FreeRadius EAP-TLS issue
Hamid Salim
salim.h at neu.edu
Wed Nov 16 17:09:57 CET 2005
Hi,
I am just wondering if anyone has encountered the same issue. I have
set up my environment for EAP-TLS, with Windows XP SP2 as a supplicant.
For some reason I am getting:
auth: Failed to validate the user.
Login incorrect: [radiustst/<no User-Password attribute>] (from client
testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
The complete listing is attached. I am using certificates and the SSL session
is created successfully, so why is FreeRadius expecting a
userid/password?
Any help will be appreciated.
Thanks
Hamid.
============= Complete Listing =================
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=71,
length=1247
User-Name = "radiustst"
NAS-IP-Address = 129.10.56.156
Called-Station-Id = "00-20-a6-4a-12-21"
Calling-Station-Id = "00-10-c6-38-af-7b"
NAS-Identifier = "APtest3"
State = 0xb9a67433435733a42f7cbd528aa6ae7a
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Message-Authenticator = 0x1e4e290a1071052212513c61bfa25dae
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
modcall[authorize]: module "preprocess" returns ok for request 8
radius_xlat:
'/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
rlm_detail:
/opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%
m%d expands to
/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
modcall[authorize]: module "auth_log" returns ok for request 8
rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 8
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 8
users: Matched entry radiustst at line 54
modcall[authorize]: module "files" returns ok for request 8
modcall: group authorize returns updated for request 8
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 030b], Certificate
chain-depth=1,
error=0
--> User-Name = radiustst
--> BUF-Name = ECEAuthServer
--> subject = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
--> issuer = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
--> verify return:1
chain-depth=0,
error=0
--> User-Name = radiustst
--> BUF-Name = radiustst
--> subject = /C=US/ST=MA/O=Northeastern University/CN=radiustst
--> issuer = /C=US/ST=MA/O=Northeastern University/CN=ECEAuthServer
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
TLS_accept: SSLv3 read certificate verify A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 8
modcall: group authenticate returns handled for request 8
Sending Access-Challenge of id 71 to 129.10.56.156:6001
EAP-Message =
0x010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2
4322bdbd6ca0af149ba46d197f153a7f4f32
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x70ed13d02f1854999ba5b4513143d53d
Finished request 8
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
length=167
User-Name = "radiustst"
NAS-IP-Address = 129.10.56.156
Called-Station-Id = "00-20-a6-4a-12-21"
Calling-Station-Id = "00-10-c6-38-af-7b"
NAS-Identifier = "APtest3"
State = 0x70ed13d02f1854999ba5b4513143d53d
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x020600210d8000000017150301001267dd17534e604a647897732130f58409b115
Message-Authenticator = 0xce216e15de7058166ce90f8cde7d5094
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 9
modcall[authorize]: module "preprocess" returns ok for request 9
radius_xlat:
'/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115'
rlm_detail:
/opt/radiusd/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%
m%d expands to
/opt/radiusd/var/log/radius/radacct/129.10.56.156/auth-detail-20051115
modcall[authorize]: module "auth_log" returns ok for request 9
rlm_realm: No '@' in User-Name = "radiustst", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 9
rlm_eap: EAP packet type response id 6 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 9
users: Matched entry radiustst at line 54
modcall[authorize]: module "files" returns ok for request 9
modcall: group authorize returns updated for request 9
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 9
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_tls: Received unexpected tunneled data after successful
handshake.
rlm_eap: Handler failed in EAP/tls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 9
modcall: group authenticate returns invalid for request 9
auth: Failed to validate the user.
Login incorrect: [radiustst/<no User-Password attribute>] (from client
testradius-ap-1 port 0 cli 00-10-c6-38-af-7b)
Delaying request 9 for 1 seconds
Finished request 9
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 129.10.56.156:6001, id=72,
length=167
Sending Access-Reject of id 72 to 129.10.56.156:6001
EAP-Message = 0x04060004
Message-Authenticator = 0x00000000000000000000000000000000
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 68 with timestamp 437a661d
Cleaning up request 6 ID 69 with timestamp 437a661d
Cleaning up request 7 ID 70 with timestamp 437a661d
Cleaning up request 8 ID 71 with timestamp 437a661d
Cleaning up request 9 ID 72 with timestamp 437a661d
Nothing to do. Sleeping until we see a request.
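
Added example, not part of the original post and not FreeRADIUS code: a decoder for the two short EAP-Message values in the listing above (the Access-Challenge of id 71 and the Access-Request of id 72), showing what the supplicant sent just before "Received unexpected tunneled data after successful handshake". It assumes unfragmented EAP-TLS packets; the function and constant names are chosen for this example.

```python
import struct

# EAP-Message values copied from the debug listing (RADIUS ids 71 and 72).
SERVER_CHALLENGE = (
    "010600350d800000002b1403010001011603010020c76c26e20a3f56cdad1183c5e9c2"
    "4322bdbd6ca0af149ba46d197f153a7f4f32")
CLIENT_RESPONSE = "020600210d8000000017150301001267dd17534e604a647897732130f58409b115"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
EAP_TYPE_TLS = 13
FLAG_BITS = (("L", 0x80), ("M", 0x40), ("S", 0x20))  # Length included, More, Start


def decode_eap_tls(hex_value):
    """Decode one unfragmented EAP-TLS packet: EAP header, flags, TLS record headers."""
    data = bytes.fromhex(hex_value)
    if len(data) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length field does not match the data size")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length, "records": []}
    if code not in (1, 2):
        return out  # Success and Failure packets carry no type data
    if length < 6 or data[4] != EAP_TYPE_TLS:
        raise ValueError("not an EAP-TLS packet")
    flags, pos = data[5], 6
    out["flags"] = [name for name, bit in FLAG_BITS if flags & bit]
    if flags & 0x80:
        if length < 10:
            raise ValueError("L flag set but TLS message length is missing")
        out["tls_message_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    # TLS record layer: content type (1), version (2), length (2), fragment
    while pos < length:
        if pos + 5 > length:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        if pos + 5 + rlen > length:
            raise ValueError("TLS record runs past the EAP packet")
        out["records"].append(
            {"type": TLS_TYPES.get(ctype, ctype), "version": (major, minor), "length": rlen})
        pos += 5 + rlen
    return out


if __name__ == "__main__":
    for name, value in (("challenge", SERVER_CHALLENGE), ("response", CLIENT_RESPONSE)):
        print(name, decode_eap_tls(value))
```

The response decodes to a single TLS 1.0 Alert record of 18 bytes, sent after the server's ChangeCipherSpec and Finished; the record body is encrypted, so the alert description cannot be read from the log.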