Help debugging EAP-TLS

Joe Price joeprice99 at gmail.com
Tue Mar 6 21:05:28 CET 2018


Hello:

I'm setting up EAP-TLS for the first time using the test certificates.  Can
someone please look at the debug output and help me find what's causing the
failure?  I think I've included the correct snippet:

rad_recv: Access-Request packet from host 192.168.10.22 port 49205, id=37,
length=128
        NAS-IP-Address = 192.168.10.22
        NAS-Port-Type = Ethernet
        NAS-Port = 12
        User-Name = "client"
        State = 0xda0f395eda0d3de3fa5ad84917a2fd9b
        Called-Station-Id = "EC-1D-8B-EC-5C-F7"
        Calling-Station-Id = "00-40-8C-BF-28-F4"
        EAP-Message = 0x02020006030d
        Message-Authenticator = 0x6ffb217a2a4a97d64cd8714d965b7b2b
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry client at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 37 to 192.168.10.22 port 49205
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xda0f395edb0c34e3fa5ad84917a2fd9b
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.22 port 49205, id=38,
length=128
        NAS-IP-Address = 192.168.10.22
        NAS-Port-Type = Ethernet
        NAS-Port = 12
        User-Name = "client"
        State = 0xda0f395edb0c34e3fa5ad84917a2fd9b
        Called-Station-Id = "EC-1D-8B-EC-5C-F7"
        Calling-Station-Id = "00-40-8C-BF-28-F4"
        EAP-Message = 0x020300060300
        Message-Authenticator = 0x18eed350fa3d2921bb07065aa89044d8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "client", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry client at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] NAK asked for bad type 0
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.


Thank you,
Joe
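
Added example, not part of the original post and not FreeRADIUS code: a small decoder for the EAP-Message values printed in the debug output above, using the EAP header layout from RFC 3748 and the EAP-TLS flag bits from RFC 5216. The function and table names are this example's own; the three hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
# Flag bits in the first byte of EAP-TLS type-data (RFC 5216).
TLS_FLAGS = ((0x80, "Length-included"), (0x40, "More-fragments"), (0x20, "Start"))


def decode_eap(hex_value):
    """Decode one complete EAP packet given as the hex string from the log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A packet split across several EAP-Message attributes must be
    # concatenated before decoding, otherwise this check fails.
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        eap_type, data = raw[4], raw[5:]
        out["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        if eap_type == 3:
            # Nak type-data lists the methods the peer wants instead;
            # a single 0 means it has no alternative to offer (RFC 3748).
            out["desired"] = ["no alternative" if t == 0
                              else EAP_TYPES.get(t, f"unknown({t})") for t in data]
        elif eap_type == 13 and data:
            out["tls_flags"] = [name for bit, name in TLS_FLAGS if data[0] & bit]
    return out


if __name__ == "__main__":
    # Values copied from the debug output, in the order they appear.
    for label, value in (("client -> server, id=37", "0x02020006030d"),
                         ("server -> client, id=37", "0x010300060d20"),
                         ("client -> server, id=38", "0x020300060300")):
        print(label, decode_eap(value))
```

For the three values in the log this reports a Nak asking for EAP-TLS, the server's EAP-TLS Start request, and then a second Nak whose desired type is 0, matching the "NAK asked for bad type 0" line.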

