EAP-TLS from IKEv2 initiator

Adam Bishop Adam.Bishop at jisc.ac.uk
Fri Apr 21 19:02:06 CEST 2017


Juniper have added proper EAP support to their VPN stack - I'm trying to get it working. I'm not trying to do anything fancy at this stage, just check that the client cert is signed by a CA.

I've not deployed EAP-TLS before, so I could use a bit of help interpreting the TLS errors - the logs on the concentrator and on the client leave a little to be desired.

It appears to be an issue with the CA being untrusted, but which side is it on? Does the client distrust the FreeRADIUS server certificate, or does FreeRADIUS distrust the client's certificate?

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

(33)  Debug: Received Access-Request Id 72 from 172.25.0.176:52447 to 212.219.210.194:1812 length 95
(33)  Debug:   User-Name = "adambishop.dev.ja.net"
(33)  Debug:   EAP-Message = 0x026f001a016164616d626973686f702e6465762e6a612e6e6574
(33)  Debug:   Message-Authenticator = 0x49c30bd1919131b5237affe9e97308c0
(33)  Debug:   NAS-IP-Address = 172.25.0.176
(33)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(33)  Debug:   authorize {
(33)  Debug:     update request {
(33)  Debug:     } # update request = noop
(33)  Debug:     [mschap] = noop
(33)  Debug:     policy ntlm_auth.authorize {
(33)  Debug:       if (!control:Auth-Type && User-Password) {
(33)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(33)  Debug:     } # policy ntlm_auth.authorize = updated
(33)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 111 length 26
(33)  Debug: vpn-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(33)  Debug:     [vpn-eap] = ok
(33)  Debug:   } # authorize = ok
(33)  Debug: Found Auth-Type = vpn-eap
(33)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(33)  Debug:   Auth-Type vpn-eap {
(33)  Debug: vpn-eap: Peer sent packet with method EAP Identity (1)
(33)  Debug: vpn-eap: Calling submodule eap_tls to process data
(33)  Debug: eap_tls: Initiating new EAP-TLS session
(33)  Debug: eap_tls: Setting verify mode to require certificate from client
(33)  Debug: eap_tls: [eaptls start] = request
(33)  Debug: vpn-eap: Sending EAP Request (code 1) ID 112 length 6
(33)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6ade326b
(33)  Debug:     [vpn-eap] = handled
(33)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge)) {
(33)  Debug:     EXPAND Response-Packet-Type
(33)  Debug:        --> Access-Challenge
(33)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(33)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  {
(33)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(33)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(33)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(33)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(33)  Debug:       [handled] = handled
(33)  Debug:     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(33)  Debug:   } # Auth-Type vpn-eap = handled
(33)  Debug: Using Post-Auth-Type Challenge
(33)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(33)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(33)  Debug: Sent Access-Challenge Id 72 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(33)  Debug:   EAP-Message = 0x017000060d20
(33)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(33)  Debug:   State = 0x6aae3f2e6ade326be20d66152c93ce20
(33)  Debug: Finished request
(34)  Debug: Received Access-Request Id 73 from 172.25.0.176:52447 to 212.219.210.194:1812 length 214
(34)  Debug:   User-Name = "adambishop.dev.ja.net"
(34)  Debug:   State = 0x6aae3f2e6ade326be20d66152c93ce20
(34)  Debug:   EAP-Message = 0x0270007f0d800000007516030100700100006c030158fa35e7494a8208f15734f1b156e5cfb33b722c8028e0ac4c5b609dbbaad4ed00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(34)  Debug:   Message-Authenticator = 0xe0ffa2f9a4f35bb9c59822b730acb0b7
(34)  Debug:   NAS-IP-Address = 172.25.0.176
(34)  Debug: session-state: No cached attributes
(34)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(34)  Debug:   authorize {
(34)  Debug:     update request {
(34)  Debug:     } # update request = noop
(34)  Debug:     [mschap] = noop
(34)  Debug:     policy ntlm_auth.authorize {
(34)  Debug:       if (!control:Auth-Type && User-Password) {
