EAP-TTLS Certificates expired only when selecting different timezone than GMT Western Zone

franrtorres77 at gmail.com franrtorres77 at gmail.com
Fri Aug 14 23:12:26 CEST 2015


Hi Alan 

Yes that's weird and don't know why just a simple time zone can affect to the certificate.

Here you have the two debugs:

Expired 


[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '10.100.11.81'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '10.100.11.81'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 202 to 10.100.1.18 port 50492
        EAP-Message = 0x011200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06a8d9e807bacc965d85a6032acd597f
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=203, length=255
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-0000006C"
        Framed-MTU = 1400
        EAP-Message = 0x021200441500160301003901000035030155a79b6169c471ec71a098f7673cd2fa1254527de63189cc55cdb5236f704a7800000e003d0035003c002f000a000500040100
        State = 0x06a8d9e807bacc965d85a6032acd597f
        Message-Authenticator = 0xe818618d26d54bb94efe9e014eb6b9b9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 18 length 68
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0039], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 083d], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 203 to 10.100.1.18 port 50492
        EAP-Message = 0x0113040015c00000087a160301002a02000026030155ce464af5f071a1315cf45274adc781bc53c7ca7ac534f4ef347c4c204f620300003500160301083d0b00083900083600039b308203973082027fa003020102020102300d06092a864886f70d010105050030818b310b30090603550406130245533110300e060355040813074772616e6164613110300e060355040713074772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f72613020170d30323037
        EAP-Message = 0x33303134343830345a180f32323736303531333134343830345a3077310b30090603550406130245533110300e060355040813074772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06035504031315656e746964616420636572746966696361646f7261311e301c06092a864886f70d010901160f696e666f40617570616e65742e657330820122300d06092a864886f70d01010105000382010f003082010a0282010100d316ef667d1ae9cd661a9e0c38a787741098e99f4e33fc8c6aff78b87df830167b70c5329b443987e96fd4c43ef077b4b5935092e08f5322654fec11fb8f17f7cc2b2231178868578c
        EAP-Message = 0x00f71015b7588f1a232d1c2923e5d6ed62255d8900ff8fdf4f3a6eff0b937ec924ce21ebdf6c26f6b4d2f28e98f3cf2639825ea539ec73bc9258d94738f8e20c4548ba953cb0ca9789e537a0bb6a5d1a7dfb950abf9733e07f751c5fb1d5a458585d4aac2dc9d5d75c284a71d23555e6a04d1f5e5a232979bd08a7dba2f780196e97b014334b9df9cad8dbe81b1dd068a2133f401e9ebb4c50559c9bdc8877dca8eeb5ec8c94672b5556c07675ece2087c7d9cd5935d0b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010028f3291c4aabfa07cf5eeaf83c107173f873cfb0
        EAP-Message = 0x6dad4d92578a3ccf39b0b99ee31fbf2e292895a3bb462251aede7719827b5ae8d384e927a1fac3d45d6973df6fcf6b6aa747d496e4d13f0d405194d3b92bed70ab17f6f5c1dc06c4d37545557d4a78a0def874b04444518ee3d25827e6b63cd5e8239e67fac6054a770e366257273bc8794d3fe2690bc368907a0f1662766aecab2e19475379d266bf12713ca35b59b8624baf2a9cf46e930e0d65aef336ddaa11843bbeebafb5ebe97afd7425189544a98fbd24a94c963107d5a6dc54e86288bcfd3ca25ef4da3eee3b82db961bb13b0fe26564d4522204a695fda3691e82a6e3cf7a0095686244965be27d0004953082049130820379a00302010202
        EAP-Message = 0x0900e33004b87e4e891f300d
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06a8d9e804bbcc965d85a6032acd597f
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=204, length=193
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-0000006C"
        Framed-MTU = 1400
        EAP-Message = 0x021300061500
        State = 0x06a8d9e804bbcc965d85a6032acd597f
        Message-Authenticator = 0xf9add50bf881a2ee0364cde5115f1046
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 19 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 204 to 10.100.1.18 port 50492
