eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA
Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 22.04) to perform either EAP-TLS and EAP-PEAP MSCHAPv2. I need MSCHAPv2 as alternative configuration for Android 11 devices because we are experiencing the deletion of client certificates and I'm not understand why this issue happens. The EAP-TLS configuration works fine with self signed CA and client certs signed by our private CA (except for Android 11 devices as I said). Below are the logs when I try to connect to Freeradius using MSCHAPv2 (I enabled "bob" user): (6) Received Access-Request Id 194 from 172.31.190.2:32773 to 172.31.189.84:1812 length 291 (6) User-Name = "bob" (6) Chargeable-User-Identity = 0x00 (6) Location-Capable = Civic-Location (6) Calling-Station-Id = "9a-8b-7b-d9-b0-cd" (6) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (6) NAS-Port = 1 (6) Cisco-AVPair = "audit-session-id=ac1fc7020000006765980031" (6) Acct-Session-Id = "65980031/9a:8b:7b:d9:b0:cd/108" (6) NAS-IP-Address = 172.31.190.2 (6) NAS-Identifier = "Cisco_b8:24:65" (6) Airespace-Wlan-Id = 2 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) Tunnel-Type:0 = VLAN (6) Tunnel-Medium-Type:0 = IEEE-802 (6) Tunnel-Private-Group-Id:0 = "190" (6) EAP-Message = 0x0207001119800000000715030300020230 (6) State = 0xc9ea21cfcced38f11a447042a250057a (6) Message-Authenticator = 0xc33e5f6f8276b61b9ab132b4687b2bdb (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (6) authorize { (6) [preprocess] = ok (6) eap: Peer sent EAP Response (code 2) ID 7 length 17 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (6) authenticate { (6) eap: Expiring EAP session with state 0xc9ea21cfcced38f1 (6) eap: Finished EAP session with state 0xc9ea21cfcced38f1 (6) eap: Previous EAP request found for state 0xc9ea21cfcced38f1, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 7 bytes (6) eap_peap: (TLS) EAP Got all data (7 bytes) (6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca (6) eap_peap: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA. (6) eap_peap: ERROR: (TLS) Alert read:fatal:unknown CA tls: Removing session f3cdb8967121c0da520898ab8e5f39f803d24f44133c7ba63a4cbfb0ea161412 from the cache tls: Could not remove persisted session file /var/log/freeradius/tlscache/f3cdb8967121c0da520898ab8e5f39f803d24f44133c7ba63a4cbfb0ea161412.asn1: Permission denied (6) eap_peap: (TLS) Server : Need to read more data: error (6) eap_peap: ERROR: (TLS) Failed reading from OpenSSL: error:0A000418:SSL routines::tlsv1 alert unknown ca (6) eap_peap: (TLS) In Handshake Phase (6) eap_peap: (TLS) Application data. (6) eap_peap: ERROR: (TLS) Cannot continue, as the peer is misbehaving. (6) eap_peap: ERROR: [eaptls process] = fail (6) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (6) eap: Sending EAP Failure (code 4) ID 7 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> bob (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) } # Post-Auth-Type REJECT = updated (6) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (6) Sending delayed response (6) Sent Access-Reject Id 194 from 172.31.189.84:1812 to 172.31.190.2:32773 length 44 (6) EAP-Message = 0x04070004 (6) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 188 with timestamp +10 due to cleanup_delay was reached (1) Cleaning up request packet ID 189 with timestamp +10 due to cleanup_delay was reached (2) Cleaning up request packet ID 190 with timestamp +10 due to cleanup_delay was reached (3) Cleaning up request packet ID 191 with timestamp +10 due to cleanup_delay was reached (4) Cleaning up request packet ID 192 with timestamp +10 due to cleanup_delay was reached (5) Cleaning up request packet ID 193 with timestamp +10 due to cleanup_delay was reached (6) Cleaning up request packet ID 194 with timestamp +10 due to cleanup_delay was reached Ready to process requests Thanks and best regards. Dario Barbon
On Jan 5, 2024, at 8:57 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 22.04) to perform either EAP-TLS and EAP-PEAP MSCHAPv2. I need MSCHAPv2 as alternative configuration for Android 11 devices because we are experiencing the deletion of client certificates and I'm not understand why this issue happens.
I'm not sure what you mean by "deletion of client certificates". FreeRADIUS doesn't delete certificate. Use devices don't delete certificates. My guess is something else is going wrong.
The EAP-TLS configuration works fine with self signed CA and client certs signed by our private CA (except for Android 11 devices as I said).
But it doesn't work with *what* kind of certificates? You're not saying. If you want to get help with something going wrong, it's usually good to explain what you were doing, and what went wrong. It doesn't help to say "I did a bunch of things which worked, but I'm not going to explain what I did when things didn't work".
Below are the logs when I try to connect to Freeradius using MSCHAPv2 (I enabled "bob" user):
(6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca (6) eap_peap: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA.
That seems pretty clear. This has nothing to do with client certificates. Alan DeKok.
