Hi everybody, I'm trying to upgrade form 1.0.5 to 1.1.7. For a test run, I copied all the cert and key files (only server-side, it's TTLS) from the production server, and 1.1.7 starts up fine (well, almost, see below). When connecting with a SecureW2 client that goes along well with the 1.0.5 server, I get a dialog window presenting the cert, but SecureW2 complains it's unable to put it into the hierarchy (which is in place already). There is no way to go on then, installing manually won't work either. Have I missed some change in the cert handling? Thanks for any help Martin Here's the output: Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/freeradius/proxy.conf Config: including file: /etc/freeradius/clients.conf Config: including file: /etc/freeradius/snmp.conf Config: including file: /etc/freeradius/eap.conf Config: including file: /etc/freeradius/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/freeradius" main: libdir = "/usr/lib/freeradius" main: radacctdir = "/var/log/freeradius/radacct" main: hostname_lookups = no main: snmp = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/freeradius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/freeradius/freeradius.pid" main: user = "freerad" main: group = "freerad" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = no proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib/freeradius Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" pap: auto_header = yes Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/freeradius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "ttls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/freeradius/certs/key-radius-staff.pem" tls: certificate_file = "/etc/freeradius/certs/cert-radius-staff.pem" tls: CA_file = "/etc/freeradius/certs/unimr-ssl-ca.pem" tls: private_key_password = "omihnl" tls: dh_file = "/etc/freeradius/certs/dh" tls: random_file = "/dev/urandom" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" tls: cipher_list = "(null)" tls: check_cert_issuer = "(null)" rlm_eap_tls: Loading the certificate file as a chain WARNING: rlm_eap_tls: Unable to set DH parameters. DH cipher suites may not work! WARNING: Fix this by running the OpenSSL command listed in eap.conf rlm_eap: Loaded and initialized type tls ttls: default_eap_type = "md5" ttls: copy_request_to_tunnel = yes ttls: use_tunneled_reply = yes rlm_eap: Loaded and initialized type ttls Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/freeradius/huntgroups" preprocess: hints = "/etc/freeradius/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no preprocess: with_alvarion_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/freeradius/users" files: acctusersfile = "/etc/freeradius/acct_users" files: preproxy_usersfile = "/etc/freeradius/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/freeradius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. --------------------------- Now the EAP conversation ---------------------------- rad_recv: Access-Request packet from host 192.168.75.247:1645, id=47, length=136 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0xfca416db4cadc5cd8d623f4ffa044a8c EAP-Message = 0x0202000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 1077 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 2 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall[authorize]: module "files" returns notfound for request 3 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 47 to 192.168.75.247 port 1645 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x90e816dcec17882e035976d1081fbf9c Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=48, length=200 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x47f848aca44779c6fe8451fd18e46ec8 EAP-Message = 0x0203003c158000000032160301002d01000029030118e9b132c7808e219ee90a0861130998e95ddde2e6cc192ebf55af97907d967d000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1077 State = 0x90e816dcec17882e035976d1081fbf9c NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 3 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall[authorize]: module "files" returns notfound for request 4 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 48 to 192.168.75.247 port 1645 EAP-Message = 0x0104040a15c000000721160301004a020000460301472724a3f12ef9d27b81a1de39e0df087e3fe05bf25a3286f8f7c3b660f5c5b220bfee9fee4cbf509b91f36992d5e1064063ca128700a209fa5dd265ca771f3f0e000a0016030106c40b0006c00006bd0006ba308206b63082059ea003020102020200bb300d06092a864886f70d0101040500308181310b3009060355040613024445311d301b060355040a1314556e69766572736974616574204d617262757267312d302b06035504031324582e3530392043657274696669636174696f6e20417574686f72697479202832303034293124302206092a864886f70d010901161573736c2d6361 EAP-Message = 0x40756e692d6d6172627572672e6465301e170d3037303331393133313531305a170d3038303131333133313531305a3081c6310b3009060355040613024445310f300d0603550408130648657373656e3110300e060355040713074d617262757267311e301c060355040a13155068696c697070732d556e69766572736974616574311f301d060355040b1316486f6368736368756c72656368656e7a656e7472756d312430220603550403131b5261646975732e53746166662e556e692d4d6172627572672e4445312d302b06092a864886f70d010901161e756d726e65742d7465616d4068727a2e756e692d6d6172627572672e646530819f300d EAP-Message = 