80_._x

Securing wi-fi net with EAP/TTLS

This is a very simple cookbook to configure EAP-TTLS with PAP to secure wi-fi LAN.

(INTERNET) ↔ (1.1.1.1) fw (lan:192.168.1.254) ↔ (inet:192.168.1.253) AP (wlan: 192.168.27.254) ↔ (wlan:192.168.27.111) client

FreeRadius 1.1.1

File /etc/raddb/radiusd.conf:

prefix = /usr
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = /var
sbindir = ${exec_prefix}/sbin
logdir = ${localstatedir}/log/radius
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
bind_address = 192.168.1.254
port = 0
hostname_lookups = no
allow_core_dumps = no
regular_expressions     = yes
extended_expressions    = yes
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
Checkrad = ${sbindir}/checkrad
security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
}
 
proxy_requests  = yes
$INCLUDE  ${confdir}/proxy.conf
$INCLUDE  ${confdir}/clients.conf
snmp    = no
$INCLUDE  ${confdir}/snmp.conf
thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_requests_per_server = 0
}
 
modules {
        pap {
                encryption_scheme = clear
        }
 
        eap {
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
 
                gtc {
                        auth_type = PAP
                }
                tls {
                        private_key_password = druvs2systems
                        private_key_file = /etc/raddb/certs/cert-srv.pem
                        certificate_file = /etc/raddb/certs/cert-srv.pem
                        CA_file = /etc/raddb/certs/demoCA/cacert.pem
                        dh_file = /etc/raddb/certs/dh
                        random_file = /etc/raddb/certs/random
                        fragment_size = 1024
                        include_length = yes
                }
                ttls {
                        default_eap_type = gtc
                        copy_request_to_tunnel = no
                        use_tunneled_reply = no
                }
        }
 
        files {
                usersfile = ${confdir}/users
                acctusersfile = ${confdir}/acct_users
                compat = no
        }
}
 
authorize {
        eap
        files
}
authenticate {
        eap
        Auth-Type PAP {
               pap
        }
}
 
post-proxy {
        eap
}

File /etc/raddb/clients.conf:

client 192.168.1.253/32 {
        secret          = SharedSecret99
        shortname       = localhost
}

File /etc/raddb/users:

"testuser"      User-Password == "secret"

When launch radius with debug mode radiusd -X we have this output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
 main: prefix = "/usr"
 main: localstatedir = "/var"
 main: logdir = "/var/log/radius"
 main: libdir = "/usr/lib"
 main: radacctdir = "/var/log/radius/radacct"
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: bind_address = 192.168.1.254 IP address [192.168.1.254]
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded eap
 eap: default_eap_type = "ttls"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "druvs2systems"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap_tls: Loading the certificate file as a chain
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "gtc"
 ttls: copy_request_to_tunnel = no
 ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded PAP
 pap: encryption_scheme = "clear"
Module: Instantiated pap (pap)
Module: Loaded files
 files: usersfile = "/etc/raddb/users"
 files: acctusersfile = "/etc/raddb/acct_users"
 files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 files: compat = "no"
Module: Instantiated files (files)
Listening on authentication 192.168.1.254:1812
Listening on accounting 192.168.1.254:1813
Ready to process requests.

The client is a linux box with wpa_supplicant.

WPA supplicant configuration file /etc/wpa_supplicant.conf:

network={
ssid="ymbi"
proto=WPA
key_mgmt=WPA-EAP
pairwise=TKIP
group=TKIP
eap=TTLS
ca_cert="/etc/cert/demoCA/cacert.pem"
client_cert="/etc/cert/cert-clt.pem"
private_key="/etc/cert/cert-clt.p12"
private_key_passwd="passwordofkeyfile"
 
identity="testuser"
password="secret"
}

Now we try tu run wpa_supplicant with debug output:
# wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -w -Dndiswrapper

