I use eap-tsl for the registration record of computer. It is necessary to open access to the network to pressure of Ctrl+Alt+Del. I will not understand what is the matter: rad_recv: Access-Request packet from host 10.0.1.2:5007, id=154, length=216 User-Name = "host/cit44" EAP-Message = 0x0202000f01686f73742f6369743434 Message-Authenticator = 0xda5f6a382f76e341ecd76c7fe2eda837 NAS-IP-Address = 10.0.1.2 NAS-Identifier = "001ac1d4ee42" NAS-Port = 117604353 NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0013-7737-714e" Vendor-25506-Attr-26 = 0x0000001e Vendor-25506-Attr-255 = 0x353530302d4549 Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465 Vendor-25506-Attr-59 = 0x38e68c68 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 0 rlm_eap: EAP packet type response id 2 length 15 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 users: Matched entry host/cit44 at line 235 modcall[authorize]: module "files" returns ok for request 0 modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: leaving group authenticate (returns handled) for request 0 Sending Access-Challenge of id 154 to 10.0.1.2 port 5007 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0x010300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x85f944d1ab810baf397561351f4da39d Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.0.1.2:5007, id=155, length=335 User-Name = "host/cit44" EAP-Message = 0x020300740d800000006a160301006501000061030148eca4801a94d16d54f4d65aa34134bcbd1fb96c22cd0e25ccbbcb4298d76bee000018002f00350005000ac009c00ac013c0140032003800130004010000200000000a00080000056369743434000a00080006001700180019000b00020100 Message-Authenticator = 0x2e81df002f583a191f6f4845ac7caac4 NAS-IP-Address = 10.0.1.2 NAS-Identifier = "001ac1d4ee42" NAS-Port = 117604353 NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0013-7737-714e" State = 0x85f944d1ab810baf397561351f4da39d Vendor-25506-Attr-26 = 0x0000001e Vendor-25506-Attr-255 = 0x353530302d4549 Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465 Vendor-25506-Attr-59 = 0x38e68c68 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 1 rlm_eap: EAP packet type response id 3 length 116 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 users: Matched entry host/cit44 at line 235 modcall[authorize]: module "files" returns ok for request 1 modcall: leaving group authorize (returns updated) for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0065], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 056e], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0074], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: leaving group authenticate (returns handled) for request 1 Sending Access-Challenge of id 155 to 10.0.1.2 port 5007 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0x0104040a0dc00000063b160301004a02000046030148eca6691c134aa5dcae49113ba12777f17184a40c5aa0006278ed9da3dadb3e20ead1859034d686e829341c20201db4c23929ba343e371ace1058d1c5025949f9002f00160301056e0b00056a0005670002503082024c308201b5a003020102020101300d06092a864886f70d01010505003063310b3009060355040613025541311330110603550408130a5a61706f726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953311630140603550403130d41646d696e6973747261746f72301e170d3038313030313037343430315a EAP-Message = 0x170d3039313030313037343430315a305c310b3009060355040613025541311330110603550408130a5a61706f726f7a736865310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953310f300d0603550403130652414449555330819f300d06092a864886f70d010101050003818d0030818902818100ac35b8809afa0040f3ebc0af9fb56e2a4196f58fe6aee43df306d38e27a8d3da043dfffa300bf8e4b851e88612e6ddce19aaf601912a9a0cb400d736cef53ffdc07950598741653bd839b24e80399c02eaaa48627241d20b20be2df7311ce3b9f7524ffcb03045bcc56d3a0de7d3c382720512 EAP-Message = 0xbfb3d14e7b8418fcdd61f241930203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810037d0d8ed990d72b050cc7c62fb550e65ee8e6115634fa1cd470d344e19c5cf820e0de0c74db9da252d8c2dd9135c32311d9de10d77abe571ceb0c8e8451ba9f06a04aa12b18e917ccd85763f38d7daf3440f4c62c388019f79329d49fb8d2cae40d997db06a8ec8f5b02b92648fc7c9ebd8d75135e4fa4b804e33ec48db919400003113082030d30820276a003020102020900d603ee3f96fc604d300d06092a864886f70d01010505003063310b3009060355040613025541311330110603 