The android phone is not configured to do EAP-TLS.
Hello, I have manage to setup 2 different android device to connect to my 802.1X network. The "user" certs are installed in each device. When I initiate the EAP-TLS I get the below debug output. The EAP-TLS communication seems to works well, but the communication is end up due to internal error. I have not figured out how to manage this error. Does I need to change my TLS version ? What exactly the debug output means here : "eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error" Full output : Ready to process requests (30) Received Access-Request Id 0 from 10.17.30.60:1197 to 172.17.0.2:1812 length 212 (30) Message-Authenticator = 0xa6ec9e72ad06b4bad0c1728ed82b339c (30) Service-Type = Framed-User (30) User-Name = "user@example.org" (30) Framed-MTU = 1488 (30) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (30) Calling-Station-Id = "72-87-6D-9E-D2-0F" (30) NAS-Identifier = "D-Link Access Point" (30) NAS-Port-Type = Wireless-802.11 (30) Connect-Info = "CONNECT 54Mbps 802.11g" (30) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (30) NAS-IP-Address = 10.17.30.60 (30) NAS-Port = 1 (30) NAS-Port-Id = "STA port # 1" (30) # Executing section authorize from file /etc/freeradius/sites-enabled/default (30) authorize { (30) policy filter_username { (30) if (&User-Name) { (30) if (&User-Name) -> TRUE (30) if (&User-Name) { (30) if (&User-Name =~ / /) { (30) if (&User-Name =~ / /) -> FALSE (30) if (&User-Name =~ /@[^@]*@/ ) { (30) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (30) if (&User-Name =~ /\.\./ ) { (30) if (&User-Name =~ /\.\./ ) -> FALSE (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (30) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (30) if (&User-Name =~ /\.$/) { (30) if (&User-Name =~ /\.$/) -> FALSE (30) if (&User-Name =~ /@\./) { (30) if (&User-Name =~ /@\./) -> FALSE (30) } # if (&User-Name) = notfound (30) } # policy filter_username = notfound (30) [preprocess] = ok (30) [chap] = noop (30) [mschap] = noop (30) [digest] = noop (30) suffix: Checking for suffix after "@" (30) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (30) suffix: No such realm "example.org" (30) [suffix] = noop (30) eap: Peer sent EAP Response (code 2) ID 0 length 21 (30) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (30) [eap] = ok (30) } # authorize = ok (30) Found Auth-Type = eap (30) # Executing group from file /etc/freeradius/sites-enabled/default (30) authenticate { (30) eap: Peer sent packet with method EAP Identity (1) (30) eap: Calling submodule eap_tls to process data (30) eap_tls: (TLS) Initiating new session (30) eap_tls: (TLS) Setting verify mode to require certificate from client (30) eap: Sending EAP Request (code 1) ID 1 length 6 (30) eap: EAP session adding &reply:State = 0x6504b08b6505bd57 (30) [eap] = handled (30) } # authenticate = handled (30) Using Post-Auth-Type Challenge (30) # Executing group from file /etc/freeradius/sites-enabled/default (30) Challenge { ... } # empty sub-section is ignored (30) session-state: Saving cached attributes (30) Framed-MTU = 994 (30) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1197 length 64 (30) EAP-Message = 0x010100060d20 (30) Message-Authenticator = 0x00000000000000000000000000000000 (30) State = 0x6504b08b6505bd57d78f3f37308b4458 (30) Finished request Waking up in 4.9 seconds. (31) Received Access-Request Id 1 from 10.17.30.60:1197 to 172.17.0.2:1812 length 346 (31) Message-Authenticator = 0xaa9a768bc1bc6b1a26a9031785c2e3b4 (31) Service-Type = Framed-User (31) User-Name = "user@example.org" (31) Framed-MTU = 1488 (31) State = 0x6504b08b6505bd57d78f3f37308b4458 (31) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (31) Calling-Station-Id = "72-87-6D-9E-D2-0F" (31) NAS-Identifier = "D-Link Access Point" (31) NAS-Port-Type = Wireless-802.11 (31) Connect-Info = "CONNECT 54Mbps 802.11g" (31) EAP-Message = 0x020100890d00160301007e0100007a0303e44ff5fb591c7700c7a3ae0c54b2f8bd7989a300554ac911a84733b16d1e652700001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201 (31) NAS-IP-Address = 10.17.30.60 (31) NAS-Port = 1 (31) NAS-Port-Id = "STA port # 1" (31) Restoring &session-state (31) &session-state:Framed-MTU = 994 (31) # Executing section authorize from file /etc/freeradius/sites-enabled/default (31) authorize { (31) policy filter_username { (31) if (&User-Name) { (31) if (&User-Name) -> TRUE (31) if (&User-Name) { (31) if (&User-Name =~ / /) { (31) if (&User-Name =~ / /) -> FALSE (31) if (&User-Name =~ /@[^@]*@/ ) { (31) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (31) if (&User-Name =~ /\.\./ ) { (31) if (&User-Name =~ /\.\./ ) -> FALSE (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (31) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (31) if (&User-Name =~ /\.$/) { (31) if (&User-Name =~ /\.$/) -> FALSE (31) if (&User-Name =~ /@\./) { (31) if (&User-Name =~ /@\./) -> FALSE (31) } # if (&User-Name) = notfound (31) } # policy filter_username = notfound (31) [preprocess] = ok (31) [chap] = noop (31) [mschap] = noop (31) [digest] = noop (31) suffix: Checking for suffix after "@" (31) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (31) suffix: No such realm "example.org" (31) [suffix] = noop (31) eap: Peer sent EAP Response (code 2) ID 1 length 137 (31) eap: No EAP Start, assuming it's an on-going EAP conversation (31) [eap] = updated (31) files: users: Matched entry user@example.org at line 2 (31) [files] = ok (31) [expiration] = noop (31) [logintime] = noop (31) [pap] = noop (31) } # authorize = updated (31) Found Auth-Type = eap (31) # Executing group from file /etc/freeradius/sites-enabled/default (31) authenticate { (31) eap: Expiring EAP session with state 0x6504b08b6505bd57 (31) eap: Finished EAP session with state 0x6504b08b6505bd57 (31) eap: Previous EAP request found for state 0x6504b08b6505bd57, released from the list (31) eap: Peer sent packet with method EAP TLS (13) (31) eap: Calling submodule eap_tls to process data (31) eap_tls: (TLS) EAP Got final fragment (131 bytes) (31) eap_tls: WARNING: (TLS) EAP Total received record fragments (131 bytes), does not equal expected expected data length (0 bytes) (31) eap_tls: (TLS) EAP Done initial handshake (31) eap_tls: (TLS) Handshake state - before SSL initialization (31) eap_tls: (TLS) Handshake state - Server before SSL initialization (31) eap_tls: (TLS) Handshake state - Server before SSL initialization (31) eap_tls: (TLS) recv TLS 1.3 Handshake, ClientHello (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS read client hello (31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHello (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server hello (31) eap_tls: (TLS) send TLS 1.2 Handshake, Certificate (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate (31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write key exchange (31) eap_tls: (TLS) send TLS 1.2 Handshake, CertificateRequest (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write certificate request (31) eap_tls: (TLS) send TLS 1.2 Handshake, ServerHelloDone (31) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (31) eap_tls: (TLS) Server : Need to read more data: SSLv3/TLS write server done (31) eap_tls: (TLS) In Handshake Phase (31) eap: Sending EAP Request (code 1) ID 2 length 1004 (31) eap: EAP session adding &reply:State = 