<div class="gmail_quote">On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">> Problem was solved thanks to Ivan's assistance,<br>
> Main problem was on switch side and its configuration,<br>
> Second problem was - proper certificate to proper certificate store<br>
> And third - in my head :).<br>
<br>
</div>OK. Now that you have established that client certificates signed by CA<br>
work with XP SP3, can you check if server signed certificates (made by<br>
original Makefile) also work, or is XP SP3 rejecting them? Could you<br>
report to the list with the result?<br>
<div class="im"><br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
</div><div><div></div><div class="h5">
</div></div></blockquote></div><br>No, the standard Makefile is not working.<br><br>freeradius -X output:<br><br>Ready to process requests.<br>rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147<br>
NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br> NAS-Port-Type = Ethernet<br> User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br>
Calling-Station-Id = "00-0A-E4-13-1A-02"<br> Service-Type = Framed-User<br> Framed-MTU = 1500<br> EAP-Message = 0x020000150175736572406578616d706c652e636f6d<br> Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] Looking up realm "<a href="http://example.com">example.com</a>" for User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>
[suffix] No such realm "<a href="http://example.com">example.com</a>"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 0 length 21<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>
++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>[eap] EAP Identity<br>[eap] processing type tls<br>[tls] Initiate<br>[tls] Start returned 1<br>++[eap] returns handled<br>Sending Access-Challenge of id 160 to 192.168.5.206 port 1812<br>
EAP-Message = 0x010100061920<br> Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf<br>Finished request 0.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150<br> NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br> NAS-Port-Type = Ethernet<br> User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>
Called-Station-Id = "00-0C-30-81-9B-EE"<br> Calling-Station-Id = "00-0A-E4-13-1A-02"<br> Service-Type = Framed-User<br> Framed-MTU = 1500<br> State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf<br>
EAP-Message = 0x02010006030d<br> Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>
[suffix] Looking up realm "<a href="http://example.com">example.com</a>" for User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>[suffix] No such realm "<a href="http://example.com">example.com</a>"<br>
++[suffix] returns noop<br>[eap] EAP packet type response id 1 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>
++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>
+- entering group authenticate {...}<br>[eap] Request found, released from the list<br>[eap] EAP NAK<br>[eap] EAP-NAK asked for EAP-Type/tls<br>[eap] processing type tls<br>[tls] Requiring client certificate<br>[tls] Initiate<br>
[tls] Start returned 1<br>++[eap] returns handled<br>Sending Access-Challenge of id 161 to 192.168.5.206 port 1812<br> EAP-Message = 0x010200060d20<br> Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x0a8a026e0b880fea4f51a121d61eb2bf<br>Finished request 1.<br>Going to the next request<br>Waking up in 4.9 seconds.<br>rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162, length=224<br>
NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br> NAS-Port-Type = Ethernet<br> User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br>
Calling-Station-Id = "00-0A-E4-13-1A-02"<br> Service-Type = Framed-User<br> Framed-MTU = 1500<br> State = 0x0a8a026e0b880fea4f51a121d61eb2bf<br> EAP-Message = 0x020200500d800000004616030100410100003d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f569400001600040005000a0009006400<br>
62000300060013001200630100<br> Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] Looking up realm "<a href="http://example.com">example.com</a>" for User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>
[suffix] No such realm "<a href="http://example.com">example.com</a>"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 2 length 80<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/tls<br>[eap] processing type tls<br>[tls] Authenticate<br>[tls] processing EAP-TLS<br> TLS Length 70<br>[tls] Length Included<br>[tls] eaptls_verify returned 11<br>
[tls] (other): before/accept initialization<br>[tls] TLS_accept: before/accept initialization<br>[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello<br>[tls] TLS_accept: SSLv3 read client hello A<br>
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello<br>[tls] TLS_accept: SSLv3 write server hello A<br>[tls] >>> TLS 1.0 Handshake [length 085e], Certificate<br>[tls] TLS_accept: SSLv3 write certificate A<br>
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest<br>[tls] TLS_accept: SSLv3 write certificate request A<br>[tls] TLS_accept: SSLv3 flush data<br>[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A<br>
In SSL Handshake Phase<br>In SSL Accept mode<br>[tls] eaptls_process returned 13<br>++[eap] returns handled<br>Sending Access-Challenge of id 162 to 192.168.5.206 port 1812<br>
 Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x0a8a026e08890fea4f51a121d61eb2bf<br>
Finished request 2.<br>Going to the next request<br>Waking up in 4.8 seconds.<br>rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=163, length=150<br> NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br>
