80_._x

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

80_._x [2012/06/06 12:15] (current)
Line 1: Line 1:
 +====== Securing wi-fi net with EAP/TTLS ======
  
 +This is a very simple cookbook to configure EAP-TTLS with PAP to secure wi-fi LAN.
 +
 +===== Network Map =====
 +
 +(INTERNET) <-> (1.1.1.1) fw (lan:192.168.1.254) <-> (inet:192.168.1.253) AP (wlan: 192.168.27.254) <-> (wlan:192.168.27.111) client
 +
 +===== fw: FreeRadius Config Files =====
 +
 +FreeRadius 1.1.1
 +
 +File **/etc/raddb/radiusd.conf**:
 +<code bash>
 +prefix = /usr
 +exec_prefix = ${prefix}
 +sysconfdir = /etc
 +localstatedir = /var
 +sbindir = ${exec_prefix}/sbin
 +logdir = ${localstatedir}/log/radius
 +raddbdir = ${sysconfdir}/raddb
 +radacctdir = ${logdir}/radacct
 +confdir = ${raddbdir}
 +run_dir = ${localstatedir}/run/radiusd
 +log_file = ${logdir}/radius.log
 +libdir = ${exec_prefix}/lib
 +pidfile = ${run_dir}/radiusd.pid
 +max_request_time = 30
 +delete_blocked_requests = no
 +cleanup_delay = 5
 +max_requests = 1024
 +bind_address = 192.168.1.254
 +port = 0
 +hostname_lookups = no
 +allow_core_dumps = no
 +regular_expressions     = yes
 +extended_expressions    = yes
 +log_stripped_names = no
 +log_auth = no
 +log_auth_badpass = no
 +log_auth_goodpass = no
 +usercollide = no
 +lower_user = no
 +lower_pass = no
 +nospace_user = no
 +nospace_pass = no
 +Checkrad = ${sbindir}/checkrad
 +security {
 +        max_attributes = 200
 +        reject_delay = 1
 +        status_server = no
 +}
 +
 +proxy_requests  = yes
 +$INCLUDE  ${confdir}/proxy.conf
 +$INCLUDE  ${confdir}/clients.conf
 +snmp    = no
 +$INCLUDE  ${confdir}/snmp.conf
 +thread pool {
 +        start_servers = 5
 +        max_servers = 32
 +        min_spare_servers = 3
 +        max_spare_servers = 10
 +        max_requests_per_server = 0
 +}
 +
 +modules {
 +        pap {
 +                encryption_scheme = clear
 +        }
 +
 +        eap {
 +                default_eap_type = ttls
 +                timer_expire     = 60
 +                ignore_unknown_eap_types = no
 +
 +                gtc {
 +                        auth_type = PAP
 +                }
 +                tls {
 +                        private_key_password = druvs2systems
 +                        private_key_file = /etc/raddb/certs/cert-srv.pem
 +                        certificate_file = /etc/raddb/certs/cert-srv.pem
 +                        CA_file = /etc/raddb/certs/demoCA/cacert.pem
 +                        dh_file = /etc/raddb/certs/dh
 +                        random_file = /etc/raddb/certs/random
 +                        fragment_size = 1024
 +                        include_length = yes
 +                }
 +                ttls {
 +                        default_eap_type = gtc
 +                        copy_request_to_tunnel = no
 +                        use_tunneled_reply = no
 +                }
 +        }
 +
 +        files {
 +                usersfile = ${confdir}/users
 +                acctusersfile = ${confdir}/acct_users
 +                compat = no
 +        }
 +}
 +
 +authorize {
 +        eap
 +        files
 +}
 +authenticate {
 +        eap
 +        Auth-Type PAP {
 +               pap
 +        }
 +}
 +
 +post-proxy {
 +        eap
 +}
 +
 +
 +</code>
 +
 +
 +
 +File **/etc/raddb/clients.conf**:
 +<code bash>
 +client 192.168.1.253/32 {
 +        secret          = SharedSecret99
 +        shortname       = localhost
 +}
 +</code>
 +
 +File **/etc/raddb/users**:
 +<code bash>
 +"testuser"      User-Password == "secret"
 +</code>
 +
 +When launch radius with debug mode **radiusd -X** we have this output:
 +<file>
 +Starting - reading configuration files ...