0x6504b08b6406bd57 (31) [eap] = handled (31) } # authenticate = handled (31) Using Post-Auth-Type Challenge (31) # Executing group from file /etc/freeradius/sites-enabled/default (31) Challenge { ... } # empty sub-section is ignored (31) session-state: Saving cached attributes (31) Framed-MTU = 994 (31) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (31) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (31) Sent Access-Challenge Id 1 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1068 (31) EAP-Message = 0x010203ec0dc000000b97160303003d020000390303f29f622d180458fa14a91132f177a4d8ef046372693508507424cb1c54c0034700c02f000011ff01000100000b0004030001020017000016030309450b00094100093e00043a308204363082031ea003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f72697479301e170d3233303232383135353035395a170d3233303432393135353035395a307c310b3009060355040613024652310f300d06035504080c0652616469757331153013060355040a0c0c4578616d706c6520496e632e3123302106035504030c1a4578616d70 (31) Message-Authenticator = 0x00000000000000000000000000000000 (31) State = 0x6504b08b6406bd57d78f3f37308b4458 (31) Finished request Waking up in 4.9 seconds. (32) Received Access-Request Id 2 from 10.17.30.60:1197 to 172.17.0.2:1812 length 215 (32) Message-Authenticator = 0x5fe578dcf59a3710251051f46ad445c3 (32) Service-Type = Framed-User (32) User-Name = "user@example.org" (32) Framed-MTU = 1488 (32) State = 0x6504b08b6406bd57d78f3f37308b4458 (32) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (32) Calling-Station-Id = "72-87-6D-9E-D2-0F" (32) NAS-Identifier = "D-Link Access Point" (32) NAS-Port-Type = Wireless-802.11 (32) Connect-Info = "CONNECT 54Mbps 802.11g" (32) EAP-Message = 0x020200060d00 (32) NAS-IP-Address = 10.17.30.60 (32) NAS-Port = 1 (32) NAS-Port-Id = "STA port # 1" (32) Restoring &session-state (32) &session-state:Framed-MTU = 994 (32) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (32) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (32) # Executing section authorize from file /etc/freeradius/sites-enabled/default (32) authorize { (32) policy filter_username { (32) if (&User-Name) { (32) if (&User-Name) -> TRUE (32) if (&User-Name) { (32) if (&User-Name =~ / /) { (32) if (&User-Name =~ / /) -> FALSE (32) if (&User-Name =~ /@[^@]*@/ ) { (32) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (32) if (&User-Name =~ /\.\./ ) { (32) if (&User-Name =~ /\.\./ ) -> FALSE (32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (32) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (32) if (&User-Name =~ /\.$/) { (32) if (&User-Name =~ /\.$/) -> FALSE (32) if (&User-Name =~ /@\./) { (32) if (&User-Name =~ /@\./) -> FALSE (32) } # if (&User-Name) = notfound (32) } # policy filter_username = notfound (32) [preprocess] = ok (32) [chap] = noop (32) [mschap] = noop (32) [digest] = noop (32) suffix: Checking for suffix after "@" (32) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (32) suffix: No such realm "example.org" (32) [suffix] = noop (32) eap: Peer sent EAP Response (code 2) ID 2 length 6 (32) eap: No EAP Start, assuming it's an on-going EAP conversation (32) [eap] = updated (32) files: users: Matched entry user@example.org at line 2 (32) [files] = ok (32) [expiration] = noop (32) [logintime] = noop (32) [pap] = noop (32) } # authorize = updated (32) Found Auth-Type = eap (32) # Executing group from file /etc/freeradius/sites-enabled/default (32) authenticate { (32) eap: Expiring EAP session with state 0x6504b08b6406bd57 (32) eap: Finished EAP session with state 0x6504b08b6406bd57 (32) eap: Previous EAP request found for state 0x6504b08b6406bd57, released from the list (32) eap: Peer sent packet with method EAP