Are there any secrets to getting Win 8.1 client to connect with TTLS and PAP? I have done all of the custom settings in the network config but the server is just ignoring those settings and choosing to try TLS with certs even though I have TTLS selected client side. As of 8.1 is this supposed to work natively inside the OS? Are there any tips to getting it to work? My Mac clients connect fine with a profile created and pushed. Thanks, Alex P.S. Just in case here is the output - BTW the URL in the error at the bottom is: http://wiki.freeradius.org/Certificate_Compatibility (which forwards to http://wiki.freeradius.org/create/Certificate_Compatibility and needs to authenticate) should this be: http://wiki.freeradius.org/guide/Certificate-Compatibility ? root@openldap ~# freeradius -X FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Dec 16 2012 at 13:28:43 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/default including configuration file /etc/freeradius/sites-enabled/inner-tunnel main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 require_message_authenticator = yes zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client 0.0.0.0/0 { require_message_authenticator = no secret = "supersecretsecret" nastype = "other" } client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "supersecretsecret" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/exp iration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logi ntime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/pre process preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Linked to module rlm_ldap Module: Instantiating module "ldap" from file /etc/freeradius/modules/ldap ldap { server = "localhost" port = 389 password = "supersecretpassword" identity = "cn=admin,dc=team,dc=company,dc=com" net_timeout = 1 timeout = 4 timelimit = 3 tls_mode = no start_tls = no tls_require_cert = "allow" tls { start_tls = no require_cert = "allow" } basedn = "ou=Users,dc=team,dc=company,dc=com" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" base_filter = "(objectclass=radiusprofile)" auto_header = no access_attr_used_for_allow = yes groupname_attribute = "cn" groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-U serDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" dictionary_mapping = "/etc/freeradius/ldap.attrmap" ldap_debug = 0 ldap_connections_number = 5 compare_check_items = no do_xlat = yes edir_account_policy_check = no set_auth_type = yes keepalive { idle = 60 probes = 3 interval = 3 } } rlm_ldap: Registering ldap_groupcmp for Ldap-Group rlm_ldap: Registering ldap_xlat with xlat_name ldap rlm_ldap: Over-riding set_auth_type, as there is no module ldap listed in the "a uthenticate" section. rlm_ldap: reading ldap<->radius mappings from file /etc/freeradius/ldap.attrmap rlm_ldap: LDAP radiusCheckItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusReplyItem mapped to RADIUS $GENERIC$ rlm_ldap: LDAP radiusAuthType mapped to RADIUS Auth-Type rlm_ldap: LDAP radiusSimultaneousUse mapped to RADIUS Simultaneous-Use rlm_ldap: LDAP radiusCalledStationId mapped to RADIUS Called-Station-Id rlm_ldap: LDAP radiusCallingStationId mapped to RADIUS Calling-Station-Id rlm_ldap: LDAP lmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP ntPassword mapped to RADIUS NT-Password rlm_ldap: LDAP sambaLmPassword mapped to RADIUS LM-Password rlm_ldap: LDAP sambaNtPassword mapped to RADIUS NT-Password rlm_ldap: LDAP dBCSPwd mapped to RADIUS LM-Password rlm_ldap: LDAP userPassword mapped to RADIUS Password-With-Header rlm_ldap: LDAP acctFlags mapped to RADIUS SMB-Account-CTRL-TEXT rlm_ldap: LDAP radiusExpiration mapped to RADIUS Expiration rlm_ldap: LDAP radiusNASIpAddress mapped to RADIUS NAS-IP-Address rlm_ldap: LDAP radiusServiceType mapped to RADIUS Service-Type rlm_ldap: LDAP radiusFramedProtocol mapped to RADIUS Framed-Protocol rlm_ldap: LDAP radiusFramedIPAddress mapped to RADIUS Framed-IP-Address rlm_ldap: LDAP radiusFramedIPNetmask mapped to RADIUS Framed-IP-Netmask rlm_ldap: LDAP radiusFramedRoute mapped to RADIUS Framed-Route rlm_ldap: LDAP radiusFramedRouting mapped to RADIUS Framed-Routing rlm_ldap: LDAP radiusFilterId mapped to RADIUS Filter-Id rlm_ldap: LDAP radiusFramedMTU mapped to RADIUS Framed-MTU rlm_ldap: LDAP radiusFramedCompression mapped to RADIUS Framed-Compression rlm_ldap: LDAP