Hello, For some times now, Android 11 requires cert validation in WiFi connections (see [1]). At the same time, Android 11 also makes it much harder for end users to import self-signed root CA (see [2]). As I provide WiFi connectivity in BYOD environments and can't help end users when they import certs, I choosed to test PEAP/MSCHAPv2 with LetsEncrypt certs though I know this would be less secure than with self-signed root CA. I'm planning to generate and renew LetsEncrypt cert on a remote Internet-connected host, and then copy both privkey.pem and fullchain.pem files to Freeradius instance, as suggested by [3]. In my lab setup, I'm using a Samsung Galaxy Tab A7 Lite to test. Though being Android 11-powered, this device also allows Do-Not-Validate pre-Android 11 option ! When I connect to WiFi with this device, I'm using the following settings: Identity: bar Password: whateverneeded CA Certificate: use system certificate Online cert status: do not validate Domain: the exact CN value My lab setup includes: - a Freeradius 3.0.21 on Debian Bullseye - a Unifi WiFi Network 6.5.55 with WiFi AP - a Samsung Galaxy Tab A7 Lite - valid LetsEncrypt certs My certs files are copied into Freeradius host as: # ls -l /etc/freeradius/3.0/certs/letsencrypt/ total 12 -rw-r----- 1 freerad freerad 5604 27 juin 19:04 fullchain.pem -rw------- 1 freerad freerad 1704 27 juin 19:04 privkey.pem # openssl x509 -dates -noout -in /etc/freeradius/3.0/certs/letsencrypt/fullchain.pem notBefore=May 28 17:32:21 2022 GMT notAfter=Aug 26 17:32:20 2022 GMT [1] https://internet-access-guide.com/android-wifi-ca-certificate-do-not-validat... [2] https://httptoolkit.tech/blog/android-11-trust-ca-certificates/ [3] https://framebyframewifi.net/2017/01/29/use-lets-encrypt-certificates-with-f... When I connect to WiFi, this is part of freeradius -X output: # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } ... rlm_mschap (mschap): using internal authentication # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap # Linked to sub-module rlm_eap_md5 # Linked to sub-module rlm_eap_leap # Linked to sub-module rlm_eap_gtc gtc { challenge = "Password: " auth_type = "PAP" } # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/3.0/certs" pem_file_type = yes private_key_file = "/etc/freeradius/3.0/certs/letsencrypt/privkey.pem" certificate_file = "/etc/freeradius/3.0/certs/letsencrypt/fullchain.pem" ca_file = "/etc/ssl/certs/ca-certificates.crt" private_key_password = <<< secret >>> dh_file = "/etc/freeradius/3.0/certs/dh" fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no cipher_list = "DEFAULT" cipher_server_preference = no ecdh_curve = "prime256v1" disable_tlsv1 = yes disable_tlsv1_1 = yes tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = no lifetime = 24 max_entries = 255 } verify { skip_if_ocsp_ok = no } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Please use tls_min_version and tls_max_version instead of disable_tlsv1 Please use tls_min_version and tls_max_version instead of disable_tlsv1_2 # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/3.0/radiusd.conf } # server server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel # Loading authenticate {...} # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:336 } # server inner-tunnel server default { # from file /etc/freeradius/3.0/sites-enabled/default # Loading authenticate {...} # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading post-proxy {...} # Loading post-auth {...