We have a stangle problem going on with the Apple iTouches in the district here. This started since they were upgraded to iOS v.4.x....so it seems. What is happening is that the user will put in their credentials and get prompted to accept the certificate as it says its untrusted. The user clicks accept, all looks good and then it says it failed to connected. So they hit dismiss on that message, click join again, accept the certificate again and then they are accepted onto the network. But, sometimes they have to hit Dismiss/Join up to 15-20 times until it will accept it. Right now I am working with a default install FreeRadius v2.1.8 for testing this, including default certificates. I was planning on slowly adding in my config to narrow it down, but the problem appears to be happening by default. I *thought* that setting the default_eap_type to peap was causing it, but I had it happen when it was set to md5 as well. Im working on a iPod Touch with iOS v4.2. Below is the debug output of a failed attempt, and the follow up attempt that put the user through. *********************** FAILED ATTEMPT *************************** Ready to process requests. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=277 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x3035303030313031343330353233
3035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x0200000b016b7465737435 Message-Authenticator = 0x32cf9f891633152f0f139a53cb61f9ee +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc4b1fdf8c4b0e4f9163ffe27c4915746 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=420 Cleaning up request 0 ID 66 with timestamp +30 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x0201008819800000007e16030100790100007503014d2e0343e5f920d1f519dbfeac002febc3736014d9bee7e0c55fd8085b99b7af00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100 State = 0xc4b1fdf8c4b0e4f9163ffe27c4915746 Message-Authenticator = 0xf4e7c59223ecd3e5741cc6cc48762e1f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 136 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x0102040019c00000089b160301002a0200002603014d2e0330bf07fe39f7236a619358e64fa3db011bcbda7c9b9584846f6e32102000002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5 EAP-Message = 0x8b623cc4e0c8beccafbc499fc74e8d17e3c9fbd9aafbac061bfa1309372c83e95c8dd5da071d7d97fdd7660ab45c93db04d72184885f895897d840ac4934c11f51c81c4d2e83dccf646b499739781cdff243a48f064e209bef2d2bcde936c6104b63ee467f448d005c127b83bfa708aeed69f1467d3b280a4f1b151d153ce7216ea94c2e33fe400de92d84b823c5b32828959b9ea5b8afbc063ba5db0cabb0b602fdf90e60c354b8e788facfc654ff2310ea763297ea1aef098b4ddb5466abb528910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100904c9828165a2de337 EAP-Message = 0x50191a87ef600b1584376573598f31e772c944faf6e61c383d477c201b0aa6cf8bcb49d8b416f2de1e84774a9423608aad94af078dad2b6b30979d1c6b58cd8eefa9cf827d27f7755f8030dbc7c9e230187f212a5d4400928da0cc2845a7b5048a3b7425818fb437ac9c33746b39aaf4aa49af51340496250c837496f449307860f6cae9bd224c557af44806b46ac837b12a149124e35da9bde2538d9f39c2c33fe33dc7df0d45c5bec5bda68294a994af2db4f7298cf47e680cbca4789791aa3048a17761e4c71ebbd9b82bd324af0dbe8ce26ae88ee8a5d16dbd6685dce7ecb7af820abf975c67bfd34797fbefa47a4eed95cca895860004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc4b1fdf8c5b3e4f9163ffe27c4915746 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 66 with timestamp +30 Ready to process requests. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x020200061900 State = 0xc4b1fdf8c5b3e4f9163ffe27c4915746 Message-Authenticator = 0xa5c69d05dee0560c68b7d67d25b2e0b1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010303fc194000ae0fc87b0b841be2300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303131323138353335315a170d3132303131323138353335315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d73060bc3e4f3bacd8c526ff5efa081cbfd333963c0a90272e83d654b8d1a16a25c9e1358b347d3f91d49ed29d387fd6de5ba5fe18c43b48065e8f1bb9dcb22d1a8679925af0bdc049d32199ba543f1d40a7c6b3578892efcaea646bdde6442593b17cb4713fb4d6f0616a5db38d9b EAP-Message = 0xfd1d6e9dd30b6e536ba717a75adaa7c87fd019e83bea06f5eacb6a09fa9954b60ccc92116455610a2674a03a4ecacee05ce914a72a27965d55471df19c8751fdb69fe66426bb236f7d57cfffe41822e7d8ddfc6c1c8f5b45e6010c896918c4f111626979b280ddf2219099024cb0efb17c9660df9fc642edc9874074cb83e93349b19a2c16409b7444545ee27b2a52bb9d0203010001a381fb3081f8301d0603551d0e04160414872c00a6ed850850f4e202b4d86a1d663b35fd8e3081c80603551d230481c03081bd8014872c00a6ed850850f4e202b4d86a1d663b35fd8ea18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ae0fc87b0b841be2300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a5c0c601e1cb4606aa986dc240b7488bb4afd8c0e81ba0361530d556ad117222cdcc5a57a13fe3eb073ca72dff40db0a58c8d835ec110485bd158ab6cd1d8583cd575710b49070b3794384d2cff45f22b81e EAP-Message = 0x2dc327be959645c8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc4b1fdf8c6b2e4f9163ffe27c4915746 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290 Cleaning up request 2 ID 66 with timestamp +39 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x020300061900 State = 0xc4b1fdf8c6b2e4f9163ffe27c4915746 Message-Authenticator = 0x834956d460493056f00e0117298d68d7 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010400b51900387bb57f237040a0b009495fcb1c4460694c6214f871d93a5afddfcc7aa7727e9ce657d22551e936e9415eea3a0ce78a7ea4b121f711fc19e2b505b4fa004bcc2952effdc18d0cd1ec6fe10bf431e8a189a5cbefcaebd9beab4e75c2309b55de25a9e392112915ad1c7b866a902f091b366eb96e7aa6ab544889069e70fda7ad8a9ec9eb729a6db3aeeb3ca9965daf0d515783a89a0947b6004eaad452777ae3413772aa2f5f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc4b1fdf8c7b5e4f9163ffe27c4915746 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=622 Cleaning up request 3 ID 66 with timestamp +39 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x020401501980000001461603010106100001020100373aae08036c5c081766d84efb8b257d7a9840bd2d91f9fbb1bad0c23993b1becc777b0890f6c8eb6b9ad515a2a5436dd50ea6feaeb8d0e9d3b7142af44ef0a0d52004a50e4b3022e3c2752cbc9caff85cbbd8281543a4a2c1b8a9a9141dd4430cafb7375f8d1a299c321a10edf205010f828f80cb188855d7888ef33d2c14d9bbc52bb23e99e2570ec2be2e6896f918c61926fbfc21009af339abbf671c483c897e7f5a9614f7ffd003d126edeebb752e3af6f8dc63a10a314fb5d105124ce25332a68c7b6aee6bebcf5eb9aa3a3853cdb0ecef655a78107a86ce327d51d84fb858490131e5c8 EAP-Message = 0x4fdfa622a41c66fd40edceb1c3cc99f33a0591a75a1c419d681403010001011603010030183a1d1ce2e805a60d16d91940d4b659bc1ecda540c675ea25f530b5c3ebe4114d5553609074df1351384da76ab4f78a State = 0xc4b1fdf8c7b5e4f9163ffe27c4915746 Message-Authenticator = 0xef9d2df3d5a31b39f3ddf68d687d6b5c +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 252 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 326 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x0105004119001403010001011603010030c5ca03d2a20ef23d2e6375c8153c3e6c1afa2151b0232004998802bece4070cb14b8a1bffac3874c849f89a1f8450de2 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc4b1fdf8c0b4e4f9163ffe27c4915746 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=277 Cleaning up request 4 ID 66 with timestamp +39 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x0206000b016b7465737435 Message-Authenticator = 0x7667edddd0b6ae7ddec276f6fc0d09fd +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010700061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8791eff18796f6b55a0a76adc31036d5 Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=420 Cleaning up request 5 ID 66 with timestamp +42 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x0207008819800000007e16030100790100007503014d2e034fe43eb22c54e9c30587e009b69a0a7712664fc62b7754d5321207a9e700003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100 