need help setting up WPA2 enterprise

Cheetoz ([H]ard|Gawd), joined Mar 3, 2003, 1,972 messages
I'm doing DD-WRT + FreeRADIUS on a Debian server.

Testing authentication works fine:

Code:
# radtest test test 127.0.0.1:1645 1645 secret
Sending Access-Request of id 82 to 127.0.0.1 port 1645
	User-Name = "test"
	User-Password = "test"
	NAS-IP-Address = 255.255.255.255
	NAS-Port = 1645
rad_recv: Access-Accept packet from host 127.0.0.1:1645, id=82, length=20

But when connecting to it from my MacBook, FreeRADIUS in debug mode shows:
Code:
Listening on authentication *:1645
Listening on accounting *:1646
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=121
	User-Name = "test"
	NAS-IP-Address = 10.0.0.11
	Called-Station-Id = "001217464f3b"
	Calling-Station-Id = "001b630a4039"
	NAS-Identifier = "001217464f3b"
	NAS-Port = 51
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020000090174657374
	Message-Authenticator = 0xebd43a7e4d20a3c9c817860c6c1f20fd
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 0 length 9
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'test'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'test'           ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
	EAP-Message = 0x010100061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x78d2c504ff946ce6e4395659478cabfe
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=242
	User-Name = "test"
	NAS-IP-Address = 10.0.0.11
	Called-Station-Id = "001217464f3b"
	Calling-Station-Id = "001b630a4039"
	NAS-Identifier = "001217464f3b"
	NAS-Port = 51
	Framed-MTU = 1400
	State = 0x78d2c504ff946ce6e4395659478cabfe
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0201007015800000006616030100610100005d03014884ee5302fe3b065929b342007f93bb2d7b4af411103789eadeefa162df23b0000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
	Message-Authenticator = 0x43888d4898fbc8e74366f9e00b49dcf2
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 112
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module "files" returns notfound for request 1
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'test'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 3
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'test'           ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 3
  modcall[authorize]: module "sql" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
    (other): before/accept initialization 
    TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello  
    TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
    TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0550], Certificate  
    TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
    TLS_accept: SSLv3 write server done A 
    TLS_accept: SSLv3 flush data 
    TLS_accept:error in SSLv3 read client certificate A 
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
	EAP-Message = [hex value elided]
	EAP-Message = [hex value elided]
	EAP-Message = 0x84f5865f9b769f5f41c70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038181002b81525557d44a6b74f0ae3feed3ec65b29e704673e588095beeaf0a48923d5d63830158ea2fa56ac6b061ae02511102b712712df8f71ad81417557e24c26ab9144eb684b35eba6576ac587efa00534047e326401768707d03ec60d556c6a3ec1b4a86d1cbd7b985da9e94105ae7ded728dcdf28975b9e9659678459014640330002f6308202f23082025ba0030201020209008ebf92e5f8de1a52300d06092a864886f70d0101050500305a310b3009060355040613025553310b30090603550408
	EAP-Message = [hex value elided]
	EAP-Message = 0xa442f5b35302003977c888cbf4b09e86ab8632b33cfa
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x4357b8a1c358bab38bd4f8e73119035a
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=136
	User-Name = "test"
	NAS-IP-Address = 10.0.0.11
	Called-Station-Id = "001217464f3b"
	Calling-Station-Id = "001b630a4039"
	NAS-Identifier = "001217464f3b"
	NAS-Port = 51
	Framed-MTU = 1400
	State = 0x4357b8a1c358bab38bd4f8e73119035a
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020200061500
	Message-Authenticator = 0xc7ab82cd636b8c3304ac8d8d85f88f68
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
  modcall[authorize]: module "files" returns notfound for request 2
radius_xlat:  'test'
rlm_sql (sql): sql_set_user escaped user --> 'test'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radcheck           WHERE Username = 'test'           ORDER BY id'
rlm_sql (sql): Reserving sql socket id: 2
radius_xlat:  'SELECT radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op  FROM radgroupcheck,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value, op           FROM radreply           WHERE Username = 'test'           ORDER BY id'
radius_xlat:  'SELECT radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op  FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 2
  modcall[authorize]: module "sql" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
	EAP-Message = [hex value elided]
	EAP-Message = 0x392e6e65748209008ebf92e5f8de1a52300c0603551d13040530030101ff300d06092a864886f70d0101050500038181006dbb743aa6d7ecdd8505c2843a00a5d26e9c3d6943d6d59f372e1b67a5bc13aa7abe6ba646618aa64bffc550d096d58e0595a265cc259064379417a69618a21874d2502a5999009ff2fd4ad3737c45e3f713ecaf9daf87a002e195602054de1a3809e188ae715b5b6709182a54b4c4f7912f912957550dcb205d16abb8cc7b8216030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xcd19ada89fc1681b5e8405635b92cbe1
Finished request 2
Going to the next request
Waking up in 6 seconds...

This (apparently) keeps repeating over and over, with the client never getting authenticated.

Any ideas? :confused:
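Added example, not part of the thread: a small Python decoder for the EAP-Message values in FreeRADIUS debug output like the log above. FreeRADIUS prints each EAP packet as raw hex (and splits packets larger than 253 bytes across several EAP-Message attributes), so it is not obvious from the log which stage of EAP-TTLS the supplicant actually reached. The decoder reassembles the attributes of each RADIUS packet, parses the RFC 3748 header and the EAP-TTLS flag byte (L/M/S), and, when a TLS record follows, names the handshake message. The sample log is a trimmed, constructed excerpt: the four EAP-Message hex strings are copied from the post, the surrounding lines are reduced to what the parser needs. Names such as parse_eap and eap_frames_from_log are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# EAP codes and method types (RFC 3748); 21 is EAP-TTLS (RFC 5281).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}

# Constructed excerpt modelled on the thread's debug output; the EAP-Message
# values are the ones from the post, the other lines are trimmed to essentials.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=121
	User-Name = "test"
	EAP-Message = 0x020000090174657374
Sending Access-Challenge of id 0 to 10.0.0.11 port 2053
	EAP-Message = 0x010100061520
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=242
	EAP-Message = 0x0201007015800000006616030100610100005d03014884ee5302fe3b065929b342007f93bb2d7b4af411103789eadeefa162df23b0000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
rad_recv: Access-Request packet from host 10.0.0.11:2053, id=0, length=136
	EAP-Message = 0x020200061500
"""

PACKET_RE = re.compile(r"^(?:rad_recv: (\S+) packet|Sending (\S+) of id)")
EAP_RE = re.compile(r"^\s*EAP-Message = 0x([0-9a-fA-F]+)")


@dataclass
class EapFrame:
    code: str            # Request / Response / Success / Failure
    eap_id: int          # EAP identifier, independent of the RADIUS id
    length: int          # EAP length field, checked against the bytes seen
    eap_type: Optional[str]
    summary: str         # human-readable interpretation of the type-data
    via: str = ""        # RADIUS packet type that carried the frame


def describe_tls_tunnel(data: bytes) -> str:
    """Interpret the EAP-TLS/TTLS flag byte (L=0x80, M=0x40, S=0x20) and any TLS record after it."""
    flags, body = data[0], data[1:]
    if flags & 0x20:
        return "Start (server asks the supplicant to begin the TLS handshake)"
    parts = []
    if flags & 0x80:  # L flag: a 4-byte total TLS message length precedes the data
        parts.append(f"tls_total={int.from_bytes(body[:4], 'big')}")
        body = body[4:]
    if not body:
        return "ACK (no TLS data; the peer is waiting for the next fragment)"
    if flags & 0x40:
        parts.append("more fragments follow")
    if len(body) >= 6 and body[0] == 0x16:  # TLS record of content type Handshake
        version = TLS_VERSIONS.get((body[1], body[2]), f"version {body[1]}.{body[2]}")
        record_len = int.from_bytes(body[3:5], "big")
        handshake = TLS_HANDSHAKE.get(body[5], f"handshake type {body[5]}")
        parts.append(f"{version} Handshake [length {record_len:04x}], {handshake}")
    else:
        parts.append(f"{len(body)} bytes of TLS data")
    return ", ".join(parts)


def parse_eap(raw: bytes) -> EapFrame:
    """Decode one reassembled EAP packet: code, id, length, type and type-data."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, eap_id = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes seen")
    code_name = EAP_CODES.get(code, f"code {code}")
    if code in (3, 4):  # Success/Failure carry no type
        return EapFrame(code_name, eap_id, length, None, code_name)
    eap_type, data = raw[4], raw[5:]
    type_name = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type == 1:  # Identity: the type-data is the bare identity string
        return EapFrame(code_name, eap_id, length, type_name, f"identity={data.decode('ascii', 'replace')!r}")
    if eap_type in (13, 21, 25):
        return EapFrame(code_name, eap_id, length, type_name, describe_tls_tunnel(data))
    return EapFrame(code_name, eap_id, length, type_name, f"{len(data)} bytes of type-data")


def eap_frames_from_log(log: str) -> List[EapFrame]:
    """Walk FreeRADIUS debug output, join the EAP-Message attributes of each RADIUS packet and decode them."""
    frames: List[EapFrame] = []
    kind: Optional[str] = None
    parts: List[str] = []

    def flush() -> None:
        if parts:
            frame = parse_eap(bytes.fromhex("".join(parts)))
            frame.via = kind or "?"
            frames.append(frame)
            parts.clear()

    for line in log.splitlines():
        m = PACKET_RE.match(line)
        if m:
            flush()
            kind = m.group(1) or m.group(2)
            continue
        m = EAP_RE.match(line)
        if m:
            parts.append(m.group(1))
    flush()
    return frames


if __name__ == "__main__":
    for f in eap_frames_from_log(SAMPLE_LOG):
        print(f"{f.via:<16} EAP {f.code} id={f.eap_id} len={f.length} {f.eap_type}: {f.summary}")
```

Run against the excerpt, the decoder shows the conversation as: an Identity response for "test", an EAP-TTLS Start from the server, a ClientHello carried with the L flag (102 bytes of TLS, matching the server's "ClientHello [length 0061]" line), and then an EAP-TTLS ACK with no TLS data, i.e. the supplicant acknowledging a fragment of the server's Certificate message. That is the stage to look at: when a supplicant rejects the server certificate it usually just abandons the TLS handshake without sending a TLS alert, so the RADIUS side shows nothing more specific than the conversation starting over, and the supplicant's own log and its trust setting for the server certificate are where the real error is recorded.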
 