(34)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(34)  Debug:     } # policy ntlm_auth.authorize = updated
(34)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 112 length 127
(34)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(34)  Debug:     [vpn-eap] = updated
(34)  Debug:   } # authorize = updated
(34)  Debug: Found Auth-Type = vpn-eap
(34)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(34)  Debug:   Auth-Type vpn-eap {
(34)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6ade326b
(34)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6ade326b
(34)  Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6ade326b, released from the list
(34)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(34)  Debug: vpn-eap: Calling submodule eap_tls to process data
(34)  Debug: eap_tls: Continuing EAP-TLS
(34)  Debug: eap_tls: Peer indicated complete TLS record size will be 117 bytes
(34)  Debug: eap_tls: Got complete TLS record (117 bytes)
(34)  Debug: eap_tls: [eaptls verify] = length included
(34)  Debug: eap_tls: (other): before/accept initialization
(34)  Debug: eap_tls: TLS_accept: before/accept initialization
(34)  Debug: eap_tls: TLS_accept: SSLv3 read client hello A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write server hello A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write certificate A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write key exchange A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write certificate request A
(34)  Debug: eap_tls: TLS_accept: SSLv3 flush data
(34)  Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34)  Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34)  Debug: eap_tls: In SSL Handshake Phase
(34)  Debug: eap_tls: In SSL Accept mode
(34)  Debug: eap_tls: [eaptls process] = handled
(34)  Debug: vpn-eap: Sending EAP Request (code 1) ID 113 length 1024
(34)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6bdf326b
(34)  Debug:     [vpn-eap] = handled
(34)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge)) {
(34)  Debug:     EXPAND Response-Packet-Type
(34)  Debug:        --> Access-Challenge
(34)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(34)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  {
(34)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(34)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(34)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(34)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(34)  Debug:       [handled] = handled
(34)  Debug:     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(34)  Debug:   } # Auth-Type vpn-eap = handled
(34)  Debug: Using Post-Auth-Type Challenge
(34)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(34)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(34)  Debug: Sent Access-Challenge Id 73 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(34)  Debug:   EAP-Message = 0x017104000dc000000ee6160301005902000055030158fa35e7aba06da2f649d15b2f089f33f9657525d4ea7fbe38c0683b6d562b0d204c1a18aa8cc88018d71230199577025e1582f0af81dbdc9ec817bb59968b8b07c01400000dff01000100000b0004030001021603010b980b000b94000b910005bd
(34)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(34)  Debug:   State = 0x6aae3f2e6bdf326be20d66152c93ce20
(34)  Debug: Finished request
(35)  Debug: Received Access-Request Id 74 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93
(35)  Debug:   User-Name = "adambishop.dev.ja.net"
(35)  Debug:   State = 0x6aae3f2e6bdf326be20d66152c93ce20
(35)  Debug:   EAP-Message = 0x027100060d00
(35)  Debug:   Message-Authenticator = 0xa0a4c2467a10884786f7e69f8629f39d
(35)  Debug:   NAS-IP-Address = 172.25.0.176
(35)  Debug: session-state: No cached attributes
(35)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(35)  Debug:   authorize {
(35)  Debug:     update request {
(35)  Debug:     } # update request = noop
(35)  Debug:     [mschap] = noop
(35)  Debug:     policy ntlm_auth.authorize {
(35)  Debug:       if (!control:Auth-Type && User-Password) {
(35)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(35)  Debug:     } # policy ntlm_auth.authorize = updated
(35)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 113 length 6
(35)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(35)  Debug:     [vpn-eap] = updated