Trying to associate with 00:18:39:bf:d4:81 (SSID='ymbi' freq=2437 MHz)
Associated with 00:18:39:bf:d4:81
CTRL-EVENT-EAP-STARTED EAP authentication started
OpenSSL: pending error: error:0D07803A:asn1 encoding
routines:ASN1_ITEM_EX_D2I:nested asn1 error
OpenSSL: pending error: error:140C800D:SSL
routines:SSL_use_certificate_file:ASN1 lib
OpenSSL: pending error: error:140CB009:SSL
routines:SSL_use_PrivateKey_file:PEM lib
CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 00:18:39:bf:d4:81 [PTK=TKIP
GTK=TKIP]
CTRL-EVENT-CONNECTED - Connection to 00:18:39:bf:d4:81 completed (auth)
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=129
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000d017465737475736572
        Message-Authenticator = 0xeee5396011aad1c468c591d4ca65d012
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  rlm_eap: EAP packet type response id 0 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x21182ca541e9335a66f8b91266e2e5a3
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=242
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        State = 0x21182ca541e9335a66f8b91266e2e5a3
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0201006c150016030100610100005d030144f963994bb3b5b6843d1ffb980f1dd90664779d88fa0d45e592b349d0c4a2b000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
        Message-Authenticator = 0x37bd3d6c73d7d196d9ffd4125fa7520f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  rlm_eap: EAP packet type response id 1 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 069f], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
        EAP-Message =
0x0102040a15c00000080e160301004a02000046030144f963990894dce46a385ae5d10e6c63b9ec7ec31021cde5ee21da67d6876c2020969cced1cf79f958c9a4099552b16b0f57e7df5a5bded193933d0a6095d03c42003900160301069f0b00069b0006980002cc308202c830820231a003020102020102300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e74207769666920647275
        EAP-Message =
0x76733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d301e170d3036303132353230353030385a170d3037303132353230353030385a30819c310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311930170603550403131043412064727576732073797374656d733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d01010105000381
        EAP-Message =
0x8d0030818902818100ca75d0502d1fcc9a98659a215fd56bc988c9456cbbed6652c09e06c871164172109ae52ce14e6e28bac61e65f28fdd38ae40206d429ee272d851c1be1c999c3f46afb67b816ed39b0d31248289b2fd19793ac00c68da96bb5e68436fee8accd7ac931a3ab53d3e17a9bed9fa65757753e66ea9ba1c3fdcd2424fbc99aca980370203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181002e9c93dcfcda12811599b13551965a35afb4e26feb98756a38f24b7da903bc3fc9a287846af47f6116f9792911770d9182fc56cc9c0c302ff99535e01fc3578fc285d9
        EAP-Message =
0xed279fb00cf4c23b60f95eded17bff4b645dcb0fd3c84719fb8a31be52f093be7f82874c68dd1706fdc4b40cf1d6eceec354cc352051690938d8e28f450003c6308203c23082032ba003020102020900f950691baf0e3e16300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73
        EAP-Message = 0x797374656d732e636f6d301e170d3036303132353230
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x12ac64c530bb647d09b3f01125f34fb0
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=140
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        State = 0x12ac64c530bb647d09b3f01125f34fb0
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200061500
        Message-Authenticator = 0x29ccd4e00a0946e81b116a2204e47dcc
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
        EAP-Message =
0x0103040a15c00000080e353030365a170d3136303132333230353030365a30819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b95b5417dddca78cffb8aebf8fde0c552069265a1676426d09f02e00ff588663d6b8
        EAP-Message =
0x5b96436030129f8faeb9676b3fb6dcf645e28677431d9eedd301fdcb195f9c4e3d69ccdcc87c3995df378bb01a7dabdd05d5875d888d46056c971c33eca8e6f9d91068518693d67ca813e58a4922897edfbcb0cb1ad18e0a09f7f46894070203010001a382010630820102301d0603551d0e0416041474c62db92bf47efc071c41018111e3e5e32aa50e3081d20603551d230481ca3081c7801474c62db92bf47efc071c41018111e3e5e32aa50ea181a3a481a030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053
        EAP-Message =
0x797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d820900f950691baf0e3e16300c0603551d13040530030101ff300d06092a864886f70d0101040500038181001ed1a0326268e23341f45fe0d1ac5e7a0dd08763838d53c1d90a8d71245e0aba46a68fe376e576f7dc3d4188ff72e71cfd9b1bda2b8b20ffcea988a65f5fb9296ebcadefc30fdb60e95f07d0b88124d9fd40debaa83b316818064bbe2f4a57edc0964efa3fa85ea4bedc8c4d5c23c46f9033162edd9d5805920d
        EAP-Message =
0x3d50555c1047160301010d0c0001090040d4e5200ad631ef8e2e8fccb0f3cb8c9f9cde60256c57b678151215ed3d218a4e8e5ba535b88f5fd8dd06a4d4789d79128e9d8d1758ada473c1253e820e9d95a300010200407b1811b1c240010d6d0f006b977786e6a0e482fd1d0149fb32c5341131b27e4ad185e4f87bf0fb9fa34cbf20d30fc4731dbf23be3d1e8ef0ded34e75ea47ad6300804a4c5849a91145aaa406e73887c7afb669171a4fc757d77a4800ac6220f51238e157241cfaaa5b464945a497fb01ccb51d5676deae0c48cbb810a2dff763fc7b09f948432ffc346788373d6e7c667b54c75073c6798accbd4a465960439eaff6dfae9dd6e2
        EAP-Message = 0xfffca21e7f20b1e3019625cb55180331e4aae00c74c1
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xec9855d26368dcc0a19d5c7603762c6c
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=140
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        State = 0xec9855d26368dcc0a19d5c7603762c6c
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300061500
        Message-Authenticator = 0x8e9fc5b99c088bb76d6bff199f5a5ed1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
  rlm_eap: EAP packet type response id 3 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
        EAP-Message = 0x0104001815800000080e20cd7349f716030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x74f0f317d1e6515d0e08de153e7585b5