} } # server default radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipaddr = * port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "auth" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } listen { type = "acct" ipv6addr = :: port = 0 limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 bound to server default Listening on acct address * port 1813 bound to server default Listening on auth address :: port 1812 bound to server default Listening on acct address :: port 1813 bound to server default Listening on proxy address * port 56401 Listening on proxy address :: port 45775 Ready to process requests (26) eap: Peer sent EAP Response (code 2) ID 1 length 141 (26) eap: Continuing tunnel setup (26) [eap] = ok (26) } # authorize = ok (26) Found Auth-Type = eap (26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (26) authenticate { (26) eap: Expiring EAP session with state 0xc733062dc6321fce (26) eap: Finished EAP session with state 0xc733062dc6321fce (26) eap: Previous EAP request found for state 0xc733062dc6321fce, released from the list (26) eap: Peer sent packet with method EAP PEAP (25) (26) eap: Calling submodule eap_peap to process data (26) eap_peap: Continuing EAP-TLS (26) eap_peap: Peer indicated complete TLS record size will be 131 bytes (26) eap_peap: Got complete TLS record (131 bytes) (26) eap_peap: [eaptls verify] = length included (26) eap_peap: (other): before SSL initialization (26) eap_peap: TLS_accept: before SSL initialization (26) eap_peap: TLS_accept: before SSL initialization (26) eap_peap: <<< recv TLS 1.3 [length 007e] (26) eap_peap: TLS_accept: SSLv3/TLS read client hello (26) eap_peap: >>> send TLS 1.2 [length 003d] (26) eap_peap: TLS_accept: SSLv3/TLS write server hello (26) eap_peap: >>> send TLS 1.2 [length 0fbe] (26) eap_peap: TLS_accept: SSLv3/TLS write certificate (26) eap_peap: >>> send TLS 1.2 [length 014d] (26) eap_peap: TLS_accept: SSLv3/TLS write key exchange (26) eap_peap: >>> send TLS 1.2 [length 0004] (26) eap_peap: TLS_accept: SSLv3/TLS write server done (26) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done (26) eap_peap: TLS - In Handshake Phase (26) eap_peap: TLS - got 4448 bytes of data (26) eap_peap: [eaptls process] = handled (26) eap: Sending EAP Request (code 1) ID 2 length 1004 (26) eap: EAP session adding &reply:State = 0xc733062dc5311fce (26) [eap] = handled (26) } # authenticate = handled (26) Using Post-Auth-Type Challenge (26) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (26) Challenge { ... } # empty sub-section is ignored (26) Sent Access-Challenge Id 43 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (26) EAP-Message = 0x010203ec19c000001160160303003d020000390303af5657898d92eefe5085a4ad3604bed4f0f0b48e39cd7ada954fbee1b104098800c02f000011ff01000100000b000403000102001700001603030fbe0b000fba000fb70005303082052c30820414a003020102021203734b50cf2bcbeb7c22ada836c00a3f624f300d06092a864886f70d01010b05003032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b3009060355040313025233301e170d3232303532383137333232315a170d3232303832363137333232305a301e311c301a06035504031313686f7374332e706572656e69702e636c6f756430820122300d06092a864886f70d01010105000382010f003082010a0282010100e653da7ed722cc166a21b4055852edc8973b7daa624eb8897805f735be194e49d231f0d04e2d091679c8a1f9075bf6051d24661042467c293e77827ed8de02eacf8132699f9aac89cb9471f1857c292dca4cc9d69608d7 (26) Message-Authenticator = 0x00000000000000000000000000000000 (26) State = 0xc733062dc5311fceda200d98107c2728 (26) Finished request Waking up in 4.9 seconds. (27) Received Access-Request Id 44 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (27) User-Name = "bar" (27) NAS-IP-Address = 192.168.1.50 (27) NAS-Identifier = "f09fc2f50d43" (27) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (27) NAS-Port-Type = Wireless-802.11 (27) Service-Type = Framed-User (27) Calling-Station-Id = "2E-9A-17-FA-78-FA" (27) Connect-Info = "CONNECT 0Mbps 802.11b" (27) Acct-Session-Id = "2087B41CCAAC0F74" (27) Acct-Multi-Session-Id = "C546EF77BB09F037" (27) WLAN-Pairwise-Cipher = 1027076 (27) WLAN-Group-Cipher = 1027076 (27) WLAN-AKM-Suite = 1027073 (27) Framed-MTU = 1400 (27) EAP-Message = 0x020200061900 (27) State = 0xc733062dc5311fceda200d98107c2728 (27) Message-Authenticator = 0x39f4e95b5909f1152843a2e02fbaffde (27) session-state: No cached attributes (27) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (27) authorize { (27) policy filter_username { (27) if (&User-Name) { (27) if (&User-Name) -> TRUE (27) if (&User-Name) { (27) if (&User-Name =~ / /) { (27) if (&User-Name =~ / /) -> FALSE (27) if (&User-Name =~ /@[^@]*@/ ) { (27) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (27) if (&User-Name =~ /\.\./ ) { (27) if (&User-Name =~ /\.\./ ) -> FALSE (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (27) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (27) if (&User-Name =~ /\.$/) { (27) if (&User-Name =~ /\.$/) -> FALSE (27) if (&User-Name =~ /@\./) { (27) if (&User-Name =~ /@\./) -> FALSE (27) } # if (&User-Name) = notfound (27) } # policy filter_username = notfound (27) [preprocess] = ok (27) [chap] = noop (27) [mschap] = noop (27) [digest] = noop (27) suffix: Checking for suffix after "@" (27) suffix: No '@' in User-Name = "bar", looking up realm NULL (27) suffix: No such realm "NULL" (27) [suffix] = noop (27) eap: Peer sent EAP Response (code 2) ID 2 length 6 (27) eap: Continuing tunnel setup (27) [eap] = ok (27) } # authorize = ok (27) Found Auth-Type = eap (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (27) authenticate { (27) eap: Expiring EAP session with state 0xc733062dc5311fce (27) eap: Finished EAP session with state 0xc733062dc5311fce (27) eap: Previous EAP request found for state 0xc733062dc5311fce, released from the list (27) eap: Peer sent packet with method EAP PEAP (25) (27) eap: Calling submodule eap_peap to process data (27) eap_peap: Continuing EAP-TLS (27) eap_peap: Peer ACKed our handshake fragment (27) eap_peap: [eaptls verify] = request (27) eap_peap: [eaptls process] = handled (27) eap: Sending EAP Request (code 1) ID 3 length 1000 (27) eap: EAP session adding &reply:State = 0xc733062dc4301fce (27) [eap] = handled (27) } # authenticate = handled (27) Using Post-Auth-Type Challenge (27) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (27) Challenge { ... } # empty sub-section is ignored (27) Sent Access-Challenge Id 44 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (27) EAP-Message = 0x010303e81940cca15e2a9dd6bfa61b4d866fdcc7284c9a6a860076002979bef09e393921f056739f63a577e5be577d9c600af8f94d5d265c255dc784000001810bf0d4030000040300473045022037d7b0385f16f2b16e8903082d51bb15604c0262cd7473239d165e5ca5a858740221009c92c932de42f9d7883a89cd8ddc171d91a0f5b0d2e77b6886d1ea473f7fbe17300d06092a864886f70d01010b05000382010100731334fe1bbdc145631a0ddd0e7174e87df1da2cf6b032521bba82995c0460886e5b751c5f0b417ad32fa987caac9f61be48ec68673e33bc5a1deebe1004c5546cb3ef098495ab393bd60c614e132ad13e5fe0ca56106aeb92cf1f4e6de2f8f736bc1e94b7659439b711b931ba2174abb85ef05347b7d82f18411fe147f74939fbe311977c50c90b7c7720e890b59300fef66c0c7b84cd536cbde1aee6231f21550751613cba3ad52f48c82b2cc0de8e38764ba3c988a8cd37994500c1233288e294319b95c4600a48b3094eadf3ac1d68bf (27) Message-Authenticator = 0x00000000000000000000000000000000 (27) State = 0xc733062dc4301fceda200d98107c2728 (27) Finished request Waking up in 4.9 seconds. (28) Received Access-Request Id 45 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (28) User-Name = "bar" (28) NAS-IP-Address = 192.168.1.50 (28) NAS-Identifier = "f09fc2f50d43" (28) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (28) NAS-Port-Type = Wireless-802.11 (28) Service-Type = Framed-User (28) Calling-Station-Id = "2E-9A-17-FA-78-FA" (28) Connect-Info = "CONNECT 0Mbps 802.11b" (28) Acct-Session-Id = "2087B41CCAAC0F74" (28) Acct-Multi-Session-Id = "C546EF77BB09F037" (28) WLAN-Pairwise-Cipher = 1027076 (28) WLAN-Group-Cipher = 1027076 (28) WLAN-AKM-Suite = 1027073 (28) Framed-MTU = 1400 (28) EAP-Message = 0x020300061900 (28) State = 0xc733062dc4301fceda200d98107c2728 (28) Message-Authenticator = 0x441e1d2d2df0e955fe4065c44cb93a6b (28) session-state: No cached attributes (28) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (28) authorize { (28) policy filter_username { (28) if (&User-Name) { (28) if (&User-Name) -> TRUE (28) if (&User-Name) { (28) if (&User-Name =~ / /) { (28) if (&User-Name =~ / /) -> FALSE (28) if (&User-Name =~ /@[^@]*@/ ) { (28) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (28) if (&User-Name =~ /\.\./ ) { (28) if (&User-Name =~ /\.\./ ) -> FALSE (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (28) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (28) if (&User-Name =~ /\.$/) { (28) if (&User-Name =~ /\.$/) -> FALSE (28) if (&User-Name =~ /@\./) { (28) if (&User-Name =~ /@\./) -> FALSE (28) } # if (&User-Name) = notfound (28) } # policy filter_username = notfound (28) [preprocess] = ok (28) [chap] = noop (28) [mschap] = noop (28) [digest] = noop (28) suffix: Checking for suffix after "@" (28) suffix: No '@' in User-Name = "bar", looking up realm NULL (28) suffix: No such realm "NULL" (28) [suffix] = noop (28) eap: Peer sent EAP Response (code 2) ID 3 length 6 (28) eap: Continuing tunnel setup (28) [eap] = ok (28) } # authorize = ok (28) Found Auth-Type = eap (28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (28) authenticate { (28) eap: Expiring EAP session with state 0xc733062dc4301fce (28) eap: Finished EAP session with state 0xc733062dc4301fce (28) eap: Previous EAP request found for state 0xc733062dc4301fce, released from the list (28) eap: Peer sent packet with method EAP PEAP (25) (28) eap: Calling submodule eap_peap to process data (28) eap_peap: Continuing EAP-TLS (28) eap_peap: Peer ACKed our handshake fragment (28) eap_peap: [eaptls verify] = request (28) eap_peap: [eaptls process] = handled (28) eap: Sending EAP Request (code 1) ID 4 length 1000 (28) eap: EAP session adding &reply:State = 0xc733062dc3371fce (28) [eap] = handled (28) } # authenticate = handled (28) Using Post-Auth-Type Challenge (28) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (28) Challenge { ... } # empty sub-section is ignored (28) Sent Access-Challenge Id 45 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (28) EAP-Message = 0x010403e8194001ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10 (28) Message-Authenticator = 0x00000000000000000000000000000000 (28) State = 0xc733062dc3371fceda200d98107c2728 (28) Finished request Waking up in 4.9 seconds. (29) Received Access-Request Id 46 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (29) User-Name = "bar" (29) NAS-IP-Address = 192.168.1.50 (29) NAS-Identifier = "f09fc2f50d43" (29) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (29) NAS-Port-Type = Wireless-802.11 (29) Service-Type = Framed-User (29) Calling-Station-Id = "2E-9A-17-FA-78-FA" (29) Connect-Info = "CONNECT 0Mbps 802.11b" (29) Acct-Session-Id = "2087B41CCAAC0F74" (29) Acct-Multi-Session-Id = "C546EF77BB09F037" (29) WLAN-Pairwise-Cipher = 1027076 (29) WLAN-Group-Cipher = 1027076 (29) WLAN-AKM-Suite = 1027073 (29) Framed-MTU = 1400 (29) EAP-Message = 0x020400061900 (29) State = 0xc733062dc3371fceda200d98107c2728 (29) Message-Authenticator = 0x662064b545b5aa385ea1ebd63c5d881b (29) session-state: No cached attributes (29) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (29) authorize { (29) policy filter_username { (29) if (&User-Name) { (29) if (&User-Name) -> TRUE (29) if (&User-Name) { (29) if (&User-Name =~ / /) { (29) if (&User-Name =~ / /) -> FALSE (29) if (&User-Name =~ /@[^@]*@/ ) { (29) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (29) if (&User-Name =~ /\.\./ ) { (29) if (&User-Name =~ /\.\./ ) -> FALSE (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (29) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (29) if (&User-Name =~ /\.$/) { (29) if (&User-Name =~ /\.$/) -> FALSE (29) if (&User-Name =~ /@\./) { (29) if (&User-Name =~ /@\./) -> FALSE (29) } # if (&User-Name) = notfound (29) } # policy filter_username = notfound (29) [preprocess] = ok (29) [chap] = noop (29) [mschap] = noop (29) [digest] = noop (29) suffix: Checking for suffix after "@" (29) suffix: No '@' in User-Name = "bar", looking up realm NULL (29) suffix: No such realm "NULL" (29) [suffix] = noop (29) eap: Peer sent EAP Response (code 2) ID 4 length 6 (29) eap: Continuing tunnel setup (29) [eap] = ok (29) } # authorize = ok (29) Found Auth-Type = eap (29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (29) authenticate { (29) eap: Expiring EAP session with state 0xc733062dc3371fce (29) eap: Finished EAP session with state 0xc733062dc3371fce (29) eap: Previous EAP request found for state 0xc733062dc3371fce, released from the list (29) eap: Peer sent packet with method EAP PEAP (25) (29) eap: Calling submodule eap_peap to process data (29) eap_peap: Continuing EAP-TLS (29) eap_peap: Peer ACKed our handshake fragment (29) eap_peap: [eaptls verify] = request (29) eap_peap: [eaptls process] = handled (29) eap: Sending EAP Request (code 1) ID 5 length 1000 (29) eap: EAP session adding &reply:State = 0xc733062dc2361fce (29) [eap] = handled (29) } # authenticate = handled (29) Using Post-Auth-Type Challenge (29) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (29) Challenge { ... } # empty sub-section is ignored (29) Sent Access-Challenge Id 46 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (29) EAP-Message = 0x010503e81940f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd0 (29) Message-Authenticator = 0x00000000000000000000000000000000 (29) State = 0xc733062dc2361fceda200d98107c2728 (29) Finished request Waking up in 4.8 seconds. (30) Received Access-Request Id 47 from 192.168.1.50:58452 to 192.168.1.244:1812 length 231 (30) User-Name = "bar" (30) NAS-IP-Address = 192.168.1.50 (30) NAS-Identifier = "f09fc2f50d43" (30) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (30) NAS-Port-Type = Wireless-802.11 (30) Service-Type = Framed-User (30) Calling-Station-Id = "2E-9A-17-FA-78-FA" (30) Connect-Info = "CONNECT 0Mbps 802.11b" (30) Acct-Session-Id = "2087B41CCAAC0F74" (30) Acct-Multi-Session-Id = "C546EF77BB09F037" (30) WLAN-Pairwise-Cipher = 1027076 (30) WLAN-Group-Cipher = 1027076 (30) WLAN-AKM-Suite = 1027073 (30) Framed-MTU = 1400 (30) EAP-Message = 0x020500061900 (30) State = 0xc733062dc2361fceda200d98107c2728 (30) Message-Authenticator = 0xdb1a11eda65bfd28f2bae8a4467c4bea (30) session-state: No cached attributes (30) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (30) authorize { (30) policy filter_username { (30) if (&User-Name) { (30) if (&User-Name) -> TRUE (30) if (&User-Name) { (30) if (&User-Name =~ / /) { (30) if (&User-Name =~ / /) -> FALSE (30) if (&User-Name =~ /@[^@]*@/ ) { (30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (30) if (&User-Name =~ /\.