TLS (13) (32) eap: Calling submodule eap_tls to process data (32) eap_tls: (TLS) Peer ACKed our handshake fragment (32) eap: Sending EAP Request (code 1) ID 3 length 1004 (32) eap: EAP session adding &reply:State = 0x6504b08b6707bd57 (32) [eap] = handled (32) } # authenticate = handled (32) Using Post-Auth-Type Challenge (32) # Executing group from file /etc/freeradius/sites-enabled/default (32) Challenge { ... } # empty sub-section is ignored (32) session-state: Saving cached attributes (32) Framed-MTU = 994 (32) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (32) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (32) Sent Access-Challenge Id 2 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1068 (32) EAP-Message = 0x010303ec0dc000000b9739c511820dffd845488537b44057b4d4dd85d5e6e6eae53d369feaecb50fb2b8d8c5ccb0e795e8c868228f4f8b9910ba0f7ed2a047c098c98325f80e264ba86c53948ade85d1ffdf010886fec27ab99731041848b33a1da630279b4ebc265bfcfa1aef22cf2172d15cfcc80b6b3f01b3bec3b98cbe678abd92da4e4c2d625de911912ccc123df90b98465ffa6dc9ea6d0a42b65e8a416b51a18881d3a321e060ea9e1ce9fc94aef76f0004fe308204fa308203e2a0030201020214063c2615870dc518cfe2e2bba0164fd660669d24300d06092a864886f70d01010b0500308193310b3009060355040613024652310f300d06035504080c065261646975733112301006035504070c09536f6d65776865726531153013060355040a0c0c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c65204365727469666963617465204175 (32) Message-Authenticator = 0x00000000000000000000000000000000 (32) State = 0x6504b08b6707bd57d78f3f37308b4458 (32) Finished request Waking up in 4.9 seconds. (33) Received Access-Request Id 3 from 10.17.30.60:1197 to 172.17.0.2:1812 length 215 (33) Message-Authenticator = 0xe065dbb565280ef42143f9d09f9952e6 (33) Service-Type = Framed-User (33) User-Name = "user@example.org" (33) Framed-MTU = 1488 (33) State = 0x6504b08b6707bd57d78f3f37308b4458 (33) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (33) Calling-Station-Id = "72-87-6D-9E-D2-0F" (33) NAS-Identifier = "D-Link Access Point" (33) NAS-Port-Type = Wireless-802.11 (33) Connect-Info = "CONNECT 54Mbps 802.11g" (33) EAP-Message = 0x020300060d00 (33) NAS-IP-Address = 10.17.30.60 (33) NAS-Port = 1 (33) NAS-Port-Id = "STA port # 1" (33) Restoring &session-state (33) &session-state:Framed-MTU = 994 (33) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (33) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (33) # Executing section authorize from file /etc/freeradius/sites-enabled/default (33) authorize { (33) policy filter_username { (33) if (&User-Name) { (33) if (&User-Name) -> TRUE (33) if (&User-Name) { (33) if (&User-Name =~ / /) { (33) if (&User-Name =~ / /) -> FALSE (33) if (&User-Name =~ /@[^@]*@/ ) { (33) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (33) if (&User-Name =~ /\.\./ ) { (33) if (&User-Name =~ /\.\./ ) -> FALSE (33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (33) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (33) if (&User-Name =~ /\.$/) { (33) if (&User-Name =~ /\.$/) -> FALSE (33) if (&User-Name =~ /@\./) { (33) if (&User-Name =~ /@\./) -> FALSE (33) } # if (&User-Name) = notfound (33) } # policy filter_username = notfound (33) [preprocess] = ok (33) [chap] = noop (33) [mschap] = noop (33) [digest] = noop (33) suffix: Checking for suffix after "@" (33) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (33) suffix: No such realm "example.org" (33) [suffix] = noop (33) eap: Peer sent EAP Response (code 2) ID 3 length 6 (33) eap: No EAP Start, assuming it's an on-going EAP conversation (33) [eap] = updated (33) files: users: Matched entry user@example.org at line 2 (33) [files] = ok (33) [expiration] = noop (33) [logintime] = noop (33) [pap] = noop (33) } # authorize = updated (33) Found Auth-Type = eap (33) # Executing group from file /etc/freeradius/sites-enabled/default (33) authenticate { (33) eap: Expiring EAP session with state 0x6504b08b6707bd57 (33) eap: Finished EAP session with state 0x6504b08b6707bd57 (33) eap: Previous EAP request found for state 0x6504b08b6707bd57, released from the list (33) eap: Peer sent packet with method EAP TLS (13) (33) eap: Calling submodule eap_tls to process data (33) eap_tls: (TLS) Peer ACKed our handshake fragment (33) eap: Sending EAP Request (code 1) ID 4 length 989 (33) eap: EAP session adding &reply:State = 0x6504b08b6600bd57 (33) [eap] = handled (33) } # authenticate = handled (33) Using Post-Auth-Type Challenge (33) # Executing group from file /etc/freeradius/sites-enabled/default (33) Challenge { ... } # empty sub-section is ignored (33) session-state: Saving cached attributes (33) Framed-MTU = 994 (33) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (33) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (33) Sent Access-Challenge Id 3 from 172.17.0.2:1812 to 10.17.30.60:1197 length 1053 (33) EAP-Message = 0x010403dd0d8000000b9778616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e6f72673126302406035504030c1d4578616d706c6520436572746966696361746520417574686f726974798214063c2615870dc518cfe2e2bba0164fd660669d24300f0603551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382010100cf68f241d458b89c56759bf85344b58cd5f746d473a8875a2ad387ba29119f9ef2259377f107fff5f9779ca759bf5b4c7880fb10e3d7df34d5bf5bccabd8d392aa0d436251debc1059dab3172be448379a5e7d3c06e3c67db7b55212a6ce7ea3f0ce5d9c5a2eb3a2f29c45a8ebbd4bc9c0d367ffa8a0b4e482d0f767954cf8f9e155b5f285146d835b8a70bedc2180957ac217160d10b74ae6db16ef51834baa6fa6f957d0 (33) Message-Authenticator = 0x00000000000000000000000000000000 (33) State = 0x6504b08b6600bd57d78f3f37308b4458 (33) Finished request Waking up in 4.9 seconds. (34) Received Access-Request Id 4 from 10.17.30.60:1197 to 172.17.0.2:1812 length 222 (34) Message-Authenticator = 0xb2905e57775d4e42a7e828a09212dcde (34) Service-Type = Framed-User (34) User-Name = "user@example.org" (34) Framed-MTU = 1488 (34) State = 0x6504b08b6600bd57d78f3f37308b4458 (34) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (34) Calling-Station-Id = "72-87-6D-9E-D2-0F" (34) NAS-Identifier = "D-Link Access Point" (34) NAS-Port-Type = Wireless-802.11 (34) Connect-Info = "CONNECT 54Mbps 802.11g" (34) EAP-Message = 0x0204000d0d0015030300020250 (34) NAS-IP-Address = 10.17.30.60 (34) NAS-Port = 1 (34) NAS-Port-Id = "STA port # 1" (34) Restoring &session-state (34) &session-state:Framed-MTU = 994 (34) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (34) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (34) # Executing section authorize from file /etc/freeradius/sites-enabled/default (34) authorize { (34) policy filter_username { (34) if (&User-Name) { (34) if (&User-Name) -> TRUE (34) if (&User-Name) { (34) if (&User-Name =~ / /) { (34) if (&User-Name =~ / /) -> FALSE (34) if (&User-Name =~ /@[^@]*@/ ) { (34) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (34) if (&User-Name =~ /\.\./ ) { (34) if (&User-Name =~ /\.\./ ) -> FALSE (34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (34) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (34) if (&User-Name =~ /\.$/) { (34) if (&User-Name =~ /\.