 +reread_config:  reading radiusd.conf
 +Config:   including file: /etc/raddb/proxy.conf
 +Config:   including file: /etc/raddb/clients.conf
 +Config:   including file: /etc/raddb/snmp.conf
 + main: prefix = "/usr"
 + main: localstatedir = "/var"
 + main: logdir = "/var/log/radius"
 + main: libdir = "/usr/lib"
 + main: radacctdir = "/var/log/radius/radacct"
 + main: hostname_lookups = no
 + main: snmp = no
 + main: max_request_time = 30
 + main: cleanup_delay = 5
 + main: max_requests = 1024
 + main: delete_blocked_requests = 0
 + main: port = 0
 + main: allow_core_dumps = no
 + main: log_stripped_names = no
 + main: log_file = "/var/log/radius/radius.log"
 + main: log_auth = no
 + main: log_auth_badpass = no
 + main: log_auth_goodpass = no
 + main: pidfile = "/var/run/radiusd/radiusd.pid"
 + main: bind_address = 192.168.1.254 IP address [192.168.1.254]
 + main: user = "(null)"
 + main: group = "(null)"
 + main: usercollide = no
 + main: lower_user = "no"
 + main: lower_pass = "no"
 + main: nospace_user = "no"
 + main: nospace_pass = "no"
 + main: checkrad = "/usr/sbin/checkrad"
 + main: proxy_requests = yes
 + proxy: retry_delay = 5
 + proxy: retry_count = 3
 + proxy: synchronous = no
 + proxy: default_fallback = yes
 + proxy: dead_time = 120
 + proxy: post_proxy_authorize = yes
 + proxy: wake_all_if_all_dead = no
 + security: max_attributes = 200
 + security: reject_delay = 1
 + security: status_server = no
 + main: debug_level = 0
 +read_config_files:  reading dictionary
 +read_config_files:  reading naslist
 +Using deprecated naslist file.  Support for this will go away soon.
 +read_config_files:  reading clients
 +read_config_files:  reading realms
 +radiusd:  entering modules setup
 +Module: Library search path is /usr/lib
 +Module: Loaded eap
 + eap: default_eap_type = "ttls"
 + eap: timer_expire = 60
 + eap: ignore_unknown_eap_types = no
 + eap: cisco_accounting_username_bug = no
 + gtc: challenge = "Password: "
 + gtc: auth_type = "PAP"
 +rlm_eap: Loaded and initialized type gtc
 + tls: rsa_key_exchange = no
 + tls: dh_key_exchange = yes
 + tls: rsa_key_length = 512
 + tls: dh_key_length = 512
 + tls: verify_depth = 0
 + tls: CA_path = "(null)"
 + tls: pem_file_type = yes
 + tls: private_key_file = "/etc/raddb/certs/cert-srv.pem"
 + tls: certificate_file = "/etc/raddb/certs/cert-srv.pem"
 + tls: CA_file = "/etc/raddb/certs/demoCA/cacert.pem"
 + tls: private_key_password = "druvs2systems"
 + tls: dh_file = "/etc/raddb/certs/dh"
 + tls: random_file = "/etc/raddb/certs/random"
 + tls: fragment_size = 1024
 + tls: include_length = yes
 + tls: check_crl = no
 + tls: check_cert_cn = "(null)"
 +rlm_eap_tls: Loading the certificate file as a chain
 +rlm_eap: Loaded and initialized type tls
 + ttls: default_eap_type = "gtc"
 + ttls: copy_request_to_tunnel = no
 + ttls: use_tunneled_reply = no
 +rlm_eap: Loaded and initialized type ttls
 +Module: Instantiated eap (eap)
 +Module: Loaded PAP
 + pap: encryption_scheme = "clear"
 +Module: Instantiated pap (pap)
 +Module: Loaded files
 + files: usersfile = "/etc/raddb/users"
 + files: acctusersfile = "/etc/raddb/acct_users"
 + files: preproxy_usersfile = "/etc/raddb/preproxy_users"
 + files: compat = "no"
 +Module: Instantiated files (files)
 +Listening on authentication 192.168.1.254:1812
 +Listening on accounting 192.168.1.254:1813
 +Ready to process requests.