(35)  Debug:   } # authorize = updated
(35)  Debug: Found Auth-Type = vpn-eap
(35)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(35)  Debug:   Auth-Type vpn-eap {
(35)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6bdf326b
(35)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6bdf326b
(35)  Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6bdf326b, released from the list
(35)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(35)  Debug: vpn-eap: Calling submodule eap_tls to process data
(35)  Debug: eap_tls: Continuing EAP-TLS
(35)  Debug: eap_tls: Peer ACKed our handshake fragment
(35)  Debug: eap_tls: [eaptls verify] = request
(35)  Debug: eap_tls: [eaptls process] = handled
(35)  Debug: vpn-eap: Sending EAP Request (code 1) ID 114 length 1024
(35)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e68dc326b
(35)  Debug:     [vpn-eap] = handled
(35)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge)) {
(35)  Debug:     EXPAND Response-Packet-Type
(35)  Debug:        --> Access-Challenge
(35)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(35)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  {
(35)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(35)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(35)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(35)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(35)  Debug:       [handled] = handled
(35)  Debug:     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(35)  Debug:   } # Auth-Type vpn-eap = handled
(35)  Debug: Using Post-Auth-Type Challenge
(35)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(35)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(35)  Debug: Sent Access-Challenge Id 74 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(35)  Debug:   EAP-Message = 0x017204000dc000000ee67073312e6465762e6a612e6e657482106f727073322e6465762e6a612e6e6574300d06092a864886f70d01010b050003820201003538a5bfb66c1d80c153bea4bde8797b5771787c349c00a0afb3007452b8263dcfe5f33e97a63b77a618acc517c74bc965a5636510377123aa
(35)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(35)  Debug:   State = 0x6aae3f2e68dc326be20d66152c93ce20
(35)  Debug: Finished request
(36)  Debug: Received Access-Request Id 75 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93
(36)  Debug:   User-Name = "adambishop.dev.ja.net"
(36)  Debug:   State = 0x6aae3f2e68dc326be20d66152c93ce20
(36)  Debug:   EAP-Message = 0x027200060d00
(36)  Debug:   Message-Authenticator = 0x30592ba50305fc9c46f668bdff6e0501
(36)  Debug:   NAS-IP-Address = 172.25.0.176
(36)  Debug: session-state: No cached attributes
(36)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(36)  Debug:   authorize {
(36)  Debug:     update request {
(36)  Debug:     } # update request = noop
(36)  Debug:     [mschap] = noop
(36)  Debug:     policy ntlm_auth.authorize {
(36)  Debug:       if (!control:Auth-Type && User-Password) {
(36)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(36)  Debug:     } # policy ntlm_auth.authorize = updated
(36)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 114 length 6
(36)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(36)  Debug:     [vpn-eap] = updated
(36)  Debug:   } # authorize = updated
(36)  Debug: Found Auth-Type = vpn-eap
(36)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(36)  Debug:   Auth-Type vpn-eap {
(36)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e68dc326b
(36)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e68dc326b
(36)  Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e68dc326b, released from the list
(36)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(36)  Debug: vpn-eap: Calling submodule eap_tls to process data
(36)  Debug: eap_tls: Continuing EAP-TLS
(36)  Debug: eap_tls: Peer ACKed our handshake fragment
(36)  Debug: eap_tls: [eaptls verify] = request
(36)  Debug: eap_tls: [eaptls process] = handled
(36)  Debug: vpn-eap: Sending EAP Request (code 1) ID 115 length 1024
(36)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e69dd326b
(36)  Debug:     [vpn-eap] = handled
(36)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge)) {
(36)  Debug:     EXPAND Response-Packet-Type
(36)  Debug:        --> Access-Challenge
(36)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(36)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  {
