K. Hoercher wrote:
......... 3. I more or less duplicated your setup from <44EB5C4F.2040504@crema.unimi.it>and tested it here with freeradius-1.1.2, hostapd-0.5.3, wpa_supplicant-0.5.4. It worked as you wish and should be expected.
4. It even worked with the hard Auth-Type setting in users file (changed to local environment) despite that being unnecessary and insofar wrong. Please see http://deployingradius.com/documents/configuration/auth_type.html. I cannot understand french, but at least in this respect http://www.alphacore.net/spip/article.php3?id_article=33 seems to err.
Ok, i deleted Auth-Type setting in users file. My user now is: marcello
6. The radius.log you attached earlier didn't show any incoming EAP-Responses to the Challenges freeradius sent out. The snippets you keep posting since then show a part of the debug log, which doesn't exhibit a fault compared to what I'm getting here. If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly.
regards K. Hoercher
This is what continuous to see when start radiusd - X: rad_recv: Access-Request packet from host 192.168.1.5:1214, id=36, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0223000d016d617263656c6c6f Message-Authenticator = 0x8afce08acace447ca9a52f94717767dd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 27 modcall[authorize]: module "preprocess" returns ok for request 27 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 27 rlm_eap: EAP packet type response id 35 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 27 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 27 modcall: leaving group authorize (returns updated) for request 27 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 27 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 27 modcall: leaving group authenticate (returns handled) for request 27 Sending Access-Challenge of id 36 to 192.168.1.5 port 1214 EAP-Message = 0x012400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4a4231b4adfeba0f626bea47adfe79b3 Finished request 27 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=37, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022400500d800000004616030100410100003d030144ec5fa59a64845898c9f5ad123fc6b0198a4905db195cec34455b869c4d4b1100001600040005000a000900640062000300060013001200630100 State = 0x4a4231b4adfeba0f626bea47adfe79b3 Message-Authenticator = 0x954557a26d69418d4ec39d196da5d9b1 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 28 modcall[authorize]: module "preprocess" returns ok for request 28 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 28 rlm_eap: EAP packet type response id 36 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 28 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 28 modcall: leaving group authorize (returns updated) for request 28 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 28 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 28 modcall: leaving group authenticate (returns handled) for request 28 Sending Access-Challenge of id 37 to 192.168.1.5 port 1214 EAP-Message = 0x0125040a0dc000000835160301004a02000046030144ec6005a36d16b4738f0725c7e28d3aacc9e100cee2b61fd3f8b5525dab88a12056e63ac6ba7034af4f37c7329304af510ee21461f940f7718850d502ebfad26200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd61433c363fad2062dd0ed86dd317d38 Finished request 28 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 27 ID 36 with timestamp 44ec6005 Cleaning up request 28 ID 37 with timestamp 44ec6005 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=38, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0226000d016d617263656c6c6f Message-Authenticator = 0xdc2e7392680a90e16f7675db392ae62a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 29 modcall[authorize]: module "preprocess" returns ok for request 29 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 29 rlm_eap: EAP packet type response id 38 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 29 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 29 modcall: leaving group authorize (returns updated) for request 29 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 29 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 29 modcall: leaving group authenticate (returns handled) for request 29 Sending Access-Challenge of id 38 to 192.168.1.5 port 1214 EAP-Message = 0x012700060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbe099fcd698213125f5c1f9b6f57edf0 Finished request 29 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=39, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022700500d800000004616030100410100003d030144ec5fc3b3c0a02d79dde2cbaee6994cb365bda0921afe69fea98cf513ae68be00001600040005000a000900640062000300060013001200630100 State = 0xbe099fcd698213125f5c1f9b6f57edf0 Message-Authenticator = 0xd6d1ed5825fe4c35f5a1d60b5898697c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 30 modcall[authorize]: module "preprocess" returns ok for request 30 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 30 rlm_eap: EAP packet type response id 39 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 30 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 30 modcall: leaving group authorize (returns updated) for