$/) -> FALSE (34) if (&User-Name =~ /@\./) { (34) if (&User-Name =~ /@\./) -> FALSE (34) } # if (&User-Name) = notfound (34) } # policy filter_username = notfound (34) [preprocess] = ok (34) [chap] = noop (34) [mschap] = noop (34) [digest] = noop (34) suffix: Checking for suffix after "@" (34) suffix: Looking up realm "example.org" for User-Name = "user@example.org" (34) suffix: No such realm "example.org" (34) [suffix] = noop (34) eap: Peer sent EAP Response (code 2) ID 4 length 13 (34) eap: No EAP Start, assuming it's an on-going EAP conversation (34) [eap] = updated (34) files: users: Matched entry user@example.org at line 2 (34) [files] = ok (34) [expiration] = noop (34) [logintime] = noop (34) [pap] = noop (34) } # authorize = updated (34) Found Auth-Type = eap (34) # Executing group from file /etc/freeradius/sites-enabled/default (34) authenticate { (34) eap: Expiring EAP session with state 0x6504b08b6600bd57 (34) eap: Finished EAP session with state 0x6504b08b6600bd57 (34) eap: Previous EAP request found for state 0x6504b08b6600bd57, released from the list (34) eap: Peer sent packet with method EAP TLS (13) (34) eap: Calling submodule eap_tls to process data (34) eap_tls: (TLS) EAP Done initial handshake (34) eap_tls: (TLS) recv TLS 1.2 Alert, fatal internal_error (34) eap_tls: (TLS) The client is informing us that there is a failure inside the TLS protocol exchange. (34) eap_tls: ERROR: (TLS) Alert read:fatal:internal error (34) eap_tls: (TLS) Server : Need to read more data: error (34) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error (34) eap_tls: (TLS) In Handshake Phase (34) eap_tls: (TLS) Application data. (34) eap_tls: ERROR: (TLS) Cannot continue, as the peer is misbehaving. (34) eap_tls: ERROR: [eaptls process] = fail (34) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (34) eap: Sending EAP Failure (code 4) ID 4 length 4 (34) eap: Failed in EAP select (34) [eap] = invalid (34) } # authenticate = invalid (34) Failed to authenticate the user (34) Using Post-Auth-Type Reject (34) # Executing group from file /etc/freeradius/sites-enabled/default (34) Post-Auth-Type REJECT { (34) attr_filter.access_reject: EXPAND %{User-Name} (34) attr_filter.access_reject: --> user@example.org (34) attr_filter.access_reject: Matched entry DEFAULT at line 11 (34) [attr_filter.access_reject] = updated (34) [eap] = noop (34) policy remove_reply_message_if_eap { (34) if (&reply:EAP-Message && &reply:Reply-Message) { (34) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (34) else { (34) [noop] = noop (34) } # else = noop (34) } # policy remove_reply_message_if_eap = noop (34) } # Post-Auth-Type REJECT = updated (34) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (34) Sending delayed response (34) Sent Access-Reject Id 4 from 172.17.0.2:1812 to 10.17.30.60:1197 length 44 (34) EAP-Message = 0x04040004 (34) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (30) Cleaning up request packet ID 0 with timestamp +1674 due to cleanup_delay was reached (31) Cleaning up request packet ID 1 with timestamp +1674 due to cleanup_delay was reached (32) Cleaning up request packet ID 2 with timestamp +1674 due to cleanup_delay was reached (33) Cleaning up request packet ID 3 with timestamp +1674 due to cleanup_delay was reached (34) Cleaning up request packet ID 4 with timestamp +1674 due to cleanup_delay was reached Ready to process requests -----Message d'origine----- De : Freeradius-Users <freeradius-users-bounces+clement.legoffic=kelio.com@lists.freeradius.org> De la part de Alan DeKok Envoyé : mardi 28 février 2023 15:32 À : FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Objet : Re: EAP-TLS default config On Feb 28, 2023, at 5:44 AM, clement.legoffic@kelio.com wrote:
... On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X. The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it. ... (5) eap: Peer NAK'd indicating it is not willing to continue
The android phone is not configured to do EAP-TLS. Alan DeKok. -