Hi, So I got everything working, and am able to run TLS in my android phone but when I try thru my iPhone or my MacBook I get SSL error on RADIUS debug. Amazingly same certificate work on my android phone without any issues. Can someone share what could be the issue? A snippet of the error: *(140) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A* *(140) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(140) eap_tls: ERROR: System call (I/O) error (-1)* *(140) eap_tls: ERROR: TLS receive handshake failed during operation* *(140) eap_tls: ERROR: [eaptls process] = fail* *(140) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed* Complete EAP debug from failed devices: (156) Received Access-Request Id 238 from 103.46.239.184:36499 to 192.168.253.6:1812 length 226 (156) Service-Type = Framed-User (156) Framed-MTU = 1400 (156) User-Name = "macbook" (156) NAS-Port-Id = "wlan1" (156) NAS-Port-Type = Wireless-802.11 (156) Acct-Session-Id = "8220002d" (156) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (156) Calling-Station-Id = "B8-C1-11-D1-4D-50" (156) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (156) EAP-Message = 0x0200000c016d6163626f6f6b (156) Message-Authenticator = 0x9b1b6d0c79559268e6cfb2a0cbe5240d (156) NAS-Identifier = "MikroTik" (156) NAS-IP-Address = 192.168.88.2 (156) # Executing section authorize from file /etc/raddb/sites-enabled/default (156) authorize { (156) policy filter_username { (156) if (&User-Name) { (156) if (&User-Name) -> TRUE (156) if (&User-Name) { (156) if (&User-Name =~ / /) { (156) if (&User-Name =~ / /) -> FALSE (156) if (&User-Name =~ /@[^@]*@/ ) { (156) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (156) if (&User-Name =~ /\.\./ ) { (156) if (&User-Name =~ /\.\./ ) -> FALSE (156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (156) if (&User-Name =~ /\.$/) { (156) if (&User-Name =~ /\.$/) -> FALSE (156) if (&User-Name =~ /@\./) { (156) if (&User-Name =~ /@\./) -> FALSE (156) } # if (&User-Name) = notfound (156) } # policy filter_username = notfound (156) [preprocess] = ok (156) eap: Peer sent EAP Response (code 2) ID 0 length 12 (156) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (156) [eap] = ok (156) } # authorize = ok (156) Found Auth-Type = eap (156) # Executing group from file /etc/raddb/sites-enabled/default (156) authenticate { (156) eap: Peer sent packet with method EAP Identity (1) (156) eap: Calling submodule eap_tls to process data (156) eap_tls: Initiating new EAP-TLS session (156) eap_tls: Setting verify mode to require certificate from client (156) eap_tls: [eaptls start] = request (156) eap: Sending EAP Request (code 1) ID 1 length 6 (156) eap: EAP session adding &reply:State = 0xccf8f142ccf9fce7 (156) [eap] = handled (156) } # authenticate = handled (156) Using Post-Auth-Type Challenge (156) # Executing group from file /etc/raddb/sites-enabled/default (156) Challenge { ... } # empty sub-section is ignored (156) Sent Access-Challenge Id 238 from 192.168.253.6:1812 to 103.46.239.184:36499 length 0 (156) EAP-Message = 0x010100060d20 (156) Message-Authenticator = 0x00000000000000000000000000000000 (156) State = 0xccf8f142ccf9fce75307e48862cef384 (156) Finished request Waking up in 4.9 seconds. (157) Received Access-Request Id 239 from 103.46.239.184:40285 to 192.168.253.6:1812 length 393 (157) Service-Type = Framed-User (157) Framed-MTU = 1400 (157) User-Name = "macbook" (157) State = 0xccf8f142ccf9fce75307e48862cef384 (157) NAS-Port-Id = "wlan1" (157) NAS-Port-Type = Wireless-802.11 (157) Acct-Session-Id = "8220002d" (157) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (157) Calling-Station-Id = "B8-C1-11-D1-4D-50" (157) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (157) EAP-Message = 0x020100a10d800000009716030300920100008e03035c66eda3b9189d8cb5e4f5d1b7da29789b4f95dc78ef817aeb5462abc249b93100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00 (157) Message-Authenticator = 0xf775fc6bc1a0190eb8997ecbcbb51f4f (157) NAS-Identifier = "MikroTik" (157) NAS-IP-Address = 192.168.88.2 (157) session-state: No cached attributes (157) # Executing section authorize from file /etc/raddb/sites-enabled/default (157) authorize { (157) policy filter_username { (157) if (&User-Name) { (157) if (&User-Name) -> TRUE (157) if (&User-Name) { (157) if (&User-Name =~ / /) { (157) if (&User-Name =~ / /) -> FALSE (157) if (&User-Name =~ /@[^@]*@/ ) { (157) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (157) if (&User-Name =~ /\.