0x06092a864886f70d010101050003818d0030818902818100a7b25329a57dcf9f4045f7ca2582b5dfd6c8979bdf109e1cc8acd71fd527c570f0b01e088a4cd1ad922dfa7dece1be7cf36f8b6557008ecc84335d15a02852639b27f38ae4da2adcde274eb0c678c88b7fa1491f9aeda8c817362cf263c13fe3a93377eff7dfa5fda65aa8865f21a757c93c0352b1ea493994cbac1ad290687d0203010001a38203733082036f300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414a103cee748c398670ec57153cf72f7429b6568533081dc0603551d2304 EAP-Message = 0x81d43081d180142fd7076c8060bddab7344958057dd6211b9b6fd8a181b2a481af3081ac310b30090603550406130244453121301f060355040a131844657574736368657320466f72736368756e67736e65747a31163014060355040b130d44464e2d4345525420476d62483110300e060355040b130744464e2d504341312d302b0603550403132444464e20546f706c6576656c2043657274696669636174696f6e20417574686f726974793121301f06092a864886f70d010901161263657274696679407063612e64666e2e64658204042c914130290603551d1104223020811e756d726e65742d7465616d4068727a2e756e692d6d6172627572 EAP-Message = 0x672e646530090603551d12040230003081950603551d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbec9e2e7eaa839c8f4518fd18ce5812c Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=49, length=146 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0xcd6073f073f94d232526a17acdd917cf EAP-Message = 0x020400061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 1077 State = 0xbec9e2e7eaa839c8f4518fd18ce5812c NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 modcall[authorize]: module "chap" returns noop for request 5 modcall[authorize]: module "mschap" returns noop for request 5 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 5 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 modcall[authorize]: module "files" returns notfound for request 5 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 49 to 192.168.75.247 port 1645 EAP-Message = 0x0105032b1580000007211f04818d30818a3043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416 EAP-Message = 0x32687474703a2f2f7777772e7063612e64666e2e64652f64666e7063612f706f6c6963792f777777706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f7777772e756e692d6d6172627572672e64652f6872 EAP-Message = 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5 EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8e7573394ea8f9f58ca7a725d6852aa4 Finished request 5 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 3 ID 47 with timestamp 472724a3 Cleaning up request 4 ID 48 with timestamp 472724a3 Cleaning up request 5 ID 49 with timestamp 472724a3 Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 192.168.75.247:1645, id=50, length=136 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x992ff1c2c9770439d989157ffebd90e3 EAP-Message = 0x0201000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 modcall[authorize]: module "chap" returns noop for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 1 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 modcall[authorize]: module "files" returns notfound for request 6 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 50 to 192.168.75.247 port 1645 EAP-Message = 0x010200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x16e504561504244a150659018be695aa Finished request 6 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=51, length=136 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x0c100489fd8c2198b35376fa9a9e58ea EAP-Message = 0x0203000e01616e6f6e796d6f7573 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 modcall[authorize]: module "chap" returns noop for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 3 length 14 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 modcall[authorize]: module "files" returns notfound for request 7 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 51 to 192.168.75.247 port 1645 EAP-Message = 0x010400061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0e968b1d48e923f2d0f659205a8734fc Finished request 7 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=52, length=200 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0x0bd73c4dafc4b09b305e403cc6f0b8f8 EAP-Message = 0x0204003c158000000032160301002d0100002903019034a3764181867ef4d75ce71605ce439dcbe684c9eccae4acd8cf15fc9e07ea000002000a0100 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 State = 0x0e968b1d48e923f2d0f659205a8734fc NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 8 modcall[authorize]: module "preprocess" returns ok for request 8 modcall[authorize]: module "chap" returns noop for request 8 modcall[authorize]: module "mschap" returns noop for request 8 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 8 rlm_eap: EAP packet type response id 4 length 60 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 8 modcall[authorize]: module "files" returns notfound for request 8 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 8 modcall: leaving group authorize (returns updated) for request 8 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 8 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06c4], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 8 modcall: leaving group authenticate (returns handled) for request 8 Sending Access-Challenge of id 52 to 192.168.75.247 port 1645 EAP-Message = 