XP won't authenticate with EAP TLS - log shows unknown_ca fatal error


Landon Cox
Problem statement:
XP won't authenticate with EAP TLS, and the FreeRADIUS debug log (appended) shows an unknown_ca fatal error.

Background:
I've been following the instructions outlined in the 3-part Linux Journal series starting at:

http://www.linuxjournal.com/article/8017
"Paranoid Penguin - Securing WLANs with WPA and FreeRADIUS, Part I"

I chose to start with this article as it was one of the most recent tutorials I could find on the topic of FreeRADIUS and EAP TLS.

I'm running:
     SuSE 9.2 Pro
     FreeRADIUS version 1.0.0 Oct 5, 2004, 00:13:22 (installed from SuSE Yast and distro DVD)
     OpenSSL 0.9.7d 17 Mar 2004

I've read everything I can find on unknown_ca but cannot find any solutions, and the Linux Journal article, while good, doesn't do much to help when something goes wrong. I've made it quite a ways into this install and think I'm close, but I just do not know where to go next or what to try.

One question I have on the Linux Journal article: at the point of using openssl to convert the client cert to pkcs12 format, it says "You are prompted for client_key.pem's passphrase and then for a new passphrase for the new file; you can use the same password as before if you like. You may be tempted to press Enter instead, especially given that the WPA supplicant in Windows XP works only when you store its certificates without a passphrase..." I've tried generating the client p12 file both ways and reimporting it into XP's Personal Certificates to no avail. Is that pkcs12 passphrase assertion still true for the XP supplicant? Either way, with or without, I can't get this to work, so that must not be the issue.

I have also tried un-checking "Validate Server Certificate" in the 802.1x settings of XP for that Access Point. I get the same error, so the error seems to indicate an issue with not being able to deal with the client side cert?

I've imported both the cacert.pem into my Trusted Root Certs in XP and the client_cert.p12 into "Personal->Certificates". There were no steps indicating I needed to import the server cert on the XP side (which doesn't make sense anyway; just noting that here for diagnostic purposes).

Any help towards solving this issue would be very much appreciated.

Now for the debug log:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
Config:   including file: /etc/raddb/sql.conf
  main: prefix = "/usr"
  main: localstatedir = "/var"
  main: logdir = "/var/log/radius"
  main: libdir = "/usr/lib/freeradius"
  main: radacctdir = "/var/log/radius/radacct"
  main: hostname_lookups = no
  main: max_request_time = 30
  main: cleanup_delay = 5
  main: max_requests = 1024
  main: delete_blocked_requests = 0
  main: port = 0
  main: allow_core_dumps = no
  main: log_stripped_names = no
  main: log_file = "/var/log/radius/radius.log"
  main: log_auth = no
  main: log_auth_badpass = no
  main: log_auth_goodpass = no
  main: pidfile = "/var/run/radiusd/radiusd.pid"
  main: user = "radiusd"
  main: group = "radiusd"
  main: usercollide = no
  main: lower_user = "no"
  main: lower_pass = "no"
  main: nospace_user = "no"
  main: nospace_pass = "no"
  main: checkrad = "/usr/sbin/checkrad"
  main: proxy_requests = yes
  proxy: retry_delay = 5
  proxy: retry_count = 3
  proxy: synchronous = no
  proxy: default_fallback = yes
  proxy: dead_time = 120
  proxy: post_proxy_authorize = yes
  proxy: wake_all_if_all_dead = no
  security: max_attributes = 200
  security: reject_delay = 1
  security: status_server = no
  main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
  exec: wait = yes
  exec: program = "(null)"
  exec: input_pairs = "request"
  exec: output_pairs = "(null)"
  exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
  pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
  mschap: use_mppe = yes
  mschap: require_encryption = no
  mschap: require_strong = no
  mschap: with_ntdomain_hack = no
  mschap: passwd = "(null)"
  mschap: authtype = "MS-CHAP"
  mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
  unix: cache = no
  unix: passwd = "(null)"
  unix: shadow = "(null)"
  unix: group = "(null)"
  unix: radwtmp = "/var/log/radius/radwtmp"
  unix: usegroup = no
  unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
  eap: default_eap_type = "tls"
  eap: timer_expire = 60
  eap: ignore_unknown_eap_types = no
  eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
  gtc: challenge = "Password: "
  gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
  tls: rsa_key_exchange = no
  tls: dh_key_exchange = yes
  tls: rsa_key_length = 512
  tls: dh_key_length = 512
  tls: verify_depth = 0
  tls: CA_path = "(null)"
  tls: pem_file_type = yes
  tls: private_key_file = "/etc/raddb/certs/server_key.pem"
  tls: certificate_file = "/etc/raddb/certs/server_cert.pem"
  tls: CA_file = "/etc/raddb/certs/cacert.pem"
  tls: private_key_password = "capasswd"
  tls: dh_file = "/etc/raddb/certs/dh"
  tls: random_file = "/etc/raddb/certs/random"
  tls: fragment_size = 1024
  tls: include_length = yes
  tls: check_crl = no
  tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
  mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
  preprocess: huntgroups = "/etc/raddb/huntgroups"
  preprocess: hints = "/etc/raddb/hints"
  preprocess: with_ascend_hack = no
  preprocess: ascend_channels_per_line = 23
  preprocess: with_ntdomain_hack = no
  preprocess: with_specialix_jetstream_hack = no
  preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
  realm: format = "suffix"
  realm: delimiter = "@"
  realm: ignore_default = no
  realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
  files: usersfile = "/etc/raddb/users"
  files: acctusersfile = "/etc/raddb/acct_users"
  files: preproxy_usersfile = "/etc/raddb/preproxy_users"
  files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
  acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
  detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
  detail: detailperm = 384
  detail: dirperm = 493
  detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
  radutmp: filename = "/var/log/radius/radutmp"
  radutmp: username = "%{User-Name}"
  radutmp: case_sensitive = yes
  radutmp: check_with_nas = yes
  radutmp: perm = 384
  radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=165, length=167
     Message-Authenticator = 0x70dbfbdbb80a0132ab36ea91639115a7
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x0200000a01333630564c
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
   modcall[authorize]: module "preprocess" returns ok for request 0
   modcall[authorize]: module "chap" returns noop for request 0
   modcall[authorize]: module "mschap" returns noop for request 0
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 0
   rlm_eap: EAP packet type response id 0 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 0
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 165 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010100060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xeb75fcb695cff41098dcdde96721a715
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=166, length=255
     Message-Authenticator = 0x1a26f3a01ff1ea192ae8660258ff07a3
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0xeb75fcb695cff41098dcdde96721a715
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020100500d800000004616030100410100003d030142f390d929fcbdc42804368a39fea1de8e5033352c8556ede0a5f441cfb7492300001600040005000a000900640062000300060013001200630100
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
   modcall[authorize]: module "preprocess" returns ok for request 1
   modcall[authorize]: module "chap" returns noop for request 1
   modcall[authorize]: module "mschap" returns noop for request 1
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 1
   rlm_eap: EAP packet type response id 1 length 80
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 1
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     (other): before/accept initialization
     TLS_accept: before/accept initialization
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
     TLS_accept: SSLv3 read client hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
     TLS_accept: SSLv3 write server hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 062b], Certificate
     TLS_accept: SSLv3 write certificate A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest
     TLS_accept: SSLv3 write certificate request A
     TLS_accept: SSLv3 flush data
     TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 166 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = [TLS handshake fragments, hex omitted]
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xc5258593a428dfd0124288d31ba9eb20
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=167, length=181
     Message-Authenticator = 0x7a06c1de0bcf813186df0d4425d9f50e
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0xc5258593a428dfd0124288d31ba9eb20
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020200060d00
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
   modcall[authorize]: module "preprocess" returns ok for request 2
   modcall[authorize]: module "chap" returns noop for request 2
   modcall[authorize]: module "mschap" returns noop for request 2
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 2
   rlm_eap: EAP packet type response id 2 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 2
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 167 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = [TLS handshake fragments, hex omitted]
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xd3a7a2876fe028447b05a62c6f56ea76
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=168, length=1190
     Message-Authenticator = 0x0a1661fc6d58ef65de8bf05f6a442100
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0xd3a7a2876fe028447b05a62c6f56ea76
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = [TLS handshake fragments, hex omitted]
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
   modcall[authorize]: module "preprocess" returns ok for request 3
   modcall[authorize]: module "chap" returns noop for request 3
   modcall[authorize]: module "mschap" returns noop for request 3
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 3
   rlm_eap: EAP packet type response id 3 length 253
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 3
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
--> verify error:num=18:self signed certificate
chain-depth=0,
error=18
--> User-Name = 360VL
--> BUF-Name = 360VL
--> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
--> issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
--> verify return:0
   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
     TLS_accept:error in SSLv3 read client certificate B
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 168 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010400110d800000000715030100020230
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x107dc1452fdb7d1314512bc4d7d9b173
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=169, length=181
     Message-Authenticator = 0x4fe8511906befacbdea9b16b43158663
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0x107dc1452fdb7d1314512bc4d7d9b173
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020400060d00
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
   modcall[authorize]: module "preprocess" returns ok for request 4
   modcall[authorize]: module "chap" returns noop for request 4
   modcall[authorize]: module "mschap" returns noop for request 4
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 4
   rlm_eap: EAP packet type response id 4 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 4
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack alert
   eaptls_verify returned 4
   eaptls_process returned 4
  rlm_eap: Handler failed in EAP/tls
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module "eap" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Delaying request 4 for 1 seconds
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=169, length=181
Sending Access-Reject of id 169 to 192.168.5.59:1075
     EAP-Message = 0x04040004
     Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=170, length=167
     Message-Authenticator = 0x8071ba7139288a5d4eaf417b07e8488a
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x0200000a01333630564c
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
   modcall[authorize]: module "preprocess" returns ok for request 5
   modcall[authorize]: module "chap" returns noop for request 5
   modcall[authorize]: module "mschap" returns noop for request 5
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 5
   rlm_eap: EAP packet type response id 0 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 5
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 170 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010100060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x0b76a7305f1a54c116e95a56da193528
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=171, length=167
     Message-Authenticator = 0x536ad3d398545cb133dd088d08575af0
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x0202000a01333630564c
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
   modcall[authorize]: module "preprocess" returns ok for request 6
   modcall[authorize]: module "chap" returns noop for request 6
   modcall[authorize]: module "mschap" returns noop for request 6
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 6
   rlm_eap: EAP packet type response id 2 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 6
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 6
modcall: group authorize returns updated for request 6
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 6
modcall: group authenticate returns handled for request 6
Sending Access-Challenge of id 171 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010300060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x0a7243677871b927d0cd5d13a0eb4166
Finished request 6
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=172, length=255
     Message-Authenticator = 0xbbc4d103a1ea7017be31b1f93cc303b7
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0x0a7243677871b927d0cd5d13a0eb4166
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message =  
0x020300500d800000004616030100410100003d030142f390db8a634fbe9ea8d2cb1a86
cc43d9d6cc7be556720178af5cbbf49af4b400001600040005000a000900640062000300
060013001200630100
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
   modcall[authorize]: module "preprocess" returns ok for request 7
   modcall[authorize]: module "chap" returns noop for request 7
   modcall[authorize]: module "mschap" returns noop for request 7
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 7
   rlm_eap: EAP packet type response id 3 length 80
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 7
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 7
modcall: group authorize returns updated for request 7
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     (other): before/accept initialization
     TLS_accept: before/accept initialization
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
     TLS_accept: SSLv3 read client hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
     TLS_accept: SSLv3 write server hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 062b], Certificate
     TLS_accept: SSLv3 write certificate A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest
     TLS_accept: SSLv3 write certificate request A
     TLS_accept: SSLv3 flush data
     TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 7
modcall: group authenticate returns handled for request 7
Sending Access-Challenge of id 172 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message =  
0x0104040a0dc00000071d160301004a02000046030142f3909a4e2851d1e4bd63c58a11
4fb87326da069a327e9ce84767108513edfd206424e4a88c3433368a8e62962cf0f4dca7
507a95f1d61e0c052687dbd817b4cb000400160301062b0b0006270006240002ac308202
a830820211a003020102020101300d06092a864886f70d0101040500308187310b300906
03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407
1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049
6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648
86f7
     EAP-Message =  
0x0d010901160e696e666f40333630766c2e636f6d301e170d3035303830353135313034
305a170d3036303830353135313034305a308192310b3009060355040613025553311130
0f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f20
537072696e6773311b3019060355040a1312333630564c20496e636f72706f7261746564
3119301706035504031310636f707065722e333630766c2e636f6d311d301b06092a8648
86f70d010901160e696e666f40333630766c2e636f6d30819f300d06092a864886f70d01
0101050003818d0030818902818100b2a8e575361b42490538c4ed2247ad4df5abc181da
c9ed
     EAP-Message =  
0x95d835a509bf155163928ba6119defdbfab08ee7a195f6d7dc261d1ff95994f8cca744
57327260e5814422485945ee4714ecb35820520be84ff4620497cd4daa6bbe6780b07b73
ea7452db5a55684b2c13d40d0e2add84c7979c056f2a17fe1b96fb3afd85f6bddfc50203
010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886
f70d0101040500038181001ac5a999fdb7bb40a77a34ecff459e4bbed2583cc0cca87080
566061428bb88ad090c7db85db96c07dc195a512bdae84849c112036af44b9320e8c0c91
35a6f502731fe2507dbf3a337317f739c70a561f3c7d9504293301a6b321574d22509f69
6948
     EAP-Message =  
0xe479ed655c56041259d23a0713e28a6206517e4e10349839d5dfee6a56000372308203
6e308202d7a003020102020100300d06092a864886f70d0101040500308187310b300906
03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407
1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049
6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648
86f70d010901160e696e666f40333630766c2e636f6d301e170d30353038303531353036
32355a170d3036303830353135303632355a308187310b30090603550406130255533111
300f
     EAP-Message = 0x06035504081308436f6c6f7261646f31193017060355
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xc2b080bfcb34d8cbd3fbbb69d15050d3
Finished request 7
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=173, length=181
     Message-Authenticator = 0x7f76805cf32b6ca33cfdf4e43a6667f5
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0xc2b080bfcb34d8cbd3fbbb69d15050d3
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020400060d00
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
   modcall[authorize]: module "preprocess" returns ok for request 8
   modcall[authorize]: module "chap" returns noop for request 8
   modcall[authorize]: module "mschap" returns noop for request 8
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 8
   rlm_eap: EAP packet type response id 4 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 8
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 8
modcall: group authenticate returns handled for request 8
Sending Access-Challenge of id 173 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message =  
0x010503270d800000071d04071310436f6c6f7261646f20537072696e6773311b301906
0355040a1312333630564c20496e636f72706f7261746564310e300c0603550403130533
3630564c311d301b06092a864886f70d010901160e696e666f40333630766c2e636f6d30
819f300d06092a864886f70d010101050003818d0030818902818100c1e36a58cf62e3ae
df95552d32ec708012aded9061932aee060840cae5a20c8fa8ea72ba1f21253454a79c27
799f309812d703e7bcf414044dfc3b8ea2702c0cb9a912a15e110962d8c5229ea6e7404e
c1b28bb85f69c93f503dc4195926e8f0f621aacb7337fd8da8af009e6d5896647af6c198
5955
     EAP-Message =  
0x1e5ce9db7367fd90c8870203010001a381e73081e4301d0603551d0e04160414ca07e0
025ebeb3f17c26b027e597f97cfc5777493081b40603551d230481ac3081a98014ca07e0
025ebeb3f17c26b027e597f97cfc577749a1818da4818a308187310b3009060355040613
0255533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c
6f7261646f20537072696e6773311b3019060355040a1312333630564c20496e636f7270
6f7261746564310e300c06035504031305333630564c311d301b06092a864886f70d0109
01160e696e666f40333630766c2e636f6d820100300c0603551d13040530030101ff300d
0609
     EAP-Message =  
0x2a864886f70d01010405000381810053b790c3ef4f488e5b3c018545d4d2b91ab028c4
7c547ecbdff6a152f80b52c4f6fbc3d074779ed87fb047a844bc473d6c417048b74409df
5727543b8da49cef8c651ac4598c27ce116d58c5fa0337e44e1b81c2a72935f2e2e13a8b
8ebbcc883c9135de3a11e8798abe9fb7828028d0c2ab4542e13ff7c629214fed18f086f5
16030100990d000091020102008c008a308187310b30090603550406130255533111300f
06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f2053
7072696e6773311b3019060355040a1312333630564c20496e636f72706f726174656431
0e30
     EAP-Message =  
0x0c06035504031305333630564c311d301b06092a864886f70d010901160e696e666f40
333630766c2e636f6d0e000000
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x46be83586ea1540428f18bc0d43999e2
Finished request 8
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=174, length=1190
     Message-Authenticator = 0x3ea36373b58083333020105f98fcc6f9
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0x46be83586ea1540428f18bc0d43999e2
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message =  
0x020503f10d80000003e716030103b70b0002a70002a40002a13082029d30820206a003
020102020102300d06092a864886f70d0101040500308187310b30090603550406130255
533111300f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f72
61646f20537072696e6773311b3019060355040a1312333630564c20496e636f72706f72
61746564310e300c06035504031305333630564c311d301b06092a864886f70d01090116
0e696e666f40333630766c2e636f6d301e170d3035303830353135313335335a170d3036
303830353135313335335a308187310b30090603550406130255533111300f0603550408
1308
     EAP-Message =  
0x436f6c6f7261646f3119301706035504071310436f6c6f7261646f20537072696e6773
311b3019060355040a1312333630564c20496e636f72706f7261746564310e300c060355
04031305333630564c311d301b06092a864886f70d010901160e696e666f40333630766c
2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ccbbdc
b09846dcd91ca4d52b83d090144dd17379a121e0dfe4333eac31e4ecab9ddc5c161f372a
c3d29dd07620ab1ef80302682a2e74a9715690651458d601326a99eccb3c8f07bd7db896
d5797a559e1480a2691afd76ae30f91b952705e315fc1c4a6072b442aa78f05946338ef8
5b9c
     EAP-Message =  
0xf9dde843c5bc1ece843f1414d4444d0203010001a317301530130603551d25040c300a
06082b06010505070302300d06092a864886f70d010104050003818100763976dd9a2f05
81394d8cf9680bc788e97e06a77759d79cb50f4b1d06dcad24112081efbfeb6850e8131a
60e4a7406708d93005ab50cc5448c1caa94ff090f42645f0e0dd0bdb85742f8c804fed33
2f48d68f5ebb4f327a4ecd1452b6032eb6f657d2867659380235bab98316528ec20b9855
5d5bdf93d8c594ef593b3f819110000082008017b86f4025160fcf01c703fc64ae1cc08b
cc734196507bddff87d6cfe97ae57f284a98976ab69f278c20d9e29eb37dca36c06b2ffb
eca3
     EAP-Message =  
0x8fa19bb0e069266e74d2fd52e4c784892cf6eed652723b7b1800acfc0f79d324f13b5c
ea2819b4c710a126b5182cf510b36901e8175571a25908b4432f580dafbf5f344f1dacdc
d03f0f000082008022b85e222f7e51d8ab7064bb66fdcfaa4e5e19533975f958ce4232d2
2923fb753b05d8a631506848aefd3a4ad6cf1425935cf0b8ac3054b608c394b1d35a0646
eafc858c495206d9cb277a3129aff3bab030f860e4387e235b2e5c53219c5e86c5f3eee1
1ad88feea95fdb327a920ed287142a9c19d1807ae88af91c7e93e2ab1403010001011603
010020d30f49c2ee685496c0b673f3c30ace4e9d068b37f57937dee17f73cc7aee525e
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
   modcall[authorize]: module "preprocess" returns ok for request 9
   modcall[authorize]: module "chap" returns noop for request 9
   modcall[authorize]: module "mschap" returns noop for request 9
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 9
   rlm_eap: EAP packet type response id 5 length 253
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 9
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns updated for request 9
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
--> verify error:num=18:self signed certificate
chain-depth=0,
error=18
--> User-Name = 360VL
--> BUF-Name = 360VL
--> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
--> issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
--> verify return:0
   rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
     TLS_accept:error in SSLv3 read client certificate B
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 9
modcall: group authenticate returns handled for request 9
Sending Access-Challenge of id 174 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010600110d800000000715030100020230
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfc76e05422193720d431a9e96db434ad
Finished request 9
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=175, length=181
     Message-Authenticator = 0x3cb38e214ac8af13cae93335934db928
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0xfc76e05422193720d431a9e96db434ad
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020600060d00
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 10
   modcall[authorize]: module "preprocess" returns ok for request 10
   modcall[authorize]: module "chap" returns noop for request 10
   modcall[authorize]: module "mschap" returns noop for request 10
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 10
   rlm_eap: EAP packet type response id 6 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 10
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 10
modcall: group authorize returns updated for request 10
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 10
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack alert
   eaptls_verify returned 4
   eaptls_process returned 4
  rlm_eap: Handler failed in EAP/tls
   rlm_eap: Failed in EAP select
   modcall[authenticate]: module "eap" returns invalid for request 10
modcall: group authenticate returns invalid for request 10
auth: Failed to validate the user.
Delaying request 10 for 1 seconds
Finished request 10
Going to the next request
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=175, length=181
Sending Access-Reject of id 175 to 192.168.5.59:1075
     EAP-Message = 0x04060004
     Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=176, length=167
     Message-Authenticator = 0xed8dfb1d74dd2d45a5aa491086fc34d7
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x0200000a01333630564c
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 11
   modcall[authorize]: module "preprocess" returns ok for request 11
   modcall[authorize]: module "chap" returns noop for request 11
   modcall[authorize]: module "mschap" returns noop for request 11
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 11
   rlm_eap: EAP packet type response id 0 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 11
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 11
modcall: group authorize returns updated for request 11
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 11
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 11
modcall: group authenticate returns handled for request 11
Sending Access-Challenge of id 176 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010100060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x477c55c8220b91dbaaf48dec55693784
Finished request 11
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=177, length=167
     Message-Authenticator = 0xf2ffc7d2b55b48a295ea98c02dd2beba
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x0202000a01333630564c
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 12
   modcall[authorize]: module "preprocess" returns ok for request 12
   modcall[authorize]: module "chap" returns noop for request 12
   modcall[authorize]: module "mschap" returns noop for request 12
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 12
   rlm_eap: EAP packet type response id 2 length 10
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 12
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 12
modcall: group authorize returns updated for request 12
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 12
   rlm_eap: EAP Identity
   rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
   rlm_eap_tls: Initiate
   rlm_eap_tls: Start returned 1
   modcall[authenticate]: module "eap" returns handled for request 12
modcall: group authenticate returns handled for request 12
Sending Access-Challenge of id 177 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message = 0x010300060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x5132de59d6e9fa7406d5a3a7fd916460
Finished request 12
Going to the next request
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=178, length=255
     Message-Authenticator = 0x1dd14c9ef65e83a0230f1870c2339f1d
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0x5132de59d6e9fa7406d5a3a7fd916460
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message =  
0x020300500d800000004616030100410100003d030142f390ddb61a462925787781e43b
633cd37484dcbb2f065295ea83ef3f32d69d00001600040005000a000900640062000300
060013001200630100
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 13
   modcall[authorize]: module "preprocess" returns ok for request 13
   modcall[authorize]: module "chap" returns noop for request 13
   modcall[authorize]: module "mschap" returns noop for request 13
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 13
   rlm_eap: EAP packet type response id 3 length 80
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 13
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 13
modcall: group authorize returns updated for request 13
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 13
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
   eaptls_verify returned 11
     (other): before/accept initialization
     TLS_accept: before/accept initialization
   rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
     TLS_accept: SSLv3 read client hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
     TLS_accept: SSLv3 write server hello A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 062b], Certificate
     TLS_accept: SSLv3 write certificate A
   rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest
     TLS_accept: SSLv3 write certificate request A
     TLS_accept: SSLv3 flush data
     TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 13
modcall: group authenticate returns handled for request 13
Sending Access-Challenge of id 178 to 192.168.5.59:1075
     Framed-IP-Address = 255.255.255.254
     Framed-MTU = 576
     Service-Type = Framed-User
     EAP-Message =  
0x0104040a0dc00000071d160301004a02000046030142f3909c147f72795543365b423d
357307980b8bfeadf7b73a6872c7d925d1b220dd77b106135ce0d8f7882941c54cfa5c9a
db0969ab8fac2df1d21b212c9ef0ad000400160301062b0b0006270006240002ac308202
a830820211a003020102020101300d06092a864886f70d0101040500308187310b300906
03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407
1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049
6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648
86f7
     EAP-Message =  
0x0d010901160e696e666f40333630766c2e636f6d301e170d3035303830353135313034
305a170d3036303830353135313034305a308192310b3009060355040613025553311130
0f06035504081308436f6c6f7261646f3119301706035504071310436f6c6f7261646f20
537072696e6773311b3019060355040a1312333630564c20496e636f72706f7261746564
3119301706035504031310636f707065722e333630766c2e636f6d311d301b06092a8648
86f70d010901160e696e666f40333630766c2e636f6d30819f300d06092a864886f70d01
0101050003818d0030818902818100b2a8e575361b42490538c4ed2247ad4df5abc181da
c9ed
     EAP-Message =  
0x95d835a509bf155163928ba6119defdbfab08ee7a195f6d7dc261d1ff95994f8cca744
57327260e5814422485945ee4714ecb35820520be84ff4620497cd4daa6bbe6780b07b73
ea7452db5a55684b2c13d40d0e2add84c7979c056f2a17fe1b96fb3afd85f6bddfc50203
010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886
f70d0101040500038181001ac5a999fdb7bb40a77a34ecff459e4bbed2583cc0cca87080
566061428bb88ad090c7db85db96c07dc195a512bdae84849c112036af44b9320e8c0c91
35a6f502731fe2507dbf3a337317f739c70a561f3c7d9504293301a6b321574d22509f69
6948
     EAP-Message =  
0xe479ed655c56041259d23a0713e28a6206517e4e10349839d5dfee6a56000372308203
6e308202d7a003020102020100300d06092a864886f70d0101040500308187310b300906
03550406130255533111300f06035504081308436f6c6f7261646f311930170603550407
1310436f6c6f7261646f20537072696e6773311b3019060355040a1312333630564c2049
6e636f72706f7261746564310e300c06035504031305333630564c311d301b06092a8648
86f70d010901160e696e666f40333630766c2e636f6d301e170d30353038303531353036
32355a170d3036303830353135303632355a308187310b30090603550406130255533111
300f
     EAP-Message = 0x06035504081308436f6c6f7261646f31193017060355
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x65e62c501c4cec769c8d45a40faf9a67
Finished request 13
Going to the next request
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 192.168.5.59:1075, id=179, length=181
     Message-Authenticator = 0x4b1d387a1df61d3afeff11b22d27432f
     Service-Type = Framed-User
     User-Name = "360VL"
     Framed-MTU = 1488
     State = 0x65e62c501c4cec769c8d45a40faf9a67
     Called-Station-Id = "000FB57A156E:360VL"
     Calling-Station-Id = "000BCD56E3CB"
     NAS-Identifier = "360VL"
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 54Mbps 802.11g"
     EAP-Message = 0x020400060d00
     NAS-IP-Address = 192.168.5.59
     NAS-Port = 1
     NAS-Port-Id = "STA port # 1"
   Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 14
   modcall[authorize]: module "preprocess" returns ok for request 14
   modcall[authorize]: module "chap" returns noop for request 14
   modcall[authorize]: module "mschap" returns noop for request 14
     rlm_realm: No '@' in User-Name = "360VL", looking up realm NULL
     rlm_realm: No such realm "NULL"
   modcall[authorize]: module "suffix" returns noop for request 14
   rlm_eap: EAP packet type response id 4 length 6
   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
   modcall[authorize]: module "eap" returns updated for request 14
     users: Matched DEFAULT at 156
     users: Matched DEFAULT at 175
   modcall[authorize]: module "files" returns ok for request 14
modcall: group authorize returns updated for request 14
   rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
   Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 14
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/tls
   rlm_eap: processing type tls
   rlm_eap_tls: Authenticate
   rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
   rlm_eap_tls: ack handshake fragment handler
   eaptls_verify returned 1
   eaptls_process returned 13
   modcall[authenticate]: module "eap" returns handled for request 14
modcall: group authenticate returns handled
Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Michael Wang-7
Hi Landon,

I think this piece from the log is suspicious:

> rlm_eap_tls:  Length Included
>  eaptls_verify returned 11
>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
> --> verify error:num=18:self signed certificate
> chain-depth=0,
> error=18
> --> User-Name = 360VL
> --> BUF-Name = 360VL
> --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
> --> issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL Incorporated/CN=360VL/emailAddress=emailwithheld
> --> verify return:0
>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
>   TLS_accept:error in SSLv3 read client certificate B
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.

I think the problem is the user certificate that you imported into XP
is "self-signed".  What you need to do is use openssl to create a
certificate request (using openssl req ...) and then sign that request
using the CA (using openssl ca).  Then package up the user key and
signed user cert into the pkcs#12 envelope (using openssl pkcs12).
Finally import into XP.  I looked at the instructions for certificate
generation in the linux format article and they look OK.  Make sure
you did not miss a step or use the wrong command somewhere.

As to using a password for the pkcs#12 envelope, go ahead and use it.
When you import the pkcs#12 file into XP, it will just ask for it, and
you enter it, and that should be it.

Hope that helps.

Michael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
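The certificate steps Michael describes, as an added worked example (this is not code from the thread, from the Linux Journal article or from FreeRADIUS). It runs the check that rlm_eap_tls hands to OpenSSL, verifying the presented client certificate against the CA, for three client certificates: one created with `openssl req -x509` (the self-signed mistake Michael suspects); one signed by the CA but given the CA's own DN and no key identifier extensions, which is what the subject/issuer lines in the log show (the client certificate in the log carries only extendedKeyUsage=clientAuth, and when a certificate has no authorityKeyIdentifier OpenSSL decides "self-signed" by comparing subject and issuer names, so it is rejected with error 18 even though the CA signed it); and one issued to a distinct CN, which it then packages with the CA certificate into a passphrase-protected PKCS#12 bundle. The DNs, file names and passphrase are made up for the demo, and it signs with `openssl x509 -req -CA` instead of `openssl ca` so no CA index/serial database is needed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeRADIUS: build the EAP-TLS
# certificates the way the reply describes (CA, CSR, CA-signed cert, PKCS#12)
# and run the verification rlm_eap_tls applies to a presented client cert.
# All DNs, file names and the passphrase are made up for the demo.
set -eu

WORK=${WORK:-$(mktemp -d)}
PASS=${PASS:-demo-p12-passphrase}          # PKCS#12 export passphrase (constructed)
CA_DN="/C=US/ST=Colorado/O=Example Inc/CN=Example Inc CA"

# Client extensions: only extendedKeyUsage, like the client cert in the log.
# OpenSSL 3 adds SKID/AKID by default; "none" switches that off so the cert
# has no authorityKeyIdentifier (earlier OpenSSL adds none unless asked).
write_client_ext() {
    {
        echo "[ client_ext ]"
        echo "extendedKeyUsage = clientAuth"
        case "$(openssl version)" in
            "OpenSSL "[3-9]*)
                echo "subjectKeyIdentifier = none"
                echo "authorityKeyIdentifier = none" ;;
        esac
    } > "$WORK/client_ext.cnf"
}

# Self-signed CA with the CA extensions a trust anchor needs.
make_ca() {
    printf '[ ca_ext ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n' \
        > "$WORK/ca_ext.cnf"
    openssl req -new -newkey rsa:2048 -nodes -subj "$CA_DN" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 \
        -extfile "$WORK/ca_ext.cnf" -extensions ca_ext -out "$WORK/ca.pem" 2>/dev/null
}

# The correct sequence: "openssl req" for a CSR, then sign it with the CA.
# "openssl x509 -req -CA" signs like "openssl ca" without the index/serial
# database.  $1 = file stem, $2 = subject DN.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$WORK/client_ext.cnf" \
        -extensions client_ext -out "$WORK/$1.pem" 2>/dev/null
}

# The mistake suspected in the reply: "req -x509" makes a self-signed cert,
# with no CSR and no CA signature involved.  $1 = file stem, $2 = subject DN.
make_selfsigned_client() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# What the server does with the presented cert: chain it to the CA.
# Prints "<stem>: ok" or the OpenSSL error; exit status 0 or 1.
verify_client() {
    if out=$(openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1); then
        echo "$1: ok"
    else
        echo "$1: $(echo "$out" | tr '\n' ' ')"
        return 1
    fi
}

# Same diagnostic as the log's "subject =" / "issuer =" lines: exit status 0
# when the two DNs are identical, i.e. the cert is self-issued by name.
self_issued_by_name() {
    s=$(openssl x509 -in "$WORK/$1.pem" -noout -subject)
    i=$(openssl x509 -in "$WORK/$1.pem" -noout -issuer)
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# PKCS#12 for the XP certificate store: key, client cert and CA cert under
# one passphrase.  SHA1/3DES PBE and a SHA1 MAC because XP cannot read the
# AES/PBKDF2/SHA-256 defaults of OpenSSL 3.  Prints the subject read back
# from the bundle as a round-trip check.
export_p12() {
    openssl pkcs12 -export -in "$WORK/$1.pem" -inkey "$WORK/$1.key" \
        -certfile "$WORK/ca.pem" -name "$1" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$PASS" -out "$WORK/$1.p12"
    openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$PASS" -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -subject
}

demo() {
    write_client_ext
    make_ca
    make_selfsigned_client selfsigned "/C=US/O=Example Inc/CN=laptop1"
    issue_client samedn "$CA_DN"            # CA-signed, but carries the CA's own DN
    issue_client laptop1 "/C=US/O=Example Inc/CN=laptop1"
    verify_client selfsigned || true        # rejected: error 18, self signed
    verify_client samedn || true            # rejected the same way, by name alone
    verify_client laptop1                   # ok
    export_p12 laptop1
}

case "${1:-}" in run) demo ;; esac
```

Run it with `sh eaptls-certs.sh run`: the first two verifications fail with OpenSSL's error 18 ("self signed certificate" at depth 0, the same text as in the log), the third passes, and the last line is the subject read back out of the .p12 under the passphrase. The `samedn` case is the one the log actually shows: the subject and issuer printed there are the CA's DN, so giving every certificate its own CN, as the follow-up in this thread reports doing, is what separates it from the `laptop1` case. The PKCS#12 algorithms are pinned because XP only understands the old PBE schemes; an OpenSSL 3 export with default settings imports fine on a current Windows but not on XP.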
Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Landon Cox

Thanks for looking at this, Michael.

I decided to restart the certificate generation process and did it again from scratch following the article. Same results.

I did it a 3rd time, but this time copied the certs to /etc/ssl/certs and ensured all CNs were unique (not being completely up on what is right or wrong w/r to input values for the cert process or what directories the new certs needed to live in, I wanted to make sure that wasn't an issue). So, one of those actions did the trick, and I haven't gone back to isolate which one.

After that I was able to login - authenticated in both directions,  
too.  I did go ahead and do the pkcs export password and that worked  
fine.  I'm not sure what Bauer's comment was referring to in the  
article about XP supplicants only working with non-pw protected certs  
in the store.  Oh well, it's up and working and I'm grateful.

Thank you,

Landon

On Aug 5, 2005, at 4:30 PM, Michael Wang wrote:

> Hi Landon,
>
> I think this piece from the log is suspicious:
>
>
>> rlm_eap_tls:  Length Included
>>  eaptls_verify returned 11
>>  rlm_eap_tls: <<< TLS 1.0 Handshake [length 02ab], Certificate
>> --> verify error:num=18:self signed certificate
>> chain-depth=0,
>> error=18
>> --> User-Name = 360VL
>> --> BUF-Name = 360VL
>> --> subject = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
>> Incorporated/CN=360VL/emailAddress=emailwithheld
>> --> issuer  = /C=US/ST=Colorado/L=Colorado Springs/O=360VL
>> Incorporated/CN=360VL/emailAddress=emailwithheld
>> --> verify return:0
>>  rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
>> TLS Alert write:fatal:unknown CA
>>   TLS_accept:error in SSLv3 read client certificate B
>> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session  
>> fails.
>>
>
> I think the problem is the user certificate that you imported into XP
> is "self-signed".  What you need to do is use openssl to create a
> certificate request (using openssl req ...) and then sign that request
> using the CA (using openssl ca).  Then package up the user key and
> signed user cert into the pkcs#12 envelope (using openssl pkcs12).
> Finally import into XP.  I looked at the instructions for certificate
> generation in the linux format article and they look OK.  Make sure
> you did not miss a step or use the wrong command somewhere.
>
> As to using a password for the pkcs#12 envelope, go ahead and use it.
> When you import the pkcs#12 file into XP, it will just ask for it, and
> you enter it, and that should be it.
>
> Hope that helps.
>
> Michael

Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

A.L.M.Buxey
Hi,

> I chose to start with this article as it was one of the most recent  
> tutorials I could find on the topic of FreeRADIUS and EAP TLS.

strange. the EAP-TLS HOWTO seems quite straightforward. everything
else is a rewrite of this guide.

> if you like.  You may be tempted to press Enter instead, especially  
> given that the WPA supplicant in Windows XP works only when you store  
> its certificates without a passphrase..."  I've tried generating the  

interesting. we've used pass phrases...stops people just copying the
certificate onto any unknown machine.

> client p12 file both ways and reimporting to XP's Personal  
> Certificates to no avail. Is that pkcs12 passphrase assertion still  
> true for XP supplicant?  Either way, with or without, I can't get  
> this to work, so that must not be the issue.

did you use the extra XP SSL additions as per the EAP-TLS HOWTO?

> I have also tried un-checking the "Validate Server Certificate" in  
> the 802.1x settings of XP for that Access Point.  I get the same  
> error, so the error seems to indicate an issue with not being able to  
> deal with the client side cert?
>
> I've imported both the cacert.pem into my Trusted Root Certs in XP  
> and the client_cert.p12 into "Personal->Certificates".   There were  
> no steps indicated I needed to import server cert  on the XP side  
> (which doesn't make sense anyway...just noting here that for  
> diagnostic purposes.)
>
> Any help towards solving this issue would be very much appreciated.
>
> Now for the debug log:
>
> TLS Alert write:fatal:unknown CA
>     TLS_accept:error in SSLv3 read client certificate B

though this seems to suggest that your FreeRADIUS doesn't know
much about this certificate. I'd check the eap.conf file

alan

Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Landon Cox

On Aug 7, 2005, at 7:47 AM, [hidden email] wrote:
>
>> I chose to start with this article as it was one of the most recent
>> tutorials I could find on the topic of FreeRADIUS and EAP TLS.
>>
>
> strange. the EAP-TLS HOWTO seems quite straightforward. everything
> else is a rewrite of this guide.

For me, I appreciated the tutorial approach of Bauer's article vs  
something more scripted because it helped me understand what was  
going on.  I hadn't ever set up CAs and certificates before so  
Bauer's article was better for me, especially Part 1 which laid out  
the WPA landscape.  The EAP-TLS HOWTO was fine, I just didn't get the  
lay of the land as a background that I needed to understand where I  
was headed and why.

>
> interesting. we've used pass phrases...stops people just copying the
> certificate onto any unknown machine.

Indeed it works either way as I found out, so again, not sure what he  
was referring to in the article.

>> client p12 file both ways and reimporting to XP's Personal
>> Certificates to no avail. Is that pkcs12 passphrase assertion still
>> true for XP supplicant?  Either way, with or without, I can't get
>> this to work, so that must not be the issue.
>>
>
> did you use the extra XP SSL additions as per the EAP-TLS HOWTO?

Yes I had the ASN1 xpextensions all along; that was not the problem  
as it turned out.

>
> though this seems to suggest that your FreeRADIUS doesn't know
> much about this certificate. I'd check the eap.conf file

The eap.conf was correct also.

I think the problem was that the certs I generated for CA and server  
weren't in the ssl/certs directory though they were in the raddb/
certs directory.  Other than that, I don't think I did anything  
different between attempts at CA and cert creation when I finally got  
it working.  Definitely didn't change my radiusd.conf, clients.conf  
or eap.conf files between attempts, so it was definitely cert related.

I need to experiment a little more to see where I went wrong the  
first couple attempts, but all the conf files were correct as I  
didn't change them between attempts.

Thanks,

Landon

Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Kris Benson
> I think the problem was that the certs I generated for CA and server
> weren't in the ssl/certs directory though they were in the raddb/
> certs directory.  Other than that, I don't think I did anything
> different between attempts at CA and cert creation when I finally got
> it working.  Definitely didn't change my radiusd.conf, clients.conf
> or eap.conf files between attempts, so it was definitely cert related.
>
> I need to experiment a little more to see where I went wrong the
> first couple attempts, but all the conf files were correct as I
> didn't change them between attempts.


Did you do anything differently with your 'random' file and your 'dh' file?

Creating those properly (as opposed to the idiotic directions of "date >
dh; date > random") seemed to solve my dilemma when I was getting a
similar issue to what you were getting.

-kb
--
Kris Benson, CCP, I.S.P.
Technical Analyst, District Projects
School District #57 (Prince George)


Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Landon Cox

On Aug 8, 2005, at 9:18 AM, Kris Benson wrote:
>
> Did you do anything differently with your 'random' file and your  
> 'dh' file?
>
> Creating those properly (as opposed to the idiotic directions of  
> "date >
> dh; date > random") seemed to solve my dilemma when I was getting a
> similar issue to what you were getting.

Hi Kris,

No, both dh and random stayed as initially generated.  I used the  
Bauer Linux journal article to do that step which used the /dev/
urandom method vs date.

I'm going to do some experiments later tonight and see if I can  
isolate the success factor.

Thanks,

Landon

Re: XP won't authenticate with EAP TLS - log shows unknown_ca fatal error

Landon Cox

On Aug 8, 2005, at 9:39 AM, Landon Cox wrote:
>
> I'm going to do some experiments later tonight and see if I can  
> isolate the success factor.

Back on this topic for a moment...some things I tried to see if I  
could break the configuration were:
     1) Remove the certs from the /etc/ssl/certs directory and restart
FR: no difference, still hooked up fine since the certs are also in
raddb/certs.

I decided to generate a client cert for a Mac box and when I imported  
it into the Keychain of OS X, I noticed "This certificate is not yet  
valid".

I went back and looked at the output of the certificate generation  
and the "validity Not Before" gave a date/time stamp that was 1 hour  
future (my timezone setting was off by one hour.)

But this made me wonder....was the unknown_ca problem caused by the  
CA cert having a "Not Valid Before" validity that was in the future  
from the real time when it was generated and then initially tested?

Is this a possible cause for an unknown_ca error?

Landon
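Two things in this thread are worth checking on the RADIUS host before touching XP at all: Michael's point that the client certificate must be issued by the CA rather than self-signed (the "verify error:num=18:self signed certificate" line in the log), and Landon's later question about a "Not Before" time that sits in the future relative to the verifier's clock. The script below is an added example, not code from the thread or from the FreeRADIUS project. It builds a throwaway CA, a CA-signed client certificate, a self-signed client certificate and a password-protected PKCS#12, then runs the same chain and time checks that the server's TLS verification performs, using `openssl verify` (with `-attime` to simulate a skewed clock). All subject names, file names and the PKCS#12 password are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the CA-signed vs self-signed
# client certificate distinction and the "not yet valid" clock problem, and
# check both with openssl before importing anything into a supplicant.
set -u

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a demo CA, a CA-signed client cert, a self-signed client cert and a p12.
make_demo_certs() {
    # Self-signed CA; stands in for the thread's cacert.pem (constructed).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/O=Demo/CN=Demo CA" \
        -keyout "$WORK/ca_key.pem" -out "$WORK/ca_cert.pem" 2>/dev/null

    # Correct path: client key + certificate request, then sign the request
    # with the CA. The resulting cert's issuer is the CA, not the client.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Demo/CN=client1" \
        -keyout "$WORK/client_key.pem" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/client.csr" \
        -CA "$WORK/ca_cert.pem" -CAkey "$WORK/ca_key.pem" -CAcreateserial \
        -out "$WORK/client_cert.pem" 2>/dev/null

    # The mistake visible in the log: a client cert whose issuer is itself.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/C=US/O=Demo/CN=client-selfsigned" \
        -keyout "$WORK/selfsigned_key.pem" -out "$WORK/selfsigned_cert.pem" 2>/dev/null

    # Package key + cert + CA into a password-protected PKCS#12 for import.
    openssl pkcs12 -export -in "$WORK/client_cert.pem" -inkey "$WORK/client_key.pem" \
        -certfile "$WORK/ca_cert.pem" -passout pass:demo-password \
        -out "$WORK/client_cert.p12"
}

# verify_chain CERT: exit 0 only if CERT chains to the demo CA at the current time.
# A self-signed leaf fails here with error 18, the same code as in the log.
verify_chain() {
    openssl verify -CAfile "$WORK/ca_cert.pem" "$1" >/dev/null 2>&1
}

# verify_chain_at CERT EPOCH: same check, evaluated as if the clock read EPOCH.
# Used to show what a verifier whose clock is behind the cert's notBefore sees.
verify_chain_at() {
    openssl verify -CAfile "$WORK/ca_cert.pem" -attime "$2" "$1" >/dev/null 2>&1
}

# issuer_is_subject CERT: exit 0 if subject and issuer match (self-signed).
issuer_is_subject() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

make_demo_certs

if verify_chain "$WORK/client_cert.pem"; then
    echo "client_cert.pem: chains to the CA"
fi
if ! verify_chain "$WORK/selfsigned_cert.pem"; then
    echo "selfsigned_cert.pem: rejected, issuer is the certificate itself"
fi
# One day before issuance the chain is "not yet valid"; at the current time it is fine.
if ! verify_chain_at "$WORK/client_cert.pem" "$(( $(date +%s) - 86400 ))"; then
    echo "client_cert.pem: rejected when the verifier's clock is a day behind"
fi
```

Running `openssl verify -CAfile cacert.pem client_cert.pem` against the real files before exporting the p12 answers Michael's question directly; running it with `-attime` set to the RADIUS server's actual clock answers Landon's. One caveat for anyone reusing the p12 step with a current toolchain: OpenSSL 3 encrypts the PKCS#12 contents with AES-256-CBC and PBKDF2 by default, which very old importers cannot read; `openssl pkcs12 -export -legacy` selects the older algorithms those importers expect.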