CentOS 6.3 RADIUS - Keine Verbindung möglich

G

Gast123

Hallo Leute,

ich möchte für einen WiFi-Access point einen RADIUS Server mit freeradius aufsetzen.
Ich bin dabei nach diesem Tutorial vorgegangen:
http://wiki.freeradius.org/guide/HOWTO
Das Verbinden per Konsole klappt wie angegeben.
Ich habe den Access Point ind die clients.conf eingetragen:
Code:
# -*- text -*-
##
## clients.conf -- client configuration directives
##
##	$Id$

#######################################################################
#
#  Define RADIUS clients (usually a NAS, Access Point, etc.).

#
#  Defines a RADIUS client.
#
#  '127.0.0.1' is another name for 'localhost'.  It is enabled by default,
#  to allow testing of the server after an initial installation.  If you
#  are not going to be permitting RADIUS queries from localhost, we suggest
#  that you delete, or comment out, this entry.
#
#

#
#  Each client has a "short name" that is used to distinguish it from
#  other clients.
#
#  In version 1.x, the string after the word "client" was the IP
#  address of the client.  In 2.0, the IP address is configured via
#  the "ipaddr" or "ipv6addr" fields.  For compatibility, the 1.x
#  format is still accepted.
#
client localhost {
	#  Allowed values are:
	#	dotted quad (1.2.3.4)
	#       hostname    (radius.example.com)
	ipaddr = 127.0.0.1

	#  OR, you can use an IPv6 address, but not both
	#  at the same time.
#	ipv6addr = ::	# any.  ::1 == localhost

	#
	#  A note on DNS:  We STRONGLY recommend using IP addresses
	#  rather than host names.  Using host names means that the
	#  server will do DNS lookups when it starts, making it
	#  dependent on DNS.  i.e. If anything goes wrong with DNS,
	#  the server won't start!
	#
	#  The server also looks up the IP address from DNS once, and
	#  only once, when it starts.  If the DNS record is later
	#  updated, the server WILL NOT see that update.
	#

	#  One client definition can be applied to an entire network.
	#  e.g. 127/8 should be defined with "ipaddr = 127.0.0.0" and
	#  "netmask = 8"
	#
	#  If not specified, the default netmask is 32 (i.e. /32)
	#
	#  We do NOT recommend using anything other than 32.  There
	#  are usually other, better ways to achieve the same goal.
	#  Using netmasks of other than 32 can cause security issues.
	#
	#  You can specify overlapping networks (127/8 and 127.0/16)
	#  In that case, the smallest possible network will be used
	#  as the "best match" for the client.
	#
	#  Clients can also be defined dynamically at run time, based
	#  on any criteria.  e.g. SQL lookups, keying off of NAS-Identifier,
	#  etc.
	#  See raddb/sites-available/dynamic-clients for details.
	#

#	netmask = 32

	#
	#  The shared secret use to "encrypt" and "sign" packets between
	#  the NAS and FreeRADIUS.  You MUST change this secret from the
	#  default, otherwise it's not a secret any more!
	#
	#  The secret can be any string, up to 8k characters in length.
	#
	#  Control codes can be entered vi octal encoding,
	#	e.g. "\101\102" == "AB"
	#  Quotation marks can be entered by escaping them,
	#	e.g. "foo\"bar"
	#
	#  A note on security:  The security of the RADIUS protocol
	#  depends COMPLETELY on this secret!  We recommend using a
	#  shared secret that is composed of:
	#
	#	upper case letters
	#	lower case letters
	#	numbers
	#
	#  And is at LEAST 8 characters long, preferably 16 characters in
	#  length.  The secret MUST be random, and should not be words,
	#  phrase, or anything else that is recognizable.
	#
	#  The default secret below is only for testing, and should
	#  not be used in any real environment.
	#
	secret		= testing123

	#
	#  Old-style clients do not send a Message-Authenticator
	#  in an Access-Request.  RFC 5080 suggests that all clients
	#  SHOULD include it in an Access-Request.  The configuration
	#  item below allows the server to require it.  If a client
	#  is required to include a Message-Authenticator and it does
	#  not, then the packet will be silently discarded.
	#
	#  allowed values: yes, no
	require_message_authenticator = no

	#
	#  The short name is used as an alias for the fully qualified
	#  domain name, or the IP address.
	#
	#  It is accepted for compatibility with 1.x, but it is no
	#  longer necessary in 2.0
	#
#	shortname	= localhost

