Hi! I know that it's an old version but anyway I hope someone can help me. The problem is with EAP-TLS and the freeradius upgrade von RHEL6 from 2.2.6 freeradius-2.1.12-6.el6.x86_64 to freeradius-2.2.6-4.el6.x86_64 last fall. The same configuration works on a freeradius 2.1.12 (and 2.2.0, but not 2.2.1 we compiled for testing). The error happens at the first packet, there is no TLS stuff. It looks like this on the 2.1.12. rad_recv: Access-Request packet from host 10.12.138.222 port 59774, id=0, length=165 User-Name = "DVT-DVT0060.tirol.local" Calling-Station-Id = "5C-26-0A-6E-84-2E" Framed-MTU = 1400 NAS-Port-Type = Ethernet NAS-Port-Id = "2:22" NAS-Port = 1022 NAS-IP-Address = 10.12.138.222 Connect-Info = "CONNECT 1000Mbs" Service-Type = Login-User EAP-Message = 0x0200001c014456542d445654303036302e7469726f6c2e6c6f63616c Message-Authenticator = 0xca7712ac53f23d4f869fc36646c0b841 ... ++? if (!EAP-Message) -> FALSE ++- entering else else {...} [eap] EAP packet type response id 0 length 28 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] returns updated ++- else else returns updated Found Auth-Type = EAP # Executing group from file /etc/raddb-fallback//sites-enabled/default +- entering group EAP {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled ++? if (invalid) .... Sending Access-Challenge of id 0 to 10.12.138.222 port 59774 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe5ec0911e5ed0403ee357f922ace544a Finished request 0. ..... On 2.2.6 I looks like this: rad_recv: Access-Request packet from host 127.0.0.1 port 33977, id=0, length=175 User-Name = "host/DVT-3N14N4J.tirol.local" Calling-Station-Id = "00-24-E8-3A-FA-66" Framed-MTU = 1400 NAS-Port-Type = Ethernet NAS-Port-Id = "2:22" NAS-Port = 1022 NAS-IP-Address = 127.0.0.1 Connect-Info = "CONNECT 1000Mbs" Service-Type = Login-User EAP-Message = 0x0200002101686f73742f4456542d334e31344e344a2e7469726f6c2e6c6f63616c Message-Authenticator = 0x904a22572d739d5a070b01dc941d1daa ++? if (!EAP-Message) -> FALSE ++else else { [eap] EAP packet type response id 0 length 33 [eap] No EAP Start, assuming it's an on-going EAP conversation +++[eap] = updated ++} # else else = updated +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb//sites-enabled/default +group EAP { [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] = handled ++? if (ok) ? Evaluating (ok) -> FALSE ++? if (ok) -> FALSE ++else else { +++? if (EAP-Type == "NAK") ? Evaluating (EAP-Type == "NAK") -> FALSE +++? if (EAP-Type == "NAK") -> FALSE +++else else { ++++update control { ++++} # update control = noop +++} # else else = noop ++} # else else = noop ++? if (handled && (Response-Packet-Type == Access-Challenge)) ? Evaluating (handled ) -> FALSE ?? Skipping (Response-Packet-Type == Access-Challenge) ++? if (handled && (Response-Packet-Type == Access-Challenge)) -> FALSE +} # group EAP = noop Failed to authenticate the user. Login incorrect: [host/DVT-3N14N4J.tirol.local/<via Auth-Type = EAP>] (from client macau03_local port 1022 cli 0024e83afa66) Using Post-Auth-Type REJECT ..... Sending delayed reject for request 0 Sending Access-Reject of id 0 to 127.0.0.1 port 33977 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca5a2b60ca5b268f8efac2a79a6aa6aa We did check at which version the problem got introduced and found that 2.2.0 worked 2.2.1 did not anymore. The relevant config looks this way authenticate { ..... Auth-Type EAP { eap { handled = 1 invalid = 1 } if (ok) { if ("%{TLS-Client-Cert-Subject}" !~ /\/CN=%{sql:SELECT subject8021x FROM tdevices WHERE mac = '%{Calling-Station-Id}'}/i) { update control { MACAU-Reason := "Cert-Subject <%{TLS-Client-Cert-Subject}> entspricht nicht dem Hinterlegten --> Remediation Netz" } handled } # hat das EAP worked, need to overright the vlan, depending on the switch type elsif ("%{reply:Tunnel-Private-Group-ID}") { update reply { Tunnel-Private-Group-ID := "%{sql:SELECT ..... " } } elsif ("%{reply:Extreme-Netlogin-Extended-Vlan}") { update reply { Extreme-Netlogin-Extended-Vlan := "%{sql:SELECT ....." } } elsif ("%{reply:Xylan-Auth-Group}") { update reply { Xylan-Auth-Group := "%{sql:SELECT ...." } } # store that 802.1x worked update control { MACAU-Reason := "802.1x <%{TLS-Client-Cert-Subject}> authentifiziert" } # Delete Entries the switches don't like # <Warn:AAA.RADIUS.vsaUnknownVend> radDecodeVsa :Unknown vendor 311 16 # <Warn:AAA.RADIUS.vsaUnknownVend> radDecodeVsa :Unknown vendor 311 17 update reply { MS-MPPE-Recv-Key !* ANY MS-MPPE-Send-Key !* ANY } } else { # EAP did not work if (EAP-Type == "NAK") { update control { MACAU-Reason := "Nicht unterstuetzter EAP Typ --> Client Fehlkonfiguration" } } else { update control { MACAU-Reason := "Zertifikat ungueltig (z.b. revoked/abgelaufen)" } } } We also found out that just putting "eap" without {} and Auth-Type EAP just before that code block works - but then the rest of the code is not executed. Where should I put the set/update of the attributes in the newer versions of freeradius? Regards, Robert