Hi Alan, thanks for your answer (sorry for previous bad explanation of the question). My production Freeradius server is configured to perform EAP-TLS; I created private CA, server certificate and client certificates. All certificates are stored inside freeradius/certs directory. Below the production mods-available/eap file : eap { default_eap_type = tls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = "mypasswordhere" private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem ca_path = ${cadir} ca_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom cipher_list = "HIGH" make_cert_command = "${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no # Optionally enable lifetime = 24 # hours max_entries = 255 } verify { tmpdir = /tmp/radiusd client = "/usr/bin/openssl verify -CAfile ${..ca_file} %{TLS-Client-Cert-Filename}" } ocsp { enable = no # optionally enable override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } } and the production virtual server file (sites-enabled/tlcamb-tag): server { # Server listen { ipaddr = * port = 1812 type = auth } # Authorization. First preprocess (hints and huntgroups files), authorize { preprocess # # This module takes care of EAP-MSCHAPv2 authentication. # # It also sets the EAP-Type attribute in the request # attribute list to the EAP type from the packet. # # The example below uses module failover to avoid querying all # of the following modules if the EAP module returns "ok". # Therefore, your LDAP and/or SQL servers will not be queried # for the many packets that go back and forth to set up TTLS # or PEAP. The load on those servers will therefore be redu eap { ok = return } expiration logintime } # Authentication. # authenticate { # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # Allow EAP authentication. eap } preacct { preprocess acct_unique suffix files } accounting { detail # unix radutmp # exec attr_filter.accounting_response } session { radutmp } # Post-Authentication # post-auth { # # Access-Reject packets are sent through the REJECT sub-section of the # post-auth section. # # Add the ldap module name (or instance) if you have set # 'edir_account_policy_check = yes' in the ldap module configuration # Post-Auth-Type REJECT { attr_filter.access_reject } } # # pre-proxy { } # # When the server receives a reply to a request it proxied # to a home server, the request may be massaged here, in the # post-proxy stage. # post-proxy { # If you want to have a log of replies from a home server, # un-comment the following line, and the 'detail post_proxy_log' # section, above. # post_proxy_log # Uncomment the following line if you want to filter replies from # remote proxies based on the rules defined in the 'attrs' file. # attr_filter.post-proxy # # If you are proxying LEAP, you MUST configure the EAP # module, and you MUST list it here, in the post-proxy # stage. # # You MUST also use the 'nostrip' option in the 'realm' # configuration. Otherwise, the User-Name attribute # in the proxied request will not match the user name # hidden inside of the EAP packet, and the end server will # reject the EAP request. # eap } } With this configuration in place I can connect to enterprise WiFi from Android devices. But very often only Android 11 devices (I don't really know why) "losts" client certificates. The installed certificates get removed from the device itself (often when the device get out of WiFi range for one hour or more). So, to address this problem, I'm trying to add MSCHAPv2 and I updated eap file adding peap directives as follows: peap { tls = tls-common default_eap_type = mschapv2 virtual_server = "inner-tunnel" } and I enabled inner-tunnel virtual server (without changing nothing inside the default inner-tunnel file). With the updated configuration in place I continue to successfully connect to WiFi using EAP-TLS while if I try MSCHAPv2 I cannot connect. I configured Android WiFi profile as follows: EAP Method: PEAP Phase 2 authentication: MSCHAPv2 CA Certificate: use system certificates Online certificate status: do not validate Domain: I'm using the value of the commonName field of CA config file Identity: bob (the test user inside freeradius/users file) Password: whatever Please take note that the lost client certificate issue affects only Android 11 devices; different OS versions aren't affected. Thanks and best regards. Dario Barbon Il 05/01/2024 15:08, Alan DeKok ha scritto:
On Jan 5, 2024, at 8:57 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 22.04) to perform either EAP-TLS and EAP-PEAP MSCHAPv2. I need MSCHAPv2 as alternative configuration for Android 11 devices because we are experiencing the deletion of client certificates and I'm not understand why this issue happens. I'm not sure what you mean by "deletion of client certificates". FreeRADIUS doesn't delete certificate. Use devices don't delete certificates. My guess is something else is going wrong.
The EAP-TLS configuration works fine with self signed CA and client certs signed by our private CA (except for Android 11 devices as I said). But it doesn't work with *what* kind of certificates? You're not saying.
If you want to get help with something going wrong, it's usually good to explain what you were doing, and what went wrong. It doesn't help to say "I did a bunch of things which worked, but I'm not going to explain what I did when things didn't work".
Below are the logs when I try to connect to Freeradius using MSCHAPv2 (I enabled "bob" user): (6) eap_peap: (TLS) recv TLS 1.2 Alert, fatal unknown_ca (6) eap_peap: (TLS) The client is informing us that it does not recognize the CA used to issue the server certificate. Please update the client so that it knows about the CA. That seems pretty clear.
This has nothing to do with client certificates.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 5, 2024, at 10:09 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
My production Freeradius server is configured to perform EAP-TLS; I created private CA, server certificate and client certificates. All certificates are stored inside freeradius/certs directory. Below the production mods-available/eap file :
http://wiki.freeradius.org/list-help We don't need to see the configuration files. It doesn't help.
and the production virtual server file (sites-enabled/tlcamb-tag):
You're trying to debug the supplicant by looking at the server configuration. That's not a good idea.
With this configuration in place I can connect to enterprise WiFi from Android devices. But very often only Android 11 devices (I don't really know why) "losts" client certificates. The installed certificates get removed from the device itself (often when the device get out of WiFi range for one hour or more). So, to address this problem, I'm trying to add MSCHAPv2 and I updated eap file adding peap directives as follows:
I would be very surprised if Android devices deleted their client certificates. That's pathologically bad behavior. What does the debug output show for a system which has "lost" it's client certificate?\
With the updated configuration in place I continue to successfully connect to WiFi using EAP-TLS while if I try MSCHAPv2 I cannot connect. ]
And the debug output says... what? If it says "unknown CA", I already explained what the problem is, and what needs to be done to fix it.
I configured Android WiFi profile as follows:
EAP Method: PEAP Phase 2 authentication: MSCHAPv2 CA Certificate: use system certificates
Perhaps that's the issue. As I said, you have to configure the supplicant with the CA used to generate the server certificate.
Online certificate status: do not validate
That field is likely being ignored.
Domain: I'm using the value of the commonName field of CA config file Identity: bob (the test user inside freeradius/users file) Password: whatever
Please take note that the lost client certificate issue affects only Android 11 devices; different OS versions aren't affected.
So it's an android issue. Looking at the FreeRADIUS configuration won't help. Configure the Android systems with the server CA as I said before. Run the server in debug mode to see what happens. Don't post configuration files to the list. Alan DeKok.
