Freeradius - Problème d'authentification wifi

Freeradius - Problème d'authentification wifi - Sécurité - Systèmes & Réseaux Pro

Marsh Posté le 27-03-2012 à 10:31:50    

Bonjour,
 
Mon problème est le suivant, je souhaite utiliser mon serveur freeradius pour pouvoir m'authentifier avec mes identifiants active directory, lorsque je cherche à me connecter à mon réseau wifi. et lorsque la connexion échoue dans le fichier log de mon serveur j'obtiens les informations suivantes :
 

Citation :

Tue Mar 27 10:15:47 2012 : Error: TLS Alert read:fatal:unknown CA
Tue Mar 27 10:15:47 2012 : Error:     TLS_accept: failed in SSLv3 read client certificate A
Tue Mar 27 10:15:47 2012 : Error: rlm_eap: SSL error error:14094418:SSLroutines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Tue Mar 27 10:15:47 2012 : Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.


 
Merci d'avance pour votre aide.

Reply

Marsh Posté le 27-03-2012 à 10:31:50   

Reply

Marsh Posté le 27-03-2012 à 14:18:49    

unknown Ca:  tu demandes à faire une auth SSL , mais visiblement, on client ne possède pas la CA (Certificate autority : autorité de certification) locale qui a servie à signer le certificat.
 
de ce fait, tu dois d'abord importer la CA et ça fonctionnera

Reply

Marsh Posté le 28-03-2012 à 08:29:03    

Tout d'abord, merci pour ta réponse.
 
Ensuite, mon problème est que je ne sais pas quel certificat je dois utiliser. Car j'ai lu différents forums et j'ai lu plein de choses différentes, disant sur l'un d'utiliser tel fichier comme certificat, un autre fichier sur un autre forum alors je suis un peu perdu.
 
Voici les fichiers que j'ai, et je me demande lequel je dois utiliser.
 

Citation :

/etc/ssl/certs/ca.pem
/etc/freeradius/certs/ca.pem
/usr/share/ca-certificates/debconf.org/ca.crt
/etc/freeradius/certs/server_cert.pem
/etc/freeradius/certs/ca.pem
/etc/freeradius/certs/server.pem


 
Merci encore une fois pour ton aide, ainsi que pour celle que d'autres pourraient m'apporter.  :)  

Reply

Marsh Posté le 28-03-2012 à 10:25:29    

tu as une doc qui peux t'aider ici : http://freeradius.org/doc/EAPTLS.pdf
 
et ici http://www.privacywonk.net/2010/10 [...] etwork.php
 
have fun :)

Reply

Marsh Posté le 03-04-2012 à 11:07:27    

Merci à tous pour votre aide.
 
A présent je n'ai plus de problème en rapport avec les certificats.
 
Mais par contre quand je tente de m'authentifier sur mon réseau wifi avec un compte de mon Active Directory, j'obtiens le message suivant :
 

Citation :

Tue Apr  3 10:52:21 2012 : Auth: Login incorrect: [wifi/<via Auth-Type = EAP>] (from client AP_INFO port 410 cli xxxx.xxxx.xxxx via TLS tunnel)
Tue Apr  3 10:52:21 2012 : Auth: Login incorrect: [wifi/<via Auth-Type = EAP>] (from client AP_INFO port 410 cli xxxx.xxxx.xxxx)


 
Alors que mon serveur radius est bien enregistré dans mon AD et que je peux m'authentifier sur mon serveur radius avec les compte de mon AD.
 
Voici également ce que j'obtiens comme résultat lorsque je démarre le serveur avec freeradius -X, et que je tente de m'authentifier :
 

Citation :

