freeradius: EAP-TLS problem with XP WLAN client



Sil3ntWarri0r
11.06.10, 12:23
Hi,

I have been trying for some time now to get my RADIUS server (freeradius 2.0.5) to talk to my WLAN client (WinXP with Intel PROSet) over EAP-TLS. Unfortunately it always fails at the client certificate (exchange), at least that is how I read the log. Beforehand I had already tested with PEAP and authenticated the WLAN client via username/password, which works fine. From that I conclude that the CA and server certificate are OK. With TLS the client certificate now comes into play.
During the certificate exchange I get, among other things, this message:

rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode

Apparently the client certificate did not arrive completely at the RADIUS server, probably because of fragmentation or something similar. The system also does not seem to be able to deliver the remaining part afterwards, which is probably why the final authentication fails.
I have already tried things, googled and experimented, but I cannot get to the bottom of the problem.

Does any of you have an idea where exactly to look?

About the system:
freeradius 2.0.5 running on Gentoo
LANCOM AP (WPA2 Enterprise)
WLAN client with Intel PROSet WLAN software (on XP Pro)
For the test I am using the test certificates that I created under raddb/certs with make and make client (cnf files unchanged)


Thanks for your help!


The complete freeradius log:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=48, length=182
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 192.168.4.200
NAS-Port = 6
NAS-Port-Id = "6"
Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
Calling-Station-Id = "00-12-F0-66-52-BC"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "Wireless-AP-1"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0201000d017465737475736572
Message-Authenticator = 0xf61dad5c5e230e78fab4a5d6e31712be
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 48 to 192.168.4.200 port 3072
EAP-Message = 0x010200160410f7df58ad60bce4803d853dd05b2cce3a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97c2de1a97c0da38d66ab46a092483d5
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=68, length=193
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 192.168.4.200
NAS-Port = 6
NAS-Port-Id = "6"
State = 0x97c2de1a97c0da38d66ab46a092483d5
Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
Calling-Station-Id = "00-12-F0-66-52-BC"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "Wireless-AP-1"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x02020006030d
Message-Authenticator = 0x5cf298ca2db568a537613cffd154e3c4
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 68 to 192.168.4.200 port 3072
EAP-Message = 0x010300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97c2de1a96c1d338d66ab46a092483d5
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=41, length=295
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 192.168.4.200
NAS-Port = 6
NAS-Port-Id = "6"
State = 0x97c2de1a96c1d338d66ab46a092483d5
Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
Calling-Station-Id = "00-12-F0-66-52-BC"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "Wireless-AP-1"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0203006c0d0016030100610100005d03014c1146ee834980 748179aab2a5810f38430a78cabe811d28b1d5bd55f3ade7a0 00003600390038003500160013000a00330032002f00070066 00050004006300620061001500120009006500640060001400 110008000600030100
Message-Authenticator = 0x521099c1f76af4dcee95d49dd3a74a85
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 108
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 41 to 192.168.4.200 port 3072
EAP-Message = 0x010404000dc000000b71160301004a0200004603014c1146 ef78cbd5103adc3ca1518cfe70be8a5a7072a5c2247c3b4a49 91ada380206bc46ec0745d847d2bf7313f0cab8c3e852789e9 2c6dbc03b8773b4a0372ebcd003900160301085e0b00085a00 08570003a6308203a23082028aa003020102020101300d0609 2a864886f70d0101040500308193310b300906035504061302 4652310f300d06035504081306526164697573311230100603 5504071309536f6d65776865726531153013060355040a130c 4578616d706c6520496e632e3120301e06092a864886f70d01 0901161161646d696e406578616d706c652e636f6d31263024 06035504
EAP-Message = 0x03131d4578616d706c652043657274696669636174652041 7574686f72697479301e170d3130303631303132343134355a 170d3131303631303132343134355a307c310b300906035504 0613024652310f300d06035504081306526164697573311530 13060355040a130c4578616d706c6520496e632e3123302106 03550403131a4578616d706c65205365727665722043657274 696669636174653120301e06092a864886f70d010901161161 646d696e406578616d706c652e636f6d30820122300d06092a 864886f70d01010105000382010f003082010a0282010100bd 968225cb38dd1e86ade818d7ea4258cf560b0e8710bfd5c6f5 e29f73f3
EAP-Message = 0xd01574fb1dab0a97ff0a9add9c53b7cc2adcb52407bfc391 be458648947df7dc7a9cdd8f2a207280a7dd38033bc9989b6f 6f19592f7bcd428a0bad6a0584800161d1e3a7603144ba6371 42804af94c9c05684675ef226b18b4d815bc733e62e35bfa96 a7c92c9187fed4ffec68fd96d160a9ae2b4ec5de37c3dea536 fc0e9c9e7dba1679f83fd38730f238cedd27b08341f06e40e6 4659b4d78fe8d7c810aaefbe253cdc4679a1d177bb6388d144 680dac2b7e2bbeae8377100fa3be75992f54dd8761a94367f6 67bb372743daa9f97df4cd45dc71362d0dd612f5973202b837 511d0203010001a317301530130603551d25040c300a06082b 06010505
EAP-Message = 0x070301300d06092a864886f70d010104050003820101008b b91fa7912b2f8ea379639a2ea21f106602b7b8cc73581c237c 3a503368c8a163c93a0769fb76602a3f9dfdba062a4f23aae2 1f5d3d5edb24aa4c24a459b251e2eaab398f41b442560eec61 e145a9ee88d98f3e011d6d1cf50164666042f070d1281b898d 01a2a53bf1db2f20bacc9c3afaf470a285343f8886b2d048c0 6f85ad479f3327c1d77f42d448a8f06bba822bc2305e50501f 8bbbcfbf7fd0f4211ed929f7861238a1f13f886d433c8b2c87 b4c1e21b06886b7f05661c97db28d6c4bfb45eb17b75e63f6f 135d156c94dfb3d78a545b4af77f7c7f3242fd94c052f278c4 880fb9ca
EAP-Message = 0x83367206357b3b063f1f5971
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97c2de1a95c6d338d66ab46a092483d5
Finished request 2.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=109, length=193
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 192.168.4.200
NAS-Port = 6
NAS-Port-Id = "6"
State = 0x97c2de1a95c6d338d66ab46a092483d5
Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
Calling-Station-Id = "00-12-F0-66-52-BC"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "Wireless-AP-1"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020400060d00
Message-Authenticator = 0x42651247b7a8defe6968c78b551bafb0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 109 to 192.168.4.200 port 3072
EAP-Message = 0x010504000dc000000b71a5c1aa63a960f8b7e566244ac902 0004ab308204a73082038fa003020102020900e4b7b675e9a5 b5e6300d06092a864886f70d0101050500308193310b300906 0355040613024652310f300d06035504081306526164697573 3112301006035504071309536f6d6577686572653115301306 0355040a130c4578616d706c6520496e632e3120301e06092a 864886f70d010901161161646d696e406578616d706c652e63 6f6d312630240603550403131d4578616d706c652043657274 6966696361746520417574686f72697479301e170d31303036 31303132343134345a170d3131303631303132343134345a30 8193310b
EAP-Message = 0x3009060355040613024652310f300d060355040813065261 646975733112301006035504071309536f6d65776865726531 153013060355040a130c4578616d706c6520496e632e312030 1e06092a864886f70d010901161161646d696e406578616d70 6c652e636f6d312630240603550403131d4578616d706c6520 436572746966696361746520417574686f7269747930820122 300d06092a864886f70d01010105000382010f003082010a02 82010100b033572e706588d09dc857175a17aeaa47f6fb60b1 502124448e6bff93143a4ef7700ca2f4abaab5541fc6921928 8c33b957eef7cb70a89133946784f951464d1e39c35130e0f4 96ce96bd
EAP-Message = 0xcd7a9842d6f9380a096fe2fc8410a802829225f703fc9e5e a39b52bb0c87b3239643f4545804173afb3a9fdcd5c43f3a05 211f32c6073951a606589464b05276a330a63bfded3e355a27 68b22211ae9d4675d9303a8adf6fe9a111f383fdbb01d59bfa 18e1900b760bd33a5336a4fd025fe0289f71d72f0693342b13 d6d3889519eeaee5164c133e435f4f001b2060ecf01187a70f 55ec2a1798b0d2eea4f96d2eef58bf2f1323354c2d3f4c52b6 1a44a96391411d0203010001a381fb3081f8301d0603551d0e 041604143d766fb4865b3a4d218f1074239c4db0df184e1c30 81c80603551d230481c03081bd80143d766fb4865b3a4d218f 1074239c
EAP-Message = 0x4db0df184e1ca18199a48196308193310b30090603550406 13024652310f300d0603550408130652616469757331123010 06035504071309536f6d65776865726531153013060355040a 130c4578616d706c6520496e632e3120301e06092a864886f7 0d010901161161646d696e406578616d706c652e636f6d3126 30240603550403131d4578616d706c65204365727469666963 61746520417574686f72697479820900e4b7b675e9a5b5e630 0c0603551d13040530030101ff300d06092a864886f70d0101 0505000382010100301ebcbd8940dec66c645a6fc665854e5d 45ac6443287969276764c7f36f3fce1a7a8c007ec6dcd81d65 784d8b81
EAP-Message = 0x2fe3a7ef9a23f787befa7bae
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97c2de1a94c7d338d66ab46a092483d5
Finished request 3.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=133, length=193
User-Name = "testuser"
Service-Type = Framed-User
NAS-IP-Address = 192.168.4.200
NAS-Port = 6
NAS-Port-Id = "6"
State = 0x97c2de1a94c7d338d66ab46a092483d5
Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
Calling-Station-Id = "00-12-F0-66-52-BC"
Connect-Info = "CONNECT 54 Mbps 802.11g"
NAS-Identifier = "Wireless-AP-1"
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x020500060d00
Message-Authenticator = 0xdfc4c29217187c3f9cd47048533fd167
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 133 to 192.168.4.200 port 3072
EAP-Message = 0x0106038f0d8000000b711bc56f15202560b77288f9efae54 9e22a7245dfa0ee137b3f88c868c095e9cd928a2af97ee7c1e 1c6ebb29dc439c6643bc389ef9d92f831a50868494f271d357 ef20e6f134a05f062a5865ec79e1e36983ce25dc190d25ce8b 2b79a9d938c36bfd0f59fe7091193d6cdcce4e330c72f9c9be b1f77ceaef361f2ee13b00d40aa3f13b617cac8c00efad1f39 adcaffff8a13c6a0367e3d980a84197a25852c5ed76df6a6a1 3785c516578b0462379d61d444f493fef872c3011998d417f2 fa8691de4ba7ecb983160301020d0c00020900809cd9b3313c 82fe0c30f8905c911998e3154c14b0f23b03de40bb6b3d8c64 59fc9664
EAP-Message = 0x4a49b6916ea1486fd7a7b864ac7f1507735bb4bb2776dad4 de46481856f3202f9b831d2d05d5da96815299610c9fbbb376 0089c3b5b7fb935e30b274ee72c3de29a2e3bb60db408e03e8 347ac74f271776b4ab4ca2504f27c3467902fb830001020080 76f4b85cadcbd82825b95333d6975896a89761feb09acc510b 04b6d6bd665611193493565d8689030f4ab6413d5022a0b093 ac0d79a5a4573b4bdbf9a9d5f4b1c292221aa6dd483b193b46 2d668bb2e3e0a50e20360c3dce9f7e15922c9c3361f7f57337 48c9e41b2cab92c9c81629469edb0e5da8615469cd1018db06 20a5cd0100b6cf51b6bf38b8a1a259c4bb6fe3fbf7a07bd534 98998a49
EAP-Message = 0xe2f84144b16b2d33cfc65e380e71e6f71f959e8d2364742a bd3e25a3ed37c46c0b84a7bfb1517bd2dc6cbdb88569692803 923381dcd58bd8147363ae4d883f2c37a2cf8be66c41e71a36 1d53066dc3d1381a4774a3503cd885e47347cb879e94e5983b f88d3b769055bbbb0e764d03a0be0803c0b4f0709076de6aee 266a2de5c24807bf9682b98c9c1fcedb4a155a7d1152238172 87323297737dab72d15050eb4d8ffa06b9d0178dc4eb6858d4 119d9df6dce3666ad86da8fb0fe5c45f5df7ea65d451a87319 2cbe05fb20b14435539efbf2455ee7c41f52ac85e7333ded28 0a08a3b9a2cfe6ba16030100a80d0000a00503040102400098 00963081
EAP-Message = 0x93310b3009060355040613024652310f300d060355040813 065261646975733112301006035504071309536f6d65776865 726531153013060355040a130c4578616d706c6520496e632e 3120301e06092a864886f70d010901161161646d696e406578 616d706c652e636f6d312630240603550403131d4578616d70 6c6520436572746966696361746520417574686f726974790e 000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x97c2de1a93c4d338d66ab46a092483d5
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 0 ID 48 with timestamp +53
Cleaning up request 1 ID 68 with timestamp +53
Waking up in 0.3 seconds.
Cleaning up request 2 ID 41 with timestamp +53
Cleaning up request 3 ID 109 with timestamp +53
Cleaning up request 4 ID 133 with timestamp +53
Ready to process requests.

hessijens
11.06.10, 13:02
The "Microsoft extension" is missing. Read "PEAP or EAP-TLS Doesn't Work with a Windows machine" at: http://wiki.freeradius.org/index.php/FAQ

or google for xpextension problem (http://lmgtfy.com/?q=xpextension+problem)

Sil3ntWarri0r
11.06.10, 13:26
The "Microsoft extension" is missing. Read "PEAP or EAP-TLS Doesn't Work with a Windows machine" at: http://wiki.freeradius.org/index.php/FAQ

or google for xpextension problem (http://lmgtfy.com/?q=xpextension+problem)

Hmm, is that apparent from the log?

I am well aware of that problem, and I have also used the xpextensions file with the following content:

#
# File containing the OID's required for Windows.
#
# http://support.microsoft.com/kb/814394/en-us
#
[ xpclient_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1


openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

and

openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
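Added example, not code from the thread: a small pure-Python DER walker that pulls the extendedKeyUsage extension out of certificate bytes, so you can verify whether server.crt and client.crt actually carry the OIDs from xpextensions. The first sample input is the extensions fragment of the server certificate exactly as it appears in the EAP-Message hex of the log above (it does carry serverAuth); the two client fragments are constructed for comparison.

```python
# Added example, not from the thread: decode the extendedKeyUsage (EKU)
# extension from DER certificate bytes, the extension the Windows XP
# supplicant insists on for EAP-TLS (KB 814394 / freeradius xpextensions).

EKU_EXT_OID = bytes.fromhex("0603551d25")  # DER of OID 2.5.29.37
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",      # xpserver_ext, for server.crt
    "1.3.6.1.5.5.7.3.2": "clientAuth",      # xpclient_ext, for client.crt
}

# Extensions fragment of the server certificate as it appears in the
# EAP-Message hex of the log (end of one chunk, start of the next).
SERVER_EXT_FROM_LOG = bytes.fromhex(
    "a317301530130603551d25040c300a06082b06010505070301")
# Constructed fragments: a client cert with clientAuth, and one carrying
# only a keyUsage extension and no EKU at all.
CLIENT_EXT_OK = bytes.fromhex("30130603551d25040c300a06082b06010505070302")
CLIENT_EXT_NO_EKU = bytes.fromhex("300e0603551d0f0101ff040403020780")

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Base-128 OID content octets -> dotted string."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usage(der):
    """EKU OIDs of a DER certificate (or fragment), [] if absent.
    Simplification: finds the extension by byte search, not by walking
    the whole Certificate structure."""
    idx = der.find(EKU_EXT_OID)
    if idx < 0:
        return []
    tag, val, pos = _tlv(der, idx + len(EKU_EXT_OID))
    if tag == 0x01:                         # optional 'critical' BOOLEAN
        tag, val, pos = _tlv(der, pos)
    if tag != 0x04:                         # extnValue must be OCTET STRING
        raise ValueError("malformed extendedKeyUsage extension")
    _, seq, _ = _tlv(val, 0)                # SEQUENCE OF KeyPurposeId
    oids, p = [], 0
    while p < len(seq):
        _, oid, p = _tlv(seq, p)
        oids.append(_decode_oid(oid))
    return oids

def has_windows_eku(der, role):
    """role 'server' or 'client': does the cert carry the EKU XP expects?"""
    wanted = {"server": "1.3.6.1.5.5.7.3.1", "client": "1.3.6.1.5.5.7.3.2"}[role]
    return wanted in extended_key_usage(der)
```

To check a real file, feed it the DER bytes (`openssl x509 -in client.crt -outform DER`) and compare the result against EKU_NAMES; a client.crt that returns an empty list is the symptom hessijens describes.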