\./ ) { (157) if (&User-Name =~ /\.\./ ) -> FALSE (157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (157) if (&User-Name =~ /\.$/) { (157) if (&User-Name =~ /\.$/) -> FALSE (157) if (&User-Name =~ /@\./) { (157) if (&User-Name =~ /@\./) -> FALSE (157) } # if (&User-Name) = notfound (157) } # policy filter_username = notfound (157) [preprocess] = ok (157) eap: Peer sent EAP Response (code 2) ID 1 length 161 (157) eap: No EAP Start, assuming it's an on-going EAP conversation (157) [eap] = updated (157) sql: EXPAND %{User-Name} (157) sql: --> macbook (157) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (60) (157) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (157) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (157) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (157) sql: User found in radcheck table (157) sql: Conditional check items matched, merging assignment check items (157) sql: Auth-Type := eap (157) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (157) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (157) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(157) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (60) *Need 7 more connections to reach 10 spares* *rlm_sql (sql): Opening additional connection (63), 1 of 29 pending slots used* rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.43, protocol version 10 (157) [sql] = ok (157) if (notfound) { (157) if (notfound) -> FALSE (157) [expiration] = noop (157) [logintime] = noop (157) [pap] = noop (157) } # authorize = updated (157) Found Auth-Type = eap (157) # Executing group from file /etc/raddb/sites-enabled/default (157) authenticate { (157) eap: Expiring EAP session with state 0xccf8f142ccf9fce7 (157) eap: Finished EAP session with state 0xccf8f142ccf9fce7 (157) eap: Previous EAP request found for state 0xccf8f142ccf9fce7, released from the list (157) eap: Peer sent packet with method EAP TLS (13) (157) eap: Calling submodule eap_tls to process data (157) eap_tls: Continuing EAP-TLS (157) eap_tls: Peer indicated complete TLS record size will be 151 bytes (157) eap_tls: Got complete TLS record (151 bytes) (157) eap_tls: [eaptls verify] = length included (157) eap_tls: (other): before/accept initialization (157) eap_tls: TLS_accept: before/accept initialization (157) eap_tls: <<< recv TLS 1.2 [length 0092] (157) eap_tls: TLS_accept: SSLv3 read client hello A (157) eap_tls: >>> send TLS 1.2 [length 0039] (157) eap_tls: TLS_accept: SSLv3 write server hello A (157) eap_tls: >>> send TLS 1.2 [length 06ee] (157) eap_tls: TLS_accept: SSLv3 write certificate A (157) eap_tls: >>> send TLS 1.2 [length 00cd] (157) eap_tls: TLS_accept: SSLv3 write key exchange A (157) eap_tls: >>> send TLS 1.2 [length 00a5] (157) eap_tls: TLS_accept: SSLv3 write certificate request A (157) eap_tls: TLS_accept: SSLv3 flush data (157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (157) eap_tls: In SSL Handshake Phase (157) eap_tls: In SSL Accept mode (157) eap_tls: [eaptls process] = handled (157) eap: Sending EAP Request (code 1) ID 2 length 1024 (157) eap: EAP session adding &reply:State = 0xccf8f142cdfafce7 (157) [eap] = handled (157) } # authenticate = handled (157) Using Post-Auth-Type Challenge (157) # Executing group from file /etc/raddb/sites-enabled/default (157) Challenge { ... } # empty sub-section is ignored (157) Sent Access-Challenge Id 239 from 192.168.253.6:1812 to 103.46.239.184:40285 length 0 (157) EAP-Message = 0x010204000dc0000008ad160303003902000035030368fd206e3ef60d7fd094ee6184fa23ad9edd6bc23b529f88b11669a0e088a95700c03000000dff01000100000b00040300010216030306ee0b0006ea0006e70003a03082039c30820305a003020102020101300d06092a864886f70d010105050030 (157) Message-Authenticator = 0x00000000000000000000000000000000 (157) State = 0xccf8f142cdfafce75307e48862cef384 (157) Finished request Waking up in 4.9 seconds. (158) Received Access-Request Id 240 from 103.46.239.184:53647 to 192.168.253.6:1812 length 238 (158) Service-Type = Framed-User (158) Framed-MTU = 1400 (158) User-Name = "macbook" (158) State = 0xccf8f142cdfafce75307e48862cef384 (158) NAS-Port-Id = "wlan1" (158) NAS-Port-Type = Wireless-802.11 (158) Acct-Session-Id = "8220002d" (158) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (158) Calling-Station-Id = "B8-C1-11-D1-4D-50" (158) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (158) EAP-Message = 0x020200060d00 (158) Message-Authenticator = 0xb397d9cf688e3c16bfacd51e63ee0677 (158) NAS-Identifier = "MikroTik" (158) NAS-IP-Address = 192.168.88.2 (158) session-state: No cached attributes (158) # Executing section authorize from file /etc/raddb/sites-enabled/default (158) authorize { (158) policy filter_username { (158) if (&User-Name) { (158) if (&User-Name) -> TRUE (158) if (&User-Name) { (158) if (&User-Name =~ / /) { (158) if (&User-Name =~ / /) -> FALSE (158) if (&User-Name =~ /@[^@]*@/ ) { (158) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (158) if (&User-Name =~ /\.\./ ) { (158) if (&User-Name =~ /\.\./ ) -> FALSE (158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (158) if (&User-Name =~ /\.$/) { (158) if (&User-Name =~ /\.$/) -> FALSE (158) if (&User-Name =~ /@\./) { (158) if (&User-Name =~ /@\./) -> FALSE (158) } # if (&User-Name) = notfound (158) } # policy filter_username = notfound (158) [preprocess] = ok (158) eap: Peer sent EAP Response (code 2) ID 2 length 6 (158) eap: No EAP Start, assuming it's an on-going EAP conversation (158) [eap] = updated (158) sql: EXPAND %{User-Name} (158) sql: --> macbook (158) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (62) (158) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (158) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (158) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (158) sql: User found in radcheck table (158) sql: Conditional check items matched, merging assignment check items (158) sql: Auth-Type := eap (158) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (158) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (158) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(158) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (62) (158) [sql] = ok (158) if (notfound) { (158) if (notfound) -> FALSE (158) [expiration] = noop (158) [logintime] = noop (158) [pap] = noop (158) } # authorize = updated (158) Found Auth-Type = eap (158) # Executing group from file /etc/raddb/sites-enabled/default (158) authenticate { (158) eap: Expiring EAP session with state 0xccf8f142cdfafce7 (158) eap: Finished EAP session with state 0xccf8f142cdfafce7 (158) eap: Previous EAP request found for state 0xccf8f142cdfafce7, released from the list (158) eap: Peer sent packet with method EAP TLS (13) (158) eap: Calling submodule eap_tls to process data (158) eap_tls: Continuing EAP-TLS (158) eap_tls: Peer ACKed our handshake fragment (158) eap_tls: [eaptls verify] = request (158) eap_tls: [eaptls process] = handled (158) eap: Sending EAP Request (code 1) ID 3 length 1024 (158) eap: EAP session adding &reply:State = 0xccf8f142cefbfce7 (158) [eap] = handled (158) } # authenticate = handled (158) Using Post-Auth-Type Challenge (158) # Executing group from file /etc/raddb/sites-enabled/default (158) Challenge { ... } # empty sub-section is ignored (158) Sent Access-Challenge Id 240 from 192.168.253.6:1812 to 103.46.239.184:53647 length 0 (158) EAP-Message = 0x010304000dc0000008ad02a6a003020102020900b184f1d60648f80a300d06092a864886f70d01010b05003073310b300906035504061302494e310b3009060355040813024445310e300c0603550407130544656c6869310f300d060355040a130653686f757574311230100603550403130953686f75 (158) Message-Authenticator = 0x00000000000000000000000000000000 (158) State = 0xccf8f142cefbfce75307e48862cef384 (158) Finished request Waking up in 4.8 seconds. (159) Received Access-Request Id 241 from 103.46.239.184:58701 to 192.168.253.6:1812 length 238 (159) Service-Type = Framed-User (159) Framed-MTU = 1400 (159) User-Name = "macbook" (159) State = 0xccf8f142cefbfce75307e48862cef384 (159) NAS-Port-Id = "wlan1" (159) NAS-Port-Type = Wireless-802.11 (159) Acct-Session-Id = "8220002d" (159) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (159) Calling-Station-Id = "B8-C1-11-D1-4D-50" (159) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (159) EAP-Message = 0x020300060d00 (159) Message-Authenticator = 0x599b7d41483b5ff646d709190859ad41 (159) NAS-Identifier = "MikroTik" (159) NAS-IP-Address = 192.168.88.2 (159) session-state: No cached attributes (159) # Executing section authorize from file /etc/raddb/sites-enabled/default (159) authorize { (159) policy filter_username { (159) if (&User-Name) { (159) if (&User-Name) -> TRUE (159) if (&User-Name) { (159) if (&User-Name =~ / /) { (159) if (&User-Name =~ / /) -> FALSE (159) if (&User-Name =~ /@[^@]*@/ ) { (159) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (159) if (&User-Name =~ /\.