On Fri, May 29, 2009 at 10:32 AM, Ivan Kalik <tnt@kalik.net> wrote:
> Problem was solved thanks to Ivan assistance,
> Main problem was on switch side and its configuration,
> Second problem was - proper certificate to proper certificate store
> And third - in my head :).

OK. Now that you have established that client certificates signed by CA
work with XP SP3, can you check if server signed certificates (made by
original Makefile) also work, or is XP SP3 rejecting them. Could you
report to the list with the result.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

No, standard Makefile is no working

freeradius -X output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=160, length=147
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        EAP-Message = 0x020000150175736572406578616d706c652e636f6d
        Message-Authenticator = 0x3fa86bcca888e9174c33ff2206178e97
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 160 to 192.168.5.206 port 1812
        EAP-Message = 0x010100061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=161, length=150
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e0a8b1bea4f51a121d61eb2bf
        EAP-Message = 0x02010006030d
        Message-Authenticator = 0xe1ef7b423be0a169598a253da36247c0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 161 to 192.168.5.206 port 1812
        EAP-Message = 0x010200060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0a8a026e0b880fea4f51a121d61eb2bf
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=162, length=224
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e0b880fea4f51a121d61eb2bf
        EAP-Message = 0x020200500d800000004616030100410100003d03014a1fb693a40277392668182f296a92feb2a08a3e25a3c170dfa77f83d18f569400001600040005000a0009006400
62000300060013001200630100
        Message-Authenticator = 0xca0d351030f630125dd9b87f5d39e7e9
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 80
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 70
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 162 to 192.168.5.206 port 1812
        EAP-Message = 0x010304000dc00000093d160301002a0200002603014a1fb649f90a6e4db1414f2a91473940c7257976a7dbb0150b8771d1c403998300000400160301085e0b00085a00
08570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d0603550408130652616469757331123010060355040713
09536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d45
78616d706c6520436572746966696361746520417574686f72697479
        EAP-Message = 0x301e170d3039303532303133303535305a170d3130303532303133303535305a307c310b3009060355040613024652310f300d06035504081306526164697573311530
13060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e
406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d1c880577d809eac3b12eeb843eaad382da99c2de125a840a49f25585bbb8186bb93
22a8dba7f08cfe901a0d85b6b0865e816b927a48f72d2e066f57f711
        EAP-Message = 0xe6361d191beba216660aa6a1e4aa5fc2ab00aa67456586c42e40e8ecccb851425851581fbe189de1440b882ca86211a4c71ffb13823f942f0dc36af3b7fa38f2a59933
35dd63e56edef32a7eccc3054088fc2da16f50674092656c86e715c5582bfafd3dd4ff47c03ac93829f8a3db1acc30b55144788d6d77c9ddaab9006efe0deec77e93c0a449375491f79a7c68e7efeb
3b47d0b5c18496281016dad45ff47b34e172c445007c0151d73468807f131e2f433136061d6761f2450607fac932b6f90203010001a317301530130603551d25040c300a06082b0601050507030130
0d06092a864886f70d010104050003820101003f38caf011d81255ce
        EAP-Message = 0xe6aa7a0d3ba87fa4c7bae364e4f0329d1b193d7ba36ba7506af0eb0e783e88ccc4b6a34a346a578ec3d12edef4f0060a34f42d1163b33f950397ac5ff566d3a4ca3ff0
4169eae2baf3203a4cde15b30f774640d16727fb1ed7a189f518031bd482626199bd62d7f603f4d665fc2955e82fbf7fea03efb4a676c2deb868043cd4cd6bd0dba790b710406de0c68dada48b0327
1cd2153384e1a34b3d401edc3476a318f0b91febcb797e4f3da9e9a4e48bce8456bf2c950e767dac3e967835fa537e35adfaec26159f681911208c6e401147b85dd66842131b373483503d14a3c705
6560dcaa282bfdeb9a3b70447093641032cbad777eee0004ab308204
