I know that you don't like to waste you time on a newbie like me, but please give me only a hint where the problem could be.
Some XP versions won't allow server certificate to be intermediate certificate. Try altering certs/Makefile to sign client certificates with ca instead of server certificate. Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I think thats my problem too because the tutorial of Alan DeKok-2 led me to the same problem, also with peap. My server is running on vmware and I got the chance to try an switch with different IOS and an different XP Client and the server output was different and far longer: _______________________________________________________________________ Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=5, length=135 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0203000f016f73732d726164697573 Message-Authenticator = 0x83f50eceb4eb9b3f01b91cba34beda74 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceadc2801a2909332f7877a5def Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=6, length=218 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceadc2801a2909332f7877a5def EAP-Message = 0x020400500d800000004616030100410100003d03014b18f9f4d475c347b4c63e498b5588a54d7c3bcfaa54ed228482bbd8cdfb6a0700001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xef2ee3a18747120691d1554121d3647a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010504000dc00000093d160301002a0200002603014b18f9eecee5da441146eddde2ea8e016c2adb0db5c574b49514891d3931f97700000400160301085e0b00085a0008570003a6308203a23082028aa003020102020103300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039313132323133343533305a170d3130313132323133343533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac980cc4c9ec4ad3e23bf9d75989232fb1b5014896413398e3361287de22a5b5c00cac1e0c1b72b2f991aa8c2eeb1e452a7c67950e6af12e31414acbf8a9 EAP-Message = 0x8b96c26e6408da5ca899b30f00799999610945ad89094441a7cafca4067557b4ed52070fdf54b386b2a7a1aa76f134a9b5e7bfdeef3e18bc3d8ba98b49f1f4bb156dd1bbb46ee09b466df0120593471c59acfcb7a2977219e6db535008526dda1f91c374f01bf392d909a1ecde7ec11f926cfd310b39171121228c528a5853524e62ba21f1006c56ef85aa0837bdb123a11a0664015e7b8176b20619e36204f7b7b75d6e445aa84a0cdc49c9a8a82ea97e5686a28a56eced48e43f9c471499d0604f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009dc4e0c6f6e79b6e1c EAP-Message = 0x330b69759c25ac74cef621f5e8115248b9ea758e5b2af73574bd81953c2b5beb514765bdf4b07d50586dded8cfaac20f6ece9b661938bec737d87348f061ea7e3cd2a7338e786cd765aa8f3db636291c10c041d790ab49fcbcf5b41e7ec1ae2f65495b975286e656b23fed0321284cd6643aa411da03918e148eab2b222aa462bb62d50491ba9a27773e297dc8a59b1b0aa1a6fd2e6a110b2d3f94e81563417a2a4f1127937d38a0c6376e25ec51a0eabcd289a6fdfbcbc6f5c708050d8fdc9ad61cade8fa2b90ce4a6f4ff2ef465a1d61bbeb9373f4ef0c6a9c3d558b8424c130052899aa96271e0a9db4beb254ffcda04e8546e544140004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceadd2901a2909332f7877a5def Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=7, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceadd2901a2909332f7877a5def EAP-Message = 0x020500060d00 Message-Authenticator = 0xaef2f990f10c99234767d854d27b544a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010604000dc00000093d00909b9c83a43a1aeb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313132323133343533305a170d3039313232323133343533305a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dca8cc215f2e66300d12c524db0ab7b4e9b3fae5ee90ce3b5d214b1d63f6b7b6e772605bc6ec64f4acac7bfcb7bd2106d2e02c9e2b1412c2ce2a7751741baaf3d73c2ccb496dd9daa8e105b70982c7f8a9326700f2d3ac0959c8f203d0896051427bd12def8761251afb6b EAP-Message = 