[peap] Setting default EAP type for tunneled EAP session.
[peap] Got tunneled request
        EAP-Message = 0x020600090177696669
server  {
  PEAP: Setting User-Name to wifi
Sending tunneled request
        EAP-Message = 0x020600090177696669
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "wifi"
        Framed-MTU = 1400
        Called-Station-Id = "xxxx.xxxx.xxxx"
        Calling-Station-Id = "xxxx.xxxx.xxxx"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 411
        NAS-Port-Id = "411"
        NAS-IP-Address = 10.20.1.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 6 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled reply code 11
        EAP-Message = 0x0107001e1a01070019103d53d013874e16128593421437ca55b577696669
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfa7eb8c5fa79a2253c39a41379f09bf7
[peap] Got tunneled reply RADIUS code 11
        EAP-Message = 0x0107001e1a01070019103d53d013874e16128593421437ca55b577696669
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xfa7eb8c5fa79a2253c39a41379f09bf7
[peap] Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 105 to 10.20.1.1 port 1645
        EAP-Message = 0x0107003b190017030100302ff926dd272d0439bc9854a91db4396ae45a300af9a12b52dd42f84df75911421b562b350fdb330b77d7a75aea20f59b
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70381020743f09956cd9c7d5119e1cbb
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.20.1.1 port 1645, id=106, length=222
        User-Name = "wifi"
        Framed-MTU = 1400
        Called-Station-Id = "xxxx.xxxx.xxxx"
        Calling-Station-Id = "xxxx.xxxx.xxxx"
        Service-Type = Login-User
        Message-Authenticator = 0x4a4b807a81bdeca3d9410439db02ded0
        EAP-Message = 0x0207005b190017030100508b606e27fcd080bc542fd901e3ca91b5b0797ef8a0dd05326c436ab1273cfd83eb13b1070799f1783f61c3c0cd0c67481c9d0433d386633595128870b7363a6e549dbc43487082e9a999e3ed13f9f363
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 411
        NAS-Port-Id = "411"
        State = 0x70381020743f09956cd9c7d5119e1cbb
        NAS-IP-Address = 10.20.1.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 91
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
        EAP-Message = 0x0207003f1a0207003a31620b46bf5770cc5afb72b993d3d2e2ab00000000000000001985f8e3ee6ef20a384c4108116d476c5f0c63c7482650680077696669
server  {
  PEAP: Setting User-Name to wifi
Sending tunneled request
        EAP-Message = 0x0207003f1a0207003a31620b46bf5770cc5afb72b993d3d2e2ab00000000000000001985f8e3ee6ef20a384c4108116d476c5f0c63c7482650680077696669
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "wifi"
        State = 0xfa7eb8c5fa79a2253c39a41379f09bf7
        Framed-MTU = 1400
        Called-Station-Id = "xxxx.xxxx.xxxx"
        Calling-Station-Id = "xxxx.xxxx.xxxx"
        Service-Type = Login-User
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 411
        NAS-Port-Id = "411"
        NAS-IP-Address = 10.20.1.1
server inner-tunnel {
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] No '@' in User-Name = "wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] EAP packet type response id 7 length 63
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2]   WARNING: Unknown value specified for Auth-Type.  Cannot perform requested action.
[mschapv2] # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [wifi/<via Auth-Type = EAP>] (from client AP_INFO port 411 cli xxxx.xxxx.xxxx via TLS tunnel)
} # server inner-tunnel
[peap] Got tunneled reply code 3
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code 3
        EAP-Message = 0x04070004
        Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] returns handled
Sending Access-Challenge of id 106 to 10.20.1.1 port 1645
        EAP-Message = 0x0108002b19001703010020cfb698ff279c60d723a606f60114338a08c4e93dc2ef2801fc738f67f3c06cfe
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x70381020753009956cd9c7d5119e1cbb
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.20.1.1 port 1645, id=107, length=174
        User-Name = "wifi"
        Framed-MTU = 1400
        Called-Station-Id = "xxxx.xxxx.xxxx"
        Calling-Station-Id = "xxxx.xxxx.xxxx"
        Service-Type = Login-User
        Message-Authenticator = 0xbefa783943f178b2ce2a8b3cb4bae610
        EAP-Message = 0x0208002b190017030100202d6ca98e22870344576d7751f513cb75cf7f39659188ae782e287566df1dc1ea
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 411
        NAS-Port-Id = "411"
        State = 0x70381020753009956cd9c7d5119e1cbb
        NAS-IP-Address = 10.20.1.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv failure
[peap] Received EAP-TLV response.
[peap]  The users session was previously rejected: returning reject (again.)
[peap]  *** This means you need to read the PREVIOUS messages in the debug output
[peap]  *** to find out the reason why the user was rejected.
[peap]  *** Look for "reject" or "fail".  Those earlier messages will tell you.
[peap]  *** what went wrong, and how to fix the problem.
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [wifi/<via Auth-Type = EAP>] (from client AP_INFO port 411 cli xxxx.xxxx.xxxx)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> wifi
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 107 to 10.20.1.1 port 1645
        EAP-Message = 0x04080004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 101 with timestamp +12
Cleaning up request 1 ID 102 with timestamp +12
Cleaning up request 2 ID 103 with timestamp +12
Cleaning up request 3 ID 104 with timestamp +12
Cleaning up request 4 ID 105 with timestamp +12
Cleaning up request 5 ID 106 with timestamp +12
Waking up in 1.0 seconds.
Cleaning up request 6 ID 107 with timestamp +12


 
 
Merci pour votre aide.

Reply

Marsh Posté le 03-04-2012 à 11:51:32    

Reply

Marsh Posté le 03-04-2012 à 13:41:32    

gizmo31 a écrit :

as tu jeté un oeil sur cette kb :
http://wiki.freeradius.org/FreeRAD [...] tion_HOWTO


 
Oui j'ai déjà suivi les instructions de cette doc, mais ça n'a pas fonctionné pour moi.

Reply

Marsh Posté le 03-04-2012 à 13:49:48    

as tu essayé de rajouter le domaine suffixé pour ton compte AD
genre domaine\username ou username@domaine comme login ?
as tu les meme résultats ?

Reply

Marsh Posté le 03-04-2012 à 14:07:46    

Oui le même résultat pour ces deux méthodes.

Reply

Marsh Posté le 03-04-2012 à 14:19:15    

et sur cet article :
http://www.mail-archive.com/freera [...] 02230.html
est ce le cas ?
 
sinon j'ai trouvé ça :
http://deployingradius.com/
ptete que ça t'aideras :)

Reply

Marsh Posté le 03-04-2012 à 14:19:15   

Reply

Marsh Posté le 03-04-2012 à 14:38:12    

Merci, je vais regarder. :)

Reply

Sujets relatifs:

Leave a Replay

Make sure you enter the(*)required information where indicate.HTML code is not allowed