0x0105040a15c000000721160301004a020000460301472724c19cf50e6bd75f97c0fc3859f33f37b69424d5bd7bce85bdd37ff989a220a44484ec21d75b10cfa8f6bf2ab7334a07c9ec560f963aa1c462a33a50808772000a0016030106c40b0006c00006bd0006ba308206b63082059ea003020102020200bb300d06092a864886f70d0101040500308181310b3009060355040613024445311d301b060355040a1314556e69766572736974616574204d617262757267312d302b06035504031324582e3530392043657274696669636174696f6e20417574686f72697479202832303034293124302206092a864886f70d010901161573736c2d6361 EAP-Message = 0x40756e692d6d6172627572672e6465301e170d3037303331393133313531305a170d3038303131333133313531305a3081c6310b3009060355040613024445310f300d0603550408130648657373656e3110300e060355040713074d617262757267311e301c060355040a13155068696c697070732d556e69766572736974616574311f301d060355040b1316486f6368736368756c72656368656e7a656e7472756d312430220603550403131b5261646975732e53746166662e556e692d4d6172627572672e4445312d302b06092a864886f70d010901161e756d726e65742d7465616d4068727a2e756e692d6d6172627572672e646530819f300d EAP-Message = 0x06092a864886f70d010101050003818d0030818902818100a7b25329a57dcf9f4045f7ca2582b5dfd6c8979bdf109e1cc8acd71fd527c570f0b01e088a4cd1ad922dfa7dece1be7cf36f8b6557008ecc84335d15a02852639b27f38ae4da2adcde274eb0c678c88b7fa1491f9aeda8c817362cf263c13fe3a93377eff7dfa5fda65aa8865f21a757c93c0352b1ea493994cbac1ad290687d0203010001a38203733082036f300c0603551d130101ff04023000300b0603551d0f0404030205a030130603551d25040c300a06082b06010505070301301d0603551d0e04160414a103cee748c398670ec57153cf72f7429b6568533081dc0603551d2304 EAP-Message = 0x81d43081d180142fd7076c8060bddab7344958057dd6211b9b6fd8a181b2a481af3081ac310b30090603550406130244453121301f060355040a131844657574736368657320466f72736368756e67736e65747a31163014060355040b130d44464e2d4345525420476d62483110300e060355040b130744464e2d504341312d302b0603550403132444464e20546f706c6576656c2043657274696669636174696f6e20417574686f726974793121301f06092a864886f70d010901161263657274696679407063612e64666e2e64658204042c914130290603551d1104223020811e756d726e65742d7465616d4068727a2e756e692d6d6172627572 EAP-Message = 0x672e646530090603551d12040230003081950603551d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xf64bcd7ab184104b28fe791bc4534cc7 Finished request 8 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.75.247:1645, id=53, length=146 User-Name = "anonymous" Framed-MTU = 1400 Called-Station-Id = "0013.8011.9a60" Calling-Station-Id = "0018.decc.af5f" Service-Type = Login-User Message-Authenticator = 0xfce71b18a6dc790150378ea46f150da9 EAP-Message = 0x020500061500 NAS-Port-Type = Wireless-802.11 NAS-Port = 1078 State = 0xf64bcd7ab184104b28fe791bc4534cc7 NAS-IP-Address = 192.168.75.247 NAS-Identifier = "warz003" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 9 modcall[authorize]: module "preprocess" returns ok for request 9 modcall[authorize]: module "chap" returns noop for request 9 modcall[authorize]: module "mschap" returns noop for request 9 rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "anonymous" rlm_realm: Proxying request from user anonymous to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 9 rlm_eap: EAP packet type response id 5 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 9 modcall[authorize]: module "files" returns notfound for request 9 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 9 modcall: leaving group authorize (returns updated) for request 9 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 9 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 9 modcall: leaving group authenticate (returns handled) for request 9 Sending Access-Challenge of id 53 to 192.168.75.247 port 1645 EAP-Message = 0x0106032b1580000007211f04818d30818a3043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e6372783043a041a03f863d687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f323030342f73736c2d63612e63726c301106096086480186f8420101040403020640303d06096086480186f84201020430162e687474703a2f2f7777772e756e692d6d6172627572672e64652f68727a2f73657276696365732f73736c2d63612f304106096086480186f8420108043416 EAP-Message = 0x32687474703a2f2f7777772e7063612e64666e2e64652f64666e7063612f706f6c6963792f777777706f6c6963792e68746d6c3081db06096086480186f842010d0481cd1681ca546869732063657274696669636174652077617320697373756564206279207468652053534c2043410a6f6620746865205068696c6970707320556e6976657273697479204d6172627572672c204765726d616e792e0a466f72206675727468657220696e666f726d6174696f6e20706c6561736520706f696e7420796f7572206661766f75726974650a5765622042726f7773657220746f0a687474703a2f2f7777772e756e692d6d6172627572672e64652f6872 EAP-Message = 0x7a2f73657276696365732f73736c2d63612f202e300d06092a864886f70d010104050003820101007ff9ef1d9c04f8e22415b1f74c7a20f6865b231c7c12fc90064b14c4c3489b577b0b0e0b606091de3f3dc6e5d09237c6ed27969915479522009c73f666d306309e34398df72d4349ccae354b9e723ff03ddf1a2147a09dfab2cba0a2eebf0bced6278be2c305f75a3f09b5a39833f438d1e18ad58ee3da35d0d2fdc11c7ed822370bb0b368ee80e4e42143425661f20b18bbd458fb6cecf6237f9714af076ea338b45cf03a165741a81712e0127620789d2450233c6135700048148efa0d7dc46c4155905bdd89bf630524c960a288b47e254feaa5 EAP-Message = 0xe8c2de0a76e2259f3ad7b54afd7ec1420928d2d0dca289a121cba633073fcaa07fe0bd6b2293f42227d00f16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x194813969de6dafbfed1a83597dc3f1b Finished request 9 -- Dr. Martin Pauly Fax: 49-6421-28-26994 HRZ Univ. Marburg Phone: 49-6421-28-23527 Hans-Meerwein-Str. E-Mail: pauly@HRZ.Uni-Marburg.DE D-35032 Marburg