Question edit history

4

Added explanation

2018/03/29 01:15

Posted

ma-yu

Score 57

test CHANGED
File without changes
test CHANGED
@@ -92,7 +92,7 @@
92
92
 
93
93
 
94
94
 
95
- <wpa_supplicant ログ>
95
+ <wpa_supplicant ログ>(一部省略あり)
96
96
 
97
97
  ```
98
98
 
@@ -110,7 +110,7 @@
110
110
 
111
111
 
112
112
 
113
-
113
+ 省略終わり
114
114
 
115
115
  EAPOL: Received EAP-Packet frame
116
116
 
@@ -262,7 +262,7 @@
262
262
 
263
263
 
264
264
 
265
- <freeradius -X ログ>
265
+ <freeradius -X ログ>(省略なし)
266
266
 
267
267
 
268
268
 

3

Typo fix

2018/03/29 01:15

Posted

ma-yu

Score 57

test CHANGED
File without changes
test CHANGED
@@ -260,7 +260,7 @@
260
260
 
261
261
  ```
262
262
 
263
- ### 2018/03/29 9:45 追記2
263
+
264
264
 
265
265
  <freeradius -X ログ>
266
266
 

2

Added missing information

2018/03/29 01:14

Posted

ma-yu

Score 57

test CHANGED
File without changes
test CHANGED
@@ -60,18 +60,420 @@
60
60
 
61
61
 
62
62
 
63
+ ### 試したこと
64
+
65
+ クライアントPCよりeapol_testを行いました。
66
+
63
- ### 発生る問題・エラーメッセージ
67
+ PEAPは成功たのに、TLSがうまくきません。
68
+
69
+
70
+
64
-
71
+ ### 補足情報
72
+
73
+
74
+
65
-
75
+ 使用している証明書はプライベートCAを構築し、サーバー証明書とクライアント証明書を作成しました。
76
+
66
-
77
+ サーバー証明書とクライアント証明書の認証局は同じプライベートCAになります。
78
+
79
+
80
+
81
+ ### 2018/03/29 9:45 追記
82
+
83
+
84
+
67
- 認証失敗時のログです。
85
+ 認証失敗時のログきる限り省略せずに示します。
86
+
68
-
87
+ 10000字制限により全ては書き込めませんでした。
88
+
89
+
90
+
69
-
91
+ FreeRADIUS -Xから"Reply-Message = "20180328Hello, user"が出たのでRADIUS側は成功しているのではと思ってしまいました。
70
-
92
+
93
+
94
+
71
- <freeradius -X>
95
+ <wpa_supplicant ログ>
72
96
 
73
97
  ```
74
98
 
99
+ ~# wpa_supplicant -i eth3 -c /etc/wpa_supplicant.conf -D wired -dd
100
+
101
+ wpa_supplicant v2.6
102
+
103
+ random: Trying to read entropy from /dev/random
104
+
105
+ Successfully initialized wpa_supplicant
106
+
107
+ Initializing interface 'eth3' conf '/etc/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
108
+
109
+ *文字数制限のため省略します。
110
+
111
+
112
+
113
+
114
+
115
+ EAPOL: Received EAP-Packet frame
116
+
117
+ EAPOL: SUPP_PAE entering state RESTART
118
+
119
+ EAP: EAP entering state INITIALIZE
120
+
121
+ EAP: EAP entering state IDLE
122
+
123
+ EAPOL: SUPP_PAE entering state AUTHENTICATING
124
+
125
+ EAPOL: SUPP_BE entering state REQUEST
126
+
127
+ EAPOL: getSuppRsp
128
+
129
+ EAP: EAP entering state RECEIVED
130
+
131
+ EAP: Received EAP-Request id=1 method=1 vendor=0 vendorMethod=0
132
+
133
+ EAP: EAP entering state IDENTITY
134
+
135
+ eth3: CTRL-EVENT-EAP-STARTED EAP authentication started
136
+
137
+ EAP: Status notification: started (param=)
138
+
139
+ EAP: EAP-Request Identity data - hexdump_ascii(len=0):
140
+
141
+ EAP: using real identity - hexdump_ascii(len=4):
142
+
143
+ 75 73 65 72 user
144
+
145
+ EAP: EAP entering state SEND_RESPONSE
146
+
147
+ EAP: EAP entering state IDLE
148
+
149
+ EAPOL: SUPP_BE entering state RESPONSE
150
+
151
+ EAPOL: txSuppRsp
152
+
153
+ TX EAPOL: dst=01:80:c2:xx:xx:xx
154
+
155
+ TX EAPOL - hexdump(len=13): 01 00 00 09 02 01 00 09 01 75 73 65 72
156
+
157
+ EAPOL: SUPP_BE entering state RECEIVE
158
+
159
+ l2_packet_receive: src=34:76:c5:xx:xx:xx len=46
160
+
161
+ eth3: RX EAPOL from 34:76:c5:xx:xx:xx
162
+
163
+ RX EAPOL - hexdump(len=46): 02 00 00 06 01 02 00 06 0d 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
164
+
165
+ EAPOL: Received EAP-Packet frame
166
+
167
+ EAPOL: SUPP_BE entering state REQUEST
168
+
169
+ EAPOL: getSuppRsp
170
+
171
+ EAP: EAP entering state RECEIVED
172
+
173
+ EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0
174
+
175
+ EAP: EAP entering state GET_METHOD
176
+
177
+ eth3: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13
178
+
179
+ EAP: Status notification: accept proposed method (param=TLS)
180
+
181
+ EAP: Initialize selected EAP method: vendor 0 method 13 (TLS)
182
+
183
+ TLS: using phase1 config options
184
+
185
+ OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory
186
+
187
+ OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file
188
+
189
+ OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
190
+
191
+ OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory
192
+
193
+ OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib
194
+
195
+ OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib
196
+
197
+ TLS: Failed to set TLS connection parameters
198
+
199
+ ENGINE: engine deinit
200
+
201
+ EAP-TLS: Failed to initialize SSL.
202
+
203
+ eth3: EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS)
204
+
205
+ EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)
206
+
207
+ EAP: allowed methods - hexdump(len=0):
208
+
209
+ EAP: EAP entering state SEND_RESPONSE
210
+
211
+ EAP: EAP entering state IDLE
212
+
213
+ EAPOL: SUPP_BE entering state RESPONSE
214
+
215
+ EAPOL: txSuppRsp
216
+
217
+ TX EAPOL: dst=01:80:c2:xx:xx:xx
218
+
219
+ TX EAPOL - hexdump(len=10): 01 00 00 06 02 02 00 06 03 00
220
+
221
+ EAPOL: SUPP_BE entering state RECEIVE
222
+
223
+ l2_packet_receive: src=34:76:c5:xx:xx:xx len=46
224
+
225
+ eth3: RX EAPOL from 34:76:c5:xx:xx:xx
226
+
227
+ RX EAPOL - hexdump(len=46): 02 00 00 04 04 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
228
+
229
+ EAPOL: Received EAP-Packet frame
230
+
231
+ EAPOL: SUPP_BE entering state REQUEST
232
+
233
+ EAPOL: getSuppRsp
234
+
235
+ EAP: EAP entering state RECEIVED
236
+
237
+ EAP: Received EAP-Failure
238
+
239
+ EAP: Status notification: completion (param=failure)
240
+
241
+ EAP: EAP entering state FAILURE
242
+
243
+ eth3: CTRL-EVENT-EAP-FAILURE EAP authentication failed
244
+
245
+ EAPOL: SUPP_PAE entering state HELD
246
+
247
+ EAPOL: Supplicant port status: Unauthorized
248
+
249
+ EAPOL: SUPP_BE entering state RECEIVE
250
+
251
+ EAPOL: SUPP_BE entering state FAIL
252
+
253
+ EAPOL: SUPP_BE entering state IDLE
254
+
255
+ EAPOL authentication completed - result=FAILURE
256
+
257
+
258
+
259
+
260
+
261
+ ```
262
+
263
+ ### 2018/03/29 9:45 追記2
264
+
265
+ <freeradius -X ログ>
266
+
267
+
268
+
269
+ ```
270
+
271
+
272
+
273
+ Ready to process requests.
274
+
275
+ rad_recv: Access-Request packet from host 192.168.1.253 port 19181, id=136, length=123
276
+
277
+ NAS-IP-Address = 192.168.1.253
278
+
279
+ NAS-Port = 5
280
+
281
+ User-Name = "user"
282
+
283
+ Called-Station-Id = "34-76-C5-70-F4-14"
284
+
285
+ Calling-Station-Id = "00-22-CF-F9-2E-04"
286
+
287
+ Service-Type = Framed-User
288
+
289
+ Framed-MTU = 1300
290
+
291
+ NAS-Port-Type = Ethernet
292
+
293
+ Message-Authenticator = 0x1d0cf8f2a5cdb24657f4d76dfb804dc2
294
+
295
+ EAP-Message = 0x020100090175736572
296
+
297
+ # Executing section authorize from file /etc/freeradius/sites-enabled/default
298
+
299
+ +group authorize {
300
+
301
+ ++[preprocess] = ok
302
+
303
+ ++[chap] = noop
304
+
305
+ ++[mschap] = noop
306
+
307
+ ++[digest] = noop
308
+
309
+ [suffix] No '@' in User-Name = "user", looking up realm NULL
310
+
311
+ [suffix] No such realm "NULL"
312
+
313
+ ++[suffix] = noop
314
+
315
+ [eap] EAP packet type response id 1 length 9
316
+
317
+ [eap] No EAP Start, assuming it's an on-going EAP conversation
318
+
319
+ ++[eap] = updated
320
+
321
+ [files] users: Matched entry user at line 94
322
+
323
+ [files] expand: 20180328Hello, %{User-Name} -> 20180328Hello, user
324
+
325
+ ++[files] = ok
326
+
327
+ ++[expiration] = noop
328
+
329
+ ++[logintime] = noop
330
+
331
+ [pap] WARNING: Auth-Type already set. Not setting to PAP
332
+
333
+ ++[pap] = noop
334
+
335
+ +} # group authorize = updated
336
+
337
+ Found Auth-Type = EAP
338
+
339
+ # Executing group from file /etc/freeradius/sites-enabled/default
340
+
341
+ +group authenticate {
342
+
343
+ [eap] EAP Identity
344
+
345
+ [eap] processing type tls
346
+
347
+ [tls] Requiring client certificate
348
+
349
+ [tls] Initiate
350
+
351
+ [tls] Start returned 1
352
+
353
+ ++[eap] = handled
354
+
355
+ +} # group authenticate = handled
356
+
357
+ Sending Access-Challenge of id 136 to 192.168.1.253 port 19181
358
+
359
+ Reply-Message = "20180328Hello, user"
360
+
361
+ EAP-Message = 0x010200060d20
362
+
363
+ Message-Authenticator = 0x00000000000000000000000000000000
364
+
365
+ State = 0x67ee941c67ec99990c723ec61783218e
366
+
367
+ Finished request 0.
368
+
369
+ Going to the next request
370
+
371
+ Waking up in 4.9 seconds.
372
+
373
+ rad_recv: Access-Request packet from host 192.168.1.253 port 50587, id=136, length=138
374
+
375
+ NAS-IP-Address = 192.168.1.253
376
+
377
+ NAS-Port = 5
378
+
379
+ User-Name = "user"
380
+
381
+ Called-Station-Id = "34-76-C5-70-F4-14"
382
+
383
+ Calling-Station-Id = "00-22-CF-F9-2E-04"
384
+
385
+ Service-Type = Framed-User
386
+
387
+ Framed-MTU = 1300
388
+
389
+ NAS-Port-Type = Ethernet
390
+
391
+ Message-Authenticator = 0xc32aa9880c71f8baab1c716b57118412
392
+
393
+ EAP-Message = 0x020200060300
394
+
395
+ State = 0x67ee941c67ec99990c723ec61783218e
396
+
397
+ # Executing section authorize from file /etc/freeradius/sites-enabled/default
398
+
399
+ +group authorize {
400
+
401
+ ++[preprocess] = ok
402
+
403
+ ++[chap] = noop
404
+
405
+ ++[mschap] = noop
406
+
407
+ ++[digest] = noop
408
+
409
+ [suffix] No '@' in User-Name = "user", looking up realm NULL
410
+
411
+ [suffix] No such realm "NULL"
412
+
413
+ ++[suffix] = noop
414
+
415
+ [eap] EAP packet type response id 2 length 6
416
+
417
+ [eap] No EAP Start, assuming it's an on-going EAP conversation
418
+
419
+ ++[eap] = updated
420
+
421
+ [files] users: Matched entry user at line 94
422
+
423
+ [files] expand: 20180328Hello, %{User-Name} -> 20180328Hello, user
424
+
425
+ ++[files] = ok
426
+
427
+ ++[expiration] = noop
428
+
429
+ ++[logintime] = noop
430
+
431
+ [pap] WARNING: Auth-Type already set. Not setting to PAP
432
+
433
+ ++[pap] = noop
434
+
435
+ +} # group authorize = updated
436
+
437
+ Found Auth-Type = EAP
438
+
439
+ # Executing group from file /etc/freeradius/sites-enabled/default
440
+
441
+ +group authenticate {
442
+
443
+ [eap] Request found, released from the list
444
+
445
+ [eap] EAP NAK
446
+
447
+ [eap] NAK asked for bad type 0
448
+
449
+ [eap] Failed in EAP select
450
+
451
+ ++[eap] = invalid
452
+
453
+ +} # group authenticate = invalid
454
+
455
+ Failed to authenticate the user.
456
+
457
+ Login incorrect: [user/<via Auth-Type = EAP>] (from client private-network-1 port 5 cli 00-22-CF-F9-2E-04)
458
+
459
+ Using Post-Auth-Type Reject
460
+
461
+ # Executing group from file /etc/freeradius/sites-enabled/default
462
+
463
+ +group REJECT {
464
+
465
+ [eap] Reply already contained an EAP-Message, not inserting EAP-Failure
466
+
467
+ ++[eap] = noop
468
+
469
+ [attr_filter.access_reject] expand: %{User-Name} -> user
470
+
471
+ attr_filter: Matched entry DEFAULT at line 11
472
+
473
+ ++[attr_filter.access_reject] = updated
474
+
475
+ +} # group REJECT = updated
476
+
75
477
  Delaying reject of request 1 for 1 seconds
76
478
 
77
479
  Going to the next request
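Review bot: The wpa_supplicant log added in this hunk already shows why EAP-TLS fails on the client, before anything on the RADIUS side comes into play: `OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory`, followed by `EAP-TLS: Failed to initialize SSL.` and `EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed)`. The supplicant cannot open the configured CA certificate file (the `tls_load_ca_der` line shows the DER fallback failing on the same path), so it never starts the TLS handshake and answers the server's TLS start with a NAK, which FreeRADIUS then reports as `[eap] NAK asked for bad type 0` and `Failed in EAP select`. The `Reply-Message = "20180328Hello, user"` in the Access-Challenge is not evidence of success: it is set by the `files` module in the `authorize` section (`[files] expand: 20180328Hello, %{User-Name} -> 20180328Hello, user`) before any authentication has happened. The question would be easier to answer if it also showed the `ca_cert`, `client_cert` and `private_key` entries from /etc/wpa_supplicant.conf and confirmed that those files exist and are readable by the user running wpa_supplicant.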
@@ -80,126 +482,24 @@
80
482
 
81
483
  Sending delayed reject for request 1
82
484
 
83
- Sending Access-Reject of id 1 to 192.168.0.34 port 43842
485
+ Sending Access-Reject of id 136 to 192.168.1.253 port 50587
84
-
486
+
85
- Reply-Message = "20180327Hello, user"
487
+ Reply-Message = "20180328Hello, user"
86
-
488
+
87
- EAP-Message = 0x04010004
489
+ EAP-Message = 0x04020004
88
490
 
89
491
  Message-Authenticator = 0x00000000000000000000000000000000
90
492
 
91
493
  Waking up in 3.9 seconds.
92
494
 
93
- Cleaning up request 0 ID 0 with timestamp +6
495
+ Cleaning up request 0 ID 136 with timestamp +6
94
496
 
95
497
  Waking up in 1.0 seconds.
96
498
 
97
- Cleaning up request 1 ID 1 with timestamp +6
499
+ Cleaning up request 1 ID 136 with timestamp +6
98
500
 
99
501
  Ready to process requests.
100
502
 
503
+
504
+
101
505
  ```
102
-
103
-
104
-
105
-
106
-
107
- <eapol_test>
108
-
109
- ```
110
-
111
- EAPOL: SUPP_BE entering state RECEIVE
112
-
113
- Received 65 bytes from RADIUS server
114
-
115
- Received RADIUS message
116
-
117
- RADIUS message: code=3 (Access-Reject) identifier=1 length=65
118
-
119
- Attribute 18 (Reply-Message) length=21
120
-
121
- Value: '20180327Hello, user'
122
-
123
- Attribute 79 (EAP-Message) length=6
124
-
125
- Value: 04 01 00 04
126
-
127
- Attribute 80 (Message-Authenticator) length=18
128
-
129
- Value: bd d5 54 1d ef af 23 1a f8 a7 ca e7 69 a1 6a d7
130
-
131
- STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec
132
-
133
-
134
-
135
- RADIUS packet matching with station
136
-
137
- decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure
138
-
139
- EAPOL: Received EAP-Packet frame
140
-
141
- EAPOL: SUPP_BE entering state REQUEST
142
-
143
- EAPOL: getSuppRsp
144
-
145
- EAP: EAP entering state RECEIVED
146
-
147
- EAP: Received EAP-Failure
148
-
149
- EAP: EAP entering state FAILURE
150
-
151
- CTRL-EVENT-EAP-FAILURE EAP authentication failed
152
-
153
- EAPOL: SUPP_PAE entering state HELD
154
-
155
- EAPOL: SUPP_BE entering state RECEIVE
156
-
157
- EAPOL: SUPP_BE entering state FAIL
158
-
159
- EAPOL: SUPP_BE entering state IDLE
160
-
161
- eapol_sm_cb: success=0
162
-
163
- EAPOL: EAP key not available
164
-
165
- Control interface directory not empty - leaving it behind
166
-
167
- MPPE keys OK: 0 mismatch: 1
168
-
169
- FAILURE
170
-
171
-
172
-
173
-
174
-
175
- ```
176
-
177
-
178
-
179
-
180
-
181
-
182
-
183
- ### 試したこと
184
-
185
- クライアントPCよりeapol_testを行いました。
186
-
187
- PEAPは成功したのに、TLSがうまくいきません。
188
-
189
-
190
-
191
- ### 補足情報(FW/ツールのバージョンなど)
192
-
193
-
194
-
195
- 使用している証明書はプライベートCAを構築し、サーバー証明書とクライアント証明書を作成しました。
196
-
197
- サーバー証明書とクライアント証明書の認証局は同じプライベートCAになります。
198
-
199
-
200
-
201
-
202
-
203
- FreeRADIUS側はSuccessのようなログがでますが、クライアントPC側はfailedが出ています。
204
-
205
- クライアント証明書が悪いのでしょうか?
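Review bot: The `### 試したこと` and `### 補足情報` text removed here is re-added earlier in this revision with characters missing: the removed `PEAPは成功したのに、TLSがうまくいきません。` reappears as `PEAPは成功たのに、TLSがうまくきません。`, so the original wording should be carried over when the sections are moved. Dropping the old `<eapol_test>` output is fine, since it showed the same result as the new wpa_supplicant log (`decapsulated EAP packet (code=4 id=1 len=4) from RADIUS server: EAP Failure`), but a one-line mention that eapol_test ended in the same failure would keep that evidence in the question.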

1

Added tags

2018/03/29 01:13

Posted

ma-yu

Score 57

test CHANGED
@@ -1 +1 @@
1
- FREERADIUSEAP-TLSにつ
1
+ FreeRADIUSEAP-TLS認証がした
test CHANGED
File without changes