probleme freeradius eap-ttls mschapv2


Marsh Posté le 12-04-2007 à 14:01:29    

Bonjour,
 
Je souhaite mettre en place une architecture Wifi à l'aide de freeradius. Je veux utiliser EAP-TTLS avec mschapv2. J'obtiens des messages d'erreur.
 
Voici mes fichiers de conf :
 
clients.conf :
Code:
 
# clients.conf as posted.  One block per NAS.  The shared secret is the only
# thing that authenticates the NAS to the server and it also protects the
# Message-Authenticator and the outer User-Password, so it must be long,
# random and different for every NAS.
client 127.0.0.1 {
        # "testing123" is the value shipped in the sample config: acceptable
        # for radtest on the box itself, not for anything reachable over the LAN.
        secret          = testing123
        shortname       = localhost
        nastype     = other     # localhost isn't usually a NAS...
}
 
# The access point.  NOTE(review): a secret equal to the word "secret" is
# trivially guessable, so a spoofed NAS using the 192.168.1.1 address would
# be accepted.  Replace it with a long random value (and set the same value
# on the AP); a secret that has been posted publicly should be rotated anyway.
client 192.168.1.1 {
        secret          = secret
        shortname       = APPROJET
        nastype         = other
}
 
eap.conf :
Code:
 
        # eap.conf as posted.  Outer method EAP-TTLS, inner method MS-CHAPv2.
        eap {
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no
                tls {
                        # Passphrase for the PEM key below (only used when the key
                        # is encrypted).  "whatever" is the sample-config value; the
                        # key file itself should be readable by the radiusd user only.
                        private_key_password = whatever
                        # One PEM file holds both the server key and its certificate.
                        private_key_file = ${raddbdir}/certs/srv-linux.wifi.local.pem
                        certificate_file = ${raddbdir}/certs/srv-linux.wifi.local.pem
                        # CA that signed the server certificate.  Supplicants must be
                        # configured to validate the server against this CA: a client
                        # that skips validation would run its MS-CHAPv2 exchange with
                        # any server that presents a certificate.
                        CA_file = ${raddbdir}/certs/root.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        # TLS records are split into 1024-byte EAP fragments (the
                        # NAS advertises Framed-MTU = 1400 in the trace).
                        fragment_size = 1024
                        include_length = yes
                }
                ttls {
                        # Only used when the supplicant runs EAP inside the tunnel.
                        # The posted trace shows the inner request carries no
                        # EAP-Message (plain MS-CHAPv2 attributes), so the inner
                        # authentication is rlm_mschap's job, not rlm_eap's.
                        default_eap_type = mschapv2
                        # Outer request attributes are copied into the inner request,
                        # and the inner reply's attributes are returned in the outer
                        # Access-Accept.
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                }
                # EAP-MSCHAPv2 with default settings, used only if a client runs
                # EAP inside the tunnel.
                mschapv2 {
                }
        }
 
users :
Code:
 
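# users as posted, with the entry that breaks the TTLS inner authentication
# fixed.  The tunneled MS-CHAPv2 request carries no EAP-Message, so forcing
# "Auth-Type := EAP" on it sends it to rlm_eap, which fails with
# "EAP-Message not found / Malformed EAP Message" (see the debug output) and
# the whole tunnel is rejected.  Leave Auth-Type unset here: rlm_eap sets it
# for the outer EAP request and rlm_mschap sets it for the inner MS-CHAPv2
# request (its "authtype" must name the same Auth-Type sub-section that
# exists in the authenticate section of radiusd.conf).
"test"  Auth-Type := Local, User-Password == "test"
# Cleartext-Password is the check item rlm_mschap needs to verify the
# MS-CHAPv2 response (FreeRADIUS 1.1 and later; older 1.0 builds use the
# User-Password == "nico" check item instead).
"nico"  Cleartext-Password := "nico"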
 
radiusd.conf :
Code:
 
# radiusd.conf as posted (FreeRADIUS 1.x layout: module configuration and
# the processing sections live in this one file).  Comments marked
# NOTE(review) are reviewer remarks, not part of the original file.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listens on every interface; port = 0 takes the port from /etc/services.
bind_address = *
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
# log_auth = yes would record every Access-Accept / Access-Reject, which is
# what you want both for troubleshooting and for noticing password guessing.
# Keep the two *pass options at "no": they write passwords into the log file.
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        # Access-Reject is delayed by one second, which slows down password
        # guessing against the server without affecting successful logins.
        reject_delay = 1
  status_server = no
}
 
# No proxying.  NAS definitions and their shared secrets come from clients.conf.
proxy_requests  = no
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
 
modules {
# The eap module (TLS / TTLS / MSCHAPv2 settings) is configured in eap.conf.
$INCLUDE ${confdir}/eap.conf
        mschap {
                # NOTE(review): this is the Auth-Type name rlm_mschap assigns in
                # authorize when it sees MS-CHAP attributes.  The authenticate
                # section below only defines "Auth-Type MS-CHAP", so the two
                # names should agree (the sample config uses MS-CHAP).
                authtype = MS-CHAPv2
        }
 
        preprocess {
                huntgroups = ${confdir}/huntgroups
                hints = ${confdir}/hints
                with_ascend_hack = no
                ascend_channels_per_line = 23
                # Set to yes if supplicants send DOMAIN\user names and the
                # users file should match on the bare user name.
                with_ntdomain_hack = no
                with_specialix_jetstream_hack = no
                with_cisco_vsa_hack = no
        }
 
        # Flat-file user database; ${confdir}/users holds the posted
        # "test" / "nico" entries.
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                preproxy_usersfile = ${confdir}/preproxy_users
                compat = no
        }
 
        # Accounting detail log, one directory per NAS address, one file per
        # day, readable by the radiusd user only.
        detail {
                detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
                detailperm = 0600
        }
 
        acct_unique {
                key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
        }
 
        radutmp {
 
                filename = ${logdir}/radutmp
                username = %{User-Name}
                case_sensitive = yes
                check_with_nas = yes
                callerid = "yes"
                perm = 0600
 
        }
 
        # World-readable copy of the session table (no caller-id recorded).
        radutmp sradutmp {
                filename = ${logdir}/sradutmp
                perm = 0644
                callerid = "no"
        }
 
        attr_filter {
                attrsfile = ${confdir}/attrs
        }
 
        counter daily {
    filename = ${raddbdir}/db.daily
                key = User-Name
                count-attribute = Acct-Session-Time
                reset = daily
                counter-name = Daily-Session-Time
                check-name = Max-Daily-Session
                allowed-servicetype = Framed-User
                cache-size = 5000
        }
 
        always fail {
                rcode = fail
        }
        always reject {
                rcode = reject
        }
        always ok {
                rcode = ok
                simulcount = 0
                mpp = no
        }
 
        expr {
        }
 
        exec {
                wait = yes
                input_pairs = request
        }
 
        # Not referenced by any section below, so it never runs.  If it is
        # enabled later, keep in mind that %{User-Name} is expanded from the
        # request, i.e. it is client-supplied input on the command line.
        exec echo {
                wait = yes
                program = "/bin/echo %{User-Name}"
                input_pairs = request
                output_pairs = reply
        }
 
# NOTE(review): the "modules {" section opened above is never closed in the
# posted listing -- a "}" is missing before "instantiate {".  Presumably
# lost in the paste, since the server did start and process requests.
instantiate {
        exec
        expr
}
 
# Order matters.  rlm_eap sets Auth-Type := EAP when it finds an EAP-Message
# (the outer request); files runs last, and a users entry that carries
# "Auth-Type := EAP" forces rlm_eap onto a request that has no EAP-Message
# at all -- which is exactly what the posted debug output shows for the
# inner "nico" request.
authorize {
        preprocess
        mschap
        eap
        files
}
 
# The Auth-Type sub-section handles the MS-CHAPv2 exchange carried inside
# the TTLS tunnel; "eap" handles the outer EAP/TLS conversation.  The
# sub-section name must match the "authtype" configured for mschap above.
authenticate {
        Auth-Type MS-CHAP {
                mschap
        }
        eap
}
 
preacct {
        preprocess
        acct_unique
        files
}
 
accounting {
        detail
        radutmp
}
 
 
session {
        radutmp
   }
 
# Empty: nothing is done after authentication (no post-auth logging).
post-auth {
 
}
 
pre-proxy {
}
 
post-proxy {
 
        eap
}
 
 
Voici le message du mode debug (radiusd -X -A) :
Code:
 
rad_recv: Access-Request packet from host 192.168.1.1:32913, id=5, length=170
        User-Name = "anonyme@monentreprise.fr"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "00-0D-54-FB-61-72:ttls"
        Calling-Station-Id = "00-0E-35-94-07-7B"
        NAS-Identifier = ""
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0205001d01616e6f6e796d65406d6f6e656e74726570726973652e6672
        Message-Authenticator = 0x666aab110a7c501e49b549313b3b4e1b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_eap: EAP packet type response id 5 length 29
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 156
    users: Matched entry DEFAULT at line 175
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 5 to 192.168.1.1 port 32913
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010600061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd9db4cca54dd0b13a7c7fa510bd9e0ff
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32914, id=6, length=261
        User-Name = "anonyme@monentreprise.fr"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "00-0D-54-FB-61-72:ttls"
        Calling-Station-Id = "00-0E-35-94-07-7B"
        NAS-Identifier = ""
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        State = 0xd9db4cca54dd0b13a7c7fa510bd9e0ff
        EAP-Message = 0x020600661500160301005b010000570301461e17b0860f09a447f4bb2bed3404b9137974e95339a16802e31318eea237dc00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
        Message-Authenticator = 0x4050c580de8aa3f3e9092010ba9a12de
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  rlm_eap: EAP packet type response id 6 length 102
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry DEFAULT at line 156
    users: Matched entry DEFAULT at line 175
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<<TLS>>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 6 to 192.168.1.1 port 32914
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x818d310b3009060355040613024652310c300a060355
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa7e3d8a6b5fa1238dff6378c16da9c5b
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32915, id=7, length=165
        User-Name = "anonyme@monentreprise.fr"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "00-0D-54-FB-61-72:ttls"
        Calling-Station-Id = "00-0E-35-94-07-7B"
        NAS-Identifier = ""
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        State = 0xa7e3d8a6b5fa1238dff6378c16da9c5b
        EAP-Message = 0x020700061500
        Message-Authenticator = 0x85e033e552410493c017878f97832c58
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry DEFAULT at line 156
    users: Matched entry DEFAULT at line 175
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 7 to 192.168.1.1 port 32915
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 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
        EAP-Message = 0x06cfd96469de5aca582b500395f9c2f02effd9bd1691ab105abd12b6d4b0cbbb32fbb30203010001a381f53081f2301d0603551d0e04160414d1f50866e2308f76cb9ee73142c2caf5081203813081c20603551d230481ba3081b78014d1f50866e2308f76cb9ee73142c2caf508120381a18193a4819030818d310b3009060355040613024652310c300a06035504081303494446310e300c060355040713054365726779310d300b060355040a13044954494e31143012060355040b130b70726f6a6574207769666931193017060355040313104954494e20576972656c6573732043413120301e06092a864886f70d01090116116b61626f756e73
        EAP-Message = 0x3231406d736e2e636f6d820900b8b0a09b1aae01d3300c0603551d13040530030101ff300d06092a864886f70d01010505000381810072149ae8736f0f19aee0a152f9f088cf7f871465187fcfaea8ee80273d7e9286ed67986e4bf3fbeb9decf113cb1975041c3dd7627df2bd8e2e73a65158b5e7f62b1cac2879fe8033992728677080f38fb621502974c9a599f813a1fb0d4c556bfbef3ccbbdbaeeef2d9e194b38cc4fdb8462ef5ce216a25c24e720e1fb78ba6016030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc22c197ed0c4de73d2ca61134e8e5449
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32916, id=8, length=363
        User-Name = "anonyme@monentreprise.fr"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "00-0D-54-FB-61-72:ttls"
        Calling-Station-Id = "00-0E-35-94-07-7B"
        NAS-Identifier = ""
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        State = 0xc22c197ed0c4de73d2ca61134e8e5449
        EAP-Message = 0x020800cc1500160301008610000082008096e2e3a993f2b919ca3eb62f694e7e752cca96d34f34551fc442698c927a7efb696712859c72e1dea2817f003d7b98d26c03a7974c3f92e1ef9a8032f805ad19bc267280d4d03b39425463458c334912779ecc1d1c8ad4bc5c06566a72e7b8b09c6ce0ec2e97564067db60c2613e9b75ea353964cfdf98677d988e51b418f1ad140301000101160301003074348e8f0c082ef691585e0c32a19aad61f649b7a589c4415087f93e4e7437e8004e9bf854b70b8b4c653d0175935e5f
        Message-Authenticator = 0x74ba8ce2fa087d8d15b97e1f8486373f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  rlm_eap: EAP packet type response id 8 length 204
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry DEFAULT at line 156
    users: Matched entry DEFAULT at line 175
  modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<<TLS>>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 8 to 192.168.1.1 port 32916
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x0109004515800000003b1403010001011603010030743c5d3fe343697a29b0bbdcca319d01e493693d331d696ffad03dbb9c45699890a3bc83d7b62f6debe20ebcd037c093
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x90fbaf8d42552395fc4d98c8f730a2b2
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32917, id=9, length=335
        User-Name = "anonyme@monentreprise.fr"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "00-0D-54-FB-61-72:ttls"
        Calling-Station-Id = "00-0E-35-94-07-7B"
        NAS-Identifier = ""
        NAS-Port = 29
        Service-Type = Framed-User
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        State = 0x90fbaf8d42552395fc4d98c8f730a2b2
        EAP-Message = 0x020900b0150017030100208a8684fc9f210a1fa5b1c3ec51048469d6fe3a0a33239eb95e528db991379a781703010080130d3503d09e40709aa6f4865bb98ad8ced00d86919d22924280584cc3f4841fb678152fb366adb4538ace53a963d4b19e6dfc12086b98741f8f4989ed4975d738d967a224f190c5bfd827d9fa4ee8d7c4718f44af706ca23ab66e67f879f18c8fbe9828be897f2356cdf0482b8dd90152cf1611ec386d7d0858f21b07374278
        Message-Authenticator = 0x9405349379b1bd2e9a4e5f699ac4ac7e
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  rlm_eap: EAP packet type response id 9 length 176
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 156
    users: Matched entry DEFAULT at line 175
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 4
    users: Matched entry nico at line 90
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
  modcall[authenticate]: module "eap" returns fail for request 4
modcall: leaving group authenticate (returns fail) for request 4
auth: Failed to validate the user.
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
 
 
Merci beaucoup de votre aide
 
Kab