	#
	# the following three fields are optional, but may be used by
	# checkrad.pl for simultaneous use checks
	#

	#
	# The nastype tells 'checkrad.pl' which NAS-specific method to
	#  use to query the NAS for simultaneous use.
	#
	#  Permitted NAS types are:
	#
	#	cisco
	#	computone
	#	livingston
	#	max40xx
	#	multitech
	#	netserver
	#	pathras
	#	patton
	#	portslave
	#	tc
	#	usrhiper
	#	other		# for all other types

	#
	nastype     = other	# localhost isn't usually a NAS...

	#
	#  The following two configurations are for future use.
	#  The 'naspasswd' file is currently used to store the NAS
	#  login name and password, which is used by checkrad.pl
	#  when querying the NAS for simultaneous use.
	#
#	login       = !root
#	password    = someadminpas

	#
	#  As of 2.0, clients can also be tied to a virtual server.
	#  This is done by setting the "virtual_server" configuration
	#  item, as in the example below.
	#
#	virtual_server = home1

	#
	#  A pointer to the "home_server_pool" OR a "home_server"
	#  section that contains the CoA configuration for this
	#  client.  For an example of a coa home server or pool,
	#  see raddb/sites-available/originate-coa
#	coa_server = coa
}

# IPv6 Client
#client ::1 {
#	secret		= testing123
#	shortname	= localhost
#}
#
# All IPv6 Site-local clients
#client fe80::/16 {
#	secret		= testing123
#	shortname	= localhost
#}

#client some.host.org {
#	secret		= testing123
#	shortname	= localhost
#}

#
#  You can now specify one secret for a network of clients.
#  When a client request comes in, the BEST match is chosen.
#  i.e. The entry from the smallest possible network.
#
#client 192.168.0.0/24 {
#	secret		= testing123-1
#	shortname	= private-network-1
#}
#
#client 192.168.0.0/16 {
#	secret		= testing123-2
#	shortname	= private-network-2
#}


client dir655 {
	# secret and password are mapped through the "secrets" file.
	secret      = CSH-RadiusPW
	shortname   = dir655
       # the following three fields are optional, but may be used by
       # checkrad.pl for simultaneous usage checks
#	nastype     = livingston
#	login       = !root
#	password    = someadminpas
}

client thinkpad {
	secret	= CSH-RadiusPW
	shortname = thinkpad
}

#######################################################################
#
#  Per-socket client lists.  The configuration entries are exactly
#  the same as above, but they are nested inside of a section.
#
#  You can have as many per-socket client lists as you have "listen"
#  sections, or you can re-use a list among multiple "listen" sections.
#
#  Un-comment this section, and edit a "listen" section to add:
#  "clients = per_socket_clients".  That IP address/port combination
#  will then accept ONLY the clients listed in this section.
#
#clients per_socket_clients {
#	client 192.168.3.4 {
#		secret = testing123
#        }
#}
Und den Access Point für den RADIUS Server konfiguriert.
Dann habe ich einen Benutzer (neumannr) angelegt:
Code:
#
#	Please read the documentation file ../doc/processing_users_file,
#	or 'man 5 users' (after installing the server) for more information.
#
#	This file contains authentication security and configuration
#	information for each user.  Accounting requests are NOT processed
#	through this file.  Instead, see 'acct_users', in this directory.
#
#	The first field is the user's name and can be up to
#	253 characters in length.  This is followed (on the same line) with
#	the list of authentication requirements for that user.  This can
#	include password, comm server name, comm server port number, protocol
#	type (perhaps set by the "hints" file), and huntgroup name (set by
#	the "huntgroups" file).
#
#	If you are not sure why a particular reply is being sent by the
#	server, then run the server in debugging mode (radiusd -X), and
#	you will see which entries in this file are matched.
#
#	When an authentication request is received from the comm server,
#	these values are tested. Only the first match is used unless the
#	"Fall-Through" variable is set to "Yes".
#
#	A special user named "DEFAULT" matches on all usernames.
#	You can have several DEFAULT entries. All entries are processed
#	in the order they appear in this file. The first entry that
#	matches the login-request will stop processing unless you use
#	the Fall-Through variable.
#
#	If you use the database support to turn this file into a .db or .dbm
#	file, the DEFAULT entries _have_ to be at the end of this file and
#	you can't have multiple entries for one username.
#
#	Indented (with the tab character) lines following the first
#	line indicate the configuration values to be passed back to
#	the comm server to allow the initiation of a user session.
#	This can include things like the PPP configuration values
#	or the host to log the user onto.
#
#	You can include another `users' file with `$INCLUDE users.other'
#

#
#	For a list of RADIUS attributes, and links to their definitions,
#	see:
#
#	http://www.freeradius.org/rfc/attributes.html
#

#
# Deny access for a specific user.  Note that this entry MUST
# be before any other 'Auth-Type' attribute which results in the user
# being authenticated.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#lameuser	Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."