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0a8a026e08890fea4f51a121d61eb2bf
Finished request 2.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=163, length=150
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e08890fea4f51a121d61eb2bf
        EAP-Message = 0x020300060d00
        Message-Authenticator = 0x528ebb6278cb97676edaa2345aaf2f10
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 163 to 192.168.5.206 port 1812
        EAP-Message = 0x010404000dc00000093d00e274f9526898aa5c300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d06035504081306526164697573
3112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d3126
30240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039303532303133303535305a170d3130303532303133303535305a308193310b30090603
55040613024652310f300d0603550408130652616469757331123010
        EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d70
6c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100
abfd23d2502cc6f6f29c367e592227c9b4ef02e40b02e8468d7c2087197a03bf4bab18c57c3c2501782b9c5a979b2806b42b6062e213319daaf4d5a27984953ebce5433a1be4a5716b94e8979cc24c
1dd525d86fc14543b1380ce3f8fc126780193e7ec5bf3abe590b970b
        EAP-Message = 0x4d5a1ea02ae515af74cfce42c5bb10d0cc620412a14f623c34fbca4fb9b8ee66b04b7cfff1a278a54ac69fa675a4a9ca6605689319fc5307c4b6f9fae8f653d9b7ecbd
854cf4b667de8c895c7f849df8c9362711fa703b4ed0a8f63504ded0fda6ae0dd472793766c3124dcb42cdbb25dca397db3f841ce13dfbbc10c8848bd39d43a2620e8e0c95b1a35891fcce33359f38
0a29650203010001a381fb3081f8301d0603551d0e04160414123ff562737fc2d9bc6d96afae6f4337c08846a73081c80603551d230481c03081bd8014123ff562737fc2d9bc6d96afae6f4337c088
46a7a18199a48196308193310b3009060355040613024652310f300d
        EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f7
0d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900e274f9526898aa5c300c060355
1d13040530030101ff300d06092a864886f70d0101050500038201010043cf9119db5dd9fe4f21b6e809f5e244dbfc6aee7866316441a9db5f3c4abae403f9012c8a4348a12c9ba24e02b188746872
56dfd374cb8ccfe6cfd9932ce2f4a03f1f695b221f97550e9510185c
        EAP-Message = 0x2c53e4c88640391d8a02fe15
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0a8a026e098e0fea4f51a121d61eb2bf
Finished request 3.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=164, length=150
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e098e0fea4f51a121d61eb2bf
        EAP-Message = 0x020400060d00
        Message-Authenticator = 0xc5e0fca3b00a3878caa40e8d9b79618a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 164 to 192.168.5.206 port 1812
        EAP-Message = 0x0105015b0d800000093de20bb9019906632f477573ee5ce336970857546c707151916f52825101b95c005509c9ba6c631dc4ed44105ec67210fff11968122772734826
f9998404c54b4c828a81726a1992a010b065e299b3cf573365d6d52f47285e9e2d27e39df13e75936e03eb9827f9b9b99747cdb9ce186baad8104b24275e45984252a2615f35d2f620510128bd0d6e
5071c1006aba908c75b5d13e2aba260bd84e7c40e9703eec9c02be07071a16030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975
733112301006035504071309536f6d65776865726531153013060355
        EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c
6520436572746966696361746520417574686f726974790e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf
Finished request 4.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=165, length=1645
        NAS-IP-Address = 192.168.5.206
        NAS-Port = 50046
        NAS-Port-Type = Ethernet
        User-Name = "user@example.com"
        Called-Station-Id = "00-0C-30-81-9B-EE"
        Calling-Station-Id = "00-0A-E4-13-1A-02"
        Service-Type = Framed-User
        Framed-MTU = 1500
        State = 0x0a8a026e0e8f0fea4f51a121d61eb2bf
        EAP-Message = 0x020505d30d80000005c916030105990b0003890003860003833082037f30820267a003020102020104300d06092a864886f70d0101040500307c310b30090603550406
13024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c652053657276657220436572746966696361
