Hi I have installed freeradius recently with MySQL and tested with success to authenticate VTY session en cisco routers and switches. However, my configuration with EAP_TLS is not working properly. I use a Cisco AP I create and copy the certificates to a Windows XP SP3 laptop to test if everything is OK, but in "freeradius -X" mode I got a lot of message and none give me the reason of the problem. The AP says authentication failed and the Radius server sends the challenge an wait, and later clean all request an "becomes" ready to process requests. here is a portion of the output of the radius activity Its appears that certificates are accepted, but XP stations continue trying to authenticated THANKS ===================================== rad_recv: Access-Request packet from host 10.10.10.5 port 1645, id=16, length=176 User-Name = "prueba1@mydomain" Framed-MTU = 1400 Called-Station-Id = "a8b1.d422.d432" Calling-Station-Id = "0019.d20c.4ed4" Service-Type = Login-User Message-Authenticator = 0x7c4ac4a412db3b9cfba443de50792eed EAP-Message = 0x0202001b01707275656261314062616e636f706c617a612e636f6d NAS-Port-Type = Wireless-802.11 NAS-Port = 19153 NAS-Port-Id = "19153" NAS-IP-Address = 10.10.10.5 NAS-Identifier = "AP_CISCO" +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "mydomain.com" for User-Name = "prueba1@mydomain" [suffix] No such realm "mydomain" ++[suffix] returns noop [eap] EAP packet type response id 2 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop [sql] expand: %{User-Name} -> prueba1@mydomain [sql] sql_set_user escaped user --> 'prueba1@mydomain' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'prueba1@mydomain' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'prueba1@mydomain' ORDER BY priority [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'TI' ORDER BY id [sql] User found in group TI [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'TI' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 16 to 10.10.10.5 port 1645 EAP-Message = 0x010300061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x765770697654693c62d8b4b34c9394a6 Finished request 0. Going to the next request . . ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 05c7], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0082], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 18 to 10.10.10.5 port 1645 . . . [tls] --> verify return:1 [tls] TLS_accept: SSLv3 read client certificate A [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange [tls] TLS_accept: SSLv3 read client key exchange A [tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify [tls] TLS_accept: SSLv3 read certificate verify A [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [tls] <<< TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 read finished A [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [tls] TLS_accept: SSLv3 write change cipher spec A [tls] >>> TLS 1.0 Handshake [length 0010], Finished [tls] TLS_accept: SSLv3 write finished A [tls] TLS_accept: SSLv3 flush data [tls] (other): SSL negotiation finished successfully SSL Connection Established [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 20 to 10.10.10.5 port 1645 EAP-Message = 0x010700900099090099099999010001011603010020164176d954d98c1d1daf5753815c720f6ef0f6e55dc05b2d682f44342e259e66 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7657706972507d3c62d8b4b34c9394a6 Finished request 4. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 16 with timestamp +7 Cleaning up request 1 ID 17 with timestamp +7 Cleaning up request 2 ID 18 with timestamp +7 Cleaning up request 3 ID 19 with timestamp +7 Cleaning up request 4 ID 20 with timestamp +7 Ready to process requests. ===================================== -- *Esteban Talavera* * *