# [freeradius] EAP-TLS problem with XP WLAN client

## SilentWarrior

Hi,

I have been trying for some time now to get my RADIUS server (freeradius 2.0.5) to talk to my WLAN client (WinXP with Intel PROSet) over EAP-TLS. Unfortunately it always fails at the client certificate (exchange), at least that is how I read the log. Beforehand I already tested with PEAP and authenticated the WLAN client via username/password, which works fine. From that I conclude that the CA and server certificates are OK. With TLS the client certificate now comes into play.

During the certificate exchange I get, among other things, the following messages:

```
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
```

Apparently the client certificate does not arrive completely at the RADIUS server, probably because of fragmentation or something similar. The system also does not seem to be able to deliver the remaining part afterwards, which is probably what the final authentication fails on.

I have already tried googling and experimenting, but I cannot get to the bottom of the problem.

Does anyone have an idea where exactly to look?

About the system:

freeradius 2.0.5 running on Gentoo

LANCOM AP (WPA2 Enterprise)

WLAN client with Intel PROSet WLAN software (on XP Pro)

For the test I am using the test certificates that I created under raddb/certs with make and make client (cnf files unchanged).

Thanks for your help!

The complete freeradius log:

```
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=48, length=182
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0201000d017465737475736572
   Message-Authenticator = 0xf61dad5c5e230e78fab4a5d6e31712be
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 1 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 48 to 192.168.4.200 port 3072
   EAP-Message = 0x010200160410f7df58ad60bce4803d853dd05b2cce3a
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a97c0da38d66ab46a092483d5
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=68, length=193
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a97c0da38d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x02020006030d
   Message-Authenticator = 0x5cf298ca2db568a537613cffd154e3c4
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/tls
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 68 to 192.168.4.200 port 3072
   EAP-Message = 0x010300060d20
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a96c1d338d66ab46a092483d5
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=41, length=295
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a96c1d338d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x0203006c0d0016030100610100005d03014c1146ee834980748179aab2a5810f38430a78cabe811d28b1d5bd55f3ade7a000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
   Message-Authenticator = 0x521099c1f76af4dcee95d49dd3a74a85
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 3 length 108
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
    TLS_accept: SSLv3 write key exchange A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
    TLS_accept: SSLv3 write certificate request A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 41 to 192.168.4.200 port 3072
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 0x83367206357b3b063f1f5971
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a95c6d338d66ab46a092483d5
Finished request 2.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=109, length=193
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a95c6d338d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020400060d00
   Message-Authenticator = 0x42651247b7a8defe6968c78b551bafb0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 4 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 109 to 192.168.4.200 port 3072
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 0x2fe3a7ef9a23f787befa7bae
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a94c7d338d66ab46a092483d5
Finished request 3.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 192.168.4.200 port 3072, id=133, length=193
   User-Name = "testuser"
   Service-Type = Framed-User
   NAS-IP-Address = 192.168.4.200
   NAS-Port = 6
   NAS-Port-Id = "6"
   State = 0x97c2de1a94c7d338d66ab46a092483d5
   Called-Station-Id = "00-0B-6B-B0-2B-28:Wireless-Home"
   Calling-Station-Id = "00-12-F0-66-52-BC"
   Connect-Info = "CONNECT 54 Mbps 802.11g"
   NAS-Identifier = "Wireless-AP-1"
   NAS-Port-Type = Wireless-802.11
   EAP-Message = 0x020500060d00
   Message-Authenticator = 0xdfc4c29217187c3f9cd47048533fd167
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 5 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
    users: Matched entry testuser at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/tls
  rlm_eap: processing type tls
  rlm_eap_tls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 133 to 192.168.4.200 port 3072
   EAP-Message = 0x0106038f0d8000000b711bc56f15202560b77288f9efae549e22a7245dfa0ee137b3f88c868c095e9cd928a2af97ee7c1e1c6ebb29dc439c6643bc389ef9d92f831a50868494f271d357ef20e6f134a05f062a5865ec79e1e36983ce25dc190d25ce8b2b79a9d938c36bfd0f59fe7091193d6cdcce4e330c72f9c9beb1f77ceaef361f2ee13b00d40aa3f13b617cac8c00efad1f39adcaffff8a13c6a0367e3d980a84197a25852c5ed76df6a6a13785c516578b0462379d61d444f493fef872c3011998d417f2fa8691de4ba7ecb983160301020d0c00020900809cd9b3313c82fe0c30f8905c911998e3154c14b0f23b03de40bb6b3d8c6459fc9664
   EAP-Message = 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
   EAP-Message = 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
   EAP-Message = 0x93310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
   Message-Authenticator = 0x00000000000000000000000000000000
   State = 0x97c2de1a93c4d338d66ab46a092483d5
Finished request 4.
Going to the next request
Waking up in 4.5 seconds.
Cleaning up request 0 ID 48 with timestamp +53
Cleaning up request 1 ID 68 with timestamp +53
Waking up in 0.3 seconds.
Cleaning up request 2 ID 41 with timestamp +53
Cleaning up request 3 ID 109 with timestamp +53
Cleaning up request 4 ID 133 with timestamp +53
Ready to process requests.
```
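The fragmentation question raised in the post can be checked directly from the EAP-Message values in the log rather than from the OpenSSL state strings: the 4-byte EAP header gives code, identifier and length, the EAP-TLS flags byte says whether a packet is a Start, an empty ACK or a data fragment, and when the L flag is set the next 4 bytes carry the total length of the TLS message being fragmented. The decoder below is an added example for this thread, not code from the original post or from FreeRADIUS. The packet layouts follow RFC 3748 (EAP) and RFC 5216 (EAP-TLS); the sample values in `SAMPLES` are copied from the log above, the request id=6 value being only its first 253-byte EAP-Message attribute chunk, exactly as the log prints it.

```python
"""Decode EAP / EAP-TLS headers from the EAP-Message values of a FreeRADIUS
debug log (radiusd -X). Added example, not FreeRADIUS code."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 25: "PEAP"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20           # RFC 5216 section 3.1
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSION = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone",
             15: "CertificateVerify", 16: "ClientKeyExchange", 20: "Finished"}


@dataclass
class EapPacket:
    code: str
    identifier: int
    declared_length: int                    # Length field of the EAP header
    available: int                          # bytes actually present in the hex string
    eap_type: Optional[str] = None
    flags: List[str] = field(default_factory=list)
    tls_total_length: Optional[int] = None  # 4-byte field that follows the L flag
    tls_data_length: int = 0                # TLS bytes carried in this chunk
    tls_record: Optional[str] = None        # record header at offset 0, if there is one
    kind: str = ""                          # one-line summary


def describe_tls_record(data: bytes) -> Optional[str]:
    """Describe a TLS record header at the start of data; None means the chunk
    is a mid-message continuation (no record header at offset 0)."""
    if len(data) < 5:
        return None
    ctype, major, minor, rlen = struct.unpack("!BBBH", data[:5])
    if ctype not in TLS_CONTENT or major != 3 or minor not in TLS_VERSION:
        return None
    text = f"{TLS_CONTENT[ctype]} record, {TLS_VERSION[minor]}, {rlen} bytes"
    if ctype == 22 and len(data) >= 6:
        text += ", " + HANDSHAKE.get(data[5], f"handshake type {data[5]}")
    return text


def parse_eap_message(hex_value: str) -> EapPacket:
    """Parse one EAP-Message attribute value as printed by radiusd -X."""
    digits = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(digits)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = EapPacket(EAP_CODES.get(code, f"code {code}"), ident, length, len(raw))
    if code not in (1, 2):                  # Success/Failure carry no Type byte
        pkt.kind = pkt.code
        return pkt
    if len(raw) < 5:
        raise ValueError("Request/Response needs a Type byte")
    type_id, body = raw[4], raw[5:]
    pkt.eap_type = EAP_TYPES.get(type_id, f"type {type_id}")
    if type_id == 1:
        pkt.kind = f"Identity {body.decode('ascii', 'replace')!r}"
        return pkt
    if type_id == 3:                        # Nak lists the types the peer wants instead
        pkt.kind = "Nak, peer wants " + ", ".join(EAP_TYPES.get(b, str(b)) for b in body)
        return pkt
    if type_id != 13:
        pkt.kind = f"{pkt.eap_type}, {len(body)} payload bytes"
        return pkt
    # EAP-TLS: flags byte, optional 4-byte total TLS length (L set), then TLS data
    if not body:
        raise ValueError("EAP-TLS packet without a flags byte")
    flags, data = body[0], body[1:]
    pkt.flags = [n for bit, n in ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S")) if flags & bit]
    if flags & FLAG_L:
        if len(data) < 4:
            raise ValueError("L flag set but TLS length field missing")
        pkt.tls_total_length = struct.unpack("!I", data[:4])[0]
        data = data[4:]
    pkt.tls_data_length = len(data)
    pkt.tls_record = describe_tls_record(data)
    if flags & FLAG_S:
        pkt.kind = "EAP-TLS Start"
    elif not data and not (flags & (FLAG_L | FLAG_M)):
        pkt.kind = "EAP-TLS ACK (empty fragment)"
    elif flags & FLAG_M:
        pkt.kind = "EAP-TLS fragment, more follow"
    else:
        pkt.kind = "EAP-TLS fragment, last of its message"
    if pkt.available < pkt.declared_length:  # debug output split into 253-byte attributes
        pkt.kind += f" [{pkt.available} of {pkt.declared_length} bytes shown]"
    return pkt


def tls_flight_bytes(handshake_lengths: List[int]) -> int:
    """Size of a TLS flight whose handshake messages each sit in their own record:
    the logged [length xxxx] values plus a 5-byte record header each."""
    return sum(n + 5 for n in handshake_lengths)


# Constructed from the EAP-Message values visible in the posted log.
SAMPLES = [
    ("request 0, client", "0x0201000d017465737475736572"),
    ("request 0, server", "0x010200160410f7df58ad60bce4803d853dd05b2cce3a"),
    ("request 1, client", "0x02020006030d"),
    ("request 1, server", "0x010300060d20"),
    ("request 2, client", "0x0203006c0d0016030100610100005d03014c1146ee834980748179aab2a5810f38430a78cabe811d28b1d5bd55f3ade7a000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100"),
    ("request 3, client", "0x020400060d00"),
    ("request 4, server", "0x0106038f0d8000000b711bc56f15202560b77288f9efae549e22a7245dfa0ee137b3f88c868c095e9cd928a2af97ee7c1e1c6ebb29dc439c6643bc389ef9d92f831a50868494f271d357ef20e6f134a05f062a5865ec79e1e36983ce25dc190d25ce8b2b79a9d938c36bfd0f59fe7091193d6cdcce4e330c72f9c9beb1f77ceaef361f2ee13b00d40aa3f13b617cac8c00efad1f39adcaffff8a13c6a0367e3d980a84197a25852c5ed76df6a6a13785c516578b0462379d61d444f493fef872c3011998d417f2fa8691de4ba7ecb983160301020d0c00020900809cd9b3313c82fe0c30f8905c911998e3154c14b0f23b03de40bb6b3d8c6459fc9664"),
]

if __name__ == "__main__":
    for where, value in SAMPLES:
        p = parse_eap_message(value)
        extra = f" | {p.tls_record}" if p.tls_record else ""
        print(f"{where:18} {p.code:8} id={p.identifier:<2} len={p.declared_length:<4} {p.kind}{extra}")
    # ServerHello, Certificate, ServerKeyExchange, CertificateRequest lengths from the log
    print("server flight:", tls_flight_bytes([0x4a, 0x85e, 0x20d, 0xa8]), "bytes")
```

Run over the log's own values, the decoder shows the client's Nak asking for EAP-TLS, the server's Start (flags 0x20), one 108-byte client packet carrying the complete 102-byte ClientHello record, the client's empty ACKs (flags 0x00, no data) and, in request id=6, the L flag with a total TLS length of 2929 bytes. That figure is exactly the four logged server handshake lengths (004a, 085e, 020d, 00a8) plus a 5-byte record header each, so requests id 4 to 6 are one fragmented server flight ending in CertificateRequest, and the 911-byte last fragment leaves 2028 bytes for the two earlier ones, i.e. 1014 TLS bytes per 1024-byte EAP packet, which is consistent with the default `fragment_size = 1024` in eap.conf. Up to that point the client has sent nothing but ACKs, and the posted log ends after the server's last fragment goes out; the same decoder applied to the next client Access-Request, once it is captured, would show whether the client starts sending its Certificate flight (a Handshake record with type Certificate, typically with M set on the first fragment) or replies with something else.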