 +</file>
 +
 +===== Client Configuration =====
 +
 +The client is a linux box with wpa_supplicant.
 +
 +WPA supplicant configuration file **/etc/wpa_supplicant.conf**: 
 +<code bash>
 +network={
 +ssid="ymbi"
 +proto=WPA
 +key_mgmt=WPA-EAP
 +pairwise=TKIP
 +group=TKIP
 +eap=TTLS
 +ca_cert="/etc/cert/demoCA/cacert.pem"
 +client_cert="/etc/cert/cert-clt.pem"
 +private_key="/etc/cert/cert-clt.p12"
 +private_key_passwd="passwordofkeyfile"
 +
 +identity="testuser"
 +password="secret"
 +}
 +</code>
 +
 +Now we try tu run wpa_supplicant with debug output: \\
 +**# wpa_supplicant -iwlan0 -c/etc/wpa_supplicant.conf -w -Dndiswrapper**
 +<file>
 +Trying to associate with 00:18:39:bf:d4:81 (SSID='ymbi' freq=2437 MHz)
 +Associated with 00:18:39:bf:d4:81
 +CTRL-EVENT-EAP-STARTED EAP authentication started
 +OpenSSL: pending error: error:0D07803A:asn1 encoding
 +routines:ASN1_ITEM_EX_D2I:nested asn1 error
 +OpenSSL: pending error: error:140C800D:SSL
 +routines:SSL_use_certificate_file:ASN1 lib
 +OpenSSL: pending error: error:140CB009:SSL
 +routines:SSL_use_PrivateKey_file:PEM lib
 +CTRL-EVENT-EAP-METHOD EAP method 21 (TTLS) selected
 +CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
 +WPA: Key negotiation completed with 00:18:39:bf:d4:81 [PTK=TKIP
 +GTK=TKIP]
 +CTRL-EVENT-CONNECTED - Connection to 00:18:39:bf:d4:81 completed (auth)
 +</file>
 +
 +===== Debug ouput of radius =====
 +
 +<file>
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=129
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message = 0x0200000d017465737475736572
 +        Message-Authenticator = 0xeee5396011aad1c468c591d4ca65d012
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 0
 +  rlm_eap: EAP packet type response id 0 length 13
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 0
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 0
 +modcall: leaving group authorize (returns updated) for request 0
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 0
 +  rlm_eap: EAP Identity
 +  rlm_eap: processing type tls
 +  rlm_eap_tls: Initiate
 +  rlm_eap_tls: Start returned 1
 +  modcall[authenticate]: module "eap" returns handled for request 0
 +modcall: leaving group authenticate (returns handled) for request 0
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message = 0x010100061520
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x21182ca541e9335a66f8b91266e2e5a3
 +Finished request 0
 +Going to the next request
 +--- Walking the entire request list ---
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=242
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x21182ca541e9335a66f8b91266e2e5a3
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x0201006c150016030100610100005d030144f963994bb3b5b6843d1ffb980f1dd90664779d88fa0d45e592b349d0c4a2b000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
 +        Message-Authenticator = 0x37bd3d6c73d7d196d9ffd4125fa7520f
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 1
 +  rlm_eap: EAP packet type response id 1 length 108
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 1
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 1
 +modcall: leaving group authorize (returns updated) for request 1
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 1
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls: Authenticate
 +  rlm_eap_tls: processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls: Done initial handshake
 +    (other): before/accept initialization
 +    TLS_accept: before/accept initialization
 +  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
 +    TLS_accept: SSLv3 read client hello A
 +  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
 +    TLS_accept: SSLv3 write server hello A
 +  rlm_eap_tls: >>> TLS 1.0 Handshake [length 069f], Certificate
 +    TLS_accept: SSLv3 write certificate A
 +  rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange
 +    TLS_accept: SSLv3 write key exchange A
 +  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
 +    TLS_accept: SSLv3 write server done A
 +    TLS_accept: SSLv3 flush data
 +    TLS_accept:error in SSLv3 read client certificate A
 +In SSL Handshake Phase
 +In SSL Accept mode
 +  eaptls_process returned 13
 +  modcall[authenticate]: module "eap" returns handled for request 1
 +modcall: leaving group authenticate (returns handled) for request 1