        EAP-Message = 0x0114040015c00000087a06092a864886f70d010105050030818b310b30090603550406130245533110300e060355040813074772616e6164613110300e060355040713074772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f72613020170d3032303733303134343830345a180f32323736303531333134343830345a30818b310b30090603550406130245533110300e060355040813074772616e6164613110300e060355040713074772616e6164613116
        EAP-Message = 0x3014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f726130820122300d06092a864886f70d01010105000382010f003082010a0282010100a4e89b6a03a0cc4fd44dcd40a15a288d71c3c61c46accde28f14133ebb526cb053f13f2bdd98f87abb212ca20b214fa688886057eae2aa54c05d9cb0ddd7f470405f276cfc73be1f47c669db16fd441117e4db36d95233623b933b4b30d68617aa9cf2591ca17d9b047bc35319da76bd23bfbd8ff97259e4be26b5b0b724ad95c37eaa39
        EAP-Message = 0x4bcf50141152f78f986c609c845ba927b1a3a73f399493dcd933e6e29ceb8cea1002b80af40fb81f9edcca23abc5e64106873048c6dbaaacb1cc64364bff8f3c8a8c8b402eb46cf9a431ee948e3d1ebbe1bd38aae3b863a91448134f92007a2fccc201e06be864f8401394cd967fc49cbff9a9b0ef38bf5d41d905430203010001a381f33081f0301d0603551d0e04160414137ae40b3936ddbfaa7a0d967801671fc9c66d0e3081c00603551d230481b83081b58014137ae40b3936ddbfaa7a0d967801671fc9c66d0ea18191a4818e30818b310b30090603550406130245533110300e060355040813074772616e6164613110300e06035504071307
        EAP-Message = 0x4772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f7261820900e33004b87e4e891f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009f2e655078c5c1804b12cd89d927ae63ea1188876f741a756736d3c8f1fa056a63617e2e112c74babba9b0589c20da0ae50fd9b4602c9a0c37139c220a24aedf157014ce86fa51815a49074a0524299ab25b072448b63c6faafce4691f6fd7d2b1baf40e0525dad1db773eb0a4827c
        EAP-Message = 0xbde906fae653821f96a80e3e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06a8d9e805bccc965d85a6032acd597f
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=205, length=193
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-0000006C"
        Framed-MTU = 1400
        EAP-Message = 0x021400061500
        State = 0x06a8d9e805bccc965d85a6032acd597f
        Message-Authenticator = 0x60799f3cc519c6519bf60c4092e5e0e1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 20 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 205 to 10.100.1.18 port 50492
        EAP-Message = 0x0115009815800000087af625b5685c93bcd9a0b9551b1248e20167add84cfcce79d65e6abbd09ea6e6ee6ae3131c8e543e9fbf82dbab7a9ae69b82961d775ad61f73920bcec8784acabedb6f1565b9a6b8804244d93866309afd20d09e27d4a582cf7c44825874f8ffb7093a03cdad63143b191786ed51ddb14c566ed709f730c4a858ec2c176784f5f4e1d0d42f0316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x06a8d9e802bdcc965d85a6032acd597f
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=206, length=200
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-0000006C"
        Framed-MTU = 1400
        EAP-Message = 0x0215000d15001503010002022d
        State = 0x06a8d9e802bdcc965d85a6032acd597f
        Message-Authenticator = 0x9fae65c5ac8df0c52b0ac9784973bb44
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 21 length 13
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Alert [length 0002], fatal certificate_expired  
TLS Alert read:fatal:certificate expired
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4 
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> 10.100.11.81
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 206 to 10.100.1.18 port 50492
        EAP-Message = 0x04150004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
Cleaning up request 1 ID 201 with timestamp +89
Cleaning up request 2 ID 202 with timestamp +89
Cleaning up request 3 ID 203 with timestamp +89
Cleaning up request 4 ID 204 with timestamp +89
Cleaning up request 5 ID 205 with timestamp +89
Waking up in 1.0 seconds.
Cleaning up request 6 ID 206 with timestamp +89
Ready to process requests.


