Hi, I am trying to use EAP-TLS between wpa_supplicant and freeradius. I created the certificates (ca/server/client) as mentioned in freeradius-server-2.0.5/raddb/certs/README.

In freeradius-server-2.0.5/raddb/users, the following line is added at the end:

    testuser Cleartext-Password := "password"

On wpa_supplicant-0.5.10, created eapol_test.conf.tls with the following contents:

    network={
        eap=TLS
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="testuser"
        ca_cert="/usr/local/etc/raddb/certs/ca.pem"
        client_cert="/usr/local/etc/raddb/certs/testuser@example.com.pem"
        private_key="/usr/local/etc/raddb/certs/client.key"
        private_key_passwd="whatever"
    }

Executed wpa_supplicant (eapol_test) with the following command (wpa_supplicant side logs are after the radius logs at the end):

    eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1

On executing /usr/local/sbin/radiusd -X, I get the following log and error too:

rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0, length=124
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0200000d017465737475736572
	Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
	EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x267673582677771a69809cb3876d58ea
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1, length=135
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x02010006030d
	State = 0x267673582677771a69809cb3876d58ea
	Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
	EAP-Message = 0x010200060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2676735827747e1a69809cb3876d58ea
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2, length=236
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x0202006b0d0016030100600100005c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d00003400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
	State = 0x2676735827747e1a69809cb3876d58ea
	Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a7], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 32770
	EAP-Message = 0x3f8d16472d4a3eb1ee492fd3
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2676735824757e1a69809cb3876d58ea
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=3, length=135
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020300060d00
	State = 0x2676735824757e1a69809cb3876d58ea
	Message-Authenticator = 0x86f3e31b265162f7716d461a9aae98f2
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 32770
	EAP-Message = 0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ccff47e75ebf3d06a9472810c0352b254cca71cbb52cb8202d29ae967c715640e4d2b6c3e60641c4d54fdc03fe6ebdfb1953dc1b8c1f44202cf488249d37f2b7902efdf546fabb283a9653
	EAP-Message = 0xfb36d1078bef2f36de91d2b5
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2676735825727e1a69809cb3876d58ea
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=4, length=135
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0x020400060d00
	State = 0x2676735825727e1a69809cb3876d58ea
	Message-Authenticator = 0xd88cda63a2776910572007659978dff0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 32770
	EAP-Message = 0x310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x2676735822737e1a69809cb3876d58ea
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=5, length=1532
	User-Name = "testuser"
	NAS-IP-Address = 127.0.0.1
	Calling-Station-Id = "02-00-00-00-00-01"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 11Mbps 802.11b"
	EAP-Message = 0xd50749f461997927394171b785ff74c98d883674fc8035287993a279f1ffa72b9c4cbc6b96fcaad6e5daaca7bd9aca988c6a8b3c487bd1e5cc73dd3c3c59f8ec39549ebeb61403010001011603010030f1c1d6ee34104fca2869c989529493079d85690315b83299b5d9567823fea467b507af2267dd69305c7d35d7809adf12
	State = 0x2676735822737e1a69809cb3876d58ea
	Message-Authenticator = 0xcc6ace4662072c78666cb7d873d7a354
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
--> verify error:num=20:unable to get local issuer certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 5 to 127.0.0.1 port 32770
	EAP-Message = 0x04050004
	Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
Going to the next request
Waking up in 4.4 seconds.
Cleaning up request 0 ID 0 with timestamp +4
Cleaning up request 1 ID 1 with timestamp +4
Cleaning up request 2 ID 2 with timestamp +4
Cleaning up request 3 ID 3 with timestamp +4
Waking up in 0.1 seconds.
Cleaning up request 4 ID 4 with timestamp +4
Waking up in 0.2 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
wpa_supplicant logs (copying only FAILURE logs seen at end)
++++++++++++++++++++++++++++++++++++++++++++++++++++++

EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=5 length=44
   Attribute 79 (EAP-Message) length=6
      Value: 04 05 00 04
   Attribute 80 (Message-Authenticator) length=18
      Value: 7a 61 25 5b 8e cd 44 3b 18 b1 af e3 82 fd 32 5d
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 2
FAILURE

Regards,
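
Added example, not part of the original post: a decoder for the short EAP-Message values in the debug output above, which makes the exchange readable (Identity, NAK asking for TLS, EAP-TLS Start, fragment ACK, final Failure). The function and table names are chosen here; the header layout follows RFC 3748 and the EAP-TLS flag bits follow RFC 5216.

```python
import struct

# EAP codes (RFC 3748) and the method types that appear in this log.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS"}
# EAP-TLS flag bits (RFC 5216).
TLS_FLAGS = ((0x80, "length-included"), (0x40, "more-fragments"), (0x20, "start"))


def decode_eap(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    # A long EAP packet is split over several RADIUS attributes, so one
    # attribute value may hold only part of the packet.
    out["complete"] = length == len(raw)
    if code in (1, 2) and len(raw) >= 5:
        etype, body = raw[4], raw[5:]
        out["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1:
            out["identity"] = body.decode("utf-8", "replace")
        elif etype == 3:
            out["wants"] = [EAP_TYPES.get(t, t) for t in body]
        elif etype == 13 and body:
            flags = body[0]
            # With the length-included flag, 4 bytes of TLS length follow.
            data = body[5:] if flags & 0x80 else body[1:]
            out["flags"] = [name for bit, name in TLS_FLAGS if flags & bit]
            out["tls_bytes"] = len(data)
            # No flags and no TLS data is a fragment acknowledgement.
            out["ack"] = flags == 0 and not data
    return out


# Short EAP-Message values copied from the debug output in the post above.
SAMPLES = [
    "0x0200000d017465737475736572",  # first Access-Request
    "0x02010006030d",                # reply to the MD5 challenge
    "0x010200060d20",                # server's next Access-Challenge
    "0x020300060d00",                # client between server fragments
    "0x04050004",                    # inside the Access-Reject
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, decode_eap(sample))
```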