request 30 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 30 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 30 modcall: leaving group authenticate (returns handled) for request 30 Sending Access-Challenge of id 39 to 192.168.1.5 port 1214 EAP-Message = 0x0128040a0dc000000835160301004a02000046030144ec602379b9029259e24bf1b103bb550102f05bfed202c361b441e98891a58c20c0328494ad8c1af13e31715a0d7c244a442af30d449dd3b72f9811946120d00200040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x20848349a7d8931898eab18b497b7eaa Finished request 30 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 29 ID 38 with timestamp 44ec6023 Cleaning up request 30 ID 39 with timestamp 44ec6023 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=40, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0229000d016d617263656c6c6f Message-Authenticator = 0xa1721cbe7301b0520d0be5a419388965 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 31 modcall[authorize]: module "preprocess" returns ok for request 31 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 31 rlm_eap: EAP packet type response id 41 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 31 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 31 modcall: leaving group authorize (returns updated) for request 31 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 31 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 31 modcall: leaving group authenticate (returns handled) for request 31 Sending Access-Challenge of id 40 to 192.168.1.5 port 1214 EAP-Message = 0x012a00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6e1434ca3d57d931af8880e288a906a5 Finished request 31 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=41, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022a00500d800000004616030100410100003d030144ec5fe1afe282c139685d0cc920d57ec74fadd16301b2b11d962a4c48167e9a00001600040005000a000900640062000300060013001200630100 State = 0x6e1434ca3d57d931af8880e288a906a5 Message-Authenticator = 0x562492cb1ddbe4fe6e6f26676b04641a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 32 modcall[authorize]: module "preprocess" returns ok for request 32 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 32 rlm_eap: EAP packet type response id 42 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 32 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 32 modcall: leaving group authorize (returns updated) for request 32 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 32 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 32 modcall: leaving group authenticate (returns handled) for request 32 Sending Access-Challenge of id 41 to 192.168.1.5 port 1214 EAP-Message = 0x012b040a0dc000000835160301004a02000046030144ec6041b7dd765e8e8522dafce7f647e1e3f83e07194d2445c0e8ed0f6eb448205e608aec3f12e3763220cc2838cfe79c1a371553d637835c640b8cf3fa9ea46c00040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc9750d7b7c4f4c25d35382ef3c495bf3 Finished request 32 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 31 ID 40 with timestamp 44ec6041 Cleaning up request 32 ID 41 with timestamp 44ec6041 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.1.5:1214, id=42, length=139 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022c000d016d617263656c6c6f Message-Authenticator = 0x490a18c23fc91fdc1c9b8e643b1e369c Processing the authorize section of radiusd.conf modcall: entering group authorize for request 33 modcall[authorize]: module "preprocess" returns ok for request 33 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 33 rlm_eap: EAP packet type response id 44 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 33 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 33 modcall: leaving group authorize (returns updated) for request 33 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 33 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 33 modcall: leaving group authenticate (returns handled) for request 33 Sending Access-Challenge of id 42 to 192.168.1.5 port 1214 EAP-Message = 0x012d00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x03c28905812b5b3f6b129e967146cf6f Finished request 33 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.5:1214, id=43, length=224 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc76fd1cd92cf4a616ed25f594f37b078d23151e633e7adbaa807d00001600040005000a000900640062000300060013001200630100 State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 34 modcall[authorize]: module "preprocess" returns ok for request 34 radius_xlat: '/usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/192.168.1.5/auth-detail-20060823 modcall[authorize]: module "auth_log" returns ok for request 34 rlm_eap: EAP packet type response id 45 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 34 users: Matched entry marcello at line 7 modcall[authorize]: module "files" returns ok for request 34 modcall: leaving group authorize (returns updated) for request 34 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 34 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0715], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00c7], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 34 modcall: leaving