Correct connection 

Bien 



         
        EAP-Message = 0xbde906fae653821f96a80e3e
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xebe5d19ce8e3c4cca364a660c76c86a2
Finished request 33.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=156, length=193
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-00000064"
        Framed-MTU = 1400
        EAP-Message = 0x020600061500
        State = 0xebe5d19ce8e3c4cca364a660c76c86a2
        Message-Authenticator = 0x6359348b2a80a686d9524bf5950f44ea
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 156 to 10.100.1.18 port 50492
        EAP-Message = 0x0107009815800000087af625b5685c93bcd9a0b9551b1248e20167add84cfcce79d65e6abbd09ea6e6ee6ae3131c8e543e9fbf82dbab7a9ae69b82961d775ad61f73920bcec8784acabedb6f1565b9a6b8804244d93866309afd20d09e27d4a582cf7c44825874f8ffb7093a03cdad63143b191786ed51ddb14c566ed709f730c4a858ec2c176784f5f4e1d0d42f0316030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xebe5d19cefe2c4cca364a660c76c86a2
Finished request 34.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=157, length=521
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-00000064"
        Framed-MTU = 1400
        EAP-Message = 0x0207014c15001603010106100001020100943a50c744ac2b36871c1bd3c9b8786d5f76d52b6e720f638b04c649561cd9209da4eb941b7bd3413c757dc82acac47defa1d22edfa7d19b4608a91d6060eab0be79cac08220eeb72a9914fb661fde8783125ac6d1f2af2da37eb25f7b6472a063c237905c4a046cf0847ba38c2b83b34d240e27390e8e484149f48cc845b3dbb3206df4584734fe76bb07d5757c7bb1c0a91211ba1aadfb89787fee9a891f1c46d85bba02b72ee0d8c477e3d9c775e93e357e02680f1c3542041eeea52fa0b046e477c9183269783810ec21ba2ac7a83c2127cf938a919407e715026c28277c7126c65e14fac8379c0ff93c
        EAP-Message = 0xef619cc496d3c2e173b7b6a67fc28e0c3a049fe71403010001011603010030ca40d3e0ef7779e9689f4d2fa0db480288f416ea459ae4751441d2f900226574c793e40beec08ab9e943c4d957245192
        State = 0xebe5d19cefe2c4cca364a660c76c86a2
        Message-Authenticator = 0x0fc598e9956ca5cbe8799e0dd85d36d9
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 7 length 253
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 157 to 10.100.1.18 port 50492
        EAP-Message = 0x0108004515800000003b1403010001011603010030d583dac826056375700fbac982e9b14c1c1e2e0f477fa316dd2342015d818cc5b3581319bffd65d7024055b0dbc5eb14
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xebe5d19ceeedc4cca364a660c76c86a2
Finished request 35.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=158, length=342
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-00000064"
        Framed-MTU = 1400
        EAP-Message = 0x0208009b150017030100906231c104376ca4f931b513c0842a8042f5435c977320c09c7dbc125e076f8e879bd02edd9db2debeac767945957e21548018107c5f880a44f9619234819cb5348198105280c45cf07b3e044deb88249e3a31c56b6123d4055f66cf3ccb0ea01f94e9317cd44b6385644e622116fa633777a955148ba43deaf6975dc45cbe668358ed6d101181319c13df67710c10335c
        State = 0xebe5d19ceeedc4cca364a660c76c86a2
        Message-Authenticator = 0x2e508fa6d71de73c0006015be799c7d1
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 155
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7 
[ttls] Done initial handshake
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "10.100.11.81"
        MS-CHAP-Challenge = 0xc6085db271f9f0d6ad2cc83ac3b92c79
        MS-CHAP2-Response = 0xb9008fd66ce60ade72bcf005a9a51c64747c00000000000000001febf74cee06df578fedf84bc5ed92fb2638f5d789dbb11d
        FreeRADIUS-Proxied-To = 127.0.0.1
[ttls] Sending tunneled request
        User-Name = "10.100.11.81"
        MS-CHAP-Challenge = 0xc6085db271f9f0d6ad2cc83ac3b92c79
        MS-CHAP2-Response = 0xb9008fd66ce60ade72bcf005a9a51c64747c00000000000000001febf74cee06df578fedf84bc5ed92fb2638f5d789dbb11d
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
[mschap] Found MS-CHAP attributes.  Setting 'Auth-Type  = mschap'
++[mschap] = ok
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] No EAP-Message, not doing EAP
++[eap] = noop
++[files] = noop
[sql]   expand: %{User-Name} -> 10.100.11.81
[sql] sql_set_user escaped user --> '10.100.11.81'
rlm_sql (sql): Reserving sql socket id: 1
[sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '10.100.11.81'           ORDER BY id