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0102040a15c00000080e160301004a02000046030144f963990894dce46a385ae5d10e6c63b9ec7ec31021cde5ee21da67d6876c2020969cced1cf79f958c9a4099552b16b0f57e7df5a5bded193933d0a6095d03c42003900160301069f0b00069b0006980002cc308202c830820231a003020102020102300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e74207769666920647275
 +        EAP-Message =
 +0x76733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d301e170d3036303132353230353030385a170d3037303132353230353030385a30819c310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311930170603550403131043412064727576732073797374656d733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d01010105000381
 +        EAP-Message =
 +0x8d0030818902818100ca75d0502d1fcc9a98659a215fd56bc988c9456cbbed6652c09e06c871164172109ae52ce14e6e28bac61e65f28fdd38ae40206d429ee272d851c1be1c999c3f46afb67b816ed39b0d31248289b2fd19793ac00c68da96bb5e68436fee8accd7ac931a3ab53d3e17a9bed9fa65757753e66ea9ba1c3fdcd2424fbc99aca980370203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181002e9c93dcfcda12811599b13551965a35afb4e26feb98756a38f24b7da903bc3fc9a287846af47f6116f9792911770d9182fc56cc9c0c302ff99535e01fc3578fc285d9
 +        EAP-Message =
 +0xed279fb00cf4c23b60f95eded17bff4b645dcb0fd3c84719fb8a31be52f093be7f82874c68dd1706fdc4b40cf1d6eceec354cc352051690938d8e28f450003c6308203c23082032ba003020102020900f950691baf0e3e16300d06092a864886f70d010104050030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73
 +        EAP-Message = 0x797374656d732e636f6d301e170d3036303132353230
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x12ac64c530bb647d09b3f01125f34fb0
 +Finished request 1
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=140
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x12ac64c530bb647d09b3f01125f34fb0
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message = 0x020200061500
 +        Message-Authenticator = 0x29ccd4e00a0946e81b116a2204e47dcc
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 2
 +  rlm_eap: EAP packet type response id 2 length 6
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 2
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 2
 +modcall: leaving group authorize (returns updated) for request 2
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 2
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls: Authenticate
 +  rlm_eap_tls: processing TLS
 +rlm_eap_tls: Received EAP-TLS ACK message
 +  rlm_eap_tls: ack handshake fragment handler
 +  eaptls_verify returned 1
 +  eaptls_process returned 13
 +  modcall[authenticate]: module "eap" returns handled for request 2
 +modcall: leaving group authenticate (returns handled) for request 2
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0103040a15c00000080e353030365a170d3136303132333230353030365a30819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b95b5417dddca78cffb8aebf8fde0c552069265a1676426d09f02e00ff588663d6b8
 +        EAP-Message =
 +0x5b96436030129f8faeb9676b3fb6dcf645e28677431d9eedd301fdcb195f9c4e3d69ccdcc87c3995df378bb01a7dabdd05d5875d888d46056c971c33eca8e6f9d91068518693d67ca813e58a4922897edfbcb0cb1ad18e0a09f7f46894070203010001a382010630820102301d0603551d0e0416041474c62db92bf47efc071c41018111e3e5e32aa50e3081d20603551d230481ca3081c7801474c62db92bf47efc071c41018111e3e5e32aa50ea181a3a481a030819d310b3009060355040613024341311230100603550408130942617263656c6f6e613111300f06035504071308436f726e656c6c6131163014060355040a130d44525556532053
 +        EAP-Message =
 +0x797374656d73310b3009060355040b13026630311a301806035504031311436c69656e7420776966692064727576733126302406092a864886f70d01090116176f72696f6c4064727576732d73797374656d732e636f6d820900f950691baf0e3e16300c0603551d13040530030101ff300d06092a864886f70d0101040500038181001ed1a0326268e23341f45fe0d1ac5e7a0dd08763838d53c1d90a8d71245e0aba46a68fe376e576f7dc3d4188ff72e71cfd9b1bda2b8b20ffcea988a65f5fb9296ebcadefc30fdb60e95f07d0b88124d9fd40debaa83b316818064bbe2f4a57edc0964efa3fa85ea4bedc8c4d5c23c46f9033162edd9d5805920d
 +        EAP-Message =
 +0x3d50555c1047160301010d0c0001090040d4e5200ad631ef8e2e8fccb0f3cb8c9f9cde60256c57b678151215ed3d218a4e8e5ba535b88f5fd8dd06a4d4789d79128e9d8d1758ada473c1253e820e9d95a300010200407b1811b1c240010d6d0f006b977786e6a0e482fd1d0149fb32c5341131b27e4ad185e4f87bf0fb9fa34cbf20d30fc4731dbf23be3d1e8ef0ded34e75ea47ad6300804a4c5849a91145aaa406e73887c7afb669171a4fc757d77a4800ac6220f51238e157241cfaaa5b464945a497fb01ccb51d5676deae0c48cbb810a2dff763fc7b09f948432ffc346788373d6e7c667b54c75073c6798accbd4a465960439eaff6dfae9dd6e2
 +        EAP-Message = 0xfffca21e7f20b1e3019625cb55180331e4aae00c74c1
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0xec9855d26368dcc0a19d5c7603762c6c
