Based on this: TLS_accept: Failed in SSLv3 read client certificate A Server doesn't like client cert.... On 21 Apr 2017 6:02 pm, "Adam Bishop" <Adam.Bishop@jisc.ac.uk> wrote: Juniper have added proper EAP support to their VPN stack - I'm trying to get it working. I'm not trying to do anything fancy at this stage, just check that the client cert is signed by a CA. I've not deployed EAP-TLS before, so I could use a bit of help interpreting the TLS errors - the logs on the concentrator and on the client leave a little to be desired. It appears to be an issue with the CA being untrusted, but which side it is on - does the client distrust the FreeRADIUS server certificate, or does FreeRADIUS distrust the client's certificate? Regards, Adam Bishop gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460 jisc.ac.uk (33) Debug: Received Access-Request Id 72 from 172.25.0.176:52447 to 212.219.210.194:1812 length 95 (33) Debug: User-Name = "adambishop.dev.ja.net" (33) Debug: EAP-Message = 0x026f001a016164616d626973686f 702e6465762e6a612e6e6574 (33) Debug: Message-Authenticator = 0x49c30bd1919131b5237affe9e97308c0 (33) Debug: NAS-IP-Address = 172.25.0.176 (33) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn (33) Debug: authorize { (33) Debug: update request { (33) Debug: } # update request = noop (33) Debug: [mschap] = noop (33) Debug: policy ntlm_auth.authorize { (33) Debug: if (!control:Auth-Type && User-Password) { (33) Debug: if (!control:Auth-Type && User-Password) -> FALSE (33) Debug: } # policy ntlm_auth.authorize = updated (33) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 111 length 26 (33) Debug: vpn-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (33) Debug: [vpn-eap] = ok (33) Debug: } # authorize = ok (33) Debug: Found Auth-Type = vpn-eap (33) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (33) Debug: Auth-Type vpn-eap { (33) Debug: vpn-eap: Peer sent packet with method EAP Identity (1) (33) Debug: vpn-eap: Calling submodule eap_tls to process data (33) Debug: eap_tls: Initiating new EAP-TLS session (33) Debug: eap_tls: Setting verify mode to require certificate from client (33) Debug: eap_tls: [eaptls start] = request (33) Debug: vpn-eap: Sending EAP Request (code 1) ID 112 length 6 (33) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6ade326b (33) Debug: [vpn-eap] = handled (33) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (33) Debug: EXPAND Response-Packet-Type (33) Debug: --> Access-Challenge (33) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (33) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (33) Debug: attr_filter.access_challenge: EXPAND %{User-Name} (33) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net (33) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12 (33) Debug: [attr_filter.access_challenge.post-auth] = updated (33) Debug: [handled] = handled (33) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (33) Debug: } # Auth-Type vpn-eap = handled (33) Debug: Using Post-Auth-Type Challenge (33) Debug: Post-Auth-Type sub-section not found. Ignoring. (33) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (33) Debug: Sent Access-Challenge Id 72 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0 (33) Debug: EAP-Message = 0x017000060d20 (33) Debug: Message-Authenticator = 0x00000000000000000000000000000000 (33) Debug: State = 0x6aae3f2e6ade326be20d66152c93ce20 (33) Debug: Finished request (34) Debug: Received Access-Request Id 73 from 172.25.0.176:52447 to 212.219.210.194:1812 length 214 (34) Debug: User-Name = "adambishop.dev.ja.net" (34) Debug: State = 0x6aae3f2e6ade326be20d66152c93ce20 (34) Debug: EAP-Message = 0x0270007f0d800000007516030100 700100006c030158fa35e7494a8208f15734f1b156e5cfb33b722c8028e0 ac4c5b609dbbaad4ed00002000ffc024c023c00ac009c008c028c027c014 c013c012003d003c0035002f000a01000023000a00080006001700180019 000b00020100000500050100000000 (34) Debug: Message-Authenticator = 0xe0ffa2f9a4f35bb9c59822b730acb0b7 (34) Debug: NAS-IP-Address = 172.25.0.176 (34) Debug: session-state: No cached attributes (34) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn (34) Debug: authorize { (34) Debug: update request { (34) Debug: } # update request = noop (34) Debug: [mschap] = noop (34) Debug: policy ntlm_auth.authorize { (34) Debug: if (!control:Auth-Type && User-Password) { (34) Debug: if (!control:Auth-Type && User-Password) -> FALSE (34) Debug: } # policy ntlm_auth.authorize = updated (34) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 112 length 127 (34) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation (34) Debug: [vpn-eap] = updated (34) Debug: } # authorize = updated (34) Debug: Found Auth-Type = vpn-eap (34) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (34) Debug: Auth-Type vpn-eap { (34) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6ade326b (34) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6ade326b (34) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6ade326b, released from the list (34) Debug: vpn-eap: Peer sent packet with method EAP TLS (13) (34) Debug: vpn-eap: Calling submodule eap_tls to process data (34) Debug: eap_tls: Continuing EAP-TLS (34) Debug: eap_tls: Peer indicated complete TLS record size will be 117 bytes (34) Debug: eap_tls: Got complete TLS record (117 bytes) (34) Debug: eap_tls: [eaptls verify] = length included (34) Debug: eap_tls: (other): before/accept initialization (34) Debug: eap_tls: TLS_accept: before/accept initialization (34) Debug: eap_tls: TLS_accept: SSLv3 read client hello A (34) Debug: eap_tls: TLS_accept: SSLv3 write server hello A (34) Debug: eap_tls: TLS_accept: SSLv3 write certificate A (34) Debug: eap_tls: TLS_accept: SSLv3 write key exchange A (34) Debug: eap_tls: TLS_accept: SSLv3 write certificate request A (34) Debug: eap_tls: TLS_accept: SSLv3 flush data (34) Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (34) Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (34) Debug: eap_tls: In SSL Handshake Phase (34) Debug: eap_tls: In SSL Accept mode (34) Debug: eap_tls: [eaptls process] = handled (34) Debug: vpn-eap: Sending EAP Request (code 1) ID 113 length 1024 (34) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6bdf326b (34) Debug: [vpn-eap] = handled (34) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (34) Debug: EXPAND Response-Packet-Type (34) Debug: --> Access-Challenge (34) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (34) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (34) Debug: attr_filter.access_challenge: EXPAND %{User-Name} (34) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net (34) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12 (34) Debug: [attr_filter.access_challenge.post-auth] = updated (34) Debug: [handled] = handled (34) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (34) Debug: } # Auth-Type vpn-eap = handled (34) Debug: Using Post-Auth-Type Challenge (34) Debug: Post-Auth-Type sub-section not found. Ignoring. (34) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (34) Debug: Sent Access-Challenge Id 73 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0 (34) Debug: EAP-Message = 0x017104000dc000000ee616030100 5902000055030158fa35e7aba06da2f649d15b2f089f33f9657525d4ea7f be38c0683b6d562b0d204c1a18aa8cc88018d71230199577025e1582f0af 81dbdc9ec817bb59968b8b07c01400000dff01000100000b000403000102 1603010b980b000b94000b910005bd (34) Debug: Message-Authenticator = 0x00000000000000000000000000000000 (34) Debug: State = 0x6aae3f2e6bdf326be20d66152c93ce20 (34) Debug: Finished request (35) Debug: Received Access-Request Id 74 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93 (35) Debug: User-Name = "adambishop.dev.ja.net" (35) Debug: State = 0x6aae3f2e6bdf326be20d66152c93ce20 (35) Debug: EAP-Message = 0x027100060d00 (35) Debug: Message-Authenticator = 0xa0a4c2467a10884786f7e69f8629f39d (35) Debug: NAS-IP-Address = 172.25.0.176 (35) Debug: session-state: No cached attributes (35) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn (35) Debug: authorize { (35) Debug: update request { (35) Debug: } # update request = noop (35) Debug: [mschap] = noop (35) Debug: policy ntlm_auth.authorize { (35) Debug: if (!control:Auth-Type && User-Password) { (35) Debug: if (!control:Auth-Type && User-Password) -> FALSE (35) Debug: } # policy ntlm_auth.authorize = updated (35) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 113 length 6 (35) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation (35) Debug: [vpn-eap] = updated (35) Debug: } # authorize = updated (35) Debug: Found Auth-Type = vpn-eap (35) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (35) Debug: Auth-Type vpn-eap { (35) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6bdf326b (35) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6bdf326b (35) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6bdf326b, released from the list (35) Debug: vpn-eap: Peer sent packet with method EAP TLS (13) (35) Debug: vpn-eap: Calling submodule eap_tls to process data (35) Debug: eap_tls: Continuing EAP-TLS (35) Debug: eap_tls: Peer ACKed our handshake fragment (35) Debug: eap_tls: [eaptls verify] = request (35) Debug: eap_tls: [eaptls process] = handled (35) Debug: vpn-eap: Sending EAP Request (code 1) ID 114 length 1024 (35) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e68dc326b (35) Debug: [vpn-eap] = handled (35) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (35) Debug: EXPAND Response-Packet-Type (35) Debug: --> Access-Challenge (35) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (35) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (35) Debug: attr_filter.access_challenge: EXPAND %{User-Name} (35) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net (35) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12 (35) Debug: [attr_filter.access_challenge.post-auth] = updated (35) Debug: [handled] = handled (35) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (35) Debug: } # Auth-Type vpn-eap = handled (35) Debug: Using Post-Auth-Type Challenge (35) Debug: Post-Auth-Type sub-section not found. Ignoring. (35) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (35) Debug: Sent Access-Challenge Id 74 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0 (35) Debug: EAP-Message = 0x017204000dc000000ee67073312e 6465762e6a612e6e657482106f727073322e6465762e6a612e6e6574300d 06092a864886f70d01010b050003820201003538a5bfb66c1d80c153bea4 bde8797b5771787c349c00a0afb3007452b8263dcfe5f33e97a63b77a618 acc517c74bc965a5636510377123aa (35) Debug: Message-Authenticator = 0x00000000000000000000000000000000 (35) Debug: State = 0x6aae3f2e68dc326be20d66152c93ce20 (35) Debug: Finished request (36) Debug: Received Access-Request Id 75 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93 (36) Debug: User-Name = "adambishop.dev.ja.net" (36) Debug: State = 0x6aae3f2e68dc326be20d66152c93ce20 (36) Debug: EAP-Message = 0x027200060d00 (36) Debug: Message-Authenticator = 0x30592ba50305fc9c46f668bdff6e0501 (36) Debug: NAS-IP-Address = 172.25.0.176 (36) Debug: session-state: No cached attributes (36) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn (36) Debug: authorize { (36) Debug: update request { (36) Debug: } # update request = noop (36) Debug: [mschap] = noop (36) Debug: policy ntlm_auth.authorize { (36) Debug: if (!control:Auth-Type && User-Password) { (36) Debug: if (!control:Auth-Type && User-Password) -> FALSE (36) Debug: } # policy ntlm_auth.authorize = updated (36) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 114 length 6 (36) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation (36) Debug: [vpn-eap] = updated (36) Debug: } # authorize = updated (36) Debug: Found Auth-Type = vpn-eap (36) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (36) Debug: Auth-Type vpn-eap { (36) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e68dc326b (36) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e68dc326b (36) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e68dc326b, released from the list (36) Debug: vpn-eap: Peer sent packet with method EAP TLS (13) (36) Debug: vpn-eap: Calling submodule eap_tls to process data (36) Debug: eap_tls: Continuing EAP-TLS (36) Debug: eap_tls: Peer ACKed our handshake fragment (36) Debug: eap_tls: [eaptls verify] = request (36) Debug: eap_tls: [eaptls process] = handled (36) Debug: vpn-eap: Sending EAP Request (code 1) ID 115 length 1024 (36) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e69dd326b (36) Debug: [vpn-eap] = handled (36) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (36) Debug: EXPAND Response-Packet-Type (36) Debug: --> Access-Challenge (36) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (36) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (36) Debug: attr_filter.access_challenge: EXPAND %{User-Name} (36) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net (36) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12 (36) Debug: [attr_filter.access_challenge.post-auth] = updated (36) Debug: [handled] = handled (36) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (36) Debug: } # Auth-Type vpn-eap = handled (36) Debug: Using Post-Auth-Type Challenge (36) Debug: Post-Auth-Type sub-section not found. Ignoring. (36) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (36) Debug: Sent Access-Challenge Id 75 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0 (36) Debug: EAP-Message = 0x017304000dc000000ee6a8a10366 b1a69070f32e9c2285917ba83b5fa6d7c9d736385ae3a898a989b4868c71 3e653962ef9c0e7842f3eb3597fbb63b193af9330d984af5dbed07fe8271 963a833187f2c99189b6001b54a8e3cc4fda9f07abeb2c3f8d9701bbd0de 99a0781ad8cf5ef90ba0cbd528ecbd (36) Debug: Message-Authenticator = 0x00000000000000000000000000000000 (36) Debug: State = 0x6aae3f2e69dd326be20d66152c93ce20 (36) Debug: Finished request (37) Debug: Received Access-Request Id 76 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93 (37) Debug: User-Name = "adambishop.dev.ja.net" (37) Debug: State = 0x6aae3f2e69dd326be20d66152c93ce20 (37) Debug: EAP-Message = 0x027300060d00 (37) Debug: Message-Authenticator = 0xf2e97357da0c1ddd3ce4e45675dc4c85 (37) Debug: NAS-IP-Address = 172.25.0.176 (37) Debug: session-state: No cached attributes (37) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn (37) Debug: authorize { (37) Debug: update request { (37) Debug: } # update request = noop (37) Debug: [mschap] = noop (37) Debug: policy ntlm_auth.authorize { (37) Debug: if (!control:Auth-Type && User-Password) { (37) Debug: if (!control:Auth-Type && User-Password) -> FALSE (37) Debug: } # policy ntlm_auth.authorize = updated (37) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 115 length 6 (37) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation (37) Debug: [vpn-eap] = updated (37) Debug: } # authorize = updated (37) Debug: Found Auth-Type = vpn-eap (37) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (37) Debug: Auth-Type vpn-eap { (37) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e69dd326b (37) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e69dd326b (37) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e69dd326b, released from the list (37) Debug: vpn-eap: Peer sent packet with method EAP TLS (13) (37) Debug: vpn-eap: Calling submodule eap_tls to process data (37) Debug: eap_tls: Continuing EAP-TLS (37) Debug: eap_tls: Peer ACKed our handshake fragment (37) Debug: eap_tls: [eaptls verify] = request (37) Debug: eap_tls: [eaptls process] = handled (37) Debug: vpn-eap: Sending EAP Request (code 1) ID 116 length 782 (37) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6eda326b (37) Debug: [vpn-eap] = handled (37) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (37) Debug: EXPAND Response-Packet-Type (37) Debug: --> Access-Challenge (37) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE (37) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) { (37) Debug: attr_filter.access_challenge: EXPAND %{User-Name} (37) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net (37) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12 (37) Debug: [attr_filter.access_challenge.post-auth] = updated (37) Debug: [handled] = handled (37) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled (37) Debug: } # Auth-Type vpn-eap = handled (37) Debug: Using Post-Auth-Type Challenge (37) Debug: Post-Auth-Type sub-section not found. Ignoring. (37) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (37) Debug: Sent Access-Challenge Id 76 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0 (37) Debug: EAP-Message = 0x0174030e0d8000000ee6a8e258b2 11b12d7b809f6b1bde4c3b17448fcecde979c5af6b160301024b0c000247 0300174104fca4d3a30ab92336ed8b6d06067e419da55aaed97101b578e7 fc14b09dfa959c3f9532ae1699fedcf0e48443395cb523fb353bc312cd99 b96436c8fb52730dde02002046f7c3 (37) Debug: Message-Authenticator = 0x00000000000000000000000000000000 (37) Debug: State = 0x6aae3f2e6eda326be20d66152c93ce20 (37) Debug: Finished request (38) Debug: Received Access-Request Id 77 from 172.25.0.176:52447 to 212.219.210.194:1812 length 104 (38) Debug: User-Name = "adambishop.dev.ja.net" (38) Debug: State = 0x6aae3f2e6eda326be20d66152c93ce20 (38) Debug: EAP-Message = 0x027400110d800000000715030100020100 (38) Debug: Message-Authenticator = 0x525697ff8dd586a2947f27df10721084 (38) Debug: NAS-IP-Address = 172.25.0.176 (38) Debug: session-state: No cached attributes (38) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn (38) Debug: authorize { (38) Debug: update request { (38) Debug: } # update request = noop (38) Debug: [mschap] = noop (38) Debug: policy ntlm_auth.authorize { (38) Debug: if (!control:Auth-Type && User-Password) { (38) Debug: if (!control:Auth-Type && User-Password) -> FALSE (38) Debug: } # policy ntlm_auth.authorize = updated (38) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 116 length 17 (38) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation (38) Debug: [vpn-eap] = updated (38) Debug: } # authorize = updated (38) Debug: Found Auth-Type = vpn-eap (38) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (38) Debug: Auth-Type vpn-eap { (38) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6eda326b (38) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6eda326b (38) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6eda326b, released from the list (38) Debug: vpn-eap: Peer sent packet with method EAP TLS (13) (38) Debug: vpn-eap: Calling submodule eap_tls to process data (38) Debug: eap_tls: Continuing EAP-TLS (38) Debug: eap_tls: Peer indicated complete TLS record size will be 7 bytes (38) Debug: eap_tls: Got complete TLS record (7 bytes) (38) Debug: eap_tls: [eaptls verify] = length included (38) ERROR: eap_tls: TLS_accept: Failed in SSLv3 read client certificate A (38) ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure (38) ERROR: eap_tls: System call (I/O) error (-1) (38) ERROR: eap_tls: TLS receive handshake failed during operation (38) ERROR: eap_tls: [eaptls process] = fail (38) ERROR: vpn-eap: Failed continuing EAP TLS (13) session. EAP sub-module failed (38) Debug: vpn-eap: Sending EAP Failure (code 4) ID 116 length 4 (38) Debug: vpn-eap: Failed in EAP select (38) Debug: [vpn-eap] = invalid (38) Debug: } # Auth-Type vpn-eap = invalid (38) Debug: Failed to authenticate the user (38) Debug: Using Post-Auth-Type Reject (38) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn (38) Debug: Post-Auth-Type REJECT { (38) Debug: attr_filter.access_reject: EXPAND %{User-Name} (38) Debug: attr_filter.access_reject: --> adambishop.dev.ja.net (38) Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11 (38) Debug: [attr_filter.access_reject] = updated (38) Debug: [eap] = noop (38) Debug: rp_log: EXPAND rp_log.%{%{reply:Packet-Type}:-format} (38) Debug: rp_log: --> rp_log.Access-Reject (38) Debug: rp_log: EXPAND radiusd-rp-log#DOMAIN=DEV# LOCATION=LH#SERVICE=%{%{Service-Class}:-NONE}#ORG=%{%{ request:operator-name}:-%{request:Stripped-User-Domain}} #USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{ reply:Chargeable-User-Identity}#RESULT=FAIL#VLAN=%{% {reply:Tunnel-Private-Group-ID}:-NONE}#CLIENT=%{client: shortname}#REPLY_MESSAGE=%{%{reply:reply-message}:-NONE}# MODULE_MESSAGE=%{%{%{request:Module-Failure-Message}:-%{ session-state:Module-Failure-Message}}:-NONE}# (38) Fri Apr 21 16:40:07 2017: Debug: rp_log: --> radiusd-rp-log#DOMAIN=DEV#LOCATION=LH#SERVICE=vpn#ORG=#USER= adambishop.dev.ja.net#CSI=#NAS=#CUI=#RESULT=FAIL# VLAN=NONE#CLIENT=castle-black.djn#REPLY_MESSAGE=NONE#MODULE_MESSAGE=eap_tls: TLS_accept: Failed in SSLv3 read client certificate A# (38) Debug: [rp_log] = ok (38) Debug: policy remove_reply_message_if_eap { (38) Debug: if (&reply:EAP-Message && &reply:Reply-Message) { (38) Debug: if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (38) Debug: else { (38) Debug: [noop] = noop (38) Debug: } # else = noop (38) Debug: } # policy remove_reply_message_if_eap = noop (38) Debug: } # Post-Auth-Type REJECT = updated (38) Debug: Delaying response for 1.000000 seconds (38) Debug: Sending delayed response (38) Debug: Sent Access-Reject Id 77 from 212.219.210.194:1812 to 172.25.0.176:52447 length 44 (38) Debug: EAP-Message = 0x04740004 (38) Debug: Message-Authenticator = 0x00000000000000000000000000000000 --- # radiusd -C -X FreeRADIUS Version 3.0.13 Copyright (C) 1999-2016 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... <snip> main { security { user = "radiusd" group = "radiusd" allow_core_dumps = no } name = "radiusd" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" } main { name = "radiusd" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/radius" run_dir = "/var/run/radiusd" libdir = "/usr/lib64/freeradius" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 60 cleanup_delay = 10 max_requests = 16384 pidfile = "/var/run/radiusd/radiusd.