Hi, So I got everything working, and am able to run TLS in my android phone but when I try thru my iPhone or my MacBook I get SSL error on RADIUS debug. Amazingly same certificate work on my android phone without any issues. Can someone share what could be the issue? A snippet of the error: *(140) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A* *(140) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(140) eap_tls: ERROR: System call (I/O) error (-1)* *(140) eap_tls: ERROR: TLS receive handshake failed during operation* *(140) eap_tls: ERROR: [eaptls process] = fail* *(140) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed* Complete EAP debug from failed devices: (156) Received Access-Request Id 238 from 103.46.239.184:36499 to 192.168.253.6:1812 length 226 (156) Service-Type = Framed-User (156) Framed-MTU = 1400 (156) User-Name = "macbook" (156) NAS-Port-Id = "wlan1" (156) NAS-Port-Type = Wireless-802.11 (156) Acct-Session-Id = "8220002d" (156) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (156) Calling-Station-Id = "B8-C1-11-D1-4D-50" (156) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (156) EAP-Message = 0x0200000c016d6163626f6f6b (156) Message-Authenticator = 0x9b1b6d0c79559268e6cfb2a0cbe5240d (156) NAS-Identifier = "MikroTik" (156) NAS-IP-Address = 192.168.88.2 (156) # Executing section authorize from file /etc/raddb/sites-enabled/default (156) authorize { (156) policy filter_username { (156) if (&User-Name) { (156) if (&User-Name) -> TRUE (156) if (&User-Name) { (156) if (&User-Name =~ / /) { (156) if (&User-Name =~ / /) -> FALSE (156) if (&User-Name =~ /@[^@]*@/ ) { (156) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (156) if (&User-Name =~ /\.\./ ) { (156) if (&User-Name =~ /\.\./ ) -> FALSE (156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (156) if (&User-Name =~ /\.$/) { (156) if (&User-Name =~ /\.$/) -> FALSE (156) if (&User-Name =~ /@\./) { (156) if (&User-Name =~ /@\./) -> FALSE (156) } # if (&User-Name) = notfound (156) } # policy filter_username = notfound (156) [preprocess] = ok (156) eap: Peer sent EAP Response (code 2) ID 0 length 12 (156) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (156) [eap] = ok (156) } # authorize = ok (156) Found Auth-Type = eap (156) # Executing group from file /etc/raddb/sites-enabled/default (156) authenticate { (156) eap: Peer sent packet with method EAP Identity (1) (156) eap: Calling submodule eap_tls to process data (156) eap_tls: Initiating new EAP-TLS session (156) eap_tls: Setting verify mode to require certificate from client (156) eap_tls: [eaptls start] = request (156) eap: Sending EAP Request (code 1) ID 1 length 6 (156) eap: EAP session adding &reply:State = 0xccf8f142ccf9fce7 (156) [eap] = handled (156) } # authenticate = handled (156) Using Post-Auth-Type Challenge (156) # Executing group from file /etc/raddb/sites-enabled/default (156) Challenge { ... } # empty sub-section is ignored (156) Sent Access-Challenge Id 238 from 192.168.253.6:1812 to 103.46.239.184:36499 length 0 (156) EAP-Message = 0x010100060d20 (156) Message-Authenticator = 0x00000000000000000000000000000000 (156) State = 0xccf8f142ccf9fce75307e48862cef384 (156) Finished request Waking up in 4.9 seconds. (157) Received Access-Request Id 239 from 103.46.239.184:40285 to 192.168.253.6:1812 length 393 (157) Service-Type = Framed-User (157) Framed-MTU = 1400 (157) User-Name = "macbook" (157) State = 0xccf8f142ccf9fce75307e48862cef384 (157) NAS-Port-Id = "wlan1" (157) NAS-Port-Type = Wireless-802.11 (157) Acct-Session-Id = "8220002d" (157) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (157) Calling-Station-Id = "B8-C1-11-D1-4D-50" (157) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (157) EAP-Message = 