Unable to complete TLS handshake with iwd client
I am trying to use freeradius with WPA2-EAP. I have android clients working but using IWD it seems to fail with a TLS handshake error. Ready to process requests Threads: total/active/spare threads = 2/0/2 Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 0, (1 handled so far) (0) Received Access-Request Id 0 from 192.168.2.2:44444 to 192.168.2.1:1812 length 117 (0) User-Name = "as" (0) NAS-IP-Address = 192.168.2.2 (0) Called-Station-Id = "b4378330fc3b" (0) Calling-Station-Id = "5a5b3135062e" (0) NAS-Identifier = "b4378330fc3b" (0) NAS-Port = 29 (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x02000007016173 (0) Message-Authenticator = 0x03105277799198b5f2c8e05d953827e8 (0) session-state: No State attribute (0) # Executing section authorize from file /etc/raddb/radiusd.conf (0) authorize { (0) modsingle[authorize]: calling eap (rlm_eap) (0) eap: Peer sent EAP Response (code 2) ID 0 length 7 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) modsingle[authorize]: returned from eap (rlm_eap) (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/radiusd.conf (0) authenticate { (0) modsingle[authenticate]: calling eap (rlm_eap) (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) TLS -Initiating new session (0) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (0) eap_tls: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 1 length 10 (0) eap: EAP session adding &reply:State = 0xdfcd0373dfcc0e53 (0) modsingle[authenticate]: returned from eap (rlm_eap) (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) session-state: Saving cached attributes (0) Framed-MTU = 1014 (0) Sent Access-Challenge Id 0 from 192.168.2.1:1812 to 192.168.2.2:44444 length 68 (0) EAP-Message = 0x0101000a0da000000000 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xdfcd0373dfcc0e53057e01be00df4fb0 (0) Finished request Thread 1 waiting to be assigned a request (0) Cleaning up request packet ID 0 with timestamp +16 due to conflicting packet was received Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 1, (1 handled so far) (1) Received Access-Request Id 0 from 192.168.2.2:44444 to 192.168.2.1:1812 length 265 (1) User-Name = "as" (1) NAS-IP-Address = 192.168.2.2 (1) Called-Station-Id = "b4378330fc3b" (1) Calling-Station-Id = "5a5b3135062e" (1) NAS-Identifier = "b4378330fc3b" (1) NAS-Port = 29 (1) Framed-MTU = 1400 (1) State = 0xdfcd0373dfcc0e53057e01be00df4fb0 (1) NAS-Port-Type = Wireless-802.11 (1) EAP-Message = 0x020100890d00160301007e0100007a030367df7cae99f0e7e4fba4bb3181d9255fb4e4053b47f21d704f41904b9a089dc400002ac014c013003900330035002fc028c027006b0067003d003cc030c02f009f009e009d009cc0120016000a0100002700 (1) Message-Authenticator = 0x15eed9703faadf1d00a6dfe52a3e6807 (1) Restoring &session-state (1) &session-state:Framed-MTU = 1014 (1) # Executing section authorize from file /etc/raddb/radiusd.conf (1) authorize { (1) modsingle[authorize]: calling eap (rlm_eap) (1) eap: