Hello all,
I have been successfully providing 802.1x authentication to my wireless users for approx six months. This was implemented using ntlm_auth, PEAP, and MSCHAPV2 (Windows XP client) against an Active Directory backend. We had a power spike, which produced multiple simultaneous drive failures, and there is little but corrupted data left on my server. I managed to retrieve my config files from backup, but had to do a clean install, recreate SSL certs, etc. I am using freeradius-1.0.0-5 on Suse 9.2 Pro.

I *believe* this snippet from my debug output shows the problem:

----snip-----
eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS
-----snip------

This would *seem* to indicate a problem with my certificate generation. I've deleted and re-created my certs on both the server and the client 4 times now. I've tried giving the certs different names, thinking that they weren't deleted correctly from WinXP's mmc panel. I'm following this howto on cert creation:

http://jeremy.austux.net/resources/network/eaptls.html

I'm pretty sure that this is the same howto I followed last time and it "just worked". I'm only about 95% sure that my certs are the problem. If someone could at least confirm that, it would help. If anyone can pinpoint my issue more precisely I would be eternally grateful, as I'm really in a bind right now. Any and all suggestions are most welcome.

Thanks much!
~Brandon

*****************************
**Exhaustive info below:*****
*****************************

I have the following relevant software installed:

samba-3.0.9-2.3
samba-winbind-3.0.9-2.3
openssl-0.9.7d-25

Here are a couple of radtest outputs (note: the user here is local, not AD, and obviously this is bypassing certificates).
houston:/etc/raddb # radtest test testing localhost 43.191.108.31 SECRET
Sending Access-Request of id 135 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "testing"
        NAS-IP-Address = houston
        NAS-Port = 43
rad_recv: Access-Accept packet from host 127.0.0.1:1812, id=135, length=20
houston:/etc/raddb #
houston:/etc/raddb # radtest test wrongpw localhost 43.191.108.31 SECRET
Sending Access-Request of id 156 to 127.0.0.1:1812
        User-Name = "test"
        User-Password = "wrongpw"
        NAS-IP-Address = houston
        NAS-Port = 43
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=156, length=20
houston:/etc/raddb #

.....So that works as it should.....

Here's an ntlm_auth output:

houston:/etc/raddb # /usr/bin/ntlm_auth --username=deyoungb --domain=AM
password:
NT_STATUS_OK: Success (0x0)
houston:/etc/raddb #

....that works too, but, Houston...we still have a problem.....

Here is a full debug output:

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Config: including file: /etc/raddb/snmp.conf
Config: including file: /etc/raddb/eap.conf
Config: including file: /etc/raddb/sql.conf
main: prefix = "/usr"
main: localstatedir = "/var"
main: logdir = "/var/log/radius"
main: libdir = "/usr/lib/freeradius"
main: radacctdir = "/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 0
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/var/run/radiusd/radiusd.pid"
main: user = "radiusd"
main: group = "radiusd"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
gtc: challenge = "Password: "
gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
tls: private_key_password = "This has been sanitized"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/dev/urandom"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
peap: proxy_tunneled_request_as_eap = yes
rlm_eap: Loaded and initialized type peap
mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/etc/raddb/huntgroups"
preprocess: hints = "/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
realm: format = "prefix"
realm: delimiter = "\"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (ntdomain)
Module: Loaded files
files: usersfile = "/etc/raddb/users"
files: acctusersfile = "/etc/raddb/acct_users"
files: preproxy_usersfile = "/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=36, length=139
        User-Name = "deyoungb"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0x10d861f115dbb07d2b2c807ed6013e43
        EAP-Message = 0x0202000d016465796f756e6762
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52618
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_realm: No '\' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 36 to 43.191.108.31:1645
        EAP-Message = 0x010300061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xb476e560b219ce685233a2a3dce96543
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=37, length=224
        User-Name = "deyoungb"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0xa82fd9208da8cfd5dbed5cc52d11b381
        EAP-Message = 0x0203005019800000004616030100410100003d0301430367671bc00064cbb7578abf6c264a8d6dc1249e2654915d4bd8b26395cad200001600040005000a000900640062000300060013001200630100
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52618
        State = 0xb476e560b219ce685233a2a3dce96543
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_realm: No '\' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 02c9], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 37 to 43.191.108.31:1645
        EAP-Message = 0x0104032c1900160301004a0200004603014303657d517ec9f755c72b45c7f0613e7b5a8b6c14976b236eb6518cfee742e320cf6bc49299508610ad4c7bb13a2877938fd7a54e3cdd2d56de739fd81f99dbf500040016030102c90b0002c50002c20002bf308202bb30820224a003020102020101300d06092a864886f70d0101040500308196310b3009060355040613025553310b3009060355040813024341311230100603550407130953616e20446965676f31193017060355040a1310536f6e7920456c656374726f6e696373310c300a060355040b130349544d3111300f060355040314084541505f536f6e79312a302806092a864886f70d01
        EAP-Message = 0x0901161b6272616e646f6e2e6465796f756e6740616d2e736f6e792e636f6d301e170d3035303831373135323131375a170d3036303831373135323131375a308196310b3009060355040613025553310b3009060355040813024341311230100603550407130953616e20446965676f31193017060355040a1310536f6e7920456c656374726f6e696373310c300a060355040b130349544d3111300f060355040314084541505f536f6e79312a302806092a864886f70d010901161b6272616e646f6e2e6465796f756e6740616d2e736f6e792e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100a042769934723dc7
        EAP-Message = 0x5e3fd51b19b85c280fbe8df9cdca5d311e2b0418a52ce7382ac77ad00178fa63a553a03e39a1fff8e10ff5f41c5a41b20b8ef5600d6fd72a5392c948a625e5d491338fc7f11c0b14a765d8f80412f37fcf3f0d93987882f3d4588035c9a4ed9e9724e5c06c54bc02ccb412e5b4f688ce6feb323505f37f550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181004928c9b15407cb400ed3ad5b1b5e6b0413ceb246e0023bb07c36575945118bee439e4b3b72554e2770e2a1500dbae20fc603eb394c695b961bff8813b2369e64fecc9b1742a934eeda706b3b87d836325555f1cb
        EAP-Message = 0x25399be1adcd2944c15b78169fbfbb9b15269e94c8882dc7b9e3e57fe36158f944590418b935c779a4d19d5416030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x3233e8ac062396376b95baab46ff3932
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=38, length=150
        User-Name = "deyoungb"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0xcd50d811b2bd62c6131965d2a98ec598
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52618
        State = 0x3233e8ac062396376b95baab46ff3932
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: No '\' in User-Name = "deyoungb", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
eaptls_verify returned 3
eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 38 to 43.191.108.31:1645
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2a59d5433efbf6567da0c6b9c10eab2e
Finished request 2
Going to the next request
Waking up in 6 seconds.

Here is another snippet from debug output, when a local user tries to auth from XP, MSCHAP client.

-----------snip--------------
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=34, length=146
        User-Name = "test"
        Framed-MTU = 1400
        Called-Station-Id = "0014.6a49.efd0"
        Calling-Station-Id = "000e.3562.498f"
        Service-Type = Login-User
        Message-Authenticator = 0xdc3a1578cac294fb244a5592d95b9a97
        EAP-Message = 0x020400061900
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 52567
        State = 0x3233e8ac06239637866e7bccf095f26e
        NAS-IP-Address = 43.191.108.31
        NAS-Identifier = "SDB5-3-ENG-G"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_realm: No '\' in User-Name = "test", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "ntdomain" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched test at 93
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
eaptls_verify returned 3
eaptls_process returned 3
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 34 to 43.191.108.31:1645
        EAP-Message = 0x010500061900
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x2a59d5433efbf6562cf7f44fe38cdae4
Finished request 2
Going to the next request
Waking up in 6 seconds..
---------snip----------------------

Here is a sanitized version of eap.conf (include file in radiusd.conf):

----------snip------------------
# $Id: eap.conf,v 1.4 2004/04/15 18:34:41 aland Exp $

eap {
    default_eap_type = peap
#   default_eap_type = md5
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no

    md5 {
    }

    leap {
    }

    gtc {
        # The default challenge, which many clients
        # ignore..
        #challenge = "Password: "
        auth_type = PAP
    }

    ## EAP-TLS
    #
    # To generate test certificates, run the script
    #
    #     ../scripts/certs.sh
    #
    # The documents on http://www.freeradius.org/doc
    # are old, but may be helpful.
    #
    # See also:
    #
    # http://www.dslreports.com/forum/remark,9286052~mode=flat
    #
    tls {
        private_key_password = "This has been sanitized"
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem

        # Trusted Root CA list
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
#       check_crl = yes
#       check_cert_cn = %{User-Name}
    }

    #ttls {
    #   default_eap_type = md5
    #   copy_request_to_tunnel = no
    #   use_tunneled_reply = no
    #}

    peap {
        default_eap_type = mschapv2
    }

    mschapv2 {
    }
}
------------------snip-------------------------------------------

Here is the full radiusd.conf (comments removed for brevity):

-----------------snip--------------------------------------
##
## radiusd.conf -- FreeRADIUS server configuration file.
##
## http://www.freeradius.org/
## $Id: radiusd.conf.in,v 1.188 2004/05/13 20:10:19 pnixon Exp $
##

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct

confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = /usr/lib/freeradius
pidfile = ${run_dir}/radiusd.pid

user = radiusd
group = radiusd

max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024

bind_address = *
#bind_address = 43.191.104.39

# port: Allows you to bind FreeRADIUS to a specific port.
#
# The default port that most NAS boxes use is 1645, which is historical.
# RFC 2138 defines 1812 to be the new port. Many new servers and
# NAS boxes use 1812, which can create interoperability problems.
#
# The port is defined here to be 0 so that the server will pick up
# the machine's local configuration for the radius port, as defined
# in /etc/services.
#
port = 0

# If you comment out the "bind_address" and "port" configuration entries,
# then it becomes possible to make the server accept only accounting,
# or authentication packets. Previously, it always listened for both
# types of packets, and it was impossible to make it listen for only
# one type of packet.
#
#listen {
    # IP address on which to listen.
    # Allowed values are:
    #   dotted quad (1.2.3.4)
    #   hostname    (radius.example.com)
    #   wildcard    (*)
#   ipaddr = *

    # Port on which to listen.
    # Allowed values are:
    #   integer port number (1812)
    #   0 means "use /etc/services for the proper port"
#   port = 0

    # Type of packets to listen for.
    # Allowed values are:
    #   auth    listen for authentication packets
    #   acct    listen for accounting packets
    #
#   type = auth
#}

hostname_lookups = no
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no

# Default is 'no' (don't lowercase values)
# Valid values = "before" / "after" / "no"
#
lower_user = no
lower_pass = no

# Default is 'no' (don't remove spaces)
# Valid values = "before" / "after" / "no" (explanation above)
#
nospace_user = no
nospace_pass = no

# The program to execute to do concurrency checks.
checkrad = ${sbindir}/checkrad

security {
    max_attributes = 200
    reject_delay = 1
    status_server = no
}

proxy_requests = yes
$INCLUDE ${confdir}/proxy.conf
$INCLUDE ${confdir}/clients.conf

snmp = no
$INCLUDE ${confdir}/snmp.conf

thread pool {
    start_servers = 5
    max_servers = 32
    min_spare_servers = 3
    max_spare_servers = 10
    max_requests_per_server = 0
}

modules {
    pap {
        encryption_scheme = crypt
    }
    chap {
        authtype = CHAP
    }
    pam {
        pam_auth = radiusd
    }
    unix {
        cache = no
        cache_reload = 600
        radwtmp = ${logdir}/radwtmp
    }
    $INCLUDE ${confdir}/eap.conf
    mschap {
        authtype = MS-CHAP
        #use_mppe = no
        #require_encryption = yes
        #require_strong = yes
        with_ntdomain_hack = no
        # Be VERY careful when editing the following line!
        #
        ####ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        ####ntlm_auth = "/usr/bin/ntlm_auth --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
        ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=AM --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
    }
    ldap {
        server = "ldap.your.domain"
        # identity = "cn=admin,o=My Org,c=UA"
        # password = mypass
        basedn = "o=My Org,c=UA"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # base_filter = "(objectclass=radiusprofile)"
        start_tls = no
        # tls_cacertfile = /path/to/cacert.pem
        # tls_cacertdir = /path/to/ca/dir/
        # tls_certfile = /path/to/radius.crt
        # tls_keyfile = /path/to/radius.key
        # tls_randfile = /path/to/rnd
        # tls_require_cert = "demand"
        # default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
        # profile_attribute = "radiusProfileDn"
        access_attr = "dialupAccess"
        # Mapping of RADIUS dictionary attributes to LDAP
        # directory attributes.
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        #
        # NOTICE: The password_header directive is NOT case insensitive
        #
        # password_attribute = userPassword
        # groupname_attribute = cn
        # groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        # groupmembership_attribute = radiusGroupName
        timeout = 4
        timelimit = 3
        net_timeout = 1
        # compare_check_items = yes
        # do_xlat = yes
        # access_attr_used_for_allow = yes
    }
    realm IPASS {
        format = prefix
        delimiter = "/"
        ignore_default = no
        ignore_null = no
    }
    #
    realm suffix {
        format = suffix
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    #
    realm realmpercent {
        format = suffix
        realm ntdomain {
            format = prefix
            delimiter = "\\"
            ignore_default = no
            ignore_null = no
        }
        delimiter = "%"
        ignore_default = no
        ignore_null = no
    }
    checkval {
        item-name = Calling-Station-Id
        check-name = Calling-Station-Id
        data-type = string
    }
    preprocess {
        huntgroups = ${confdir}/huntgroups
        hints = ${confdir}/hints
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
    }
    files {
        usersfile = ${confdir}/users
        acctusersfile = ${confdir}/acct_users
        compat = no
    }
    detail {
        detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
        detailperm = 0600
    }
    # detail auth_log {
    #   detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d
    # }
    # detail reply_log {
    # }
    # detail pre_proxy_log {
    #   detailfile = ${radacctdir}/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d
    #   detailperm = 0600
    # }
    # detail post_proxy_log {
    #   detailfile = ${radacctdir}/%{Client-IP-Address}/post-proxy-detail-%Y%m%d
    #   detailperm = 0600
    # }
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    $INCLUDE ${confdir}/sql.conf
    radutmp {
        filename = ${logdir}/radutmp
        username = %{User-Name}
        case_sensitive = yes
        check_with_nas = yes
        perm = 0600
        callerid = "yes"
    }
    radutmp sradutmp {
        filename = ${logdir}/sradutmp
        perm = 0644
        callerid = "no"
    }
    attr_filter {
        attrsfile = ${confdir}/attrs
    }
    counter daily {
        filename = ${raddbdir}/db.daily
        key = User-Name
        count-attribute = Acct-Session-Time
        reset = daily
        counter-name = Daily-Session-Time
        check-name = Max-Daily-Session
        allowed-servicetype = Framed-User
        cache-size = 5000
    }
    always fail {
        rcode = fail
    }
    always reject {
        rcode = reject
    }
    always ok {
        rcode = ok
        simulcount = 0
        mpp = no
    }
    expr {
    }
    digest {
    }
    exec {
        wait = yes
        input_pairs = request
    }
    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }
    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

instantiate {
    exec
    expr
}

authorize {
    preprocess
    # auth_log
    # attr_filter
    chap
    mschap
    # digest
    # IPASS
    suffix
    ntdomain
    eap
    files
    # sql
    # etc_smbpasswd
    # ldap
    # daily
    # checkval
}

# Authentication.
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type CHAP {
        chap
    }
    Auth-Type MS-CHAP {
        mschap
    }
    # digest
    # pam
    unix
    # Auth-Type LDAP {
    #   ldap
    # }
    eap
}

#
# Pre-accounting. Decide which accounting type to use.
#
preacct {
    preprocess
    acct_unique
    # IPASS
    suffix
    # ntdomain
    files
}

#
# Accounting. Log the accounting data.
#
accounting {
    detail
    # daily
    unix
    radutmp
    # sradutmp
    # main_pool
    # sql
    # pgsql-voip
}

# Session database, used for checking Simultaneous-Use. Either the radutmp
session {
    radutmp
    # sql
}

# Post-Authentication
post-auth {
    # Get an address from the IP Pool.
    # main_pool
    # reply_log
    # sql
    # Post-Auth-Type REJECT {
    #   insert-module-name-here
    # }
}

pre-proxy {
    # attr_rewrite
    # pre_proxy_log
}

post-proxy {
    #
    # post_proxy_log
    # attr_rewrite
    # attr_filter
    eap
}
--------------------snip--------------------------------------------

Here's my users file:

--------------------snip-----------------
# http://www.freeradius.org/rfc/attributes.html

#lameuser   Auth-Type := Reject
#       Reply-Message = "Your account has been disabled."

#DEFAULT    Group == "disabled", Auth-Type := Reject
#       Reply-Message = "Your account has been disabled."

#test   Auth-Type := MS-CHAP, User-Password == "testing"
#       Service-Type = Framed-User,
#       Framed-Protocol = PPP,
#       Framed-IP-Address = 43.191.0.0/16,
#       Framed-IP-Netmask = 255.255.0.0,
#       Framed-Routing = Broadcast-Listen,
#       Framed-Filter-Id = "std.ppp",
#       Framed-MTU = 1500,
#       Framed-Compression = Van-Jacobsen-TCP-IP

#test   Auth-Type = Local, Password = "wrongpw"
#test   User-Password == "testing", MS-CHAP-Use-NTLM-Auth = No
test    User-Password == "testing", MS-Chap-Use-NTLM-Auth := 0

DEFAULT Service-Type == Framed-User
    Framed-IP-Address = 255.255.255.254,
    Framed-MTU = 576,
    Service-Type = Framed-User,
    Fall-Through = Yes

DEFAULT Framed-Protocol == PPP
    Framed-Protocol = PPP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "CSLIP"
    Framed-Protocol = SLIP,
    Framed-Compression = Van-Jacobson-TCP-IP

DEFAULT Hint == "SLIP"
    Framed-Protocol = SLIP

# On no match, the user is denied access.
---------snip---------------------------------

You are truly noble for reading this far. Thanks!

~Brandon

Brandon S. DeYoung
Network Administration Supervisor
Sony Technology Center, San Diego
[hidden email]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
"DeYoung, Brandon" <[hidden email]> wrote:
> I *believe* this snippet from my debug output shows the problem:
>
> ----snip-----
> eaptls_process returned 3
> TLS_accept:error in SSLv3 read client certificate A
> rlm_eap_peap: EAPTLS_SUCCESS
> -----snip------
>
> This would *seem* to indicate a problem with my certificate generation.

No, because it returns success. SSL is looking for a client certificate, and PEAP doesn't need one. SSL is then "helpful", and prints out error messages.

The rest of your debug log shows that the client just stops talking to the server. Odds are they're XP SP2 boxes, where MS broke EAP.

Alan DeKok.
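Reading a radiusd -X trace the way Alan does above takes some practice, so here is a small triage script, added as an example (it is not from the thread or from FreeRADIUS). It walks the trace one Access-Request at a time, treats OpenSSL's "read client certificate" line as noise whenever rlm_eap_peap still reports EAPTLS_HANDLED or EAPTLS_SUCCESS, decodes the client's last EAP-Message (RFC 3748 header plus the PEAP flags byte), and flags any Access-Challenge whose State attribute never comes back in a later request, which is the "client just stops talking" symptom. The embedded sample is constructed from the request 37/38 lines Brandon posted; the Request fields and the verdict strings are this example's own naming.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: requests 37 and 38 from the thread's trace, cut to the lines used here.
SAMPLE_TRACE = """
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=37, length=224
EAP-Message = 0x0203005019800000004616030100410100003d0301430367671bc00064cbb7578abf6c264a8d6dc1249e2654915d4bd8b26395cad200001600040005000a000900640062000300060013001200630100
State = 0xb476e560b219ce685233a2a3dce96543
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_HANDLED
Sending Access-Challenge of id 37 to 43.191.108.31:1645
State = 0x3233e8ac062396376b95baab46ff3932
rad_recv: Access-Request packet from host 43.191.108.31:1645, id=38, length=150
EAP-Message = 0x020400061900
State = 0x3233e8ac062396376b95baab46ff3932
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_peap: EAPTLS_SUCCESS
Sending Access-Challenge of id 38 to 43.191.108.31:1645
EAP-Message = 0x010500061900
State = 0x2a59d5433efbf6567da0c6b9c10eab2e
"""

CERT_NOISE = "error in SSLv3 read client certificate A"
PROGRESS = {"EAPTLS_HANDLED", "EAPTLS_SUCCESS"}  # outer TLS is still advancing
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host \S+ id=(\d+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id \d+")
EAP_RE = re.compile(r"^EAP-Message = (0x[0-9a-f]+)")
STATE_RE = re.compile(r"^State = (0x[0-9a-f]+)")
PEAP_RE = re.compile(r"^rlm_eap_peap: (EAPTLS_\w+)")

@dataclass
class Request:
    packet_id: int
    eap_in: str = ""          # first EAP-Message in the Access-Request
    state_in: str = ""        # State the NAS echoed back from our last reply
    cert_noise: bool = False  # OpenSSL asked for a client certificate
    peap_status: str = ""     # last "rlm_eap_peap: EAPTLS_*" line
    reply: str = ""           # Access-Challenge / Access-Accept / Access-Reject
    state_out: str = ""       # State attached to our reply

def parse_trace(text: str) -> List[Request]:
    reqs: List[Request] = []
    cur: Optional[Request] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := RECV_RE.match(line)):
            cur = Request(int(m.group(1)))
            reqs.append(cur)
        elif cur is None:
            continue                      # module/config dump before packet 0
        elif CERT_NOISE in line:
            cur.cert_noise = True
        elif (m := SEND_RE.match(line)):
            cur.reply = m.group(1)
        elif (m := PEAP_RE.match(line)):
            cur.peap_status = m.group(1)
        elif (m := EAP_RE.match(line)) and not cur.reply and not cur.eap_in:
            cur.eap_in = m.group(1)
        elif (m := STATE_RE.match(line)):
            if cur.reply:
                cur.state_out = m.group(1)
            else:
                cur.state_in = m.group(1)
    return reqs

def eap_summary(hexstr: str) -> str:
    """Decode the EAP header (RFC 3748) and, for PEAP (type 25), the flags byte."""
    b = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = b[0], b[1], int.from_bytes(b[2:4], "big")
    desc = f"EAP {EAP_CODES.get(code, code)} id={ident} len={length}"
    if code not in (1, 2) or length < 6 or b[4] != 25:
        return desc
    flags = b[5]
    kind = f"{length - 6} TLS bytes"
    if flags & 0x20:            # S bit: PEAP Start sent by the server
        kind = "Start"
    elif length == 6:           # nothing after the flags: a bare ACK
        kind = "ACK"
    elif flags & 0x80:          # L bit: 4-byte total TLS length follows
        kind = f"TLS data, total length {int.from_bytes(b[6:10], 'big')}"
    return f"{desc} type=PEAP flags=0x{flags:02x} {kind}"

def triage(reqs: List[Request]) -> dict:
    # The certificate line is noise while PEAP still reports progress; the real
    # symptom is a challenge nobody answers (a finished auth ends in Accept/Reject).
    benign = [r.packet_id for r in reqs if r.cert_noise and r.peap_status in PROGRESS]
    failed = [r.packet_id for r in reqs if r.cert_noise and r.peap_status not in PROGRESS]
    answered = {r.state_in for r in reqs if r.state_in}
    unanswered = [r.packet_id for r in reqs
                  if r.reply == "Access-Challenge" and r.state_out not in answered]
    verdict = "conversation-complete"
    if failed:
        verdict = "tls-handshake-failed"
    elif unanswered:
        verdict = "client-stopped-responding"
    last = next((r for r in reversed(reqs) if r.eap_in), None)
    return {"verdict": verdict, "benign_cert_noise": benign, "tls_failures": failed,
            "unanswered_challenges": unanswered,
            "last_client_message": eap_summary(last.eap_in) if last else ""}
```

Feed `triage(parse_trace(open("radius-debug.txt").read()))` the saved output of `radiusd -X`; on the sample it reports both certificate lines as benign and challenge 38 as never answered, with the client's last message being a bare PEAP ACK.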
In the statement "Odds are they're XP SP2 boxes, where MS broke EAP", what exactly is broken? Will XP SP2 not work with PEAP?

thanks,
jamie

Jamie Crawford, MCSE RHCT
Network Analyst I
Information Services
Central Missouri State University
Warrensburg, MO 64093
Phone: 6605434357
Email: [hidden email]
"Jamie Crawford" <[hidden email]> wrote:
> In the statement "Odds are they're XP SP2 boxes, where MS broke EAP"
> what exactly is broken? Will XP SP2 not work with PEAP?

It won't. This was discussed on the list last week.

Alan DeKok.
Thanks for the response, Alan.

My clients are WinXP SP2 boxes. I have several hundred of these which had been working fine for the last 6 months...until my server blew up. In fact I had more problems getting this setup to work with SP1 and made it a policy for everyone to put SP2 on before I would configure wireless for them.

Any other thoughts/workarounds?

~Brandon

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Jamie Crawford
Sent: Wednesday, August 17, 2005 12:22 PM
To: [hidden email]; [hidden email]
Subject: Re: SSL Problem???
I managed to fix this. Something was whackinated in my certificate generation process. Followed howto here:
http://www.alphacore.net/contrib/nantes-wireless/eap-tls-HOWTO.html

And all works well, even with XP SP2.

~Brandon

-----Original Message-----
From: DeYoung, Brandon
Sent: Wednesday, August 17, 2005 12:38 PM
To: 'FreeRadius users mailing list'
Subject: RE: SSL Problem???
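Brandon pins the cause on his certificate generation but does not say which step was wrong. The shell function below, added here as an example and not taken from the thread or from any FreeRADIUS script, runs the three checks that catch the common regeneration mistakes on a server certificate before radiusd is restarted with it: that it verifies against the CA the supplicants will be told to trust (a cert signed by a stale CA from an earlier attempt fails here rather than on the client), that it has not expired, and that it carries the serverAuth extended key usage (OID 1.3.6.1.5.5.7.3.1), which Windows supplicants require on a PEAP server certificate. The throwaway CA and server certificate it builds to exercise itself are constructed test material with made-up names, not a production PKI recipe.

```shell
#!/bin/sh
# Added example: sanity-check a regenerated PEAP server certificate before
# pointing rlm_eap_tls at it. Not code from the list thread or from FreeRADIUS.
# Usage: check_peap_server_cert server.pem ca.pem  -> prints "ok" or the first failure

check_peap_server_cert() {
    cert=$1
    ca=$2
    # 1. Chain: the server cert must verify against the CA the clients trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "chain: $cert does not verify against $ca"; return 1; }
    # 2. Validity window: -checkend 0 fails if the cert is already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "expired: $cert"; return 1; }
    # 3. Extended key usage: Windows supplicants expect serverAuth
    #    (OID 1.3.6.1.5.5.7.3.1), which "openssl x509 -text" prints as
    #    "TLS Web Server Authentication".
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -q 'TLS Web Server Authentication' \
        || { echo "missing serverAuth EKU: $cert"; return 1; }
    echo ok
}

# Build a throwaway CA plus a server cert signed by it, to try the check out.
# Constructed test material: names are made up, keys are short-lived.
make_demo_pki() {
    dir=$1
    printf 'extendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    # Self-signed CA ("openssl req -x509" marks it CA:TRUE by default).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -subj '/CN=Demo CA' >/dev/null 2>&1
    # Server CSR, then sign it with the CA and add the serverAuth EKU.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj '/CN=radius.example' >/dev/null 2>&1
    openssl x509 -req -days 2 -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/server.ext" -out "$dir/server.pem" >/dev/null 2>&1
}

# Stand-alone run: check a real pair given as $1 $2, else build and check the demo PKI.
if [ -n "${1:-}" ]; then
    check_peap_server_cert "$1" "$2"
else
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "server cert: $(check_peap_server_cert "$d/server.pem" "$d/ca.pem")"
    echo "CA cert used as server cert: $(check_peap_server_cert "$d/ca.pem" "$d/ca.pem")"
    rm -rf "$d"
fi
```

The second demo line shows what a certificate without the EKU looks like to the check: the CA cert verifies against itself and is in date, but it is rejected for lacking serverAuth, which is the kind of defect a supplicant reports only as a silent or failed handshake.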