(36)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(36)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(36)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(36)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(36)  Debug:       [handled] = handled
(36)  Debug:     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(36)  Debug:   } # Auth-Type vpn-eap = handled
(36)  Debug: Using Post-Auth-Type Challenge
(36)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(36)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(36)  Debug: Sent Access-Challenge Id 75 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(36)  Debug:   EAP-Message = 0x017304000dc000000ee6a8a10366b1a69070f32e9c2285917ba83b5fa6d7c9d736385ae3a898a989b4868c713e653962ef9c0e7842f3eb3597fbb63b193af9330d984af5dbed07fe8271963a833187f2c99189b6001b54a8e3cc4fda9f07abeb2c3f8d9701bbd0de99a0781ad8cf5ef90ba0cbd528ecbd
(36)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(36)  Debug:   State = 0x6aae3f2e69dd326be20d66152c93ce20
(36)  Debug: Finished request
(37)  Debug: Received Access-Request Id 76 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93
(37)  Debug:   User-Name = "adambishop.dev.ja.net"
(37)  Debug:   State = 0x6aae3f2e69dd326be20d66152c93ce20
(37)  Debug:   EAP-Message = 0x027300060d00
(37)  Debug:   Message-Authenticator = 0xf2e97357da0c1ddd3ce4e45675dc4c85
(37)  Debug:   NAS-IP-Address = 172.25.0.176
(37)  Debug: session-state: No cached attributes
(37)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(37)  Debug:   authorize {
(37)  Debug:     update request {
(37)  Debug:     } # update request = noop
(37)  Debug:     [mschap] = noop
(37)  Debug:     policy ntlm_auth.authorize {
(37)  Debug:       if (!control:Auth-Type && User-Password) {
(37)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(37)  Debug:     } # policy ntlm_auth.authorize = updated
(37)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 115 length 6
(37)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(37)  Debug:     [vpn-eap] = updated
(37)  Debug:   } # authorize = updated
(37)  Debug: Found Auth-Type = vpn-eap
(37)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(37)  Debug:   Auth-Type vpn-eap {
(37)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e69dd326b
(37)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e69dd326b
(37)  Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e69dd326b, released from the list
(37)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(37)  Debug: vpn-eap: Calling submodule eap_tls to process data
(37)  Debug: eap_tls: Continuing EAP-TLS
(37)  Debug: eap_tls: Peer ACKed our handshake fragment
(37)  Debug: eap_tls: [eaptls verify] = request
(37)  Debug: eap_tls: [eaptls process] = handled
(37)  Debug: vpn-eap: Sending EAP Request (code 1) ID 116 length 782
(37)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6eda326b
(37)  Debug:     [vpn-eap] = handled
(37)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge)) {
(37)  Debug:     EXPAND Response-Packet-Type
(37)  Debug:        --> Access-Challenge
(37)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  -> TRUE
(37)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))  {
(37)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(37)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(37)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(37)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(37)  Debug:       [handled] = handled
(37)  Debug:     } # if (handled && (Response-Packet-Type == Access-Challenge))  = handled
(37)  Debug:   } # Auth-Type vpn-eap = handled
(37)  Debug: Using Post-Auth-Type Challenge
(37)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(37)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(37)  Debug: Sent Access-Challenge Id 76 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(37)  Debug:   EAP-Message = 0x0174030e0d8000000ee6a8e258b211b12d7b809f6b1bde4c3b17448fcecde979c5af6b160301024b0c0002470300174104fca4d3a30ab92336ed8b6d06067e419da55aaed97101b578e7fc14b09dfa959c3f9532ae1699fedcf0e48443395cb523fb353bc312cd99b96436c8fb52730dde02002046f7c3
(37)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(37)  Debug:   State = 0x6aae3f2e6eda326be20d66152c93ce20