 +Finished request 2
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=140
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0xec9855d26368dcc0a19d5c7603762c6c
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message = 0x020300061500
 +        Message-Authenticator = 0x8e9fc5b99c088bb76d6bff199f5a5ed1
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 3
 +  rlm_eap: EAP packet type response id 3 length 6
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 3
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 3
 +modcall: leaving group authorize (returns updated) for request 3
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 3
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls: Authenticate
 +  rlm_eap_tls: processing TLS
 +rlm_eap_tls: Received EAP-TLS ACK message
 +  rlm_eap_tls: ack handshake fragment handler
 +  eaptls_verify returned 1
 +  eaptls_process returned 13
 +  modcall[authenticate]: module "eap" returns handled for request 3
 +modcall: leaving group authenticate (returns handled) for request 3
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message = 0x0104001815800000080e20cd7349f716030100040e000000
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x74f0f317d1e6515d0e08de153e7585b5
 +Finished request 3
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=274
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x74f0f317d1e6515d0e08de153e7585b5
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x0204008c150016030100461000004200406a306957e94709b5329f4fef619d08070850b8a1a497b1d323d0ec3678954a7e3ac6cba9940583aedd8cd622a6b0afd84e537d05b3377cae21aab6b904bab8eb1403010001011603010030a3afca3f1defb9b613af40bff506261a52f97d6df30a9e62702bfc295f8589dea32cc126282236d73928f31472e1da27
 +        Message-Authenticator = 0x74bee9bfe2b8e4b724d2954862405b17
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 4
 +  rlm_eap: EAP packet type response id 4 length 140
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 4
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 4
 +modcall: leaving group authorize (returns updated) for request 4
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 4
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls: Authenticate
 +  rlm_eap_tls: processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls: Done initial handshake
 +  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
 +    TLS_accept: SSLv3 read client key exchange A
 +  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
 +  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
 +    TLS_accept: SSLv3 read finished A
 +  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
 +    TLS_accept: SSLv3 write change cipher spec A
 +  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
 +    TLS_accept: SSLv3 write finished A
 +    TLS_accept: SSLv3 flush data
 +    (other): SSL negotiation finished successfully
 +SSL Connection Established
 +  eaptls_process returned 13
 +  modcall[authenticate]: module "eap" returns handled for request 4
 +modcall: leaving group authenticate (returns handled) for request 4
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0105004515800000003b14030100010116030100305c7ade06311b72ffb6ee34f58e3045f96e98b6d21c4274b513542c2270e9d6b0f46a8231b70471c17d5e44193001c0e0
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0xd47040ab18b10619471de9cccf19268e
 +Finished request 4
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=230
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0xd47040ab18b10619471de9cccf19268e
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x020500601500170301002080f833d632ed6b6db2e546c61ec3a9bcb03ad2bb400d4065ebcdcef8369c313a1703010030544963e7a4c65456f1c07ca60baf6997fc8780b459f979353aa222806431d767564b7a9e56454fc37f73d383de22e38d
 +        Message-Authenticator = 0x9d57d285158cea3f520c61f70b494356
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 5
 +  rlm_eap: EAP packet type response id 5 length 96
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 5
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 5
 +modcall: leaving group authorize (returns updated) for request 5
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 5
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls: Authenticate
 +  rlm_eap_tls: processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls: Done initial handshake
 +  eaptls_process returned 7
 +  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
 +attributes.