#
# Deny access for a group of users.
#
# Note that there is NO 'Fall-Through' attribute, so the user will not
# be given any additional resources.
#
#DEFAULT	Group == "disabled", Auth-Type := Reject
#		Reply-Message = "Your account has been disabled."
#

#
# This is a complete entry for "steve". Note that there is no Fall-Through
# entry so that no DEFAULT entry will be used, and the user will NOT
# get any attributes in addition to the ones listed here.
#
neumannr	Cleartext-Password := "testing"
#steve	Cleartext-Password := "testing"
#	Service-Type = Framed-User,
#	Framed-Protocol = PPP,
#	Framed-IP-Address = 172.16.3.33,
#	Framed-IP-Netmask = 255.255.255.0,
#	Framed-Routing = Broadcast-Listen,
#	Framed-Filter-Id = "std.ppp",
#	Framed-MTU = 1500,
#	Framed-Compression = Van-Jacobsen-TCP-IP

#
# This is an entry for a user with a space in their name.
# Note the double quotes surrounding the name.
#
#"John Doe"	Cleartext-Password := "hello"
#		Reply-Message = "Hello, %{User-Name}"

#
# Dial user back and telnet to the default host for that port
#
#Deg	Cleartext-Password := "ge55ged"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = 0.0.0.0,
#	Callback-Number = "9,5551212",
#	Login-Service = Telnet,
#	Login-TCP-Port = Telnet

#
# Another complete entry. After the user "dialbk" has logged in, the
# connection will be broken and the user will be dialed back after which
# he will get a connection to the host "timeshare1".
#
#dialbk	Cleartext-Password := "callme"
#	Service-Type = Callback-Login-User,
#	Login-IP-Host = timeshare1,
#	Login-Service = PortMaster,
#	Callback-Number = "9,1-800-555-1212"

#
# user "swilson" will only get a static IP number if he logs in with
# a framed protocol on a terminal server in Alphen (see the huntgroups file).
#
# Note that by setting "Fall-Through", other attributes will be added from
# the following DEFAULT entries
#
#swilson	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.65,
#		Fall-Through = Yes

#
# If the user logs in as 'username.shell', then authenticate them
# using the default method, give them shell access, and stop processing
# the rest of the file.
#
#DEFAULT	Suffix == ".shell"
#		Service-Type = Login-User,
#		Login-Service = Telnet,
#		Login-IP-Host = your.shell.machine


#
# The rest of this file contains the several DEFAULT entries.
# DEFAULT entries match with all login names.
# Note that DEFAULT entries can also Fall-Through (see first entry).
# A name-value pair from a DEFAULT entry will _NEVER_ override
# an already existing name-value pair.
#

#
# Set up different IP address pools for the terminal servers.
# Note that the "+" behind the IP address means that this is the "base"
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "alphen"
#		Framed-IP-Address = 192.168.1.32+,
#		Fall-Through = Yes

#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == "delft"
#		Framed-IP-Address = 192.168.2.32+,
#		Fall-Through = Yes

#
# Sample defaults for all framed connections.
#
#DEFAULT	Service-Type == Framed-User
#	Framed-IP-Address = 255.255.255.254,
#	Framed-MTU = 576,
#	Service-Type = Framed-User,
#	Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = "PPP", since PPP might also be auto-detected
#	by the terminal server in which case there may not be a "P" suffix.
#	The terminal server sends "Framed-Protocol = PPP" for auto PPP.
#
DEFAULT	Framed-Protocol == PPP
	Framed-Protocol = PPP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
DEFAULT	Hint == "CSLIP"
	Framed-Protocol = SLIP,
	Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
DEFAULT	Hint == "SLIP"
	Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#	Service-Type = Login-User,
#	Login-Service = Rlogin,
#	Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
# 	Service-Type = Administrative-User

