for more configuration items.
                                #
                                1. The "shortname" is be used for logging. The "nastype", "login" and
                                2. "password" fields are mainly used for checkrad and are optional.
                                #

                                #
                                1. Defines a RADIUS client. The format is 'client [hostname|ip-address]'
                                #
                                1. '127.0.0.1' is another name for 'localhost'. It is enabled by default,
                                2. to allow testing of the server after an initial installation. If you
                                3. are not going to be permitting RADIUS queries from localhost, we suggest
                                4. that you delete, or comment out, this entry.
                                #
                                client 127.0.0.1 {
                                #
                                #
                                #
                                secret = testing123

                                #
                                #
                                shortname = localhost

                                #
                                #

                                #
                                #
                                #

                                #
                                nastype = other # localhost isn't usually a NAS...

                                #
                                #
                                }

                                #client some.host.org {
                                #}

                                #
                                1. You can now specify one secret for a network of clients.
                                2. When a client request comes in, the BEST match is chosen.
                                3. i.e. The entry from the smallest possible network.
                                #
                                #client 192.168.0.0/24 {
                                #}
                                #
                                #client 192.168.0.0/16 {
                                #}

                                client 192.168.0.111/32 {
                                secret = test
                                shortname = wrt54gx
                                }

                                #client 10.10.10.10 {
                              3. # the following three fields are optional, but may be used by
                              4. # checkrad.pl for simultaneous usage checks
                              5. #}
BartSimpson
BartSimpson 06.03.2006 um 19:13:30 Uhr
Goto Top
also das mit dem fatal decrypt error ist nicht gut. In deiner eap.conf haste du dich auch etwas mit den Klammern vertan. Ich muste bei mir auch die radiusd.conf anpassen. wenn du mir per pm deine e-mai schickt, dann kann ich dir meine ganze radiusconf schicken.
Tobi_
Tobi_ 08.03.2006 um 11:44:51 Uhr
Goto Top
problem ist gelöst!!!!!!!!!! (((((((((((((((-:
lag an den zertifikaten, dese hab ich jetzt mit tinyCA erstellt nach einem Tutorial von Chaos Computer Club
http://www.ccc.de/congress/2004/fahrplan/files/330-sicherheit-fuer-host ...
Trotzdem Danke für Euere Bemühungen!
mfg tobi
Tobi_
Tobi_ 28.03.2006 um 20:37:55 Uhr
Goto Top
hallo,
ich hatte es mit den selben befehlen probiert... auch ohne erfolg!
bezühlich der linux fehlermeldung, da würd ich mich an ein linux forum wenden, auf meinem suse 10 konnte ich tinyCA fehlerlos installieren!

der link für das ccc tutoiral is doch oben gepostet! einfach anclicken!
mfg tobi