I have configured etc/raddb/mods-available/eap eap { default_eap_type = tls } peap { default_eap_type = tls } I have this warning: 6) eap_tls: WARNING: (TLS) EAP Total received record fragments (91 bytes), does not equal expected expected data length (0 bytes) And this is my log: (12) Received Access-Request Id 245 from 172.17.0.1:50346 to 172.17.0.2:1812 length 228 (12) User-Name = "bob" (12) NAS-IP-Address = 192.168.2.1 (12) NAS-Identifier = "RalinkAP0" (12) NAS-Port = 0 (12) Called-Station-Id = "04-D9-F5-57-18-30" (12) Calling-Station-Id = "00-0B-57-F6-1C-D5" (12) Framed-MTU = 1400 (12) NAS-Port-Type = Wireless-802.11 (12) EAP-Message = 0x0208005c0d00011603030050b26cf6b6226b3980df1fbf03079d6cf034ebba09a493c5f51e2b3c95ac12d5366d8429430577a30f6ec4647169c7ca70a2aed956dfab9473c0c3f7f00f8eff475db3f3fa5a27aa592bfc598b75310dff (12) State = 0x65c4754763cc78ec7a205a84609f1783 (12) Message-Authenticator = 0xa68af9191955bedeeab1daf3abfca207 (12) Restoring &session-state (12) &session-state:Framed-MTU = 994 (12) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" (12) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (12) # Executing section authorize from file /etc/freeradius/sites-enabled/default (12) authorize { (12) policy filter_username { (12) if (&User-Name) { (12) if (&User-Name) -> TRUE (12) if (&User-Name) { (12) if (&User-Name =~ / /) { (12) if (&User-Name =~ / /) -> FALSE (12) if (&User-Name =~ /@[^@]*@/ ) { (12) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (12) if (&User-Name =~ /\.\./ ) { (12) if (&User-Name =~ /\.\./ ) -> FALSE (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (12) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (12) if (&User-Name =~ /\.$/) { (12) if (&User-Name =~ /\.$/) -> FALSE (12) if (&User-Name =~ /@\./) { (12) if (&User-Name =~ /@\./) -> FALSE (12) } # if (&User-Name) = notfound (12) } # policy filter_username = notfound (12) [preprocess] = ok (12) [chap] = noop (12) [mschap] = noop (12) [digest] = noop (12) suffix: Checking for suffix after "@" (12) suffix: No '@' in User-Name = "bob", looking up realm NULL (12) suffix: No such realm "NULL" (12) [suffix] = noop (12) eap: Peer sent EAP Response (code 2) ID 8 length 92 (12) eap: No EAP Start, assuming it's an on-going EAP conversation (12) [eap] = updated (12) files: users: Matched entry bob at line 87 (12) [files] = ok (12) [expiration] = noop (12) [logintime] = noop (12) pap: WARNING: Auth-Type already set. Not setting to PAP (12) [pap] = noop (12) } # authorize = updated (12) Found Auth-Type = eap (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) authenticate { (12) eap: Expiring EAP session with state 0x83c0258587c628a6 (12) eap: Finished EAP session with state 0x65c4754763cc78ec (12) eap: Previous EAP request found for state 0x65c4754763cc78ec, released from the list (12) eap: Peer sent packet with method EAP TLS (13) (12) eap: Calling submodule eap_tls to process data (12) eap_tls: (TLS) EAP Got final fragment (86 bytes) (12) eap_tls: (TLS) EAP Done initial handshake (12) eap_tls: (TLS) Handshake state - Server SSLv3/TLS write server done (12) eap_tls: (TLS) recv TLS 1.2 Handshake, Certificate (12) eap_tls: (TLS) send TLS 1.2 Alert, fatal decode_error (12) eap_tls: ERROR: (TLS) Alert write:fatal:decode error (12) eap_tls: ERROR: (TLS) Server : Error in error (12) eap_tls: ERROR: (TLS) Failed reading from OpenSSL: error:1417C087:SSL routines:tls_process_client_certificate:cert length mismatch (12) eap_tls: ERROR: (TLS) System call (I/O) error (-1) (12) eap_tls: ERROR: (TLS) EAP Receive handshake failed during operation (12) eap_tls: ERROR: [eaptls process] = fail (12) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed (12) eap: Sending EAP Failure (code 4) ID 8 length 4 (12) eap: Failed in EAP select (12) [eap] = invalid (12) } # authenticate = invalid (12) Failed to authenticate the user (12) Using Post-Auth-Type Reject (12) # Executing group from file /etc/freeradius/sites-enabled/default (12) Post-Auth-Type REJECT { (12) attr_filter.access_reject: EXPAND %{User-Name} (12) attr_filter.access_reject: --> bob (12) attr_filter.access_reject: Matched entry DEFAULT at line 11 (12) [attr_filter.access_reject] = updated (12) [eap] = noop (12) policy remove_reply_message_if_eap { (12) if (&reply:EAP-Message && &reply:Reply-Message) { (12) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (12) else { (12) [noop] = noop (12) } # else = noop (12) } # policy remove_reply_message_if_eap = noop (12) } # Post-Auth-Type REJECT = updated (12) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (12) (12) Discarding duplicate request from client desktop port 50346 - ID: 245 due to delayed response (12) Sending delayed response (12) Sent Access-Reject Id 245 from 172.17.0.2:1812 to 172.17.0.1:50346 length 44 (12) EAP-Message = 0x04080004 (12) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (9) Cleaning up request packet ID 242 with timestamp +53 (10) Cleaning up request packet ID 243 with timestamp +53 (11) Cleaning up request packet ID 244 with timestamp +53 (12) Cleaning up request packet ID 245 with timestamp +53 Ready to process requests Instead the connection with PEAP-MSCHAP is correct. El lun, 7 mar 2022 a las 13:39, Alan DeKok (<aland@deployingradius.com>) escribió:
On Mar 7, 2022, at 4:19 AM, Iñigo Vicente <ivicente@bexencardio.com> wrote:
What changes do I have to make to configure freeradius with TLS?
Edit the configuration files.
There's lots of documentation and examples.
If you have a *specific* question, ask that. Questions like "How can I do stuff" are vague and useless.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html