Hi, I'm having a problem with my radius server with TLS and TTLS authentication protocols. My current configuration works with simple MD5 and PEAP but fails with TLS and TTLS. I am using freeradius v2.1.10. Previously I was using freeradius v2.1.9 on a different linux box and didn't have the same problems. At the time I was successfully using the same configuration files for all the protocols. I can't figure out what is different now. The client is not a windows platform either so I don't think it's the common windows issues mentioned on the FAQ even though the warning message within the output would imply this. Again, I never saw this problem when running with the older v2.1.9 version of freeradius. As suggested on the wiki, i have included the suggested output below. Thanks. Matt The contents of my users file: testuser Cleartext-Password := "whatever" # md5 user user2 Cleartext-Password := "testing" user3 Cleartext-Password := "testing" The output of my radtest: csahwreg4:/users/mboyle/ws/gash_main/testsuites/dot1x[84]> radtest -d /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/default/ testuser whatever localhost 1812 testing123 Sending Access-Request of id 4 to 127.0.0.1 port 1812 User-Name = "testuser" User-Password = "whatever" NAS-IP-Address = 138.120.210.28 NAS-Port = 1812 rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=4, length=20 csahwreg4:/users/mboyle/ws/gash_main/testsuites/dot1x[85]> The debug output of the radiusd command: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Nov 1 2010 at 11:19:03 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/radiusd.conf including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/proxy.conf including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/clients.conf including files in directory /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_rewrite including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/krb5 including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/linelog including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/sql_log including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expr including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/inner-eap including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/chap including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ippool including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ntlm_auth including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/files including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/preprocess including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/smbpasswd including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/echo including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/pam including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mac2ip including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/pap including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/counter including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mschap including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/sradutmp including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/checkval including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mac2vlan including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/logintime including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/passwd including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/radutmp including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/cui including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/acct_unique including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/otp including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/unix including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/always including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/exec including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expiration including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/digest including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/ldap including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/smsotp including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/policy including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/realm including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_filter including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/wimax including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/perl including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/etc_group including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail.example.com including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/sqlcounter_expire_on_login including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail.log including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/eap.conf including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/policy.conf including files in directory /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/ including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/control-socket including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default including configuration file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/inner-tunnel main { allow_core_dumps = no } including dictionary file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/dictionary main { prefix = "/usr/global" localstatedir = "/var" logdir = "/var/log/radius" libdir = "/usr/global/lib/freeradius-2.1.10" radacctdir = "/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run//radiusd.pid" checkrad = "/usr/global/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = no zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 irt = 2 mrt = 16 mrc = 5 mrd = 30 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" login = "!root" password = "someadminpas" } client 192.168.255.0/24 { require_message_authenticator = no secret = "testing123" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/unix unix { radwtmp = "/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/eap.conf eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/server.pem" certificate_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/server.pem" CA_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/ca.pem" private_key_password = "whatever" dh_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/dh" random_file = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/files files { usersfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/users" acctusersfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/acct_users" preproxy_usersfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/radutmp radutmp { filename = "/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/preprocess preprocess { huntgroups = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/huntgroups" hints = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/detail detail { detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.255.1 port 49312, id=119, length=93 User-Name = "testuser" NAS-IP-Address = 138.120.210.29 NAS-Port = 38010880 State = 0xdd49e7f3de30fe9757a3fc0fc6955614 EAP-Message = 0x0277000d017465737475736572 Message-Authenticator = 0xb349b01f57c2fe1a0aec36df96359f1c # Executing section authorize from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 119 length 13 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry testuser at line 3 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.255.1 port 49312 EAP-Message = 0x017800061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec965d8cecee44fb4d8bbceb4458d522 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.1 port 49312, id=119, length=192 Cleaning up request 0 ID 119 with timestamp +28 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xec965d8cecee44fb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "testuser" NAS-IP-Address = 138.120.210.29 NAS-Port = 38010880 State = 0xec965d8cecee44fb4d8bbceb4458d522 EAP-Message = 0x0278007019800000006616030100610100005d03014d70058ee0655af152c0e724b6741c74136e3d548354be1e963f370b2234bf2d00003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100 Message-Authenticator = 0x42d70e806767446718452f51ccc1e5e5 # Executing section authorize from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 120 length 112 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 102 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0061], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange [peap] TLS_accept: SSLv3 write key exchange A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.255.1 port 49312 EAP-Message = 0x0179040019c000000a2d160301002a0200002603014d700273dfcb6b7bc149262d1830dad9b1e18fabc701dea59587d18b401b5e9200003900160301085e0b00085a0008570003a6308203a23082028aa003020102020102300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303330333230353333365a170d3132303330323230353333365a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100a32285766650c2373324c3727ab93b2a90b3e8a7d34f0646824eca4f6ea0274be4f5d4d8d701e0c0d22c68c71f500d73811315207b281a50aefa449731bd EAP-Message = 0x40df95cd4f764927e7102325987e933a91b6594817b13cfab2b10e8cb0f56a8b034db409049d30326162d8aafd12b6e930c688713b808cc85c9b60dd1ad158b98dcfabbac78cbbc0595360d5521c21e0b1370cccdad5512f356c4384582c846c771d54c15b226aaaf2e358b12214b6eb36144e75af1d192789efcc68cded9ff8c8161a6912b0badb9878472cd5714f7fa246d7dba82bbde2250cde6d223bb9cce737652a9d0a718b176eaf4e34089a727fad05b157ab4ddaaf2a45b59f99a10463230203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100d1d306f0df7ff08492 EAP-Message = 0x84ff486b464125ab59ff20d77b1320cb3d9b5a094c5ef39f2a7a11c64cb59bfc9027982761a8a1f65e3427357f320b760d12085a49c652591ef95d9d9adb7abf42685d0376a55512b02beb0ca52cb86a465583006be8d8fe220095901291a95dc030782ff7ddb86854753786ca1271f4074e02aba54582ab364b817cab75f5c788533afd1caa308ee749586b591db6317f5260b195922e7f7dc751c74b3bd150c4a98428b7bc1f357c8d5772acbb931f8e8e7472b5789174b8bf1ba8fde82e51b62347f05bf4083a2a08df0d8aa2045e037a1f0c5183b8c0c5d32741aeaa4b201dc565c28a1a51d48d61af7cb4e6133d1dd4d99a4670700004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec965d8cedef44fb4d8bbceb4458d522 