axis audio module and EAP-TLS

Giovanni Venturi gventuri at nexera.it
Mon Jul 19 15:23:36 CEST 2021


Sorry if you received the reply personally. Thunderbird doesn't reply to 
the list by default. Sorry. It will never happen again. Sorry.


So it is the camera that doesn't send the correct data, I suppose, because I 
verified each certificate and the ID and password. FreeRADIUS replies in 
this way:


Mon Jul 19 15:14:29 2021 : Debug: (0) Received Access-Request Id 0 from 
192.168.4.248:49156 to 192.168.0.18:1812 length 97
Mon Jul 19 15:14:29 2021 : Debug: (0)   NAS-IP-Address = 192.168.4.248
Mon Jul 19 15:14:29 2021 : Debug: (0)   NAS-Port-Type = Ethernet
Mon Jul 19 15:14:29 2021 : Debug: (0)   NAS-Port = 10
Mon Jul 19 15:14:29 2021 : Debug: (0)   User-Name = "user at example.org"
Mon Jul 19 15:14:29 2021 : Debug: (0)   EAP-Message = 
0x020100150175736572406578616d706c652e6f7267
Mon Jul 19 15:14:29 2021 : Debug: (0)   Message-Authenticator = 
0x2b6c4a8dea1185bee804dbe0d7645f75
Mon Jul 19 15:14:29 2021 : Debug: (0) session-state: No State attribute
Mon Jul 19 15:14:29 2021 : Debug: (0) # Executing section authorize from 
file /etc/raddb/sites-enabled/default
Mon Jul 19 15:14:29 2021 : Debug: (0)   authorize {
Mon Jul 19 15:14:29 2021 : Debug: (0)     policy filter_username {
Mon Jul 19 15:14:29 2021 : Debug: (0)       if (&User-Name) {
Mon Jul 19 15:14:29 2021 : Debug: (0)       if (&User-Name) -> TRUE
Mon Jul 19 15:14:29 2021 : Debug: (0)       if (&User-Name)  {
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ / /) {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ / /)  -> 
FALSE
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ 
/@[^@]*@/ ) {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ 
/@[^@]*@/ )  -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ /\.\./ ) {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ /\.\./ 
)  -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (0)         if ((&User-Name =~ /@/) && 
(&User-Name !~ /@(.+)\.(.+)$/))  {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: Adding 1 matches
Mon Jul 19 15:14:29 2021 : Debug: Clearing 1 old matches
Mon Jul 19 15:14:29 2021 : Debug: Adding 3 matches
Mon Jul 19 15:14:29 2021 : Debug: (0)         if ((&User-Name =~ /@/) && 
(&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ /\.$/)  {
Mon Jul 19 15:14:29 2021 : Debug: Clearing 3 old matches
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ /\.$/)   
-> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ /@\./)  {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (0)         if (&User-Name =~ /@\./)   
-> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (0)       } # if (&User-Name)  = notfound
Mon Jul 19 15:14:29 2021 : Debug: (0)     } # policy filter_username = 
notfound
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
preprocess (rlm_preprocess)
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from preprocess (rlm_preprocess)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [preprocess] = ok
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
auth_log (rlm_detail)
Mon Jul 19 15:14:29 2021 : Debug: 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 

Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree:
Mon Jul 19 15:14:29 2021 : Debug: literal --> /var/log/radius/radacct/
Mon Jul 19 15:14:29 2021 : Debug: XLAT-IF {
Mon Jul 19 15:14:29 2021 : Debug:     attribute --> Packet-Src-IP-Address
Mon Jul 19 15:14:29 2021 : Debug: }
Mon Jul 19 15:14:29 2021 : Debug: XLAT-ELSE {
Mon Jul 19 15:14:29 2021 : Debug:     attribute --> Packet-Src-IPv6-Address
Mon Jul 19 15:14:29 2021 : Debug: }
Mon Jul 19 15:14:29 2021 : Debug: literal --> /auth-detail-
Mon Jul 19 15:14:29 2021 : Debug: percent --> Y
Mon Jul 19 15:14:29 2021 : Debug: percent --> m
Mon Jul 19 15:14:29 2021 : Debug: percent --> d
Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: EXPAND 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 

Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log:    --> 
/var/log/radius/radacct/192.168.4.248/auth-detail-20210719
Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.4.248/auth-detail-20210719
Mon Jul 19 15:14:29 2021 : Debug: %t
Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree:
Mon Jul 19 15:14:29 2021 : Debug: percent --> t
Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log: EXPAND %t
Mon Jul 19 15:14:29 2021 : Debug: (0) auth_log:    --> Mon Jul 19 
15:14:29 2021
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from auth_log (rlm_detail)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [auth_log] = ok
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
chap (rlm_chap)
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from chap (rlm_chap)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [chap] = noop
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
mschap (rlm_mschap)
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from mschap (rlm_mschap)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [mschap] = noop
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
digest (rlm_digest)
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from digest (rlm_digest)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [digest] = noop
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
suffix (rlm_realm)
Mon Jul 19 15:14:29 2021 : Debug: (0) suffix: Checking for suffix after "@"
Mon Jul 19 15:14:29 2021 : Debug: (0) suffix: Looking up realm 
"example.org" for User-Name = "user at example.org"
Mon Jul 19 15:14:29 2021 : Debug: (0) suffix: No such realm "example.org"
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from suffix (rlm_realm)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [suffix] = noop
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: calling 
eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Peer sent EAP Response (code 
2) ID 1 length 21
Mon Jul 19 15:14:29 2021 : Debug: (0) eap: EAP-Identity reply, returning 
'ok' so we can short-circuit the rest of authorize
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authorize]: returned 
from eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [eap] = ok
Mon Jul 19 15:14:29 2021 : Debug: (0)   } # authorize = ok
Mon Jul 19 15:14:29 2021 : Debug: (0) Found Auth-Type = eap
Mon Jul 19 15:14:29 2021 : Debug: (0) # Executing group from file 
/etc/raddb/sites-enabled/default
Mon Jul 19 15:14:29 2021 : Debug: (0)   authenticate {
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authenticate]: 
calling eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Peer sent packet with method 
EAP Identity (1)
Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Calling submodule eap_tls to 
process data
Mon Jul 19 15:14:29 2021 : Debug: (0) eap_tls: Initiating new TLS session
Mon Jul 19 15:14:29 2021 : Debug: (0) eap_tls: Setting verify mode to 
require certificate from client
Mon Jul 19 15:14:29 2021 : Debug: (0) eap_tls: [eaptls start] = request
Mon Jul 19 15:14:29 2021 : Debug: (0) eap: Sending EAP Request (code 1) 
ID 2 length 6
Mon Jul 19 15:14:29 2021 : Debug: (0) eap: EAP session adding 
&reply:State = 0x704e25f0704c2894
Mon Jul 19 15:14:29 2021 : Debug: (0)     modsingle[authenticate]: 
returned from eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (0)     [eap] = handled
Mon Jul 19 15:14:29 2021 : Debug: (0)   } # authenticate = handled
Mon Jul 19 15:14:29 2021 : Debug: (0) Using Post-Auth-Type Challenge
Mon Jul 19 15:14:29 2021 : Debug: (0) # Executing group from file 
/etc/raddb/sites-enabled/default
Mon Jul 19 15:14:29 2021 : Debug: (0)   Challenge { ... } # empty 
sub-section is ignored
Mon Jul 19 15:14:29 2021 : Debug: (0) session-state: Nothing to cache
Mon Jul 19 15:14:29 2021 : Debug: (0) Sent Access-Challenge Id 0 from 
192.168.0.18:1812 to 192.168.4.248:49156 length 0
Mon Jul 19 15:14:29 2021 : Debug: (0)   EAP-Message = 0x010200060d20
Mon Jul 19 15:14:29 2021 : Debug: (0)   Message-Authenticator = 
0x00000000000000000000000000000000
Mon Jul 19 15:14:29 2021 : Debug: (0)   State = 
0x704e25f0704c2894350a7a76741cdfd3
Mon Jul 19 15:14:29 2021 : Debug: (0) Finished request
Mon Jul 19 15:14:29 2021 : Debug: Waking up in 4.9 seconds.
Mon Jul 19 15:14:29 2021 : Debug: (0) Cleaning up request packet ID 0 
with timestamp +7
Mon Jul 19 15:14:29 2021 : Debug: (1) Received Access-Request Id 0 from 
192.168.4.248:49156 to 192.168.0.18:1812 length 100
Mon Jul 19 15:14:29 2021 : Debug: (1)   NAS-IP-Address = 192.168.4.248
Mon Jul 19 15:14:29 2021 : Debug: (1)   NAS-Port-Type = Ethernet
Mon Jul 19 15:14:29 2021 : Debug: (1)   NAS-Port = 10
Mon Jul 19 15:14:29 2021 : Debug: (1)   User-Name = "user at example.org"
Mon Jul 19 15:14:29 2021 : Debug: (1)   State = 
0x704e25f0704c2894350a7a76741cdfd3
Mon Jul 19 15:14:29 2021 : Debug: (1)   EAP-Message = 0x020200060300
Mon Jul 19 15:14:29 2021 : Debug: (1)   Message-Authenticator = 
0xb56b2484ee97b397f38baefb6a09ecfb
Mon Jul 19 15:14:29 2021 : Debug: (1) session-state: No cached attributes
Mon Jul 19 15:14:29 2021 : Debug: (1) # Executing section authorize from 
file /etc/raddb/sites-enabled/default
Mon Jul 19 15:14:29 2021 : Debug: (1)   authorize {
Mon Jul 19 15:14:29 2021 : Debug: (1)     policy filter_username {
Mon Jul 19 15:14:29 2021 : Debug: (1)       if (&User-Name) {
Mon Jul 19 15:14:29 2021 : Debug: (1)       if (&User-Name) -> TRUE
Mon Jul 19 15:14:29 2021 : Debug: (1)       if (&User-Name)  {
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ / /) {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ / /)  -> 
FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ 
/@[^@]*@/ ) {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ 
/@[^@]*@/ )  -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ /\.\./ ) {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ /\.\./ 
)  -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)         if ((&User-Name =~ /@/) && 
(&User-Name !~ /@(.+)\.(.+)$/))  {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: Adding 1 matches
Mon Jul 19 15:14:29 2021 : Debug: Clearing 1 old matches
Mon Jul 19 15:14:29 2021 : Debug: Adding 3 matches
Mon Jul 19 15:14:29 2021 : Debug: (1)         if ((&User-Name =~ /@/) && 
(&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ /\.$/)  {
Mon Jul 19 15:14:29 2021 : Debug: Clearing 3 old matches
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ /\.$/)   
-> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ /@\./)  {
Mon Jul 19 15:14:29 2021 : Debug: No old matches
Mon Jul 19 15:14:29 2021 : Debug: (1)         if (&User-Name =~ /@\./)   
-> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)       } # if (&User-Name)  = notfound
Mon Jul 19 15:14:29 2021 : Debug: (1)     } # policy filter_username = 
notfound
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
preprocess (rlm_preprocess)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from preprocess (rlm_preprocess)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [preprocess] = ok
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
auth_log (rlm_detail)
Mon Jul 19 15:14:29 2021 : Debug: 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 

Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree:
Mon Jul 19 15:14:29 2021 : Debug: literal --> /var/log/radius/radacct/
Mon Jul 19 15:14:29 2021 : Debug: XLAT-IF {
Mon Jul 19 15:14:29 2021 : Debug:     attribute --> Packet-Src-IP-Address
Mon Jul 19 15:14:29 2021 : Debug: }
Mon Jul 19 15:14:29 2021 : Debug: XLAT-ELSE {
Mon Jul 19 15:14:29 2021 : Debug:     attribute --> Packet-Src-IPv6-Address
Mon Jul 19 15:14:29 2021 : Debug: }
Mon Jul 19 15:14:29 2021 : Debug: literal --> /auth-detail-
Mon Jul 19 15:14:29 2021 : Debug: percent --> Y
Mon Jul 19 15:14:29 2021 : Debug: percent --> m
Mon Jul 19 15:14:29 2021 : Debug: percent --> d
Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: EXPAND 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 

Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log:    --> 
/var/log/radius/radacct/192.168.4.248/auth-detail-20210719
Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: 
/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d 
expands to /var/log/radius/radacct/192.168.4.248/auth-detail-20210719
Mon Jul 19 15:14:29 2021 : Debug: %t
Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree:
Mon Jul 19 15:14:29 2021 : Debug: percent --> t
Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log: EXPAND %t
Mon Jul 19 15:14:29 2021 : Debug: (1) auth_log:    --> Mon Jul 19 
15:14:29 2021
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from auth_log (rlm_detail)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [auth_log] = ok
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
chap (rlm_chap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from chap (rlm_chap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [chap] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
mschap (rlm_mschap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from mschap (rlm_mschap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [mschap] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
digest (rlm_digest)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from digest (rlm_digest)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [digest] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
suffix (rlm_realm)
Mon Jul 19 15:14:29 2021 : Debug: (1) suffix: Checking for suffix after "@"
Mon Jul 19 15:14:29 2021 : Debug: (1) suffix: Looking up realm 
"example.org" for User-Name = "user at example.org"
Mon Jul 19 15:14:29 2021 : Debug: (1) suffix: No such realm "example.org"
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from suffix (rlm_realm)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [suffix] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer sent EAP Response (code 
2) ID 2 length 6
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: No EAP Start, assuming it's 
an on-going EAP conversation
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [eap] = updated
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
files (rlm_files)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from files (rlm_files)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [files] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
expiration (rlm_expiration)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from expiration (rlm_expiration)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [expiration] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
logintime (rlm_logintime)
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from logintime (rlm_logintime)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [logintime] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: calling 
pap (rlm_pap)
Mon Jul 19 15:14:29 2021 : Debug: Not doing PAP as Auth-Type is already 
set.
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authorize]: returned 
from pap (rlm_pap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [pap] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)   } # authorize = updated
Mon Jul 19 15:14:29 2021 : Debug: (1) Found Auth-Type = eap
Mon Jul 19 15:14:29 2021 : Debug: (1) # Executing group from file 
/etc/raddb/sites-enabled/default
Mon Jul 19 15:14:29 2021 : Debug: (1)   authenticate {
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authenticate]: 
calling eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Expiring EAP session with 
state 0x704e25f0704c2894
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Finished EAP session with 
state 0x704e25f0704c2894
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Previous EAP request found 
for state 0x704e25f0704c2894, released from the list
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer sent packet with method 
EAP NAK (3)
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Peer NAK'd indicating it is 
not willing to continue
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Sending EAP Failure (code 4) 
ID 2 length 4
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Failed in EAP select
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[authenticate]: 
returned from eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [eap] = invalid
Mon Jul 19 15:14:29 2021 : Debug: (1)   } # authenticate = invalid
Mon Jul 19 15:14:29 2021 : Debug: (1) Failed to authenticate the user
Mon Jul 19 15:14:29 2021 : Debug: (1) Using Post-Auth-Type Reject
Mon Jul 19 15:14:29 2021 : Debug: (1) # Executing group from file 
/etc/raddb/sites-enabled/default
Mon Jul 19 15:14:29 2021 : Debug: (1)   Post-Auth-Type REJECT {
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[post-auth]: calling 
attr_filter.access_reject (rlm_attr_filter)
Mon Jul 19 15:14:29 2021 : Debug: %{User-Name}
Mon Jul 19 15:14:29 2021 : Debug: Parsed xlat tree:
Mon Jul 19 15:14:29 2021 : Debug: attribute --> User-Name
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: EXPAND 
%{User-Name}
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject:    --> 
user at example.org
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: Matched 
entry DEFAULT at line 11
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: 
EAP-Message = 0x04020004 allowed by EAP-Message =* 0x
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: 
Attribute "EAP-Message" allowed by 1 rules, disallowed by 0 rules
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: 
Message-Authenticator = 0x00000000000000000000000000000000 allowed by 
Message-Authenticator =* 0x
Mon Jul 19 15:14:29 2021 : Debug: (1) attr_filter.access_reject: 
Attribute "Message-Authenticator" allowed by 1 rules, disallowed by 0 rules
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[post-auth]: returned 
from attr_filter.access_reject (rlm_attr_filter)
Mon Jul 19 15:14:29 2021 : Debug: (1) [attr_filter.access_reject] = updated
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[post-auth]: calling 
eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (1) eap: Reply already contained an 
EAP-Message, not inserting EAP-Failure
Mon Jul 19 15:14:29 2021 : Debug: (1)     modsingle[post-auth]: returned 
from eap (rlm_eap)
Mon Jul 19 15:14:29 2021 : Debug: (1)     [eap] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     policy 
remove_reply_message_if_eap {
Mon Jul 19 15:14:29 2021 : Debug: (1)       if (&reply:EAP-Message && 
&reply:Reply-Message) {
Mon Jul 19 15:14:29 2021 : Debug: (1)       if (&reply:EAP-Message && 
&reply:Reply-Message) -> FALSE
Mon Jul 19 15:14:29 2021 : Debug: (1)       else {
Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: calling noop 
(rlm_always)
Mon Jul 19 15:14:29 2021 : Debug: (1) modsingle[post-auth]: returned 
from noop (rlm_always)
Mon Jul 19 15:14:29 2021 : Debug: (1)         [noop] = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)       } # else = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)     } # policy 
remove_reply_message_if_eap = noop
Mon Jul 19 15:14:29 2021 : Debug: (1)   } # Post-Auth-Type REJECT = updated
Mon Jul 19 15:14:29 2021 : Auth: (1) Login incorrect: [user at example.org] 
(from client axis_switch port 10)
Mon Jul 19 15:14:29 2021 : Debug: (1) Delaying response for 1.000000 
seconds
Mon Jul 19 15:14:29 2021 : Debug: Waking up in 0.3 seconds.
Mon Jul 19 15:14:29 2021 : Debug: Waking up in 0.6 seconds.
Mon Jul 19 15:14:30 2021 : Debug: (1) Sending delayed response
Mon Jul 19 15:14:30 2021 : Debug: (1) Sent Access-Reject Id 0 from 
192.168.0.18:1812 to 192.168.4.248:49156 length 44
Mon Jul 19 15:14:30 2021 : Debug: (1)   EAP-Message = 0x04020004
Mon Jul 19 15:14:30 2021 : Debug: (1)   Message-Authenticator = 
0x00000000000000000000000000000000
Mon Jul 19 15:14:30 2021 : Debug: Waking up in 3.9 seconds.
Mon Jul 19 15:14:34 2021 : Debug: (1) Cleaning up request packet ID 0 
with timestamp +7
Mon Jul 19 15:14:34 2021 : Info: Ready to process requests

On 19/07/21 14:02, Alan DeKok wrote:
> On Jul 19, 2021, at 3:42 AM, Giovanni Venturi <gventuri at nexera.it> wrote:
>> And I'm a bit confused how to configure it to make it work with an AXIS P8221 I/O Audio Module.
>    The screen shot you posted shows EAP-TLS.  Which doesn't use passwords like YEAP.
>
>> In the section 802.1X I uploaded the certificate I generated with the freeradius Makefile from the directory /etc/raddb/certs/
>>
>> I uploaded the CA certificate and the client's one and the client one plus the key.
>    Then it should work.
>
>> But when I have to set the EAPOL version, EAP identity and password I don't know what to specify and how to configure freeradius to match those parameters.
>    The EAP identity should be the "common name" from the certificate.
>
>    The password is the password for the client certificate private key.  See the client.cnf file for examples.
>
>> Can someone help me?
>>
>> I tried to configure a simple user with a password in /etc/raddb/mods-config/files/authorize :
>>
>> testing Cleartext-Password := "password"
>    That won't work for EAP-TLS.
>
>> And using a freeradius client from an ArchLinux client it works doing command line call.
>    Which isn't using EAP-TLS.  Read the debug output to see.
>
>    Alan DeKok.
>
>

-- 
Giovanni Venturi
Nexera S.p.A.
Centro Direzionale, IS/A3
80143 - Napoli
Tel. +39.081.5625868
Fax. +39.081.5625135
e-mail: gventuri at nexera.it
web: http://www.nexera.it
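
The EAP-Message values in the debug output above can be read directly using the RFC 3748 packet layout. The following is an added example, not part of the original post or of FreeRADIUS, that decodes the four values from the log and shows the peer answering the EAP-TLS Start with a Nak that proposes no alternative method; the function names decode_eap and describe are illustrative.

```python
"""Decode EAP-Message attribute values (RFC 3748 framing) from a radiusd -X log."""
import struct

CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
         13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# EAP-Message values copied from the debug log in this post, in order.
LOG_VALUES = [
    "0x020100150175736572406578616d706c652e6f7267",  # request (0), from the peer
    "0x010200060d20",                                # request (0), from the server
    "0x020200060300",                                # request (1), from the peer
    "0x04020004",                                    # request (1), from the server
]


def decode_eap(hex_value):
    """Parse one complete EAP packet given as a hex string (assumes no fragmentation
    across several EAP-Message attributes, which holds for the values above)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, identifier, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field says {length}, {len(raw)} bytes present")
    pkt = {"code": CODES.get(code, f"unknown({code})"), "id": ident,
           "length": length, "type": None}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        etype, data = raw[4], raw[5:]
        pkt["type"] = TYPES.get(etype, f"type {etype}")
        if etype == 1:
            pkt["identity"] = data.decode("utf-8", errors="replace")
        elif etype == 3:
            # Nak data lists the methods the peer would accept instead;
            # a single 0 byte means it proposes nothing at all.
            pkt["nak_proposed"] = [TYPES.get(t, f"type {t}") for t in data if t]
            pkt["no_alternative"] = list(data) == [0]
        elif etype == 13 and data:
            flags = data[0]  # EAP-TLS flags: L=0x80, M=0x40, S=0x20
            pkt["tls_flags"] = {"length_included": bool(flags & 0x80),
                                "more_fragments": bool(flags & 0x40),
                                "start": bool(flags & 0x20)}
    return pkt


def describe(pkt):
    """One-line summary suitable for annotating a debug log."""
    parts = [f"{pkt['code']} id={pkt['id']} len={pkt['length']}"]
    if pkt["type"]:
        parts.append(pkt["type"])
    if "identity" in pkt:
        parts.append(repr(pkt["identity"]))
    if pkt.get("tls_flags", {}).get("start"):
        parts.append("TLS Start")
    if pkt.get("no_alternative"):
        parts.append("peer offers no alternative method")
    elif pkt.get("nak_proposed"):
        parts.append("peer proposes " + ", ".join(pkt["nak_proposed"]))
    return " | ".join(parts)


if __name__ == "__main__":
    for value in LOG_VALUES:
        print(describe(decode_eap(value)))
```
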