0x3f5fe90a66fc35542fefe55b7aed80b21304d744bb0407979eb907820a3181cf95df43d395d33eaa396964905162ca449d8e0cad35348272fc067d7b40ebf26382c14ff354886080252b32396b5745dfae39a73d73a10472403eeec68bca7f5ad923a7885fefe49040c86a9760fa62b9899a1908d5ddb4db6ea2d3eaa993e5525c9941d871a6d6618426def29ade4b3bb6f84c2f450203010001a381fb3081f8301d0603551d0e0416041452f2ff741f2d3bbb281fcad3e580b8d70c42650c3081c80603551d230481c03081bd801452f2ff741f2d3bbb281fcad3e580b8d70c42650ca18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900909b9c83a43a1aeb300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c27da3525cc2b702ef481f7c4e7073e22c39bcc870744adcce64e7006bb230f24ba9d45cad1c35de4810c1418e0925a35880097a958ea0a99011d89948490da61e782d41275ab4fa8086fc504684 EAP-Message = 0x35cc4eacbe8a90671537715d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceade2a01a2909332f7877a5def Finished request 9. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=8, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceade2a01a2909332f7877a5def EAP-Message = 0x020600060d00 Message-Authenticator = 0xc92addcb64acecf03702578e45472430 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0107015b0d800000093de1275d07e1318b3e3f3e38b4e742f948efa0d251272389d58a2a4cbe1c74bddb6d584f384cf715e49bac5c13bce7719c9947c27edfa52b7693b39367b3123c99871549a2f7c63f946d9fde67f403a031f67c05e4327a5e4af1385dd48bb9dcb4105565ada8137083c6c9db74e4c66d6c3e06431c345cdfbd678431dd0ea80b6576955f1c8a40273c5351ae7ff243c98bc9b2a423d0b1f4c5ca5c4a597bad4990e33e1d359a7816030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceadf2b01a2909332f7877a5def Finished request 10. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=9, length=1627 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceadf2b01a2909332f7877a5def EAP-Message = 0x020705c70d80000005bd160301058d0b00037d00037a000377308203733082025ba003020102020104300d06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039313132323133343633385a170d3130313132323133343633385a3065310b3009060355040613024652310f300d0603550408130652616469757331153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e311330110603550403130a6f73732d7261646975733119301706092a864886f70d010901160a6f73732d72616469757330820122300d06092a864886f70d01010105000382010f003082010a0282010100e1d40ac149204b59321c6251b567611368612d917fa99a21e38fde2fa875f727613c91eda857169f467800fe2a5c72eb58781189a03e3d1ff82c8b98f87197583afc5a299875f45d9fb7dda8e306b6f7afdcea661ef8b9a638096739a836ed6a7e3379bba6093c5ac04770106c08492f08edce25e71bbc27b3ece097abff30d3df8f21e095699fa3735d186cc7ac490556fdeba6bc5df04bc8a30f96 EAP-Message = 0x8f69fc9b535f21fd923cc408072972265dea7743f217eeffeed4dab6e7809915f4c195bfb9d9c5fe1329c83fd9d6fa26f63a775d82e0354e6bc885d6793f38ba95d55558fe623e103581e064d802572914d9596e46fd2fe5a581e27e04538ec74379455b0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003820101000f9716f57efb977d4030add0ed9757bc150e13e37949185a3898a4d5ba802076e8a2e7c011986ccef252b01b386679590330c8cbee366e6437a466ec51b264af9b91086545629b5a6063ba7aa4750af6649ecdf6b5a38b74a0725aaa091379626fccf3fecc6b50 EAP-Message = 0x2b0106225fa8434d2ab807e12dae14bee9eab2ca911e6a1654b900a5e18098469fb718302c594e81fca97d4294f1fad1522a86dba911a4e291579b8f7fc119906cafab8dde63be367dbfb18aa44492ffe2bb0393c231618f71c19cc460d9a53e50f109d1fdf9686b1ca3652b94bffd27d6b0c671b0b1c5b4287ffc135c5a6b3545843aa05e052c881c190490bc51afc74bb1e05d6fe49e13cd1000010201008fe1f9547a012f8094d3609471041d46ffba1642eac3ef7c1579b3b36c0f758470d9615e859ce9b9a170fee2b1c3b5fd43d31b698828ba709310b1dac307aff136bb191f8cce7c05bcbbaeee4400ae46a7740f8d69e737796bf36709f40f EAP-Message = 