Gday :-) Each day is a step closer. Here I am trying to run a test with the the test certificates and am failing. I see the positives in the fail in that I am actually contacting Freeradius. That's a step forwards. Any chance of knowing what these error messages mean? Have I used the wrong certificates in the wrong place? *** (39) eap: Peer sent EAP Response (code 2) ID 224 length 1344 (39) eap: No EAP Start, assuming it's an on-going EAP conversation (39) [eap] = updated (39) [files] = noop (39) [expiration] = noop (39) [logintime] = noop (39) [pap] = noop (39) } # authorize = updated (39) Found Auth-Type = eap (39) # Executing group from file /etc/freeradius/sites-enabled/default (39) authenticate { (39) eap: Removing EAP session with state 0x7724b18972c4bc8c (39) eap: Previous EAP request found for state 0x7724b18972c4bc8c, released from the list (39) eap: Peer sent packet with method EAP TLS (13) (39) eap: Calling submodule eap_tls to process data (39) eap_tls: (TLS) EAP Done initial handshake (39) eap_tls: (TLS) TLS - Handshake state - Server SSLv3/TLS write server done (39) eap_tls: (TLS) TLS - recv TLS 1.2 Handshake, Certificate (39) eap_tls: (TLS) TLS - Creating attributes from 2 certificate in chain (39) eap_tls: TLS-Cert-Serial := "7b3ac5c50ab5ad8b63570648b1f5642e20c97be2" (39) eap_tls: TLS-Cert-Expiration := "250907060222Z" (39) eap_tls: TLS-Cert-Valid-Since := "250709060222Z" (39) eap_tls: TLS-Cert-Subject := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (39) eap_tls: TLS-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (39) eap_tls: TLS-Cert-Common-Name := "Example Certificate Authority" (39) eap_tls: TLS-Cert-CRL-Distribution-Points += "http://www.example.org/example_ca.crl" (39) eap_tls: (TLS) TLS - Creating attributes from 1 certificate in chain (39) eap_tls: TLS-Client-Cert-Serial := "02" (39) eap_tls: TLS-Client-Cert-Expiration := "250907060223Z" (39) eap_tls: TLS-Client-Cert-Valid-Since := "250709060223Z" (39) eap_tls: TLS-Client-Cert-Subject := "/C=FR/ST=Radius/O=Example Inc./CN=user@example.org/emailAddress=user@example.org" (39) eap_tls: TLS-Client-Cert-Issuer := "/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.org/CN=Example Certificate Authority" (39) eap_tls: TLS-Client-Cert-Common-Name := "user@example.org" (39) eap_tls: TLS-Client-Cert-CRL-Distribution-Points += "http://www.example.com/example_ca.crl" (39) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication" (39) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "6D:00:F5:8E:7C:BB:67:49:12:7A:C1:3F:93:AB:78:A9:68:87:9B:90" (39) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "E1:9D:14:10:16:D5:9D:4E:CE:42:43:E7:49:3A:5E:74:92:46:07:64" (39) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" (39) eap_tls: Verifying client certificate: /usr/bin/openssl verify -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename} (39) eap_tls: Executing: /usr/bin/openssl verify -CApath /etc/freeradius/certs %{TLS-Client-Cert-Filename}: (39) eap_tls: EXPAND %{TLS-Client-Cert-Filename} (39) eap_tls: --> /tmp/radiusd/radiusd.client.XXUK9jFp C = FR, ST = Radius, O = Example Inc., CN = user@example.org, emailAddress = user@example.org error 20 at 0 depth lookup: unable to get local issuer certificate error /tmp/radiusd/radiusd.client.XXUK9jFp: verification failed (39) eap_tls: ERROR: Program returned code (2) and output '' tls: Certificate CN (user@example.org) fails external verification! (39) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal internal_error (39) eap_tls: ERROR: (TLS) TLS - Alert write:fatal:internal error (39) eap_tls: ERROR: (TLS) TLS - Server : Error in error (39) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:0A000086:SSL routines::certificate verify failed (39) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (39) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (39) eap_tls: ERROR: [eaptls process] = fail (39) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (39) eap: Sending EAP Failure (code 4) ID 224 length 4 (39) eap: Failed in EAP select (39) [eap] = invalid (39) } # authenticate = invalid (39) Failed to authenticate the user (39) Using Post-Auth-Type Reject (39) # Executing group from file /etc/freeradius/sites-enabled/default (39) Post-Auth-Type REJECT { (39) attr_filter.access_reject: EXPAND %{User-Name} (39) attr_filter.access_reject: --> user@example.org (39) attr_filter.access_reject: Matched entry DEFAULT at line 11 (39) [attr_filter.access_reject] = updated (39) [eap] = noop (39) policy remove_reply_message_if_eap { (39) if (&reply:EAP-Message && &reply:Reply-Message) { (39) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (39) else { (39) [noop] = noop (39) } # else = noop (39) } # policy remove_reply_message_if_eap = noop (39) } # Post-Auth-Type REJECT = updated (39) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (39) Sending delayed response (39) Sent Access-Reject Id 46 from 172.17.0.5:1812 to 172.17.0.1:34232 length 44 (39) EAP-Message = 0x04e00004 (39) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.1 seconds. (26) Cleaning up request packet ID 33 with timestamp +49 due to cleanup_delay was reached (27) Cleaning up request packet ID 34 with timestamp +49 due to cleanup_delay was reached (28) Cleaning up request packet ID 35 with timestamp +49 due to cleanup_delay was reached (29) Cleaning up request packet ID 36 with timestamp +49 due to cleanup_delay was reached (30) Cleaning up request packet ID 37 with timestamp +49 due to cleanup_delay was reached (31) Cleaning up request packet ID 38 with timestamp +49 due to cleanup_delay was reached (32) Cleaning up request packet ID 39 with timestamp +49 due to cleanup_delay was reached Waking up in 3.6 seconds. (33) Cleaning up request packet ID 40 with timestamp +53 due to cleanup_delay was reached (34) Cleaning up request packet ID 41 with timestamp +53 due to cleanup_delay was reached (35) Cleaning up request packet ID 42 with timestamp +53 due to cleanup_delay was reached (36) Cleaning up request packet ID 43 with timestamp +53 due to cleanup_delay was reached (37) Cleaning up request packet ID 44 with timestamp +53 due to cleanup_delay was reached (38) Cleaning up request packet ID 45 with timestamp +53 due to cleanup_delay was reached (39) Cleaning up request packet ID 46 with timestamp +53 due to cleanup_delay was reached Ready to process requests