WARNING: Found User-Password == "...".WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '10.100.11.81'           ORDER BY id
[sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = '10.100.11.81'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = ok
Found Auth-Type = MSCHAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!    Replacing User-Password in config items with Cleartext-Password.     !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good"               !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group MS-CHAP {
[mschap] Creating challenge hash with username: 10.100.11.81
[mschap] Client is using MS-CHAPv2 for 10.100.11.81, we need NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] = ok
+} # group MS-CHAP = ok
  WARNING: Empty post-auth section.  Using default return values.
# Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel
} # server inner-tunnel
[ttls] Got tunneled reply code Access-Accept
        MS-CHAP2-Success = 0xb9533d30373838383644373042443137303446453536334438333233463541353745444244413643324338
        MS-MPPE-Recv-Key = 0xadabbcb4057b776727ce20040d0741a7
        MS-MPPE-Send-Key = 0x70dd412b691fdb0b5f102c9113c1a8d7
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 158 to 10.100.1.18 port 50492
        EAP-Message = 0x0109005f158000000055170301005093610acea0f0be93d112d29f7bcf0c255b0082945dec344640bb2137fcaa08e89a04fdfd76d041391584d96d18ead83684ed347138a9e3181f3ac1af26a0e38dd99a36e7a9c37aa5f8d92fb6373af880
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xebe5d19cedecc4cca364a660c76c86a2
Finished request 36.
Going to the next request
Waking up in 4.5 seconds.
rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=159, length=193
        User-Name = "10.100.11.81"
        NAS-Identifier = "pruebas"
        Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Calling-Station-Id = "44-D9-E7-24-BC-A1"
        Connect-Info = "CONNECT 0Mbps 802.11b"
        Acct-Session-Id = "55AECF15-00000064"
        Framed-MTU = 1400
        EAP-Message = 0x020900061500
        State = 0xebe5d19cedecc4cca364a660c76c86a2
        Message-Authenticator = 0x6e0941ab053e33487162905c4a60aa28
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 9 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3 
[ttls] eaptls_process returned 3 
[ttls] Using saved attributes from the original Access-Accept
[eap] Freeing handler
++[eap] = ok
+} # group authenticate = ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+group post-auth {
++[exec] = noop
+} # group post-auth = noop
Sending Access-Accept of id 159 to 10.100.1.18 port 50492
        MS-MPPE-Recv-Key = 0x2993c35cf4d962cb0a623d0edefb1774c005a176084985230d659a7573791cd2
        MS-MPPE-Send-Key = 0x28ac8a8b487a53ae0caa05f61c731b1c88497438cb476e0b1fcdc2c05847d686
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "10.100.11.81"
Finished request 37.
Going to the next request
Waking up in 4.4 seconds.
Cleaning up request 30 ID 152 with timestamp +360
Cleaning up request 31 ID 153 with timestamp +360
Cleaning up request 32 ID 154 with timestamp +360
Cleaning up request 33 ID 155 with timestamp +360
Cleaning up request 34 ID 156 with timestamp +360
Waking up in 0.2 seconds.
Cleaning up request 35 ID 157 with timestamp +361
Cleaning up request 36 ID 158 with timestamp +361
Cleaning up request 37 ID 159 with timestamp +361
Ready to process requests.


Regards

> El 14/8/2015, a las 11:11, Alan DeKok <aland at deployingradius.com> escribió:
> 
>> On Aug 13, 2015, at 8:26 AM, Francisco Rodriguez <franrtorres77 at gmail.com> wrote:
>> Hi, I have a problem using certificates when for example a device has set
>> the timezone to GMT+1. So if the user has the timezone different than GMT
>> Western Zone does not connect and it launchs a message saying the
>> certificate has expired.
>> 
>> Is there a way to allow devices trying to connect with a different timezone
>> to be able to connect and accept the certicate?
> 
>  Hmm... that's weird.  OpenSSL should take care of converting dates from one time zone to another.
> 
>  What does the debug output say for a device that works, and one that doesn't work?
> 
>  Alan DeKok.
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


More information about the Freeradius-Users mailing list