Hi, we have installed freeradius in conjunction with a 3com OfficeConnect Wireless AP, with WPA encryption. Our system is a Slackware Linux with kernel ver. 2.4.28. The 3Com OfficeConnect Wireless 11g Access Point model is 3CRWE454G72. We've installed the version 1.1.1 of Freeradius, and we used openssl to create the certificates for the server and the clients. We tried different configuration, read faq, discussion groups etc., but the system fails. The client start the EAP transaction, start TLS and receive the server certifcate, we have used WinXp as client and then WIN requests to the user the client certificate. After the choice of the certificate, the client remain blocked. Here we have posted the radius debug output: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/server.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/server.pem" tls: CA_file = "/usr/local/etc/raddb/certs/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap_tls: Loading the certificate file as a chain rlm_eap: Loaded and initialized type tls peap: default_eap_type = "mschapv2" peap: copy_request_to_tunnel = no peap: use_tunneled_reply = no peap: proxy_tunneled_request_as_eap = yes rlm_eap: Loaded and initialized type peap mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.254:3544, id=142, length=93 User-Name = "Roberto" NAS-IP-Address = 192.168.1.254 NAS-Identifier = "" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x028e000c01526f626572746f Message-Authenticator = 0xb55a7cf8add654a3a2f627a983584a26 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "Roberto", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 142 length 12 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry Roberto at line 216 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 142 to 192.168.1.254 port 3544 EAP-Message = 0x018f00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd31f2f5f5f870497aa396155166ca8fa Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.254:3545, id=143, length=179 User-Name = "Roberto" NAS-IP-Address = 192.168.1.254 NAS-Identifier = "" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0xd31f2f5f5f870497aa396155166ca8fa EAP-Message = 0x028f00500d800000004616030100410100003d0301442baf2655b72d4ab025b2d05ef8360e73f8ab6bf8fae204c1d19927387adafc00001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xe91e302630229d5e42eab44b6622c911 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "Roberto", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 143 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry Roberto at line 216 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 027f], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 007f], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 143 to 192.168.1.254 port 3545 EAP-Message = 0x019003610d8000000357160301004a020000460301442b8e5b6233434e31e800ab8a715ae577fa51d24f619d7ae5319bda5caa03c220ad755d37d34c5c822ea79225b05c557391c03a273ebc10acaaab6c0dfa976b0b000400160301027f0b00027b00027800027530820271308201daa003020102020900aa4ba0044b60a2cb300d06092a864886f70d0101040500306e310b3009060355040613024954310c300a060355040813036d6974310c300a060355040713036d6974310c300a060355040a13036d6974310c300a060355040b13036d6974310c300a060355040313036d69743119301706092a864886f70d010901160a6d6974406d69742e EAP-Message = 0x6974301e170d3036303332383038313430375a170d3037303332383038313430375a306e310b3009060355040613024954310c300a060355040813036d6974310c300a060355040713036d6974310c300a060355040a13036d6974310c300a060355040b13036d6974310c300a060355040313036d69743119301706092a864886f70d010901160a6d6974406d69742e697430819f300d06092a864886f70d010101050003818d0030818902818100d0b8d6c7706f408c87fe35a34030d908520460b43cd34fdfde0566b9e75602f45f65b30846e8a7d5ca2ff3237fc916c2c40b726de40ca004ea68bf6d3d1f106ed4584ea7f5d80fcbca7379059323 EAP-Message = 0x9a1a72a34b33d5b0cec0624543558c46e2b216e16ce47770465d55dcd9500cf70eb59f4ba70c7da4d2a7dea55419e700aa0d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000381810046fb8261e93111d30d2b1f794ef922d114f67a16eaef27c054589d013b37de7508ddcc26580852bcdfdd688ebf664f4e5fa04d2e45686268e1585556c57d70bbb17255d7d0dee55e8cdf20dd86850c9cc8b3c08ace49e46728e13c71641b78e1e8ab24b88401d1e04e574a07b272692f8ae0290e9178c8507f65296f03418435160301007f0d00007702010200720070306e310b300906035504 EAP-Message = 0x0613024954310c300a060355040813036d6974310c300a060355040713036d6974310c300a060355040a13036d6974310c300a060355040b13036d6974310c300a060355040313036d69743119301706092a864886f70d010901160a6d6974406d69742e69740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc317b1f0947b3868a6ce76d9107a6308 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.254:3546, id=144, length=105 User-Name = "Roberto" NAS-IP-Address = 192.168.1.254 NAS-Identifier = "" NAS-Port = 29 Service-Type = Framed-User Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 State = 0xc317b1f0947b3868a6ce76d9107a6308 EAP-Message = 0x029000060d00 Message-Authenticator = 0x80e0d9154111b75e2f24f084b9bd4d6a Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "Roberto", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 144 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry Roberto at line 216 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 144 to 192.168.1.254 port 3546 EAP-Message = 0x0191000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x75ac3a428d93b0ba22431963a01bd5fd Finished request 2 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 142 with timestamp 442b8e5b Cleaning up request 1 ID 143 with timestamp 442b8e5b Cleaning up request 2 ID 144 with timestamp 442b8e5b Nothing to do. Sleeping until we see a request. Have you some idea on how can we solve the problem? thanks for any support