(37)  Debug: Finished request
(38)  Debug: Received Access-Request Id 77 from 172.25.0.176:52447 to 212.219.210.194:1812 length 104
(38)  Debug:   User-Name = "adambishop.dev.ja.net"
(38)  Debug:   State = 0x6aae3f2e6eda326be20d66152c93ce20
(38)  Debug:   EAP-Message = 0x027400110d800000000715030100020100
(38)  Debug:   Message-Authenticator = 0x525697ff8dd586a2947f27df10721084
(38)  Debug:   NAS-IP-Address = 172.25.0.176
(38)  Debug: session-state: No cached attributes
(38)  Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(38)  Debug:   authorize {
(38)  Debug:     update request {
(38)  Debug:     } # update request = noop
(38)  Debug:     [mschap] = noop
(38)  Debug:     policy ntlm_auth.authorize {
(38)  Debug:       if (!control:Auth-Type && User-Password) {
(38)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(38)  Debug:     } # policy ntlm_auth.authorize = updated
(38)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 116 length 17
(38)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(38)  Debug:     [vpn-eap] = updated
(38)  Debug:   } # authorize = updated
(38)  Debug: Found Auth-Type = vpn-eap
(38)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(38)  Debug:   Auth-Type vpn-eap {
(38)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6eda326b
(38)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6eda326b
(38)  Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6eda326b, released from the list
(38)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(38)  Debug: vpn-eap: Calling submodule eap_tls to process data
(38)  Debug: eap_tls: Continuing EAP-TLS
(38)  Debug: eap_tls: Peer indicated complete TLS record size will be 7 bytes
(38)  Debug: eap_tls: Got complete TLS record (7 bytes)
(38)  Debug: eap_tls: [eaptls verify] = length included
(38)  ERROR: eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
(38)  ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
(38)  ERROR: eap_tls: System call (I/O) error (-1)
(38)  ERROR: eap_tls: TLS receive handshake failed during operation
(38)  ERROR: eap_tls: [eaptls process] = fail
(38)  ERROR: vpn-eap: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(38)  Debug: vpn-eap: Sending EAP Failure (code 4) ID 116 length 4
(38)  Debug: vpn-eap: Failed in EAP select
(38)  Debug:     [vpn-eap] = invalid
(38)  Debug:   } # Auth-Type vpn-eap = invalid
(38)  Debug: Failed to authenticate the user
(38)  Debug: Using Post-Auth-Type Reject
(38)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(38)  Debug:   Post-Auth-Type REJECT {
(38)  Debug: attr_filter.access_reject: EXPAND %{User-Name}
(38)  Debug: attr_filter.access_reject:    --> adambishop.dev.ja.net
(38)  Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(38)  Debug:     [attr_filter.access_reject] = updated
(38)  Debug:     [eap] = noop
(38)  Debug: rp_log: EXPAND rp_log.%{%{reply:Packet-Type}:-format}
(38)  Debug: rp_log:    --> rp_log.Access-Reject
(38)  Debug: rp_log: EXPAND radiusd-rp-log#DOMAIN=DEV#LOCATION=LH#SERVICE=%{%{Service-Class}:-NONE}#ORG=%{%{request:operator-name}:-%{request:Stripped-User-Domain}}#USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{reply:Chargeable-User-Identity}#RESULT=FAIL#VLAN=%{%{reply:Tunnel-Private-Group-ID}:-NONE}#CLIENT=%{client:shortname}#REPLY_MESSAGE=%{%{reply:reply-message}:-NONE}#MODULE_MESSAGE=%{%{%{request:Module-Failure-Message}:-%{session-state:Module-Failure-Message}}:-NONE}#
(38) Fri Apr 21 16:40:07 2017: Debug: rp_log:    --> radiusd-rp-log#DOMAIN=DEV#LOCATION=LH#SERVICE=vpn#ORG=#USER=adambishop.dev.ja.net#CSI=#NAS=#CUI=#RESULT=FAIL#VLAN=NONE#CLIENT=castle-black.djn#REPLY_MESSAGE=NONE#MODULE_MESSAGE=eap_tls: TLS_accept: Failed in SSLv3 read client certificate A#
(38)  Debug:     [rp_log] = ok
(38)  Debug:     policy remove_reply_message_if_eap {
(38)  Debug:       if (&reply:EAP-Message && &reply:Reply-Message) {
(38)  Debug:       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(38)  Debug:       else {
(38)  Debug:         [noop] = noop
(38)  Debug:       } # else = noop
(38)  Debug:     } # policy remove_reply_message_if_eap = noop
(38)  Debug:   } # Post-Auth-Type REJECT = updated
(38)  Debug: Delaying response for 1.000000 seconds
(38)  Debug: Sending delayed response
