Help with non-compliant client (TLS issue)

Help with non-compliant client (TLS issue)

Users mailing list
Hi,

I am trying to use an ESP8266 to connect to a network using freeradius.
I have confirmed that the fault is not due to freeradius, but since the
code in the SDK for the device is closed, I am limited in what I can do
to resolve the problem.

The server is configured and is working fine with EAP-PEAP using
MSCHAPv2 auth, which the device is supposed to support. Other devices
and eapol_test confirm that the radius server is set up correctly.

When the device attempts to authenticate, the following is observed in
the freeradius debug output.

[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate
    TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.

My assumption is that the device is erroneously trying to tell the
server that it is providing a client certificate, which it obviously is
not, but I do not know enough about TLS to verify this and would love
some feedback if anyone is a guru in this area.

Even if I provide a client certificate, the above error still occurs;
clearly the fault is in the binary blob that Espressif provides.

--
Kind Regards,
Geoffrey McRae

HostFission
Server Management & Monitoring
W: https://hostfission.com
P: +61 2 9037 0321




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help with non-compliant client (TLS issue)

Users mailing list
Follow up with complete authentication log:

rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=61, length=213
        User-Name = "office.power.accounting"
        NAS-Identifier = "OpenWRT"
        Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "A0-20-A6-18-6F-D4"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Acct-Session-Id = "5583280D-00001ECC"
        Framed-MTU = 1400
        EAP-Message =
0x0270001c016f66666963652e706f7765722e6163636f756e74696e67
        Message-Authenticator = 0x89bac36f11fc19def9cf51a7e3e9ca95
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 112 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 61 to 192.168.50.253 port 33005
        EAP-Message = 0x017100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06e4b92c0695a0e7583a5ad1e4b3e5ec
Finished request 56.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=62, length=275
        User-Name = "office.power.accounting"
        NAS-Identifier = "OpenWRT"
        Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "A0-20-A6-18-6F-D4"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Acct-Session-Id = "5583280D-00001ECC"
        Framed-MTU = 1400
        EAP-Message =
0x0271004819800000003e1603020039010000350302572068748f17c6ace6f3126cc7befac5eddf2d1cc893df1b2ead55eb3cb62c9800000e003d0035003c002f000a000500040100
        State = 0x06e4b92c0695a0e7583a5ad1e4b3e5ec
        Message-Authenticator = 0x560dc60831b0fa342cd1b39f5fded0d0
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 113 length 72
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 62
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0039], ClientHello  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0ad4], Certificate  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase
In SSL Accept mode  
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 62 to 192.168.50.253 port 33005
        EAP-Message = [hex omitted]
        EAP-Message =
0x652e737061636576732e636f6d2930820222300d06092a864886f70d01010105000382020f003082020a0282020100bec565c37302f5a1f3f227c5005bfe7f58f0f1eb7b9d50268f577013854424c0746e2b93c3322363c53ccd3cde4638d9e6a6054db5ec9c6668714f461a5a9e7713f1bd273a3d4295cf11966d4b0d119c5fa6e2d63e81bf571a09beffd557ab8135fdf041d3ddc4ed836835ddd4b5357d05850e36bb80e92f18d0896c0c3396a087e733ccaf65f4223e1ebea23d7d6ec9185f4737cb1dd42e91c1c5363f3e6f631c17d00fcd000c88fa5db04b3a9c1e9ee8679c8e335375c9c9f620b564d331c2bbebda2772871a7ac0dbfa389af2
        EAP-Message = [hex omitted]
        EAP-Message =
0xc67fb9bf99a82b0aaf71835bc7fab0b5dfd43d99a0fb8f721176fccc01c6711911277641d1de1ad4d908f407b39687ce77aabf12890203010001a3253023300c0603551d130101ff0402300030130603551d25040c300a06082b06010505070301300d06092a864886f70d01010d05000382020100a07c7f1f95937ac12218a6612a846c48ac909c37ba3b0f893b5d4f6bcb1c06f6818f09d701a5d4986e081f602c585bb7e7c0441d3f8bbc4ad0a75a2058e9453c9f9ddd8bf675f9e73c01ceb817a18a1f1fe223360fe7a19fadf17a2c2217c96857de3e775f7f74ee504206923f953170593742646c22cea414681af5751d494b4e7004a43523da87
        EAP-Message = 0x061f85b9da0b385ce0b787b3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06e4b92c0796a0e7583a5ad1e4b3e5ec
Finished request 57.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=63, length=209
        User-Name = "office.power.accounting"
        NAS-Identifier = "OpenWRT"
        Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "A0-20-A6-18-6F-D4"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Acct-Session-Id = "5583280D-00001ECC"
        Framed-MTU = 1400
        EAP-Message = 0x027200061900
        State = 0x06e4b92c0796a0e7583a5ad1e4b3e5ec
        Message-Authenticator = 0xf99ffa56b22071a5b6849102d0a6c1f9
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 114 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 63 to 192.168.50.253 port 33005
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = 0x5d0e86558c0b467d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06e4b92c0497a0e7583a5ad1e4b3e5ec
Finished request 58.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=64, length=209
        User-Name = "office.power.accounting"
        NAS-Identifier = "OpenWRT"
        Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "A0-20-A6-18-6F-D4"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Acct-Session-Id = "5583280D-00001ECC"
        Framed-MTU = 1400
        EAP-Message = 0x027300061900
        State = 0x06e4b92c0497a0e7583a5ad1e4b3e5ec
        Message-Authenticator = 0xcf8da5e0de6e6911640cac00e68741a9
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 115 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 64 to 192.168.50.253 port 33005
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message = [hex omitted]
        EAP-Message =
0x4bd1b7c07a522d0d95d8d66e8bb99b2f44b0a043e61f6bdf6b82b869132d6a1051c37c6bd696631d0699d416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06e4b92c0590a0e7583a5ad1e4b3e5ec
Finished request 59.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=65, length=220
        User-Name = "office.power.accounting"
        NAS-Identifier = "OpenWRT"
        Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Calling-Station-Id = "A0-20-A6-18-6F-D4"
        Connect-Info = "CONNECT 54Mbps 802.11g"
        Acct-Session-Id = "5583280D-00001ECC"
        Framed-MTU = 1400
        EAP-Message = 0x027400111980000000071503010002022a
        State = 0x06e4b92c0590a0e7583a5ad1e4b3e5ec
        Message-Authenticator = 0x9580deaf1ada4b60f7a7e6c2312f6a0c
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] expand: %t -> Wed May 17 17:24:10 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 116 length 17
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate
    TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:bad certificate):
[office.power.accounting/<via Auth-Type = EAP>] (from client
192.168.50.253 port 1 cli A0-20-A6-18-6F-D4)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] expand: %{User-Name} ->
office.power.accounting
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 60 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 60
Sending Access-Reject of id 65 to 192.168.50.253 port 33005
        EAP-Message = 0x04740004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
Cleaning up request 56 ID 61 with timestamp +2171
Cleaning up request 57 ID 62 with timestamp +2171
Cleaning up request 58 ID 63 with timestamp +2171
Cleaning up request 59 ID 64 with timestamp +2171
Waking up in 1.6 seconds.
Cleaning up request 60 ID 65 with timestamp +2172
Ready to process requests.


--
Kind Regards,
Geoffrey McRae

HostFission
Server Management & Monitoring
W: https://hostfission.com
P: +61 2 9037 0321



On Wed, 2017-05-17 at 16:16 +1000, Geoffrey McRae via Freeradius-Users
wrote:

> [quoted text of the first message omitted; it repeats the text above]

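Decoding the EAP-Message hex in that log, as an added example (this is not code from the original post or from FreeRADIUS): the script parses the EAP header, the PEAP flags and length, and the TLS records inside, and tags each record with the side that sent it, which follows from the EAP code alone (Response = supplicant, Request = server). Fed the four short EAP-Message values above (ids 113 to 116) it reports the device's ClientHello offering TLS 1.1 with seven RSA-key-exchange suites and no extensions, and then a fatal bad_certificate alert inside an EAP Response, that is, sent by the device; the trailing bytes of Access-Challenge id 64 show the server's ServerHelloDone in a TLS 1.0 record. The lengths it recovers are the ones the log prints (TLS Length 62 and 7, EAP length 72 and 17), which is a cheap consistency check on the decoder.

```python
"""Decode the EAP-Message hex that radiusd -X prints for a PEAP exchange: EAP
header, PEAP flags and length, then the TLS records inside.  The EAP code says
who sent a record (Response = supplicant, Request = server), which settles whose
certificate a bad_certificate alert is about.  Added example, not code from the
original post or from FreeRADIUS; the hex values at the bottom come from the log."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
CIPHER_SUITES = {0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
                 0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x0004: "TLS_RSA_WITH_RC4_128_MD5"}


def parse_client_hello(body):
    """ClientHello body after the 4-byte handshake header (RFC 5246 section 7.4.1.2)."""
    pos = 2 + 32                                          # client_version, client_random
    pos += 1 + body[pos]                                  # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                  # compression_methods
    return {"version": TLS_VERSIONS.get((body[0], body[1]), f"{body[0]}.{body[1]}"),
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
            "extensions_bytes": len(body) - pos}          # 0 means no SNI, no signature_algorithms


def parse_tls_records(data):
    """Split bytes into TLS records; a record cut by EAP fragmentation gets complete=False."""
    records = []
    while len(data) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        payload, data = data[5:5 + length], data[5 + length:]
        rec = {"content": CONTENT_TYPES.get(ctype, ctype), "complete": len(payload) == length,
               "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}")}
        if ctype == 21 and len(payload) >= 2:             # Alert: level, description
            rec["level"] = ALERT_LEVELS.get(payload[0], payload[0])
            rec["description"] = ALERT_DESCRIPTIONS.get(payload[1], payload[1])
        elif ctype == 22 and len(payload) >= 4:           # Handshake: type, 24-bit length
            hs_type, hs_len = payload[0], int.from_bytes(payload[1:4], "big")
            rec["handshake"] = HANDSHAKE_TYPES.get(hs_type, hs_type)
            if hs_type == 1 and len(payload) >= 4 + hs_len:
                rec["client_hello"] = parse_client_hello(payload[4:4 + hs_len])
        records.append(rec)
    return records


def decode_eap_message(hexstr):
    """One EAP-Message value: RFC 3748 header, PEAP type, flags (L length, M more, S start)."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} does not match {len(data)} bytes")
    msg = {"code": EAP_CODES.get(code, code), "id": ident,
           "sent_by": "supplicant" if code == 2 else "server"}
    if code not in (1, 2) or data[4] != EAP_TYPE_PEAP:    # Success/Failure or another EAP type
        return msg
    flags = data[5]
    msg["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    body = data[6:]
    if msg["flags"]["L"]:                                 # 4-byte total TLS length precedes data
        msg["tls_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    msg["tls"] = parse_tls_records(body)                  # [] for a PEAP Start or a bare ACK
    return msg


def describe(hexstr):
    """One line per EAP-Message: who sent it and what the TLS layer carried."""
    m = decode_eap_message(hexstr)
    head = f"EAP {m['code']} id={m['id']} from {m['sent_by']}"
    if not m.get("tls"):
        return head + (": PEAP Start" if m.get("flags", {}).get("S") else ": ACK, no TLS data")
    parts = []
    for r in m["tls"]:
        if "client_hello" in r:
            ch = r["client_hello"]
            parts.append(f"{r['version']} record, ClientHello offering {ch['version']}, "
                         f"{len(ch['cipher_suites'])} suites, {ch['extensions_bytes']} extension bytes")
        elif r["content"] == "Alert":
            parts.append(f"{r['version']} Alert {r['level']} {r['description']}")
        else:
            parts.append(f"{r['version']} {r['content']} {r.get('handshake', '')}".rstrip())
    return head + ": " + "; ".join(parts)


# EAP-Message values copied from the log above (EAP ids 113 to 116).
LOG_EAP_MESSAGES = [
    "0x017100061920",                                     # server: PEAP Start
    "0x0271004819800000003e1603020039010000350302572068748f17c6ace6f3126cc7befac5eddf2d1cc893df1b2ead55eb3cb62c9800000e003d0035003c002f000a000500040100",
    "0x027200061900",                                     # device: ACK of a certificate fragment
    "0x027400111980000000071503010002022a",               # device: the fatal alert
]
# Last nine bytes of the fragmented Access-Challenge id 64 (its EAP header is elided in the log).
SERVER_HELLO_DONE = "16030100040e000000"

if __name__ == "__main__":
    for h in LOG_EAP_MESSAGES:
        print(describe(h))
    print(parse_tls_records(bytes.fromhex(SERVER_HELLO_DONE)))
```

The arrows in the radiusd debug output are from the server's point of view: `<<<` is a record the server read from the supplicant, `>>>` one it wrote to the supplicant, so the `<<< TLS 1.0 Alert` line and the EAP code 0x02 on the packet that carried it say the same thing. The decoder only descends into a ClientHello; the server's own handshake messages are already spelled out in the `>>>` lines.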

Re: Help with non-compliant client (TLS issue)

Users mailing list
I just figured out that I had the log backwards.

[peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate
    TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate

This means the client sent a rejection due to the server's certificate
being invalid, I thought it was the server rejecting the client's
certificate.

Perhaps this little device is not capable of handling a 4096-bit key with
SHA512.

--
Kind Regards,
Geoffrey McRae

HostFission
Server Management & Monitoring
W: https://hostfission.com
P: +61 2 9037 0321



On Wed, 2017-05-17 at 17:26 +1000, Geoffrey McRae via Freeradius-Users
wrote:

> [quoted text of the second message omitted; it repeats the log above]
> +group REJECT {
> [attr_filter.access_reject] expand: %{User-Name} ->
> office.power.accounting
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] = updated
> +} # group REJECT = updated
> Delaying reject of request 60 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 60
> Sending Access-Reject of id 65 to 192.168.50.253 port 33005
> EAP-Message = 0x04740004
> Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.3 seconds.
> Cleaning up request 56 ID 61 with timestamp +2171
> Cleaning up request 57 ID 62 with timestamp +2171
> Cleaning up request 58 ID 63 with timestamp +2171
> Cleaning up request 59 ID 64 with timestamp +2171
> Waking up in 1.6 seconds.
> Cleaning up request 60 ID 65 with timestamp +2172
> Ready to process requests.
>
>


Re: Help with non-compliant client (TLS issue)

Stefan Winter-4
In reply to this post by Users mailing list
Hello,

on your client, do you validate the server certificate against the
correct CA, and if you specify the server name, did you specify the
*server certificate's* CN / subjectAltName (notably not the name of the
CA)?

Greetings,

Stefan Winter

On 17.05.2017 at 09:26, Geoffrey McRae via Freeradius-Users wrote:

> Follow up with complete authentication log:

--
Stefan WINTER
Research Engineer
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66


Re: Help with non-compliant client (TLS issue)

Users mailing list
The client isn't that intelligent; it is only looking for a valid
certificate and doesn't verify the CN at any point.

I just confirmed the problem: the device doesn't support SHA512;
dropping back to SHA256 fixes the issue. Thanks for your time.

--
Kind Regards,
Geoffrey McRae

HostFission
Server Management & Monitoring
W: https://hostfission.com
P: +61 2 9037 0321



On Wed, 2017-05-17 at 10:51 +0200, Stefan Winter wrote:

> Hello,
>
> on your client, do you validate the server certificate against the
> correct CA, and if you specify the server name, did you specify the
> *server certificate's* CN / subjectAltName (notably not the name of the
> CA)?
>
> Greetings,
>
> Stefan Winter
>
> On 17.05.2017 at 09:26, Geoffrey McRae via Freeradius-Users wrote:
> > Follow up with complete authentication log:
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group REJECT {
> > [attr_filter.access_reject] expand: %{User-Name} ->
> > office.power.accounting
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] = updated
> > +} # group REJECT = updated
> > Delaying reject of request 60 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 60
> > Sending Access-Reject of id 65 to 192.168.50.253 port 33005
> > EAP-Message = 0x04740004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > Waking up in 3.3 seconds.
> > Cleaning up request 56 ID 61 with timestamp +2171
> > Cleaning up request 57 ID 62 with timestamp +2171
> > Cleaning up request 58 ID 63 with timestamp +2171
> > Cleaning up request 59 ID 64 with timestamp +2171
> > Waking up in 1.6 seconds.
> > Cleaning up request 60 ID 65 with timestamp +2172
> > Ready to process requests.
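The two EAP-Message values at the end of the quoted log can be decoded by hand. The following Python decoder is an added example written for this page, not code from the original post or from FreeRADIUS; the byte strings it carries are copied from the log above (the server's Access-Challenge fragment is cut down to its final nine bytes, since the earlier fragments are not reproduced in full). Decoding the client's reply (EAP Response, id 116, type 25 PEAP, L bit set, TLS length 7) shows it is a single TLS 1.0 alert record, level fatal, description 42 bad_certificate, sent immediately after the server's fragment ending in ServerHelloDone. A bad_certificate alert is raised by the peer that fails to validate a certificate it received, and the client's packet contains no Certificate message of its own, so the bytes are consistent with the client rejecting the server's certificate chain. The table of alert and handshake names is from the TLS 1.0/1.2 RFCs and is an assumption only in that it is abbreviated.

```python
import struct

# Constructed sample input: the hex of the two EAP-Message attributes quoted in the
# FreeRADIUS debug log above. SERVER_TAIL is only the last 9 bytes of the server's
# final Access-Challenge fragment; CLIENT_REPLY is the client's complete reply.
SERVER_TAIL = bytes.fromhex("16030100040e000000")
CLIENT_REPLY = bytes.fromhex("027400111980000000071503010002022a")

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
              51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
              80: "internal_error", 90: "user_canceled", 100: "no_renegotiation"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
             13: "certificate_request", 14: "server_hello_done", 15: "certificate_verify",
             16: "client_key_exchange", 20: "finished"}


def parse_tls_records(data):
    """Split bytes into TLS records; decode alert bodies and handshake headers."""
    records = []
    off = 0
    while off < len(data):
        if off + 5 > len(data):
            raise ValueError("truncated TLS record header")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError("truncated TLS record body")
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": (major, minor), "length": length}
        if ctype == 21 and length == 2:
            # Alert: one byte level, one byte description.
            rec["alert"] = (ALERT_LEVEL.get(body[0], body[0]), ALERT_DESC.get(body[1], body[1]))
        elif ctype == 22 and length >= 4:
            # Handshake header: one byte type, three-byte body length.
            rec["handshake"] = (HANDSHAKE.get(body[0], body[0]), int.from_bytes(body[1:4], "big"))
        records.append(rec)
        off += 5 + length
    return records


def parse_eap_peap(packet):
    """Decode an EAP packet carrying EAP-PEAP (type 25) and the TLS records inside it."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    if packet[4] != EAP_TYPE_PEAP:
        raise ValueError("not an EAP-PEAP packet")
    flags = packet[5]  # L (0x80) M (0x40) S (0x20) ... version in the low 3 bits
    info = {
        "code": EAP_CODES.get(code, code),
        "id": ident,
        "length": length,
        "length_included": bool(flags & 0x80),
        "more_fragments": bool(flags & 0x40),
        "start": bool(flags & 0x20),
        "peap_version": flags & 0x07,
    }
    off = 6
    if info["length_included"]:
        # Four-byte total length of the TLS data across all fragments.
        info["tls_length"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    info["records"] = parse_tls_records(packet[off:])
    return info


if __name__ == "__main__":
    print("server fragment ends with:", parse_tls_records(SERVER_TAIL))
    print("client reply:", parse_eap_peap(CLIENT_REPLY))
```

Running the block prints the server tail as a handshake record carrying server_hello_done with an empty body, and the client reply as a fatal bad_certificate alert with no handshake message preceding it in that packet; the EAP id (116), length (17) and "TLS Length 7" match the corresponding lines of the log.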