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.1 port 49312, id=119, length=86 Cleaning up request 1 ID 119 with timestamp +28 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xec965d8cedef44fb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "testuser" NAS-IP-Address = 138.120.210.29 NAS-Port = 38010880 State = 0xec965d8cedef44fb4d8bbceb4458d522 EAP-Message = 0x027900061900 Message-Authenticator = 0x6c18d5570978030e54e5db55c56387b4 # Executing section authorize from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 121 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.255.1 port 49312 EAP-Message = 0x017a03fc194000f7697706395171f3300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303330333230353133355a170d3132303330323230353133355a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dc6ea4edbe4db69d4bd69d326323cdedb3338ff5723be976695f323d78072114aa95dfc6cd2eb3f53e9cf87b6b05c13fffed7ec3552718903d63183b44a709850c570d5a48f0f18ee99ea8c6cb909d77e9d96b49f730d5ee478a9f81c539a76e33d48787295893ef62391296c2db52 EAP-Message = 0xeee772007805c6254ed137f33c19bece6594b52ca67166980cf74ecf5d0ac57020b67ffe21ebcbeccd60984be329ec926dc666dc9dd03d9eaccba298e9001c378b80af004cbc65c3ce6dcda73c21f5a29f290d1dc115140f983d66805c1e9ac76261c4ddd0717019e8e0ee82fbdbed4357f62d48b6a5562301a59f0823e5d3f813c04be10e285f7e71b500a0e7e26c0eab0203010001a381fb3081f8301d0603551d0e04160414cbd9b86f2696ac67ca45b68e79c20922efe1cdfa3081c80603551d230481c03081bd8014cbd9b86f2696ac67ca45b68e79c20922efe1cdfaa18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900f7697706395171f3300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100be853339529a1e2a7cc494c6291ce912a33d81c089ec703836a052acaca622500c9aba2cac5b7240821bd651c032a3577e146016368573865ae1637d99b068dce4f6caf1114a71625b0a877c096b96405b90 EAP-Message = 0xee81783cfb132a81 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec965d8ceeec44fb4d8bbceb4458d522 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.1 port 49312, id=119, length=86 Cleaning up request 2 ID 119 with timestamp +28 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xec965d8ceeec44fb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "testuser" NAS-IP-Address = 138.120.210.29 NAS-Port = 38010880 State = 0xec965d8ceeec44fb4d8bbceb4458d522 EAP-Message = 0x027a00061900 Message-Authenticator = 0x9254622fc70a462364a5ff4a5ceb68a9 # Executing section authorize from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 122 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 119 to 192.168.255.1 port 49312 EAP-Message = 0x017b02471900870dcd2be5d84d70dc8fe5ff8853345779cc683f87fcbfb3103a549b568fa52c8f8284f1e9eee492b52d288c42571d94d76aab093b67fca9cc0a75161b84b46cf32128b4921d8a23064c7282ed9719aef7834453c0872ee0562ca3efcad21e24e839eb3fdcdd3a1616feddf2e2fe3ceec9b3a8100c438e5342cd3a9a0604ab0b0cbbe043617d5ffc343197f0f618fa81bb54212eb18eca4b47369bceeb80c11f6c91f1cf6bb1160301018d0c000189004083ace75d820fb0e461fdc6327ee023cd85361001cc4aa6b53540b0aeb31ffb806496f201d45eaba5ccb14fc9917cc37485b5140b3fa02c30566068a8a2a57833000102004061 EAP-Message = 0x8b363669d93b01e15b09e3755c24bcfc8de7efdc24547fa007d57096cfd884101aa191c786d4d2303833c206e28aeb1fd1d601ee02a26bb82254864f0b3d0601005238091945165edf3b6e638e6f7b6930cfd6a942056f0e5e3efce74d4b4956d12d7a5e7ee69e29c093231874ab76afaab6e2fce822b74818ec07b2a09c0166b7ae51d92e0551c89ef58adc7fbbf74a122260522746e2c56209cf7b677276ec9cef4ebff1e63636a1e07657ad3af4b428a43c4282b4ae50402422192723ef067636695a866bcef036bd7d2e1e1fed7b00758ea8f96e9a1e22c848c393162e79f8e05fb7a1c5e84f6cc9d4c49f841be4d8785830932530c8aa23bb58eb EAP-Message = 0x93f445f895b15e6bb06aaa7792f8c766d6a64d85d4d023bc2a839709a251c94b7fe2225d0d7964835c1932a401bd967ec6fdca56f22764dbf4af68f26339c25f0dec4ab816030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec965d8cefed44fb4d8bbceb4458d522 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.255.1 port 49312, id=119, length=97 Cleaning up request 3 ID 119 with timestamp +28 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xec965d8cefed44fb did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! User-Name = "testuser" NAS-IP-Address = 138.120.210.29 NAS-Port = 38010880 State = 0xec965d8cefed44fb4d8bbceb4458d522 EAP-Message = 0x027b001119800000000715030100020233 Message-Authenticator = 0x249feeaa383c0a20a88c331e98abbb41 # Executing section authorize from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 123 length 17 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert read:fatal:decrypt error TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:decrypt error): [testuser] (from client 192.168.255.0/24 port 38010880) Using Post-Auth-Type Reject # Executing group from file /users/mboyle/ws/gash_main/testsuites/dot1x/raddbs/tls/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 119 to 192.168.255.1 port 49312 EAP-Message = 0x047b0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 4.9 seconds. Cleaning up request 4 ID 119 with timestamp +29 Ready to process requests.