74653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039303532393130313133385a170d3130303532393130313133385a3071310b30090603550406
13024652310f300d0603550408130652616469757331153013060355
        EAP-Message = 0x040a130c4578616d706c6520496e632e311930170603550403141075736572406578616d706c652e636f6d311f301d06092a864886f70d010901161075736572406578
616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100bf797e10a06c11b69b3304655b17de55f2bbf74109065f46a5fc85f3d49432b7f9630ad995
94c793671ca8e6ee900dda23e4f384c5080c584e87c18935f83fe34340723e7062374a02ea13a82e0599f15f970c4b2249038b17779363caf16e77a273a29b3b4b27c63c04daa06dff67f09fe5c346
b9a634952197a7a378f588dbd13c9e70c94d125cfc263585872ec9dc
        EAP-Message = 0xb7a1fdf853e5585bcc9b90a01181b757e54215196986c919ca8a09811f6bbd629417b8b108e316bdbc520d324a4ea0c84d7169036a4d134fbc5889e7cb5a00648a3869
a34b426482ca8721d57ed809afc580f78cabce08ede364da1604dd27c8ebc4b49ad210539a0b0452c77a84945f0203010001a317301530130603551d25040c300a06082b06010505070302300d0609
2a864886f70d01010405000382010100b824bac6618246aa3df9d6a50c2ee5161cac3b6979193f3a2b82017dd415abee24b0e3d45a7490b0bf73cea8125e6acbd364f910cd4fb76c813504ef819d49
53b840353c432536b7d9c6eabe1fd266a71e42f3efa0b685416aeec4
        EAP-Message = 0x1c43c72fcfaa119600f722e0309cb3ee7358bf499eeb015ebb3f205258edaf49e8cd737d066acfc9172eff5d586171aca8b684ec3f2e3c9d2d4338600e43b6464f850f
c5f82537af003b3fd6af7458e8abc3f71b2981660f52f2ffd4c0f320c0f61268fad45021cc7a18134d4dd6c0f3909d2d9da7c79c1b35fa4abdc83d42f41c6be15cda3eae7a7f961ceae952db3f3ece
b2533471b9262285871b286198e5a994ceed7810000102010039799a4cff52d1c4e26c86166903bf17c9995b9ced533f0c9f8607a63095f6ac1b06aef1a43ae26cdf4efbff5ffa6be61c7a551cb888
6900003592ae9b0656db3188691c3685baa18351172711a7f3656d7f
        EAP-Message = 0x541c37b660b38ca9b136e3a4a0446e9af1cfb098ae8b935edaec3423d12e666ccc7394988ba43de7aa7e59bc0c16830a822c9adb78b80190c7ee4ad5e85246d351cb23
e8ed045d5ba855191dd90784e5e06b435ee430709329b64e21dd1fed49ef235a759e68b7a7d31c04cda9d84362bcdecf6aba073cbcd70b0a4a0713a1488ab498cad52e8d937637d8990833fcc72573
178c254b45399a002b04374408e90bd023633f35c0a2593abfda231e0f0001020100097d445b7c7219aead21140d9101c9f7f9da2024b9d531cbd6e226fb458e51e350aeadb3b4cd04fc8edfd6ec9c
fd0fd89c556cfda7c8f9c259add11a4e338adebf2929678b78a4557c
        EAP-Message = 0x33e61e8c1eb9208357b3188d97057cf314eed12077b984678370924b24909a62d0957b26d8757621f7f325fe3087b7a2a0e9d81bb19abe4e5a6ddf7cf6c526a536a2ab
c37815c8b4a95040805674491dbf3408cc4cb95f782a50afc5131d7560683e453ae98e0b873bd725fed496dc9305802fa79acb7b8de28e12962898174594d4c2685dc0f604b2a4cc6f39c4643e581e
f497d854bcec7c66c52961f02643bd97f57d4c7ab39ff1a018c4ff4e1eb6a76c8bf8adb1b414030100010116030100201a0a68bdcf37fc694fe9d7ed1bec7d348371c6ebe1612d3a28e43d3db5dc8b
28
        Message-Authenticator = 0x15cf2cb082e9388a241090a905703ecc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user@example.com"
[suffix] No such realm "example.com"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 1481
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< TLS 1.0 Handshake [length 038d], Certificate
--> verify error:num=20:unable to get local issuer certificate
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
    TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [user@example.com/<via Auth-Type = EAP>] (from client private-network-2 port 50046 cli 00-0A-E4-13-1A-02)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> user@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 165 to 192.168.5.206 port 1812
        EAP-Message = 0x04050004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 0 ID 160 with timestamp +10
Cleaning up request 1 ID 161 with timestamp +10
Cleaning up request 2 ID 162 with timestamp +10
Cleaning up request 3 ID 163 with timestamp +10
Cleaning up request 4 ID 164 with timestamp +10
Waking up in 1.1 seconds.
Cleaning up request 5 ID 165 with timestamp +10
Ready to process requests.