0x7d29cc4e2a3563c55aa83bbe8d8209e609ea778208c586625af13a5cc772fd67928a6a499cb6899a5fcedfe6636cefaf25c0a46f9e9cd1d7bd5ae3b4e4d79714c7f048074caee86149f678149dd14cecb22a9a505189ca92894863d69500249f1f736fa285319d87e708e72fee68074067a73ab5841f3aee440e3355a447c74559ac9719037069e4df858dfcbb7841dfdabc27b67d8cd103e30b09637745a5186ff20f00010201003b30a7e1ae8d7d4a826c489d34cfcd32d8d5a9773e45ea2bda2298340281b7ccacea41d108f54ff8bcddda958ece15d82af72ede186b93fffff769294b2af6df7d412e4fff6da4a08a47ba423f0f39dd9066de8696 EAP-Message = 0x5b87e12df25b0538042938aa61557bffa40ddf164236590e9f55e9010b681c5f87f2199cd6cddd5e3b6a7de6ae8b00db96b713fbf60688965f857b4238ef9c140bee0321e2c8190aa27b816743d750a22d3a958bda25f739e4521b3f3d2eba5a20b7236d35d706b09be354a3f21377de68cf54228ebf300167775314dda9dfd8e7b1390ff609467b5ac703e26130fdd6519b148409a4be7c44f57f4c7e87461581a4ce8820f2e38561ece614030100010116030100205c40fd19e50ab899199364162f97f139fb524181835a55a83964d818e8ac3076 Message-Authenticator = 0x4b471a16eae8e42d0c58b78e95297293 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1469 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0381], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> oss-radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 11 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 11 Sending Access-Reject of id 9 to 192.168.5.3 port 1812 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=10, length=135 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000f016f73732d726164697573 Message-Authenticator = 0xa6abf14fc79a6a2a3bab1c7da1a574f8 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 10 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc17480a17ea88a729c3ffa64 Finished request 12. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=11, length=218 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc17480a17ea88a729c3ffa64 EAP-Message = 0x020100500d800000004616030100410100003d03014b18f9f6af7d3ffe4b3887242954843428771b6af2fdc46e52714e7cc4cacb8500001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xb1d532e53fec6922f1e8030c4f8e39e2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 11 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010204000dc00000093d160301002a0200002603014b18f9f1d4e09ac9a9cb137294e433a251f940e98cfab9111ea2f2a059aa127500000400160301085e0b00085a0008570003a6308203a23082028aa003020102020103300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039313132323133343533305a170d3130313132323133343533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac980cc4c9ec4ad3e23bf9d75989232fb1b5014896413398e3361287de22a5b5c00cac1e0c1b72b2f991aa8c2eeb1e452a7c67950e6af12e31414acbf8a9 EAP-Message = 0x8b96c26e6408da5ca899b30f00799999610945ad89094441a7cafca4067557b4ed52070fdf54b386b2a7a1aa76f134a9b5e7bfdeef3e18bc3d8ba98b49f1f4bb156dd1bbb46ee09b466df0120593471c59acfcb7a2977219e6db535008526dda1f91c374f01bf392d909a1ecde7ec11f926cfd310b39171121228c528a5853524e62ba21f1006c56ef85aa0837bdb123a11a0664015e7b8176b20619e36204f7b7b75d6e445aa84a0cdc49c9a8a82ea97e5686a28a56eced48e43f9c471499d0604f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009dc4e0c6f6e79b6e1c EAP-Message = 0x330b69759c25ac74cef621f5e8115248b9ea758e5b2af73574bd81953c2b5beb514765bdf4b07d50586dded8cfaac20f6ece9b661938bec737d87348f061ea7e3cd2a7338e786cd765aa8f3db636291c10c041d790ab49fcbcf5b41e7ec1ae2f65495b975286e656b23fed0321284cd6643aa411da03918e148eab2b222aa462bb62d50491ba9a27773e297dc8a59b1b0aa1a6fd2e6a110b2d3f94e81563417a2a4f1127937d38a0c6376e25ec51a0eabcd289a6fdfbcbc6f5c708050d8fdc9ad61cade8fa2b90ce4a6f4ff2ef465a1d61bbeb9373f4ef0c6a9c3d558b8424c130052899aa96271e0a9db4beb254ffcda04e8546e544140004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc07780a17ea88a729c3ffa64 Finished request 13. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=12, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc07780a17ea88a729c3ffa64 EAP-Message = 0x020200060d00 Message-Authenticator = 0xbee4c0a1276cce1934909d7485a45127 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 12 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010304000dc00000093d00909b9c83a43a1aeb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313132323133343533305a170d3039313232323133343533305a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dca8cc215f2e66300d12c524db0ab7b4e9b3fae5ee90ce3b5d214b1d63f6b7b6e772605bc6ec64f4acac7bfcb7bd2106d2e02c9e2b1412c2ce2a7751741baaf3d73c2ccb496dd9daa8e105b70982c7f8a9326700f2d3ac0959c8f203d0896051427bd12def8761251afb6b EAP-Message = 0x3f5fe90a66fc35542fefe55b7aed80b21304d744bb0407979eb907820a3181cf95df43d395d33eaa396964905162ca449d8e0cad35348272fc067d7b40ebf26382c14ff354886080252b32396b5745dfae39a73d73a10472403eeec68bca7f5ad923a7885fefe49040c86a9760fa62b9899a1908d5ddb4db6ea2d3eaa993e5525c9941d871a6d6618426def29ade4b3bb6f84c2f450203010001a381fb3081f8301d0603551d0e0416041452f2ff741f2d3bbb281fcad3e580b8d70c42650c3081c80603551d230481c03081bd801452f2ff741f2d3bbb281fcad3e580b8d70c42650ca18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900909b9c83a43a1aeb300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c27da3525cc2b702ef481f7c4e7073e22c39bcc870744adcce64e7006bb230f24ba9d45cad1c35de4810c1418e0925a35880097a958ea0a99011d89948490da61e782d41275ab4fa8086fc504684 EAP-Message = 0x35cc4eacbe8a90671537715d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc37680a17ea88a729c3ffa64 Finished request 14. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=13, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc37680a17ea88a729c3ffa64 EAP-Message = 0x020300060d00 Message-Authenticator = 0xc9ec1a2a313c897c3d546b1e17a21e62 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 13 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0104015b0d800000093de1275d07e1318b3e3f3e38b4e742f948efa0d251272389d58a2a4cbe1c74bddb6d584f384cf715e49bac5c13bce7719c9947c27edfa52b7693b39367b3123c99871549a2f7c63f946d9fde67f403a031f67c05e4327a5e4af1385dd48bb9dcb4105565ada8137083c6c9db74e4c66d6c3e06431c345cdfbd678431dd0ea80b6576955f1c8a40273c5351ae7ff243c98bc9b2a423d0b1f4c5ca5c4a597bad4990e33e1d359a7816030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc27180a17ea88a729c3ffa64 Finished request 15. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=14, length=1627 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc27180a17ea88a729c3ffa64 EAP-Message = 0x020405c70d80000005bd160301058d0b00037d00037a000377308203733082025ba003020102020104300d06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039313132323133343633385a170d3130313132323133343633385a3065310b3009060355040613024652310f300d0603550408130652616469757331153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e311330110603550403130a6f73732d7261646975733119301706092a864886f70d010901160a6f73732d72616469757330820122300d06092a864886f70d01010105000382010f003082010a0282010100e1d40ac149204b59321c6251b567611368612d917fa99a21e38fde2fa875f727613c91eda857169f467800fe2a5c72eb58781189a03e3d1ff82c8b98f87197583afc5a299875f45d9fb7dda8e306b6f7afdcea661ef8b9a638096739a836ed6a7e3379bba6093c5ac04770106c08492f08edce25e71bbc27b3ece097abff30d3df8f21e095699fa3735d186cc7ac490556fdeba6bc5df04bc8a30f96 EAP-Message = 0x8f69fc9b535f21fd923cc408072972265dea7743f217eeffeed4dab6e7809915f4c195bfb9d9c5fe1329c83fd9d6fa26f63a775d82e0354e6bc885d6793f38ba95d55558fe623e103581e064d802572914d9596e46fd2fe5a581e27e04538ec74379455b0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003820101000f9716f57efb977d4030add0ed9757bc150e13e37949185a3898a4d5ba802076e8a2e7c011986ccef252b01b386679590330c8cbee366e6437a466ec51b264af9b91086545629b5a6063ba7aa4750af6649ecdf6b5a38b74a0725aaa091379626fccf3fecc6b50 