\./ ) { (30) if (&User-Name =~ /\.\./ ) -> FALSE (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (30) if (&User-Name =~ /\.$/) { (30) if (&User-Name =~ /\.$/) -> FALSE (30) if (&User-Name =~ /@\./) { (30) if (&User-Name =~ /@\./) -> FALSE (30) } # if (&User-Name) = notfound (30) } # policy filter_username = notfound (30) [preprocess] = ok (30) [chap] = noop (30) [mschap] = noop (30) [digest] = noop (30) suffix: Checking for suffix after "@" (30) suffix: No '@' in User-Name = "bar", looking up realm NULL (30) suffix: No such realm "NULL" (30) [suffix] = noop (30) eap: Peer sent EAP Response (code 2) ID 5 length 6 (30) eap: Continuing tunnel setup (30) [eap] = ok (30) } # authorize = ok (30) Found Auth-Type = eap (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (30) authenticate { (30) eap: Expiring EAP session with state 0xc733062dc2361fce (30) eap: Finished EAP session with state 0xc733062dc2361fce (30) eap: Previous EAP request found for state 0xc733062dc2361fce, released from the list (30) eap: Peer sent packet with method EAP PEAP (25) (30) eap: Calling submodule eap_peap to process data (30) eap_peap: Continuing EAP-TLS (30) eap_peap: Peer ACKed our handshake fragment (30) eap_peap: [eaptls verify] = request (30) eap_peap: [eaptls process] = handled (30) eap: Sending EAP Request (code 1) ID 6 length 478 (30) eap: EAP session adding &reply:State = 0xc733062dc1351fce (30) [eap] = handled (30) } # authenticate = handled (30) Using Post-Auth-Type Challenge (30) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (30) Challenge { ... } # empty sub-section is ignored (30) Sent Access-Challenge Id 47 from 192.168.1.244:1812 to 192.168.1.50:58452 length 0 (30) EAP-Message = 0x010601de1900676dc257c5463941cf8a5883586d99fe57e8360ef00e23aafd8897d0e35c0e9449b5b51735d22ebf4e85ef18e08592eb063b6c29230960dc45024c12183be9fb0ededc44f85898aeeabd4545a1885d66cafe10e96f82c811420dfbe9ece38600de9d10e338faa47db1d8e8498284069b2be86b4f010c38772ef9dde739160303014d0c0001490300174104182d51bb94eedf8e4d45ba672b11c1683550862e7b3cbcc4c060eeb4bb6a788ba97e3226321cf8ba7055f70228fd8fbd726b203aaecea3297f2f15e87c0e13190804010065efa44cf7b89671f95ce0791208321c652e630ca175e1c4c11946ffa99a7ecddf6f6e5bc8b7689bca97ea17a48c085474e867dc62b2102a477c4a022336e02e2e4e38d5542a7c69276d22fd961b4022e88c54c7fe6fad2d1176b734f007a2af32ae3fd62b53a6fcd2da0b78040ee68241e4435189e87093b227e4f4f9ebb3c1b3da591bd3c129f70dcd71fca22d92ceaa6318dfcf6397a92d127e2a999be84a9be8 (30) Message-Authenticator = 0x00000000000000000000000000000000 (30) State = 0xc733062dc1351fceda200d98107c2728 (30) Finished request Waking up in 4.8 seconds. (31) Received Access-Request Id 48 from 192.168.1.50:58452 to 192.168.1.244:1812 length 242 (31) User-Name = "bar" (31) NAS-IP-Address = 192.168.1.50 (31) NAS-Identifier = "f09fc2f50d43" (31) Called-Station-Id = "F0-9F-C2-F5-0D-43:MyCompany" (31) NAS-Port-Type = Wireless-802.11 (31) Service-Type = Framed-User (31) Calling-Station-Id = "2E-9A-17-FA-78-FA" (31) Connect-Info = "CONNECT 0Mbps 802.11b" (31) Acct-Session-Id = "2087B41CCAAC0F74" (31) Acct-Multi-Session-Id = "C546EF77BB09F037" (31) WLAN-Pairwise-Cipher = 1027076 (31) WLAN-Group-Cipher = 1027076 (31) WLAN-AKM-Suite = 1027073 (31) Framed-MTU = 1400 (31) EAP-Message = 0x020600111980000000071503030002022d (31) State = 0xc733062dc1351fceda200d98107c2728 (31) Message-Authenticator = 0x96fa48935246587652cd6219e8243639 (31) session-state: No cached attributes (31) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (31) authorize { (31) policy filter_username { (31) if (&User-Name) { (31) if (&User-Name) -> TRUE (31) if (&User-Name) { (31) if (&User-Name =~ / /) { (31) if (&User-Name =~ / /) -> FALSE (31) if (&User-Name =~ /@[^@]*@/ ) { (31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (31) if (&User-Name =~ /\.\./ ) { (31) if (&User-Name =~ /\.\./ ) -> FALSE (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (31) if (&User-Name =~ /\.$/) { (31) if (&User-Name =~ /\.$/) -> FALSE (31) if (&User-Name =~ /@\./) { (31) if (&User-Name =~ /@\./) -> FALSE (31) } # if (&User-Name) = notfound (31) } # policy filter_username = notfound (31) [preprocess] = ok (31) [chap] = noop (31) [mschap] = noop (31) [digest] = noop (31) suffix: Checking for suffix after "@" (31) suffix: No '@' in User-Name = "bar", looking up realm NULL (31) suffix: No such realm "NULL" (31) [suffix] = noop (31) eap: Peer sent EAP Response (code 2) ID 6 length 17 (31) eap: Continuing tunnel setup (31) [eap] = ok (31) } # authorize = ok (31) Found Auth-Type = eap (31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (31) authenticate { (31) eap: Expiring EAP session with state 0xc733062dc1351fce (31) eap: Finished EAP session with state 0xc733062dc1351fce (31) eap: Previous EAP request found for state 0xc733062dc1351fce, released from the list (31) eap: Peer sent packet with method EAP PEAP (25) (31) eap: Calling submodule eap_peap to process data (31) eap_peap: Continuing EAP-TLS (31) eap_peap: Peer indicated complete TLS record size will be 7 bytes (31) eap_peap: Got complete TLS record (7 bytes) (31) eap_peap: [eaptls verify] = length included (31) eap_peap: <<< recv TLS 1.2 [length 0002] (31) eap_peap: ERROR: TLS Alert read:fatal:certificate expired (31) eap_peap: TLS_accept: Need to read more data: error (31) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired (31) eap_peap: TLS - In Handshake Phase (31) eap_peap: TLS - Application data. (31) eap_peap: ERROR: TLS failed during operation (31) eap_peap: ERROR: [eaptls process] = fail (31) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (31) eap: Sending EAP Failure (code 4) ID 6 length 4 (31) eap: Failed in EAP select (31) [eap] = invalid (31) } # authenticate = invalid (31) Failed to authenticate the user (31) Using Post-Auth-Type Reject (31) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (31) Post-Auth-Type REJECT { (31) attr_filter.access_reject: EXPAND %{User-Name} (31) attr_filter.access_reject: --> bar (31) attr_filter.access_reject: Matched entry DEFAULT at line 11 (31) [attr_filter.access_reject] = updated (31) [eap] = noop (31) policy remove_reply_message_if_eap { (31) if (&reply:EAP-Message && &reply:Reply-Message) { (31) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (31) else { (31) [noop] = noop (31) } # else = noop (31) } # policy remove_reply_message_if_eap = noop (31) } # Post-Auth-Type REJECT = updated (31) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (31) Sending delayed response (31) Sent Access-Reject Id 48 from 192.168.1.244:1812 to 192.168.1.50:58452 length 44 (31) EAP-Message = 0x04060004 (31) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (24) Cleaning up request packet ID 41 with timestamp +308 How can I correct this ? Best regards