0x020100a10d800000009716030300920100008e03035c66eda3b9189d8cb5e4f5d1b7da29789b4f95dc78ef817aeb5462abc249b93100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00 (157) Message-Authenticator = 0xf775fc6bc1a0190eb8997ecbcbb51f4f (157) NAS-Identifier = "MikroTik" (157) NAS-IP-Address = 192.168.88.2 (157) session-state: No cached attributes (157) # Executing section authorize from file /etc/raddb/sites-enabled/default (157) authorize { (157) policy filter_username { (157) if (&User-Name) { (157) if (&User-Name) -> TRUE (157) if (&User-Name) { (157) if (&User-Name =~ / /) { (157) if (&User-Name =~ / /) -> FALSE (157) if (&User-Name =~ /@[^@]*@/ ) { (157) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (157) if (&User-Name =~ /\.\./ ) { (157) if (&User-Name =~ /\.\./ ) -> FALSE (157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (157) if (&User-Name =~ /\.$/) { (157) if (&User-Name =~ /\.$/) -> FALSE (157) if (&User-Name =~ /@\./) { (157) if (&User-Name =~ /@\./) -> FALSE (157) } # if (&User-Name) = notfound (157) } # policy filter_username = notfound (157) [preprocess] = ok (157) eap: Peer sent EAP Response (code 2) ID 1 length 161 (157) eap: No EAP Start, assuming it's an on-going EAP conversation (157) [eap] = updated (157) sql: EXPAND %{User-Name} (157) sql: --> macbook (157) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (60) (157) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (157) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (157) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (157) sql: User found in radcheck table (157) sql: Conditional check items matched, merging assignment check items (157) sql: Auth-Type := eap (157) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (157) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (157) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(157) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (60) *Need 7 more connections to reach 10 spares* *rlm_sql (sql): Opening additional connection (63), 1 of 29 pending slots used* rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket, server version 5.6.43, protocol version 10 (157) [sql] = ok (157) if (notfound) { (157) if (notfound) -> FALSE (157) [expiration] = noop (157) [logintime] = noop (157) [pap] = noop (157) } # authorize = updated (157) Found Auth-Type = eap (157) # Executing group from file /etc/raddb/sites-enabled/default (157) authenticate { (157) eap: Expiring EAP session with state 0xccf8f142ccf9fce7 (157) eap: Finished EAP session with state 0xccf8f142ccf9fce7 (157) eap: Previous EAP request found for state 0xccf8f142ccf9fce7, released from the list (157) eap: Peer sent packet with method EAP TLS (13) (157) eap: Calling submodule eap_tls to process data (157) eap_tls: Continuing EAP-TLS (157) eap_tls: Peer indicated complete TLS record size will be 151 bytes (157) eap_tls: Got complete TLS record (151 bytes) (157) eap_tls: [eaptls verify] = length included (157) eap_tls: (other): before/accept initialization (157) eap_tls: TLS_accept: before/accept initialization (157) eap_tls: <<< recv TLS 1.2 [length 0092] (157) eap_tls: TLS_accept: SSLv3 read client hello A (157) eap_tls: >>> send TLS 1.2 [length 0039] (157) eap_tls: TLS_accept: SSLv3 write server hello A (157) eap_tls: >>> send TLS 1.2 [length 06ee] (157) eap_tls: TLS_accept: SSLv3 write certificate A (157) eap_tls: >>> send TLS 1.2 [length 00cd] (157) eap_tls: TLS_accept: SSLv3 write key exchange A (157) eap_tls: >>> send TLS 1.2 [length 00a5] (157) eap_tls: TLS_accept: SSLv3 write certificate request A (157) eap_tls: TLS_accept: SSLv3 flush data (157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A (157) eap_tls: In SSL Handshake Phase (157) eap_tls: In SSL Accept mode (157) eap_tls: [eaptls process] = handled (157) eap: Sending EAP Request (code 1) ID 2 length 1024 (157) eap: EAP session adding &reply:State = 0xccf8f142cdfafce7 (157) [eap] = handled (157) } # authenticate = handled (157) Using Post-Auth-Type Challenge (157) # Executing group from file /etc/raddb/sites-enabled/default (157) Challenge { ... } # empty sub-section is ignored (157) Sent Access-Challenge Id 239 from 192.168.253.6:1812 to 103.46.239.184:40285 length 0 (157) EAP-Message = 0x010204000dc0000008ad160303003902000035030368fd206e3ef60d7fd094ee6184fa23ad9edd6bc23b529f88b11669a0e088a95700c03000000dff01000100000b00040300010216030306ee0b0006ea0006e70003a03082039c30820305a003020102020101300d06092a864886f70d010105050030 (157) Message-Authenticator = 0x00000000000000000000000000000000 (157) State = 0xccf8f142cdfafce75307e48862cef384 (157) Finished request Waking up in 4.9 seconds. (158) Received Access-Request Id 240 from 103.46.239.184:53647 to 192.168.253.6:1812 length 238 (158) Service-Type = Framed-User (158) Framed-MTU = 1400 (158) User-Name = "macbook" (158) State = 0xccf8f142cdfafce75307e48862cef384 (158) NAS-Port-Id = "wlan1" (158) NAS-Port-Type = Wireless-802.11 (158) Acct-Session-Id = "8220002d" (158) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (158) Calling-Station-Id = "B8-C1-11-D1-4D-50" (158) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (158) EAP-Message = 0x020200060d00 (158) Message-Authenticator = 0xb397d9cf688e3c16bfacd51e63ee0677 (158) NAS-Identifier = "MikroTik" (158) NAS-IP-Address = 192.168.88.2 (158) session-state: No cached attributes (158) # Executing section authorize from file /etc/raddb/sites-enabled/default (158) authorize { (158) policy filter_username { (158) if (&User-Name) { (158) if (&User-Name) -> TRUE (158) if (&User-Name) { (158) if (&User-Name =~ / /) { (158) if (&User-Name =~ / /) -> FALSE (158) if (&User-Name =~ /@[^@]*@/ ) { (158) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (158) if (&User-Name =~ /\.\./ ) { (158) if (&User-Name =~ /\.\./ ) -> FALSE (158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (158) if (&User-Name =~ /\.$/) { (158) if (&User-Name =~ /\.$/) -> FALSE (158) if (&User-Name =~ /@\./) { (158) if (&User-Name =~ /@\./) -> FALSE (158) } # if (&User-Name) = notfound (158) } # policy filter_username = notfound (158) [preprocess] = ok (158) eap: Peer sent EAP Response (code 2) ID 2 length 6 (158) eap: No EAP Start, assuming it's an on-going EAP conversation (158) [eap] = updated (158) sql: EXPAND %{User-Name} (158) sql: --> macbook (158) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (62) (158) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (158) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (158) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (158) sql: User found in radcheck table (158) sql: Conditional check items matched, merging assignment check items (158) sql: Auth-Type := eap (158) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (158) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (158) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(158) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (62) (158) [sql] = ok (158) if (notfound) { (158) if (notfound) -> FALSE (158) [expiration] = noop (158) [logintime] = noop (158) [pap] = noop (158) } # authorize = updated (158) Found Auth-Type = eap (158) # Executing group from file /etc/raddb/sites-enabled/default (158) authenticate { (158) eap: Expiring EAP session with state 0xccf8f142cdfafce7 (158) eap: Finished EAP session with state 0xccf8f142cdfafce7 (158) eap: Previous EAP request found for state 0xccf8f142cdfafce7, released from the list (158) eap: Peer sent packet with method EAP TLS (13) (158) eap: Calling submodule eap_tls to process data (158) eap_tls: Continuing EAP-TLS (158) eap_tls: Peer ACKed our handshake fragment (158) eap_tls: [eaptls verify] = request (158) eap_tls: [eaptls process] = handled (158) eap: Sending EAP Request (code 1) ID 3 length 1024 (158) eap: EAP session adding &reply:State = 0xccf8f142cefbfce7 (158) [eap] = handled (158) } # authenticate = handled (158) Using Post-Auth-Type Challenge (158) # Executing group from file /etc/raddb/sites-enabled/default (158) Challenge { ... } # empty sub-section is ignored (158) Sent Access-Challenge Id 240 from 192.168.253.6:1812 to 103.46.239.184:53647 length 0 (158) EAP-Message = 0x010304000dc0000008ad02a6a003020102020900b184f1d60648f80a300d06092a864886f70d01010b05003073310b300906035504061302494e310b3009060355040813024445310e300c0603550407130544656c6869310f300d060355040a130653686f757574311230100603550403130953686f75 (158) Message-Authenticator = 0x00000000000000000000000000000000 (158) State = 0xccf8f142cefbfce75307e48862cef384 (158) Finished request Waking up in 4.8 seconds. (159) Received Access-Request Id 241 from 103.46.239.184:58701 to 192.168.253.6:1812 length 238 (159) Service-Type = Framed-User (159) Framed-MTU = 1400 (159) User-Name = "macbook" (159) State = 0xccf8f142cefbfce75307e48862cef384 (159) NAS-Port-Id = "wlan1" (159) NAS-Port-Type = Wireless-802.11 (159) Acct-Session-Id = "8220002d" (159) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (159) Calling-Station-Id = "B8-C1-11-D1-4D-50" (159) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (159) EAP-Message = 0x020300060d00 (159) Message-Authenticator = 0x599b7d41483b5ff646d709190859ad41 (159) NAS-Identifier = "MikroTik" (159) NAS-IP-Address = 192.168.88.2 (159) session-state: No cached attributes (159) # Executing section authorize from file /etc/raddb/sites-enabled/default (159) authorize { (159) policy filter_username { (159) if (&User-Name) { (159) if (&User-Name) -> TRUE (159) if (&User-Name) { (159) if (&User-Name =~ / /) { (159) if (&User-Name =~ / /) -> FALSE (159) if (&User-Name =~ /@[^@]*@/ ) { (159) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (159) if (&User-Name =~ /\.\./ ) { (159) if (&User-Name =~ /\.\./ ) -> FALSE (159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (159) if (&User-Name =~ /\.$/) { (159) if (&User-Name =~ /\.$/) -> FALSE (159) if (&User-Name =~ /@\./) { (159) if (&User-Name =~ /@\./) -> FALSE (159) } # if (&User-Name) = notfound (159) } # policy filter_username = notfound (159) [preprocess] = ok (159) eap: Peer sent EAP Response (code 2) ID 3 length 6 (159) eap: No EAP Start, assuming it's an on-going EAP conversation (159) [eap] = updated (159) sql: EXPAND %{User-Name} (159) sql: --> macbook (159) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (61) (159) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (159) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (159) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (159) sql: User found in radcheck table (159) sql: Conditional check items matched, merging assignment check items (159) sql: Auth-Type := eap (159) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (159) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (159) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(159) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (61) (159) [sql] = ok (159) if (notfound) { (159) if (notfound) -> FALSE (159) [expiration] = noop (159) [logintime] = noop (159) [pap] = noop (159) } # authorize = updated (159) Found Auth-Type = eap (159) # Executing group from file /etc/raddb/sites-enabled/default (159) authenticate { (159) eap: Expiring EAP session with state 0xccf8f142cefbfce7 (159) eap: Finished EAP session with state 0xccf8f142cefbfce7 (159) eap: Previous EAP request found for state 0xccf8f142cefbfce7, released from the list (159) eap: Peer sent packet with method EAP TLS (13) (159) eap: Calling submodule eap_tls to process data (159) eap_tls: Continuing EAP-TLS (159) eap_tls: Peer ACKed our handshake fragment (159) eap_tls: [eaptls verify] = request (159) eap_tls: [eaptls process] = handled (159) eap: Sending EAP Request (code 1) ID 4 length 203 (159) eap: EAP session adding &reply:State = 0xccf8f142cffcfce7 (159) [eap] = handled (159) } # authenticate = handled (159) Using Post-Auth-Type Challenge (159) # Executing group from file /etc/raddb/sites-enabled/default (159) Challenge { ... } # empty sub-section is ignored (159) Sent Access-Challenge Id 241 from 192.168.253.6:1812 to 103.46.239.184:58701 length 0 (159) EAP-Message = 0x010400cb0d80000008ad24a53a7915db5dc8993989d24c02cfa39af20337cc762c16030300a50d00009d03010240001e060106020603050105020503040104020403030103020303020102020203007700753073310b300906035504061302494e310b3009060355040813024445310e300c0603550407 (159) Message-Authenticator = 0x00000000000000000000000000000000 (159) State = 0xccf8f142cffcfce75307e48862cef384 (159) Finished request Waking up in 4.8 seconds. (160) Received Access-Request Id 242 from 103.46.239.184:59711 to 192.168.253.6:1812 length 249 (160) Service-Type = Framed-User (160) Framed-MTU = 1400 (160) User-Name = "macbook" (160) State = 0xccf8f142cffcfce75307e48862cef384 (160) NAS-Port-Id = "wlan1" (160) NAS-Port-Type = Wireless-802.11 (160) Acct-Session-Id = "8220002d" (160) Acct-Multi-Session-Id = "CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D" (160) Calling-Station-Id = "B8-C1-11-D1-4D-50" (160) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST" (160) EAP-Message = 0x020400110d800000000715030300020100 (160) Message-Authenticator = 0x0dd503fd540264a4baa68f7135caa25d (160) NAS-Identifier = "MikroTik" (160) NAS-IP-Address = 192.168.88.2 (160) session-state: No cached attributes (160) # Executing section authorize from file /etc/raddb/sites-enabled/default (160) authorize { (160) policy filter_username { (160) if (&User-Name) { (160) if (&User-Name) -> TRUE (160) if (&User-Name) { (160) if (&User-Name =~ / /) { (160) if (&User-Name =~ / /) -> FALSE (160) if (&User-Name =~ /@[^@]*@/ ) { (160) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (160) if (&User-Name =~ /\.\./ ) { (160) if (&User-Name =~ /\.\./ ) -> FALSE (160) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (160) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (160) if (&User-Name =~ /\.$/) { (160) if (&User-Name =~ /\.$/) -> FALSE (160) if (&User-Name =~ /@\./) { (160) if (&User-Name =~ /@\./) -> FALSE (160) } # if (&User-Name) = notfound (160) } # policy filter_username = notfound (160) [preprocess] = ok (160) eap: Peer sent EAP Response (code 2) ID 4 length 17 (160) eap: No EAP Start, assuming it's an on-going EAP conversation (160) [eap] = updated (160) sql: EXPAND %{User-Name} (160) sql: --> macbook (160) sql: SQL-User-Name set to 'macbook' rlm_sql (sql): Reserved connection (60) (160) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (160) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (160) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'macbook' ORDER BY id (160) sql: User found in radcheck table (160) sql: Conditional check items matched, merging assignment check items (160) sql: Auth-Type := eap (160) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (160) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id (160) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = 'macbook' ORDER BY id *(160) sql: WARNING: Cannot do check groups when group_membership_query is not set* rlm_sql (sql): Released connection (60) (160) [sql] = ok (160) if (notfound) { (160) if (notfound) -> FALSE (160) [expiration] = noop (160) [logintime] = noop (160) [pap] = noop (160) } # authorize = updated (160) Found Auth-Type = eap (160) # Executing group from file /etc/raddb/sites-enabled/default (160) authenticate { (160) eap: Expiring EAP session with state 0xccf8f142cffcfce7 (160) eap: Finished EAP session with state 0xccf8f142cffcfce7 (160) eap: Previous EAP request found for state 0xccf8f142cffcfce7, released from the list (160) eap: Peer sent packet with method EAP TLS (13) (160) eap: Calling submodule eap_tls to process data (160) eap_tls: Continuing EAP-TLS (160) eap_tls: Peer indicated complete TLS record size will be 7 bytes (160) eap_tls: Got complete TLS record (7 bytes) (160) eap_tls: [eaptls verify] = length included (160) eap_tls: <<< recv TLS 1.2 [length 0002] *(160) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A* *(160) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(160) eap_tls: ERROR: System call (I/O) error (-1)* *(160) eap_tls: ERROR: TLS receive handshake failed during operation* *(160) eap_tls: ERROR: [eaptls process] = fail* *(160) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed* (160) eap: Sending EAP Failure (code 4) ID 4 length 4 (160) eap: Failed in EAP select (160) [eap] = invalid (160) } # authenticate = invalid (160) Failed to authenticate the user (160) Using Post-Auth-Type Reject (160) # Executing group from file /etc/raddb/sites-enabled/default (160) Post-Auth-Type REJECT { (160) sql: EXPAND .query (160) sql: --> .query (160) sql: Using query template 'query' rlm_sql (sql): Reserved connection (63) (160) sql: EXPAND %{User-Name} (160) sql: --> macbook (160) sql: SQL-User-Name set to 'macbook' (160) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (160) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15 22:36:48.754856') (160) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15 22:36:48.754856') (160) sql: SQL query returned: success (160) sql: 1 record(s) updated rlm_sql (sql): Released connection (63) (160) [sql] = ok (160) attr_filter.access_reject: EXPAND %{User-Name} (160) attr_filter.access_reject: --> macbook (160) attr_filter.access_reject: Matched entry DEFAULT at line 11 (160) [attr_filter.access_reject] = updated (160) [eap] = noop (160) policy remove_reply_message_if_eap { (160) if (&reply:EAP-Message && &reply:Reply-Message) { (160) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (160) else { (160) [noop] = noop (160) } # else = noop (160) } # policy remove_reply_message_if_eap = noop (160) } # Post-Auth-Type REJECT = updated (160) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (160) Sending delayed response (160) Sent Access-Reject Id 242 from 192.168.253.6:1812 to 103.46.239.184:59711 length 44 (160) EAP-Message = 0x04040004 (160) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (156) Cleaning up request packet ID 238 with timestamp +5619 (157) Cleaning up request packet ID 239 with timestamp +5619 (158) Cleaning up request packet ID 240 with timestamp +5619 (159) Cleaning up request packet ID 241 with timestamp +5619 (160) Cleaning up request packet ID 242 with timestamp +5619 *Ready to process requests* Cheers MK Singh +91-9910416231 www.shouut.com
On Feb 15, 2019, at 11:52 AM, Mankomal Singh <mankomal@shouut.com> wrote:
So I got everything working, and am able to run TLS in my android phone but when I try thru my iPhone or my MacBook I get SSL error on RADIUS debug. Amazingly same certificate work on my android phone without any issues. Can someone share what could be the issue?
A snippet of the error:
*(140) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A*
That's not overly descriptive. As with most SSL errors. The problem is likely that the iPhone doesn't like the server certificate. You'll have create a certificate that the iPhone likes. See the Apple documentation for more information. But... if you use the certificate creation scripts that come with the server, it will work. Alan DeKok.
participants (2)
-
Alan DeKok -
Mankomal Singh