(38)  Debug: Sent Access-Reject Id 77 from 212.219.210.194:1812 to 172.25.0.176:52447 length 44
(38)  Debug:   EAP-Message = 0x04740004
(38)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000


---
# radiusd -C -X
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
<snip>
main {
 security {
 	user = "radiusd"
 	group = "radiusd"
 	allow_core_dumps = no
 }
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
}
main {
	name = "radiusd"
	prefix = "/usr"
	localstatedir = "/var"
	sbindir = "/usr/sbin"
	logdir = "/var/log/radius"
	run_dir = "/var/run/radiusd"
	libdir = "/usr/lib64/freeradius"
	radacctdir = "/var/log/radius/radacct"
	hostname_lookups = no
	max_request_time = 60
	cleanup_delay = 10
	max_requests = 16384
	pidfile = "/var/run/radiusd/radiusd.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
 	stripped_names = no
 	auth = no
 	auth_badpass = no
 	auth_goodpass = no
 	colourise = yes
 	msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
 	max_attributes = 200
 	reject_delay = 1.000000
 	status_server = yes
 	allow_vulnerable_openssl = "CVE-2016-6304"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
 	retry_delay = 5
 	retry_count = 3
 	default_fallback = no
 	dead_time = 120
 	wake_all_if_all_dead = no
 }
 realm LOCAL {
	nostrip
 }
<snip>
 realm dev.ja.net {
 }
radiusd: #### Loading Clients ####
<snip>
 client 172.25.0.176 {
 	ipaddr = 172.25.0.176
 	require_message_authenticator = yes
 	secret = <<< secret >>>
 	shortname = "castle-black.djn"
 	nas_type = "other"
 	virtual_server = "vpn"
 	proto = "udp"
  limit {
  	max_connections = 16
  	lifetime = 0
  	idle_timeout = 30
  }
 }
<snip>
 Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = MS-CHAP
 # Creating Auth-Type = eap
 # Creating Autz-Type = Status-Server
 # Creating Auth-Type = inner-eap
 # Creating Auth-Type = ntlm_auth
 # Creating Auth-Type = VPN
 # Creating Auth-Type = vpn-eap
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/raddb/mods-enabled/always
  always reject {
  	rcode = "reject"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "fail" from file /etc/raddb/mods-enabled/always
  always fail {
  	rcode = "fail"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "ok" from file /etc/raddb/mods-enabled/always
  always ok {
  	rcode = "ok"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "handled" from file /etc/raddb/mods-enabled/always
  always handled {
  	rcode = "handled"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  always invalid {
  	rcode = "invalid"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  always userlock {
  	rcode = "userlock"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  always notfound {
  	rcode = "notfound"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "noop" from file /etc/raddb/mods-enabled/always
  always noop {
  	rcode = "noop"
  	simulcount = 0
  	mpp = no
  }
  # Loading module "updated" from file /etc/raddb/mods-enabled/always
  always updated {
  	rcode = "updated"
  	simulcount = 0
  	mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
  	filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
  	filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
  	key = "%{Realm}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
  	filename = "/etc/raddb/mods-config/attr_filter/access_reject"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
  	filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
  	filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
  	key = "%{User-Name}"
  	relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  cache cache_eap {
  	driver = "rlm_cache_rbtree"
  	key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
  	ttl = 15
  	max_entries = 0
  	epoch = 0
  	add_stats = no
  }
  # Loaded module rlm_date
  # Loading module "date" from file /etc/raddb/mods-enabled/date
  date {
  	format = "%b %e %Y %H:%M:%S %Z"
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/raddb/mods-enabled/eap
  eap {
  	default_eap_type = "peap"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 16384
  }
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  exec echo {
  	wait = yes
  	program = "/bin/echo %{User-Name}"
  	input_pairs = "request"
  	output_pairs = "reply"
  	shell_escape = yes
  }
  # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  exec {