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes allow_vulnerable_openssl = "CVE-2016-6304" } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } realm LOCAL { nostrip } <snip> realm dev.ja.net { } radiusd: #### Loading Clients #### <snip> client 172.25.0.176 { ipaddr = 172.25.0.176 require_message_authenticator = yes secret = <<< secret >>> shortname = "castle-black.djn" nas_type = "other" virtual_server = "vpn" proto = "udp" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } <snip> Debugger not attached # Creating Auth-Type = mschap # Creating Auth-Type = PAP # Creating Auth-Type = MS-CHAP # Creating Auth-Type = eap # Creating Autz-Type = Status-Server # Creating Auth-Type = inner-eap # Creating Auth-Type = ntlm_auth # Creating Auth-Type = VPN # Creating Auth-Type = vpn-eap radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/raddb/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/raddb/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/raddb/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/raddb/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/raddb/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/raddb/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/raddb/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/raddb/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/raddb/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/raddb/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/raddb/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/raddb/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/raddb/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/raddb/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loaded module rlm_cache # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap cache cache_eap { driver = "rlm_cache_rbtree" key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}" ttl = 15 max_entries = 0 epoch = 0 add_stats = no } # Loaded module rlm_date # Loading module "date" from file /etc/raddb/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" } # Loaded module rlm_digest # Loading module "digest" from file /etc/raddb/mods-enabled/digest # Loaded module rlm_eap # Loading module "eap" from file /etc/raddb/mods-enabled/eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_exec # Loading module "echo" from file /etc/raddb/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loading module "exec" from file /etc/raddb/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration # Loaded module rlm_expr # Loading module "expr" from file /etc/raddb/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCD EFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇ ÈÉÊËÎÏÔŒÙÛÜŸ" } # Loaded module rlm_files # Loading module "files" from file /etc/raddb/mods-enabled/files files { filename = "/etc/raddb/mods-config/files/authorize" acctusersfile = "/etc/raddb/mods-config/files/accounting" preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy" } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog linelog { filename = "/var/log/radius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/raddb/mods-enabled/ linelog linelog log_accounting { filename = "/var/log/radius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_pap # Loading module "pap" from file /etc/raddb/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Loading module "suffix" from file /etc/raddb/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no default_community = "none" rp_realm = "none" trust_router = "none" tr_port = 0 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate # Loaded module rlm_soh # Loading module "soh" from file /etc/raddb/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_radutmp # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/radius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_unpack # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8 # Loaded module rlm_mschap # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap mschap { use_mppe = yes require_encryption = yes require_strong = yes with_ntdomain_hack = yes passchange { } allow_retry = yes retry_msg = "Your credentials were not accepted, please try again" winbind_retry_with_normalised_username = yes } # Loading module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap eap inner-eap { default_eap_type = "mschapv2" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 2048 } # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=DEV --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_redis # Loading module "redis" from file /etc/raddb/mods-enabled/redis redis { server = "127.0.0.1" port = 6379 database = 0 password = <<< secret >>> } rlm_redis: libhiredis version: 0.12.1 # Loading module "idp_log" from file /etc/raddb/mods-enabled/idp_log linelog idp_log { filename = "syslog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "idp_log.