# On no match, the user is denied access.
Das Testen mit radtest funktionierte prima.
Leider passiert beim Versuch, mich mit dem WLAN zu verbinden folgendes:
Code:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=20, length=75
	User-Name = "neumannr"
	NAS-IP-Address = 192.168.178.3
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0212000d016e65756d616e6e72
	Message-Authenticator = 0xbe4e8498b1305bc0c9e599042b8c98de
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 18 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry neumannr at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 20 to 192.168.178.3 port 4097
	EAP-Message = 0x0113001604104c38534b252c3ddf3a967331284453d7
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x566a0b4156790fe6dc3e4dc407c5d04f
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=21, length=86
	User-Name = "neumannr"
	NAS-IP-Address = 192.168.178.3
	NAS-Port-Type = Wireless-802.11
	State = 0x566a0b4156790fe6dc3e4dc407c5d04f
	EAP-Message = 0x021300060319
	Message-Authenticator = 0x1acdb2f6c137ea94f7105f3b97674208
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 19 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry neumannr at line 76
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 21 to 192.168.178.3 port 4097
	EAP-Message = 0x011400061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x566a0b41577e12e6dc3e4dc407c5d04f
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=22, length=202
	User-Name = "neumannr"
	NAS-IP-Address = 192.168.178.3
	NAS-Port-Type = Wireless-802.11
	State = 0x566a0b41577e12e6dc3e4dc407c5d04f
	EAP-Message = 0x0214007a198000000070160301006b01000067030151058b7cda730bbe539a79b90f1eb4329b95a7f11051447e052e8ebcaa6d49a8000018002f00350005000ac013c014c009c00a003200380013000401000026ff010001000000000d000b0000086e65756d616e6e72000a0006000400170018000b00020100
	Message-Authenticator = 0x35d9916ca9320b88fffda598bcf5dbd8
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 20 length 122
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 112
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 006b], ClientHello  
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello  
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 085e], Certificate  
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 22 to 192.168.178.3 port 4097
	EAP-Message = 0x0115040019c0000008a216030100310200002d030151058b7b1f314397d412be94576744824b9844ba144df3fef8c0332a055428b600002f000005ff01000100160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c65204365727469666963617465204175
	EAP-Message = 0x74686f72697479301e170d3133303132373138323534345a170d3133303332383138323534345a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c7c0b7db8ff137fd2a657db85256dd6adc680406ded04e8a334e040c1566c7df1aba7d39c5c13346f45dc395a2f0a7eeb7366a0e13ede5
	EAP-Message = 0x6f98437e2a5709edf0145151df5634ecc18f70580535e9c54d2968c4f95e581065d878786ffd3c31f2d0fc2158498fe8331a0f5e6212bd207b878becfd0a0af13cf90f529f568d8959b49df56ab41e6289424316458cd1024a961b9c6dd447bc63a5cadb60cc1b4c56ccebe2b1ba938d85c3141c6d6c287bff61a2eca88914fad4936f3d66d91370de2871c1e030c877c798778c5e057d06dda3de5dba4962e00bf86834c8d06238414ee98d89937c68bcb783bc9345910503b5fe06f65bb54c0f1fc9e5b127149ff70203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003820101009b94
	EAP-Message = 0x0f6bbd692a4b3921f0f52a43f60b3ea2bbb603d336b59fa07b966cdb2b6cc896565c12f0ecede20da26f36eefeaa662c9110db75a5d1bf90d4c20265394600d506f0109906965871fe16ae1a133c97a6bdfc2c5e67ca6dc1a67ffff20c3ed2e4c198a15dd2b53b4f12b2bc942fc8c724d48a1891b261b9583be98f7b7d7d649f293c131ebf7c277353b8bc264cce1a9ba7f540a7b79263120c6ae6569e10f6eb8c15f381d7dd870c4e90e9e98f298ff7c380ac51aa1f83fbed18b676b79096fb79f7bc67be2fc20167038cb3f67925e79a1cbb9bd497acd2b16e1aa5d1d9502972d1aa07af3ebd3d440962809fb686df4c762d2aa9c44309123a628dda
	EAP-Message = 0x740004ab308204a73082038f
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x566a0b41547f12e6dc3e4dc407c5d04f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=23, length=86
	User-Name = "neumannr"