EAP-Message = 0x550408130a5a61706f726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953311630140603550403130d41646d696e6973747261746f72301e170d3038313030313037343330345a170d3130313030313037343330345a3063310b3009060355040613025541311330110603550408130a5a61706f726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953311630140603550403130d41646d696e6973747261746f7230819f300d06092a864886f70d010101050003818d00308189028181009b2e0773ff8310e98addfa EAP-Message = 0xb3458c421c935ca651f8f7ca3899d6506d065de4f53f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x475d38bc73179456ecabe627f4c349ab Finished request 1 Going to the next request --- Walking the entire request list --- Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.0.1.2:5007, id=156, length=225 User-Name = "host/cit44" EAP-Message = 0x020400060d00 Message-Authenticator = 0x74221ef1383128241e231013179f3213 NAS-IP-Address = 10.0.1.2 NAS-Identifier = "001ac1d4ee42" NAS-Port = 117604353 NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0013-7737-714e" State = 0x475d38bc73179456ecabe627f4c349ab Vendor-25506-Attr-26 = 0x0000001e Vendor-25506-Attr-255 = 0x353530302d4549 Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465 Vendor-25506-Attr-59 = 0x38e68c68 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 2 rlm_eap: EAP packet type response id 4 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 152 users: Matched entry host/cit44 at line 235 modcall[authorize]: module "files" returns ok for request 2 modcall: leaving group authorize (returns updated) for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: leaving group authenticate (returns handled) for request 2 Sending Access-Challenge of id 156 to 10.0.1.2 port 5007 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0x010502450d800000063b4837ac2b653e806f55c44239a6b0fb8de79a837bfe337e34804ee812673f27d00c28fb9735b2e7833b7a4211be3fbb997b2010c63c845b310be1ffd7226f4e9a7a238604f59873c29b47eb3a94fc3255baf8e09bc4580e685d6cef61016acd0203010001a381c83081c5301d0603551d0e041604144883dff930ad8def715cc306a93b716ed1dfa2f03081950603551d2304818d30818a80144883dff930ad8def715cc306a93b716ed1dfa2f0a167a4653063310b3009060355040613025541311330110603550408130a5a61706f726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c30 EAP-Message = 0x0a060355040b13034d4953311630140603550403130d41646d696e6973747261746f72820900d603ee3f96fc604d300c0603551d13040530030101ff300d06092a864886f70d010105050003818100798409d24a31663705ea77a113da2d5283a687cc78561854f7205ff9e565cb2cbd7a133b1361b3bd93f58a0ac03872ca5fefccd451b7e1c7a5827ebe061ec2259436b5c3006895e8c49b356052161f6d3e4b9f7001397ca581bae2b178fc0da21f774a85f1290f71b82ee10bf23604613a0d354556ebf6d1937267a94f3a96ac16030100740d00006c020102006700653063310b3009060355040613025541311330110603550408130a5a61706f EAP-Message = 0x726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953311630140603550403130d41646d696e6973747261746f720e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x83c05bad6798917fd36b49f983ccfcb8 Finished request 2 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.0.1.2:5007, id=157, length=1172 User-Name = "host/cit44" EAP-Message = 0x020503b30d80000003a916030103690b0002590002560002533082024f308201b8a003020102020105300d06092a864886f70d01010505003063310b3009060355040613025541311330110603550408130a5a61706f726f7a736845310b3009060355040713025a50310c300a060355040a13035a415a310c300a060355040b13034d4953311630140603550403130d41646d696e6973747261746f72301e170d3038313030383131303833375a170d3039313030383131303833375a305f310b300906035504061302554131123010060355040813094265726b73686972653110300e060355040713074e657762757279310c300a060355040a1303 EAP-Message = 0x7a617a310c300a060355040b13036d6973310e300c06035504031305636974343430819f300d06092a864886f70d010101050003818d0030818902818100b82b614adec29d80e4316eba19ee74db1f2ac3e542f25f193b28af28166a9c4e49321fce20195e01a1fe85977b0e86fa7836226953fff50f42d62d83d16555a0c7b48ab36a2c46edf58c9a1f4427e4a41c3e5e4f6d98cec0626fd0d6e16812ab9e469dd7000e738f037ab7f4c95c74eb627c1cf7adc4d7d42fb3e685ad5783e10203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010105050003818100610a54b441c6152b00fb776a8833 