State = 0x8791eff18796f6b55a0a76adc31036d5 Message-Authenticator = 0xdd954eaa01deac01b7a9d0973e934401 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 136 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x0108040019c00000089b160301002a0200002603014d2e033cabdd48cf6a4f062f86f5947a33952f7547e4871741c1b81a7c7ae51e00002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5 EAP-Message = 0x8b623cc4e0c8beccafbc499fc74e8d17e3c9fbd9aafbac061bfa1309372c83e95c8dd5da071d7d97fdd7660ab45c93db04d72184885f895897d840ac4934c11f51c81c4d2e83dccf646b499739781cdff243a48f064e209bef2d2bcde936c6104b63ee467f448d005c127b83bfa708aeed69f1467d3b280a4f1b151d153ce7216ea94c2e33fe400de92d84b823c5b32828959b9ea5b8afbc063ba5db0cabb0b602fdf90e60c354b8e788facfc654ff2310ea763297ea1aef098b4ddb5466abb528910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100904c9828165a2de337 EAP-Message = 0x50191a87ef600b1584376573598f31e772c944faf6e61c383d477c201b0aa6cf8bcb49d8b416f2de1e84774a9423608aad94af078dad2b6b30979d1c6b58cd8eefa9cf827d27f7755f8030dbc7c9e230187f212a5d4400928da0cc2845a7b5048a3b7425818fb437ac9c33746b39aaf4aa49af51340496250c837496f449307860f6cae9bd224c557af44806b46ac837b12a149124e35da9bde2538d9f39c2c33fe33dc7df0d45c5bec5bda68294a994af2db4f7298cf47e680cbca4789791aa3048a17761e4c71ebbd9b82bd324af0dbe8ce26ae88ee8a5d16dbd6685dce7ecb7af820abf975c67bfd34797fbefa47a4eed95cca895860004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8791eff18699f6b55a0a76adc31036d5 Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290 Cleaning up request 6 ID 66 with timestamp +42 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x020800061900 State = 0x8791eff18699f6b55a0a76adc31036d5 Message-Authenticator = 0x806cd522495a9dea0f1b63c2c7612616 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 8 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010903fc194000ae0fc87b0b841be2300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3131303131323138353335315a170d3132303131323138353335315a308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504 EAP-Message = 0x071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100d73060bc3e4f3bacd8c526ff5efa081cbfd333963c0a90272e83d654b8d1a16a25c9e1358b347d3f91d49ed29d387fd6de5ba5fe18c43b48065e8f1bb9dcb22d1a8679925af0bdc049d32199ba543f1d40a7c6b3578892efcaea646bdde6442593b17cb4713fb4d6f0616a5db38d9b EAP-Message = 0xfd1d6e9dd30b6e536ba717a75adaa7c87fd019e83bea06f5eacb6a09fa9954b60ccc92116455610a2674a03a4ecacee05ce914a72a27965d55471df19c8751fdb69fe66426bb236f7d57cfffe41822e7d8ddfc6c1c8f5b45e6010c896918c4f111626979b280ddf2219099024cb0efb17c9660df9fc642edc9874074cb83e93349b19a2c16409b7444545ee27b2a52bb9d0203010001a381fb3081f8301d0603551d0e04160414872c00a6ed850850f4e202b4d86a1d663b35fd8e3081c80603551d230481c03081bd8014872c00a6ed850850f4e202b4d86a1d663b35fd8ea18199a48196308193310b3009060355040613024652310f300d06035504 EAP-Message = 0x0813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900ae0fc87b0b841be2300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100a5c0c601e1cb4606aa986dc240b7488bb4afd8c0e81ba0361530d556ad117222cdcc5a57a13fe3eb073ca72dff40db0a58c8d835ec110485bd158ab6cd1d8583cd575710b49070b3794384d2cff45f22b81e EAP-Message = 0x2dc327be959645c8 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8791eff18598f6b55a0a76adc31036d5 Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=290 Cleaning up request 7 ID 66 with timestamp +43 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x020900061900 State = 0x8791eff18598f6b55a0a76adc31036d5 Message-Authenticator = 0xf2ec741c480f9339eaa13537cadc59e4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010a00b51900387bb57f237040a0b009495fcb1c4460694c6214f871d93a5afddfcc7aa7727e9ce657d22551e936e9415eea3a0ce78a7ea4b121f711fc19e2b505b4fa004bcc2952effdc18d0cd1ec6fe10bf431e8a189a5cbefcaebd9beab4e75c2309b55de25a9e392112915ad1c7b866a902f091b366eb96e7aa6ab544889069e70fda7ad8a9ec9eb729a6db3aeeb3ca9965daf0d515783a89a0947b6004eaad452777ae3413772aa2f5f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8791eff1849bf6b55a0a76adc31036d5 Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 8 ID 66 with timestamp +43 Ready to process requests. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=277 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x0201000b016b7465737435 Message-Authenticator = 0xacd1f25254d19ef7ef878a3a79e240be +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x119bd5731199cc528cc4c05b9703cffa Finished request 9. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.1.1.1 port 38428, id=66, length=420 Cleaning up request 9 ID 66 with timestamp +48 User-Name = "ktest5" NAS-IP-Address = 127.0.4.1 NAS-Port = 259 Framed-MTU = 1400 Called-Station-Id = "00:1f:45:7f:83:fa" Calling-Station-Id = "58:b0:35:28:19:ad" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "KASD_TEST" Service-Type = Framed-User Vendor-4329-Attr-3 = 0x30353030303130313433303532333035 Vendor-4329-Attr-2 = 0x4a52472d31464c2d41503039 Vendor-4329-Attr-4 = 0x4b4153445f54455354 Vendor-4329-Attr-5 = 0x4b4153445f54455354 Vendor-4329-Attr-6 = 0x30303a31663a34353a37663a38333a6661 Vendor-4329-Attr-7 = 0x53747564656e7473 Vendor-4329-Attr-8 = 0x4b41534453747564656e7473 EAP-Message = 0x0202008819800000007e16030100790100007503014d2e0355d881daaa7bc48ab53b8cbf1877d5045d28d27e8bc56439c8160f2d2e00003ac00ac009c007c008c013c014c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a0009000300080033003900160015001401000012000a00080006001700180019000b00020100 State = 0x119bd5731199cc528cc4c05b9703cffa Message-Authenticator = 0x502685c6634bcf13076884276d720178 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "ktest5", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 136 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 126 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0079], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 085e], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 66 to 10.1.1.1 port 38428 EAP-Message = 0x0103040019c00000089b160301002a0200002603014d2e0342163fcd54d6877c34fe6b48bf4ada483c9daaeb893988fd2bdc1ee46300002f00160301085e0b00085a0008570003a6308203a23082028aa003020102020101300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3131303131323138353335325a170d3132303131323138353335325a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100e8460af12ab26451d71f5f5853ac201a8dee4f3c17d2f6c4725f4c9cc44fc6ae87c1b32d3e62fcd1964c8b1f81044272b76dbaa079cbd3dd727461dfd7a5 EAP-Message = 0x8b623cc4e0c8beccafbc499fc74e8d17e3c9fbd9aafbac061bfa1309372c83e95c8dd5da071d7d97fdd7660ab45c93db04d72184885f895897d840ac4934c11f51c81c4d2e83dccf646b499739781cdff243a48f064e209bef2d2bcde936c6104b63ee467f448d005c127b83bfa708aeed69f1467d3b280a4f1b151d153ce7216ea94c2e33fe400de92d84b823c5b32828959b9ea5b8afbc063ba5db0cabb0b602fdf90e60c354b8e788facfc654ff2310ea763297ea1aef098b4ddb5466abb528910203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010405000382010100904c9828165a2de337 EAP-Message = 0x50191a87ef600b1584376573598f31e772c944faf6e61c383d477c201b0aa6cf8bcb49d8b416f2de1e84774a9423608aad94af078dad2b6b30979d1c6b58cd8eefa9cf827d27f7755f8030dbc7c9e230187f212a5d4400928da0cc2845a7b5048a3b7425818fb437ac9c33746b39aaf4aa49af51340496250c837496f449307860f6cae9bd224c557af44806b46ac837b12a149124e35da9bde2538d9f39c2c33fe33dc7df0d45c5bec5bda68294a994af2db4f7298cf47e680cbca4789791aa3048a17761e4c71ebbd9b82bd324af0dbe8ce26ae88ee8a5d16dbd6685dce7ecb7af820abf975c67bfd34797fbefa47a4eed95cca895860004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x119bd5731098cc528cc4c05b9703cffa Finished request 10. Going to the next request Waking up in 4.9 seconds. Cleaning up request 10 ID 66 with timestamp +48 Ready to process requests.