Hello I have SLES 11 SP1(64bit), freeradius 2.1.12 and openssl 0.9.8r. I set up authentication with EAP/TLS. Server and client certificates are valid until 3011 year. Here they are: Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Dec 5 07:05:02 2011 GMT Not After : Apr 7 07:05:02 3011 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = Root X509v3 extensions: X509v3 Extended Key Usage: TLS Web Server Authentication Certificate is to be certified until Apr 7 07:05:02 3011 GMT (365000 days) Certificate Details: Serial Number: 2 (0x2) Validity Not Before: Dec 5 07:06:57 2011 GMT Not After : Apr 7 07:06:57 3011 GMT Subject: countryName = AU stateOrProvinceName = Some-State organizationName = Internet Widgits Pty Ltd commonName = testuser X509v3 extensions: X509v3 Extended Key Usage: TLS Web Client Authentication Certificate is to be certified until Apr 7 07:06:57 3011 GMT (365000 days) Now client like authentication is successful. About this show freeradius: Login OK: [host/testuser] (from client private-network port 33566721 cli 0022-15ef-ab87) # Executing section post-auth from file /etc/raddb/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 67 to 10.2.2.240 port 5002 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3" MS-MPPE-Recv-Key = 0xca7449798f0f957fe8e03542d1b9a5ef6291756644f4e392a60f078a3c858cba MS-MPPE-Send-Key = 0xcfffb577e162ba2111b253f1f969e46e39521626f4669704e367502640f368a7 EAP-Message = 0x03050004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "host/testuser" Finished request 3. After that, I wanted to check as to be the case in 2050, as we recall certificates are valid until 3011. Set the time on the server freeradius August 1, 2050 (01/08/2050) and the same thing on a client running on Windows XP SP3. Authentication fails (slightly below records cite the radius). I have a question for all who can help, this is the mistake of freeradius, which can not correctly identify the validity of the certificate. Or somewhere I made a mistake when setting up. Maybe this one is already experienced. I'll be glad for your help. test#radiusd -X .................. rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=68, length=221 User-Name = "host/testuser" EAP-Message = 0x0202001201686f73742f7465737475736572 Message-Authenticator = 0xe394bda2df7b6ff808bd0079cb5620cd NAS-IP-Address = 10.2.2.240 NAS-Identifier = "001ac1d4d442" NAS-Port = 33566721 NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0022-15ef-ab87" H3C-Connect_Id = 18 H3C-Product-ID = "5500-EI" H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87" H3C-NAS-Startup-Timestamp = 954640520 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 152 [files] users: Matched entry host/testuser at line 234 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 68 to 10.2.2.240 port 5002 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3" EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x905a520890595f1e7244e69c58c3b630 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=69, length=301 User-Name = "host/testuser" EAP-Message = 0x020300500d800000004616030100410100003d030198387b2b15bc66925793a2b08aec38827730edb90a98238b1f8967ad5b0e5a3000001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x57f352efbff4566bed7422e481a95c1e NAS-IP-Address = 10.2.2.240 NAS-Identifier = "001ac1d4d442" NAS-Port = 33566721 NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0022-15ef-ab87" State = 0x905a520890595f1e7244e69c58c3b630 H3C-Connect_Id = 18 H3C-Product-ID = "5500-EI" H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87" H3C-NAS-Startup-Timestamp = 954640520 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 152 [files] users: Matched entry host/testuser at line 234 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0245], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0066], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 69 to 10.2.2.240 port 5002 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "3" EAP-Message = 0x010402ee0d80000002e4160301002a02000026030198387b5ccef9ea8b00a2b87027963d9f59eccbf3df96bfb208b4fb2072f06cd10000040016030102450b00024100023e00023b30820237308201a0a003020102020101300d06092a864886f70d01010505003054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f743020170d3131313230353037303530325a180f33303131303430373037303530325a3054310b3009060355040613024155311330110603550408130a536f6d65 