  	wait = no
  	input_pairs = "request"
  	shell_escape = yes
  	timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  expr {
  	safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/raddb/mods-enabled/files
  files {
  	filename = "/etc/raddb/mods-config/files/authorize"
  	acctusersfile = "/etc/raddb/mods-config/files/accounting"
  	preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  linelog {
  	filename = "/var/log/radius/linelog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = "This is a log message for %{User-Name}"
  	reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  linelog log_accounting {
  	filename = "/var/log/radius/linelog-accounting"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  logintime {
  	minimum_timeout = 60
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  pap {
  	normalise = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  passwd etc_passwd {
  	filename = "/etc/passwd"
  	format = "*User-Name:Crypt-Password:"
  	delimiter = ":"
  	ignore_nislike = no
  	ignore_empty = yes
  	allow_multiple_keys = no
  	hash_size = 100
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  realm IPASS {
  	format = "prefix"
  	delimiter = "/"
  	ignore_default = no
  	ignore_null = no
  	default_community = "none"
  	rp_realm = "none"
  	trust_router = "none"
  	tr_port = 0
  }
  # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  realm suffix {
  	format = "suffix"
  	delimiter = "@"
  	ignore_default = no
  	ignore_null = no
  	default_community = "none"
  	rp_realm = "none"
  	trust_router = "none"
  	tr_port = 0
  }
  # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  realm realmpercent {
  	format = "suffix"
  	delimiter = "%"
  	ignore_default = no
  	ignore_null = no
  	default_community = "none"
  	rp_realm = "none"
  	trust_router = "none"
  	tr_port = 0
  }
  # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  realm ntdomain {
  	format = "prefix"
  	delimiter = "\\"
  	ignore_default = no
  	ignore_null = no
  	default_community = "none"
  	rp_realm = "none"
  	trust_router = "none"
  	tr_port = 0
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  soh {
  	dhcp = yes
  }
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  radutmp sradutmp {
  	filename = "/var/log/radius/sradutmp"
  	username = "%{User-Name}"
  	case_sensitive = yes
  	check_with_nas = yes
  	permissions = 420
  	caller_id = no
  }
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  mschap {
  	use_mppe = yes
  	require_encryption = yes
  	require_strong = yes
  	with_ntdomain_hack = yes
   passchange {
   }
  	allow_retry = yes
  	retry_msg = "Your credentials were not accepted, please try again"
  	winbind_retry_with_normalised_username = yes
  }
  # Loading module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap
  eap inner-eap {
  	default_eap_type = "mschapv2"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 2048
  }
  # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  exec ntlm_auth {
  	wait = yes
  	program = "/usr/bin/ntlm_auth --request-nt-key --domain=DEV --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}"
  	shell_escape = yes
  }
  # Loaded module rlm_redis
  # Loading module "redis" from file /etc/raddb/mods-enabled/redis
  redis {
  	server = "127.0.0.1"
  	port = 6379
  	database = 0
  	password = <<< secret >>>
  }
rlm_redis: libhiredis version: 0.12.1
  # Loading module "idp_log" from file /etc/raddb/mods-enabled/idp_log
  linelog idp_log {
  	filename = "syslog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "idp_log.%{%{reply:Packet-Type}:-format}"
  }
  # Loading module "rp_log" from file /etc/raddb/mods-enabled/rp_log
  linelog rp_log {
  	filename = "syslog"
  	escape_filenames = no
  	syslog_severity = "info"
  	permissions = 384
  	format = ""
  	reference = "rp_log.%{%{reply:Packet-Type}:-format}"
  }
  # Loading module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap
  eap vpn-eap {
  	default_eap_type = "tls"
  	timer_expire = 60
  	ignore_unknown_eap_types = no
  	cisco_accounting_username_bug = no
  	max_sessions = 16384
  }
  instantiate {
  }
  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" 	found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" 	found in filter list for realm "DEFAULT".
  # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_gtc
   gtc {
   	challenge = "Password: "
   	auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
   	tls = "tls-common"
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	virtual_server = "inner-tunnel"
   	include_length = yes
   	require_client_cert = no
   }
   tls-config tls-common {
   	verify_depth = 0
   	ca_path = "/etc/raddb/certs"
   	pem_file_type = yes
   	private_key_file = "/etc/raddb/certs.d/DEV/server.pem"
   	certificate_file = "/etc/raddb/certs.d/DEV/server.crt"
   	dh_file = "/etc/raddb/certs.d/DEV/dh"
   	fragment_size = 1024
   	include_length = yes
   	auto_chain = yes
   	check_crl = yes
   	check_all_crl = yes
   	cipher_list = "DEFAULT"
   	cipher_server_preference = yes
   	ecdh_curve = "prime256v1"
    cache {
    	enable = yes
    	lifetime = 24
    	name = "Default EAP Cache"
    	max_entries = 16384
    	persist_dir = "/var/lib/radiusd/tlscache"
    }
    verify {
    	skip_if_ocsp_ok = no
    }
    ocsp {
    	enable = no
    	override_cert_url = no
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
   # Linked to sub-module rlm_eap_peap
   peap {
   	tls = "tls-common"
   	default_eap_type = "mschapv2"
   	copy_request_to_tunnel = yes
   	use_tunneled_reply = no
   	proxy_tunneled_request_as_eap = yes
   	virtual_server = "inner-tunnel"
   	soh = no
   	require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = yes
   }
  # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): Initialising connection pool
   pool {
   	start = 5
   	min = 3
   	max = 32
   	spare = 10
   	uses = 0
   	lifetime = 86400
   	cleanup_interval = 300
   	idle_timeout = 600
   	retry_delay = 30
   	spread = no
   }
rlm_mschap (mschap): authenticating directly to winbind
  # Instantiating module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap
   # Linked to sub-module rlm_eap_gtc
   gtc {
   	challenge = "Password: "
   	auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
   	with_ntdomain_hack = no
   	send_error = yes
   }
  # Instantiating module "redis" from file /etc/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
   pool {
   	start = 5
   	min = 3
   	max = 32
   	spare = 10
   	uses = 0
   	lifetime = 86400
   	cleanup_interval = 300
   	idle_timeout = 0
   	retry_delay = 10
   	spread = no
   }
  # Instantiating module "idp_log" from file /etc/raddb/mods-enabled/idp_log
  # Instantiating module "rp_log" from file /etc/raddb/mods-enabled/rp_log
  # Instantiating module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap
   # Linked to sub-module rlm_eap_tls
   tls {
   	tls = "vpn-tls"
   }
   tls-config vpn-tls {
   	verify_depth = 0
   	pem_file_type = yes
   	private_key_file = "/etc/raddb/certs.d/DEV/vpn/server.pem"
   	certificate_file = "/etc/raddb/certs.d/DEV/vpn/server.crt"
   	ca_file = "/etc/raddb/certs.d/DEV/vpn/ca/root.crt"
   	dh_file = "/etc/raddb/certs.d/DEV/dh"
   	fragment_size = 1024
   	include_length = yes
   	auto_chain = yes
   	check_crl = yes
   	check_all_crl = yes
   	cipher_list = "DEFAULT"
   	cipher_server_preference = yes
   	ecdh_curve = "prime256v1"
    cache {
    	enable = yes
    	lifetime = 24
    	name = "Default EAP VPN Cache"
    	max_entries = 16384
    	persist_dir = "/var/lib/radiusd/tlscache"
    }
    verify {
    	skip_if_ocsp_ok = no
    }
    ocsp {
    	enable = no
    	override_cert_url = no
    	use_nonce = yes
    	timeout = 0
    	softfail = no
    }
   }
 } # modules