\./ ) { (159) if (&User-Name =~ /\.\./ ) -> FALSE (159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (159) if (&User-Name =~ /\.$/) { (159) if (&User-Name =~ /\.$/) -> FALSE (159) if (&User-Name =~ /@\./) { (159) if (&User-Name =~ /@\./) -> FALSE (159) } # if (&User-Name) = notfound (159) } # policy filter_username = notfound (159) [preprocess] = ok (159) eap: Peer sent EAP Response (code 2) ID 3 length 6 (159) eap: No EAP Start, assuming it's an on-going EAP conversation (159) [eap] = updated (159) sql: EXPAND %{User-Name} (159) sql: --> macbook (159) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (61) (159) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (159) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (159) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (159) sql: User found in radcheck table (159) sql: Conditional check items matched, merging assignment check items (159) sql: Auth-Type := eap (159) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (159) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (159) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(159) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (61) (159) [sql] = ok (159) if (notfound) { (159) if (notfound) -> FALSE (159) [expiration] = noop (159) [logintime] = noop (159) [pap] = noop (159) } # authorize = updated (159) Found Auth-Type = eap (159) # Executing group from file /etc/raddb/sites-enabled/default (159) authenticate { (159) eap: Expiring EAP session with state 0xccf8f142cefbfce7 (159) eap: Finished EAP session with state 0xccf8f142cefbfce7 (159) eap: Previous EAP request found for state 0xccf8f142cefbfce7, released from the list (159) eap: Peer sent packet with method EAP TLS (13) (159) eap: Calling submodule eap_tls to process data (159) eap_tls: Continuing EAP-TLS (159) eap_tls: Peer ACKed our handshake fragment (159) eap_tls: [eaptls verify] = request (159) eap_tls: [eaptls process] = handled (159) eap: Sending EAP Request (code 1) ID 4 length 203 (159) eap: EAP session adding &reply:State = 0xccf8f142cffcfce7 (159) [eap] = handled (159) } # authenticate = handled (159) Using Post-Auth-Type Challenge (159) # Executing group from file /etc/raddb/sites-enabled/default (159) Challenge { ... } # empty sub-section is ignored (159) Sent Access-Challenge Id 241 from 192.168.253.6:1812 to 103.46.239.184:58701 length 0 (159) EAP-Message = 0x010400cb0d80000008ad24a53a7915db5dc8993989d24c02cfa39af20337cc762c16030300a50d00009d03010240001e060106020603050105020503040104020403030103020303020102020203007700753073310b300906035504061302494e310b3009060355040813024445310e300c0603550407 (159) Message-Authenticator = 0x00000000000000000000000000000000 (159) State = 0xccf8f142cffcfce75307e48862cef384 (159) Finished request Waking up in 4.8 seconds. (160) Received Access-Request Id 242 from 103.46.239.184:59711 to 192.168.253.6:1812 length 249 (160) Service-Type = Framed-User (160) Framed-MTU = 1400 (160) User-Name = "macbook" (160) State = 0xccf8f142cffcfce75307e48862cef384 (160) NAS-Port-Id = "wlan1" (160) NAS-Port-Type = Wireless-802.11 (160) Acct-Session-Id = "8220002d" (160) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (160) Calling-Station-Id = "B8-C1-11-D1-4D-50" (160) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (160) EAP-Message = 0x020400110d800000000715030300020100 (160) Message-Authenticator = 0x0dd503fd540264a4baa68f7135caa25d (160) NAS-Identifier = "MikroTik" (160) NAS-IP-Address = 192.168.88.2 (160) session-state: No cached attributes (160) # Executing section authorize from file /etc/raddb/sites-enabled/default (160) authorize { (160) policy filter_username { (160) if (&User-Name) { (160) if (&User-Name) -> TRUE (160) if (&User-Name) { (160) if (&User-Name =~ / /) { (160) if (&User-Name =~ / /) -> FALSE (160) if (&User-Name =~ /@[^@]*@/ ) { (160) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (160) if (&User-Name =~ /\.\./ ) { (160) if (&User-Name =~ /\.\./ ) -> FALSE (160) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (160) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (160) if (&User-Name =~ /\.