EAP-TLS default config

clement.legoffic at kelio.com clement.legoffic at kelio.com
Tue Mar 7 14:58:09 UTC 2023


> The android phone is not configured to do EAP-TLS.

Hello, I have managed to set up 2 different Android devices to connect to my 802.1X network.
The "user" certs are installed in each device.
When I initiate the EAP-TLS I get the below debug output.
The EAP-TLS communication seems to work well, but the communication ends up failing due to an internal error.
I have not figured out how to manage this error. Do I need to change my TLS version?
What exactly does the debug output mean here:
"eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error"

Full output:
Ready to process requests
 (30) Received Access-Request Id 0 from 10.17.30.60:1197 to 172.17.0.2:1812 length 212
(30)   Message-Authenticator = 0xa6ec9e72ad06b4bad0c1728ed82b339c
(30)   Service-Type = Framed-User
(30)   User-Name = "user at example.org"
(30)   Framed-MTU = 1488
(30)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(30)   Calling-Station-Id = "72-87-6D-9E-D2-0F"
(30)   NAS-Identifier = "D-Link Access Point"
(30)   NAS-Port-Type = Wireless-802.11
(30)   Connect-Info = "CONNECT 54Mbps 802.11g"
(30)   EAP-Message = 0x020000150175736572406578616d706c652e6f7267
(30)   NAS-IP-Address = 10.17.30.60
(30)   NAS-Port = 1
(30)   NAS-Port-Id = "STA port # 1"
(30) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(30)   authorize {
(30)     policy filter_username {
(30)       if (&User-Name) {
(30)       if (&User-Name)  -> TRUE
(30)       if (&User-Name)  {
(30)         if (&User-Name =~ / /) {
(30)         if (&User-Name =~ / /)  -> FALSE
(30)         if (&User-Name =~ /@[^@]*@/ ) {
(30)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(30)         if (&User-Name =~ /\.\./ ) {
(30)         if (&User-Name =~ /\.\./ )  -> FALSE
(30)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(30)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(30)         if (&User-Name =~ /\.$/)  {
(30)         if (&User-Name =~ /\.$/)   -> FALSE
(30)         if (&User-Name =~ /@\./)  {
(30)         if (&User-Name =~ /@\./)   -> FALSE
(30)       } # if (&User-Name)  = notfound
(30)     } # policy filter_username = notfound
(30)     [preprocess] = ok
(30)     [chap] = noop
(30)     [mschap] = noop
(30)     [digest] = noop
(30) suffix: Checking for suffix after "@"
(30) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(30) suffix: No such realm "example.org"
(30)     [suffix] = noop
(30) eap: Peer sent EAP Response (code 2) ID 0 length 21
(30) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(30)     [eap] = ok
(30)   } # authorize = ok
(30) Found Auth-Type = eap
(30) # Executing group from file /etc/freeradius/sites-enabled/default
(30)   authenticate {
(30) eap: Peer sent packet with method EAP Identity (1)
(30) eap: Calling submodule eap_tls to process data
(30) eap_tls: (TLS) Initiating new session
(30) eap_tls: (TLS) Setting verify mode to require certificate from client
(30) eap: Sending EAP Request (code 1) ID 1 length 6
(30) eap: EAP session adding &reply:State = 0x6504b08b6505bd57
(30)     [eap] = handled
(30)   } # authenticate = handled
(30) Using Post-Auth-Type Challenge
(30) # Executing group from file /etc/freeradius/sites-enabled/default
(30)   Challenge { ... } # empty sub-section is ignored
(30) session-state: Saving cached attributes
(30)   Framed-MTU = 994
(30) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1197 length 64
(30)   EAP-Message = 0x010100060d20
(30)   Message-Authenticator = 0x00000000000000000000000000000000
(30)   State = 0x6504b08b6505bd57d78f3f37308b4458
(30) Finished request
Waking up in 4.9 seconds.
(31) Received Access-Request Id 1 from 10.17.30.60:1197 to 172.17.0.2:1812 length 346
(31)   Message-Authenticator = 0xaa9a768bc1bc6b1a26a9031785c2e3b4
(31)   Service-Type = Framed-User
(31)   User-Name = "user at example.org"
(31)   Framed-MTU = 1488
(31)   State = 0x6504b08b6505bd57d78f3f37308b4458
(31)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(31)   Calling-Station-Id = "72-87-6D-9E-D2-0F"
(31)   NAS-Identifier = "D-Link Access Point"
(31)   NAS-Port-Type = Wireless-802.11
(31)   Connect-Info = "CONNECT 54Mbps 802.11g"
(31)   EAP-Message = 0x020100890d00160301007e0100007a0303e44ff5fb591c7700c7a3ae0c54b2f8bd7989a300554ac911a84733b16d1e652700001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201
(31)   NAS-IP-Address = 10.17.30.60
(31)   NAS-Port = 1
(31)   NAS-Port-Id = "STA port # 1"
(31) Restoring &session-state
(31)   &session-state:Framed-MTU = 994
(31) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(31)   authorize {
(31)     policy filter_username {
(31)       if (&User-Name) {
(31)       if (&User-Name)  -> TRUE
(31)       if (&User-Name)  {
(31)         if (&User-Name =~ / /) {
(31)         if (&User-Name =~ / /)  -> FALSE
(31)         if (&User-Name =~ /@[^@]*@/ ) {
(31)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(31)         if (&User-Name =~ /\.\./ ) {
(31)         if (&User-Name =~ /\.\./ )  -> FALSE
(31)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(31)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(31)         if (&User-Name =~ /\.$/)  {
(31)         if (&User-Name =~ /\.$/)   -> FALSE
(31)         if (&User-Name =~ /@\./)  {
(31)         if (&User-Name =~ /@\./)   -> FALSE
(31)       } # if (&User-Name)  = notfound
(31)     } # policy filter_username = notfound
(31)     [preprocess] = ok
(31)     [chap] = noop
(31)     [mschap] = noop
(31)     [digest] = noop
(31) suffix: Checking for suffix after "@"
(31) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(31) suffix: No such realm "example.org"
(31)     [suffix] = noop
(31) eap: Peer sent EAP Response (code 2) ID 1 length 137
(31) eap: No EAP Start, assuming it's an on-going EAP conversation
(31)     [eap] = updated
(31) files: users: Matched entry user at example.org at line 2
(31)     [files] = ok
(31)     [expiration] = noop
(31)     [logintime] = noop
(31)     [pap] = noop
(31)   } # authorize = updated
(31) Found Auth-Type = eap
(31) # Executing group from file /etc/freeradius/sites-enabled/default
(31)   authenticate {
(31) eap: Expiring EAP session with state 0x6504b08b6505bd57
(31) eap: Finished EAP session with state 0x6504b08b6505bd57
(31) eap: Previous EAP request found for state 0x6504b08b6505bd57, released from the list
(31) eap: Peer sent packet with method EAP TLS (13)
(31) eap: Calling submodule eap_tls to process data
(31) eap_tls: (TLS) EAP Got final fragment (131 bytes)
(31) eap_tls: WARNING: (TLS) EAP Total received record fragments (131 bytes), does not equal expected expected data length (0 bytes)
(31) eap_tls: (TLS) EAP Done initial handshake
(31) eap_tls: (TLS) Handshake state - before SSL initialization
(31) eap_tls: (TLS) Handshake state - Server before SSL initialization
(31) eap_tls: (TLS) Handshake state - Server before SSL initialization
(31) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello
(31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello
(31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello
(31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello
(31) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate
(31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate
(31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange
(31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange
(31) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest
(31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request
(31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone
(31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done
(31) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done
(31) eap_tls: (TLS) In Handshake Phase
(31) eap: Sending EAP Request (code 1) ID 2 length 1004
(31) eap: EAP session adding &reply:State = 0x6504b08b6406bd57
(31)     [eap] = handled
(31)   } # authenticate = handled
(31) Using Post-Auth-Type Challenge
(31) # Executing group from file /etc/freeradius/sites-enabled/default
(31)   Challenge { ... } # empty sub-section is ignored
(31) session-state: Saving cached attributes
(31)   Framed-MTU = 994
(31)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(31)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(31)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(31)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(31)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(31)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(31) Sent Access-Challenge Id 1 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1068
(31)   EAP-Message = 0x010203ec0dc000000b97160303003d020000390303f29f622d180458fa14a91132f177a4d8ef046372693508507424cb1c54c0034700c02f000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3233303232383135353035395a170d3233303432393135353035395a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70
(31)   Message-Authenticator = 0x00000000000000000000000000000000
(31)   State = 0x6504b08b6406bd57d78f3f37308b4458
(31) Finished request
Waking up in 4.9 seconds.
(32) Received Access-Request Id 2 from 10.17.30.60:1197 to 172.17.0.2:1812 length 215
(32)   Message-Authenticator = 0x5fe578dcf59a3710251051f46ad445c3
(32)   Service-Type = Framed-User
(32)   User-Name = "user at example.org"
(32)   Framed-MTU = 1488
(32)   State = 0x6504b08b6406bd57d78f3f37308b4458
(32)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(32)   Calling-Station-Id = "72-87-6D-9E-D2-0F"
(32)   NAS-Identifier = "D-Link Access Point"
(32)   NAS-Port-Type = Wireless-802.11
(32)   Connect-Info = "CONNECT 54Mbps 802.11g"
(32)   EAP-Message = 0x020200060d00
(32)   NAS-IP-Address = 10.17.30.60
(32)   NAS-Port = 1
(32)   NAS-Port-Id = "STA port # 1"
(32) Restoring &session-state
(32)   &session-state:Framed-MTU = 994
(32)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(32)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(32)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(32)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(32)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(32)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(32) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(32)   authorize {
(32)     policy filter_username {
(32)       if (&User-Name) {
(32)       if (&User-Name)  -> TRUE
(32)       if (&User-Name)  {
(32)         if (&User-Name =~ / /) {
(32)         if (&User-Name =~ / /)  -> FALSE
(32)         if (&User-Name =~ /@[^@]*@/ ) {
(32)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(32)         if (&User-Name =~ /\.\./ ) {
(32)         if (&User-Name =~ /\.\./ )  -> FALSE
(32)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(32)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(32)         if (&User-Name =~ /\.$/)  {
(32)         if (&User-Name =~ /\.$/)   -> FALSE
(32)         if (&User-Name =~ /@\./)  {
(32)         if (&User-Name =~ /@\./)   -> FALSE
(32)       } # if (&User-Name)  = notfound
(32)     } # policy filter_username = notfound
(32)     [preprocess] = ok
(32)     [chap] = noop
(32)     [mschap] = noop
(32)     [digest] = noop
(32) suffix: Checking for suffix after "@"
(32) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(32) suffix: No such realm "example.org"
(32)     [suffix] = noop
(32) eap: Peer sent EAP Response (code 2) ID 2 length 6
(32) eap: No EAP Start, assuming it's an on-going EAP conversation
(32)     [eap] = updated
(32) files: users: Matched entry user at example.org at line 2
(32)     [files] = ok
(32)     [expiration] = noop
(32)     [logintime] = noop
(32)     [pap] = noop
(32)   } # authorize = updated
(32) Found Auth-Type = eap
(32) # Executing group from file /etc/freeradius/sites-enabled/default
(32)   authenticate {
(32) eap: Expiring EAP session with state 0x6504b08b6406bd57
(32) eap: Finished EAP session with state 0x6504b08b6406bd57
(32) eap: Previous EAP request found for state 0x6504b08b6406bd57, released from the list
(32) eap: Peer sent packet with method EAP TLS (13)
(32) eap: Calling submodule eap_tls to process data
(32) eap_tls: (TLS) Peer ACKed our handshake fragment
(32) eap: Sending EAP Request (code 1) ID 3 length 1004
(32) eap: EAP session adding &reply:State = 0x6504b08b6707bd57
(32)     [eap] = handled
(32)   } # authenticate = handled
(32) Using Post-Auth-Type Challenge
(32) # Executing group from file /etc/freeradius/sites-enabled/default
(32)   Challenge { ... } # empty sub-section is ignored
(32) session-state: Saving cached attributes
(32)   Framed-MTU = 994
(32)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(32)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(32)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(32)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(32)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(32)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(32) Sent Access-Challenge Id 2 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1068
(32)   EAP-Message = 0x010303ec0dc000000b9739c511820dffd845488537b44057b4d4dd85d5e6e6eae53d369feaecb50fb2b8d8c5ccb0e795e8c868228f4f8b9910ba0f7ed2a047c098c98325f80e264ba86c53948ade85d1ffdf010886fec27ab99731041848b33a1da630279b4ebc265bfcfa1aef22cf2172d15cfcc80b6b3f01b3bec3b98cbe678abd92da4e4c2d625de911912ccc123df90b98465ffa6dc9ea6d0a42b65e8a416b51a18881d3a321e060ea9e1ce9fc94aef76f0004fe308204fa308203e2a0030201020214063c2615870dc518cfe2e2bba0164fd660669d24300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175
(32)   Message-Authenticator = 0x00000000000000000000000000000000
(32)   State = 0x6504b08b6707bd57d78f3f37308b4458
(32) Finished request
Waking up in 4.9 seconds.
(33) Received Access-Request Id 3 from 10.17.30.60:1197 to 172.17.0.2:1812 length 215
(33)   Message-Authenticator = 0xe065dbb565280ef42143f9d09f9952e6
(33)   Service-Type = Framed-User
(33)   User-Name = "user at example.org"
(33)   Framed-MTU = 1488
(33)   State = 0x6504b08b6707bd57d78f3f37308b4458
(33)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(33)   Calling-Station-Id = "72-87-6D-9E-D2-0F"
(33)   NAS-Identifier = "D-Link Access Point"
(33)   NAS-Port-Type = Wireless-802.11
(33)   Connect-Info = "CONNECT 54Mbps 802.11g"
(33)   EAP-Message = 0x020300060d00
(33)   NAS-IP-Address = 10.17.30.60
(33)   NAS-Port = 1
(33)   NAS-Port-Id = "STA port # 1"
(33) Restoring &session-state
(33)   &session-state:Framed-MTU = 994
(33)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(33)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(33)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(33)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(33)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(33)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(33) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(33)   authorize {
(33)     policy filter_username {
(33)       if (&User-Name) {
(33)       if (&User-Name)  -> TRUE
(33)       if (&User-Name)  {
(33)         if (&User-Name =~ / /) {
(33)         if (&User-Name =~ / /)  -> FALSE
(33)         if (&User-Name =~ /@[^@]*@/ ) {
(33)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(33)         if (&User-Name =~ /\.\./ ) {
(33)         if (&User-Name =~ /\.\./ )  -> FALSE
(33)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(33)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(33)         if (&User-Name =~ /\.$/)  {
(33)         if (&User-Name =~ /\.$/)   -> FALSE
(33)         if (&User-Name =~ /@\./)  {
(33)         if (&User-Name =~ /@\./)   -> FALSE
(33)       } # if (&User-Name)  = notfound
(33)     } # policy filter_username = notfound
(33)     [preprocess] = ok
(33)     [chap] = noop
(33)     [mschap] = noop
(33)     [digest] = noop
(33) suffix: Checking for suffix after "@"
(33) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(33) suffix: No such realm "example.org"
(33)     [suffix] = noop
(33) eap: Peer sent EAP Response (code 2) ID 3 length 6
(33) eap: No EAP Start, assuming it's an on-going EAP conversation
(33)     [eap] = updated
(33) files: users: Matched entry user at example.org at line 2
(33)     [files] = ok
(33)     [expiration] = noop
(33)     [logintime] = noop
(33)     [pap] = noop
(33)   } # authorize = updated
(33) Found Auth-Type = eap
(33) # Executing group from file /etc/freeradius/sites-enabled/default
(33)   authenticate {
(33) eap: Expiring EAP session with state 0x6504b08b6707bd57
(33) eap: Finished EAP session with state 0x6504b08b6707bd57
(33) eap: Previous EAP request found for state 0x6504b08b6707bd57, released from the list
(33) eap: Peer sent packet with method EAP TLS (13)
(33) eap: Calling submodule eap_tls to process data
(33) eap_tls: (TLS) Peer ACKed our handshake fragment
(33) eap: Sending EAP Request (code 1) ID 4 length 989
(33) eap: EAP session adding &reply:State = 0x6504b08b6600bd57
(33)     [eap] = handled
(33)   } # authenticate = handled
(33) Using Post-Auth-Type Challenge
(33) # Executing group from file /etc/freeradius/sites-enabled/default
(33)   Challenge { ... } # empty sub-section is ignored
(33) session-state: Saving cached attributes
(33)   Framed-MTU = 994
(33)   TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(33)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(33)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(33)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(33)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(33)   TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(33) Sent Access-Challenge Id 3 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1053
(33)   EAP-Message = [hex value not preserved in the archive]
(33)   Message-Authenticator = 0x00000000000000000000000000000000
(33)   State = 0x6504b08b6600bd57d78f3f37308b4458
(33) Finished request
Waking up in 4.9 seconds.
(34) Received Access-Request Id 4 from 10.17.30.60:1197 to 172.17.0.2:1812 length 222
(34)   Message-Authenticator = 0xb2905e57775d4e42a7e828a09212dcde
(34)   Service-Type = Framed-User
(34)   User-Name = "user at example.org"
(34)   Framed-MTU = 1488
(34)   State = 0x6504b08b6600bd57d78f3f37308b4458
(34)   Called-Station-Id = "00-26-5A-84-0D-89:dlink"
(34)   Calling-Station-Id = "72-87-6D-9E-D2-0F"
(34)   NAS-Identifier = "D-Link Access Point"
(34)   NAS-Port-Type = Wireless-802.11
(34)   Connect-Info = "CONNECT 54Mbps 802.11g"
(34)   EAP-Message = 0x0204000d0d0015030300020250
(34)   NAS-IP-Address = 10.17.30.60
(34)   NAS-Port = 1
(34)   NAS-Port-Id = "STA port # 1"
(34) Restoring &session-state
(34)   &session-state:Framed-MTU = 994
(34)   &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(34)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(34)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(34)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(34)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest"
(34)   &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(34) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(34)   authorize {
(34)     policy filter_username {
(34)       if (&User-Name) {
(34)       if (&User-Name)  -> TRUE
(34)       if (&User-Name)  {
(34)         if (&User-Name =~ / /) {
(34)         if (&User-Name =~ / /)  -> FALSE
(34)         if (&User-Name =~ /@[^@]*@/ ) {
(34)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(34)         if (&User-Name =~ /\.\./ ) {
(34)         if (&User-Name =~ /\.\./ )  -> FALSE
(34)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(34)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(34)         if (&User-Name =~ /\.$/)  {
(34)         if (&User-Name =~ /\.$/)   -> FALSE
(34)         if (&User-Name =~ /@\./)  {
(34)         if (&User-Name =~ /@\./)   -> FALSE
(34)       } # if (&User-Name)  = notfound
(34)     } # policy filter_username = notfound
(34)     [preprocess] = ok
(34)     [chap] = noop
(34)     [mschap] = noop
(34)     [digest] = noop
(34) suffix: Checking for suffix after "@"
(34) suffix: Looking up realm "example.org" for User-Name = "user at example.org"
(34) suffix: No such realm "example.org"
(34)     [suffix] = noop
(34) eap: Peer sent EAP Response (code 2) ID 4 length 13
(34) eap: No EAP Start, assuming it's an on-going EAP conversation
(34)     [eap] = updated
(34) files: users: Matched entry user at example.org at line 2
(34)     [files] = ok
(34)     [expiration] = noop
(34)     [logintime] = noop
(34)     [pap] = noop
(34)   } # authorize = updated
(34) Found Auth-Type = eap
(34) # Executing group from file /etc/freeradius/sites-enabled/default
(34)   authenticate {
(34) eap: Expiring EAP session with state 0x6504b08b6600bd57
(34) eap: Finished EAP session with state 0x6504b08b6600bd57
(34) eap: Previous EAP request found for state 0x6504b08b6600bd57, released from the list
(34) eap: Peer sent packet with method EAP TLS (13)
(34) eap: Calling submodule eap_tls to process data
(34) eap_tls: (TLS) EAP Done initial handshake
(34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error
(34) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange.
(34) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(34) eap_tls: (TLS) Server : Need to read more data: error
(34) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
(34) eap_tls: (TLS) In Handshake Phase
(34) eap_tls: (TLS) Application data.
(34) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving.
(34) eap_tls: ERROR: [eaptls process] = fail
(34) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
(34) eap: Sending EAP Failure (code 4) ID 4 length 4
(34) eap: Failed in EAP select
(34)     [eap] = invalid
(34)   } # authenticate = invalid
(34) Failed to authenticate the user
(34) Using Post-Auth-Type Reject
(34) # Executing group from file /etc/freeradius/sites-enabled/default
(34)   Post-Auth-Type REJECT {
(34) attr_filter.access_reject: EXPAND %{User-Name}
(34) attr_filter.access_reject:    --> user at example.org
(34) attr_filter.access_reject: Matched entry DEFAULT at line 11
(34)     [attr_filter.access_reject] = updated
(34)     [eap] = noop
(34)     policy remove_reply_message_if_eap {
(34)       if (&reply:EAP-Message && &reply:Reply-Message) {
(34)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(34)       else {
(34)         [noop] = noop
(34)       } # else = noop
(34)     } # policy remove_reply_message_if_eap = noop
(34)   } # Post-Auth-Type REJECT = updated
(34) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(34) Sending delayed response
(34) Sent Access-Reject Id 4 from 172.17.0.2:1812 to 10.17.30.60:1197 length 44
(34)   EAP-Message = 0x04040004
(34)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.



(30) Cleaning up request packet ID 0 with timestamp +1674 due to cleanup_delay was reached
(31) Cleaning up request packet ID 1 with timestamp +1674 due to cleanup_delay was reached
(32) Cleaning up request packet ID 2 with timestamp +1674 due to cleanup_delay was reached
(33) Cleaning up request packet ID 3 with timestamp +1674 due to cleanup_delay was reached
(34) Cleaning up request packet ID 4 with timestamp +1674 due to cleanup_delay was reached
Ready to process requests


-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+clement.legoffic=kelio.com at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: Tuesday, 28 February 2023 15:32
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: EAP-TLS default config

On Feb 28, 2023, at 5:44 AM, clement.legoffic at kelio.com wrote:
> ...
> On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X.
> The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it.
> ...
> (5) eap: Peer NAK'd indicating it is not willing to continue

  The android phone is not configured to do EAP-TLS.

  Alan DeKok.
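The answer to "what does the debug output mean" is largely contained in the EAP-Message attributes of the trace itself: the last Access-Request (34) carries a TLS alert record that the supplicant sent right after it received the server's Certificate, CertificateRequest and ServerHelloDone, and the server never got a client Certificate message back. The script below is an added example, not code from this post or from FreeRADIUS. It decodes the RFC 3748 EAP header, the RFC 5216 EAP-TLS flags and the TLS record inside each EAP-Message, and pulls the send/recv timeline out of the `eap_tls:` debug lines. The hex strings and log lines are copied from the trace above; the function names, the regular expression and the lookup tables are this example's own.

```python
"""Decode EAP-Message attributes and the TLS message timeline from a FreeRADIUS debug trace.
Added example, not code from the mailing-list post or from FreeRADIUS. The hex strings and
log lines are copied from the trace in the post; the function names, regular expression and
lookup tables (RFC 3748 / RFC 5216 / RFC 5246 values) are this example's own.
"""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # subset of the RFC 5246 / RFC 8446 AlertDescription registry
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 70: "protocol_version", 80: "internal_error", 116: "certificate_required"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}

# Constructed sample: EAP-Message values copied from Access-Requests (30), (32) and (34) of the trace.
IDENTITY_MSG = "0x020000150175736572406578616d706c652e6f7267"
ACK_MSG = "0x020200060d00"
ALERT_MSG = "0x0204000d0d0015030300020250"


def decode_eap_message(hex_value):
    """Parse one EAP-Message: RFC 3748 header, then an Identity or EAP-TLS payload."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length field %d != %d bytes present" % (length, len(data)))
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):  # Success / Failure carry no Type byte
        return info
    eap_type = data[4]
    info["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        info["identity"] = data[5:].decode("utf-8", "replace")
    elif eap_type == 13:
        info.update(decode_eap_tls_payload(data[5:]))
    return info


def decode_eap_tls_payload(payload):
    """RFC 5216 payload: flags byte (L M S r r r r r), optional 4-byte TLS length, TLS record."""
    flags = payload[0]
    out = {"length_included": bool(flags & 0x80), "more_fragments": bool(flags & 0x40),
           "start": bool(flags & 0x20)}
    pos = 1
    if flags & 0x80:
        out["tls_total_length"] = int.from_bytes(payload[1:5], "big")
        pos = 5
    record = payload[pos:]
    if not record:  # an empty EAP-TLS response only ACKs a server fragment
        out["tls_record"] = None
        return out
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, rec_len = record[0], int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    rec = {"content_type": TLS_CONTENT.get(ctype, ctype), "record_length": rec_len,
           # the record-layer version is legacy; the negotiated version lives in the handshake
           "record_version": TLS_VERSIONS.get(int.from_bytes(record[1:3], "big"))}
    if ctype == 21 and len(body) >= 2:
        rec["alert"] = {"level": ALERT_LEVELS.get(body[0], body[0]),
                        "description": ALERT_DESCRIPTIONS.get(body[1], body[1])}
    elif ctype == 22 and len(body) >= 6:
        rec["handshake_type"] = HANDSHAKE_TYPES.get(body[0], body[0])
        if body[0] == 1:  # ClientHello: legacy_version follows the 4-byte handshake header
            rec["client_version"] = TLS_VERSIONS.get(int.from_bytes(body[4:6], "big"))
    out["tls_record"] = rec
    return out


TLS_EVENT = re.compile(r"eap_tls: \(TLS\) (recv|send) (TLS \d\.\d) (Handshake|Alert), ([\w ]+)$")


def handshake_timeline(debug_lines):
    """(direction, version, content type, detail) for each TLS message FreeRADIUS logged."""
    matches = (TLS_EVENT.search(line.rstrip()) for line in debug_lines)
    return [m.groups() for m in matches if m]


# Constructed sample: the eap_tls send/recv lines from requests (31) and (34) of the trace.
SAMPLE_LINES = [
    "(31) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello",
    "(31) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest",
    "(31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone",
    "(34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error",
]

if __name__ == "__main__":
    for msg in (IDENTITY_MSG, ACK_MSG, ALERT_MSG):
        print(decode_eap_message(msg))
    print(handshake_timeline(SAMPLE_LINES))
```

Decoding `ALERT_MSG` gives an EAP Response, id 4, type EAP-TLS, whose TLS record is content type 21 (Alert), record version TLS 1.2, level 2 (fatal), description 80 (internal_error): exactly the line `recv TLS 1.2 Alert, fatal internal_error` in request (34). Decoding the ClientHello from request (31) shows a record length of 126 bytes plus the 5-byte record header, which is the "131 bytes" FreeRADIUS reports for the final fragment, and a handshake `client_version` of TLS 1.2. The timeline makes the point of the trace explicit: the server sent its full first flight and then received a fatal alert from the supplicant instead of the client Certificate, so the error originates on the Android side after it has seen the server certificate chain and the CertificateRequest.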