EAP-Message = 0x2d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100e3bd7f6d0226d923d61f85542cd081e2a78a647855b252a3796b624daf45cc8e7d2ce664942d507fdd60bb8bfcf4b439122a7cf5607957e25439b3df92a56bbab3f6ead61042869e1beee05acfc3a5b338e5cc847ce2e4c09d3b8122569bbdbb93939502bbd9c7fc8efe1af165aaca423562729433f8c94466df2742c6dcc56d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d EAP-Message = 0x010105050003818100ae145995a7db51de5488b35bb51c8cd9cb38be974572fb10989e2bfd5e8d2bcb1fac78a393e2b1afcb23a7436194078d4c246ae4c2f2823a2cfb586dbb1ba181887761f3eb2e4ee93fda19ed3b461af1f1dd49040462f574913234446b52d926f9680dca83626fc6deb048ce1d8cd1ef09b6cf42464bfc2dda2534ded1aec5ae16030100660d00005e03010240005800563054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x905a5208915e5f1e7244e69c58c3b630 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.2.2.240 port 5002, id=70, length=1138 User-Name = "host/testuser" EAP-Message = 0x0204038f0d800000038516030103550b00024500024200023f3082023b308201a4a003020102020102300d06092a864886f70d01010505003054310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464310d300b06035504031304526f6f743020170d3131313230353037303635375a180f33303131303430373037303635375a3058310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c74643111300f0603 EAP-Message = 0x5504031308746573747573657230819f300d06092a864886f70d010101050003818d0030818902818100e4991040e15c9024ae083463fd6e2d09f46ca74e3cbeadd978f2e41ddb724e19ad31a9992e8da760d4892efaf9aeeff0c3331935020138485f7d48e625c4e57e55de639f131144c4e57fa7392f963ac719cf79d8dec0aa13254a8593022cb0004e58377ac8e2deaeb543b412a4ec96f955a30efab73e08cb7a825c9a6ec871af0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d01010505000381810057827d8957a1782f450852803827b2e739cf5d7f85aac9a851467b4f8f2e2925c80d EAP-Message = 0xe075839d54a9b794e8a57a46750d932ae08a9c5b459d612dbd3153917da9f59dd493035382d696b1ecdcf1d867b55bdead570bd2417bd73c9c25b97d059c0579010da85edea51153830e4f4ce739ad361840198a7fefb1a68f328760ae561000008200807e2f5d813d13b4d0b4a37a400aa4047bd80f48b2239421304e8e87ddd9f1e8346ce680c7d965d83b6b11dcd1d6630ef0558f98c7323fe944aa024b8a51bd3ee5d376abb52df677e950eac9264435d027cc10e852107936a47fa622da0dfd575fcc48d095a931b544e6a9807dbfea859060cf28aa77eee6b66f20f94b9f183b620f00008200801f56d252999ca4dace4dd3653ab3ba1d2b232a EAP-Message = 0x126b781576b298652220ea7135e389b908c5e792fc316c3932836c317527278ba5682d5f22b86671f4bec52015f513402f6dfe9c371dbc245b8a563c87b1a3ea5589ecd20814e4e8aeee29c6832ebad011afc6040b85e4e2ec2b2ece9acdefa78e9f3c533f9ad13f104a7d5fa81403010001011603010020484dad944f3d7e14256da2f4be5641b0e3e094b3bbd20f973f13f4c081a6fddb Message-Authenticator = 0xc43e468dd06dc0a9bc0a93893dbd14a5 NAS-IP-Address = 10.2.2.240 NAS-Identifier = "001ac1d4d442" NAS-Port = 33566721 NAS-Port-Id = "unit=2;subslot=0;port=3;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0022-15ef-ab87" State = 0x905a5208915e5f1e7244e69c58c3b630 H3C-Connect_Id = 18 H3C-Product-ID = "5500-EI" H3C-Ip-Host-Addr = "0.0.0.0 00:22:15:ef:ab:87" H3C-NAS-Startup-Timestamp = 954640520 # Executing section authorize from file /etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "host/testuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 152 [files] users: Matched entry host/testuser at line 234 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 901 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0249], Certificate --> verify error:num=9:certificate is not yet valid [tls] >>> TLS 1.0 Alert [length 0002], fatal bad_certificate TLS Alert write:fatal:bad certificate TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (certificate is not yet valid): [host/testuser] (from client private-network port 33566721 cli 0022-15ef-ab87) Using Post-Auth-Type Reject # Executing group from file /etc/raddb/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> host/testuser attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 2 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 2 Sending Access-Reject of id 70 to 10.2.2.240 port 5002 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 68 with timestamp +11 Cleaning up request 1 ID 69 with timestamp +11 Waking up in 1.0 seconds. Cleaning up request 2 ID 70 with timestamp +11 Ready to process requests.