 +  TTLS: Got tunneled request
 +        EAP-Message = 0x0205000d017465737475736572
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +  TTLS: Got tunneled identity of testuser
 +  TTLS: Setting default EAP type for tunneled EAP session.
 +  TTLS: Sending tunneled request
 +        EAP-Message = 0x0205000d017465737475736572
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +        User-Name = "testuser"
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 5
 +  rlm_eap: EAP packet type response id 5 length 13
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 5
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 5
 +modcall: leaving group authorize (returns updated) for request 5
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 5
 +  rlm_eap: EAP Identity
 +  rlm_eap: processing type gtc
 +  modcall[authenticate]: module "eap" returns handled for request 5
 +modcall: leaving group authenticate (returns handled) for request 5
 +  TTLS: Got tunneled reply RADIUS code 11
 +        EAP-Message = 0x0106000f0650617373776f72643a20
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x7483fff7bbbda2819fabed3436521707
 +  TTLS: Got tunneled Access-Challenge
 +  modcall[authenticate]: module "eap" returns handled for request 5
 +modcall: leaving group authenticate (returns handled) for request 5
 +Sending Access-Challenge of id 0 to 192.168.1.253 port 2049
 +        EAP-Message =
 +0x0106006415800000005a17030100206b1cf1e2a1e2158735a57447c681de391dfcf092b1351b10899076ec92799fe81703010030b777d90ae1ceb35bd526231cf8dcf42ab213ccce63c75f9ad707ee338b18b091d8873f47db22320ac244d486497d341a
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        State = 0x84af535b759debdba1ca077c27856ed1
 +Finished request 5
 +Going to the next request
 +Waking up in 6 seconds...
 +rad_recv: Access-Request packet from host 192.168.1.253:2049, id=0,
 +length=230
 +        User-Name = "testuser"
 +        NAS-IP-Address = 192.168.1.253
 +        Called-Station-Id = "001839bfd481"
 +        Calling-Station-Id = "009096a365ec"
 +        NAS-Identifier = "001839bfd481"
 +        NAS-Port = 42
 +        Framed-MTU = 1400
 +        State = 0x84af535b759debdba1ca077c27856ed1
 +        NAS-Port-Type = Wireless-802.11
 +        EAP-Message =
 +0x0206006015001703010020bc268ee2898714c93524893ede7786b9b04df170e995785b90a9a60e8636c2bd1703010030e7e8fd5b1f56171c498c926fc69888387be70fea1b7b633fc28ddfd9866e43114e27f6148e76226e533f48b97576d9c9
 +        Message-Authenticator = 0x53958e76e1d55accf242e40af246ff8f
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 6
 +  rlm_eap: EAP packet type response id 6 length 96
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 6
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 6
 +modcall: leaving group authorize (returns updated) for request 6
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 6
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/ttls
 +  rlm_eap: processing type ttls
 +  rlm_eap_ttls: Authenticate
 +  rlm_eap_tls: processing TLS
 +  eaptls_verify returned 7
 +  rlm_eap_tls: Done initial handshake
 +  eaptls_process returned 7
 +  rlm_eap_ttls: Session established.  Proceeding to decode tunneled
 +attributes.