radiusLoginIPHost mapped to RADIUS Login-IP-Host rlm_ldap: LDAP radiusLoginService mapped to RADIUS Login-Service rlm_ldap: LDAP radiusLoginTCPPort mapped to RADIUS Login-TCP-Port rlm_ldap: LDAP radiusCallbackNumber mapped to RADIUS Callback-Number rlm_ldap: LDAP radiusCallbackId mapped to RADIUS Callback-Id rlm_ldap: LDAP radiusFramedIPXNetwork mapped to RADIUS Framed-IPX-Network rlm_ldap: LDAP radiusClass mapped to RADIUS Class rlm_ldap: LDAP radiusSessionTimeout mapped to RADIUS Session-Timeout rlm_ldap: LDAP radiusIdleTimeout mapped to RADIUS Idle-Timeout rlm_ldap: LDAP radiusTerminationAction mapped to RADIUS Termination-Action rlm_ldap: LDAP radiusLoginLATService mapped to RADIUS Login-LAT-Service rlm_ldap: LDAP radiusLoginLATNode mapped to RADIUS Login-LAT-Node rlm_ldap: LDAP radiusLoginLATGroup mapped to RADIUS Login-LAT-Group rlm_ldap: LDAP radiusFramedAppleTalkLink mapped to RADIUS Framed-AppleTalk-Link rlm_ldap: LDAP radiusFramedAppleTalkNetwork mapped to RADIUS Framed-AppleTalk-Ne twork rlm_ldap: LDAP radiusFramedAppleTalkZone mapped to RADIUS Framed-AppleTalk-Zone rlm_ldap: LDAP radiusPortLimit mapped to RADIUS Port-Limit rlm_ldap: LDAP radiusLoginLATPort mapped to RADIUS Login-LAT-Port rlm_ldap: LDAP radiusReplyMessage mapped to RADIUS Reply-Message rlm_ldap: LDAP radiusTunnelType mapped to RADIUS Tunnel-Type rlm_ldap: LDAP radiusTunnelMediumType mapped to RADIUS Tunnel-Medium-Type rlm_ldap: LDAP radiusTunnelPrivateGroupId mapped to RADIUS Tunnel-Private-Group- Id conns: 0x1585070 Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/ac ct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NA S-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{ Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutm p radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/f reeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freerad ius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 40922 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=238, len gth=215 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0202000c016a6f6575736572 Message-Authenticator = 0xc497ede93a97c9c7ca14600aa7a34cb5 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 12 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [ldap] performing user authorization for joeuser [ldap] expand: %{Stripped-User-Name} -> [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> joeuser [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=joeuser) [ldap] expand: ou=Users,dc=team,dc=company,dc=com -> ou=Users,dc=team,dc=company, dc=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to localhost:389, authentication 0 [ldap] bind as cn=admin,dc=team,dc=company,dc=com/653776d05374 to localhost:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in ou=Users,dc=team,dc=company,dc=com, with filter (ui d=joeuser) [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] userPassword -> Password-With-Header == "{MD5}X03MO1qnZdYdgyfeuILPmQ==" [ldap] looking for reply items in directory... [ldap] user joeuser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 238 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed6525f7ed663089b8218754dbe49259 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=239, len gth=330 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0203006d158000000063160301005e0100005a030153ecfe8c41fb05 d4be0db49380ac2117339a05970e400027fc9e188f772b01ac000018c014c0130035002fc00ac009 00380032000a00130005000401000019ff01000100000a0006000400170018000b00020100002300 00 State = 0xed6525f7ed663089b8218754dbe49259 Message-Authenticator = 0xe7b0a3ce6ee4d2a08b64284b15610fd3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 109 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 99 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 005e], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 02c4], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 239 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0104040015c000000460160301003902000035030153ecfe8b473327 ed0607aed0ec6cec3726d01ac8da0842fbcdb3fd8a5cbc272300c01400000dff01000100000b0004 0300010216030102c40b0002c00002bd0002ba308202b63082019ea003020102020900b507e23193 5d6b3f300d06092a864886f70d010105050030133111300f060355040313086f70656e6c64617030 1e170d3134303830373232333035385a170d3234303830343232333035385a30133111300f060355 