EAP-Message = 0x2b0106225fa8434d2ab807e12dae14bee9eab2ca911e6a1654b900a5e18098469fb718302c594e81fca97d4294f1fad1522a86dba911a4e291579b8f7fc119906cafab8dde63be367dbfb18aa44492ffe2bb0393c231618f71c19cc460d9a53e50f109d1fdf9686b1ca3652b94bffd27d6b0c671b0b1c5b4287ffc135c5a6b3545843aa05e052c881c190490bc51afc74bb1e05d6fe49e13cd1000010201005e3aefc7d60eee0c2378e4faaa28aec136ce78769b625949c4f7fed69e720b4e38f9e37b035b298b7cea3a85ca410ffd72d2b853c8afc5742ca05956b4a7b38d592f2686a2d3a0de245a48ef84103107be0f93761fab3fdc02c01b1796ca EAP-Message = 0x500a7374042d37199de10997b7f70c648dbf7b93290d3ec638b201fea8f8b2942cb05db8b87783165f1446c9893fe74cf5aa7aaca6c07f7c08a0d9923f133fdf912a3a25a4133a95ba387e1d00893485ac5bf1cb66920e3ef29c36c3e25d97a1e12f5b5f6f0e1830b1e23c008379b00c3a205775162e6ed24a9182d9f75546389809a817f7cc1d4dffcc67dec692d4a63a0f6c9ff2b82bb829b56723ff2f80ad79ed0f0001020100d02e9c4475d354b4b159779f4b5232c1518ae7bc92555afba9bb255998cc85b163a379c19f29425a4a209d611f28d0f44dfa813963b228d3a61617ef4db9d800ecd57e6b43796fb89f16abaa1a2500ebc762958538 EAP-Message = 0xfb7468f5a51fb74e25f9797e2558882a3db6128557e1bbbcb08833404496c0ea4e57e7ec846a9a38f81f75a255edba3e15dffa0ec8b04d07ea9bcae2947b24dbe34b4bd01b9eafd15b463db3130afa3e98f0bc58fa36608104207eeb78488708d24c8b7e93e629e4134e282c72020bc47cff40ec8351fe303c905f61e7fbef781193915691403ecb945ae625c692705df1e27dfd3a4b22f0a5f1e60bb6180021c022f5a2f4021280cd3e2c1403010001011603010020849bf86551030b13023b06784ee2f662244e52dba0d38da35803b72742e7b6bc Message-Authenticator = 0x842fdcc9d3a304697a8b444fea294886 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1469 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0381], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> oss-radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 16 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 16 Sending Access-Reject of id 14 to 192.168.5.3 port 1812 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.1 seconds. Cleaning up request 7 ID 5 with timestamp +807 Waking up in 0.1 seconds. Cleaning up request 8 ID 6 with timestamp +807 Cleaning up request 9 ID 7 with timestamp +807 Cleaning up request 10 ID 8 with timestamp +807 Waking up in 1.0 seconds. Cleaning up request 11 ID 9 with timestamp +807 Waking up in 1.3 seconds. Cleaning up request 12 ID 10 with timestamp +810 Cleaning up request 13 ID 11 with timestamp +810 Cleaning up request 14 ID 12 with timestamp +810 Cleaning up request 15 ID 13 with timestamp +810 Waking up in 1.0 seconds. Cleaning up request 16 ID 14 with timestamp +810 Ready to process requests. _______________________________________________________________________ Well after i read your post i tried to sign the client certificates with the ca. I make some changes in the makefile but it think I made something wrong because it doesn't work: old: client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf client.crt: client.csr server.crt server.key index.txt serial openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem .PHONY: server.vrfy client.vrfy: server.pem client.pem c_rehash . openssl verify -CApath . client.pem new: client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf client.crt: client.csr ca.key ca.pem index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem .PHONY: server.vrfy client.vrfy: ca.pem client.pem c_rehash . openssl verify -CApath . client.pem -- View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp265150... Sent from the FreeRadius - User mailing list archive at Nabble.com.