$/) { (160) if (&User-Name =~ /\.$/) -> FALSE (160) if (&User-Name =~ /@\./) { (160) if (&User-Name =~ /@\./) -> FALSE (160) } # if (&User-Name) = notfound (160) } # policy filter_username = notfound (160) [preprocess] = ok (160) eap: Peer sent EAP Response (code 2) ID 4 length 17 (160) eap: No EAP Start, assuming it's an on-going EAP conversation (160) [eap] = updated (160) sql: EXPAND %{User-Name} (160) sql: --> macbook (160) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (60) (160) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (160) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (160) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (160) sql: User found in radcheck table (160) sql: Conditional check items matched, merging assignment check items (160) sql: Auth-Type := eap (160) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (160) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (160) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(160) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (60) (160) [sql] = ok (160) if (notfound) { (160) if (notfound) -> FALSE (160) [expiration] = noop (160) [logintime] = noop (160) [pap] = noop (160) } # authorize = updated (160) Found Auth-Type = eap (160) # Executing group from file /etc/raddb/sites-enabled/default (160) authenticate { (160) eap: Expiring EAP session with state 0xccf8f142cffcfce7 (160) eap: Finished EAP session with state 0xccf8f142cffcfce7 (160) eap: Previous EAP request found for state 0xccf8f142cffcfce7, released from the list (160) eap: Peer sent packet with method EAP TLS (13) (160) eap: Calling submodule eap_tls to process data (160) eap_tls: Continuing EAP-TLS (160) eap_tls: Peer indicated complete TLS record size will be 7 bytes (160) eap_tls: Got complete TLS record (7 bytes) (160) eap_tls: [eaptls verify] = length included (160) eap_tls: <<< recv TLS 1.2 [length 0002] *(160) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A* *(160) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(160) eap_tls: ERROR: System call (I/O) error (-1)* *(160) eap_tls: ERROR: TLS receive handshake failed during operation* *(160) eap_tls: ERROR: [eaptls process] = fail* *(160) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed* (160) eap: Sending EAP Failure (code 4) ID 4 length 4 (160) eap: Failed in EAP select (160) [eap] = invalid (160) } # authenticate = invalid (160) Failed to authenticate the user (160) Using Post-Auth-Type Reject (160) # Executing group from file /etc/raddb/sites-enabled/default (160) Post-Auth-Type REJECT { (160) sql: EXPAND .query (160) sql: --> .query (160) sql: Using query template 'query' rlm_sql (sql): Reserved connection (63) (160) sql: EXPAND %{User-Name} (160) sql: --> macbook (160) sql: SQL-User-Name set to 'macbook' (160) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (160) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15 22:36:48.754856') (160) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15 22:36:48.754856') (160) sql: SQL query returned: success (160) sql: 1 record(s) updated rlm_sql (sql): Released connection (63) (160) [sql] = ok (160) attr_filter.access_reject: EXPAND %{User-Name} (160) attr_filter.access_reject: --> macbook (160) attr_filter.access_reject: Matched entry DEFAULT at line 11 (160) [attr_filter.access_reject] = updated (160) [eap] = noop (160) policy remove_reply_message_if_eap { (160) if (&reply:EAP-Message && &reply:Reply-Message) { (160) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (160) else { (160) [noop] = noop (160) } # else = noop (160) } # policy remove_reply_message_if_eap = noop (160) } # Post-Auth-Type REJECT = updated (160) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (160) Sending delayed response (160) Sent Access-Reject Id 242 from 192.168.253.6:1812 to 103.46.239.184:59711 length 44 (160) EAP-Message = 0x04040004 (160) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (156) Cleaning up request packet ID 238 with timestamp +5619 (157) Cleaning up request packet ID 239 with timestamp +5619 (158) Cleaning up request packet ID 240 with timestamp +5619 (159) Cleaning up request packet ID 241 with timestamp +5619 (160) Cleaning up request packet ID 242 with timestamp +5619 *Ready to process requests* Cheers MK Singh +91-9910416231 www.shouut.com