Bonjour,
Je souhaite mettre en place une architecture Wifi à l'aide de freeradius. Je veux utiliser EAP-TTLS avec mschapv2. J'ai des messages d'erreur.
Voici mes fichiers de conf :
clients.conf :
Code:
# RADIUS clients (NASes) allowed to talk to this server, keyed by source IP.
client 127.0.0.1 {
# NOTE(review): "testing123" is the stock example secret shipped with FreeRADIUS;
# replace it with a long random value even for localhost (radtest/radclient use it).
secret = testing123
shortname = localhost
nastype = other # localhost isn't usually a NAS...
}
# The access point seen in the debug output (192.168.1.1).
client 192.168.1.1 {
# NOTE(review): the shared secret authenticates every packet from this AP and is
# what protects the session keys returned after a successful EAP exchange;
# "secret" is trivially guessable — use a long random string per client.
secret = secret
shortname = APPROJET
nastype = other
}
eap.conf :
Code:
# EAP module configuration: outer method EAP-TTLS, inner MS-CHAPv2.
eap {
default_eap_type = ttls
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
# TLS settings shared by the EAP-TLS/TTLS methods.
tls {
# NOTE(review): "whatever" is the passphrase of the stock example certificates;
# a production key should have its own passphrase (or be unencrypted with
# restrictive file permissions) — the passphrase sits in cleartext here.
private_key_password = whatever
# Key and certificate are read from the same PEM file.
private_key_file = ${raddbdir}/certs/srv-linux.wifi.local.pem
certificate_file = ${raddbdir}/certs/srv-linux.wifi.local.pem
CA_file = ${raddbdir}/certs/root.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
# Fragments stay below the NAS Framed-MTU (1400 in the debug output) so the
# certificate is split across several EAP-Message attributes, as seen in the log.
fragment_size = 1024
include_length = yes
}
ttls {
# Presumably only used when the tunneled method is itself EAP; the debug output
# shows a tunneled request with no EAP-Message ("No EAP-Message, not doing EAP"),
# i.e. plain MS-CHAPv2, which is handled by the mschap module rather than here.
default_eap_type = mschapv2
# Outer attributes are visible to the inner authorize; inner reply is used as the outer reply.
copy_request_to_tunnel = yes
use_tunneled_reply = yes
}
mschapv2 {
}
}
users :
Code:
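# NOTE(review): the real users file is longer than this excerpt (the debug output
# matches DEFAULT entries at lines 156/175 and "nico" at line 90); make the same
# change there.
"test" Auth-Type := Local, User-Password == "test"
# With EAP-TTLS the tunneled request carries no EAP-Message (debug: "rlm_eap: No
# EAP-Message, not doing EAP"), so forcing Auth-Type := EAP on the entry the
# tunnel matches makes rlm_eap fail with "EAP-Message not found". Leave Auth-Type
# unset here and let the mschap module (listed in authorize) choose it from the
# tunneled MS-CHAP attributes; this entry only has to supply the known-good
# password so the MS-CHAPv2 response can be verified.
# Later FreeRADIUS releases spell this `User-Password :=` / `Cleartext-Password :=`;
# keep whichever form your version's stock users file uses.
"nico" User-Password == "nico"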
radiusd.conf :
Code:
# Installation paths; everything below is derived from ${prefix} and ${sysconfdir}.
prefix = /usr/local
exec_prefix = ${prefix}
sysconfdir = /etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir = /var/log
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
confdir = ${raddbdir}
run_dir = ${localstatedir}/run/radiusd
log_file = ${logdir}/radius.log
libdir = ${exec_prefix}/lib
pidfile = ${run_dir}/radiusd.pid
# Request lifetime and queue limits.
max_request_time = 30
delete_blocked_requests = no
cleanup_delay = 5
max_requests = 1024
# Listen on every interface; port 0 means "use the radius/radacct ports from /etc/services".
bind_address = *
port = 0
hostname_lookups = no
# Keep core dumps off: a core of radiusd would likely contain the TLS private key
# and the client shared secrets.
allow_core_dumps = no
regular_expressions = yes
extended_expressions = yes
# Authentication logging is fully off; log_auth = yes plus log_auth_badpass is the
# usual first step to see rejects in radius.log without running -X.
log_stripped_names = no
log_auth = no
log_auth_badpass = no
log_auth_goodpass = no
# Legacy username/password normalisation hacks, all disabled.
usercollide = no
lower_user = no
lower_pass = no
nospace_user = no
nospace_pass = no
checkrad = ${sbindir}/checkrad
# Per-packet sanity limits; reject_delay delays Access-Reject by one second,
# which slows down online password guessing against this server.
security {
max_attributes = 200
reject_delay = 1
# The server does not answer Status-Server probes.
status_server = no
}
# Proxying is disabled; proxy.conf is still included.
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
# Client list and shared secrets live in clients.conf (shown above).
$INCLUDE ${confdir}/clients.conf
snmp = no
$INCLUDE ${confdir}/snmp.conf
# Worker thread pool sizing; max_requests_per_server = 0 never recycles a thread.
thread pool {
start_servers = 5
max_servers = 32
min_spare_servers = 3
max_spare_servers = 10
max_requests_per_server = 0
}
# Module instances referenced by the authorize/authenticate/... sections below.
modules {
# EAP (TTLS outer / MS-CHAPv2 inner) is configured in eap.conf, shown above.
$INCLUDE ${confdir}/eap.conf
mschap {
# NOTE(review): presumably the Auth-Type the mschap module assigns in authorize
# when it sees MS-CHAP attributes. It has to name the same Auth-Type as the
# "Auth-Type MS-CHAP { mschap }" sub-section of authenticate below, otherwise a
# tunneled MS-CHAPv2 request is never handed to mschap — confirm which value the
# running version accepts.
authtype = MS-CHAPv2
}
# Huntgroups/hints lookup; all NAS-specific hacks disabled.
preprocess {
huntgroups = ${confdir}/huntgroups
hints = ${confdir}/hints
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
}
# Flat-file users database; ${confdir}/users is the file shown above.
files {
usersfile = ${confdir}/users
acctusersfile = ${confdir}/acct_users
preproxy_usersfile = ${confdir}/preproxy_users
compat = no
}
# Accounting detail log: one file per client IP and per day, owner-only permissions.
detail {
detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
detailperm = 0600
}
# Attributes hashed into a unique Acct-Unique-Session-Id.
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
}
# Login/session tracking (used by the session section for simultaneous-use checks).
radutmp {
filename = ${logdir}/radutmp
username = %{User-Name}
case_sensitive = yes
check_with_nas = yes
callerid = "yes"
perm = 0600
}
# World-readable variant without caller id.
radutmp sradutmp {
filename = ${logdir}/sradutmp
perm = 0644
callerid = "no"
}
attr_filter {
attrsfile = ${confdir}/attrs
}
# Daily session-time counter (Max-Daily-Session check item).
counter daily {
filename = ${raddbdir}/db.daily
key = User-Name
count-attribute = Acct-Session-Time
reset = daily
counter-name = Daily-Session-Time
check-name = Max-Daily-Session
allowed-servicetype = Framed-User
cache-size = 5000
}
# Fixed-return-code modules, handy for policy sections.
always fail {
rcode = fail
}
always reject {
rcode = reject
}
always ok {
rcode = ok
simulcount = 0
mpp = no
}
expr {
}
# Generic program runner used via %{exec:...} expansions.
exec {
wait = yes
input_pairs = request
}
# Stock example instance; not referenced by any section shown below, so it can
# be dropped. It expands a request attribute into a command line, so keep such
# instances out of the config unless they are actually needed.
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = request
output_pairs = reply
}
}
# Modules loaded at startup even though no section lists them (needed for %{exec:} / %{expr:}).
instantiate {
exec
expr
}
# Order matters: mschap runs before files so it can set Auth-Type from MS-CHAP
# attributes in the tunneled request, but a users entry with "Auth-Type :=" still
# overrides it because files runs last — the debug output shows exactly that for
# "nico" (inner authorize ends with "Found Auth-Type EAP" and no EAP-Message).
# NOTE(review): the debug output prints no return line for preprocess or mschap,
# so confirm the running radiusd.conf matches this listing.
authorize {
preprocess
mschap
eap
files
}
authenticate {
# Tunneled (non-EAP) MS-CHAPv2 lands here once Auth-Type is MS-CHAP; the label
# must match the Auth-Type the mschap module sets in authorize.
Auth-Type MS-CHAP {
mschap
}
# Outer EAP-TTLS conversation, and any tunneled method that is itself EAP.
eap
}
# Accounting pre-processing: hints/huntgroups, unique session id, acct_users file.
preacct {
preprocess
acct_unique
files
}
# Accounting packets are written to the detail file and to radutmp.
accounting {
detail
radutmp
}
# Simultaneous-Use checks consult radutmp.
session {
radutmp
}
# Nothing runs after authentication (no reply post-processing or logging).
post-auth {
}
# Unused: proxy_requests = no above.
pre-proxy {
}
# Only reached when proxying, which is disabled here; eap is the stock entry.
post-proxy {
eap
}
Voici le message du mode debug (radiusd -X -A) :
Code:
rad_recv: Access-Request packet from host 192.168.1.1:32913, id=5, length=170
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0205001d01616e6f6e796d65406d6f6e656e74726570726973652e6672
Message-Authenticator = 0x666aab110a7c501e49b549313b3b4e1b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_eap: EAP packet type response id 5 length 29
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 0
modcall: leaving group authorize (returns updated) for request 0
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 5 to 192.168.1.1 port 32913
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010600061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xd9db4cca54dd0b13a7c7fa510bd9e0ff
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32914, id=6, length=261
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xd9db4cca54dd0b13a7c7fa510bd9e0ff
EAP-Message = 0x020600661500160301005b010000570301461e17b0860f09a447f4bb2bed3404b9137974e95339a16802e31318eea237dc00003000390038003500160013000a00330032002f0066000500040065006400630062006000150012000900140011000800030100
Message-Authenticator = 0x4050c580de8aa3f3e9092010ba9a12de
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
rlm_eap: EAP packet type response id 6 length 102
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 1
modcall: leaving group authorize (returns updated) for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<<TLS>>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0652], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 6 to 192.168.1.1 port 32914
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0107040a15c0000006af160301004a020000460301461e185e2edb0d40717ad98dae29ac4dd387faa2a733ec3b80b1f5d14f22c0682024fd008921aac82c588875912b645c386dabb403828434eda81a1d240d36200200350016030106520b00064e00064b0002b1308202ad30820216a003020102020101300d06092a864886f70d010104050030818d310b3009060355040613024652310c300a06035504081303494446310e300c060355040713054365726779310d300b060355040a13044954494e31143012060355040b130b70726f6a6574207769666931193017060355040313104954494e20576972656c6573732043413120301e06092a86
EAP-Message = 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
EAP-Message = 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
EAP-Message = 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
EAP-Message = 0x818d310b3009060355040613024652310c300a060355
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xa7e3d8a6b5fa1238dff6378c16da9c5b
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32915, id=7, length=165
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xa7e3d8a6b5fa1238dff6378c16da9c5b
EAP-Message = 0x020700061500
Message-Authenticator = 0x85e033e552410493c017878f97832c58
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
rlm_eap: EAP packet type response id 7 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 2
modcall: leaving group authorize (returns updated) for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: leaving group authenticate (returns handled) for request 2
Sending Access-Challenge of id 7 to 192.168.1.1 port 32915
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x010802b91580000006af04081303494446310e300c060355040713054365726779310d300b060355040a13044954494e31143012060355040b130b70726f6a6574207769666931193017060355040313104954494e20576972656c6573732043413120301e06092a864886f70d01090116116b61626f756e733231406d736e2e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100b1c460fa5ccc002ae623a334b7a930caad26140ed69a51c283965c4465c44587bef3a1298875750497c9641a5e464b14d21d27dfa03c5322a627570db44778c6d201ed7ed0c4f76877e80ad73d9a908643bce0fcd03127d83b39541914
EAP-Message = 0x06cfd96469de5aca582b500395f9c2f02effd9bd1691ab105abd12b6d4b0cbbb32fbb30203010001a381f53081f2301d0603551d0e04160414d1f50866e2308f76cb9ee73142c2caf5081203813081c20603551d230481ba3081b78014d1f50866e2308f76cb9ee73142c2caf508120381a18193a4819030818d310b3009060355040613024652310c300a06035504081303494446310e300c060355040713054365726779310d300b060355040a13044954494e31143012060355040b130b70726f6a6574207769666931193017060355040313104954494e20576972656c6573732043413120301e06092a864886f70d01090116116b61626f756e73
EAP-Message = 0x3231406d736e2e636f6d820900b8b0a09b1aae01d3300c0603551d13040530030101ff300d06092a864886f70d01010505000381810072149ae8736f0f19aee0a152f9f088cf7f871465187fcfaea8ee80273d7e9286ed67986e4bf3fbeb9decf113cb1975041c3dd7627df2bd8e2e73a65158b5e7f62b1cac2879fe8033992728677080f38fb621502974c9a599f813a1fb0d4c556bfbef3ccbbdbaeeef2d9e194b38cc4fdb8462ef5ce216a25c24e720e1fb78ba6016030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xc22c197ed0c4de73d2ca61134e8e5449
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32916, id=8, length=363
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0xc22c197ed0c4de73d2ca61134e8e5449
EAP-Message = 0x020800cc1500160301008610000082008096e2e3a993f2b919ca3eb62f694e7e752cca96d34f34551fc442698c927a7efb696712859c72e1dea2817f003d7b98d26c03a7974c3f92e1ef9a8032f805ad19bc267280d4d03b39425463458c334912779ecc1d1c8ad4bc5c06566a72e7b8b09c6ce0ec2e97564067db60c2613e9b75ea353964cfdf98677d988e51b418f1ad140301000101160301003074348e8f0c082ef691585e0c32a19aad61f649b7a589c4415087f93e4e7437e8004e9bf854b70b8b4c653d0175935e5f
Message-Authenticator = 0x74ba8ce2fa087d8d15b97e1f8486373f
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
rlm_eap: EAP packet type response id 8 length 204
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 3
modcall: leaving group authorize (returns updated) for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<<TLS>>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: leaving group authenticate (returns handled) for request 3
Sending Access-Challenge of id 8 to 192.168.1.1 port 32916
Framed-IP-Address = 255.255.255.254
Framed-MTU = 576
Service-Type = Framed-User
EAP-Message = 0x0109004515800000003b1403010001011603010030743c5d3fe343697a29b0bbdcca319d01e493693d331d696ffad03dbb9c45699890a3bc83d7b62f6debe20ebcd037c093
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x90fbaf8d42552395fc4d98c8f730a2b2
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.1.1:32917, id=9, length=335
User-Name = "anonyme@monentreprise.fr"
NAS-IP-Address = 192.168.1.1
Called-Station-Id = "00-0D-54-FB-61-72:ttls"
Calling-Station-Id = "00-0E-35-94-07-7B"
NAS-Identifier = ""
NAS-Port = 29
Service-Type = Framed-User
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
State = 0x90fbaf8d42552395fc4d98c8f730a2b2
EAP-Message = 0x020900b0150017030100208a8684fc9f210a1fa5b1c3ec51048469d6fe3a0a33239eb95e528db991379a781703010080130d3503d09e40709aa6f4865bb98ad8ced00d86919d22924280584cc3f4841fb678152fb366adb4538ace53a963d4b19e6dfc12086b98741f8f4989ed4975d738d967a224f190c5bfd827d9fa4ee8d7c4718f44af706ca23ab66e67f879f18c8fbe9828be897f2356cdf0482b8dd90152cf1611ec386d7d0858f21b07374278
Message-Authenticator = 0x9405349379b1bd2e9a4e5f699ac4ac7e
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 9 length 176
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry DEFAULT at line 156
users: Matched entry DEFAULT at line 175
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry nico at line 90
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns ok) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
modcall[authenticate]: module "eap" returns fail for request 4
modcall: leaving group authenticate (returns fail) for request 4
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 4
modcall: leaving group authenticate (returns invalid) for request 4
auth: Failed to validate the user.
Merci beaucoup de votre aide
Kab