Hello, I am getting a strange error in my FreeRADIUS debug output, which I have posted below. I have built the client using C, OpenSSL and raw sockets, and uses the 'user@example.com.pem' certificate generated by the scripts provided in /raddb/certs. Can you please tell me where am I going wrong? It is an error at the penultimate step of the EAP-TLS exchange. Thank you ! :) - Soham rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=254, length=829 User-Name = "sohama411111" Called-Station-Id = "ec-e5-55-9c-c3-b6" Calling-Station-Id = "00:24:9b:0c:2f:6e" NAS-Identifier = "ec-e5-55-9c-c3-ac" NAS-IP-Address = 192.168.1.11 NAS-Port = 6 Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xa2a1f780a7a7fad11c1fdcdf4905f39b EAP-Message = 0x020602a00d8000000a825997f20225258bb1ff09cf6b173f27777f32ed2ef263a69ea7500fa0df24d984336cfaa193a9be78c06dc15278b6ef4b7cd930d166dd8427b3d155235edc0ce87fedcb214f913db8080089ccb1c651ec2042c9f1f8438926650157af19f77f059a5be97bb32f4c522230719d03a1f6553f3e311249f84eb6bb6740d218c346fe6fb5e08a471fe90bce818d62480b66b82412ff00a1fde2d7e9e2ef2c09d9dcddb20923c9d911fc13aa74742728bf7a2228a1a3de6cb4e9375b66638d73dee5d6dfde7144f8d701a9e16304225c983231cb1bbf1d67f713eb13d5ad916e404c71160301004610000042410414242a58afc24797 EAP-Message = 0x1adbed2ab769f9d1840a5956aad1bc07ec4de29645f706568bdeb474f455be264384b32a21ef52fa83a0ce73f1eb065a0a67cde112c2082916030101060f0001020100cb37b6b39e07acbe5db0119c5f7bc8d2aef80ae74c33c1c7c4e3a85bdb9d98a0c540d9d16d6f08d0e019b1fce07a337e9869e079519f2f65161a744f38b0a3e541461a74c2c05adebde38b07c6c6d7301be51de656cf231ff4d58e4836e09633bdc379bca36a538b5bc4646e2a212b9c436af8749840e14d646268d52770f263e0bcbc965b37ae0d0dbb5e3e259882a29cdfb0f7eaba21d984748d017f4e495bcbe909d71e2f7a3d08689a49d9479e4887ea0558293d4e0dcc74 EAP-Message = 0x61e3d33b48576d468e293468648476786964d5d050203aa0706fef1426432c3e5f5e49d33f77148209d34f01928db02b6b8d30338b9fd51e589b57576217a16c19c5a60bc875140301000101160301003099875a615089ecf3a1b21b7297c276f5bc8ab7be2f85d981f32a93c53ba178cf38c3be709ef5a241f1641f18bfc86cff1503010020ecc14febfeb1efd89ca273228fabc163f4d2536f8077de497b8257f10c0cfd80 Message-Authenticator = 0xb2addbdef36eea66889ed2c3e3ee302e # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2690 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 08c7], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = sohama411111 [tls] --> BUF-Name = Example Certificate Authority [tls] --> subject = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority [tls] --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority [tls] --> verify return:1 TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" [tls] chain-depth=0, [tls] error=0 [tls] --> User-Name = sohama411111 [tls] --> BUF-Name = sohama4@gmail.com [tls] --> subject = /C=FR/ST=Radius/O=Example Inc./CN=sohama4@gmail.com/emailAddress=sohama4@gmail.com [tls] --> issuer = /C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully [tls] <<< TLS 1.0 Alert [length 0002], fatal protocol_version TLS Alert read:fatal:protocol version rlm_eap: SSL error error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version SSL Connection Established [tls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 254 to 192.168.1.11 port 62733 EAP-Message = 0x010700450d800000003b1403010001011603010030fcca5a85d37c2ec29f40904ccb9dbe3ac886668b24f36a70ea88aed096ed2520ee567dcce866caf89a455cdc9b1421ed Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b Finished request 6. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.1.11 port 62733, id=255, length=159 User-Name = "sohama411111" Called-Station-Id = "ec-e5-55-9c-c3-b6" Calling-Station-Id = "00:24:9b:0c:2f:6e" NAS-Identifier = "ec-e5-55-9c-c3-ac" NAS-IP-Address = 192.168.1.11 NAS-Port = 6 Framed-MTU = 1500 NAS-Port-Type = Ethernet State = 0xa2a1f780a4a6fad11c1fdcdf4905f39b EAP-Message = 0x020700060d00 Message-Authenticator = 0x9edad03d955fdbb9df9945226a174d53 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "sohama411111", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK alert [tls] eaptls_verify returned 4 [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> sohama411111 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 7 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 7 Sending Access-Reject of id 255 to 192.168.1.11 port 62733 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.2 seconds. Cleaning up request 0 ID 248 with timestamp +21 Waking up in 2.6 seconds. Cleaning up request 1 ID 249 with timestamp +24 Cleaning up request 2 ID 250 with timestamp +24 Cleaning up request 3 ID 251 with timestamp +24 Cleaning up request 4 ID 252 with timestamp +24 Cleaning up request 5 ID 253 with timestamp +24 Cleaning up request 6 ID 254 with timestamp +24 Waking up in 1.0 seconds. Cleaning up request 7 ID 255 with timestamp +24