Hi Alan, thanks for your patience. Il 05/01/2024 16:18, Alan DeKok ha scritto:
And the debug output says... what? If it says "unknown CA", I already explained what the problem is, and what needs to be done to fix it. Perhaps that's the issue. As I said, you have to configure the supplicant with the CA used to generate the server certificate.
I installed the CA certificate and collected the entire log file content: FreeRADIUS Version 3.2.3 Copyright (C) 1999-2022 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/pap including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/totp including configuration file /etc/freeradius/mods-enabled/date including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/files including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/cui including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/abfab-tr including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/rfc7542 including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/debug including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/policy.d/canonicalization including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/tlcamb-tag main { security { user = "operatore" group = "operatore" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { nonblock = no ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client TLC_TAG-MGT { ipaddr = 172.31.190.2 require_message_authenticator = yes secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loading module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8 # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/mods-enabled/digest # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_totp # Loading module "totp" from file /etc/freeradius/mods-enabled/totp # Loaded module rlm_date # Loading module "date" from file /etc/freeradius/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loading module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" } instantiate { } # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = yes lifetime = 24 max_entries = 255 persist_dir = "/var/log/freeradius/tlscache" } verify { skip_if_ocsp_ok = no tmpdir = "/tmp/radiusd" client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/coa # Instantiating module "files" from file /etc/freeradius/mods-enabled/files reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/sites-enabled/tlcamb-tag # Loading authenticate {...} Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:366 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 1812 } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 Listening on proxy address * port 37457 Ready to process requests (0) Received Access-Request Id 189 from 172.31.190.2:32768 to 172.31.189.84:1812 length 264 (0) User-Name = "bob" (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civic-Location (0) Calling-Station-Id = "18-d6-1c-41-10-58" (0) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (0) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (0) NAS-IP-Address = 172.31.190.2 (0) NAS-Identifier = "Cisco_b8:24:65" (0) Airespace-Wlan-Id = 2 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "190" (0) EAP-Message = 0x0201000801626f62 (0) Message-Authenticator = 0xa56b69482431dd25cd2eadfa730aab04 (0) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (0) authorize { (0) [preprocess] = ok (0) eap: Peer sent EAP Response (code 2) ID 1 length 8 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 2 length 6 (0) eap: EAP session adding &reply:State = 0x0d11b4170d13b92d (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 189 from 172.31.189.84:1812 to 172.31.190.2:32768 length 64 (0) EAP-Message = 0x010200060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x0d11b4170d13b92d61b96bcf376c045f (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 190 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (1) User-Name = "bob" (1) Chargeable-User-Identity = 0x00 (1) Location-Capable = Civic-Location (1) Calling-Station-Id = "18-d6-1c-41-10-58" (1) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (1) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (1) NAS-IP-Address = 172.31.190.2 (1) NAS-Identifier = "Cisco_b8:24:65" (1) Airespace-Wlan-Id = 2 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "190" (1) EAP-Message = 0x020200060319 (1) State = 0x0d11b4170d13b92d61b96bcf376c045f (1) Message-Authenticator = 0xdafc0b1348fcef4df99c152593fa1d99 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (1) authorize { (1) [preprocess] = ok (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (1) authenticate { (1) eap: Expiring EAP session with state 0x0d11b4170d13b92d (1) eap: Finished EAP session with state 0x0d11b4170d13b92d (1) eap: Previous EAP request found for state 0x0d11b4170d13b92d, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Found mutually acceptable type PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: (TLS) Initiating new session (1) eap: Sending EAP Request (code 1) ID 3 length 6 (1) eap: EAP session adding &reply:State = 0x0d11b4170c12ad2d (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (1) session-state: Saving cached attributes (1) Framed-MTU = 994 (1) Sent Access-Challenge Id 190 from 172.31.189.84:1812 to 172.31.190.2:32768 length 64 (1) EAP-Message = 0x010300061920 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x0d11b4170c12ad2d61b96bcf376c045f (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 191 from 172.31.190.2:32768 to 172.31.189.84:1812 length 415 (2) User-Name = "bob" (2) Chargeable-User-Identity = 0x00 (2) Location-Capable = Civic-Location (2) Calling-Station-Id = "18-d6-1c-41-10-58" (2) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (2) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (2) NAS-IP-Address = 172.31.190.2 (2) NAS-Identifier = "Cisco_b8:24:65" (2) Airespace-Wlan-Id = 2 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "190" (2) EAP-Message = 0x0203008d198000000083160301007e0100007a0303c6f301ce926ca1685ce0dbfb51a89f6b48740f866852288de095da1412a88e4d00001ec02bc02fc02cc030cca9cca8c009c013c00ac014009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b00020100000d00140012040308040401050308050501080606010201 (2) State = 0x0d11b4170c12ad2d61b96bcf376c045f (2) Message-Authenticator = 0xb18c0203b47bef6e6a99f6d2e3a6ac5b (2) Restoring &session-state (2) &session-state:Framed-MTU = 994 (2) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (2) authorize { (2) [preprocess] = ok (2) eap: Peer sent EAP Response (code 2) ID 3 length 141 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (2) authenticate { (2) eap: Expiring EAP session with state 0x0d11b4170c12ad2d (2) eap: Finished EAP session with state 0x0d11b4170c12ad2d (2) eap: Previous EAP request found for state 0x0d11b4170c12ad2d, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: (TLS) EAP Peer says that the final record size will be 131 bytes (2) eap_peap: (TLS) EAP Got all data (131 bytes) (2) eap_peap: (TLS) Handshake state - before SSL initialization (2) eap_peap: (TLS) Handshake state - Server before SSL initialization (2) eap_peap: (TLS) Handshake state - Server before SSL initialization (2) eap_peap: (TLS) recv TLS 1.3 Handshake, ClientHello (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client hello (2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHello (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server hello (2) eap_peap: (TLS) send TLS 1.2 Handshake, Certificate (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write certificate (2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerKeyExchange (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write key exchange (2) eap_peap: (TLS) send TLS 1.2 Handshake, ServerHelloDone (2) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (2) eap_peap: (TLS) Server : Need to read more data: SSLv3/TLS write server done (2) eap_peap: (TLS) In Handshake Phase (2) eap: Sending EAP Request (code 1) ID 4 length 1004 (2) eap: EAP session adding &reply:State = 0x0d11b4170f15ad2d (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) Post-Auth-Type sub-section not found. Ignoring. (2) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (2) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (2) Sent Access-Challenge Id 191 from 172.31.189.84:1812 to 172.31.190.2:32768 length 1068 (2) EAP-Message = 0x010403ec19c000000f51160303005d0200005903034697e31c9d3ed5476528a2994019a712aefd733e4c0b775b0ea9c7687ad6237f2028598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffdc02f000011ff01000100000b000403000102001700001603030c8f0b000c8b000c880005bd308205b9308203a1a003020102020101300d06092a864886f70d01010b0500308180310b3009060355040613024954310e300c06035504080c054974616c793110300e06035504070c07426f6c6f676e61310d300b060355040a0c04486572613121301f06092a864886f70d0109011612696e666f4067727570706f686572612e6974311d301b06035504030c144865726120436572747320417574686f72697479301e170d3231303930363133353235315a170d3236303930353133353235315a306e310b3009060355040613024954310e300c06035504080c054974616c79310d300b060355040a0c0448657261311d301b06035504030c1448 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x0d11b4170f15ad2d61b96bcf376c045f (2) Finished request Waking up in 4.9 seconds. (3) Received Access-Request Id 192 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (3) User-Name = "bob" (3) Chargeable-User-Identity = 0x00 (3) Location-Capable = Civic-Location (3) Calling-Station-Id = "18-d6-1c-41-10-58" (3) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (3) NAS-Port = 1 (3) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (3) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (3) NAS-IP-Address = 172.31.190.2 (3) NAS-Identifier = "Cisco_b8:24:65" (3) Airespace-Wlan-Id = 2 (3) Service-Type = Framed-User (3) Framed-MTU = 1300 (3) NAS-Port-Type = Wireless-802.11 (3) Tunnel-Type:0 = VLAN (3) Tunnel-Medium-Type:0 = IEEE-802 (3) Tunnel-Private-Group-Id:0 = "190" (3) EAP-Message = 0x020400061900 (3) State = 0x0d11b4170f15ad2d61b96bcf376c045f (3) Message-Authenticator = 0xd9637685761ab785243b786f07806ea7 (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (3) authorize { (3) [preprocess] = ok (3) eap: Peer sent EAP Response (code 2) ID 4 length 6 (3) eap: Continuing tunnel setup (3) [eap] = ok (3) } # authorize = ok (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (3) authenticate { (3) eap: Expiring EAP session with state 0x0d11b4170f15ad2d (3) eap: Finished EAP session with state 0x0d11b4170f15ad2d (3) eap: Previous EAP request found for state 0x0d11b4170f15ad2d, released from the list (3) eap: Peer sent packet with method EAP PEAP (25) (3) eap: Calling submodule eap_peap to process data (3) eap_peap: (TLS) Peer ACKed our handshake fragment (3) eap: Sending EAP Request (code 1) ID 5 length 1000 (3) eap: EAP session adding &reply:State = 0x0d11b4170e14ad2d (3) [eap] = handled (3) } # authenticate = handled (3) Using Post-Auth-Type Challenge (3) Post-Auth-Type sub-section not found. Ignoring. (3) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (3) session-state: Saving cached attributes (3) Framed-MTU = 994 (3) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (3) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (3) Sent Access-Challenge Id 192 from 172.31.189.84:1812 to 172.31.190.2:32768 length 1064 (3) EAP-Message = 0x010503e8194030360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e636f6d2f6578616d706c655f63612e63726c300d06092a864886f70d01010b05000382020100588bcf7067b77ccd6bd129f2e9263cf44ba44823c27e888a96039ade1440214f5df9720bc4d10e9daa2f2dd2ddcfb8e36c9686b973caecc8237e0207b69fec20e4a03a39c4d4c72ee30d4f929ac5d70193b4892111be9b37c5540460cedcfe078afee6ffb1ba0da5cab1ff5dc8e6fb267beb9363b0efdfc924dad63fb1b305d886db8a130aa38686fca067f42dab1fa9afee20bb35775cb4fe8309842a9e215219a788cc64c2a0bd425c928c1bddd59ba07ebf66c568df15d104a562d53f1b3b5ca970403c39d75ecc88c07c2a888f909831f7abfeb9fff77bb8e70f800345f7967144d3f2227f8562c5cdb23f3f961b6c47ca485bb344d0058dcb8d986cfc50f31af456208b6bfc0e6fff8e028d2c90e6850d5fd1acf0c2bc65fb983a7a04429c48884933 (3) Message-Authenticator = 0x00000000000000000000000000000000 (3) State = 0x0d11b4170e14ad2d61b96bcf376c045f (3) Finished request Waking up in 4.9 seconds. (4) Received Access-Request Id 193 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (4) User-Name = "bob" (4) Chargeable-User-Identity = 0x00 (4) Location-Capable = Civic-Location (4) Calling-Station-Id = "18-d6-1c-41-10-58" (4) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (4) NAS-Port = 1 (4) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (4) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (4) NAS-IP-Address = 172.31.190.2 (4) NAS-Identifier = "Cisco_b8:24:65" (4) Airespace-Wlan-Id = 2 (4) Service-Type = Framed-User (4) Framed-MTU = 1300 (4) NAS-Port-Type = Wireless-802.11 (4) Tunnel-Type:0 = VLAN (4) Tunnel-Medium-Type:0 = IEEE-802 (4) Tunnel-Private-Group-Id:0 = "190" (4) EAP-Message = 0x020500061900 (4) State = 0x0d11b4170e14ad2d61b96bcf376c045f (4) Message-Authenticator = 0xda41e2480443e88f2b6b4f53deb52a66 (4) Restoring &session-state (4) &session-state:Framed-MTU = 994 (4) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (4) authorize { (4) [preprocess] = ok (4) eap: Peer sent EAP Response (code 2) ID 5 length 6 (4) eap: Continuing tunnel setup (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (4) authenticate { (4) eap: Expiring EAP session with state 0x0d11b4170e14ad2d (4) eap: Finished EAP session with state 0x0d11b4170e14ad2d (4) eap: Previous EAP request found for state 0x0d11b4170e14ad2d, released from the list (4) eap: Peer sent packet with method EAP PEAP (25) (4) eap: Calling submodule eap_peap to process data (4) eap_peap: (TLS) Peer ACKed our handshake fragment (4) eap: Sending EAP Request (code 1) ID 6 length 1000 (4) eap: EAP session adding &reply:State = 0x0d11b4170917ad2d (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) Post-Auth-Type sub-section not found. Ignoring. (4) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (4) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (4) Sent Access-Challenge Id 193 from 172.31.189.84:1812 to 172.31.190.2:32768 length 1064 (4) EAP-Message = 0x010603e8194031f42cbf128be2e450c87719ec8b0b64c119a678567fcebbc306d36b97beb57985fec99fcc76d40a472d0a5e87cf8a059de7ab132fd531d5da43c671a4ab7aa5bd781b78b911488d0e1aba088f95e3b3dc610fd8e9659fad7a4fbe8205d193eaf616c20c47529d2cb7ea539e974e445e362854a1dddcd39b7dfdb1649ba2a59b9fde6f3967fc776c14715f6c6fc75bf1d3e4bff0b0939c997509ad3e811b706d2688210c27fbbc0750f4a8017dbc776e0cf2c744d45ef4a20731d661ca118612c96fa492ce73341078ae543538c6598dd98692d369581fcd723746c834edc6df3ca41f243a253bd1564b69240e63d89eb6b7bced3d39d6587f7893c054519e89932120d3c945918e2a3c8964537e48fa20b0ff7e2043d5da742ade20ba920856270afc852a45fb4834d7cf7644f9a2c8d1a29436a1857b48e763a68f8598bd3daa5d17a93038da33a18256d14a840584f1fbc20c29c57c2d31b7538aea58e23193c2d7a8fa3205b6fb4e10b9db21d1d7bd (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x0d11b4170917ad2d61b96bcf376c045f (4) Finished request Waking up in 4.9 seconds. (5) Received Access-Request Id 194 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (5) User-Name = "bob" (5) Chargeable-User-Identity = 0x00 (5) Location-Capable = Civic-Location (5) Calling-Station-Id = "18-d6-1c-41-10-58" (5) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (5) NAS-Port = 1 (5) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (5) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (5) NAS-IP-Address = 172.31.190.2 (5) NAS-Identifier = "Cisco_b8:24:65" (5) Airespace-Wlan-Id = 2 (5) Service-Type = Framed-User (5) Framed-MTU = 1300 (5) NAS-Port-Type = Wireless-802.11 (5) Tunnel-Type:0 = VLAN (5) Tunnel-Medium-Type:0 = IEEE-802 (5) Tunnel-Private-Group-Id:0 = "190" (5) EAP-Message = 0x020600061900 (5) State = 0x0d11b4170917ad2d61b96bcf376c045f (5) Message-Authenticator = 0x88618a00d2590eec642ecbc9d69420b8 (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (5) authorize { (5) [preprocess] = ok (5) eap: Peer sent EAP Response (code 2) ID 6 length 6 (5) eap: Continuing tunnel setup (5) [eap] = ok (5) } # authorize = ok (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (5) authenticate { (5) eap: Expiring EAP session with state 0x0d11b4170917ad2d (5) eap: Finished EAP session with state 0x0d11b4170917ad2d (5) eap: Previous EAP request found for state 0x0d11b4170917ad2d, released from the list (5) eap: Peer sent packet with method EAP PEAP (25) (5) eap: Calling submodule eap_peap to process data (5) eap_peap: (TLS) Peer ACKed our handshake fragment (5) eap: Sending EAP Request (code 1) ID 7 length 945 (5) eap: EAP session adding &reply:State = 0x0d11b4170816ad2d (5) [eap] = handled (5) } # authenticate = handled (5) Using Post-Auth-Type Challenge (5) Post-Auth-Type sub-section not found. Ignoring. (5) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (5) session-state: Saving cached attributes (5) Framed-MTU = 994 (5) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (5) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (5) Sent Access-Challenge Id 194 from 172.31.189.84:1812 to 172.31.190.2:32768 length 1009 (5) EAP-Message = 0x010703b11900e29ef689daa944195ebb62f6184cb3f10c02fe6efd6890cd9625bc41865c94da0d7db79e4dc977e743f77d40f614bef67d08fa1226c65a5b45d64dc9af587a21e7035dd49c5bf0ad7a18d82d57d31cd0d4363e98f61d95e1cce2fde1b9bf43d8c53643b00aeb8cf16a9a9321ea12cde84749dddb554a3236551178387170c50b5a7203ec6a5b6822b2c6a2a8044bdab0d9837b3c52ccbd0abbbc770f174249fbfc8c0c7bbf67a1f77e843eaeca88b528617e3f6285b229ef10a45b91219c78e18a3ee8fc6ad495241f37c64d6f87bf765a7a6b5fff8aa6198525ae057bc0fb6fa7124e727eee271be01cadeacd99710c95925cd6ca8a1bfb86e29b9128965930a33527e505bdb845932b6ec1b8f224d675205acd24a147bcc6fe0aeae4828b62c1a089abe5cdffdf75db21c4961984aa080505fc895c15504bd534de75974d6113ee1b5415527afd4ee42da8e8f0d094160303024d0c00024903001741043696db9d6e80ad5efe19d2ba77ae1d11f957f1 (5) Message-Authenticator = 0x00000000000000000000000000000000 (5) State = 0x0d11b4170816ad2d61b96bcf376c045f (5) Finished request Waking up in 4.9 seconds. (6) Received Access-Request Id 195 from 172.31.190.2:32768 to 172.31.189.84:1812 length 410 (6) User-Name = "bob" (6) Chargeable-User-Identity = 0x00 (6) Location-Capable = Civic-Location (6) Calling-Station-Id = "18-d6-1c-41-10-58" (6) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (6) NAS-Port = 1 (6) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (6) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (6) NAS-IP-Address = 172.31.190.2 (6) NAS-Identifier = "Cisco_b8:24:65" (6) Airespace-Wlan-Id = 2 (6) Service-Type = Framed-User (6) Framed-MTU = 1300 (6) NAS-Port-Type = Wireless-802.11 (6) Tunnel-Type:0 = VLAN (6) Tunnel-Medium-Type:0 = IEEE-802 (6) Tunnel-Private-Group-Id:0 = "190" (6) EAP-Message = 0x0207008819800000007e1603030046100000424104cd6bd7736158e470412015bb2ee5d346ada0a894992b3fa07f11e4c8ba7ba47b903aac71b564046e6972f93ec26bc1b29e67521e3970bc41d3bbf64ce9c424bd14030300010116030300280000000000000000a751777235b7701fd317e3496e0be3c062459dada4c49205c6e24f00fb0ffed7 (6) State = 0x0d11b4170816ad2d61b96bcf376c045f (6) Message-Authenticator = 0x9cf7a7b14313231804a56cdab9d7500a (6) Restoring &session-state (6) &session-state:Framed-MTU = 994 (6) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (6) authorize { (6) [preprocess] = ok (6) eap: Peer sent EAP Response (code 2) ID 7 length 136 (6) eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (6) authenticate { (6) eap: Expiring EAP session with state 0x0d11b4170816ad2d (6) eap: Finished EAP session with state 0x0d11b4170816ad2d (6) eap: Previous EAP request found for state 0x0d11b4170816ad2d, released from the list (6) eap: Peer sent packet with method EAP PEAP (25) (6) eap: Calling submodule eap_peap to process data (6) eap_peap: (TLS) EAP Peer says that the final record size will be 126 bytes (6) eap_peap: (TLS) EAP Got all data (126 bytes) (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write server done (6) eap_peap: (TLS) recv TLS 1.2 Handshake, ClientKeyExchange (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read client key exchange (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read change cipher spec (6) eap_peap: (TLS) recv TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS read finished (6) eap_peap: (TLS) send TLS 1.2 ChangeCipherSpec (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write change cipher spec (6) eap_peap: (TLS) send TLS 1.2 Handshake, Finished (6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (6) eap_peap: Serialising session 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd, and storing in cache (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied (6) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 8 length 57 (6) eap: EAP session adding &reply:State = 0x0d11b4170b19ad2d (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 195 from 172.31.189.84:1812 to 172.31.190.2:32768 length 115 (6) EAP-Message = 0x0108003919001403030001011603030028bbbeaeb45ef65e6016f7876f98fea4df4b8d349a44428864b8e4073deecc9d9fbf3c637baf2060ea (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x0d11b4170b19ad2d61b96bcf376c045f (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 196 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (7) User-Name = "bob" (7) Chargeable-User-Identity = 0x00 (7) Location-Capable = Civic-Location (7) Calling-Station-Id = "18-d6-1c-41-10-58" (7) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (7) NAS-Port = 1 (7) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (7) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (7) NAS-IP-Address = 172.31.190.2 (7) NAS-Identifier = "Cisco_b8:24:65" (7) Airespace-Wlan-Id = 2 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = "190" (7) EAP-Message = 0x020800061900 (7) State = 0x0d11b4170b19ad2d61b96bcf376c045f (7) Message-Authenticator = 0xd401e5af0b9a419fdaf417106d38614e (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (7) authorize { (7) [preprocess] = ok (7) eap: Peer sent EAP Response (code 2) ID 8 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (7) authenticate { (7) eap: Expiring EAP session with state 0x0d11b4170b19ad2d (7) eap: Finished EAP session with state 0x0d11b4170b19ad2d (7) eap: Previous EAP request found for state 0x0d11b4170b19ad2d, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 9 length 40 (7) eap: EAP session adding &reply:State = 0x0d11b4170a18ad2d (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 196 from 172.31.189.84:1812 to 172.31.190.2:32768 length 98 (7) EAP-Message = 0x010900281900170303001dbbbeaeb45ef65e6162b484726759166336c75ee2efa33fd3ef9823735f (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x0d11b4170a18ad2d61b96bcf376c045f (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 197 from 172.31.190.2:32768 to 172.31.189.84:1812 length 313 (8) User-Name = "bob" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civic-Location (8) Calling-Station-Id = "18-d6-1c-41-10-58" (8) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (8) NAS-Port = 1 (8) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (8) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (8) NAS-IP-Address = 172.31.190.2 (8) NAS-Identifier = "Cisco_b8:24:65" (8) Airespace-Wlan-Id = 2 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "190" (8) EAP-Message = 0x020900271900170303001c00000000000000010bfbfbf16742525071bfbbf45c50d4d0b12b3334 (8) State = 0x0d11b4170a18ad2d61b96bcf376c045f (8) Message-Authenticator = 0x63b9cf54b21cfa3f30bd43a45677d8e4 (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (8) authorize { (8) [preprocess] = ok (8) eap: Peer sent EAP Response (code 2) ID 9 length 39 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (8) authenticate { (8) eap: Expiring EAP session with state 0x0d11b4170a18ad2d (8) eap: Finished EAP session with state 0x0d11b4170a18ad2d (8) eap: Previous EAP request found for state 0x0d11b4170a18ad2d, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - bob (8) eap_peap: Got inner identity 'bob' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0209000801626f62 (8) eap_peap: Setting User-Name to bob (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0209000801626f62 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "bob" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0209000801626f62 