This post explains how to install and configure FreeRADIUS, the only open-source option among authentication server solutions.
Compared with the expensive commercial authentication servers, there is exactly one reason it is released as open source: you get no technical support at all. I googled for several days, but could find hardly any websites covering it.
Note that to get technical support you have to pay.

Installation

FreeRADIUS supports almost every Linux distribution. It even supports Mac and Windows, but those are paid.
I first tried to download the source code and install from it. After a long struggle, however, I changed my mind and decided to install the binary package instead.

FreeRADIUS supports a number of different authentication methods; to use the TLS method the OpenSSL library must be installed beforehand. If you installed it with apt-get, TLS will work whether you then install FreeRADIUS with apt-get or from source.
If, however, you installed the OpenSSL library from source, you must point FreeRADIUS at its path when building it. To install OpenSSL with apt-get, run the following.

#apt-get install libssl-dev

Note that this guide assumes a Debian 6.0 host. The following single line completes the FreeRADIUS installation.

#apt-get install freeradius

For completeness, here is the source installation as well.

#tar xzf freeradius-server-2.2.0.tar.gz
#cd freeradius-server-2.2.0
#./configure --prefix=/usr/local/freeradius        # if OpenSSL was installed from source, its path must be specified separately
#make
#make install

The path of the installed libraries (the lib directory under the install prefix) must be registered with the dynamic linker. Add the following to /etc/ld.so.conf.

/usr/local/program/freeradius/lib

Then run 'ldconfig' to apply it.

Generating certificates

To use certificate-based authentication such as TLS, a certificate must be generated for the server and for each client.
Add the following to the Makefile under etc/raddb/certs (Makefiles use '#' for comments, so the note must not be written with '//').

.PHONY: all
all: index.txt serial dh random server ca client                   # client added

Run the build to generate them.

#make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
.......................................................+++
.......+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
		-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf
Generating a 2048 bit RSA private key
.................+++
.................................+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jul  9 09:07:26 2013 GMT
            Not After : Jul  9 09:07:26 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = Example Server Certificate
            emailAddress              = admin@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
Certificate is to be certified until Jul  9 09:07:26 2014 GMT (365 days)
 
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl verify -CAfile ca.pem server.pem
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
Generating a 2048 bit RSA private key
........................................................................................................................................+++
.............+++
writing new private key to 'client.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
Using configuration from ./client.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Jul  9 09:07:26 2013 GMT
            Not After : Jul  9 09:07:26 2014 GMT
        Subject:
            countryName               = FR
            stateOrProvinceName       = Radius
            organizationName          = Example Inc.
            commonName                = user@example.com
            emailAddress              = user@example.com
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
Certificate is to be certified until Jul  9 09:07:26 2014 GMT (365 days)
 
Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in client.p12 -out client.pem -passin pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password client.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
cp client.pem `grep emailAddress client.cnf | grep '@' | sed 's/.*=//;s/^ *//'`.pem

If generation succeeded, you should see the following files.

01.pem  Makefile  bootstrap  ca.der  ca.pem      client.crt  client.key  client.pem  index.txt       index.txt.attr.old  random  serial.old  server.crt  server.key  server.pem            xpextensions
02.pem  README    ca.cnf     ca.key  client.cnf  client.csr  client.p12  dh          index.txt.attr  index.txt.old       serial  server.cnf  server.csr  server.p12  user@example.com.pem

Testing basic operation

Once the installation has completed without problems, it is worth checking that basic operation works. Let's follow the test procedure described at http://freeradius.org/doc/.
Add the following to the file etc/raddb/users.

testing Cleartext-Password := "password"

Now start the RADIUS server in debug mode.

radiusd -X

Open a new terminal window and run the following.

#radtest testing password 127.0.0.1 0 testing123
Sending Access-Request of id 20 to 127.0.0.1 port 1812
	User-Name = "testing"
	User-Password = "password"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=20, length=20

If you received an Access-Accept as above, the test succeeded.
On the server side you will see messages like the following.

rad_recv: Access-Request packet from host 127.0.0.1 port 34126, id=66, length=77
	User-Name = "testing"
	User-Password = "password"
	NAS-IP-Address = 127.0.1.1
	NAS-Port = 0
	Message-Authenticator = 0x1ccec3db321f3b63ba36fbe0fb50e511
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry testing at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group PAP {...}
[pap] login attempt with password "password"
[pap] Using clear text password "password"
[pap] User authenticated successfully
++[pap] returns ok
# Executing section post-auth from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 66 to 127.0.0.1 port 34126
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 66 with timestamp +156
Ready to process requests.
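
The exchange radtest performs above, rebuilt offline as an added example (not code from the original post or from FreeRADIUS): it encrypts User-Password and computes Message-Authenticator with the shared secret testing123 as RFC 2865 and RFC 2869 specify, simulates the server's check against the users entry, and verifies the Access-Accept on the client side. The NAS address 127.0.1.1 and id 20 are taken from the radtest output; the resulting request is 77 bytes, the length the server logs above.

```python
"""Added example, not part of the original post or of FreeRADIUS: the packet
that `radtest testing password 127.0.0.1 0 testing123` sends, built and checked
offline with the standard library.  The server side is simulated in-process."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, MESSAGE_AUTHENTICATOR = 1, 2, 4, 5, 80


def attr(code, value):
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password; the server does this before comparing the
    result with the Cleartext-Password entry in the users file."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, user, password, nas_ip, nas_port):
    """Client (radtest) side.  Attribute order follows the radtest output above."""
    authenticator = os.urandom(16)                      # Request Authenticator
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, encrypt_password(password, secret, authenticator))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    # Message-Authenticator (RFC 2869 5.14) is HMAC-MD5 over the whole packet with
    # its own value zeroed, which is why radtest prints it as 0x0000...0000 above.
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + 18) + authenticator
    zeroed = header + attrs + attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    mac = hmac.new(secret, zeroed, hashlib.md5).digest()
    return header + attrs + attr(MESSAGE_AUTHENTICATOR, mac)


def parse_request(packet, secret):
    """Server side: split the attributes and verify the Message-Authenticator.
    Returns (authentic, attrs); a packet built with another secret fails."""
    attrs, pos, ma_off = {}, 20, None
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False, attrs                         # malformed attribute
        if code == MESSAGE_AUTHENTICATOR:
            ma_off = pos + 2
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    if ma_off is None:
        return False, attrs                             # require the attribute
    zeroed = packet[:ma_off] + b"\x00" * 16 + packet[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, attrs[MESSAGE_AUTHENTICATOR]), attrs


def build_reply(code, request, secret):
    """Accept/Reject without attributes (length 20, as in the radtest output).
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()


def verify_reply(reply, request, secret):
    """Client side: a reply forged by someone without the secret fails here."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


def simulate_radtest(client_secret, server_secret, users=None):
    """One exchange; returns (reply code, whether the client accepted the reply)."""
    users = users or {b"testing": b"password"}          # the users entry above
    req = build_access_request(20, client_secret, b"testing", b"password", "127.0.1.1", 0)
    authentic, attrs = parse_request(req, server_secret)
    code = ACCESS_REJECT
    if authentic:
        plain = decrypt_password(attrs[USER_PASSWORD], server_secret, req[4:20])
        if plain == users.get(attrs[USER_NAME]):
            code = ACCESS_ACCEPT
    reply = build_reply(code, req, server_secret)
    return code, verify_reply(reply, req, client_secret)


if __name__ == "__main__":
    print(simulate_radtest(b"testing123", b"testing123"))   # (2, True): Access-Accept
    print(simulate_radtest(b"wrong", b"testing123"))        # (3, False): secret mismatch
```

Everything here rests on MD5 keyed with the shared secret, which is why the clients.conf restriction by NAS address below matters: RADIUS itself should only be reachable from the authenticators you configured.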

Building an authentication network

Having verified basic operation, I will now build a very simple authentication network.
Roughly, it looks like this.

supplicant <-> authenticator <-> authentication server

To configure the client (the authenticator, i.e. the router, from the RADIUS server's point of view) that will be allowed to connect, edit etc/raddb/clients.conf as shown below. Only a client with the configured IP address can send authentication requests.

...
client localhost {
 
    #ipaddr = 127.0.0.1
    ipaddr = 10.10.10.90          # IP address of the router
}
...

Also edit /etc/raddb/eap.conf as shown below.

    eap {
        #  Invoke the default supported EAP type when
        #  EAP-Identity response is received.
        #   
        #  The incoming EAP messages DO NOT specify which EAP
        #  type they will be using, so it MUST be set here.
        #   
        #  For now, only one default EAP type may be used at a time.
        #   
        #  If the EAP-Type attribute is set by another module,
        #  then that EAP type takes precedence over the
        #  default type configured here.
        #   
        #default_eap_type = md5 
        default_eap_type = tls                                         # change the default EAP method to tls
 
        #  A list is maintained to correlate EAP-Response
        #  packets with EAP-Request packets.  After a
        #  configurable length of time, entries in the list

Move the certificates created earlier to the PC that will connect. The required files are ca.der and client.p12: ca.der is the server-side (CA) certificate file and client.p12 is the client certificate file.
Install each file by double-clicking it. Then select TLS authentication and choose the installed certificate.
See install_certification.doc for detailed installation steps.

This section describes an 802.1X test setup on a wired network. The reason I describe wired and wireless separately is simple: I do not own a combined wired/wireless device that supports 802.1X. Such devices are very expensive; the equipment I have supports either wired or wireless, each separately.
Here is the equipment used.

  1. Authentication server - FreeRADIUS server (Desktop / Ubuntu 12.10)
  2. Authenticator - wired L2 switch: HP V1910-24G-PoE (365W) Switch JE007A
  3. Supplicant - Debian Live (Laptop / Debian 7.0)

For configuring the switch that acts as the authenticator, refer to the corresponding document.
The topology is shown in the figure below.

Note that the FreeRADIUS server must be connected to the WAN port of the wired/wireless router. Also, the laptop (supplicant) must be connected to port 7 of the L2 switch (authenticator), where 802.1X is configured.

Because the laptop is booted into Debian Live, the connection attempt has to be made with the NetworkManager applet that ships with the GNOME packages. By default it requests an IP address without any 802.1X configuration, so 802.1X must be configured separately.
Right-click the NetworkManager applet at the top right of the screen and 'Connection Information' appears. Select it to edit the settings of the wired connection.

Select the wired interface and click 'Edit'. In the next window select the '802.1x Security' tab and set each field as below.

Use 802.1X security for this connection checked
Authentication Tunneled TLS
Inner authentication MSCHAPv2
Username testing
Password password

Finally, click Save and the connection attempt starts. If you watch the console on the authentication server, you will see messages showing that a connection was requested and that authentication succeeded.

rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=204
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x0259000c0174657374696e67
	Message-Authenticator = 0xc2104957be44e8b576799a7f2bd9f7a8
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 89 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x015a001604103aa017cc8bd78f97442f82da89296024
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac78dc6fe7eb9633f50195c60fa
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=216
Cleaning up request 0 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x025a00060315
	Message-Authenticator = 0x69e56fd8e8139a8959dd16d9a3983abd
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac78dc6fe7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 90 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x015b00061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac78cc7ef7eb9633f50195c60fa
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=441
Cleaning up request 1 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x025b00e7150016030100dc010000d8030152087dea0db9d080fd334db2852b025bcca3a3401a971dc8f462538eb4736d05000066c014c00ac022c0210039003800880087c00fc00500350084c012c008c01cc01b00160013c00dc003000ac013c009c01fc01e00330032009a009900450044c00ec004002f00960041c011c007c00cc002000500040015001200090014001100080006000300ff01000049000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f0010001100230000000f000101
	Message-Authenticator = 0x00fd570271f51b4993959be56026c766
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac78cc7ef7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 91 length 231
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00dc], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange  
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	EAP-Message = 0x015c040015c0000009ff160301003e0200003a030152087d6f689488914850a0e83a3a78eae051f4acad72ddc570d49b3be5b34b2700c014000012ff01000100000b000403000102000f000101160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c652043
	EAP-Message = 0x6572746966696361746520417574686f72697479301e170d3133303830383038353734315a170d3134303830383038353734315a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a02820101009f35aa675e5709aee2bf7633dd2116c150640133d76715d930303d6479ce753644d262c7e7be8ad63613
	... (further EAP-Message fragments elided)
	EAP-Message = 0xa4c43d3be018238c49b92b56
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac78fc0ef7eb9633f50195c60fa
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=216
Cleaning up request 2 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x025c00061500
	Message-Authenticator = 0xac0a02bf8488ea3a99dc733769d07d55
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac78fc0ef7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 92 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	... (further EAP-Message fragments elided)
	EAP-Message = 0x308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974798209009406bdef19b4dfc1300c0603551d13040530030101ff300d06092a864886f70d010105050003820101004ec69ecf0fad22fc0a8640fade4d52285e78c23d10699f70228faa8f972852738618c692e08a3113a10f37dc1c4e9d138ddfd64fc3f0fa355dac
	EAP-Message = 0x6b258e636ad4df9d1a64e9cf
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac78ec1ef7eb9633f50195c60fa
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=216
Cleaning up request 3 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x025d00061500
	Message-Authenticator = 0xd79a942a75206115694625c41a661124
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac78ec1ef7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 93 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	... (further EAP-Message fragments elided)
	EAP-Message = 0x8be4e75bfa0b1046c5274abcc53ee32943929fac694708ac990616030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac789c2ef7eb9633f50195c60fa
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=350
Cleaning up request 4 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x025e008c150016030100461000004241044d6599ea0975741782917cea5fda43d7a1c20c5b5eb8a0aacd609fa5760675db04b6a275000e9e3a299be1999fb9c671d9f73dcd7db71d9562f8c3637ed1aec4140301000101160301003091ba659c1401ad9dde07f0bdf4a5620e32ad93b7dac28cbe61ecfd5c5d22da6fd43b7a4f268cf17d80a721d19da02a6b
	Message-Authenticator = 0x81cde9432dd171c6c4958a0adb474e8b
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac789c2ef7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 94 length 140
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	EAP-Message = 0x015f004515800000003b140301000101160301003040bdc2d2c45338ab47bf612a17fca692687e388dd9eee19291df0dc0cda3888cb156870567f7c8ca55bb6e8e3336d573
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac788c3ef7eb9633f50195c60fa
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=402
Cleaning up request 5 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x025f00c015001703010020b6a5045a2ecfda79db35f575d0c15d20731d11759e2cf6769cf62250f5911214170301009049917e4b2e51d8d8e8935ec63824fbb284106b255dae9770cb601a93c2cfad7647af12aa34a9d5913df797b6d9862d3c474c0df98e9fed34b80093d2b9f349998d1dee339443bb37641c75a89bfe669ce039ae82275abfcf865789b90ec650261a2dcc2c6992e5e4f82666e0d51bfe85240800410127af704d269e80fd8b01479544f23139f7dfb8103cdbcef655d1cc
	Message-Authenticator = 0x75b44cc9edfff180e0cc5ecdc295a7a2
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac788c3ef7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 95 length 192
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
	User-Name = "testing"
	MS-CHAP-Challenge = 0xeed18c01cab4e86c0a6a6f600e11998a
	MS-CHAP2-Response = 0x280036084a997844d15c21a0e47e586c7274000000000000000011b5932cb039435151231854c9ef311f1871ebab02fd5fba
	FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
	User-Name = "testing"
	MS-CHAP-Challenge = 0xeed18c01cab4e86c0a6a6f600e11998a
	MS-CHAP2-Response = 0x280036084a997844d15c21a0e47e586c7274000000000000000011b5932cb039435151231854c9ef311f1871ebab02fd5fba
	FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[chap] returns noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] returns ok
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry testing at line 204
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = MSCHAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/inner-tunnel
+- entering group MS-CHAP {...}
[mschap] Creating challenge hash with username: testing
[mschap] Client is using MS-CHAPv2 for testing, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /usr/local/program/freeradius/etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code 2
	MS-CHAP2-Success = 0x28533d46314338463437373930443737374442433030353239324231463738344234383033333544453635
	MS-MPPE-Recv-Key = 0x3381f649828c01f414dd4dc0eb11545c
	MS-MPPE-Send-Key = 0xbcda42b1e31f38a8827f1e3c6b38e3be
	MS-MPPE-Encryption-Policy = 0x00000001
	MS-MPPE-Encryption-Types = 0x00000006
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 3807
	EAP-Message = 0x0160005f15800000005517030100507cf044940a6d06e34c711f87679ed92820856bc928ed6b8444b250ca0d46e7218044d3709b15a8401cfabd4cc526fa9c88e99d37673efd3286939fb52d6f34b0376e476dbcf9be4d0da8497f1d8061e5
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x8d9cfac78bfcef7eb9633f50195c60fa
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 3807, id=0, length=216
Cleaning up request 6 ID 0 with timestamp +20
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x026000061500
	Message-Authenticator = 0xc5d2cb715f42ac2f2613dda7589003ad
	NAS-IP-Address = 192.168.0.6
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-0A-E4-25-60-2B"
	State = 0x8d9cfac78bfcef7eb9633f50195c60fa
	H3C-Connect_Id = 196609
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 96 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3 
[ttls] eaptls_process returned 3 
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 10.10.10.11 port 3807
	MS-MPPE-Recv-Key = 0x1f90b97a298ade1883633c749c5d7aa1db0ee62aa5786c8d38a1bfd5e576ee6d
	MS-MPPE-Send-Key = 0xabd47e3eac05692b5de370cc2f4bbe3e9ca66e01dd7738d10a581f6ffc7b6595
	EAP-Message = 0x03600004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "testing"
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 7 ID 0 with timestamp +20
Ready to process requests.

For TLS authentication the configuration is somewhat more involved, and the files needed for authentication must also be in place; refer to the following.
The certificate files are generated under /usr/local/program/freeradius/etc/raddb/certs and must be copied to the supplicant that will connect.

The connection settings are as follows.

Authentication        TLS
Identity              testing
User certificate      client.pem
CA certificate        ca.pem
Private key           client.p12
Private key password  whatever

To have wpa_supplicant perform the 802.1X connection, add the following to /etc/wpa_supplicant/wpa.conf, the file it reads at startup.

ctrl_interface=/var/run/wpa_supplicant
update_config=1
ap_scan=0
eapol_version=1
 
network={
eapol_flags=0
key_mgmt=IEEE8021X
eap=TLS
identity="testing"
ca_cert="/home/fat81/certs/ca.pem"
client_cert="/home/fat81/certs/client.pem"
private_key="/home/fat81/certs/client.p12"
private_key_passwd="whatever"
}

Now start wpa_supplicant as follows.

#wpa_supplicant -Dwired -ieth0 -c /etc/wpa_supplicant/wpa.conf -dd &

Check the log on the FreeRADIUS server side. Once authentication succeeds, run a DHCP client to obtain an IP address.
Besides connecting by adding the above to the configuration file (wpa.conf), you can also connect using wpa_cli.

wpa_cli -p /var/run/wpa_supplicant remove_network 0
wpa_cli -p /var/run/wpa_supplicant ap_scan 0
wpa_cli -p /var/run/wpa_supplicant add_network
wpa_cli -p /var/run/wpa_supplicant set_network 0 eapol_flags 0
wpa_cli -p /var/run/wpa_supplicant set_network 0 key_mgmt IEEE8021X
wpa_cli -p /var/run/wpa_supplicant set_network 0 eap TLS 
wpa_cli -p /var/run/wpa_supplicant set_network 0 identity '"testing"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 ca_cert '"/home/fat81/certs/ca.pem"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 client_cert '"/home/fat81/certs/client.pem"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 private_key '"/home/fat81/certs/client.p12"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 private_key_passwd '"whatever"'
wpa_cli -p /var/run/wpa_supplicant select_network 0

This time, instead of a laptop, an AXIS camera is used as the supplicant.

Open the IP camera's settings page and go to the 'IEEE 802.1X' menu. For reference, the account used to log in is 'ID : root, Password : itx'.
Because this camera supports only EAP-TLS authentication, the certificate files needed for the connection are required.

The files needed for authentication are under /usr/local/program/freeradius/etc/raddb/certs; copy that whole directory to a USB stick and move it to a PC that can reach the camera's settings page.

In the camera's 802.1X menu, select the files as shown below and upload them.

Menu item                              File or value
CA certificate                         ca.pem
Client certificate                     client.pem
Client private key (and certificate)   client.p12
EAPOL version                          1
EAP identity                           testing
Private key password                   whatever
Enable IEEE 802.1x                     checked

After configuring as above and pressing Save, check that the message 'UnAuthorized' is displayed. If the message 'Stop' is displayed even though everything has been entered, something in the configuration is wrong; in that state no connection attempt is made.

Now check the log in the window where FreeRADIUS is running. If authentication succeeded, output like the following appears.

rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=204
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x0201000c0174657374696e67
	Message-Authenticator = 0x96338e67e4d532c68a3a45f959822603
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 12
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6e4907946e4b0aa6f89aa34067c2212d
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=302
Cleaning up request 0 ID 0 with timestamp +15
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x0202005c0d0016030100510100004d030152126596f7fbbab3b4160c43a9db91387b4a13a04fe5a9e43e71269894d7f68600002600390038003500160013000a00330032002f00050004001500120009001400110008000600030100
	Message-Authenticator = 0xf150824563d6fcf5903070ec5af0b752
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	State = 0x6e4907946e4b0aa6f89aa34067c2212d
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 92
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7 
[tls] Done initial handshake
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0051], ClientHello  
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate  
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange  
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest  
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0xa73082038fa0030201020209
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6e4907946f4a0aa6f89aa34067c2212d
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=216
Cleaning up request 1 ID 0 with timestamp +15
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x020300060d00
	Message-Authenticator = 0x4d0950df19e16d842b041e3eedc9d679
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	State = 0x6e4907946f4a0aa6f89aa34067c2212d
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0xd6aac62b872c78b0b4a9a707
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6e4907946c4d0aa6f89aa34067c2212d
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=216
Cleaning up request 2 ID 0 with timestamp +15
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x020400060d00
	Message-Authenticator = 0x8ac7b8e1b57441e6ed1d9ee68c8778e4
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	State = 0x6e4907946c4d0aa6f89aa34067c2212d
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x12301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6e4907946d4c0aa6f89aa34067c2212d
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=1628
Cleaning up request 3 ID 0 with timestamp +15
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0xbf1ee6a6ecfd43f63ccadc75d0ceffa15f0f8a953bf580bb238090079886f9c430bb4ed2b74e69f5b4cbb999555665cf05bae4b7e3df6ca5e56cd8053fc1891835a46747afa648f979b409e05d288ede6ecd63110def091a152524219a1d031b2ccbddaf008dbc50b35529f65d937c8f73a66dfa9980c22e54b2e19edfaea507de8eca8ac690fe546ecab3eb87d4f03bdfb28ddfbd6ea0f84d2faf93cc21f91616bfc2300e3a49bee1443ad399f7fab2b2fef2b174659d145d3f33ec550004ab308204a73082038fa003020102020900e03c8d2e44930059300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d0603
	EAP-Message = 0x61646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100c596c5954fdd991d54b6f6eb725249c88aab47a635964729eb32e4d1a7c250f61dde897f5bfd76e1ecb6613da7f62da083ae86d253
	Message-Authenticator = 0x68d6ee79a8fda9d6235fcb20c0065f09
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	State = 0x6e4907946d4c0aa6f89aa34067c2212d
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 2601
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x010600060d00
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6e4907946a4f0aa6f89aa34067c2212d
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=1427
Cleaning up request 4 ID 0 with timestamp +16
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0xb093d9deeb39861f89458299de1c80102d719077fe7bf23d9e1961f8078002f0826a98294182ed200d4549a4107657c0a31c8ef7fa11b03b63f6479aee1c7b5aa28750767d26611e3c1ca8571617118d4f181247cfb8bf4a231b721fd05bb6276194287edb4fd1faf30f1e279d0775d84e638cb4755a0f3967149d588985519514e396f50b1f9f1d87c8140301000101160301003089d924fbf9455d2d4e9ced7d5312896531368d5a6e3fef3cfdcd9195514806d16bf783463d365a896b7850d3130ab667
	Message-Authenticator = 0x323381556cefe6a52dadb0d2bf696a31
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	State = 0x6e4907946a4f0aa6f89aa34067c2212d
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7 
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0853], Certificate  
[tls] chain-depth=1, 
[tls] error=0
[tls] --> User-Name = testing
[tls] --> BUF-Name = Example Certificate Authority
[tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority
[tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority
[tls] --> verify return:1
[tls] chain-depth=0, 
[tls] error=0
[tls] --> User-Name = testing
[tls] --> BUF-Name = user@example.com
[tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=user@example.com/emailAddress=user@example.com
[tls] --> issuer  = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority
[tls] --> verify return:1
[tls]     TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
[tls]     TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify  
[tls]     TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[tls] <<< TLS 1.0 Handshake [length 0010], Finished  
[tls]     TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[tls]     TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished  
[tls]     TLS_accept: SSLv3 write finished A
[tls]     TLS_accept: SSLv3 flush data
[tls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[tls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	EAP-Message = 0x010700450d800000003b140301000101160301003057a81c6d1ebe91549809d41dda7a8e54c7e00d7e50f5d6c01484ad158b28c36250b19975d1685d82c655bd5f85aef735
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x6e4907946b4e0aa6f89aa34067c2212d
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=216
Cleaning up request 5 ID 0 with timestamp +16
	User-Name = "testing"
	Framed-MTU = 1450
	EAP-Message = 0x020700060d00
	Message-Authenticator = 0xa38882586b32cac9d140604cf3bc124b
	NAS-IP-Address = 192.168.0.2
	NAS-Identifier = "HP"
	NAS-Port = 16805889
	NAS-Port-Id = "slot=1;subslot=0;port=7;vlanid=1"
	NAS-Port-Type = Ethernet
	Service-Type = Framed-User
	Framed-Protocol = PPP
	Calling-Station-Id = "00-40-8C-85-CE-54"
	State = 0x6e4907946b4e0aa6f89aa34067c2212d
	H3C-Connect_Id = 5963777
	H3C-Product-ID = "HP V1910-24G-PoE (365W) Switch"
	H3C-NAS-Startup-Timestamp = 956750409
# Executing section authorize from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testing", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3 
[tls] eaptls_process returned 3 
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /usr/local/program/freeradius/etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 0 to 10.10.10.11 port 1939
	Framed-Protocol = PPP
	Framed-Compression = Van-Jacobson-TCP-IP
	MS-MPPE-Recv-Key = 0x1d44aa2ab0c7033c86effd31e4f2bd2c7eab68bae578df71728407a828e38bd2
	MS-MPPE-Send-Key = 0x94fbdc93dfefa83fc2d0a037a68b1690bc2d084dc0c213ad8a148b8b679d4545
	EAP-Message = 0x03070004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "testing"
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 0 with timestamp +16
Ready to process requests.

The message 'Authorized' also appears on the 802.1X settings page.
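To follow an EAP-TLS exchange like the one above without reading every line, here is an added example (not part of the original page or of FreeRADIUS) that folds a radiusd -X log into a summary: the TLS handshake messages, the certificate chain the server verified, and the final reply. The sample log is a constructed excerpt modelled on the output above, and check() lists what a defender should insist on, such as a CertificateVerify from the client and error=0 at every chain depth.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of a FreeRADIUS 2.x debug log (radiusd -X), modelled on
# the EAP-TLS exchange with the camera shown above; only lines the parser uses.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.10.10.11 port 1939, id=0, length=204
\tUser-Name = "testing"
[tls] Requiring client certificate
[tls] <<< TLS 1.0 Handshake [length 0051], ClientHello
[tls] >>> TLS 1.0 Handshake [length 00a8], CertificateRequest
[tls] <<< TLS 1.0 Handshake [length 0853], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./CN=Example Certificate Authority
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=user@example.com
[tls] --> verify return:1
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
Sending Access-Accept of id 0 to 10.10.10.11 port 1939
"""

# Constructed failure: the CA at depth 1 is rejected (OpenSSL error 10,
# "certificate has expired", the error the FAQ below shows from the
# supplicant's side) and the server answers Access-Reject.
FAILED_LOG = (SAMPLE_LOG
              .replace("error=0\n[tls] --> subject = /C=FR/ST=Radius/L=",
                       "error=10\n[tls] --> subject = /C=FR/ST=Radius/L=")
              .replace("verify return:1\n[tls] chain-depth=0",
                       "verify return:0\n[tls] chain-depth=0")
              .replace("Sending Access-Accept", "Sending Access-Reject"))

@dataclass
class ChainEntry:
    depth: int
    subject: str = ""
    error: int = -1         # OpenSSL X509_V_ERR_* code, 0 = ok
    verified: bool = False  # "verify return:1"

@dataclass
class EapTlsSummary:
    user: Optional[str] = None
    client_cert_required: bool = False
    handshake: List[str] = field(default_factory=list)   # "<<< ClientHello", ...
    chain: List[ChainEntry] = field(default_factory=list)
    outcome: Optional[str] = None                        # final Access-* reply

_USER = re.compile(r'^\s+User-Name = "([^"]*)"')
_HS = re.compile(r"\[tls\] (<<<|>>>) TLS [\d.]+ Handshake \[length [0-9a-f]+\], (\w+)")
_DEPTH = re.compile(r"\[tls\] chain-depth=(\d+)")
_ERR = re.compile(r"\[tls\] error=(\d+)")
_SUBJ = re.compile(r"\[tls\] --> subject = (.+)")
_VERIFY = re.compile(r"\[tls\] --> verify return:(\d+)")
_SEND = re.compile(r"Sending (Access-Accept|Access-Reject) of id")

def summarise(log_text: str) -> EapTlsSummary:
    """Fold one EAP-TLS conversation from radiusd -X output into a summary."""
    s, entry = EapTlsSummary(), None
    for line in log_text.splitlines():
        if s.user is None and (m := _USER.match(line)):
            s.user = m.group(1)
        elif "Requiring client certificate" in line:
            s.client_cert_required = True
        elif m := _HS.search(line):
            s.handshake.append(f"{m.group(1)} {m.group(2)}")
        elif m := _DEPTH.search(line):
            entry = ChainEntry(depth=int(m.group(1)))
        elif entry and (m := _ERR.search(line)):
            entry.error = int(m.group(1))
        elif entry and (m := _SUBJ.search(line)):
            entry.subject = m.group(1).strip()
        elif entry and (m := _VERIFY.search(line)):
            entry.verified = m.group(1) == "1"
            s.chain.append(entry)
            entry = None
        elif m := _SEND.search(line):
            s.outcome = m.group(1)
    return s

def check(s: EapTlsSummary) -> List[str]:
    """Reasons not to trust this conversation; an empty list means it is clean."""
    problems = []
    if s.outcome != "Access-Accept":
        problems.append(f"outcome was {s.outcome}")
    if not s.client_cert_required or ">>> CertificateRequest" not in s.handshake:
        problems.append("server did not demand a client certificate")
    if "<<< CertificateVerify" not in s.handshake:
        problems.append("client never proved possession of its private key")
    if not any(c.depth == 0 for c in s.chain):
        problems.append("no end-entity certificate was verified")
    problems += [f"depth {c.depth} failed verification (error={c.error})"
                 for c in s.chain if c.error != 0 or not c.verified]
    return problems
```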

The first thing to do is rebuild wpa_supplicant. Until now wpa_supplicant had been built with its crypto module set to 'internal'. In that case the build references no external crypto library, so it compiles without any particular errors.

It has to be rebuilt because EAP-TLS authentication requires 'openssl rather than internal'. In fact, wpa_supplicant's default build configuration already selects openssl. Naturally, if the openssl headers or libraries are missing at build time, a compile error results.

Therefore openssl must be built before building wpa_supplicant.

One point needs to be made here. Every build described here is a cross compile: wpa_supplicant, and openssl as well. Building wpa_supplicant for a PC target compiles without any special configuration, because the openssl files (headers, libraries) are already installed and on the PATH.
A compile error can of course occur for a PC target too; in that case the reason is that the openssl files are not installed.

Frankly, a compile error would have been the better outcome. In my case, when cross-compiling wpa_supplicant, the build succeeded even though I had not cross-compiled openssl beforehand.

What had happened?

The wpa_supplicant build had picked up the openssl files installed on the PC. The resulting wpa_supplicant binary was an ARM binary, so on the surface it appeared to work fine. But in the part of TLS authentication that uses openssl, the symbols for those APIs could not be found or the code misbehaved, and authentication failed.
To fix this, openssl must be cross-compiled, and the wpa_supplicant build must be configured to reference those files.

Now let's actually build. Prepare wpa_supplicant and openssl (the latest versions as of 2013/8/22).

  1. wpa_supplicant-2.0.tar.gz
  2. openssl-1.0.1e.tar.gz

First extract the archive and edit the Configure file.

#tar xzf openssl-1.0.1e.tar.gz
#cd openssl-1.0.1e
#vi Configure

Declare an additional build target named 'linux-elf-arm'. Copy the existing 'linux-elf' target and change only the compiler name and path.

#"linux-elf",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-elf-arm",    "/home/sungho/opt/montavista/pro/devkit/arm/v5t_le/bin/arm_v5t_le-gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

Now it is time to generate the Makefile.

#./Configure linux-elf-arm --prefix=/home/wjkim/program/openssl-arm --openssldir=/home/wjkim/program/openssl-arm no-threads no-asm

prefix and openssldir are the paths where the build will be installed. Now build and install.

#make
#make install

If it finished without errors, look in the install path.

#cd /home/wjkim/program/openssl-arm
#ls include/openssl/
aes.h       asn1t.h     bn.h        cast.h  comp.h      crypto.h   dh.h   dtls1.h   ec.h     engine.h  hmac.h      kssl.h   md5.h    obj_mac.h  opensslconf.h  pem.h     pkcs7.h   rc2.h     rsa.h        sha.h   ssl.h    ssl3.h      tls1.h    ui.h         x509.h
asn1.h      bio.h       buffer.h    cmac.h  conf.h      des.h      dsa.h  e_os2.h   ecdh.h   err.h     idea.h      lhash.h  mdc2.h   objects.h  opensslv.h     pem2.h    pqueue.h  rc4.h     safestack.h  srp.h   ssl2.h   stack.h     ts.h      ui_compat.h  x509_vfy.h
asn1_mac.h  blowfish.h  camellia.h  cms.h   conf_api.h  des_old.h  dso.h  ebcdic.h  ecdsa.h  evp.h     krb5_asn.h  md4.h    modes.h  ocsp.h     ossl_typ.h     pkcs12.h  rand.h    ripemd.h  seed.h       srtp.h  ssl23.h  symhacks.h  txt_db.h  whrlpool.h   x509v3.h
#ls lib/
engines  libcrypto.a  libssl.a  pkgconfig

Confirm that the header files (include) and library files (lib) that wpa_supplicant will reference are there.

For the build configuration file, copy the default file and use that.

#cp defconfig .config 

nl80211 is not used, so comment out only the following item.

# Driver interface for Linux drivers using the nl80211 kernel interface
#CONFIG_DRIVER_NL80211=y

Now it is time to edit the Makefile.

CC=/home/sungho/opt/montavista/pro/devkit/arm/v5t_le/bin/arm_v5t_le-gcc            // added
 
ifndef CC
CC=/home/sungho/opt/montavista/pro/devkit/arm/v5t_le/bin/arm_v5t_le-gcc           // modified
endif
...
CFLAGS += -I/home/wjkim/program/openssl-arm/include                      // added
...
ifeq ($(CONFIG_TLS), openssl)
ifdef TLS_FUNCS
CFLAGS += -DEAP_TLS_OPENSSL
OBJS += ../src/crypto/tls_openssl.o
LIBS += -L/home/wjkim/program/openssl-arm/lib -lssl                       // modified
endif
OBJS += ../src/crypto/crypto_openssl.o
OBJS_p += ../src/crypto/crypto_openssl.o
ifdef NEED_FIPS186_2_PRF
OBJS += ../src/crypto/fips_prf_openssl.o
endif
LIBS += -L/home/wjkim/program/openssl-arm/lib -lcrypto                   // modified
LIBS_p += -L/home/wjkim/program/openssl-arm/lib -lcrypto               // modified
ifdef CONFIG_TLS_ADD_DL
LIBS += -ldl
LIBS_p += -ldl
endif
endif

Now build.

#make
...
  LD  wpa_cli
  CC  wpa_passphrase.c
/home/wjkim/program/openssl-arm/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_globallookup':
dso_dlfcn.c:(.text+0x20): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x34): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x40): undefined reference to `dlclose'
/home/wjkim/program/openssl-arm/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_pathbyaddr':
dso_dlfcn.c:(.text+0x70): undefined reference to `dladdr'
dso_dlfcn.c:(.text+0xc4): undefined reference to `dlerror'
/home/wjkim/program/openssl-arm/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_func':
dso_dlfcn.c:(.text+0x3d4): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x474): undefined reference to `dlerror'
/home/wjkim/program/openssl-arm/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_bind_var':
dso_dlfcn.c:(.text+0x508): undefined reference to `dlsym'
dso_dlfcn.c:(.text+0x5a4): undefined reference to `dlerror'
/home/wjkim/program/openssl-arm/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_unload':
dso_dlfcn.c:(.text+0x600): undefined reference to `dlclose'
/home/wjkim/program/openssl-arm/lib/libcrypto.a(dso_dlfcn.o): In function `dlfcn_load':
dso_dlfcn.c:(.text+0x694): undefined reference to `dlopen'
dso_dlfcn.c:(.text+0x6ec): undefined reference to `dlclose'
dso_dlfcn.c:(.text+0x714): undefined reference to `dlerror'
collect2: ld returned 1 exit status
make: *** [wpa_passphrase] Error 1

An error like the one above occurs during the build. It happens while linking wpa_passphrase, but since the wpa_supplicant and wpa_cli binaries we need have already been produced, it can be ignored.
Now put them on the target board and check that they work.

This time an example of using freeRADIUS in a wireless environment is described. The network was set up as follows.

The difference from the wired network earlier is that the L2 switch is replaced by an AP. The AP here is not an ordinary consumer wired/wireless router; it is an AP that supports 802.1X. The product I used is 3COM's 3CRWE554G72T.
It is an older product that supports only 802.11b/g and does not support the full range of authentication methods available under 802.1X.

Here is how to configure 802.1X. Log in to the AP's management page and select 'Wireless Settings → Encryption', then configure it as in the table below.

WPA Type                 Enterprise Mode
Primary RADIUS Server    10.10.10.10
Secondary RADIUS Server  0.0.0.0

The Primary RADIUS Server settings are likewise as follows.

RADIUS Server IP Address  10.10.10.10
Server Port               1812
Secret                    testing123

Since only one RADIUS server is used, only Primary is filled in. The remaining settings are the same as on an ordinary consumer router. Plug the LAN cable that connects to the freeRADIUS server into the WAN port.

On a supplicant booted from Debian live, find the SSID of the AP configured above and connect. Enter the following in the connection dialog.

Wireless security     WPA & WPA2 Enterprise
Authentication        Tunneled TLS
Anonymous identity    (leave blank)
CA certificate        (None)
Inner authentication  MSCHAPv2
User name             testing
Password              password

When the connection is attempted, the log scrolls in the freeRADIUS server's terminal window, and the connection is established as authentication succeeds.

Let's check operation on the actual target.

After the target boots, write the wpa.conf file as follows.

ctrl_interface=/var/run/wpa_supplicant
 
network={
    ssid="WIFI_DEV3"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="testing"
    password="password"
#    ca_cert="/etc/cert/ca.pem"
    phase1="peaplabel=0"
    phase2="auth=MSCHAPV2"
}

Then run wpa_supplicant.

#wpa_supplicant -Dwext -ieth1 -c /etc/wpa_supplicant/wpa.conf -dd &

You can also connect using wpa_cli.

wpa_cli -p /var/run/wpa_supplicant remove_network 0
wpa_cli -p /var/run/wpa_supplicant ap_scan 1
wpa_cli -p /var/run/wpa_supplicant add_network
wpa_cli -p /var/run/wpa_supplicant set_network 0 ssid '"WIFI_DEV3"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 scan_ssid 1 
wpa_cli -p /var/run/wpa_supplicant set_network 0 key_mgmt WPA-EAP
wpa_cli -p /var/run/wpa_supplicant set_network 0 eap PEAP
wpa_cli -p /var/run/wpa_supplicant set_network 0 identity '"testing"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 password '"password"'
#wpa_cli -p /var/run/wpa_supplicant set_network 0 ca_cert '"/home/fat81/certs/ca.pem"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 phase1 '"peaplabel=0"'
wpa_cli -p /var/run/wpa_supplicant set_network 0 phase2 '"auth=MSCHAPV2"'
wpa_cli -p /var/run/wpa_supplicant select_network 0
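As an added example (not from the original page or from the wpa_supplicant project), the following Python renders the same network settings either as a wpa.conf network block or as the equivalent wpa_cli sequence, handling the quoting difference that both sets of wpa_cli commands above rely on: string values carry literal double quotes, which the shell must pass through untouched. The two profiles are constructed from the wired EAP-TLS and wireless PEAP settings above (certificate paths are the page's example paths), and profile_warnings() flags a profile that, like the PEAP one with ca_cert commented out, would not validate the RADIUS server's certificate.

```python
import shlex
from typing import Dict, List, Tuple

Profile = List[Tuple[str, str]]

# Keys whose values are character strings: wpa.conf writes them in double
# quotes, and wpa_cli set_network needs those quotes to reach wpa_supplicant
# intact, which is why the commands above use the '"..."' form. Every other
# key (eap, key_mgmt, eapol_flags, scan_ssid, ...) is written bare.
STRING_KEYS = {"ssid", "identity", "anonymous_identity", "password", "ca_cert",
               "client_cert", "private_key", "private_key_passwd",
               "phase1", "phase2"}

# Constructed profiles mirroring the two set-ups described above; the
# certificate paths are the page's example paths, not real files.
WIRED_EAP_TLS: Profile = [
    ("eapol_flags", "0"), ("key_mgmt", "IEEE8021X"), ("eap", "TLS"),
    ("identity", "testing"),
    ("ca_cert", "/home/fat81/certs/ca.pem"),
    ("client_cert", "/home/fat81/certs/client.pem"),
    ("private_key", "/home/fat81/certs/client.p12"),
    ("private_key_passwd", "whatever"),
]
WIRELESS_PEAP: Profile = [
    ("ssid", "WIFI_DEV3"), ("scan_ssid", "1"), ("key_mgmt", "WPA-EAP"),
    ("eap", "PEAP"), ("identity", "testing"), ("password", "password"),
    ("phase1", "peaplabel=0"), ("phase2", "auth=MSCHAPV2"),
]


def conf_value(key: str, value: str) -> str:
    """Value as wpa_supplicant expects it: quoted for strings, bare otherwise."""
    return f'"{value}"' if key in STRING_KEYS else value


def network_block(profile: Profile) -> str:
    """Render a network={...} block for wpa.conf."""
    body = [f"    {k}={conf_value(k, v)}" for k, v in profile]
    return "\n".join(["network={", *body, "}"])


def wpa_cli_commands(profile: Profile, ap_scan: int,
                     ctrl: str = "/var/run/wpa_supplicant", net_id: int = 0) -> List[str]:
    """Render the equivalent wpa_cli sequence, shell-quoted for copy and paste.

    shlex.quote wraps a value that contains double quotes in single quotes,
    which gives exactly the '"testing"' spelling used in the commands above.
    """
    base = f"wpa_cli -p {ctrl}"
    cmds = [f"{base} remove_network {net_id}",
            f"{base} ap_scan {ap_scan}",
            f"{base} add_network"]
    for k, v in profile:
        cmds.append(f"{base} set_network {net_id} {k} {shlex.quote(conf_value(k, v))}")
    cmds.append(f"{base} select_network {net_id}")
    return cmds


def profile_warnings(profile: Profile) -> List[str]:
    """Settings a defender should look at before deploying the profile."""
    d: Dict[str, str] = dict(profile)
    found = []
    if d.get("eap") in {"TLS", "TTLS", "PEAP"} and "ca_cert" not in d:
        found.append("no ca_cert: the RADIUS server's certificate will not be validated")
    if d.get("eap") == "TLS" and not {"client_cert", "private_key"} <= set(d):
        found.append("EAP-TLS needs client_cert and private_key")
    return found


if __name__ == "__main__":
    print(network_block(WIRELESS_PEAP))
    print("\n".join(wpa_cli_commands(WIRED_EAP_TLS, ap_scan=0)))
    print(profile_warnings(WIRELESS_PEAP))
```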

FAQ

Sometimes the connection fails with an error message like the following.

...
LS: Certificate verification failed, error 10 (certificate has expired) depth 1 for '/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority'
eth0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=4 depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority' err='certificate has expired'
EAP: Status notification: remote certificate verification (param=certificate has expired)
SSL: (where=0x4008 ret=0x22d)
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:certificate expired
EAP: Status notification: local TLS alert (param=certificate expired)
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server certificate B
OpenSSL: openssl_handshake - SSL_connect error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSL: 7 bytes pending from ssl_out
SSL: Failed - tls_out available to report error
SSL: 7 bytes left to be sent out (of total 7 bytes)
EAP-TLS: TLS processing failed
EAP: method process -> ignore=FALSE methodState=DONE decision=FAIL
EAP: EAP entering state SEND_RESPONSE
...

The error says the certificate has expired; when this happens, check the target's system time. Set it to the current time with the date command and try again.

#date 110116322013          // 1 Nov 2013, 16:32
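To tell a wrong target clock from a certificate that has genuinely run out, here is an added example (not part of the page) in Python: it reads the validity window in the format of openssl x509 -noout -dates, evaluates it at both the target's time and a reference host's time, and says whether to fix the date or regenerate the certificates. The dates are constructed sample values; cert_dates() runs the real openssl command when the binary is present.

```python
import subprocess
from datetime import datetime, timezone
from typing import Tuple

# Constructed output in the format printed by `openssl x509 -noout -dates`,
# standing in for the CA certificate rejected in the log above.
SAMPLE_DATES = ("notBefore=Aug 22 05:10:00 2013 GMT\n"
                "notAfter=Oct 21 05:10:00 2013 GMT\n")


def utc(year, month, day, hour=0, minute=0) -> datetime:
    """Helper for building timezone-aware UTC instants."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def cert_dates(pem_path: str) -> str:
    """Return the -dates text for a PEM certificate (needs the openssl binary)."""
    proc = subprocess.run(["openssl", "x509", "-in", pem_path, "-noout", "-dates"],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def parse_dates(text: str) -> Tuple[datetime, datetime]:
    """Parse 'notBefore=...' / 'notAfter=...' lines into UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl prints e.g. 'Nov  1 16:32:00 2013 GMT'; strptime tolerates
            # the double space before a single-digit day and the GMT suffix.
            parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    return found["notBefore"], found["notAfter"]


def validity(not_before: datetime, not_after: datetime, at: datetime) -> str:
    """Status of the certificate at the instant 'at', in OpenSSL's terms."""
    if at < not_before:
        return "not-yet-valid"
    if at > not_after:
        return "expired"
    return "valid"


def diagnose(dates_text: str, target_now: datetime,
             reference_now: datetime) -> Tuple[str, str]:
    """Classify the failure mode from the FAQ above.

    target_now is what `date` prints on the supplicant, reference_now the time
    on a host whose clock is known to be right. Returns (status on the target,
    action): 'ok', 'clock' (the target's date is wrong, set it and retry) or
    'renew' (the certificate really is outside its window; regenerate it).
    """
    nb, na = parse_dates(dates_text)
    on_target = validity(nb, na, target_now)
    if on_target == "valid":
        return on_target, "ok"
    if validity(nb, na, reference_now) == "valid":
        return on_target, "clock"
    return on_target, "renew"


if __name__ == "__main__":
    # A target without a battery-backed clock typically boots in 1970.
    print(diagnose(SAMPLE_DATES, utc(1970, 1, 1), utc(2013, 9, 1)))
```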
  • computer/itx/freeradius_사용하기.txt
  • Last modified: 4 years ago
  • by likewind