Peer sent EAP Response (code 2) ID 1 length 137 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) modsingle[authorize]: returned from eap (rlm_eap) (1) [eap] = updated (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/radiusd.conf (1) authenticate { (1) modsingle[authenticate]: calling eap (rlm_eap) (1) eap: Removing EAP session with state 0xdfcd0373dfcc0e53 (1) eap: Previous EAP request found for state 0xdfcd0373dfcc0e53, released from the list (1) eap: Peer sent packet with method EAP TLS (13) (1) eap: Calling submodule eap_tls to process data (1) eap_tls: (TLS) EAP Continuing ... (1) eap_tls: (TLS) EAP Peer sent flags --- (1) eap_tls: (TLS) EAP Got final fragment (131 bytes) WARNING: (1) eap_tls: (TLS) EAP Total received record fragments (131 bytes), does not equal expected expected data length (0 bytes) (1) eap_tls: (TLS) EAP Verification says ok (1) eap_tls: (TLS) EAP Done initial handshake (1) eap_tls: (TLS) TLS - Handshake state [PINIT] - before SSL initialization (0) (1) eap_tls: (TLS) TLS - Handshake state [PINIT] - Server before SSL initialization (0) (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 00000301 (1) eap_tls: (TLS) TLS - Handshake state [PINIT] - Server before SSL initialization (0) (TLS) Received 126 bytes of TLS data (TLS) 01 00 00 7a 03 03 67 df 7c ae 99 f0 e7 e4 fb a4 (TLS) bb 31 81 d9 25 5f b4 e4 05 3b 47 f2 1d 70 4f 41 (TLS) 90 4b 9a 08 9d c4 00 00 2a c0 14 c0 13 00 39 00 (TLS) 33 00 35 00 2f c0 28 c0 27 00 6b 00 67 00 3d 00 (TLS) 3c c0 30 c0 2f 00 9f 00 9e 00 9d 00 9c c0 12 00 (TLS) 16 00 0a 01 00 00 27 00 0a 00 10 00 0e 00 17 00 (TLS) 18 01 00 01 01 01 02 01 03 01 04 00 0d 00 0a 00 (TLS) 08 05 01 04 01 01 01 02 01 ff 01 00 01 00 (1) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 00000303 (TLS) Received 2 bytes of TLS data (TLS) 02 28 (1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal handshake_failure ERROR: (1) eap_tls: (TLS) TLS - Alert write:fatal:handshake failure ERROR: (1) eap_tls: (TLS) TLS - Server : Error in error (1) eap_tls: Server preferred ciphers (by priority) (1) eap_tls: (TLS) [0] TLS_AES_256_GCM_SHA384 (1) eap_tls: (TLS) [1] TLS_AES_128_GCM_SHA256 (1) eap_tls: (TLS) [2] ECDHE-ECDSA-AES256-GCM-SHA384 (1) eap_tls: (TLS) [3] ECDHE-RSA-AES256-GCM-SHA384 (1) eap_tls: (TLS) [4] DHE-DSS-AES256-GCM-SHA384 (1) eap_tls: (TLS) [5] DHE-RSA-AES256-GCM-SHA384 (1) eap_tls: (TLS) [6] ECDHE-ECDSA-AES256-CCM (1) eap_tls: (TLS) [7] DHE-RSA-AES256-CCM (1) eap_tls: (TLS) [8] ECDHE-ECDSA-ARIA256-GCM-SHA384 (1) eap_tls: (TLS) [9] ECDHE-ARIA256-GCM-SHA384 (1) eap_tls: (TLS) [10] DHE-DSS-ARIA256-GCM-SHA384 (1) eap_tls: (TLS) [11] DHE-RSA-ARIA256-GCM-SHA384 (1) eap_tls: (TLS) [12] ADH-AES256-GCM-SHA384 (1) eap_tls: (TLS) [13] ECDHE-ECDSA-AES128-GCM-SHA256 (1) eap_tls: (TLS) [14] ECDHE-RSA-AES128-GCM-SHA256 (1) eap_tls: (TLS) [15] DHE-DSS-AES128-GCM-SHA256 (1) eap_tls: (TLS) [16] DHE-RSA-AES128-GCM-SHA256 (1) eap_tls: (TLS) [17] ECDHE-ECDSA-AES128-CCM (1) eap_tls: (TLS) [18] DHE-RSA-AES128-CCM (1) eap_tls: (TLS) [19] ECDHE-ECDSA-ARIA128-GCM-SHA256 (1) eap_tls: (TLS) [20] ECDHE-ARIA128-GCM-SHA256 (1) eap_tls: (TLS) [21] DHE-DSS-ARIA128-GCM-SHA256 (1) eap_tls: (TLS) [22] DHE-RSA-ARIA128-GCM-SHA256 (1) eap_tls: (TLS) [23] ADH-AES128-GCM-SHA256 (1) eap_tls: (TLS) [24] ECDHE-ECDSA-AES256-SHA384 (1) eap_tls: (TLS) [25] ECDHE-RSA-AES256-SHA384 (1) eap_tls: (TLS) [26] DHE-RSA-AES256-SHA256 (1) eap_tls: (TLS) [27] DHE-DSS-AES256-SHA256 (1) eap_tls: (TLS) [28] ECDHE-ECDSA-CAMELLIA256-SHA384 (1) eap_tls: (TLS) [29] ECDHE-RSA-CAMELLIA256-SHA384 (1) eap_tls: (TLS) [30] DHE-RSA-CAMELLIA256-SHA256 (1) eap_tls: (TLS) [31] DHE-DSS-CAMELLIA256-SHA256 (1) eap_tls: (TLS) [32] ADH-AES256-SHA256 (1) eap_tls: (TLS) [33] ADH-CAMELLIA256-SHA256 (1) eap_tls: (TLS) [34] ECDHE-ECDSA-AES128-SHA256 (1) eap_tls: (TLS) [35] ECDHE-RSA-AES128-SHA256 (1) eap_tls: (TLS) [36] DHE-RSA-AES128-SHA256 (1) eap_tls: (TLS) [37] DHE-DSS-AES128-SHA256 (1) eap_tls: (TLS) [38] ECDHE-ECDSA-CAMELLIA128-SHA256 (1) eap_tls: (TLS) [39] ECDHE-RSA-CAMELLIA128-SHA256 (1) eap_tls: (TLS) [40] DHE-RSA-CAMELLIA128-SHA256 (1) eap_tls: (TLS) [41] DHE-DSS-CAMELLIA128-SHA256 (1) eap_tls: (TLS) [42] ADH-AES128-SHA256 (1) eap_tls: (TLS) [43] ADH-CAMELLIA128-SHA256 (1) eap_tls: (TLS) [44] ECDHE-ECDSA-AES256-SHA (1) eap_tls: (TLS) [45] ECDHE-RSA-AES256-SHA (1) eap_tls: (TLS) [46] DHE-RSA-AES256-SHA (1) eap_tls: (TLS) [47] DHE-DSS-AES256-SHA (1) eap_tls: (TLS) [48] DHE-RSA-CAMELLIA256-SHA (1) eap_tls: (TLS) [49] DHE-DSS-CAMELLIA256-SHA (1) eap_tls: (TLS) [50] AECDH-AES256-SHA (1) eap_tls: (TLS) [51] ADH-AES256-SHA (1) eap_tls: (TLS) [52] ADH-CAMELLIA256-SHA (1) eap_tls: (TLS) [53] ECDHE-ECDSA-AES128-SHA (1) eap_tls: (TLS) [54] ECDHE-RSA-AES128-SHA (1) eap_tls: (TLS) [55] DHE-RSA-AES128-SHA (1) eap_tls: (TLS) [56] DHE-DSS-AES128-SHA (1) eap_tls: (TLS) [57] DHE-RSA-CAMELLIA128-SHA (1) eap_tls: (TLS) [58] DHE-DSS-CAMELLIA128-SHA (1) eap_tls: (TLS) [59] AECDH-AES128-SHA (1) eap_tls: (TLS) [60] ADH-AES128-SHA (1) eap_tls: (TLS) [61] ADH-CAMELLIA128-SHA (1) eap_tls: (TLS) [62] AES256-GCM-SHA384 (1) eap_tls: (TLS) [63] AES256-CCM (1) eap_tls: (TLS) [64] ARIA256-GCM-SHA384 (1) eap_tls: (TLS) [65] AES128-GCM-SHA256 (1) eap_tls: (TLS) [66] AES128-CCM (1) eap_tls: (TLS) [67] ARIA128-GCM-SHA256 (1) eap_tls: (TLS) [68] AES256-SHA256 (1) eap_tls: (TLS) [69] CAMELLIA256-SHA256 (1) eap_tls: (TLS) [70] AES128-SHA256 (1) eap_tls: (TLS) [71] CAMELLIA128-SHA256 (1) eap_tls: (TLS) [72] SRP-DSS-AES-256-CBC-SHA (1) eap_tls: (TLS) [73] SRP-RSA-AES-256-CBC-SHA (1) eap_tls: (TLS) [74] SRP-AES-256-CBC-SHA (1) eap_tls: (TLS) [75] AES256-SHA (1) eap_tls: (TLS) [76] CAMELLIA256-SHA (1) eap_tls: (TLS) [77] SRP-DSS-AES-128-CBC-SHA (1) eap_tls: (TLS) [78] SRP-RSA-AES-128-CBC-SHA (1) eap_tls: (TLS) [79] SRP-AES-128-CBC-SHA (1) eap_tls: (TLS) [80] AES128-SHA (1) eap_tls: (TLS) [81] CAMELLIA128-SHA (1) eap_tls: (TLS) TLS - Client preferred ciphers (by priority) (1) eap_tls: (TLS) [0] ECDHE-RSA-AES256-SHA (1) eap_tls: (TLS) [1] ECDHE-RSA-AES128-SHA (1) eap_tls: (TLS) [2] DHE-RSA-AES256-SHA (1) eap_tls: (TLS) [3] DHE-RSA-AES128-SHA (1) eap_tls: (TLS) [4] AES256-SHA (1) eap_tls: (TLS) [5] AES128-SHA (1) eap_tls: (TLS) [6] ECDHE-RSA-AES256-SHA384 (1) eap_tls: (TLS) [7] ECDHE-RSA-AES128-SHA256 (1) eap_tls: (TLS) [8] DHE-RSA-AES256-SHA256 (1) eap_tls: (TLS) [9] DHE-RSA-AES128-SHA256 (1) eap_tls: (TLS) [10] AES256-SHA256 (1) eap_tls: (TLS) [11] AES128-SHA256 (1) eap_tls: (TLS) [12] ECDHE-RSA-AES256-GCM-SHA384 (1) eap_tls: (TLS) [13] ECDHE-RSA-AES128-GCM-SHA256 (1) eap_tls: (TLS) [14] DHE-RSA-AES256-GCM-SHA384 (1) eap_tls: (TLS) [15] DHE-RSA-AES128-GCM-SHA256 (1) eap_tls: (TLS) [16] AES256-GCM-SHA384 (1) eap_tls: (TLS) [17] AES128-GCM-SHA256 ERROR: (1) eap_tls: (TLS) Failed reading from OpenSSL: ssl/statem/statem_srvr.c[2312]:error:0A0000C1:lib(20)::reason(193) ERROR: (1) eap_tls: (TLS) System call (I/O) error (-1) ERROR: (1) eap_tls: (TLS) EAP Receive handshake failed during operation ERROR: (1) eap_tls: [eaptls process] = fail ERROR: (1) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed (1) eap: Sending EAP Failure (code 4) ID 1 length 4 (1) eap: Failed in EAP select (1) modsingle[authenticate]: returned from eap (rlm_eap) (1) [eap] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) Post-Auth-Type sub-section not found. Ignoring. (1) Login incorrect (eap_tls: (TLS) TLS - Alert write:fatal:handshake failure): [as] (from client ac port 29 cli 5a5b3135062e) (1) Delaying response for 5.000000 seconds Thread 2 waiting to be assigned a request Waking up in 4.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 0 from 192.168.2.1:1812 to 192.168.2.2:44444 length 44 (1) EAP-Message = 0x04010004 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) Cleaning up request packet ID 0 with timestamp +16 due to done eady to process requests Waking up in 0.3 seconds. Thread 1 got semaphore Thread 1 handling request 2, (2 handled so far) (2) Received Access-Request Id 0 from 192.168.2.2:44444 to 192.168.2.1:1812 length 117 (2) User-Name = "as" (2) NAS-IP-Address = 192.168.2.2 (2) Called-Station-Id = "b4378330fc3b" (2) Calling-Station-Id = "5a5b3135062e" (2) NAS-Identifier = "b4378330fc3b" (2) NAS-Port = 29 (2) Framed-MTU = 1400 (2) NAS-Port-Type = Wireless-802.11 (2) EAP-Message = 0x02000007016173 (2) Message-Authenticator = 0x65ea19588c27954be750b34f05da01b7 (2) session-state: No State attribute (2) # Executing section authorize from file /etc/raddb/radiusd.conf (2) authorize { (2) modsingle[authorize]: calling eap (rlm_eap) (2) eap: Peer sent EAP Response (code 2) ID 0 length 7 (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (2) modsingle[authorize]: returned from eap (rlm_eap) (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/raddb/radiusd.conf (2) authenticate { (2) modsingle[authenticate]: calling eap (rlm_eap) (2) eap: Peer sent packet with method EAP Identity (1) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) TLS -Initiating new session (2) eap_tls: (TLS) TLS - Setting verify mode to require certificate from client (2) eap_tls: [eaptls start] = request (2) eap: Sending EAP Request (code 1) ID 1 length 10 (2) eap: EAP session adding &reply:State = 0x73da5fd773db5206 (2) modsingle[authenticate]: returned from eap (rlm_eap) (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) session-state: Saving cached attributes (2) Framed-MTU = 1014 (2) Sent Access-Challenge Id 0 from 192.168.2.1:1812 to 192.168.2.2:44444 length 68 (2) EAP-Message = 0x0101000a0da000000000 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x73da5fd773db520659675dbb5c31485d (2) Finished request Thread 1 waiting to be assigned a request (2) Cleaning up request packet ID 0 with timestamp +131 due to conflicting packet was received Waking up in 0.3 seconds. Thread 2 got semaphore Thread 2 handling request 3, (2 handled so far) (3) Received Access-Request Id 0 from 192.168.2.2:44444 to 192.168.2.1:1812 length 265 (3) User-Name = "as" (3) NAS-IP-Address = 192.168.2.2 (3) Called-Station-Id = "b4378330fc3b" (3) Calling-Station-Id = "5a5b3135062e" (3) NAS-Identifier = "b4378330fc3b" (3) NAS-Port = 29 (3) Framed-MTU = 1400 (3) State = 0x73da5fd773db520659675dbb5c31485d (3) NAS-Port-Type = Wireless-802.11 (3) EAP-Message = 0x020100890d00160301007e0100007a030367df7d21f4b742d6792d0128f9d335437102d658ee7fe1dc1c334257dacf927600002ac014c013003900330035002fc028c027006b0067003d003cc030c02f009f009e009d009cc0120016000a0100002700 (3) Message-Authenticator = 0x68e323e0b85f9b9e6c84bec8bc5bb779 (3) Restoring &session-state (3) &session-state:Framed-MTU = 1014 (3) # Executing section authorize from file /etc/raddb/radiusd.conf (3) authorize { (3) modsingle[authorize]: calling eap (rlm_eap) (3) eap: Peer sent EAP Response (code 2) ID 1 length 137 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) modsingle[authorize]: returned from eap (rlm_eap) (3) [eap] = updated (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/raddb/radiusd.conf (3) authenticate { (3) modsingle[authenticate]: calling eap (rlm_eap) (3) eap: Removing EAP session with state 0x73da5fd773db5206 (3) eap: Previous EAP request found for state 0x73da5fd773db5206, released from the list (3) eap: Peer sent packet with method EAP TLS (13) (3) eap: Calling submodule eap_tls to process data (3) eap_tls: (TLS) EAP Continuing ... (3) eap_tls: (TLS) EAP Peer sent flags --- (3) eap_tls: (TLS) EAP Got final fragment (131 bytes) WARNING: (3) eap_tls: (TLS) EAP Total received record fragments (131 bytes), does not equal expected expected data length (0 bytes) (3) eap_tls: (TLS) EAP Verification says ok (3) eap_tls: (TLS) EAP Done initial handshake (3) eap_tls: (TLS) TLS - Handshake state [PINIT] - before SSL initialization (0) (3) eap_tls: (TLS) TLS - Handshake state [PINIT] - Server before SSL initialization (0) (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 00000301 (3) eap_tls: (TLS) TLS - Handshake state [PINIT] - Server before SSL initialization (0) (TLS) Received 126 bytes of TLS data (TLS) 01 00 00 7a 03 03 67 df 7d 21 f4 b7 42 d6 79 2d (TLS) 01 28 f9 d3 35 43 71 02 d6 58 ee 7f e1 dc 1c 33 (TLS) 42 57 da cf 92 76 00 00 2a c0 14 c0 13 00 39 00 (TLS) 33 00 35 00 2f c0 28 c0 27 00 6b 00 67 00 3d 00 (TLS) 3c c0 30 c0 2f 00 9f 00 9e 00 9d 00 9c c0 12 00 (TLS) 16 00 0a 01 00 00 27 00 0a 00 10 00 0e 00 17 00 (TLS) 18 01 00 01 01 01 02 01 03 01 04 00 0d 00 0a 00 (TLS) 08 05 01 04 01 01 01 02 01 ff 01 00 01 00 (3) eap_tls: (TLS) TLS - recv TLS 1.3 Handshake, ClientHello (TLS) Ignoring cbtls_msg call with pseudo content type 256, version 00000303 (TLS) Received 2 bytes of TLS data (TLS) 02 28 (3) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal handshake_failure ERROR: (3) eap_tls: (TLS) TLS - Alert write:fatal:handshake failure ERROR: (3) eap_tls: (TLS) TLS - Server : Error in error (3) eap_tls: Server preferred ciphers (by priority) (3) eap_tls: (TLS) [0] TLS_AES_256_GCM_SHA384 (3) eap_tls: (TLS) [1] TLS_AES_128_GCM_SHA256 (3) eap_tls: (TLS) [2] ECDHE-ECDSA-AES256-GCM-SHA384 (3) eap_tls: (TLS) [3] ECDHE-RSA-AES256-GCM-SHA384 (3) eap_tls: (TLS) [4] DHE-DSS-AES256-GCM-SHA384 (3) eap_tls: (TLS) [5] DHE-RSA-AES256-GCM-SHA384 (3) eap_tls: (TLS) [6] ECDHE-ECDSA-AES256-CCM (3) eap_tls: (TLS) [7] DHE-RSA-AES256-CCM (3) eap_tls: (TLS) [8] ECDHE-ECDSA-ARIA256-GCM-SHA384 (3) eap_tls: (TLS) [9] ECDHE-ARIA256-GCM-SHA384 (3) eap_tls: (TLS) [10] DHE-DSS-ARIA256-GCM-SHA384 (3) eap_tls: (TLS) [11] DHE-RSA-ARIA256-GCM-SHA384 (3) eap_tls: (TLS) [12] ADH-AES256-GCM-SHA384 (3) eap_tls: (TLS) [13] ECDHE-ECDSA-AES128-GCM-SHA256 (3) eap_tls: (TLS) [14] ECDHE-RSA-AES128-GCM-SHA256 (3) eap_tls: (TLS) [15] DHE-DSS-AES128-GCM-SHA256 (3) eap_tls: (TLS) [16] DHE-RSA-AES128-GCM-SHA256 (3) eap_tls: (TLS) [17] ECDHE-ECDSA-AES128-CCM (3) eap_tls: (TLS) [18] DHE-RSA-AES128-CCM (3) eap_tls: (TLS) [19] ECDHE-ECDSA-ARIA128-GCM-SHA256 (3) eap_tls: (TLS) [20] ECDHE-ARIA128-GCM-SHA256 (3) eap_tls: (TLS) [21] DHE-DSS-ARIA128-GCM-SHA256 (3) eap_tls: (TLS) [22] DHE-RSA-ARIA128-GCM-SHA256 (3) eap_tls: (TLS) [23] ADH-AES128-GCM-SHA256 (3) eap_tls: (TLS) [24] ECDHE-ECDSA-AES256-SHA384 (3) eap_tls: (TLS) [25] ECDHE-RSA-AES256-SHA384 (3) eap_tls: (TLS) [26] DHE-RSA-AES256-SHA256 (3) eap_tls: (TLS) [27] DHE-DSS-AES256-SHA256 (3) eap_tls: (TLS) [28] ECDHE-ECDSA-CAMELLIA256-SHA384 (3) eap_tls: (TLS) [29] ECDHE-RSA-CAMELLIA256-SHA384 (3) eap_tls: (TLS) [30] DHE-RSA-CAMELLIA256-SHA256 (3) eap_tls: (TLS) [31] DHE-DSS-CAMELLIA256-SHA256 (3) eap_tls: (TLS) [32] ADH-AES256-SHA256 (3) eap_tls: (TLS) [33] ADH-CAMELLIA256-SHA256 (3) eap_tls: (TLS) [34] ECDHE-ECDSA-AES128-SHA256 (3) eap_tls: (TLS) [35] ECDHE-RSA-AES128-SHA256 (3) eap_tls: (TLS) [36] DHE-RSA-AES128-SHA256 (3) eap_tls: (TLS) [37] DHE-DSS-AES128-SHA256 (3) eap_tls: (TLS) [38] ECDHE-ECDSA-CAMELLIA128-SHA256 (3) eap_tls: (TLS) [39] ECDHE-RSA-CAMELLIA128-SHA256 (3) eap_tls: (TLS) [40] DHE-RSA-CAMELLIA128-SHA256 (3) eap_tls: (TLS) [41] DHE-DSS-CAMELLIA128-SHA256 (3) eap_tls: (TLS) [42] ADH-AES128-SHA256 (3) eap_tls: (TLS) [43] ADH-CAMELLIA128-SHA256 (3) eap_tls: (TLS) [44] ECDHE-ECDSA-AES256-SHA (3) eap_tls: (TLS) [45] ECDHE-RSA-AES256-SHA (3) eap_tls: (TLS) [46] DHE-RSA-AES256-SHA (3) eap_tls: (TLS) [47] DHE-DSS-AES256-SHA (3) eap_tls: (TLS) [48] DHE-RSA-CAMELLIA256-SHA (3) eap_tls: (TLS) [49] DHE-DSS-CAMELLIA256-SHA (3) eap_tls: (TLS) [50] AECDH-AES256-SHA (3) eap_tls: (TLS) [51] ADH-AES256-SHA (3) eap_tls: (TLS) [52] ADH-CAMELLIA256-SHA (3) eap_tls: (TLS) [53] ECDHE-ECDSA-AES128-SHA (3) eap_tls: (TLS) [54] ECDHE-RSA-AES128-SHA (3) eap_tls: (TLS) [55] DHE-RSA-AES128-SHA (3) eap_tls: (TLS) [56] DHE-DSS-AES128-SHA (3) eap_tls: (TLS) [57] DHE-RSA-CAMELLIA128-SHA (3) eap_tls: (TLS) [58] DHE-DSS-CAMELLIA128-SHA (3) eap_tls: (TLS) [59] AECDH-AES128-SHA (3) eap_tls: (TLS) [60] ADH-AES128-SHA (3) eap_tls: (TLS) [61] ADH-CAMELLIA128-SHA (3) eap_tls: (TLS) [62] AES256-GCM-SHA384 (3) eap_tls: (TLS) [63] AES256-CCM (3) eap_tls: (TLS) [64] ARIA256-GCM-SHA384 (3) eap_tls: (TLS) [65] AES128-GCM-SHA256 (3) eap_tls: (TLS) [66] AES128-CCM (3) eap_tls: (TLS) [67] ARIA128-GCM-SHA256 (3) eap_tls: (TLS) [68] AES256-SHA256 (3) eap_tls: (TLS) [69] CAMELLIA256-SHA256 (3) eap_tls: (TLS) [70] AES128-SHA256 (3) eap_tls: (TLS) [71] CAMELLIA128-SHA256 (3) eap_tls: (TLS) [72] SRP-DSS-AES-256-CBC-SHA (3) eap_tls: (TLS) [73] SRP-RSA-AES-256-CBC-SHA (3) eap_tls: (TLS) [74] SRP-AES-256-CBC-SHA (3) eap_tls: (TLS) [75] AES256-SHA (3) eap_tls: (TLS) [76] CAMELLIA256-SHA (3) eap_tls: (TLS) [77] SRP-DSS-AES-128-CBC-SHA (3) eap_tls: (TLS) [78] SRP-RSA-AES-128-CBC-SHA (3) eap_tls: (TLS) [79] SRP-AES-128-CBC-SHA (3) eap_tls: (TLS) [80] AES128-SHA (3) eap_tls: (TLS) [81] CAMELLIA128-SHA (3) eap_tls: (TLS) TLS - Client preferred ciphers (by priority) (3) eap_tls: (TLS) [0] ECDHE-RSA-AES256-SHA (3) eap_tls: (TLS) [1] ECDHE-RSA-AES128-SHA (3) eap_tls: (TLS) [2] DHE-RSA-AES256-SHA (3) eap_tls: (TLS) [3] DHE-RSA-AES128-SHA (3) eap_tls: (TLS) [4] AES256-SHA (3) eap_tls: (TLS) [5] AES128-SHA (3) eap_tls: (TLS) [6] ECDHE-RSA-AES256-SHA384 (3) eap_tls: (TLS) [7] ECDHE-RSA-AES128-SHA256 (3) eap_tls: (TLS) [8] DHE-RSA-AES256-SHA256 (3) eap_tls: (TLS) [9] DHE-RSA-AES128-SHA256 (3) eap_tls: (TLS) [10] AES256-SHA256 (3) eap_tls: (TLS) [11] AES128-SHA256 (3) eap_tls: (TLS) [12] ECDHE-RSA-AES256-GCM-SHA384 (3) eap_tls: (TLS) [13] ECDHE-RSA-AES128-GCM-SHA256 (3) eap_tls: (TLS) [14] DHE-RSA-AES256-GCM-SHA384 (3) eap_tls: (TLS) [15] DHE-RSA-AES128-GCM-SHA256 (3) eap_tls: (TLS) [16] AES256-GCM-SHA384 (3) eap_tls: (TLS) [17] AES128-GCM-SHA256 ERROR: (3) eap_tls: (TLS) Failed reading from OpenSSL: ssl/statem/statem_srvr.c[2312]:error:0A0000C1:lib(20)::reason(193) ERROR: (3) eap_tls: (TLS) System call (I/O) error (-1) ERROR: (3) eap_tls: (TLS) EAP Receive handshake failed during operation ERROR: (3) eap_tls: [eaptls process] = fail ERROR: (3) eap: Failed continuing