EAP-Message = 0xfa33aacc278fc6b1f419aecf639a3459edc7450b12285ce1e75053100b955f3012b3f88c7934e0a6016c9c28145b08e0aafb3f581913ee2f24c9c114d470adc9bf591b84e1b9e2d7f1ab04120536145683843cc767aa0589358dec9230469924abe314fa034e47527778eae154b4bdc0fe521000008200800802c992280a9400196f4f6462e392dbb711a5a55d31704ca9492cf35befc97df7d31a9a05de4a01a8c8865125e451412fdabae12a0e94b745535cbb3426f0bbb42961cac7f8952e1a0e847ec175bbfea2f55a419d351a8892cf8290f489df15c478389a1cebcd6a59701fb9fd847a55df834ecf3ed7fdca679becd740db41e60f00008200 EAP-Message = 0x809ff27f75ca3b3daee7c93342cb9535179e2412c5eb27364503da2cc3162abd6ee34e6a6c89c20323c7ed38a52ecb0ec9b48f90078df77a5079b39ac46395bb31fe846f7ad584da3d3cf9d1959e4d70ed4ecbffbcbb22d68f5bb8915fe16de9b2f7899a3d96053f77e586b586af49fab7a378a582f030b3716d5ddcaff33c5ecc14030100010116030100301a884c8358de9a72b0cb658bfe1ffce51786d194e5e2161065e41f350d1fcb6db0f5dcb0e3205984d70521571606f823 Message-Authenticator = 0x0b3ffd5fd267d3e7de9d0ea79faf6edb NAS-IP-Address = 10.0.1.2 NAS-Identifier = "001ac1d4ee42" NAS-Port = 117604353 NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0013-7737-714e" State = 0x83c05bad6798917fd36b49f983ccfcb8 Vendor-25506-Attr-26 = 0x0000001e Vendor-25506-Attr-255 = 0x353530302d4549 Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465 Vendor-25506-Attr-59 = 0x38e68c68 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 3 rlm_eap: EAP packet type response id 5 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 152 users: Matched entry host/cit44 at line 235 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 025d], Certificate chain-depth=1, error=0 --> User-Name = host/cit44 --> BUF-Name = Administrator --> subject = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator --> issuer = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator --> verify return:1 radius_xlat: 'host/cit44' rlm_eap_tls: checking certificate CN (cit44) with xlat'ed value (host/cit44) rlm_eap_tls: Certificate CN (cit44) does not match specified value (host/cit44)! chain-depth=0, error=0 --> User-Name = host/cit44 --> BUF-Name = cit44 --> subject = /C=UA/ST=Berkshire/L=Newbury/O=zaz/OU=mis/CN=cit44 --> issuer = /C=UA/ST=ZaporozshE/L=ZP/O=ZAZ/OU=MIS/CN=Administrator --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal certificate_unknown TLS Alert write:fatal:certificate unknown TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 157 to 10.0.1.2 port 5007 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "2" EAP-Message = 0x010600110d80000000071503010002022e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x6422c1f11b093d41a5e6dd774b5b1cc8 Finished request 3 Going to the next request Waking up in 5 seconds... rad_recv: Access-Request packet from host 10.0.1.2:5007, id=158, length=225 User-Name = "host/cit44" EAP-Message = 0x020600060d00 Message-Authenticator = 0x6405c8b36bf1e85aa28b4856efba37d7 NAS-IP-Address = 10.0.1.2 NAS-Identifier = "001ac1d4ee42" NAS-Port = 117604353 NAS-Port-Id = "unit=7;subslot=0;port=40;vlanid=1" NAS-Port-Type = Ethernet Service-Type = Framed-User Framed-Protocol = PPP Calling-Station-Id = "0013-7737-714e" State = 0x6422c1f11b093d41a5e6dd774b5b1cc8 Vendor-25506-Attr-26 = 0x0000001e Vendor-25506-Attr-255 = 0x353530302d4549 Vendor-25506-Attr-60 = 0x302e302e302e302030303a31333a37373a33373a37313a3465 Vendor-25506-Attr-59 = 0x38e68c68 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '\' in User-Name = "host/cit44", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "ntdomain" returns noop for request 4 rlm_eap: EAP packet type response id 6 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry DEFAULT at line 152 users: Matched entry host/cit44 at line 235 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 4 modcall: leaving group authenticate (returns invalid) for request 4 auth: Failed to validate the user. Login incorrect: [host/cit44/<no User-Password attribute>] (from client 10.0.1.2 port 117604353 cli 0013-7737-714e) Delaying request 4 for 1 seconds Finished request 4