group authenticate (returns handled) for request 34 Sending Access-Challenge of id 43 to 192.168.1.5 port 1214 EAP-Message = 0x012e040a0dc000000835160301004a02000046030144ec605fb82c174431ef92debba911fd499931199bf231f28652609ac0b808f6200f53f7874c685ad093cdc266a254182b21efc28655f8deb62304a41f7a23f9d500040016030107150b00071100070e0002fa308202f63082025fa003020102020900f224c648347dc88c300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e06035504 EAP-Message = 0x0b1307696d692073726c311630140603550403130d43412d467265657261646975733126302406092a864886f70d0109011617667265657261646975734067727570706f696d692e6974301e170d3036303832323136333935375a170d3037303832323136333935375a3081aa310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110300e060355040b1307696d692073726c310f300d060355040313066a61676765723122302006092a864886 EAP-Message = 0xf70d01090116136a61676765724067727570706f696d692e697430819f300d06092a864886f70d010101050003818d0030818902818100c2889e425836d09f8235751e0ff076778dfad149ef3ef3f5d474375ad07c6d7d8924c1626b2c5478638564287fb4023b5ce68bcd0ffd7c21ac57d06ef8ef98f5ab9d5de84379f4f64bdef487a93350102d22f58200f16000756e3e98a677881f171155a679058c72d7a23d88e9d29daa1be63a014dca55ab45ac4383f04dbf610203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100b2288be7befe02ede8b87a2965337aaa586ac346be EAP-Message = 0x14150f8914a326d60ec602e4e2076441b2266b013a2a5a6a083adf3abad567d1581e42fe22dfba9ae4b1a6e08333fe84d50950a5ff6a918f1bdcde276c6563d208ab5b6e95128e38e9454314e3a8be08896e031ef2f1332347d9b93e6caa8761ef5e9758ef6618946f816e00040e3082040a30820373a003020102020900f224c648347dc88a300d06092a864886f70d01010405003081b5310b3009060355040613024954310e300c060355040813054954414c593110300e0603550407130742657267616d6f31123010060355040a130947727570706f696d69311e301c060355040a13153830322e31782041757468656e7469636174696f6e3110 EAP-Message = 0x300e060355040b1307696d692073726c311630140603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xeacc5432cc73aaa14a0bb9aae4a1c3cb Finished request 34 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 33 ID 42 with timestamp 44ec605f Cleaning up request 34 ID 43 with timestamp 44ec605f Probably it is like you said; "If the cut off parts show the same as in the attached file, the same problem exists: your client isn't responding properly."... The clients system is Windows XP SP2 and I used the default supplicant. It is subject to particular problems? Many guides speak about as to configure an win xp supplicant and I have made like they without to change nothing. They could be the certs not-compatible? It could be AP not to send the messages correctly? The AP's log are very poors. Only see the Access-Request from the user "marcello". Aug/23/2006 16:48:48 Send Accounting logout message marcello Aug/23/2006 16:48:48 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:48 state: paeDISCONNECTED Aug/23/2006 16:48:43 EAP-Request/Identity Aug/23/2006 16:48:38 EAP-Request/Identity Aug/23/2006 16:48:33 EAP-Request/Identity Aug/23/2006 16:48:28 EAP-Request/Identity Aug/23/2006 16:48:23 EAP-Request/Identity Aug/23/2006 16:48:18 EAP-Request/Identity Aug/23/2006 16:48:13 EAP-Request/Identity Aug/23/2006 16:48:08 EAP-Request/Identity Aug/23/2006 16:48:04 Authentication timeout 00-0C-F1-15-17-59 Aug/23/2006 16:48:04 EAP-Request/Identity Aug/23/2006 16:48:04 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:04 EAP-Request/Identity Aug/23/2006 16:48:04 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:48:00 EAP-Response/Identity marcello Aug/23/2006 16:48:00 EAP-Request/Identity Aug/23/2006 16:47:56 Authentication timeout 00-0C-F1-15-17-59 Aug/23/2006 16:47:56 EAP-Request/Identity Aug/23/2006 16:47:56 EAP-Failure 00-0C-F1-15-17-59 Aug/23/2006 16:47:52 EAP-Response/Identity marcello Aug/23/2006 16:47:52 EAP-Request/Identity This is a .../radacct/192.168.1.5/auth-detail-20060823 log file: Packet-Type = Access-Request Wed Aug 23 16:04:15 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc7$ State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Packet-Type = Access-Request Wed Aug 23 16:04:15 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022d00500d800000004616030100410100003d030144ec5fff1ddc76fd1cd92cf4a616ed25f594f37b078d23151e633e7adbaa807d00001600040005000a0009006$ State = 0x03c28905812b5b3f6b129e967146cf6f Message-Authenticator = 0x7d908821b7b8043f3af46b45ea38b038 Client-IP-Address = 192.168.1.5 Packet-Type = Access-Request Wed Aug 23 16:54:41 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0207000d016d617263656c6c6f Message-Authenticator = 0x35dce2ba502963e6a55781a6863ee665 Client-IP-Address = 192.168.1.5 Packet-Type = Access-Request Wed Aug 23 16:54:41 2006 User-Name = "marcello" NAS-IP-Address = 192.168.1.5 NAS-Port = 0 Called-Station-Id = "00-40-05-30-C5-86" Calling-Station-Id = "00-0C-F1-15-17-59" NAS-Identifier = "DLink-900AP+" Framed-MTU = 1380 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020800500d800000004616030100410100003d030144ec6bd18e05eb916c88e10b9cc8e5b620271365a5b4ea1f40965f1b1d18a19600001600040005000a0009006$ State = 0xfd9cd50d382b9c1e0da734eb064d896d Message-Authenticator = 0xb4f18cd8d063fcdc0b2291f37307a047 Client-IP-Address = 192.168.1.5