%{%{reply:Packet-Type}:-format}" } # Loading module "rp_log" from file /etc/raddb/mods-enabled/rp_log linelog rp_log { filename = "syslog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "rp_log.%{%{reply:Packet-Type}:-format}" } # Loading module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap eap vpn-eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 16384 } instantiate { } # Instantiating module "reject" from file /etc/raddb/mods-enabled/always # Instantiating module "fail" from file /etc/raddb/mods-enabled/always # Instantiating module "ok" from file /etc/raddb/mods-enabled/always # Instantiating module "handled" from file /etc/raddb/mods-enabled/always # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always # Instantiating module "noop" from file /etc/raddb/mods-enabled/always # Instantiating module "updated" from file /etc/raddb/mods-enabled/always # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT". [/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT". # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls-config tls-common { verify_depth = 0 ca_path = "/etc/raddb/certs" pem_file_type = yes private_key_file = "/etc/raddb/certs.d/DEV/server.pem" certificate_file = "/etc/raddb/certs.d/DEV/server.crt" dh_file = "/etc/raddb/certs.d/DEV/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = yes check_all_crl = yes cipher_list = "DEFAULT" cipher_server_preference = yes ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 name = "Default EAP Cache" max_entries = 16384 persist_dir = "/var/lib/radiusd/tlscache" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = yes } # Instantiating module "expiration" from file /etc/raddb/mods-enabled/ expiration # Instantiating module "files" from file /etc/raddb/mods-enabled/files reading pairlist file /etc/raddb/mods-config/files/authorize reading pairlist file /etc/raddb/mods-config/files/accounting reading pairlist file /etc/raddb/mods-config/files/pre-proxy # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/ linelog # Instantiating module "logintime" from file /etc/raddb/mods-enabled/ logintime # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap rlm_mschap (mschap): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 600 retry_delay = 30 spread = no } rlm_mschap (mschap): authenticating directly to winbind # Instantiating module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = yes } # Instantiating module "redis" from file /etc/raddb/mods-enabled/redis rlm_redis (redis): Initialising connection pool pool { start = 5 min = 3 max = 32 spare = 10 uses = 0 lifetime = 86400 cleanup_interval = 300 idle_timeout = 0 retry_delay = 10 spread = no } # Instantiating module "idp_log" from file /etc/raddb/mods-enabled/idp_log # Instantiating module "rp_log" from file /etc/raddb/mods-enabled/rp_log # Instantiating module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap # Linked to sub-module rlm_eap_tls tls { tls = "vpn-tls" } tls-config vpn-tls { verify_depth = 0 pem_file_type = yes private_key_file = "/etc/raddb/certs.d/DEV/vpn/server.pem" certificate_file = "/etc/raddb/certs.d/DEV/vpn/server.crt" ca_file = "/etc/raddb/certs.d/DEV/vpn/ca/root.crt" dh_file = "/etc/raddb/certs.d/DEV/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = yes check_all_crl = yes cipher_list = "DEFAULT" cipher_server_preference = yes ecdh_curve = "prime256v1" cache { enable = yes lifetime = 24 name = "Default EAP VPN Cache" max_entries = 16384 persist_dir = "/var/lib/radiusd/tlscache" } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = no use_nonce = yes timeout = 0 softfail = no } } } # modules Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800. Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800. - List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html