My certificate generation went really well, no errors at all. I generated the certificates with openssl. My windowsd is also upto date. One thing I would like to drew your attention is, which even myself has just noticed, that it is going through an ongoing EAP conversation, I do not know what this means, I am attaching below the complete complete conversation, which is just one request, but consists of almost 7 pages. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=207, length=145 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User EAP-Message = 0x0201000e016a617377696e646572 User-Name = "jaswinder" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xf63ccec115958bf26b31d981d45e74fc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry jaswinder at line 92 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 207 to 130.1.254.174 port 20000 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x42ade4d942affde10d0318327cc26cf5 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=208, length=145 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User EAP-Message = 0x0202000e016a617377696e646572 User-Name = "jaswinder" NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0x6ce51603d385790a48f26b8f8b8ced74 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 14 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry jaswinder at line 92 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 208 to 130.1.254.174 port 20000 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b2aafbed260fc846046180105 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=209, length=229 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b2aafbed260fc846046180105 EAP-Message = 0x0203005019800000004616030100410100003d030148f74ff6fe78ad4a45efb2be837bc5286bbf40fd69482e1455cf68232482fe2600001600040005000a000900640062000300060013001200630100 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0x891f4b7fd81806810ba67094f50d2e72 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 70 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0041], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 057f], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 209 to 130.1.254.174 port 20000 EAP-Message = 0x0104040019c0000005bc160301002a02000026030148f741e17de2bfc1097ed5b10abf43f984fa0df49da2e88cff388b7eed48895200000400160301057f0b00057b0005780005753082057130820359020101300d06092a864886f70d01010505003076310b300906035504061302554b311330110603550408130a4e6f7274682045617374310d300b06035504071304596f726b3121301f060355040a1318496e7465726e6574205769646769747320507479204c74643120301e0603550403131753656c66205369676e6564204365727469666963617465301e170d3038313031353135323832315a170d3138313031333135323832315a308186 EAP-Message = 0x310b300906035504061302554b311830160603550408130f4e6f72746820596f726b7368697265311630140603550407130d4e6f727468616c6c6572746f6e310d300b060355040a13044e594343310c300a060355040313034943543128302606092a864886f70d0109011619667761646d696e406e6f727468796f726b732e676f762e756b30820222300d06092a864886f70d01010105000382020f003082020a0282020100bed98962fe36a547055100ea062bc27e267b07ce8a2ed8c8c54741e1f566f8a67e5c6240964f1e97596604064390207cb46bca566b548ff52f7223b627787916bde8578ffae1348d45a2d35f9e75f2e81b188a13c146 EAP-Message = 0x65b07552f3ee034b02d5b804e54f502d50f7ac23af35f04314a1a76f4626b03499303320cde2786460e70983dba8d208970f5b07ea2b42b197851bd874bfee47489b000209a7f4ff49b781db8ad91985c5c6505d2f0f3f3ee074689045852182b3d38886e34113c41016820dfe5eab673578d46eb57fa2e560947c72d26ce56d7031d24830eeafcd9651632d8dd5f763131cb3616ce8d284079ac502bb13d05e8f4c5cbc8b80d3e8697aa460d19284adaca07ee6cffa512335f865f1f02334aa9fb189a2649e0de2d07112c8bbd6973e7a880405b32f5e51d0bd31472189e58d9bee7293e16d7d522872b5d94efb1104ba2a7fc34c8997ce5d0eeca3f3 EAP-Message = 0x4761f8760c1376e9b229e9eb056c1be0164b1be2d60620ef21bf0c47404768cfacecc675cd0a36bead65473853410ee9a1ccce01918deca06651890652326146b4b1c4ffbe3ee1745f37b616fe0f520daa878e26c981309f1a6997eb16317c72aeb9c63b36b7cf6be31f42aef27e02998da39be123b1ce7f52582bd6ad84e0550cefa028365c76b8e29e8755935639228cb8287cfa63359a1a788c547d6b2c0bb23bbad9efb23cd590feefbd210203010001300d06092a864886f70d0101050500038202010006f65a65a21f16e7bdf65f6b7b13403f7bbebd7329ffdce2de70327474ce63572e56bdad6fc935d0df75ff1c0582a855cd02135b2c8252 EAP-Message = 0xf79ea04b8da213dba5afb4a1 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b2ba8bed260fc846046180105 Finished request 2. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=210, length=155 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b2ba8bed260fc846046180105 EAP-Message = 0x020400061900 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xedfc96cee46cd1ae4c2bb2edb58beb6d +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 210 to 130.1.254.174 port 20000 EAP-Message = 0x010501cc1900ad8f81aacc1c1ea3293108bad29497af6488aace454af4ae5cfe840dcbfe98af8028cbf26cf947d56b4d0d6aeb9a9b019fc21277a76632808e3f154dd0794e3ea7908b0e277e9e2b26a0969622a04bf5bd8d1bb52e3391bb06c878659db0529f1659fa5593aa58fba0c11c149e00d83fdaab2452fa32aff4175beedf74e4387c268408bc1bc643c0e4c5662245fadd1c12d01bb10f633321c390bd0957810c9e3aaacf5f4a73636a226b2fefa76c4856a154fb840dfb59a411fe15580854a4ad78b63f84e240b12655b7a6971665cc6ab040f1b8fb38c5ad52dd142018776ed575f1576a7c13501bf849d573341b99fc80ef6fdc649fa2 EAP-Message = 0x270eb9001d46851f7c2b3952c24edaae2443a81107bb833c09281bacf591d9916c07575605100a21467d4530690e77a4f725a9b216ca755b8d0cd893922fe36b8837c9e8ec081c46f9f4eed2fc9838415ff9fd44c5e2efc04a9037bbd68af38bb76859c79de8c55f689efb8816db1b09b51ba5d6518416b4796263ef38976e33a268920afb4a8e00d28a041133e4c472c44372ee427f00cf1fbc044447054c22025e7fa95392d70a78aae166cca57ac97ff24309543a20ca5389b652b3e8789d11ce199ee1d216030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b28a9bed260fc846046180105 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=211, length=729 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b28a9bed260fc846046180105 EAP-Message = 0x02050240198000000236160301020610000202020023086e39ea84810380a80a421d7846158936dcd4d4c521625afabf1a9945dea981e5c27294816d1034b060f8c96a71fa434ba1a91ad5f2bd8beb9513f93d0d7dbcdaab113931907ff95ebe05c628d90ba8b0adf41c2b74a47ece8a9f6ff09354d4ec36d7a04da07b3bb221f90c811a0eb908b9a67fdd81db14e7bec64beaee466938ef9355214a004096f053c0f6d5afd85b393ea9ae205ddfa3400fe66728b10a24c3e4f234588b15436437cc43277e0512fc2346d3fa788b3e8a67d74917a18dcca8ce934594e4475de0254c9248eadea22e468765b8e1cedf529f109f02c7148ba081c1d01d EAP-Message = 0x5013f21536cd80c635dc39f2167476ecc42687792d6374c6bb23847bcfee92aa732393a7734baac02a0dbd5530a84196d0adca485436a896aeb553a32ecba4033c9a5baec9bba8d13eb2f98365f9f3ec48e5e53e75881a96fd1b20c42bacbe5cea1f9188de61f97cb6b4ec6b62c4993ec2ac5174bc428cbb43ee1f16c0b00661fba9834fdfb26136b02ea82419a375a682d5373455514876c41727da3f2b8f97a67e6ec057cd6ad21f359c8df7ba913995a989fcd6137fa6a3f4add6d1e3f4255688174f2d155baeb9ed1cdb9ddc6824f621412eaf48e226b6a01ac97caee423bd7af1c89751bf5c725ab79f981da9659eaab12ae9080f3920e971d7 EAP-Message = 0xeed4e752b463889892048fb908fbb9e3aa007f818dbd748f52757d122e1403010001011603010020ce5fb7cdcc8e3e0d7d94e85912776bfc213cbd1712f3cb886c58a737608a4f55 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0x76d3b1109f1d3b8742d0d48a3d5b6287 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 252 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 566 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Handshake [length 0206], ClientKeyExchange [peap] TLS_accept: SSLv3 read client key exchange A [peap] <<< TLS 1.0 ChangeCipherSpec [length 0001] [peap] <<< TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 read finished A [peap] >>> TLS 1.0 ChangeCipherSpec [length 0001] [peap] TLS_accept: SSLv3 write change cipher spec A [peap] >>> TLS 1.0 Handshake [length 0010], Finished [peap] TLS_accept: SSLv3 write finished A [peap] TLS_accept: SSLv3 flush data [peap] (other): SSL negotiation finished successfully SSL Connection Established [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 211 to 130.1.254.174 port 20000 EAP-Message = 0x0106003119001403010001011603010020b117ea55275553e890ee4de849ea7d495a46e8c5e63d7b80e1a369d181ff8020 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2aaca71b29aabed260fc846046180105 Finished request 4. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 130.1.254.174 port 20000, id=212, length=182 NAS-Port-Id = "2049/1" Calling-Station-Id = "00-1F-3B-70-5B-7F" Called-Station-Id = "00-18-6E-30-70-C0:NYCC_TEST" Service-Type = Framed-User User-Name = "jaswinder" State = 0x2aaca71b29aabed260fc846046180105 EAP-Message = 0x02060021198000000017150301001294659677442f8e7a361ee8ee93374c90ed53 NAS-Port-Type = Wireless-802.11 NAS-Identifier = "3Com" NAS-IP-Address = 130.1.254.174 Message-Authenticator = 0xe42d1530c16b34c5b74bfb4c486083aa +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "jaswinder", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 33 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 23 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel. [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Tunneled data is invalid. [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> jaswinder attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 212 to 130.1.254.174 port 20000 EAP-Message = 0x04060004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.4 seconds. Cleaning up request 0 ID 207 with timestamp +46 Cleaning up request 1 ID 208 with timestamp +46 Cleaning up request 2 ID 209 with timestamp +46 Cleaning up request 3 ID 210 with timestamp +46 Waking up in 0.3 seconds. Cleaning up request 4 ID 211 with timestamp +46 Waking up in 1.0 seconds. Cleaning up request 5 ID 212 with timestamp +47 Ready to process requests. Thanks, Jas tnt-4 wrote:
[peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied TLS Alert read:fatal:access denied [peap] WARNING: No data inside of the tunnel.
Something is badly broken here. XP rejected CA certificate. It tends to do that if certificate doesn't have xpextensions. Are you using the CA certificate generated by freeradius? Were there any errors when you were making certificates? Is your XP patched up-to-date?
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- View this message in context: http://www.nabble.com/Mschapv2-not-working%21-Please-help%21-tp20015619p2003... Sent from the FreeRadius - User mailing list archive at Nabble.com.