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=274
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        State = 0x74f0f317d1e6515d0e08de153e7585b5
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0204008c150016030100461000004200406a306957e94709b5329f4fef619d08070850b8a1a497b1d323d0ec3678954a7e3ac6cba9940583aedd8cd622a6b0afd84e537d05b3377cae21aab6b904bab8eb1403010001011603010030a3afca3f1defb9b613af40bff506261a52f97d6df30a9e62702bfc295f8589dea32cc126282236d73928f31472e1da27
        Message-Authenticator = 0x74bee9bfe2b8e4b724d2954862405b17
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  rlm_eap: EAP packet type response id 4 length 140
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
        EAP-Message =
0x0105004515800000003b14030100010116030100305c7ade06311b72ffb6ee34f58e3045f96e98b6d21c4274b513542c2270e9d6b0f46a8231b70471c17d5e44193001c0e0
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xd47040ab18b10619471de9cccf19268e
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=230
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        State = 0xd47040ab18b10619471de9cccf19268e
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x020500601500170301002080f833d632ed6b6db2e546c61ec3a9bcb03ad2bb400d4065ebcdcef8369c313a1703010030544963e7a4c65456f1c07ca60baf6997fc8780b459f979353aa222806431d767564b7a9e56454fc37f73d383de22e38d
        Message-Authenticator = 0x9d57d285158cea3f520c61f70b494356
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  rlm_eap: EAP packet type response id 5 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
        EAP-Message = 0x0205000d017465737475736572
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Got tunneled identity of testuser
  TTLS: Setting default EAP type for tunneled EAP session.
  TTLS: Sending tunneled request
        EAP-Message = 0x0205000d017465737475736572
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "testuser"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  rlm_eap: EAP packet type response id 5 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: EAP Identity
  rlm_eap: processing type gtc
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
  TTLS: Got tunneled reply RADIUS code 11
        EAP-Message = 0x0106000f0650617373776f72643a20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7483fff7bbbda2819fabed3436521707
  TTLS: Got tunneled Access-Challenge
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
        EAP-Message =
0x0106006415800000005a17030100206b1cf1e2a1e2158735a57447c681de391dfcf092b1351b10899076ec92799fe81703010030b777d90ae1ceb35bd526231cf8dcf42ab213ccce63c75f9ad707ee338b18b091d8873f47db22320ac244d486497d341a
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x84af535b759debdba1ca077c27856ed1
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
length=230
        User-Name = "testuser"
        NAS-IP-Address = 192.168.1.253
        Called-Station-Id = "001839bfd481"
        Calling-Station-Id = "009096a365ec"
        NAS-Identifier = "001839bfd481"
        NAS-Port = 42
        Framed-MTU = 1400
        State = 0x84af535b759debdba1ca077c27856ed1
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0206006015001703010020bc268ee2898714c93524893ede7786b9b04df170e995785b90a9a60e8636c2bd1703010030e7e8fd5b1f56171c498c926fc69888387be70fea1b7b633fc28ddfd9866e43114e27f6148e76226e533f48b97576d9c9
        Message-Authenticator = 0x53958e76e1d55accf242e40af246ff8f
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  rlm_eap: EAP packet type response id 6 length 96
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
attributes.
  TTLS: Got tunneled request
        EAP-Message = 0x0206000b06736563726574
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Adding old state with 74 83
  TTLS: Sending tunneled request
        EAP-Message = 0x0206000b06736563726574
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "testuser"
        State = 0x7483fff7bbbda2819fabed3436521707
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  rlm_eap: EAP packet type response id 6 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
    users: Matched entry testuser at line 1
  modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/gtc
  rlm_eap: processing type gtc
  Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 6
rlm_pap: login attempt by "testuser" with password secret
rlm_pap: Using password "secret" for user testuser authentication.
rlm_pap: Using clear text password.
rlm_pap: User authenticated succesfully
  modcall[authenticate]: module "pap" returns ok for request 6
modcall: leaving group PAP (returns ok) for request 6
  rlm_eap_gtc: Everything is OK.
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
  TTLS: Got tunneled reply RADIUS code 2
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testuser"
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  TTLS: Freeing handler for user testuser
  modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
Sending Access-Accept of id 0 to 192.168.1.253 port 2049
        MS-MPPE-Recv-Key =
0x12b314a97cb067d593c25c0395ee246852caf129258cf0a00d25b7a5b9343e50
        MS-MPPE-Send-Key =
0x78bd0fe823f947ea326d25d576313556a477394a7fedaeb66351ff51ddc041b2
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "testuser"
Finished request 6
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 6 ID 0 with timestamp 44f96399
Nothing to do.  Sleeping until we see a request.
# iwconfig wlan0
 
wlan0     IEEE 802.11g  ESSID:"ymbi"
          Mode:Managed  Frequency:2.437 GHz  Access Point:
00:18:39:BF:D4:81
          Bit Rate=54 Mb/s   Tx-Power:25 dBm
          RTS thr:2347 B   Fragment thr:2346 B
          Encryption
key:A761-2CB0-936F-CCEB-591A-F18C-6ABF-89E5-73E8-347F-6D96-9121-279C-54FC-24AF-088D
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0
  • 80_._x.txt
  • Last modified: 2012/06/06 12:15
  • (external edit)