Settings in the CPE unit
EAP-TTLS Username: cambium
EAP-TTLS Password: cambium
Authentication Identity String: anonymous-test
Authentication Identity Realm: cambiumnetworks.com
FreeRADIUS settings:
The cambium-ca.key and cambium-ca.crt were created according to the ePMP User Guide_v2.3.
eap.conf
tls {
    #
    # These are used to simplify later configurations.
    #
    certdir = ${confdir}/certs
    cadir = ${confdir}/certs
    private_key_password = 1234
    private_key_file = ${certdir}/cambium/cambium-ca.key
    certificate_file = ${certdir}/cambium/cambium-ca.crt
    dh_file = ${certdir}/dh
    random_file = ${certdir}/random
    cipher_list = "DEFAULT"
}
ttls {
    virtual_server = "inner-tunnel"
}
"users" file
cambium Cleartext-Password := "cambium"
        Cambium-ePMP-ULMB = 100,
        Cambium-ePMP-DLMB = 100,
        Cambium-ePMP-VLManagPVID = 20,
        Cambium-ePMP-VLDataPVID = 200
-----------------------------------------
radiusd -X output
rad_recv: Access-Request packet from host 10.12.29.60 port 56880, id=91, length=221
User-Name = "anonymous-test@cambiumnetworks.com"
NAS-Identifier = "Cambium-Device"
NAS-Port = 0
Called-Station-Id = "00-04-56-C7-C3-D2:Cambium-AP"
Calling-Station-Id = "00-04-56-C1-2C-F8"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02c9002701616e6f6e796d6f75732d746573744063616d6269756d6e6574776f726b732e636f6d
Message-Authenticator = 0x2539e0d5ffaea8adf2d0fa8e106bb97c
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++? if (NAS-Port-Type == '')
? Evaluating (NAS-Port-Type == '') -> FALSE
++? if (NAS-Port-Type == '') -> FALSE
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] expand: %t -> Tue Feb 3 11:45:49 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "cambiumnetworks.com" for User-Name = "anonymous-test@cambiumnetworks.com"
[suffix] No such realm "cambiumnetworks.com"
++[suffix] returns noop
[eap] EAP packet type response id 201 length 39
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] expand: %{User-Name} -> anonymous-test@cambiumnetworks.com
[files] expand: %{User-Name} -> anonymous-test@cambiumnetworks.com
++[files] returns noop
[sql] expand: %{User-Name} -> anonymous-test@cambiumnetworks.com
[sql] sql_set_user escaped user --> 'anonymous-test@cambiumnetworks.com'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'anonymous-test@cambiumnetworks.com' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'anonymous-test@cambiumnetworks.com' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
[sql] User anonymous-test@cambiumnetworks.com not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 91 to 10.12.29.60 port 56880
EAP-Message = 0x01ca00061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1afb6f1e165a38a5ea3ca2dba87e12c
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.29.60 port 56880, id=92, length=262
User-Name = "anonymous-test@cambiumnetworks.com"
NAS-Identifier = "Cambium-Device"
NAS-Port = 0
Called-Station-Id = "00-04-56-C7-C3-D2:Cambium-AP"
Calling-Station-Id = "00-04-56-C1-2C-F8"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02ca003e150016030100330100002f030100000a8b3169ba6e1041017cd59685709f512eba0e4dcda6b057011929e4fe54000008002f000a000500040100
State = 0xe1afb6f1e165a38a5ea3ca2dba87e12c
Message-Authenticator = 0xe1600cc45555e5f259a8872b153bf9b5
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++? if (NAS-Port-Type == '')
? Evaluating (NAS-Port-Type == '') -> FALSE
++? if (NAS-Port-Type == '') -> FALSE
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] expand: %t -> Tue Feb 3 11:45:49 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "cambiumnetworks.com" for User-Name = "anonymous-test@cambiumnetworks.com"
[suffix] No such realm "cambiumnetworks.com"
++[suffix] returns noop
[eap] EAP packet type response id 202 length 62
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0033], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0413], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 92 to 10.12.29.60 port 56880
EAP-Message = 0x8a497a5839b78e5b00d0116a
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1afb6f1e064a38a5ea3ca2dba87e12c
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.29.60 port 56880, id=93, length=206
User-Name = "anonymous-test@cambiumnetworks.com"
NAS-Identifier = "Cambium-Device"
NAS-Port = 0
Called-Station-Id = "00-04-56-C7-C3-D2:Cambium-AP"
Calling-Station-Id = "00-04-56-C1-2C-F8"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02cb00061500
State = 0xe1afb6f1e064a38a5ea3ca2dba87e12c
Message-Authenticator = 0x03cab8e8941d44e6eea9a7d2168a7b2e
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++? if (NAS-Port-Type == '')
? Evaluating (NAS-Port-Type == '') -> FALSE
++? if (NAS-Port-Type == '') -> FALSE
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] expand: %t -> Tue Feb 3 11:45:49 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "cambiumnetworks.com" for User-Name = "anonymous-test@cambiumnetworks.com"
[suffix] No such realm "cambiumnetworks.com"
++[suffix] returns noop
[eap] EAP packet type response id 203 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 93 to 10.12.29.60 port 56880
EAP-Message = 0x01cc0064158000000450f13dd823e7de85fa7a204442a9db86fdcea293d2eebe3aa73812282a95141b9746ccccdf0ed3216c236d440234d17422ccf10cfaee18d9bac9a57dece1d5b7704ebbdb8e08e52d2730584d951fdc21ff6e16030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xe1afb6f1e363a38a5ea3ca2dba87e12c
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.12.29.60 port 56880, id=94, length=213
User-Name = "anonymous-test@cambiumnetworks.com"
NAS-Identifier = "Cambium-Device"
NAS-Port = 0
Called-Station-Id = "00-04-56-C7-C3-D2:Cambium-AP"
Calling-Station-Id = "00-04-56-C1-2C-F8"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02cc000d150015030100020230
State = 0xe1afb6f1e363a38a5ea3ca2dba87e12c
Message-Authenticator = 0x739db21ec9753290595f31bc9e9a378d
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++? if (NAS-Port-Type == '')
? Evaluating (NAS-Port-Type == '') -> FALSE
++? if (NAS-Port-Type == '') -> FALSE
[auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.12.29.60/auth-detail-20150203
[auth_log] expand: %t -> Tue Feb 3 11:45:49 2015
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] Looking up realm "cambiumnetworks.com" for User-Name = "anonymous-test@cambiumnetworks.com"
[suffix] No such realm "cambiumnetworks.com"
++[suffix] returns noop
[eap] EAP packet type response id 204 length 13
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [anonymous-test@cambiumnetworks.com/<via Auth-Type = EAP>] (from client 10.12.29.60 port 0 cli 00-04-56-C1-2C-F8)
Using Post-Auth-Type Reject
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> anonymous-test@cambiumnetworks.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 3 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 3
Sending Access-Reject of id 94 to 10.12.29.60 port 56880
EAP-Message = 0x04cc0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 0 ID 91 with timestamp +51
Cleaning up request 1 ID 92 with timestamp +51
Cleaning up request 2 ID 93 with timestamp +51
Waking up in 1.0 seconds.
Cleaning up request 3 ID 94 with timestamp +51
Ready to process requests.
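To read the handshake in the trace without relying on the [ttls] interpretation lines, here is an added Python decoder (not from the post, Cambium or FreeRADIUS) for the EAP-Message values printed by radiusd -X: it parses the EAP header, the EAP-TTLS flags and the first TLS record, so the last Access-Request (id=94) decodes to the client's fatal unknown_ca alert, meaning the CPE rejected the certificate chain the server sent because it could not match it to a CA it trusts. TLS_ALERTS lists only the common certificate-related alert codes.

```python
import binascii

# Code points for the EAP / EAP-TTLS / TLS fields that appear in the radiusd -X output
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "TLS", 21: "TTLS"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 14: "ServerHelloDone"}
TLS_ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error"}

def decode_tls_record(rec):
    """Decode the first TLS record header in a fragment and name alerts / handshake types.
    Only meaningful for the fragment that starts a flight; a continuation starts mid-record."""
    ctype = rec[0]
    version = "SSL 3.0" if rec[2] == 0 else f"TLS 1.{rec[2] - 1}"
    rlen = int.from_bytes(rec[3:5], "big")
    info = {"content": TLS_CONTENT.get(ctype, ctype), "version": version, "length": rlen}
    if ctype == 21 and len(rec) >= 7:        # Alert: level (1 warning / 2 fatal), description
        level = "fatal" if rec[5] == 2 else "warning"
        info["alert"] = (level, TLS_ALERTS.get(rec[6], rec[6]))
    elif ctype == 22 and len(rec) >= 6:      # Handshake: first body byte is the message type
        info["handshake"] = HANDSHAKES.get(rec[5], rec[5])
    return info

def decode_eap_message(hexstr):
    """Decode one EAP-Message attribute value as printed by radiusd -X (0x-prefixed hex)."""
    data = binascii.unhexlify(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4 or int.from_bytes(data[2:4], "big") != len(data):
        raise ValueError("EAP header too short or length field does not match the data")
    code, ident = data[0], data[1]
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": len(data)}
    if code in (3, 4):                       # Success / Failure carry no Type field
        return out
    eap_type, payload = data[4], data[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                        # Identity: the outer NAI travels in the clear
        out["identity"] = payload.decode("ascii", "replace")
    elif eap_type in (13, 21) and payload:   # EAP-TLS / EAP-TTLS: flags, [length], TLS data
        flags = payload[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        body = payload[1:]
        if out["flags"]["L"]:                # L flag: 4-byte total TLS message length follows
            out["tls_total_length"] = int.from_bytes(body[:4], "big")
            body = body[4:]
        if len(body) >= 5:
            out["tls_record"] = decode_tls_record(body)
    return out
```

Feed it the EAP-Message values from each rad_recv block in order and the four steps of the trace (Identity, TTLS Start, ClientHello, Alert) fall out without guessing at the hex.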
---------------------------------------------------------------
As per the instructions on page 214, Issuance of certificates (sign_cert.sh), I created the following files.
Where should we put these files, how do we apply them to FreeRADIUS, and what are they used for?
ca.db.certs (01.pem)
ca.db.index
ca.db.index.attr
ca.db.serial
certificates (radius.cambium.com.crt radius.cambium.com.key radius.cambium.com.key.unsecure)
---------------------------------------------------------------
Did I miss anything here?
Thank you if someone can help me out.