Elektron radius & EAP-TLS problem.
Last Post: February 2, 2010:
-
Hello,
I know a lot of you guys here use Elektron RADIUS, either for experimenting with stuff or even in production environments.
As part of my CWSP studies, and after reading Jim Geier's famous book about implementing 802.1x, I decided to give the whole world of 802.1x a try.
I am using Elektron v2.1.2376 (installed on an XP Pro SP2 PC), and tried previous versions too, trying to authenticate XP clients (Broadcom 1395 wireless utility and another Realtek 8187L Alfa card wireless utility) using EAP-TLS, with no success.
EAP-TTLS and PEAP (MS-CHAP v2) work fine with no problem, and I can verify the server certificate too in both cases.
I made my own CA, server and client certs using the XCA tool with the EKUs needed for XP, imported the CA and server certs and keys into Elektron, and made the 3 certs trusted. The CA and client certs are imported into the XP client PC.
I'm not sure what I am doing wrong, but I have already started to pull my hair out; it's been 3 days now and it's very confusing!
Here's a part of Elektron's error log:
Extensible Authentication Protocol
Code: Request (1)
Id: 14
Length: 749
Type: EAP-TLS (13)
Flags(0xD): Length
t:EAP Message(79) l:255
Extensible Authentication Protocol
EAP Message Fragment
t:EAP Message(79) l:245
Extensible Authentication Protocol
EAP Message Fragment
t:State(24) l:16, Value:61D17C5D1A175651D21EAD4A00000003
t:Message-Authenticator(80) l:16, Value:95B359560B63B8A1FCDA92018A6AEC2C
23:26:18 10/05/2009 retransmitting packet for session 6
23:26:18 10/05/2009 RADIUS packet sent from StillSRV to 192.168.1.5
Code: Access Challenge (11)
Packet identifier: 0x3
Length: 811
Authenticator: 488656CB732BAAC1F446EF2B1B3FD2E5
Attribute value pairs
t:EAP Message(79) l:255
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 749
Type: EAP-TLS (13)
Flags(0xD): Length
t:EAP Message(79) l:255
Extensible Authentication Protocol
EAP Message Fragment
t:EAP Message(79) l:245
Extensible Authentication Protocol
EAP Message Fragment
t:EAP Message(79) l:255
Extensible Authentication Protocol
EAP Message Fragment
t:EAP Message(79) l:19
Extensible Authentication Protocol
EAP Message Fragment
t:State(24) l:16, Value:ABA91B58035B59A23876C26700000005
t:Message-Authenticator(80) l:16, Value:10E656AB6FF477DC2C767887E5A9DA28
23:26:18 10/05/2009 released session 5
23:26:18 10/05/2009 RADIUS packet received from 192.168.1.5 to StillSRV
Code: Access Request (1)
Packet identifier: 0x8
Length: 205
Authenticator: 671270B14FBA648A22A31F665658052F
Attribute value pairs
t:Message-Authenticator(80) l:16, Value:E5C0CD520FC494D143BD3E7D107FBBDB
t:Service-Type(6) l:4, Value:Framed (2)
t:User-Name(1) l:6, Value:5374696C6C00
t:Framed-MTU(12) l:4, Value:1488
t:State(24) l:16, Value:ABA91B58035B59A23876C26700000005
t:Called-Station-Id(30) l:23, Value:"00-1E-58-B1-BD-79:Geeky"
t:Calling-Station-Id(31) l:17, Value:"00-05-65-5F-21-DC"
t:NAS-Identifier(32) l:19, Value:"D-Link Access Point"
t:NAS-Port-Type(61) l:4, Value:Wireless-IEEE-802.11 (19)
t:Connect-Info(77) l:22, Value:"CONNECT 54Mbps 802.11g"
t:EAP Message(79) l:8
Extensible Authentication Protocol
Code: Response (2)
Id: 8
Length: 6
Type: EAP-TLS (13)
Flags(0xD):
00 .
t:NAS-IP-Address(4) l:4, Value:192.168.1.5
t:NAS-Port(5) l:4, Value:2
t:Unknown(87) l:12, Value:53544120706F727420232032
23:26:18 10/05/2009 acquiring session 5
23:26:18 10/05/2009 retrieved session 5
23:26:18 10/05/2009 RADIUS packet sent from StillSRV to 192.168.1.5
Code: Access Challenge (11)
Packet identifier: 0x8
Length: 811
Authenticator: 3E0A8E45DCB7B57F31731AD7D0A2DF74
Attribute value pairs
t:EAP Message(79) l:255
Extensible Authentication Protocol
Code: Request (1)
Id: 9
Length: 749
Type: EAP-TLS (13)
Flags(0xD): Length
t:EAP Message(79) l:255
Extensible Authentication Protocol
EAP Message Fragment
t:EAP Message(79) l:245
Extensible Authentication Protocol
EAP Message Fragment
t:State(24) l:16, Value:AD39392E58AF5476D1A3F01100000005
t:Message-Authenticator(80) l:16, Value:62B63AF3E60A44AE8AFD7C5A7D5510C8
23:26:18 10/05/2009 released session 5
Any kind of input is really appreciated,
Thanks in advance.
Mohamed Hany -
I find that troubleshooting EAP authentication helps when you watch it with a packet capture (sorry, I know that is a no-brainer). If you understand the frame exchanges included in the authentication, you can identify where it is hanging up. That may help you to identify if it is a server or client certificate problem and you can go from there.
-
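The frame-by-frame check suggested above, as an added example that is not part of the original thread: it decodes the EAP-TLS header (flags and the optional TLS Message Length, per RFC 5216) of each captured EAP packet and reports which side failed to send the next one. The packets in `SAMPLE` are constructed for illustration, and `parse_eap_tls`, `where_it_stalls` and `build` are names chosen here.

```python
import struct
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # EAP-TLS flag bits (RFC 5216, section 3.1)
EAP_TLS = 13                                # EAP method type for EAP-TLS

def parse_eap_tls(pkt):
    """Decode one EAP packet and classify its role in EAP-TLS fragmentation."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match the bytes supplied")
    info = {"code": code, "id": ident, "kind": "other", "tls_total": None}
    if code in (1, 2) and length >= 6 and pkt[4] == EAP_TLS:
        flags, body = pkt[5], pkt[6:]
        if flags & FLAG_L:                  # 4-byte total TLS message length follows
            if len(body) < 4:
                raise ValueError("L flag set but TLS Message Length is missing")
            info["tls_total"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        info["kind"] = ("start" if flags & FLAG_S else "ack" if not body
                        else "fragment" if flags & FLAG_M else "final")
    return info

STALLS = {  # (EAP code, kind) of the last packet seen -> what should have come next
    (1, "start"): "peer never answered EAP-TLS Start",
    (1, "fragment"): "peer never acknowledged a server fragment",
    (1, "final"): "peer sent no TLS data after the server's complete flight",
    (2, "ack"): "server never sent the next fragment",
    (2, "fragment"): "server never acknowledged a peer fragment",
    (2, "final"): "server never answered the peer's TLS message",
}

def where_it_stalls(packets):   # packets: EAP payloads in capture order
    parsed = [parse_eap_tls(p) for p in packets]
    retx = sum(a["code"] == b["code"] == 1 and a["id"] == b["id"]
               for a, b in zip(parsed, parsed[1:]))   # repeated Request Ids
    last = (parsed[-1]["code"], parsed[-1]["kind"])
    return STALLS.get(last, "exchange ended with a non-EAP-TLS packet"), retx

def build(code, ident, flags, data=b"", total=None):   # helper for constructed samples
    length_field = struct.pack("!I", total) if total is not None else b""
    body = bytes([EAP_TLS, flags]) + length_field + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

SAMPLE = [  # constructed capture: 1500-byte server flight sent as 1000 + 500 bytes
    build(1, 1, FLAG_S),                                       # server: Start
    build(2, 1, FLAG_L, b"\x16" * 100, total=100),             # peer: first TLS message
    build(1, 2, FLAG_L | FLAG_M, b"\x16" * 1000, total=1500),  # server: fragment 1
    build(2, 2, 0),                                            # peer: ACK (EAP length 6)
    build(1, 3, 0, b"\x16" * 500),                             # server: last fragment
    build(1, 3, 0, b"\x16" * 500),                             # server: retransmission
]
```

Calling `where_it_stalls(SAMPLE)` returns the diagnosis string and the number of retransmitted requests; feed it the reassembled EAP-Message payloads from a capture in order.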
Thanks for the reply, Marcus.
Just to make sure I am on solid ground, what are the exact requirements for the Windows certificates needed for EAP-TLS authentication?
Supplicant side:
CA cert. to be imported in trusted root cert. auth.
Client cert. to be imported in Personal
*Both in (Current User) certificates.
Server side:
CA cert. to be imported in trusted root cert. auth.
Server cert. to be imported in Personal
Client cert. to be imported in Personal
*All in (Local Computer) certificates.
The client and server certs have the appropriate EKUs needed for Windows EAP-TLS auth.
Am I correct on the above configurations?
Which of the above certs need to be associated with their private keys, Personal certs only?
And is it true that in the client certs, a Subject Alternative Name extension must exist with a UPN value (equal to username)?
Sorry if this is basic stuff, but confusion is driving me crazy.
Thanks.
Mohamed Hany -
You don't need a client certificate on the server. You just have to ensure that the CA of the client's certificate and the server's CA are the same or under the same root CA.
-Ramprasad.