EAP TLS (13) session. EAP sub-module failed (3) eap: Sending EAP Failure (code 4) ID 1 length 4 (3) eap: Failed in EAP select (3) modsingle[authenticate]: returned from eap (rlm_eap) (3) [eap] = invalid (3) } # authenticate = invalid (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) Post-Auth-Type sub-section not found. Ignoring. (3) Login incorrect (eap_tls: (TLS) TLS - Alert write:fatal:handshake failure): [as] (from client ac port 29 cli 5a5b3135062e) (3) Delaying response for 5.000000 seconds Thread 2 waiting to be assigned a request Waking up in 4.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 0 from 192.168.2.1:1812 to 192.168.2.2:44444 length 44 (3) EAP-Message = 0x04010004 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) Cleaning up request packet ID 0 with timestamp +131 due to done Ready to process requests
On Mar 23, 2025, at 5:37 AM, Pat Pat <pat97040@gmail.com> wrote:
I am trying to use freeradius with WPA2-EAP. I have android clients working but using IWD it seems to fail with a TLS handshake error.
Which version of FreeRADIUS are you using?
(TLS) Ignoring cbtls_msg call with pseudo content type 256, version 00000303 (TLS) Received 2 bytes of TLS data (TLS) 02 28 (1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal handshake_failure ERROR: (1) eap_tls: (TLS) TLS - Alert write:fatal:handshake failure ERROR: (1) eap_tls: (TLS) TLS - Server : Error in error
Something is going wrong in the TLS negotiation. There isn't much to debug here. If one supplicant works, and another one fails, the issue is likely the supplicant. Alan DeKok.
I am trying to use freeradius with WPA2-EAP. I have android clients working but using IWD it seems to fail with a TLS handshake error.
Which version of FreeRADIUS are you using?
I am using 3.2.6 with openssl 3.4.1
If one supplicant works, and another one fails, the issue is likely the supplicant.
Hence my quick email to the list. Ell (the library used by IWD) only supports RSA certificates for the client, which is most annoying the only place it is documented is in the source. Thanks for the reply. Cheers Pat On Mon, Mar 24, 2025 at 12:06 AM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 23, 2025, at 5:37 AM, Pat Pat <pat97040@gmail.com> wrote:
I am trying to use freeradius with WPA2-EAP. I have android clients working but using IWD it seems to fail with a TLS handshake error.
Which version of FreeRADIUS are you using?
(TLS) Ignoring cbtls_msg call with pseudo content type 256, version 00000303 (TLS) Received 2 bytes of TLS data (TLS) 02 28 (1) eap_tls: (TLS) TLS - send TLS 1.2 Alert, fatal handshake_failure ERROR: (1) eap_tls: (TLS) TLS - Alert write:fatal:handshake failure ERROR: (1) eap_tls: (TLS) TLS - Server : Error in error
Something is going wrong in the TLS negotiation. There isn't much to debug here.
If one supplicant works, and another one fails, the issue is likely the supplicant.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
Pat Pat