	NAS-IP-Address = 192.168.178.3
	NAS-Port-Type = Wireless-802.11
	State = 0x566a0b41547f12e6dc3e4dc407c5d04f
	EAP-Message = 0x021500061900
	Message-Authenticator = 0x31e6efbf4ff8433dd71c5ff2b94e267e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 21 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.168.178.3 port 4097
	EAP-Message = 0x011603fc1940a003020102020900e792485d9d919b72300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3133303132373138323534345a170d3133303332383138323534345a308193310b3009060355040613024652310f300d0603550408130652616469757331
	EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100df1b25c1349f4920b36a93e10324b57845368c176dcc9db53fb8d55d95cc0efce7a3d51f072db517f450288ff1caa0b248ab499dbfb938c785afc7ddd3f415d32fab58b5d29c77366a1f3ff0bac7dd8cf2ce879d8a93ccd467a7ed49809c663de9c42a02a4937347
	EAP-Message = 0xa1e9a23ea63fecf365dd3b368378a9d4aedb9f294928951850300b010b825ae940730da32126170da928f1cc967985a5702a7f228557e7dd28ff4a139312ae3ed27ad4f9825175b7bc5510498660a2dce4a1a414d70a4d19d45bd6892ba022f5e9eafc0d85156c47b685bb38c3fe213da5f1b0f01e4af97102bc6cd0875df49699af26ee8c90613ed32e8ef4d4950004461d4d1d27dda5df0203010001a381fb3081f8301d0603551d0e04160414e46140509ee19bfa7d5ba94c21d5a18d520d41733081c80603551d230481c03081bd8014e46140509ee19bfa7d5ba94c21d5a18d520d4173a18199a48196308193310b300906035504061302465231
	EAP-Message = 0x0f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e792485d9d919b72300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c9edf55fbcc14e434565b36bb8fd410526829bef277dabcc2843a8dfbda0e43993be01539bd252fc26f91d33c84ba58eeab86216c0222c8bc406f0fb6e96190647ccf34b42503394df3ef2
	EAP-Message = 0x2223ae0afe0dea18
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x566a0b41557c12e6dc3e4dc407c5d04f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=24, length=86
	User-Name = "neumannr"
	NAS-IP-Address = 192.168.178.3
	NAS-Port-Type = Wireless-802.11
	State = 0x566a0b41557c12e6dc3e4dc407c5d04f
	EAP-Message = 0x021600061900
	Message-Authenticator = 0xf524ca03daa6bbb0be1d01a4f451fa17
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 22 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.168.178.3 port 4097
	EAP-Message = 0x011700bc1900817c1e3af8bfb4d040c95b2605a8d0f0e39747517535b55e96bf38c3a65864c80feafbee76ec737796c3a0d9cf6a0792a771b3e66a7f674bbd7071653ebac8e2a1a5fd16814b3f317f1d11ea18119872a31088b326fe16f94000be34f9c5b14147fef5b761059572045853fc62e1a6144b83d7aedcba36b7d02b850e47106e3e2bfce96919be48562ff75489ba9f25ba9b4bf780a539b37f332a4eed65685f5e1a2aca88c5f3256671be9b818816030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x566a0b41527d12e6dc3e4dc407c5d04f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.178.3 port 4097, id=25, length=97
	User-Name = "neumannr"
	NAS-IP-Address = 192.168.178.3
	NAS-Port-Type = Wireless-802.11
	State = 0x566a0b41527d12e6dc3e4dc407c5d04f
	EAP-Message = 0x0217001119800000000715030100020230
	Message-Authenticator = 0x9697f9833e3b2c1b0f84221679a042d5
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "neumannr", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 23 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca  
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4 
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> neumannr
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 25 to 192.168.178.3 port 4097
	EAP-Message = 0x04170004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
Cleaning up request 0 ID 20 with timestamp +20
Cleaning up request 1 ID 21 with timestamp +20
Cleaning up request 2 ID 22 with timestamp +20
Cleaning up request 3 ID 23 with timestamp +20
Cleaning up request 4 ID 24 with timestamp +20
Waking up in 1.0 seconds.
Cleaning up request 5 ID 25 with timestamp +21
Ready to process requests.
Mache ich da was falsch, oder habe ich etwas übersehen.

MfG

Schard
 

Ähnliche Themen

Nginx als Reverse Proxy für Nextcloud und Emby

Zugriff Ubuntu 16.04. auf Freigabe 18.04. LTS nicht möglich

Adressvergabe in anderen Subnets

Samba4 AD DC

Debian Routing Problem

Zurück
Oben