 +  TTLS: Got tunneled request
 +        EAP-Message = 0x0206000b06736563726574
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +  TTLS: Adding old state with 74 83
 +  TTLS: Sending tunneled request
 +        EAP-Message = 0x0206000b06736563726574
 +        FreeRADIUS-Proxied-To = 127.0.0.1
 +        User-Name = "testuser"
 +        State = 0x7483fff7bbbda2819fabed3436521707
 +  Processing the authorize section of radiusd.conf
 +modcall: entering group authorize for request 6
 +  rlm_eap: EAP packet type response id 6 length 11
 +  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 +  modcall[authorize]: module "eap" returns updated for request 6
 +    users: Matched entry testuser at line 1
 +  modcall[authorize]: module "files" returns ok for request 6
 +modcall: leaving group authorize (returns updated) for request 6
 +  rad_check_password:  Found Auth-Type EAP
 +auth: type "EAP"
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group authenticate for request 6
 +  rlm_eap: Request found, released from the list
 +  rlm_eap: EAP/gtc
 +  rlm_eap: processing type gtc
 +  Processing the authenticate section of radiusd.conf
 +modcall: entering group PAP for request 6
 +rlm_pap: login attempt by "testuser" with password secret
 +rlm_pap: Using password "secret" for user testuser authentication.
 +rlm_pap: Using clear text password.
 +rlm_pap: User authenticated succesfully
 +  modcall[authenticate]: module "pap" returns ok for request 6
 +modcall: leaving group PAP (returns ok) for request 6
 +  rlm_eap_gtc: Everything is OK.
 +  rlm_eap: Freeing handler
 +  modcall[authenticate]: module "eap" returns ok for request 6
 +modcall: leaving group authenticate (returns ok) for request 6
 +  TTLS: Got tunneled reply RADIUS code 2
 +        EAP-Message = 0x03060004
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        User-Name = "testuser"
 +  TTLS: Got tunneled Access-Accept
 +  rlm_eap: Freeing handler
 +  TTLS: Freeing handler for user testuser
 +  modcall[authenticate]: module "eap" returns ok for request 6
 +modcall: leaving group authenticate (returns ok) for request 6
 +Sending Access-Accept of id 0 to 192.168.1.253 port 2049
 +        MS-MPPE-Recv-Key =
 +0x12b314a97cb067d593c25c0395ee246852caf129258cf0a00d25b7a5b9343e50
 +        MS-MPPE-Send-Key =
 +0x78bd0fe823f947ea326d25d576313556a477394a7fedaeb66351ff51ddc041b2
 +        EAP-Message = 0x03060004
 +        Message-Authenticator = 0x00000000000000000000000000000000
 +        User-Name = "testuser"
 +Finished request 6
 +Going to the next request
 +Waking up in 6 seconds...
 +--- Walking the entire request list ---
 +Cleaning up request 6 ID 0 with timestamp 44f96399
 +Nothing to do.  Sleeping until we see a request.
 +</file>
 +
 +
 +===== Wireless interface aspect after authentication =====
 +
 +<code bash>
 +# iwconfig wlan0
 +
 +wlan0     IEEE 802.11g  ESSID:"ymbi"
 +          Mode:Managed  Frequency:2.437 GHz  Access Point:
 +00:18:39:BF:D4:81
 +          Bit Rate=54 Mb/s   Tx-Power:25 dBm
 +          RTS thr:2347 B   Fragment thr:2346 B
 +          Encryption
 +key:A761-2CB0-936F-CCEB-591A-F18C-6ABF-89E5-73E8-347F-6D96-9121-279C-54FC-24AF-088D
 +          Power Management:off
 +          Link Quality: Signal level: Noise level:0
 +          Rx invalid nwid: Rx invalid crypt: Rx invalid frag:0
 +          Tx excessive retries: Invalid misc:  Missed beacon:0
 +</code>
  • 80_._x.txt
  • Last modified: 2012/06/06 12:15
  • (external edit)