Hi Alan Yes that's weird and don't know why just a simple time zone can affect to the certificate. Here you have the two debugs: Expired [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '10.100.11.81' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '10.100.11.81' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/ttls [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 202 to 10.100.1.18 port 50492 EAP-Message = 0x011200061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x06a8d9e807bacc965d85a6032acd597f Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=203, length=255 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-0000006C" Framed-MTU = 1400 EAP-Message = 0x021200441500160301003901000035030155a79b6169c471ec71a098f7673cd2fa1254527de63189cc55cdb5236f704a7800000e003d0035003c002f000a000500040100 State = 0x06a8d9e807bacc965d85a6032acd597f Message-Authenticator = 0xe818618d26d54bb94efe9e014eb6b9b9 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 18 length 68 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0039], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 083d], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 203 to 10.100.1.18 port 50492 EAP-Message = 0x0113040015c00000087a160301002a02000026030155ce464af5f071a1315cf45274adc781bc53c7ca7ac534f4ef347c4c204f620300003500160301083d0b00083900083600039b308203973082027fa003020102020102300d06092a864886f70d010105050030818b310b30090603550406130245533110300e060355040813074772616e6164613110300e060355040713074772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f72613020170d30323037 EAP-Message = 0x33303134343830345a180f32323736303531333134343830345a3077310b30090603550406130245533110300e060355040813074772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06035504031315656e746964616420636572746966696361646f7261311e301c06092a864886f70d010901160f696e666f40617570616e65742e657330820122300d06092a864886f70d01010105000382010f003082010a0282010100d316ef667d1ae9cd661a9e0c38a787741098e99f4e33fc8c6aff78b87df830167b70c5329b443987e96fd4c43ef077b4b5935092e08f5322654fec11fb8f17f7cc2b2231178868578c EAP-Message = 0x00f71015b7588f1a232d1c2923e5d6ed62255d8900ff8fdf4f3a6eff0b937ec924ce21ebdf6c26f6b4d2f28e98f3cf2639825ea539ec73bc9258d94738f8e20c4548ba953cb0ca9789e537a0bb6a5d1a7dfb950abf9733e07f751c5fb1d5a458585d4aac2dc9d5d75c284a71d23555e6a04d1f5e5a232979bd08a7dba2f780196e97b014334b9df9cad8dbe81b1dd068a2133f401e9ebb4c50559c9bdc8877dca8eeb5ec8c94672b5556c07675ece2087c7d9cd5935d0b0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101050500038201010028f3291c4aabfa07cf5eeaf83c107173f873cfb0 EAP-Message = 0x6dad4d92578a3ccf39b0b99ee31fbf2e292895a3bb462251aede7719827b5ae8d384e927a1fac3d45d6973df6fcf6b6aa747d496e4d13f0d405194d3b92bed70ab17f6f5c1dc06c4d37545557d4a78a0def874b04444518ee3d25827e6b63cd5e8239e67fac6054a770e366257273bc8794d3fe2690bc368907a0f1662766aecab2e19475379d266bf12713ca35b59b8624baf2a9cf46e930e0d65aef336ddaa11843bbeebafb5ebe97afd7425189544a98fbd24a94c963107d5a6dc54e86288bcfd3ca25ef4da3eee3b82db961bb13b0fe26564d4522204a695fda3691e82a6e3cf7a0095686244965be27d0004953082049130820379a00302010202 EAP-Message = 0x0900e33004b87e4e891f300d Message-Authenticator = 0x00000000000000000000000000000000 State = 0x06a8d9e804bbcc965d85a6032acd597f Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=204, length=193 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-0000006C" Framed-MTU = 1400 EAP-Message = 0x021300061500 State = 0x06a8d9e804bbcc965d85a6032acd597f Message-Authenticator = 0xf9add50bf881a2ee0364cde5115f1046 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 19 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 204 to 10.100.1.18 port 50492 EAP-Message = 0x0114040015c00000087a06092a864886f70d010105050030818b310b30090603550406130245533110300e060355040813074772616e6164613110300e060355040713074772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f72613020170d3032303733303134343830345a180f32323736303531333134343830345a30818b310b30090603550406130245533110300e060355040813074772616e6164613110300e060355040713074772616e6164613116 