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "bob" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 8 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> bob (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap: Tried to start unsupported EAP type MSCHAPv2 (26)' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x04090004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: EAP-Message = 0x04090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: EAP-Message = 0x04090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE (8) eap: Sending EAP Request (code 1) ID 10 length 46 (8) eap: EAP session adding &reply:State = 0x0d11b417051bad2d (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (8) session-state: Saving cached attributes (8) Framed-MTU = 994 (8) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) TLS-Session-Version = "TLS 1.2" (8) Module-Failure-Message := "eap: Tried to start unsupported EAP type MSCHAPv2 (26)" (8) Sent Access-Challenge Id 197 from 172.31.189.84:1812 to 172.31.190.2:32768 length 104 (8) EAP-Message = 0x010a002e19001703030023bbbeaeb45ef65e627aa4bccaa2c60861939a0f335e061557fc95843a2eae5411d60d14 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0x0d11b417051bad2d61b96bcf376c045f (8) Finished request Waking up in 4.9 seconds. (9) Received Access-Request Id 198 from 172.31.190.2:32768 to 172.31.189.84:1812 length 320 (9) User-Name = "bob" (9) Chargeable-User-Identity = 0x00 (9) Location-Capable = Civic-Location (9) Calling-Station-Id = "18-d6-1c-41-10-58" (9) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (9) NAS-Port = 1 (9) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (9) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (9) NAS-IP-Address = 172.31.190.2 (9) NAS-Identifier = "Cisco_b8:24:65" (9) Airespace-Wlan-Id = 2 (9) Service-Type = Framed-User (9) Framed-MTU = 1300 (9) NAS-Port-Type = Wireless-802.11 (9) Tunnel-Type:0 = VLAN (9) Tunnel-Medium-Type:0 = IEEE-802 (9) Tunnel-Private-Group-Id:0 = "190" (9) EAP-Message = 0x020a002e19001703030023000000000000000223f50c731b3798307fe0fc5cd61bc2d2aa1749c703090f7b0ad738 (9) State = 0x0d11b417051bad2d61b96bcf376c045f (9) Message-Authenticator = 0xb22fcc0660d918d2885cd2e8a99b32f2 (9) Restoring &session-state (9) &session-state:Framed-MTU = 994 (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (9) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (9) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (9) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (9) &session-state:TLS-Session-Version = "TLS 1.2" (9) &session-state:Module-Failure-Message := "eap: Tried to start unsupported EAP type MSCHAPv2 (26)" (9) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (9) authorize { (9) [preprocess] = ok (9) eap: Peer sent EAP Response (code 2) ID 10 length 46 (9) eap: Continuing tunnel setup (9) [eap] = ok (9) } # authorize = ok (9) Found Auth-Type = eap (9) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (9) authenticate { (9) eap: Expiring EAP session with state 0x0d11b417051bad2d (9) eap: Finished EAP session with state 0x0d11b417051bad2d (9) eap: Previous EAP request found for state 0x0d11b417051bad2d, released from the list (9) eap: Peer sent packet with method EAP PEAP (25) (9) eap: Calling submodule eap_peap to process data (9) eap_peap: (TLS) EAP Done initial handshake (9) eap_peap: Session established. Decoding tunneled attributes (9) eap_peap: PEAP state send tlv failure (9) eap_peap: Received EAP-TLV response (9) eap_peap: ERROR: The users session was previously rejected: returning reject (again.) (9) eap_peap: This means you need to read the PREVIOUS messages in the debug output (9) eap_peap: to find out the reason why the user was rejected (9) eap_peap: Look for "reject" or "fail". Those earlier messages will tell you (9) eap_peap: what went wrong, and how to fix the problem tls: Removing session 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd from the cache tls: Could not remove persisted session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied (9) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 10 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> bob (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 198 from 172.31.189.84:1812 to 172.31.190.2:32768 length 44 (9) EAP-Message = 0x040a0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. (0) Cleaning up request packet ID 189 with timestamp +3 due to cleanup_delay was reached (1) Cleaning up request packet ID 190 with timestamp +3 due to cleanup_delay was reached (2) Cleaning up request packet ID 191 with timestamp +3 due to cleanup_delay was reached (3) Cleaning up request packet ID 192 with timestamp +3 due to cleanup_delay was reached (4) Cleaning up request packet ID 193 with timestamp +3 due to cleanup_delay was reached (5) Cleaning up request packet ID 194 with timestamp +3 due to cleanup_delay was reached (6) Cleaning up request packet ID 195 with timestamp +3 due to cleanup_delay was reached (7) Cleaning up request packet ID 196 with timestamp +3 due to cleanup_delay was reached (8) Cleaning up request packet ID 197 with timestamp +3 due to cleanup_delay was reached (9) Cleaning up request packet ID 198 with timestamp +3 due to cleanup_delay was reached Thanks and best regards. Dario Barbon
Dario, you have a server configuration issue:
(6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied
and an eap issue:
(8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject
I don't know if that file permissions issue could cause the invalid eap error but that would be the place that I would start and then look for further eap errors. On Fri, 5 Jan 2024, Dario Barbon wrote:
Hi Alan, thanks for your patience.
Il 05/01/2024 16:18, Alan DeKok ha scritto:
And the debug output says... what? If it says "unknown CA", I already explained what the problem is, and what needs to be done to fix it. Perhaps that's the issue. As I said, you have to configure the supplicant with the CA used to generate the server certificate.
