Hello, Thanks for the reply Alan! Made all the changes you indicated. However, I am still having issues. Also, is it required to run a proxy if I only use the radius host? This is just for a small home lab. Please see below results. I really appreciate the help. Also, while I can build from source, would doing so fix this? It seems more like something I have done wrong. A rebuild would just reflect the same misconfigurations if that is what the issue is. SERVER DEBUG : ( listing DEBUG AFTER server came up using radiusd -X ) Received Access-Request Id 0 from 127.0.0.1:52104 to 127.0.0.1:1812 length 140 User-Name = 'user@example.org' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020000150175736572406578616d706c652e6f7267 Message-Authenticator = 0xbd9fa940f7dd27fd9abc4aa6e9bd9615 (0) Received Access-Request packet from host 127.0.0.1 port 52104, id=0, length=140 (0) User-Name = 'user@example.org' (0) NAS-IP-Address = 127.0.0.1 (0) Calling-Station-Id = '02-00-00-00-00-01' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = 'CONNECT 11Mbps 802.11b' (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (0) Message-Authenticator = 0xbd9fa940f7dd27fd9abc4aa6e9bd9615 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "example.org" for User-Name = " user@example.org" (0) suffix : Found realm "example.org" (0) suffix : Adding Stripped-User-Name = "user" (0) suffix : Adding Realm = "example.org" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : Peer sent code Response (2) ID 0 length 21 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_md5 to process EAP data (0) eap_md5 : Issuing MD5 Challenge (0) eap : New EAP session, adding 'State' attribute to reply 0x4bf773f04bf67754 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 127.0.0.1 port 52104, id=0, length=0 (0) EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x4bf773f04bf67754734c0cd3aa7a1f2e Sending Access-Challenge Id 0 from 127.0.0.1:1812 to 127.0.0.1:52104 EAP-Message = 0x0101001604106ca31f737c07bba501ae819fa3fffc2f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4bf773f04bf67754734c0cd3aa7a1f2e (0) Finished request Waking up in 0.3 seconds. Received Access-Request Id 1 from 127.0.0.1:52104 to 127.0.0.1:1812 length 143 User-Name = 'user@example.org' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x02010006030d State = 0x4bf773f04bf67754734c0cd3aa7a1f2e Message-Authenticator = 0xa16f90d8ae45de1cdf7f0d503d820a2e (1) Received Access-Request packet from host 127.0.0.1 port 52104, id=1, length=143 (1) User-Name = 'user@example.org' (1) NAS-IP-Address = 127.0.0.1 (1) Calling-Station-Id = '02-00-00-00-00-01' (1) Framed-MTU = 1400 (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = 'CONNECT 11Mbps 802.11b' (1) EAP-Message = 0x02010006030d (1) State = 0x4bf773f04bf67754734c0cd3aa7a1f2e (1) Message-Authenticator = 0xa16f90d8ae45de1cdf7f0d503d820a2e (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) filter_username filter_username { (1) if (!&User-Name) (1) if (!&User-Name) -> FALSE (1) if (&User-Name =~ / /) (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@.*@/ ) (1) if (&User-Name =~ /@.*@/ ) -> FALSE (1) if (&User-Name =~ /\\.\\./ ) (1) if (&User-Name =~ /\\.\\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\\.$/) (1) if (&User-Name =~ /\\.$/) -> FALSE (1) if (&User-Name =~ /@\\./) (1) if (&User-Name =~ /@\\./) -> FALSE (1) } # filter_username filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix : Checking for suffix after "@" (1) suffix : Looking up realm "example.org" for User-Name = " user@example.org" (1) suffix : Found realm "example.org" (1) suffix : Adding Stripped-User-Name = "user" (1) suffix : Adding Realm = "example.org" (1) suffix : Authentication realm is LOCAL (1) [suffix] = ok (1) eap : Peer sent code Response (2) ID 1 length 6 (1) eap : No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [files] = noop (1) [expiration] = noop (1) [logintime] = noop (1) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (1) WARNING: pap : Authentication will fail unless a "known good" password is available (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = EAP (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap : Expiring EAP session with state 0x4bf773f04bf67754 (1) eap : Finished EAP session with state 0x4bf773f04bf67754 (1) eap : Previous EAP request found for state 0x4bf773f04bf67754, released from the list (1) eap : Peer sent method NAK (3) (1) eap : Found mutually acceptable type TLS (13) (1) eap : Calling eap_tls to process EAP data (1) eap_tls : Flushing SSL sessions (of #0) (1) eap_tls : Requiring client certificate (1) eap_tls : Initiate (1) eap_tls : Requiring client certificate (1) eap_tls : Start returned 1 (1) eap : New EAP session, adding 'State' attribute to reply 0x4bf773f04af57e54 (1) [eap] = handled (1) } # authenticate = handled (1) Sending Access-Challenge packet to host 127.0.0.1 port 52104, id=1, length=0 (1) EAP-Message = 0x010200060d20 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x4bf773f04af57e54734c0cd3aa7a1f2e Sending Access-Challenge Id 1 from 127.0.0.1:1812 to 127.0.0.1:52104 EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x4bf773f04af57e54734c0cd3aa7a1f2e (1) Finished request Waking up in 0.3 seconds. Received Access-Request Id 2 from 127.0.0.1:52104 to 127.0.0.1:1812 length 143 User-Name = 'user@example.org' NAS-IP-Address = 127.0.0.1 Calling-Station-Id = '02-00-00-00-00-01' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = 'CONNECT 11Mbps 802.11b' EAP-Message = 0x020200060300 State = 0x4bf773f04af57e54734c0cd3aa7a1f2e Message-Authenticator = 0xb1da50c5d4bdd5bb67f32dec997d2d3a (2) Received Access-Request packet from host 127.0.0.1 port 52104, id=2, length=143 (2) User-Name = 'user@example.org' (2) NAS-IP-Address = 127.0.0.1 (2) Calling-Station-Id = '02-00-00-00-00-01' (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = 'CONNECT 11Mbps 802.11b' (2) EAP-Message = 0x020200060300 (2) State = 0x4bf773f04af57e54734c0cd3aa7a1f2e (2) Message-Authenticator = 0xb1da50c5d4bdd5bb67f32dec997d2d3a (2) # Executing section authorize from file /etc/raddb/sites-enabled/default (2) authorize { (2) filter_username filter_username { (2) if (!&User-Name) (2) if (!&User-Name) -> FALSE (2) if (&User-Name =~ / /) (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@.*@/ ) (2) if (&User-Name =~ /@.*@/ ) -> FALSE (2) if (&User-Name =~ /\\.\\./ ) (2) if (&User-Name =~ /\\.\\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\\.$/) (2) if (&User-Name =~ /\\.$/) -> FALSE (2) if (&User-Name =~ /@\\./) (2) if (&User-Name =~ /@\\./) -> FALSE (2) } # filter_username filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix : Checking for suffix after "@" (2) suffix : Looking up realm "example.org" for User-Name = " user@example.org" (2) suffix : Found realm "example.org" (2) suffix : Adding Stripped-User-Name = "user" (2) suffix : Adding Realm = "example.org" (2) suffix : Authentication realm is LOCAL (2) [suffix] = ok (2) eap : Peer sent code Response (2) ID 2 length 6 (2) eap : No EAP Start, assuming it's an on-going EAP conversation (2) [eap] = updated (2) [files] = noop (2) [expiration] = noop (2) [logintime] = noop (2) WARNING: pap : No "known good" password found for the user. Not setting Auth-Type (2) WARNING: pap : Authentication will fail unless a "known good" password is available (2) [pap] = noop (2) } # authorize = updated (2) Found Auth-Type = EAP (2) # Executing group from file /etc/raddb/sites-enabled/default (2) authenticate { (2) eap : Expiring EAP session with state 0x4bf773f04af57e54 (2) eap : Finished EAP session with state 0x4bf773f04af57e54 (2) eap : Previous EAP request found for state 0x4bf773f04af57e54, released from the list (2) eap : Peer sent method NAK (3) (2) eap : Peer NAK'd indicating it is not willing to continue (2) eap : Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject : EXPAND %{User-Name} (2) attr_filter.access_reject : --> user@example.org (2) attr_filter.access_reject : Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) eap : Reply already contained an EAP-Message, not inserting EAP-Failure (2) [eap] = noop (2) remove_reply_message_if_eap remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else else { (2) [noop] = noop (2) } # else else = noop (2) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sending Access-Reject packet to host 127.0.0.1 port 52104, id=2, length=0 (2) EAP-Message = 0x04020004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Reject Id 2 from 127.0.0.1:1812 to 127.0.0.1:52104 EAP-Message = 0x04020004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 0 with timestamp +22 (1) Cleaning up request packet ID 1 with timestamp +22 (2) Cleaning up request packet ID 2 with timestamp +22 Ready to process requests EAPOL_TEST OUTPUT : eapol_test -c /root/eapol_tls_test.tls -A127.0.0.1 -a127.0.0.1 -p1812 -stesting123 -r1 Reading configuration file '/root/eapol_tls_test.tls' Line: 1 - start of a new