040313086f70656e6c64617030820122300d06092a864886f70d01010105000382010f003082010a 0282010100bae7e24798efa862ea1659a17ac74864a297d09a EAP-Message = 0x249d8e467e1a40a3fc4fdcf36e73ac43cc11e5df4978020ae6af6c12 d0a98f7c90d0352eae9c5b9c8364cffe115b833c52bfbcb43c292c303ee0f8cca82a3732ed53bcdb a3905a9f030c9bf242e7482f28c0a30e5210afbf064e6129cef1358e30942581621b927da448fcea 0fcca181c7ea6ac7385946513bd092e7ccf41df13f7a4f498533947d1f0451659c20977cfddeb5ff adef948b8f876a1bbba0f2a574e05daf8fe696a828973f21674abc246ca73279dcd5fe1720f1140b 3f351427fc5be4a4158fb31d2b46643e0bbef9297b892cea88babfcb26e53bcc981bec71b84d0fb2 1760176f5d12adc90203010001a30d300b30090603551d1304 EAP-Message = 0x023000300d06092a864886f70d010105050003820101009a35e4dddb 99265dfbe96dbd2dd5efcec97ebbb6111d42b313a0d7b6f29a4a4cc378c154afc028a986a118ddf1 e611aa3fda9ed59c9f745663fcfd2655891584047b99042c2f7d3757ff92e86d008a55dac7e1e2a8 f7e67711fec590812461e9de753eacf30285e44c3c7ecc31671d4ccbfdc6de65536e8b780cbf05ca 5e0442748ccc7356f315baac1cc9bb528198bba1526d18213171b26e3676162be28056600762ed21 df47ca64f29fb8b9853b8e84731708c7e7c5b0862c3d61aa07b37b89eb915e0fb7f5867a9eb93465 74bfc112aa4ea45ae9bae8fdf44b9cedbd3ba5082046a7de23 EAP-Message = 0xc8fefa2502dad1e8da8bf54443bc2b061a301dd93689ce6867d91603 01014b0c0001470300174104f70fc638876015314276bcccdabe2440aad56a3917572ed7a87f0ba4 c26f5351c6d0a46f43b1f83dc2b5f7ae786ec0c7a334dac6db2de6dd502a3f7a0f0b7284010056e3 7efc9925fbb9aa1151fabeb552c39dd8d874facd2371c9732c85d7b0acf8d655082daaaf20e401af a2103f7000ca74f791a31dd8f59a44ad57b08cf2e9d0d351e378d148a4b581f4a1abd3ec78bec92a 8d3bb1431a932a45b757e3e0b0c1ad7c17745e3595cf2fab67df52f256060228ced8e8a6409d58aa c91a8e8c4ad4b7db8c8c45ea9457fd36ae010cbc89e780d7f6 EAP-Message = 0xbacd4f2fa71734998aea28f3 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed6525f7ec613089b8218754dbe49259 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=240, len gth=227 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020400061500 State = 0xed6525f7ec613089b8218754dbe49259 Message-Authenticator = 0xf111afd88c78687ff4aa2eef1f17a0d1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 240 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0105007415800000046006a4ad2d954ab98d347d80ffe5e4296b00b8 06a0a46e2983f027daa7afe8737a814be4e3c2f7bfb6e843bf83511520b211abf8b0f9ed67ca009f 43704d492682c5f871c77485c4032e8e5f5ad8dafde1cfc2700cccf1b4c32df117b96b0e530db316 030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed6525f7ef603089b8218754dbe49259 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx port 32768, id=241, len gth=365 User-Name = "joeuser" Chargeable-User-Identity = "" Location-Capable = Civix-Location Calling-Station-Id = "78-31-c1-be-89-a8" Called-Station-Id = "d4-a0-2a-15-7f-00:C2_Test" NAS-Port = 4 Cisco-AVPair = "audit-session-id=0a210082000007c753ecfe82" NAS-IP-Address = 10.33.0.130 NAS-Identifier = "inWebo" Airespace-Wlan-Id = 6 Service-Type = Framed-User Framed-MTU = 1300 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020500901580000000861603010046100000424104f036a69ecb1ba1 3c2f4819fdc2d56f1b71d50a96f86eea7fa05ffe8beaea8254033a11d7d6a0116adb797210ceccb0 81aa171f75ed257305ddedc502bd164c6e1403010001011603010030cf4dbf96b0aa2afb8a7ab99b ba1c049a38c2a0ef029bbadce9e2fea5becece66b318dd62d481e5216f1b2b0d8e5b5cf0 State = 0xed6525f7ef603089b8218754dbe49259 Message-Authenticator = 0x49bfce06950321a5dd2ca7c61e2bcb9f # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "joeuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 144 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS TLS Length 134 [ttls] Length Included [ttls] eaptls_verify returned 11 [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 241 to xxx.xxx.xxx.xxx port 32768 EAP-Message = 0x0106004515800000003b1403010001011603010030f3cf5808ab3431 98558fd70b33f85ba4c376b3c43fc8aad4f22e4addea3814a164b0813d022c503300c184a18a58ac 78 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xed6525f7ee633089b8218754dbe49259 Finished request 3. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 238 with timestamp +87 Cleaning up request 1 ID 239 with timestamp +87 Cleaning up request 2 ID 240 with timestamp +87 Cleaning up request 3 ID 241 with timestamp +87 WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xed6525f7ee633089 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! Ready to process requests.