EAP-Message = 0x3014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f726130820122300d06092a864886f70d01010105000382010f003082010a0282010100a4e89b6a03a0cc4fd44dcd40a15a288d71c3c61c46accde28f14133ebb526cb053f13f2bdd98f87abb212ca20b214fa688886057eae2aa54c05d9cb0ddd7f470405f276cfc73be1f47c669db16fd441117e4db36d95233623b933b4b30d68617aa9cf2591ca17d9b047bc35319da76bd23bfbd8ff97259e4be26b5b0b724ad95c37eaa39 EAP-Message = 0x4bcf50141152f78f986c609c845ba927b1a3a73f399493dcd933e6e29ceb8cea1002b80af40fb81f9edcca23abc5e64106873048c6dbaaacb1cc64364bff8f3c8a8c8b402eb46cf9a431ee948e3d1ebbe1bd38aae3b863a91448134f92007a2fccc201e06be864f8401394cd967fc49cbff9a9b0ef38bf5d41d905430203010001a381f33081f0301d0603551d0e04160414137ae40b3936ddbfaa7a0d967801671fc9c66d0e3081c00603551d230481b83081b58014137ae40b3936ddbfaa7a0d967801671fc9c66d0ea18191a4818e30818b310b30090603550406130245533110300e060355040813074772616e6164613110300e06035504071307 EAP-Message = 0x4772616e61646131163014060355040a130d41757061204e6574776f726b73311e301c06092a864886f70d010901160f696e666f40617570616e65742e65733120301e060355040313176175746f726964616420636572746966696361646f7261820900e33004b87e4e891f300c0603551d13040530030101ff300d06092a864886f70d010105050003820101009f2e655078c5c1804b12cd89d927ae63ea1188876f741a756736d3c8f1fa056a63617e2e112c74babba9b0589c20da0ae50fd9b4602c9a0c37139c220a24aedf157014ce86fa51815a49074a0524299ab25b072448b63c6faafce4691f6fd7d2b1baf40e0525dad1db773eb0a4827c EAP-Message = 0xbde906fae653821f96a80e3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0x06a8d9e805bccc965d85a6032acd597f Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=205, length=193 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-0000006C" Framed-MTU = 1400 EAP-Message = 0x021400061500 State = 0x06a8d9e805bccc965d85a6032acd597f Message-Authenticator = 0x60799f3cc519c6519bf60c4092e5e0e1 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 20 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 205 to 10.100.1.18 port 50492 EAP-Message = 0x0115009815800000087af625b5685c93bcd9a0b9551b1248e20167add84cfcce79d65e6abbd09ea6e6ee6ae3131c8e543e9fbf82dbab7a9ae69b82961d775ad61f73920bcec8784acabedb6f1565b9a6b8804244d93866309afd20d09e27d4a582cf7c44825874f8ffb7093a03cdad63143b191786ed51ddb14c566ed709f730c4a858ec2c176784f5f4e1d0d42f0316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x06a8d9e802bdcc965d85a6032acd597f Finished request 5. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=206, length=200 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-0000006C" Framed-MTU = 1400 EAP-Message = 0x0215000d15001503010002022d State = 0x06a8d9e802bdcc965d85a6032acd597f Message-Authenticator = 0x9fae65c5ac8df0c52b0ac9784973bb44 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 21 length 13 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Alert [length 0002], fatal certificate_expired TLS Alert read:fatal:certificate expired TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [ttls] eaptls_process returned 4 [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> 10.100.11.81 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 6 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 6 Sending Access-Reject of id 206 to 10.100.1.18 port 50492 EAP-Message = 0x04150004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 1 ID 201 with timestamp +89 Cleaning up request 2 ID 202 with timestamp +89 Cleaning up request 3 ID 203 with timestamp +89 Cleaning up request 4 ID 204 with timestamp +89 Cleaning up request 5 ID 205 with timestamp +89 Waking up in 1.0 seconds. Cleaning up request 6 ID 206 with timestamp +89 Ready to process requests. Correct connection Bien EAP-Message = 0xbde906fae653821f96a80e3e Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebe5d19ce8e3c4cca364a660c76c86a2 Finished request 33. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=156, length=193 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-00000064" Framed-MTU = 1400 EAP-Message = 0x020600061500 State = 0xebe5d19ce8e3c4cca364a660c76c86a2 Message-Authenticator = 0x6359348b2a80a686d9524bf5950f44ea # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 6 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 156 to 10.100.1.18 port 50492 EAP-Message = 0x0107009815800000087af625b5685c93bcd9a0b9551b1248e20167add84cfcce79d65e6abbd09ea6e6ee6ae3131c8e543e9fbf82dbab7a9ae69b82961d775ad61f73920bcec8784acabedb6f1565b9a6b8804244d93866309afd20d09e27d4a582cf7c44825874f8ffb7093a03cdad63143b191786ed51ddb14c566ed709f730c4a858ec2c176784f5f4e1d0d42f0316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebe5d19cefe2c4cca364a660c76c86a2 Finished request 34. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=157, length=521 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-00000064" Framed-MTU = 1400 EAP-Message = 0x0207014c15001603010106100001020100943a50c744ac2b36871c1bd3c9b8786d5f76d52b6e720f638b04c649561cd9209da4eb941b7bd3413c757dc82acac47defa1d22edfa7d19b4608a91d6060eab0be79cac08220eeb72a9914fb661fde8783125ac6d1f2af2da37eb25f7b6472a063c237905c4a046cf0847ba38c2b83b34d240e27390e8e484149f48cc845b3dbb3206df4584734fe76bb07d5757c7bb1c0a91211ba1aadfb89787fee9a891f1c46d85bba02b72ee0d8c477e3d9c775e93e357e02680f1c3542041eeea52fa0b046e477c9183269783810ec21ba2ac7a83c2127cf938a919407e715026c28277c7126c65e14fac8379c0ff93c EAP-Message = 0xef619cc496d3c2e173b7b6a67fc28e0c3a049fe71403010001011603010030ca40d3e0ef7779e9689f4d2fa0db480288f416ea459ae4751441d2f900226574c793e40beec08ab9e943c4d957245192 State = 0xebe5d19cefe2c4cca364a660c76c86a2 Message-Authenticator = 0x0fc598e9956ca5cbe8799e0dd85d36d9 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 7 length 253 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 157 to 10.100.1.18 port 50492 EAP-Message = 0x0108004515800000003b1403010001011603010030d583dac826056375700fbac982e9b14c1c1e2e0f477fa316dd2342015d818cc5b3581319bffd65d7024055b0dbc5eb14 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebe5d19ceeedc4cca364a660c76c86a2 Finished request 35. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=158, length=342 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-00000064" Framed-MTU = 1400 EAP-Message = 0x0208009b150017030100906231c104376ca4f931b513c0842a8042f5435c977320c09c7dbc125e076f8e879bd02edd9db2debeac767945957e21548018107c5f880a44f9619234819cb5348198105280c45cf07b3e044deb88249e3a31c56b6123d4055f66cf3ccb0ea01f94e9317cd44b6385644e622116fa633777a955148ba43deaf6975dc45cbe668358ed6d101181319c13df67710c10335c State = 0xebe5d19ceeedc4cca364a660c76c86a2 Message-Authenticator = 0x2e508fa6d71de73c0006015be799c7d1 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 155 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "10.100.11.81" MS-CHAP-Challenge = 0xc6085db271f9f0d6ad2cc83ac3b92c79 MS-CHAP2-Response = 0xb9008fd66ce60ade72bcf005a9a51c64747c00000000000000001febf74cee06df578fedf84bc5ed92fb2638f5d789dbb11d FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "10.100.11.81" MS-CHAP-Challenge = 0xc6085db271f9f0d6ad2cc83ac3b92c79 MS-CHAP2-Response = 0xb9008fd66ce60ade72bcf005a9a51c64747c00000000000000001febf74cee06df578fedf84bc5ed92fb2638f5d789dbb11d FreeRADIUS-Proxied-To = 127.0.0.1 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop [mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap' ++[mschap] = ok [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] No EAP-Message, not doing EAP ++[eap] = noop ++[files] = noop [sql] expand: %{User-Name} -> 10.100.11.81 [sql] sql_set_user escaped user --> '10.100.11.81' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '10.100.11.81' ORDER BY id WARNING: Found User-Password == "...".WARNING: Are you sure you don't mean Cleartext-Password? WARNING: See "man rlm_pap" for more information. [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '10.100.11.81' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '10.100.11.81' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] = ok ++[expiration] = noop ++[logintime] = noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] = noop +} # group authorize = ok Found Auth-Type = MSCHAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group MS-CHAP { [mschap] Creating challenge hash with username: 10.100.11.81 [mschap] Client is using MS-CHAPv2 for 10.100.11.81, we need NT-Password [mschap] adding MS-CHAPv2 MPPE keys ++[mschap] = ok +} # group MS-CHAP = ok WARNING: Empty post-auth section. Using default return values. # Executing section post-auth from file /etc/raddb/sites-enabled/inner-tunnel } # server inner-tunnel [ttls] Got tunneled reply code Access-Accept MS-CHAP2-Success = 0xb9533d30373838383644373042443137303446453536334438333233463541353745444244413643324338 MS-MPPE-Recv-Key = 0xadabbcb4057b776727ce20040d0741a7 MS-MPPE-Send-Key = 0x70dd412b691fdb0b5f102c9113c1a8d7 MS-MPPE-Encryption-Policy = 0x00000001 MS-MPPE-Encryption-Types = 0x00000006 [ttls] Got tunneled Access-Accept [ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge. ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 158 to 10.100.1.18 port 50492 EAP-Message = 0x0109005f158000000055170301005093610acea0f0be93d112d29f7bcf0c255b0082945dec344640bb2137fcaa08e89a04fdfd76d041391584d96d18ead83684ed347138a9e3181f3ac1af26a0e38dd99a36e7a9c37aa5f8d92fb6373af880 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xebe5d19cedecc4cca364a660c76c86a2 Finished request 36. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.100.1.18 port 50492, id=159, length=193 User-Name = "10.100.11.81" NAS-Identifier = "pruebas" Called-Station-Id = "44-D9-E7-24-BA-A4:pruebas" NAS-Port-Type = Wireless-802.11 NAS-Port = 0 Calling-Station-Id = "44-D9-E7-24-BC-A1" Connect-Info = "CONNECT 0Mbps 802.11b" Acct-Session-Id = "55AECF15-00000064" Framed-MTU = 1400 EAP-Message = 0x020900061500 State = 0xebe5d19cedecc4cca364a660c76c86a2 Message-Authenticator = 0x6e0941ab053e33487162905c4a60aa28 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "10.100.11.81", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 9 length 6 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake is finished [ttls] eaptls_verify returned 3 [ttls] eaptls_process returned 3 [ttls] Using saved attributes from the original Access-Accept [eap] Freeing handler ++[eap] = ok +} # group authenticate = ok # Executing section post-auth from file /etc/raddb/sites-enabled/default +group post-auth { ++[exec] = noop +} # group post-auth = noop Sending Access-Accept of id 159 to 10.100.1.18 port 50492 MS-MPPE-Recv-Key = 0x2993c35cf4d962cb0a623d0edefb1774c005a176084985230d659a7573791cd2 MS-MPPE-Send-Key = 0x28ac8a8b487a53ae0caa05f61c731b1c88497438cb476e0b1fcdc2c05847d686 EAP-Message = 0x03090004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "10.100.11.81" Finished request 37. Going to the next request Waking up in 4.4 seconds. Cleaning up request 30 ID 152 with timestamp +360 Cleaning up request 31 ID 153 with timestamp +360 Cleaning up request 32 ID 154 with timestamp +360 Cleaning up request 33 ID 155 with timestamp +360 Cleaning up request 34 ID 156 with timestamp +360 Waking up in 0.2 seconds. Cleaning up request 35 ID 157 with timestamp +361 Cleaning up request 36 ID 158 with timestamp +361 Cleaning up request 37 ID 159 with timestamp +361 Ready to process requests. Regards
El 14/8/2015, a las 11:11, Alan DeKok <aland@deployingradius.com> escribió:
On Aug 13, 2015, at 8:26 AM, Francisco Rodriguez <franrtorres77@gmail.com> wrote: Hi, I have a problem using certificates when for example a device has set the timezone to GMT+1. So if the user has the timezone different than GMT Western Zone does not connect and it launchs a message saying the certificate has expired.
Is there a way to allow devices trying to connect with a different timezone to be able to connect and accept the certicate?
Hmm... that's weird. OpenSSL should take care of converting dates from one time zone to another.
What does the debug output say for a device that works, and one that doesn't work?
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html