network block ssid - hexdump_ascii(len=9): 54 45 53 54 2d 53 53 49 44 TEST-SSID eap methods - hexdump(len=16): 00 00 00 00 0d 00 00 00 00 00 00 00 00 00 00 00 eapol_flags=0 (0x0) key_mgmt: 0x1 identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org ca_cert - hexdump_ascii(len=24): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 63 61 5f 2e 70 65 6d /ca_.pem client_cert - hexdump_ascii(len=25): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 75 73 65 72 2e 70 65 6d /user.pem private_key - hexdump_ascii(len=27): 2f 65 74 63 2f 72 61 64 64 62 2f 63 65 72 74 73 /etc/raddb/certs 2f 63 6c 69 65 6e 74 2e 6b 65 79 /client.key private_key_passwd - hexdump_ascii(len=8): 77 68 61 74 65 76 65 72 whatever eapol_flags=3 (0x3) Priority group 0 id=0 ssid='TEST-SSID' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:52104 EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=0 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using real identity - hexdump_ascii(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 user@example.org EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=21) TX EAP -> RADIUS - hexdump(len=21): 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=16): 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=140 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=23 Value: 02 00 00 15 01 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 6f 72 67 Attribute 80 (Message-Authenticator) length=18 Value: bd 9f a9 40 f7 dd 27 fd 9a bc 4a a6 e9 bd 96 15 Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 80 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=0 length=80 Attribute 79 (EAP-Message) length=24 Value: 01 01 00 16 04 10 6c a3 1f 73 7c 07 bb a5 01 ae 81 9f a3 ff fc 2f Attribute 80 (Message-Authenticator) length=18 Value: f2 bf 89 14 05 06 6f 04 17 5e 85 a8 0d 5f db b0 Attribute 24 (State) length=18 Value: 4b f7 73 f0 4b f6 77 54 73 4c 0c d3 aa 7a 1f 2e STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=1 len=22) from RADIUS server: EAP-Request-MD5 (4) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=1 method=4 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD EAP: configuration does not allow: vendor 0 method 4 EAP: vendor 0 method 4 not allowed CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=4 -> NAK EAP: Status notification: refuse proposed method (param=MD5) EAP: Building EAP-Nak (requested type 4 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=1): 0d EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 01 00 06 03 0d Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=1 length=143 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 01 00 06 03 0d Attribute 24 (State) length=18 Value: 4b f7 73 f0 4b f6 77 54 73 4c 0c d3 aa 7a 1f 2e Attribute 80 (Message-Authenticator) length=18 Value: a1 6f 90 d8 ae 45 de 1c df 7f 0d 50 3d 82 0a 2e Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE Received 64 bytes from RADIUS server Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=1 length=64 Attribute 79 (EAP-Message) length=8 Value: 01 02 00 06 0d 20 Attribute 80 (Message-Authenticator) length=18 Value: 46 0f 99 22 0c 12 9d 9d 15 b2 62 54 73 a2 1e 80 Attribute 24 (State) length=18 Value: 4b f7 73 f0 4a f5 7e 54 73 4c 0c d3 aa 7a 1f 2e STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 0.00 sec RADIUS packet matching with station decapsulated EAP packet (code=1 id=2 len=6) from RADIUS server: EAP-Request-TLS (13) EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=2 method=13 vendor=0 vendorMethod=0 EAP: EAP entering state GET_METHOD CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=13 EAP: Status notification: accept proposed method (param=TLS) EAP: Initialize selected EAP method: vendor 0 method 13 (TLS) TLS: using phase1 config options OpenSSL: tls_connection_ca_cert - Failed to load root certificates error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:2006D080:BIO routines:BIO_new_file:no such file OpenSSL: pending error: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib OpenSSL: tls_load_ca_der - Failed load CA in DER format error:02001002:system library:fopen:No such file or directory OpenSSL: pending error: error:20074002:BIO routines:FILE_CTRL:system lib OpenSSL: pending error: error:0B06F002:x509 certificate routines:X509_load_cert_file:system lib TLS: Failed to set TLS connection parameters ENGINE: engine deinit EAP-TLS: Failed to initialize SSL. EAP: Failed to initialize EAP method: vendor 0 method 