I have set up a FreeRADIUS server, but it is not running the way I want it to ... With "radtest" all requests are acknowledged successfully, but as soon as I try to connect via an access point it rejects every connection attempt (see log).
I suspect it has to do with the certificates, but I'm not entirely sure, since this is the first time I'm working with FreeRADIUS.
Later the RADIUS server is to be run with a downstream SQL DB for the users and with dialup_admin.
Hardware:
Cisco AP541N-E-K9 Dual Band Access Point
Software:
CentOS 6.3 (yes, this is a Debian forum, but that shouldn't make any difference for FreeRADIUS?!?! If it does, I'm happy to reinstall it on a Debian system)
FreeRADIUS 2.x
I'll post the .conf files in 1-2 hours when I'm at home! If you need any further info, I'll of course provide it!
Yours, horrorhorst
Code:
Finished request 6.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.131.104 port 32782, id=17, length=200
User-Name = "host/RECHNER.DOMAIN.COM"
NAS-IP-Address = 192.168.131.104
NAS-Port = 0
Called-Station-Id = "00-21-29-06-40-90:cisco-data"
Calling-Station-Id = "D8-30-62-49-D7-4D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020200061900
State = 0x570d2f1d560f36dad7e563237fe790b3
Message-Authenticator = 0x3fc0c5eacb3277b16d6f1032c3c277a2
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/RECHNER.DOMAIN.COM", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 17 to 192.168.131.104 port 32782
EAP-Message = [four fragments, hex elided]
EAP-Message = 0x19d8b372ecba4570
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x570d2f1d550e36dad7e563237fe790b3
Finished request 7.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.131.104 port 32782, id=18, length=200
User-Name = "host/RECHNER.DOMAIN.COM"
NAS-IP-Address = 192.168.131.104
NAS-Port = 0
Called-Station-Id = "00-21-29-06-40-90:cisco-data"
Calling-Station-Id = "D8-30-62-49-D7-4D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x020300061900
State = 0x570d2f1d550e36dad7e563237fe790b3
Message-Authenticator = 0xa16222f4c4f58048e23ecdc7a31966e9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/RECHNER.DOMAIN.COM", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 18 to 192.168.131.104 port 32782
EAP-Message = 0x010400941900f61c04f2482cca194f68ea4ec13ee3260fdcd90aaa7697506c51d0d5e6f3883e9e0058a09061da9718066145bb4f634ea253e8e94186c027483addbeb02f73e3fd82ba85a8f3374355c3b46ece26f16311253a043139965b0231eda9961c0360a13557a947fbbd695591ba0debc7d38e019d7eb6310ec7284f6d8aa784ecafb4674cd38f2516030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x570d2f1d540936dad7e563237fe790b3
Finished request 8.
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 192.168.131.104 port 32782, id=19, length=211
User-Name = "host/RECHNER.DOMAIN.COM"
NAS-IP-Address = 192.168.131.104
NAS-Port = 0
Called-Station-Id = "00-21-29-06-40-90:cisco-data"
Calling-Station-Id = "D8-30-62-49-D7-4D"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11g"
EAP-Message = 0x0204001119800000000715030100020230
State = 0x570d2f1d540936dad7e563237fe790b3
Message-Authenticator = 0x2b5b6a03307124372785925b61f7ca86
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "host/RECHNER.DOMAIN.COM", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
expand: ->
Login incorrect (TLS Alert read:fatal:unknown CA): [host/RECHNER.DOMAIN.COM/<via Auth-Type = EAP>] (from client ap1 port 0 cli D8-30-62-49-D7-4D)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/RECHNER.DOMAIN.COM
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.8 seconds.
Cleaning up request 4 ID 14 with timestamp +5
Waking up in 0.1 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 19 to 192.168.131.104 port 32782
EAP-Message = 0x04040004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 5 ID 15 with timestamp +10
Cleaning up request 6 ID 16 with timestamp +10
Cleaning up request 7 ID 17 with timestamp +10
Cleaning up request 8 ID 18 with timestamp +10
Waking up in 1.0 seconds.
Cleaning up request 9 ID 19 with timestamp +10
Ready to process requests.
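Reading the bytes rather than the OpenSSL text helps here. The fatal `unknown_ca` alert is carried inside the EAP-Message of an Access-Request (id 19), so it is sent by the supplicant (the Windows machine authenticating as host/RECHNER.DOMAIN.COM), not by FreeRADIUS; the "failed in SSLv3 read client certificate A" line only names the OpenSSL state the server was in when the alert arrived. The preceding Access-Challenge (id 18) ends with the TLS record 16 03 01 00 04 0e 00 00 00, a ServerHelloDone, i.e. the server had just finished presenting its certificate chain. radtest passes because it uses PAP and never touches TLS. The decoder below is an added example, not part of the original post and not FreeRADIUS code: it parses the EAP-Message hex values of a `radiusd -X` log (EAP header per RFC 3748, TLS flags/length per RFC 5216, TLS record and alert codes per RFC 5246) and reports which side raised a TLS alert. The sample log inside it is constructed from the packets quoted above, with the elided challenge fragments left out.

```python
"""Decode EAP-Message values from a FreeRADIUS 2.x debug log and locate TLS alerts.
Added example (not from the original post); SAMPLE_LOG is constructed from the
packets quoted in the post (RADIUS ids 18 and 19)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",   # RFC 5246 7.2 (subset)
              40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied", 50: "decode_error",
              51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
              80: "internal_error"}


def decode_eap(hexstr):
    """Parse one EAP packet given as hex (with or without 0x); hexstr should be the
    concatenation of all EAP-Message attributes of a single RADIUS packet."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
            "complete": len(data) == length, "alerts": []}
    if code in (3, 4) or len(data) < 6:            # Success/Failure carry no type byte
        return info
    eap_type, flags = data[4], data[5]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    info["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
    payload = data[6:]
    if flags & 0x80:                                # L bit: 4-byte total TLS length follows
        info["tls_length"] = int.from_bytes(payload[:4], "big")
        payload = payload[4:]
    info["ack"] = not payload and not (flags & 0x20)   # empty non-start packet = TLS ACK
    if flags & 0x80:   # only a fragment with the L bit starts on a TLS record boundary;
        info["records"] = []   # a continuation fragment (like the id 18 challenge) cannot be parsed alone
        off = 0
        while off + 5 <= len(payload):
            ctype, ver = payload[off], (payload[off + 1], payload[off + 2])
            rlen = int.from_bytes(payload[off + 3:off + 5], "big")
            body = payload[off + 5:off + 5 + rlen]
            rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": TLS_VERSIONS.get(ver, ver)}
            if ctype == 21 and len(body) >= 2:      # alert: level byte, description byte
                rec["alert"] = ("fatal" if body[0] == 2 else "warning", TLS_ALERTS.get(body[1], body[1]))
                info["alerts"].append(rec["alert"])
            info["records"].append(rec)
            off += 5 + rlen
    return info


def find_tls_alerts(log_text):
    """Reassemble the EAP-Message attribute(s) of every RADIUS packet in a radiusd -X log
    and return (direction, eap_id, level, description) for each TLS alert found.
    Access-Request carries the supplicant's EAP packet; Sending Access-* carries the server's."""
    packets = []                                    # [direction, [hex chunks]]
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("rad_recv: Access-Request"):
            packets.append(["supplicant->server", []])
        elif line.startswith("Sending Access-"):
            packets.append(["server->supplicant", []])
        elif line.startswith("EAP-Message = 0x") and packets:
            packets[-1][1].append(line.split("= 0x", 1)[1])
    findings = []
    for direction, chunks in packets:
        if chunks:
            info = decode_eap("".join(chunks))
            findings.extend((direction, info["id"], lvl, desc) for lvl, desc in info["alerts"])
    return findings


# Constructed from the post's log (ids 18/19); the id 17 challenge with elided hex is omitted.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.131.104 port 32782, id=18, length=200
	User-Name = "host/RECHNER.DOMAIN.COM"
	EAP-Message = 0x020300061900
Sending Access-Challenge of id 18 to 192.168.131.104 port 32782
	EAP-Message = 0x010400941900f61c04f2482cca194f68ea4ec13ee3260fdcd90aaa7697506c51d0d5e6f3883e9e0058a09061da9718066145bb4f634ea253e8e94186c027483addbeb02f73e3fd82ba85a8f3374355c3b46ece26f16311253a043139965b0231eda9961c0360a13557a947fbbd695591ba0debc7d38e019d7eb6310ec7284f6d8aa784ecafb4674cd38f2516030100040e000000
rad_recv: Access-Request packet from host 192.168.131.104 port 32782, id=19, length=211
	User-Name = "host/RECHNER.DOMAIN.COM"
	EAP-Message = 0x0204001119800000000715030100020230
Sending Access-Reject of id 19 to 192.168.131.104 port 32782
	EAP-Message = 0x04040004
"""

if __name__ == "__main__":
    for m in re.findall(r"EAP-Message = (0x[0-9a-f]+)", SAMPLE_LOG):
        print(m[:24] + "...", decode_eap(m))
    for finding in find_tls_alerts(SAMPLE_LOG):
        print("TLS alert:", finding)          # ('supplicant->server', 4, 'fatal', 'unknown_ca')
```

A fatal unknown_ca from the client immediately after ServerHelloDone means the supplicant's trust store does not contain the CA that issued the RADIUS server certificate. With a stock FreeRADIUS 2.x install the server presents the self-signed test CA generated under /etc/raddb/certs (the standard default location, an assumption about this setup), which no Windows machine trusts. The fix is to import that CA into the client's trusted root store (or issue the server certificate from a CA the clients already trust) and, on the client, to keep server-certificate validation enabled and pinned to that CA; turning validation off would make the PEAP tunnel vulnerable to a rogue access point with any certificate.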