NAS-Port-Type = Ethernet<br> User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br> Calling-Station-Id = "00-0A-E4-13-1A-02"<br>
Service-Type = Framed-User<br> Framed-MTU = 1500<br> State = 0x0a8a026e08890fea4f51a121d61eb2bf<br> EAP-Message = 0x020300060d00<br> Message-Authenticator = 0x528ebb6278cb97676edaa2345aaf2f10<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] Looking up realm "<a href="http://example.com">example.com</a>" for User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>
[suffix] No such realm "<a href="http://example.com">example.com</a>"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 3 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/tls<br>[eap] processing type tls<br>[tls] Authenticate<br>[tls] processing EAP-TLS<br>[tls] Received TLS ACK<br>[tls] ACK handshake fragment handler<br>[tls] eaptls_verify returned 1<br>
[tls] eaptls_process returned 13<br>++[eap] returns handled<br>Sending Access-Challenge of id 163 to 192.168.5.206 port 1812<br>
 Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x0a8a026e098e0fea4f51a121d61eb2bf<br>
Finished request 3.<br>Going to the next request<br>Waking up in 4.7 seconds.<br>rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=164, length=150<br> NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br>
NAS-Port-Type = Ethernet<br> User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br> Calling-Station-Id = "00-0A-E4-13-1A-02"<br>
Service-Type = Framed-User<br> Framed-MTU = 1500<br> State = 0x0a8a026e098e0fea4f51a121d61eb2bf<br> EAP-Message = 0x020400060d00<br> Message-Authenticator = 0xc5e0fca3b00a3878caa40e8d9b79618a<br>
+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] Looking up realm "<a href="http://example.com">example.com</a>" for User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>
[suffix] No such realm "<a href="http://example.com">example.com</a>"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 4 length 6<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/tls<br>[eap] processing type tls<br>[tls] Authenticate<br>[tls] processing EAP-TLS<br>[tls] Received TLS ACK<br>[tls] ACK handshake fragment handler<br>[tls] eaptls_verify returned 1<br>
[tls] eaptls_process returned 13<br>++[eap] returns handled<br>Sending Access-Challenge of id 164 to 192.168.5.206 port 1812<br>
 Message-Authenticator = 0x00000000000000000000000000000000<br> State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf<br>Finished request 4.<br>Going to the next request<br>
Waking up in 4.6 seconds.<br>rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=165, length=1645<br> NAS-IP-Address = 192.168.5.206<br> NAS-Port = 50046<br> NAS-Port-Type = Ethernet<br>
User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br> Called-Station-Id = "00-0C-30-81-9B-EE"<br> Calling-Station-Id = "00-0A-E4-13-1A-02"<br> Service-Type = Framed-User<br>
Framed-MTU = 1500<br> State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf<br>
 Message-Authenticator = 0x15cf2cb082e9388a241090a905703ecc<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>++[chap] returns noop<br>++[mschap] returns noop<br>[suffix] Looking up realm "<a href="http://example.com">example.com</a>" for User-Name = "<a href="mailto:user@example.com">user@example.com</a>"<br>
[suffix] No such realm "<a href="http://example.com">example.com</a>"<br>++[suffix] returns noop<br>[eap] EAP packet type response id 5 length 253<br>[eap] No EAP Start, assuming it's an on-going EAP conversation<br>
++[eap] returns updated<br>++[unix] returns notfound<br>++[files] returns noop<br>++[expiration] returns noop<br>++[logintime] returns noop<br>++[pap] returns noop<br>Found Auth-Type = EAP<br>+- entering group authenticate {...}<br>
[eap] Request found, released from the list<br>[eap] EAP/tls<br>[eap] processing type tls<br>[tls] Authenticate<br>[tls] processing EAP-TLS<br> TLS Length 1481<br>[tls] Length Included<br>[tls] eaptls_verify returned 11<br>
[tls] <<< TLS 1.0 Handshake [length 038d], Certificate<br>--> verify error:num=20:unable to get local issuer certificate<br>[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca<br>TLS Alert write:fatal:unknown CA<br>
TLS_accept:error in SSLv3 read client certificate B<br>rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned<br>SSL: SSL_read failed in a system call (-1), TLS session fails.<br>
TLS receive handshake failed during operation<br>[tls] eaptls_process returned 4<br>[eap] Handler failed in EAP/tls<br>[eap] Failed in EAP select<br>++[eap] returns invalid<br>Failed to authenticate the user.<br>Login incorrect: [<a href="http://user@example.com/">user@example.com/</a><via Auth-Type = EAP>] (from client private-network-2 port 50046 cli 00-0A-E4-13-1A-02)<br>
Using Post-Auth-Type Reject<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> <a href="mailto:user@example.com">user@example.com</a><br> attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>Delaying reject of request 5 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>Sending delayed reject for request 5<br>Sending Access-Reject of id 165 to 192.168.5.206 port 1812<br>
EAP-Message = 0x04050004<br> Message-Authenticator = 0x00000000000000000000000000000000<br>Waking up in 3.5 seconds.<br>Cleaning up request 0 ID 160 with timestamp +10<br>Cleaning up request 1 ID 161 with timestamp +10<br>
Cleaning up request 2 ID 162 with timestamp +10<br>Cleaning up request 3 ID 163 with timestamp +10<br>Cleaning up request 4 ID 164 with timestamp +10<br>Waking up in 1.1 seconds.<br>Cleaning up request 5 ID 165 with timestamp +10<br>
Ready to process requests.<br><br><br>