
Linux based RADIUS Setup

Introduction

The Linux distribution chosen to set up the FreeRADIUS server was SuSE 9.3 Professional. Several distributions were tried; the location of the files varies a bit from one distribution to another. You can download the ISO for CD 1 and, if you have a fast network connection, point the installation at SuSE's FTP server. In our case we downloaded all the ISO images and performed a "regular" OS installation on a PII machine with 512MB RAM.

How can this be used? A username/password can be a problem because it can be shared. With EAP-TLS the client authenticates with a certificate and its private key instead. The certificate is imported on the machine by the administrator and the user is not given the export password, so the credential cannot simply be copied to another machine. An additional control is the certificate's validity period: access ends when the certificate expires (or when the CA revokes it). In this kind of scenario the time-consuming part is managing the certificates.

Hardware needed:

• 1 PC with at least 256MB RAM; for the NIC use 3COM or Intel (suggested). This PC will be used to install SuSE 9.3.

• 1 AP/Router configured to have access to the Internet on the WAN port. A Linksys WRT54GL was used.

• 1 Windows NT client with (1) Ethernet port and (1) wireless port with WPA support.

The AP will have the following settings:

• LAN address: 172.16.1.1/24, DNS values are left blank (on auto)

• WAN address: set by DHCP

• Wireless: the same settings as the setup used for the Windows based RADIUS configuration (RADIUS server IP 172.16.1.10, port 1812, etc.)

• The rest of the values are to be left at the default factory settings

The Windows NT client will have the following settings:

• Ethernet IP: set by DHCP

• Wireless IP: set by DHCP

The topology is as follows: the Ethernet ports of the Windows NT client and the Linux box are connected to the LAN side of the router, and the WAN port provides access to the Internet. The AP sends its RADIUS requests to 172.16.1.10, so the Linux box must end up with that address; whether you use a static assignment in YaST or a reservation in the router's DHCP, make sure it gets that IP consistently.


Linux based RADIUS Setup Page 2 of 38

FreeRADIUS EAP-TLS.doc Saved: 6/28/06

Installing SuSE 9.3

Screenshot 1

1. Click on Installation, then I agree, then Accept, then Details

The YaST installer window displays

Screenshot 2

2. In the Installation Settings pane scroll down a bit and click on Software


The Software Selection pane displays

Screenshot 3

3. The radio button for Standard system with KDE should be selected by default

4. Click the Detailed selection… button

The Installation Settings window displays

Screenshot 4

5. In the left Selection pane click on Network/Server (no need for a checkmark)


6. In the right Package pane place a checkmark on freeradius.

7. Click the Accept button.

The Changed Packages window displays

Screenshot 5

8. Click the Continue button

a. The Installation Settings window displays (Screenshot 4)

b. Click the Accept button.

9. On the license for the Flash Player screen, confirm all.

10. On the Confirm Install screen, choose Install.

11. Your hard disk will be partitioned, and the requested packages will be copied onto it.

12. For the root user, this walkthrough uses the password toor.

a. Confirm the password settings twice.

• toor is a throwaway value for a lab box that is rebuilt at will; on anything else choose a strong root password here.


The Network Configuration window displays

Screenshot 6

13. Click the Change… button

14. Choose Network interfaces

15. In the Already Configured Network Devices section, choose Change.

• Your NIC should be listed there


The Network Configuration Overview window displays

Screenshot 7

16. Click the Edit button

The Network Address Setup window displays

Screenshot 8

17. Click the Advanced button.


The Network Address Setup window displays

Screenshot 9

18. Click the Hostname and Name Server button

19. In the domain section, add ".com" to site, so it displays site.com.

Note: The resulting host name linux.site.com is a lab name only; it is not registered in public DNS. It is used below as the Common Name of the server certificate, so it must be spelled the same everywhere it appears.

20. Click the OK button.

21. Click the Advanced button, then choose Detailed Settings.


The Detailed Network Card Settings window displays

Screenshot 10

22. Change the Firewall Zone to Internal Zone (unprotected), then click OK, then click Next, then click Finish, then click Next.

• Note: the Internal Zone turns SuSEfirewall2 off for this interface, which is convenient while testing. On a box that stays in service, keep the interface in a protected zone instead and open only the RADIUS ports (UDP 1812 for authentication, 1813 for accounting) to the access point.

23. Skip the Online Update, click Skip This Test, then click Next.

24. For the Authentication Method, use Local

25. On the Add New User screen enter the username "user" and assign the password "toor".

26. Click Next, then click Yes, then click Yes. Disable the Auto login option.

27. Click Next on the release notes

28. For the Hardware configuration click Next.

29. On the Installation Completed screen click Finish.

30. Allow the computer to reboot

• You will be greeted by a series of requests about updates, etc.

• Cancel them all; we will manually update specific areas after RADIUS works.


31. Login as root, password is toor.

a. If at this point you are logged in as "user", your desktop's background will be blue.

b. Log off by clicking on the K Menu icon, located at the bottom left.

• This is the K Menu and we will be referring to it many times.

The root user’s Desktop displays

Screenshot 11

Notes:

• We are now ready to start. The overall recommendation is to work as the regular user "user", but for development purposes we will work as the super-user "root".

• From here on, every step more or less constitutes a test; each item has been made as granular as possible to allow for easy troubleshooting.

• In Linux, commands are case-sensitive.


Starting and stopping the RADIUS server

Starting the server

1. In the taskbar shown in Screenshot 11, click the shell (terminal) icon.

2. This opens a shell window, the Linux command line interface.

3. Enter radiusd -X

• -X runs the server in the foreground with full debug output, so everything it does is printed to this window. To stop it, press Ctrl-C in this window or kill the process from another shell (below).

4. If all is OK from the perspective of the server, the last line will display "Ready to process requests".

5. Scroll through the window and look for entries that begin with rlm_eap.

• All of them must be followed by a "success" comment. If not, this indicates that OpenSSL is not working or configured properly. Fix this item before proceeding.

Stopping the server

6. Click the shell icon on the taskbar to start a second shell.

7. Enter netstat -ap --udp

• We are interested in an entry of the form nnnnn/radiusd.

• nnnnn is the process number or identifier (PID) for that process.

8. To stop the RADIUS server, enter the command kill nnnnn

• Look at the first shell window where radiusd was started. It should display a message that the process was "killed".

There are other ways and options to stop and start the server (for example Ctrl-C in the window running radiusd -X). Up to this point, we have tested one item: the basic server setup is running.

Connectivity Testing

Before we start to configure anything, we must test for connectivity, internal and external. The server reports everything it sees; at this point we only want to see activity. It does not matter whether it denies or accepts the requests in these tests.

Internal connectivity quick test (localhost):

9. Start the server in one shell window as shown in step 3 above.

10. In the second shell window, enter the command:

radtest test test localhost 0 testing123

• The arguments are: user name test, password test, server localhost, NAS port 0, and the shared secret testing123, which is the secret the stock clients.conf defines for the localhost client.

• What matters is the last line, a rad_recv line reporting an Access-Reject from the server. This indicates the server is sending/receiving info. So far, so good.

11. Stop the server as shown in steps 7 and 8 above.

• Now try the same radtest command and see the difference: with no server listening there is no reply.

• The PID will be different each time the server is started; find out the new one before using kill. Running the kill command blindly can cause problems.

External connectivity quick test:

12. Start the FreeRADIUS server.

13. Download the NTRadPing utility.

• Simply open Google and search for NTRadPing. The Novell site should be at the top.

14. Install it on the PC with the Ethernet and Wireless cards.

Screenshot 12

15. Once you have it running, enter 172.16.1.10:1812 in the RADIUS Server/port box.

16. For the request type, choose Authentication Request.

17. Click the Send button.

18. On the server shell, you will see activity. The IP of the computer running the ping must show up somewhere in the debug info from the server. If so, move on to the next step.

19. At this point, we have now tested the connectivity of the server.

20. Shutdown FreeRADIUS

Testing the OpenSSL compilation and configurations.

Notes:

• One time-consuming part in any Linux distro is finding where all the files are. The Linux file system is a single tree, and all of it starts at the root, or / .

• On Wintel platforms, the root of a particular storage unit is \ prefixed with the drive letter (and a colon in the middle, of course). In Linux, / serves the same purpose as \ on Wintel systems; there are no drive letters.

• In Linux, hardware devices appear as special files (under /dev), and storage volumes are mounted at a folder somewhere in the same tree.


21. Click on K Menu.

• Right above there you will see Find Files/Folders; click on it.

The Find Files/Folders window displays.

Screenshot 13

22. Search for a file named eap.conf, and look in / as shown.

23. After a while, only one entry will show up.

24. Click on the name itself, and a text file editor will automatically open the file.


Screenshot 14

25. Look for the entry that begins with #tls {.

26. Remove the # before it, and carefully find the closing } below it. It should be located below the line #check_cert_cn. Also remove the preceding # from here.

• We have now enabled the EAP-TLS module. We will temporarily be using the demo certs to test it.

27. Below the line tls { you will see 6 # (pound symbols), up to the line #random_file.

• Remove them.

• Close the editor, click Yes to save.

• The above Screenshot 14 shows the detail. Keep this in mind; we will be changing those lines again later on.

28. Start the server. For SuSE 9.3, an error message will be displayed; that is no problem.

• The error relates to being unable to open the root CA file: there is no readable file at the configured path (it is missing, or the permissions are wrong). What matters is that somewhere in the displayed lines it says that the module rlm_eap did initialize.

• Notice how the private key password (<whatever>, the placeholder from the demo config) is printed in clear text in the listing: radiusd -X echoes its whole configuration. Treat debug output as sensitive once real passwords are in eap.conf, and do not paste it into tickets or mail unedited.


We are done with the setup testing; now we move on to setting up RADIUS to work with our system.


We will group this in 3 major sections:

A. Setting up the CA, the server certificate and the client certificate

B. Setting up the RADIUS config files

C. Setting up the Windows NT client configuration

Tips and Hints

• You can copy this file onto the Linux box and simply cut and paste all the commands.

- The shortcut key for pasting into the shell is [SHIFT]+[INS], or simply right-click in it and choose Paste.

• vi tips: vi is a command line editor.

- To start inserting text press the i key.

- To finish inserting text, press the ESC key.

- To save and exit vi, press capital Z two times, i.e. ZZ.

Setting up the CA, the server certificate and the client certificate

1. To set up the CA, we must modify the openssl.cnf file. You can search for it and open it; modify the values shown to suit your needs.

cd /etc/ssl
vi openssl.cnf
[i]

2. Change the CA root path in the CA_default section to reflect the CA we're about to create. The other lines are further down in openssl.cnf, in the req_distinguished_name section:

[ CA_default ]
dir = ./luisCA    # Where everything is kept

countryName_default = US
stateOrProvinceName_default = Texas
0.organizationName_default = Industrial Wiremonkeys of the World
commonName = linux.site.com

[ESC] [Z][Z]

• Note on the last line: in this section commonName is the prompt text that openssl req displays, not a default value (the _default entries are the defaults). That is why the prompts in the transcripts below read "linux.site.com []:" and the value still has to be typed each time; commonName_default = linux.site.com would pre-fill it. If the prompts still show the old defaults (as the transcripts below do for Organization Name), the edit did not take: check that openssl.cnf was saved and that -config points at the file you edited.

3. Keep this in mind: as we go through this process, the value typed at that common name prompt is changed twice from linux.site.com, once for the CA (SuSE93CA) and once for the client (LIFEBOOK); the server certificate takes linux.site.com. If this is not done, the setup will fail.

4. The file xpextensions must be created in the same folder (/etc/ssl), so you can either use vi or find the application KWrite. The two OIDs are the Extended Key Usage values Windows XP insists on: 1.3.6.1.5.5.7.3.2 is Client Authentication and 1.3.6.1.5.5.7.3.1 is Server Authentication.

vi xpextensions
i

[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1

[ESC] [Z][Z]


5. We now create the CA, SuSE93CA, by modifying the script that is responsible for creating one. It will also create the luisCA folder for us.

6. Find the CA.sh file. It should be located in the /usr/share/ssl/misc folder. Make the change shown:

cd /usr/share/ssl/misc
vi CA.sh
i
CATOP=./luisCA
[ESC] [Z][Z]

7. Jump back to the ssl folder: cd /etc/ssl

8. When prompted, type in a pass phrase (use "passphrase" as a suggestion for the lab). It protects the CA's private key, which signs every certificate the server trusts, so in any real deployment use a strong one.

9. For the common name use SuSE93CA (suggestion, otherwise substitute accordingly).

10. Run the script:

/usr/share/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)      # Do not type anything here, simply press enter

Making CA certificate ...
Generating a 1024 bit RSA private key
........................++++++
..++++++
writing new private key to './luisCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Texas]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
linux.site.com []:Suse93CA
Email Address []:

• 1024-bit RSA was the default in 2006. Current clients and OpenSSL builds expect at least 2048 bits; if your CA.sh still generates 1024-bit keys, raise the key size in the script before running it.

11. We now create a server certificate; the Common Name is linux.site.com, the name of the Linux box where the server runs.

• The -nodes option leaves the server's private key unencrypted on disk. That is not recommended in a production environment, but it lets radiusd start without a pass phrase, and for now we will use it. The file permissions set later are then the only protection of that key.


12. Enter the following command:

openssl req -new -nodes -keyout server_key.pem -out server_req.pem -days 730 -config ./openssl.cnf

• Note: The above command must be typed on one line, even though it may wrap on your screen.

Generating a 1024 bit RSA private key
.......................................++++++
.............................................++++++
writing new private key to 'server_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Texas]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
linux.site.com []:linux.site.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

13. Enter the command below. The CA is used to sign the server certificate request:

openssl ca -config ./openssl.cnf -policy policy_anything -out server_cert.pem -extensions xpserver_ext -extfile ./xpextensions -infiles ./server_req.pem


Using configuration from ./openssl.cnf
Enter pass phrase for ./luisCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 21 14:43:05 2006 GMT
            Not After : Jun 21 14:43:05 2007 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Texas
            organizationName          = Internet Widgits Pty Ltd
            commonName                = linux.site.com
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
Certificate is to be certified until Jun 21 14:43:05 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

• Two things to check in this output: the extension reads TLS Web Server Authentication (the xpserver_ext section took effect), and the validity is 365 days, not the 730 given to openssl req. The -days option of openssl req only applies to self-signed certificates; a CA-signed certificate gets default_days from the CA_default section, or -days passed to openssl ca. Plan the server certificate's lifetime accordingly: when it expires, every client stops authenticating.

14. It is time to clean out the certificate and combine the key and certificate in a single file. openssl ca writes a human-readable dump of the certificate above the PEM block, and that dump must go. The file to be modified is server_cert.pem. We edit the file as shown below.

• vi server_cert.pem

• Delete lines with dd as needed until the line -----BEGIN CERTIFICATE----- is left at the top.

• [Z][Z]

• Passing -notext to openssl ca avoids this editing step entirely.

15. We now concatenate these two files:

cat server_key.pem server_cert.pem > server_keycert.pem

16. We now start the same process for the clients.

17. First we request a certificate for the client.

• In our case, the NetBIOS name of the client is LIFEBOOK.

• In the shell, you can press the up arrow key to go back to the previous command and only make the needed changes. The -nodes option is left out, so the client key is encrypted with a pass phrase.

openssl req -new -keyout client_key.pem -out client_req.pem -days 730 -config ./openssl.cnf


Generating a 1024 bit RSA private key
.++++++
........++++++
writing new private key to 'client_key.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [Texas]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
linux.site.com []:LIFEBOOK
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:password
An optional company name []:

18. We now sign the client certificate:

openssl ca -config ./openssl.cnf -policy policy_anything -out client_cert.pem -extensions xpclient_ext -extfile ./xpextensions -infiles ./client_req.pem


Using configuration from ./openssl.cnf
Enter pass phrase for ./luisCA/private/cakey.pem:
DEBUG[load_index]: unique_subject = "yes"
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jun 21 20:27:39 2006 GMT
            Not After : Jun 21 20:27:39 2007 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Texas
            organizationName          = Internet Widgits Pty Ltd
            commonName                = LIFEBOOK
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
Certificate is to be certified until Jun 21 20:27:39 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

• unique_subject = "yes" means this CA will refuse to sign a second request with the same subject while the first certificate is valid. To reissue LIFEBOOK's certificate later, revoke the old one first (openssl ca -revoke) or set unique_subject = no in the CA's index.txt.attr.

19. We now do the same with the client certificate.

• vi client_cert.pem

• Delete lines with dd as needed until -----BEGIN CERTIFICATE----- is left at the top.

• [Z][Z]

20. Concatenating the files:

cat client_key.pem client_cert.pem > client_keycert.pem

21. Here we begin to set up the information needed to run EAP-TLS authentication for XP. First we export the client key and certificate into a single PKCS#12 file, to be copied to the XP machine later on:

openssl pkcs12 -export -in client_cert.pem -inkey client_key.pem -out client_cert.p12 -clcerts

Enter pass phrase for client_key.pem:
Enter Export Password:
Verifying - Enter Export Password:

• The export password protects the private key inside the .p12 file and is needed once, at import time on the client. The .p12 file is the client's credential: move it over a channel you trust and delete the spare copies once it is imported.
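The whole of section A (steps 1 through 21) as one unattended shell script, added here as an example; it is not part of the original document and does not use CA.sh. It builds the lab PKI in a scratch directory so the result can be checked before anything is copied into /etc/ssl or /etc/raddb/certs. Assumptions not in the original: the directory and pass phrases come from the environment variables LABCA_DIR, LABCA_PASS, LAB_CLIENT_PASS and LAB_P12_PASS (the page's suggested lab values are the defaults), the CA certificate is created directly with openssl req -x509, keys are 2048-bit RSA with SHA-256 instead of the 2006 defaults, -notext removes the hand editing of steps 14 and 19, and the PKCS#12 file is written with 3DES and a SHA-1 MAC because Windows XP cannot import the AES/PBKDF2 defaults of current OpenSSL releases. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original document: section A (CA, server and client
# certificates, PKCS#12 export) as one unattended script in a scratch directory.
# Assumptions: directory and pass phrases come from the environment (defaults are the
# page's lab values); keys are 2048-bit RSA with SHA-256; the CA is made with req -x509
# rather than CA.sh; -notext replaces the hand editing of steps 14 and 19.
set -e
LABCA_DIR="${LABCA_DIR:-$(mktemp -d)}"
LABCA_PASS="${LABCA_PASS:-passphrase}"         # CA key pass phrase (step 8)
LAB_CLIENT_PASS="${LAB_CLIENT_PASS:-password}" # client key pass phrase (step 17)
LAB_P12_PASS="${LAB_P12_PASS:-password}"       # export password typed into XP (step 21)
export LABCA_PASS LAB_CLIENT_PASS LAB_P12_PASS # passed as env:NAME, so they never show in ps
DN_PREFIX="/C=US/ST=Texas/O=Industrial Wiremonkeys of the World"

write_ca_config() {                            # steps 1-4: openssl.cnf and xpextensions
    mkdir -p "$LABCA_DIR/private" "$LABCA_DIR/newcerts"
    : > "$LABCA_DIR/index.txt"; echo 01 > "$LABCA_DIR/serial"
    cat > "$LABCA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $LABCA_DIR
database = $LABCA_DIR/index.txt
new_certs_dir = $LABCA_DIR/newcerts
serial = $LABCA_DIR/serial
certificate = $LABCA_DIR/cacert.pem
private_key = $LABCA_DIR/private/cakey.pem
default_days = 365
default_md = sha256
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    printf '[ xpclient_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.2\n[ xpserver_ext ]\nextendedKeyUsage = 1.3.6.1.5.5.7.3.1\n' \
        > "$LABCA_DIR/xpextensions"
}

make_ca() {                                    # steps 5-10: self-signed CA "SuSE93CA"
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -sha256 -config "$LABCA_DIR/openssl.cnf" \
        -extensions v3_ca -keyout "$LABCA_DIR/private/cakey.pem" -passout env:LABCA_PASS \
        -out "$LABCA_DIR/cacert.pem" -subj "$DN_PREFIX/CN=SuSE93CA"
    chmod 0400 "$LABCA_DIR/private/cakey.pem"
}

sign_request() {                               # $1 = request, $2 = xpextensions section, $3 = output
    openssl ca -batch -notext -config "$LABCA_DIR/openssl.cnf" -policy policy_anything \
        -passin env:LABCA_PASS -extensions "$2" -extfile "$LABCA_DIR/xpextensions" \
        -out "$3" -infiles "$1"
}

make_server_cert() {                           # steps 11-15; $1 = server CN (linux.site.com)
    openssl req -new -nodes -newkey rsa:2048 -config "$LABCA_DIR/openssl.cnf" \
        -keyout "$LABCA_DIR/server_key.pem" -out "$LABCA_DIR/server_req.pem" -subj "$DN_PREFIX/CN=$1"
    sign_request "$LABCA_DIR/server_req.pem" xpserver_ext "$LABCA_DIR/server_cert.pem"
    cat "$LABCA_DIR/server_key.pem" "$LABCA_DIR/server_cert.pem" > "$LABCA_DIR/server_keycert.pem"
    chmod 0400 "$LABCA_DIR/server_key.pem" "$LABCA_DIR/server_keycert.pem"
}

make_client_cert() {                           # steps 16-21; $1 = client CN (LIFEBOOK)
    openssl req -new -newkey rsa:2048 -config "$LABCA_DIR/openssl.cnf" -passout env:LAB_CLIENT_PASS \
        -keyout "$LABCA_DIR/client_key.pem" -out "$LABCA_DIR/client_req.pem" -subj "$DN_PREFIX/CN=$1"
    sign_request "$LABCA_DIR/client_req.pem" xpclient_ext "$LABCA_DIR/client_cert.pem"
    # XP's import wizard predates the AES/PBKDF2 defaults of current OpenSSL; 3DES + SHA-1 MAC stays importable.
    openssl pkcs12 -export -clcerts -in "$LABCA_DIR/client_cert.pem" -inkey "$LABCA_DIR/client_key.pem" \
        -passin env:LAB_CLIENT_PASS -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout env:LAB_P12_PASS -out "$LABCA_DIR/client_cert.p12"
}

# Checks to run before copying anything into /etc/raddb/certs.
verify_chain() { openssl verify -CAfile "$LABCA_DIR/cacert.pem" "$1" >/dev/null 2>&1; }
ca_is_ca()     { openssl x509 -in "$LABCA_DIR/cacert.pem" -noout -text | grep -q 'CA:TRUE'; }
p12_opens()    { openssl pkcs12 -in "$LABCA_DIR/client_cert.p12" -noout -passin env:LAB_P12_PASS 2>/dev/null; }
cert_eku()     { openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | sed -n '2s/^[[:space:]]*//p'; }

build_lab_pki() { write_ca_config; make_ca; make_server_cert linux.site.com; make_client_cert LIFEBOOK; }

if [ "${LAB_PKI_RUN:-0}" = 1 ]; then           # LAB_PKI_RUN=1 sh lab-pki.sh
    build_lab_pki
    echo "CA: $LABCA_DIR/cacert.pem  server EKU: $(cert_eku "$LABCA_DIR/server_cert.pem")  client EKU: $(cert_eku "$LABCA_DIR/client_cert.pem")"
fi
```

The checks at the end are the ones worth keeping around: verify_chain confirms the CA really issued the certificate, cert_eku confirms the XP-specific Extended Key Usage landed on the right certificate (server on the server, client on the client), and p12_opens confirms the export password is the one you think it is before the file goes to the laptop.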

22. Setting up the certificates in RADIUS

23. The files we have created must now be copied to the right places, and then we set the ownerships and permissions. Enter the following commands:


cp /etc/ssl/luisCA/cacert.pem /etc/raddb/certs
chmod 0444 /etc/raddb/certs/cacert.pem
cp /etc/ssl/server_keycert.pem /etc/raddb/certs
chmod 0400 /etc/raddb/certs/server_keycert.pem

24. The server key file must be owned by the account radiusd runs as, and be readable by nobody else. In SuSE 9.3 the package creates no radiusd account and, as configured here, the daemon runs as the user that starts it, root (see step 30), so:

chown root:root /etc/raddb/certs/server_keycert.pem

• If you later run the daemon as a dedicated account (user = radiusd, group = radiusd in radiusd.conf), create that account and chown the key to it instead. Note the directory is /etc/raddb/certs; a path without the /etc prefix does not exist.

25. If all is fine, no error messages will show for any of the commands above.

26. We need Diffie-Hellman parameters and a seed file for the random number generator; always use the kernel's random number generator for the latter. Enter:

cd /etc/raddb/certs
openssl dhparam -check -text -5 512 -out dh

Generating DH parameters, 512 bit long safe prime, generator 5
This is going to take a long time
.........+...........+......+............................++*++*++*++*++*++*
DH parameters appear to be ok.

dd if=/dev/random of=random count=2
0+2 records in
0+1 records out
170 bytes (170 B) copied, 0.001783 seconds, 95.3 kB/s

chmod 0400 dh
chmod 0400 random
chown root:root dh random

• 512-bit DH parameters were acceptable in 2006; they are far too small to be safe now and current TLS stacks reject them. Use 2048 bits (openssl dhparam -out dh 2048). /dev/random blocks until the kernel has collected enough entropy, so the dd command may pause on an idle box; the file only seeds OpenSSL's generator and its exact size does not matter.

27. At this point we are done with setting up the CA, and we have partially configured RADIUS by putting the certificate files in place and setting their ownership.

28. We now modify the eap.conf file again; change to the values shown below.

vi eap.conf
[i]
default_eap_type = tls
private_key_password = qwerty
private_key_file = ${raddbdir}/certs/server_keycert.pem
certificate_file = ${raddbdir}/certs/server_keycert.pem
CA_file = ${raddbdir}/certs/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
[ESC][Z][Z]

• The server key was generated with -nodes, so it is not encrypted and private_key_password is not used to decrypt anything. If you generate an encrypted server key instead (drop -nodes), put its pass phrase here and protect eap.conf as in step 31.


29. At the end of the clients.conf file add the access point as a client:

vi clients.conf
[i]
client 172.16.1.0/24 {
        secret = qaz123
        shortname = linksys
        nastype = other
}
[ESC][Z][Z]

• Two points a reviewer would raise here. First, 172.16.1.0/24 lets any host on the LAN, not just the access point, send requests to the server with that secret; listing the AP's address alone (client 172.16.1.1 { ... }) is tighter. Second, the shared secret is the only thing that authenticates the AP to the RADIUS server and protects the attributes in the exchange, and qaz123 is a lab value; use a long random string (16 characters or more) and enter the same value in the AP's RADIUS settings.

30. Another file that could be modified is radiusd.conf. Since SuSE does not create a user for FreeRADIUS, for now it is best not to make any changes, which means radiusd runs as root. Once the setup works, create a dedicated account, set user and group in radiusd.conf, and chown the certificate files to it.

31. Later on, the files must be secured, for example:

chown root:root eap.conf
chmod 0600 eap.conf

32. We are done with the Linux system, start the RADIUS server. Watch carefully all the messages.
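The clients.conf stanza in step 29 is where most lab setups stay weak permanently, so here is a check for it, added as an example and not part of the original document. audit_clients_conf reads a FreeRADIUS 1.x style clients.conf and warns about a client entry that covers a network instead of a single NAS and about a missing, default (testing123) or short shared secret; gen_secret produces a 48-character hexadecimal secret from /dev/urandom. weak_conf and hardened_conf are constructed samples: the first is the stanza from step 29, the second the same stanza restricted to the access point's address 172.16.1.1 with a generated secret. Function names are mine.

```shell
#!/bin/sh
# Added example, not from the original document: a check for the clients.conf stanza
# of step 29. Reads a FreeRADIUS 1.x clients.conf on stdin; prints one WARN line per finding.
set -e

audit_clients_conf() {
    awk '
    /^[ \t]*client[ \t]+/ {                          # "client <addr>[/prefix] {"
        name = $2; sub(/\{.*$/, "", name); sub(/[ \t]+$/, "", name)
        secret = ""; inblock = 1; next
    }
    inblock && /^[ \t]*secret[ \t]*=/ {              # secret = value   (quotes tolerated)
        s = $0; sub(/^[ \t]*secret[ \t]*=[ \t]*/, "", s); sub(/[ \t]+$/, "", s); gsub(/"/, "", s)
        secret = s; next
    }
    inblock && /^[ \t]*\}/ {                         # end of stanza: report on it
        inblock = 0
        if (name ~ /\//) {                           # a prefix shorter than /32 is a range, not one NAS
            split(name, p, "/")
            if (p[2] + 0 < 32)
                printf "WARN %s: entry covers a /%s range; list the NAS address alone\n", name, p[2]
        }
        if (secret == "")
            printf "WARN %s: no shared secret\n", name
        else if (secret == "testing123")
            printf "WARN %s: default secret testing123 must be changed\n", name
        else if (length(secret) < 16)
            printf "WARN %s: secret is %d characters; use at least 16 random characters\n", name, length(secret)
    }'
}

# 48 hex characters from the kernel RNG, suitable as a RADIUS shared secret.
gen_secret() { head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Constructed sample: the stanza from step 29 as written.
weak_conf() {
    cat <<'EOF'
client 172.16.1.0/24{
    secret = qaz123
    shortname = linksys
    nastype = other
}
EOF
}

# Constructed sample: the same client restricted to the access point, with a generated secret.
hardened_conf() {
    cat <<EOF
client 172.16.1.1 {
    secret = $(gen_secret)
    shortname = linksys
    nastype = other
}
EOF
}

if [ "${CLIENTS_AUDIT_DEMO:-0}" = 1 ]; then          # CLIENTS_AUDIT_DEMO=1 sh clients-audit.sh
    weak_conf | audit_clients_conf
fi
```

For a live file: audit_clients_conf < /etc/raddb/clients.conf. The secret generated by gen_secret has to be typed into the access point as well, so generate it once, paste it into both places, and keep it out of shell history and debug output.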


Access point setup: quick reminder (Wireless Security window, Screenshot 15). The AP uses the wireless security mode that hands authentication to RADIUS (WPA with 802.1X), with server 172.16.1.10, port 1812, and the same shared secret as the clients.conf entry above.

Configuring XP

1. In order to manually import the files, there are two files that must be copied to XP: client_cert.p12 and cacert.pem. These files must be imported using the Certificates snap-in (Screenshot 16).

2. The .p12 file goes into Certificates - Current User / Personal / Certificates. Importing it asks for the export password chosen in step 21.


3. The other file, cacert.pem, is the CA certificate and goes into Trusted Root Certification Authorities (Screenshot 16 in the original shows the location). Without it XP cannot validate the server certificate presented during EAP-TLS.

4. The Wireless NIC has to be configured as follows (the settings are shown in the original's screenshots):


5. Then:

6. Save the profile and connect.


Troubleshooting

1. If all goes OK, you will see something similar to the following output once connected. The exchange takes several Access-Request/Access-Challenge round trips. The line TLS_accept:error in SSLv3 read client certificate A that appears in request 1 is not a failure: OpenSSL prints it whenever it has to wait for the next fragment from the client (here, the client certificate), and the handshake continues in the following request.

rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=129
        User-Name = "LIFEBOOK"
        NAS-IP-Address = 172.16.1.1
        Called-Station-Id = "0014bf18fbd1"
        Calling-Station-Id = "000e35e93319"
        NAS-Identifier = "0014bf18fbd1"
        NAS-Port = 3
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0201000d014c494645424f4f4b
        Message-Authenticator = 0xaabedd1f00d840959228067122f038f9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
    users: Matched entry DEFAULT at line 152
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 172.16.1.1:2048
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x98bb72e5259b893d9048b63f08918889
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=240
        User-Name = "LIFEBOOK"
        NAS-IP-Address = 172.16.1.1
        Called-Station-Id = "0014bf18fbd1"
        Calling-Station-Id = "000e35e93319"
        NAS-Identifier = "0014bf18fbd1"
        NAS-Port = 3
        Framed-MTU = 1400


State = 0x98bb72e5259b893d9048b63f08918889 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202006a0d8000000060160301005b01000057030144a0b189d7d493b3b398a78a05be64894e89e0408557c428d930eefb2b1db10f00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100 Message-Authenticator = 0x1bd4f459c5c46dd9ef95192e791f7a0a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 2 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0529], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A 
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0066], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 0 to 172.16.1.1:2048 EAP-Message = 0x0103040a0dc0000006fa160301004a02000046030144a0b20210c68653fbb1925194ce4e811644421c87a5e5cb88c1e1f57447a94820242eae1d7eab56ba07b3e1b021f9d774e0e8000a2921305b23ee21098fcc1f8a00390016030105290b00052500052200023d30820239308201a2a003020102020101300d06092a864886f70d01010405003053310b3009060355040613025553310e30

Page 28: Free Radius Eap Tls

Linux based RADIUS Setup Page 28 of 38

FreeRADIUS EAP-TLS.doc Saved: 6/28/06

0c0603550408130554657861733121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f060355040313085375736539334341301e170d3036303632333030343330395a170d3037303632333030343330395a30 EAP-Message = 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 EAP-Message = 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 EAP-Message = 0x1318496e7465726e6574205769646769747320507479204c74643111300f060355040313085375736539334341301e170d3036303632333030343134365a170d3037303632333030343134365a3053310b3009060355040613025553310e300c0603550408130554657861733121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f06035504031308537573653933434130819f300d06092a864886f70d010101050003818d0030818902818100c14faa1ea6e09568ec8ed722d4b10b2a61c3230190fb3c00467380a7adb3bb68c9e43cb852467331be7aebf0fd391113bab1b94d10f985a30d02c244cba5 EAP-Message = 0x3da49ba0cfb8c8d5d68f029ec94fc94c0aaf9e8ac6e9 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd0fa6a5ad055c6ad336cb8af99beb64a Finished request 1 Going to the next request Waking up in 6 seconds... 
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=140
    User-Name = "LIFEBOOK"
    NAS-IP-Address = 172.16.1.1
    Called-Station-Id = "0014bf18fbd1"
    Calling-Station-Id = "000e35e93319"
    NAS-Identifier = "0014bf18fbd1"
    NAS-Port = 3
    Framed-MTU = 1400
    State = 0xd0fa6a5ad055c6ad336cb8af99beb64a
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020300060d00
    Message-Authenticator = 0x5330a137852ce3a28af6629bd1067b6d
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 0 to 172.16.1.1:2048
    EAP-Message = 0x010403040d80000006fa19bcb492be041c164db2caf555e07364ffe37736e104d46dd3ffcaa435249a53648741f8e9bf2c2cf81e17610203010001a381b63081b3301d0603551d0e04160414dc0a7a63e7c2df866f01aff0b4609c1a32b966403081830603551d23047c307a8014dc0a7a63e7c2df866f01aff0b4609c1a32b96640a157a4553053310b3009060355040613025553310e300c0603550408130554657861733121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f060355040313085375736539334341820900fadf8685a1337da4300c0603551d13040530030101ff300d06092a864886f7
    EAP-Message = [elided]
    EAP-Message = [elided]
    EAP-Message = 0x0853757365393343410e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xcdb9cf3efdc25f9c31b52c55763e7213
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=1640
    User-Name = "LIFEBOOK"
    NAS-IP-Address = 172.16.1.1
    Called-Station-Id = "0014bf18fbd1"
    Calling-Station-Id = "000e35e93319"
    NAS-Identifier = "0014bf18fbd1"
    NAS-Port = 3
    Framed-MTU = 1400
    State = 0xcdb9cf3efdc25f9c31b52c55763e7213

    NAS-Port-Type = Wireless-802.11
    EAP-Message = [elided]
    EAP-Message = 0x45424f4f4b30819f300d06092a864886f70d010101050003818d0030818902818100e132acb5baef33b65eb1531239067c7d63f022b4e178797f86ca37dc246f17dfede8c3ff70689c6424923f771251bbc8e8ccfb2fa3fc1ca5fa0e093c9b37e2a95789c32ea49e84cc09d581645fe9a93de027670cf8021c3a999d51d1f63f1377cc02748643bff9968df9cabbaff0b84f9af839132316dcb24b529a5c1682771b0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d0101040500038181006e7fa09d749f54d9a210baf23e21a4be82dd19b3e712f5d90ec6bf161ab903ce75823a75c06fe66b7065
    EAP-Message = [elided]
    EAP-Message = [elided]
    EAP-Message = 0x160414dc0a7a63e7c2df866f01aff0b4609c1a32b966403081830603551d23047c307a8014dc0a7a63e7c2df866f01aff0b4609c1a32b96640a157a4553053310b3009060355040613025553310e300c0603550408130554657861733121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f060355040313085375736539334341820900fadf8685a1337da4300c0603551d13040530030101ff300d06092a864886f70d0101040500038181007bebc67e9bb290e997ac42b4be73fea306bc22d2b876ca78d8c53cf69807b81d871357512cb2e83265cd73a7b329bc17f3269c6ed0b699002eaa3816cbf724
    EAP-Message = 0xee6e79677a66fe13dad6e63aef3786054d7f4958543a95e060596eb32e0630d6e8b1fb92bee54429d0f4eb1aace90ccde7baaecd3fec520f15c2952a6ce739d6f0160301004610000042004068159e7556e242d4f9a923bb949cdbc6399cf3cef8fb5b15dac5a95dc858b28ab15a136ea05943ada87a37f1b22afc116c755e902ae76d04002dde24f949febe16030100860f00008200806797ba15c43c566668c0691043147bedbf9cdecc530edd93691fdd5a437fbbddc5cf5cc051ae2af107a635bf1d9cb22414144effca8d50916e07fef23cad79f6f2824729719a6148593272c3d9dc3f06
    Message-Authenticator = 0x5deaef240bde7b5ddf0ec8f82cfb238c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"

modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 4 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS First Fragment of the message
eaptls_verify returned 9
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 0 to 172.16.1.1:2048
    EAP-Message = 0x010500060d00
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xb3776a248e752a5b898b3a09d7f53563
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=247
    User-Name = "LIFEBOOK"
    NAS-IP-Address = 172.16.1.1
    Called-Station-Id = "0014bf18fbd1"
    Calling-Station-Id = "000e35e93319"
    NAS-Identifier = "0014bf18fbd1"
    NAS-Port = 3
    Framed-MTU = 1400
    State = 0xb3776a248e752a5b898b3a09d7f53563
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020500710d002607d5d30cd4bd2a712b22788615156a932768e07111935e7d1645e2b21eb2ebd9f945a3453a87acb2b4d7aa9d3d77d214030100010116030100301e7de961308a03425adf5286655c082dfdb3aac03f9d66c2f033144a64a0153c1f6b5677908e0270c442f6ccc0acf06f
    Message-Authenticator = 0x1ed3f4beeeb8aa26b78949f1766b932a
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 5 length 113
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4

rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0523], Certificate
chain-depth=1, error=0
--> User-Name = LIFEBOOK
--> BUF-Name = Suse93CA
--> subject = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> issuer = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> verify return:1
chain-depth=0, error=0
--> User-Name = LIFEBOOK
--> BUF-Name = LIFEBOOK
--> subject = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=LIFEBOOK
--> issuer = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 0 to 172.16.1.1:2048
    EAP-Message = 0x010600450d800000003b1403010001011603010030ffc1330acd1b4fa431cd36d692e54683f23bba1fc746a43454c9638d95747eef167a1ff32a76ce8bdbb32cf3323df5f6
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x686fc26dc863eae98add41589a941fde
Finished request 4
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=140
    User-Name = "LIFEBOOK"
    NAS-IP-Address = 172.16.1.1
    Called-Station-Id = "0014bf18fbd1"

    Calling-Station-Id = "000e35e93319"
    NAS-Identifier = "0014bf18fbd1"
    NAS-Port = 3
    Framed-MTU = 1400
    State = 0x686fc26dc863eae98add41589a941fde
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020600060d00
    Message-Authenticator = 0x9b18f0f66649b6c99513a0a457d5ac3b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 6 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake is finished
eaptls_verify returned 3
eaptls_process returned 3
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 5
modcall: group authenticate returns ok for request 5
Login OK: [LIFEBOOK/<no User-Password attribute>] (from client linksys port 3 cli 000e35e93319)
Sending Access-Accept of id 0 to 172.16.1.1:2048
    MS-MPPE-Recv-Key = 0xcf735d5779fd012c96f4245e2e55f39c14764742ef8d772e3b2688064bb8b63c
    MS-MPPE-Send-Key = 0x2962bb710502043ca21d199bf97d3477042dc37f1529d9086c0b9603cd66b183
    EAP-Message = 0x03060004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "LIFEBOOK"
Finished request 5
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 0 with timestamp 44a0b203
Nothing to do. Sleeping until we see a request.
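The listing above is easier to follow once the EAP-Message attributes are decoded: the first six bytes carry the EAP code, id, length, type (0x0d is EAP-TLS) and the EAP-TLS flags, and when the L flag is set the next four bytes give the total TLS message length, which is why the server certificate arrives as several Access-Challenge fragments and the client answers each with a bare ACK (0x020300060d00). The script below is an added example, not part of the original guide or of FreeRADIUS: it decodes those headers, follows an exchange through to the Access-Accept, checks that the client certificate at chain-depth 0 was issued by the CA seen at chain-depth 1 and that its CN is the identity that was accepted, and flags the "Segmentation fault" shown in the second listing. SAMPLE_LOG and CRASH_LOG are constructed, condensed excerpts of the two listings in this section (long hex values are cut after the EAP header); the function names are this example's own.

```python
"""Decode EAP-TLS headers and summarise a FreeRADIUS 'radiusd -X' listing.
Added example, not from the original guide; SAMPLE_LOG and CRASH_LOG are
constructed excerpts of the two listings in this section."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_IDENTITY, EAP_TLS = 1, 13


def decode_eap(hexstr):
    """Header of the first EAP-Message attribute of a packet (RFC 3748/5216):
    code, id, length(2), type; for EAP-TLS a flags byte (L=0x80 length
    included, M=0x40 more fragments, S=0x20 start) and, if L, a 4-byte
    total TLS message length."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    info = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
            "length": int.from_bytes(raw[2:4], "big")}
    if raw[0] in (1, 2) and len(raw) > 4:
        info["type"] = raw[4]
        if raw[4] == EAP_IDENTITY:
            info["identity"] = raw[5:].decode("ascii", "replace")
        elif raw[4] == EAP_TLS and len(raw) > 5:
            flags = raw[5]
            info.update(length_included=bool(flags & 0x80),
                        more_fragments=bool(flags & 0x40),
                        start=bool(flags & 0x20),
                        ack=(flags == 0 and len(raw) == 6))  # bare EAP-TLS ACK
            if flags & 0x80 and len(raw) >= 10:
                info["tls_total_length"] = int.from_bytes(raw[6:10], "big")
    return info


RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host \S+, id=\d+")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id \d+")
EAP_RE = re.compile(r"^EAP-Message = (0x[0-9a-fA-F]+)")
DEPTH_RE = re.compile(r"^chain-depth=(\d+), error=(\d+)")
DN_RE = re.compile(r"^--> (subject|issuer) = (.+)$")
LOGIN_RE = re.compile(r"^Login OK: \[([^/\]]+)/")


def cn_of(dn):
    """CN component of an OpenSSL-style '/C=US/.../CN=name' DN, or None."""
    return next((p[3:] for p in dn.split("/") if p.startswith("CN=")), None)


def chain_consistent(certs):
    """Each certificate's issuer must equal the subject one depth up."""
    return all(certs[d].get("issuer") == certs[d + 1].get("subject")
               for d in certs if d + 1 in certs)


def summarize(log_text):
    """Walk one listing and report what the EAP-TLS exchange actually did."""
    s = {"requests": 0, "replies": [], "eap": [], "certs": {},
         "login_user": None, "crashed": False, "verify_errors": []}
    depth, header_seen = None, True
    for line in (ln.strip() for ln in log_text.splitlines()):
        if RECV_RE.match(line):
            s["requests"] += 1
            header_seen = False      # next EAP-Message carries the EAP header
        elif (m := SEND_RE.match(line)):
            s["replies"].append(m.group(1))
            header_seen = False
        elif (m := EAP_RE.match(line)):
            # A long EAP packet is split over several EAP-Message attributes
            # (253 bytes each); only the first one in a packet has a header.
            if not header_seen:
                s["eap"].append(decode_eap(m.group(1)))
                header_seen = True
        elif (m := DEPTH_RE.match(line)):
            depth = int(m.group(1))
            s["certs"].setdefault(depth, {})
            if m.group(2) != "0":
                s["verify_errors"].append((depth, int(m.group(2))))
        elif (m := DN_RE.match(line)) and depth is not None:
            s["certs"][depth][m.group(1)] = m.group(2)
        elif (m := LOGIN_RE.match(line)):
            s["login_user"] = m.group(1)
        elif line == "Segmentation fault":
            s["crashed"] = True
    s["accepted"] = "Access-Accept" in s["replies"] and not s["crashed"]
    s["chain_ok"] = bool(s["certs"]) and not s["verify_errors"] and chain_consistent(s["certs"])
    # EAP-TLS proves possession of a key; the depth-0 (client) certificate's
    # CN should be the identity that was actually accepted.
    s["cn_matches_user"] = (s["login_user"] is not None and
                            cn_of(s["certs"].get(0, {}).get("subject", "")) == s["login_user"])
    return s


SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0
    EAP-Message = 0x0202006a0d8000000060160301005b01000057
Sending Access-Challenge of id 0 to 172.16.1.1:2048
    EAP-Message = 0x0103040a0dc0000006fa160301004a02000046
    EAP-Message = 0x3da49ba0cfb8c8d5d68f029ec94fc94c0aaf9e8ac6e9
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=140
    EAP-Message = 0x020300060d00
Sending Access-Challenge of id 0 to 172.16.1.1:2048
    EAP-Message = 0x010500060d00
rad_recv: Access-Request packet from host 172.16.1.1:2048, id=0, length=247
    EAP-Message = 0x020500710d002607d5d30cd4bd2a712b2278
chain-depth=1, error=0
--> subject = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
--> issuer = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
chain-depth=0, error=0
--> subject = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=LIFEBOOK
--> issuer = /C=US/ST=Texas/O=Internet Widgits Pty Ltd/CN=Suse93CA
Login OK: [LIFEBOOK/<no User-Password attribute>] (from client linksys port 3 cli 000e35e93319)
Sending Access-Accept of id 0 to 172.16.1.1:2048
    EAP-Message = 0x03060004
"""

CRASH_LOG = """\
rad_recv: Access-Request packet from host 172.16.1.1:2053, id=0, length=129
    EAP-Message = 0x0201000d014c494645424f4f4b
rlm_eap: EAP Identity
rlm_eap: processing type tls
Segmentation fault
"""
```

Run it as `python3 eaptls_log.py` with `print(summarize(SAMPLE_LOG))` added at the bottom, or feed it a real listing with `summarize(open("radiusd.log").read())`. On the successful listing it reports three requests, an Access-Accept, a consistent CA/client chain and a CN that matches the accepted user; on the second listing it reports no accept, an Identity response for LIFEBOOK and `crashed` set, which is the pattern to search for when the server dies before `rlm_eap_tls` prints anything.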


2. The listing below shows a problem. Do not be misled: this has nothing to do with the MTU size. The Linux virtual NIC adapter had to be manually assigned to the physical Ethernet port to correct it.

rad_recv: Access-Request packet from host 172.16.1.1:2053, id=0, length=129
    User-Name = "LIFEBOOK"
    NAS-IP-Address = 172.16.1.1
    Called-Station-Id = "0014bf18fbd1"
    Calling-Station-Id = "000e35e93319"
    NAS-Identifier = "0014bf18fbd1"
    NAS-Port = 3
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x0201000d014c494645424f4f4b
    Message-Authenticator = 0x3431b5fa7e98a9995472157a0099025b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "LIFEBOOK", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 152
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
Segmentation fault

Problems with installing the latest versions of OpenSSL and FreeRADIUS

1. In some cases, building the newest version can cause problems; bugs within the compilation scripts can be very difficult to resolve. As you compile, a message such as "silently not building rlm_eap" means that a particular module was not included.

2. Using the versions included with your Linux distribution adds a level of assurance, since these have been tested to work properly.

3. First get the basic settings to work, then start building additional items on top of them; otherwise it will be almost impossible to debug.

4. There are other configuration files for RADIUS. For example, the users file as shipped allows almost anything to log in. This is needed for initial debugging; later on you can come back and start adding more security.

5. FreeRADIUS supports MySQL and other back ends. It is really flexible, but it takes time to set up.


Patches & Updates

• If you recall from our initial configuration, DNS was never configured. It is left to the student to set up DNS manually on the Linux box.

• Once this works, the first update that must be applied is the kernel. One of the options offered is to delete the source files; uncheck it, because if you later need to recompile something (e.g. VMware drivers) the kernel header files are needed.

• Keep updating the kernel as needed until it no longer shows up on the list.

• FreeRADIUS and OpenSSL are next in priority. For these you do not need to keep the installation files.

• To update, run YaST (it is the fifth icon going from left to right); in the left pane you will see Online Update, click on it. After a few screens related to connectivity, click the option Manually Select Patches, then click Next. The rest is very intuitive. After any changes, test the RADIUS server.

Student Activities

• The setup shows how to use TLS; the student should now configure MS-CHAPv2.

Questions:

1. Is it advisable to store passwords in a certificate?

2. What are the options that control this in openssl?

RESOURCES:

• www.freeradius.org: the software itself, and links to other articles

• www.aspisos.org/wiki/index.php?n=Guides.EAP-TLS#toc1: provides the information to set up EAP-TLS; the procedure is not centered on a particular Linux distribution, and it shows how to create a script for setting up multiple users

• www.urbanwireless.co.nz/?p=3: this document was based on the Urban Wireless information site