Help with non-compliant client (TLS issue)

Geoffrey McRae geoff at hostfission.com
Wed May 17 09:26:45 CEST 2017


Follow-up with the complete authentication log:

rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=61, length=213
	User-Name = "office.power.accounting"
	NAS-Identifier = "OpenWRT"
	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "A0-20-A6-18-6F-D4"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "5583280D-00001ECC"
	Framed-MTU = 1400
	EAP-Message =
0x0270001c016f66666963652e706f7765722e6163636f756e74696e67
	Message-Authenticator = 0x89bac36f11fc19def9cf51a7e3e9ca95
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 112 length 28
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 61 to 192.168.50.253 port 33005
	EAP-Message = 0x017100061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x06e4b92c0695a0e7583a5ad1e4b3e5ec
Finished request 56.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=62, length=275
	User-Name = "office.power.accounting"
	NAS-Identifier = "OpenWRT"
	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "A0-20-A6-18-6F-D4"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "5583280D-00001ECC"
	Framed-MTU = 1400
	EAP-Message =
0x0271004819800000003e1603020039010000350302572068748f17c6ace6f3126cc7befac5eddf2d1cc893df1b2ead55eb3cb62c9800000e003d0035003c002f000a000500040100
	State = 0x06e4b92c0695a0e7583a5ad1e4b3e5ec
	Message-Authenticator = 0x560dc60831b0fa342cd1b39f5fded0d0
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 113 length 72
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 62
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0039], ClientHello  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0ad4], Certificate  
[peap]     TLS_accept: unknown state
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: unknown state
[peap]     TLS_accept: Need to read more data: unknown state
In SSL Handshake Phase 
In SSL Accept mode  
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 62 to 192.168.50.253 port 33005
	EAP-Message = [elided]
	EAP-Message = [elided]
	EAP-Message = [elided]
	EAP-Message = [elided]
	EAP-Message = 0x061f85b9da0b385ce0b787b3
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x06e4b92c0796a0e7583a5ad1e4b3e5ec
Finished request 57.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=63, length=209
	User-Name = "office.power.accounting"
	NAS-Identifier = "OpenWRT"
	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "A0-20-A6-18-6F-D4"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "5583280D-00001ECC"
	Framed-MTU = 1400
	EAP-Message = 0x027200061900
	State = 0x06e4b92c0796a0e7583a5ad1e4b3e5ec
	Message-Authenticator = 0xf99ffa56b22071a5b6849102d0a6c1f9
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 114 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 63 to 192.168.50.253 port 33005
	EAP-Message = [elided]
	EAP-Message = [elided]
	EAP-Message = [elided]
	EAP-Message = [elided]
	EAP-Message = 0x5d0e86558c0b467d
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x06e4b92c0497a0e7583a5ad1e4b3e5ec
Finished request 58.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=64, length=209
	User-Name = "office.power.accounting"
	NAS-Identifier = "OpenWRT"
	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "A0-20-A6-18-6F-D4"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "5583280D-00001ECC"
	Framed-MTU = 1400
	EAP-Message = 0x027300061900
	State = 0x06e4b92c0497a0e7583a5ad1e4b3e5ec
	Message-Authenticator = 0xcf8da5e0de6e6911640cac00e68741a9
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 115 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1 
[peap] eaptls_process returned 13 
[peap] EAPTLS_HANDLED
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 64 to 192.168.50.253 port 33005
	EAP-Message = [elided]
	EAP-Message =
0x160f786361206365727469666963617465300d06092a864886f70d01010d0500038202010037d15182d4db682f480e8bc12cd74f8648218f4e9f92f40a69e4847aed7db19042a7fa79f5639fd2c0576e9f46d46514816d75f056edcc27327981f726b5a7136c4cf2654af17889753ac1c7cffa8394fd274dd027e3c1cc163e9fb74580027281907d5d3acb13e409fc76bc0f73bbef386de80381962eed04bdaad47db7f9d7c15388669e165c3f64ae171d256ca1cae698c36125ec52b10804575069d6a281ee49821fa999d875a6afaf36b2d607fa0a339bbb3e77813566805029087188a6cb80fe9cc9b2782380ab3b5be5ecc8463021069c892dbf23
	EAP-Message = [elided]
	EAP-Message =
0x4bd1b7c07a522d0d95d8d66e8bb99b2f44b0a043e61f6bdf6b82b869132d6a1051c37c6bd696631d0699d416030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x06e4b92c0590a0e7583a5ad1e4b3e5ec
Finished request 59.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
id=65, length=220
	User-Name = "office.power.accounting"
	NAS-Identifier = "OpenWRT"
	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
	NAS-Port-Type = Wireless-802.11
	NAS-Port = 1
	Calling-Station-Id = "A0-20-A6-18-6F-D4"
	Connect-Info = "CONNECT 54Mbps 802.11g"
	Acct-Session-Id = "5583280D-00001ECC"
	Framed-MTU = 1400
	EAP-Message = 0x027400111980000000071503010002022a
	State = 0x06e4b92c0590a0e7583a5ad1e4b3e5ec
	Message-Authenticator = 0x9580deaf1ada4b60f7a7e6c2312f6a0c
# Executing section authorize from
file /etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
[auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
[auth_log]
expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
[auth_log] 	expand: %t -> Wed May 17 17:24:10 2017
++[auth_log] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "office.power.accounting", looking up
realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 116 length 17
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11 
[peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
TLS Alert read:fatal:bad certificate
    TLS_accept: failed in unknown state
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4 
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:bad certificate):
[office.power.accounting/<via Auth-Type = EAP>] (from client
192.168.50.253 port 1 cli A0-20-A6-18-6F-D4)
Using Post-Auth-Type REJECT
# Executing group from file /etc/freeradius/sites-enabled/default
+group REJECT {
[attr_filter.access_reject] 	expand: %{User-Name} ->
office.power.accounting
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 60 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 60
Sending Access-Reject of id 65 to 192.168.50.253 port 33005
	EAP-Message = 0x04740004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.3 seconds.
Cleaning up request 56 ID 61 with timestamp +2171
Cleaning up request 57 ID 62 with timestamp +2171
Cleaning up request 58 ID 63 with timestamp +2171
Cleaning up request 59 ID 64 with timestamp +2171
Waking up in 1.6 seconds.
Cleaning up request 60 ID 65 with timestamp +2172
Ready to process requests.


-- 
Kind Regards,
Geoffrey McRae

HostFission
Server Management & Monitoring
W: https://hostfission.com
P: +61 2 9037 0321



On Wed, 2017-05-17 at 16:16 +1000, Geoffrey McRae via Freeradius-Users
wrote:
> Hi,
> 
> I am trying to use an ESP8266 to connect to a network using freeradius.
> I have confirmed that the fault is not due to freeradius, but since the
> code in the SDK for the device is closed, I am limited in what I can do
> to resolve the problem.
> 
> The server is configured and is working fine with EAP-PEAP using
> MSCHAPv2 auth, which the device is supposed to support. Other devices
> and eapol_test confirm that the radius server is setup correctly.
> 
> When the device attempts to authenticate the following in the freeradius
> debug output is observed.
> 
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 7
> [peap] Length Included
> [peap] eaptls_verify returned 11 
> [peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
> TLS Alert read:fatal:bad certificate
>     TLS_accept: failed in unknown state
> rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> 
> My assumption is that the device is erroneously trying to tell the
> server that it is providing a client certificate, which it obviously is
> not, but I do not know enough about TLS to verify this and would love
> some feedback if anyone is a guru in this area.
> 
> Even if I provide a client certificate the above error still occurs;
> clearly the fault is in the binary blob that Espressif provides.
> 
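Added example (not from the original post, and not FreeRADIUS code): a small Python decoder for the EAP-Message hex values in the log above. It peels off the EAP header, the EAP-TLS/PEAP flags and total-length field, and the TLS record and handshake headers, so the exchange can be read without guessing at the raw bytes: the ClientHello in request id 62 (client_version, cipher suites, whether any extensions are present) and the record in request id 65, which decodes as a TLS Alert (content type 21, level fatal, description 42 bad_certificate) sent by the client, not a Certificate handshake message. The function and constant names are this example's own; the hex values are copied from the log as printed.

```python
"""Decode EAP-Message values from FreeRADIUS debug output: EAP header, EAP-TLS/PEAP flags,
TLS records, then handshake or alert. Names and helpers are this example's own."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 45: "certificate_expired", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version", 80: "internal_error"}
# IANA names for the suites the log's ClientHello offers (all static RSA key exchange).
CIPHER_SUITES = {0x0004: "TLS_RSA_WITH_RC4_128_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
                 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
                 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
                 0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256"}

def decode_client_hello(body: bytes) -> dict:
    """Fields of a ClientHello body (RFC 5246 7.4.1.2); extensions are only flagged."""
    (version,) = struct.unpack("!H", body[:2])
    sid_len = body[34]  # 2-byte version, 32-byte random, then session_id<0..32>
    pos = 35 + sid_len
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    suites = [s for (s,) in struct.iter_unpack("!H", body[pos + 2:pos + 2 + cs_len])]
    pos += 2 + cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    return {"client_version": TLS_VERSIONS.get(version, f"0x{version:04x}"),
            "gmt_unix_time": struct.unpack("!I", body[2:6])[0],  # the client's idea of the time
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04x}") for s in suites],
            "compression_methods": list(body[pos - comp_len:pos]),
            "has_extensions": pos < len(body)}  # False: no SNI, no signature_algorithms

def decode_tls_records(data: bytes) -> list:
    """Split a TLS byte stream into records; decode alerts and handshake headers."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        frag = data[pos + 5:pos + 5 + rlen]
        rec = {"content_type": CONTENT_TYPES.get(ctype, ctype),
               "record_version": TLS_VERSIONS.get(version, f"0x{version:04x}"), "length": rlen}
        if ctype == 21 and len(frag) >= 2:  # Alert: level, description
            rec["alert"] = {"level": ALERT_LEVELS.get(frag[0], frag[0]),
                            "description": ALERT_DESCRIPTIONS.get(frag[1], frag[1])}
        elif ctype == 22 and len(frag) >= 4:  # Handshake: type, 24-bit length
            htype, hlen = frag[0], int.from_bytes(frag[1:4], "big")
            rec["handshake"] = {"type": HANDSHAKE_TYPES.get(htype, htype), "length": hlen}
            if htype == 1 and len(frag) >= 4 + hlen:
                rec["handshake"].update(decode_client_hello(frag[4:4 + hlen]))
        records.append(rec)
        pos += 5 + rlen
    return records

def decode_eap_message(hex_value: str) -> dict:
    """Decode one EAP-Message attribute value ("0x...") as printed by radiusd -X."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success / Failure carry no type
        return msg
    eap_type, body = data[4], data[5:]
    msg["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        msg["identity"] = body.decode("ascii", "replace")
    elif eap_type in (13, 25):  # EAP-TLS framing (RFC 5216 3.1), reused by PEAP
        flags = body[0]
        msg["flags"] = {"length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40),
                        "start": bool(flags & 0x20), "version": flags & 0x07}
        offset = 1
        if flags & 0x80:  # L bit: 4-byte total TLS message length follows the flags
            (msg["tls_total_length"],) = struct.unpack("!I", body[1:5])
            offset = 5
        msg["records"] = decode_tls_records(body[offset:])
    return msg

# EAP-Message values copied from the debug log in the post above (not constructed).
LOG_MESSAGES = {
    "identity (id 61)": "0x0270001c016f66666963652e706f7765722e6163636f756e74696e67",
    "peap start (id 61)": "0x017100061920",
    "client hello (id 62)": "0x0271004819800000003e1603020039010000350302572068748f17c6ace6f3126cc7befac5"
                            "eddf2d1cc893df1b2ead55eb3cb62c9800000e003d0035003c002f000a000500040100",
    "alert (id 65)": "0x027400111980000000071503010002022a",
    "failure (id 65)": "0x04740004",
}

if __name__ == "__main__":
    for label, value in LOG_MESSAGES.items():
        print(label, decode_eap_message(value))
```

Run as a script it prints each decoded message. The fields worth looking at: the device offers TLS 1.1 with seven static-RSA suites and no extensions at all, the server's replies are TLS 1.0 records (the ">>> TLS 1.0" lines above, and the 16030100040e000000 ServerHelloDone at the tail of the last server fragment), and the only thing the client sends after the server's Certificate and ServerHelloDone is the fatal bad_certificate alert. Two caveats when reading that alert: it is the client reporting that it rejected the server's chain, so the server-side debug output cannot say which check failed, and minimal embedded TLS stacks often use bad_certificate for any verification failure rather than the more specific certificate_expired or unknown_ca. The gmt_unix_time field from the ClientHello random is also worth a look when the stack fills it from the real clock, since a device with a wrong clock fails validity checks on an otherwise good certificate.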