13 (TLS) EAP: Building EAP-Nak (requested type 13 vendor=0 method=0 not allowed) EAP: allowed methods - hexdump(len=0): EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=6) TX EAP -> RADIUS - hexdump(len=6): 02 02 00 06 03 00 Encapsulating EAP message into a RADIUS packet Copied RADIUS State Attribute Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=2 length=143 Attribute 1 (User-Name) length=18 Value: 'user@example.org' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=8 Value: 02 02 00 06 03 00 Attribute 24 (State) length=18 Value: 4b f7 73 f0 4a f5 7e 54 73 4c 0c d3 aa 7a 1f 2e Attribute 80 (Message-Authenticator) length=18 Value: b1 da 50 c5 d4 bd d5 bb 67 f3 2d ec 99 7d 2d 3a Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE EAPOL: startWhen --> 0 Received 44 bytes from RADIUS server Received RADIUS message RADIUS message: code=3 (Access-Reject) identifier=2 length=44 Attribute 79 (EAP-Message) length=6 Value: 04 02 00 04 Attribute 80 (Message-Authenticator) length=18 Value: fc 84 e6 2f ec ab 4f 8b 78 0d a8 32 37 03 18 99 STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending request, round trip time 1.00 sec RADIUS packet matching with station decapsulated EAP packet (code=4 id=2 len=4) from RADIUS server: EAP Failure EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Failure EAP: Status notification: completion (param=failure) EAP: EAP entering state FAILURE CTRL-EVENT-EAP-FAILURE EAP authentication failed EAPOL: SUPP_PAE entering state HELD EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state FAIL EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: success=0 EAPOL: EAP key not available EAPOL: EAP key not available MPPE keys OK: 0 mismatch: 2 FAILURE EAPOL_CONFIG : cat /root/eapol_tls_test.tls network={ ssid="TEST-SSID" eap=TLS eapol_flags=0 key_mgmt=WPA-EAP identity="user@example.org" ca_cert="/etc/raddb/certs/ca_.pem" client_cert="/etc/raddb/certs/user.pem" private_key="/etc/raddb/certs/client.key" private_key_passwd="whatever" eapol_flags=3 } Ollie Teasley Linux Administrator ISMELL.SHOES, LLC On Sat, Feb 6, 2016 at 8:09 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 6, 2016, at 8:45 PM, John Teasley <ollieteasley@gmail.com> wrote:
I have been trying to freeRADIUS Version 3.0.4 worling with EAP-TLS for a while now.
Please don't. 3.0.11 was released recently. There are few reasons to use a version which is years out of date.
I was able to get PAP working using the guide athttp://deployingradius.com/documents/configuration/pap.html. However, getting EAP-TLS to work has been a pain.
3.0.11 has a sample config for eapol_test in src/tests/eap-tls.conf. It should pretty much work.
In my case I used the freeradius as installed by yum from the repos. Before doing the guide at the link posted below I built the certs in /etc/raddb/certs using make. No changes have been made to the .cnf files in the certs directory since this was a test. The eapol_test config is also posted below.
OK.
I have used radius as installed on pfsense in the past. However, I now wish to have a standalone host to take care of this. I have spent 3 days trying to get this to work. I am at a complete loss as what is wrong or how to even find out at this point. I have already ran radius with radius -XX and am not seeing that I know how to change. I would greatly appreciate some help on this. The settings I have used are EXACTLY what i slisted in the links.
That's good...
eapol_test configuration :
network={ ssid="TEST-SSID" eap=TLS eapol_flags=0 key_mgmt=WPA-EAP identity="user@example.com"
Which is the problem. If you read the debug output, you'll see it proxying requests. You probably don't want to do that.
(0) suffix : Looking up realm "example.com" for User-Name = "
user@example.com"
(0) suffix : Found realm "example.com" (0) suffix : Adding Stripped-User-Name = "user" (0) suffix : Adding Realm = "example.com" (0) suffix : Proxying request from user user to realm example.com (0) suffix : Preparing to proxy authentication request to realm " example.com" (0) [suffix] = updated (0) eap : Request is supposed to be proxied to Realm example.com. Not doing EAP.
Which is the issue.
Change the eapol_test config file to use example.org, and edit proxy.conf to add:
realm example.org { }
Which says it's a local realm, and not to be proxied.
This change is also available in 3.0.11, which is one reason why we suggest using the latest versions.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html