I installed the CA certificate and collected the entire log file content:
[snip..]
(6) eap_peap: (TLS) Handshake state - Server SSLv3/TLS write finished (6) eap_peap: Serialising session 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd, and storing in cache (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied (6) eap_peap: (TLS) Handshake state - SSL negotiation finished successfully (6) eap_peap: (TLS) Connection Established (6) eap_peap: TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) eap_peap: TLS-Session-Version = "TLS 1.2" (6) eap: Sending EAP Request (code 1) ID 8 length 57 (6) eap: EAP session adding &reply:State = 0x0d11b4170b19ad2d (6) [eap] = handled (6) } # authenticate = handled (6) Using Post-Auth-Type Challenge (6) Post-Auth-Type sub-section not found. Ignoring. (6) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (6) session-state: Saving cached attributes (6) Framed-MTU = 994 (6) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (6) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (6) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (6) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (6) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (6) TLS-Session-Version = "TLS 1.2" (6) Sent Access-Challenge Id 195 from 172.31.189.84:1812 to 172.31.190.2:32768 length 115 (6) EAP-Message = 0x0108003919001403030001011603030028bbbeaeb45ef65e6016f7876f98fea4df4b8d349a44428864b8e4073deecc9d9fbf3c637baf2060ea (6) Message-Authenticator = 0x00000000000000000000000000000000 (6) State = 0x0d11b4170b19ad2d61b96bcf376c045f (6) Finished request Waking up in 4.9 seconds. (7) Received Access-Request Id 196 from 172.31.190.2:32768 to 172.31.189.84:1812 length 280 (7) User-Name = "bob" (7) Chargeable-User-Identity = 0x00 (7) Location-Capable = Civic-Location (7) Calling-Station-Id = "18-d6-1c-41-10-58" (7) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (7) NAS-Port = 1 (7) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (7) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (7) NAS-IP-Address = 172.31.190.2 (7) NAS-Identifier = "Cisco_b8:24:65" (7) Airespace-Wlan-Id = 2 (7) Service-Type = Framed-User (7) Framed-MTU = 1300 (7) NAS-Port-Type = Wireless-802.11 (7) Tunnel-Type:0 = VLAN (7) Tunnel-Medium-Type:0 = IEEE-802 (7) Tunnel-Private-Group-Id:0 = "190" (7) EAP-Message = 0x020800061900 (7) State = 0x0d11b4170b19ad2d61b96bcf376c045f (7) Message-Authenticator = 0xd401e5af0b9a419fdaf417106d38614e (7) Restoring &session-state (7) &session-state:Framed-MTU = 994 (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) &session-state:TLS-Session-Version = "TLS 1.2" (7) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (7) authorize { (7) [preprocess] = ok (7) eap: Peer sent EAP Response (code 2) ID 8 length 6 (7) eap: Continuing tunnel setup (7) [eap] = ok (7) } # authorize = ok (7) Found Auth-Type = eap (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (7) authenticate { (7) eap: Expiring EAP session with state 0x0d11b4170b19ad2d (7) eap: Finished EAP session with state 0x0d11b4170b19ad2d (7) eap: Previous EAP request found for state 0x0d11b4170b19ad2d, released from the list (7) eap: Peer sent packet with method EAP PEAP (25) (7) eap: Calling submodule eap_peap to process data (7) eap_peap: (TLS) Peer ACKed our handshake fragment. handshake is finished (7) eap_peap: Session established. Decoding tunneled attributes (7) eap_peap: PEAP state TUNNEL ESTABLISHED (7) eap: Sending EAP Request (code 1) ID 9 length 40 (7) eap: EAP session adding &reply:State = 0x0d11b4170a18ad2d (7) [eap] = handled (7) } # authenticate = handled (7) Using Post-Auth-Type Challenge (7) Post-Auth-Type sub-section not found. Ignoring. (7) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (7) session-state: Saving cached attributes (7) Framed-MTU = 994 (7) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (7) TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (7) TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (7) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (7) TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (7) TLS-Session-Version = "TLS 1.2" (7) Sent Access-Challenge Id 196 from 172.31.189.84:1812 to 172.31.190.2:32768 length 98 (7) EAP-Message = 0x010900281900170303001dbbbeaeb45ef65e6162b484726759166336c75ee2efa33fd3ef9823735f (7) Message-Authenticator = 0x00000000000000000000000000000000 (7) State = 0x0d11b4170a18ad2d61b96bcf376c045f (7) Finished request Waking up in 4.9 seconds. (8) Received Access-Request Id 197 from 172.31.190.2:32768 to 172.31.189.84:1812 length 313 (8) User-Name = "bob" (8) Chargeable-User-Identity = 0x00 (8) Location-Capable = Civic-Location (8) Calling-Station-Id = "18-d6-1c-41-10-58" (8) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (8) NAS-Port = 1 (8) Cisco-AVPair = "audit-session-id=ac1fc7020000007a659828a7" (8) Acct-Session-Id = "659828a7/18:d6:1c:41:10:58/127" (8) NAS-IP-Address = 172.31.190.2 (8) NAS-Identifier = "Cisco_b8:24:65" (8) Airespace-Wlan-Id = 2 (8) Service-Type = Framed-User (8) Framed-MTU = 1300 (8) NAS-Port-Type = Wireless-802.11 (8) Tunnel-Type:0 = VLAN (8) Tunnel-Medium-Type:0 = IEEE-802 (8) Tunnel-Private-Group-Id:0 = "190" (8) EAP-Message = 0x020900271900170303001c00000000000000010bfbfbf16742525071bfbbf45c50d4d0b12b3334 (8) State = 0x0d11b4170a18ad2d61b96bcf376c045f (8) Message-Authenticator = 0x63b9cf54b21cfa3f30bd43a45677d8e4 (8) Restoring &session-state (8) &session-state:Framed-MTU = 994 (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" (8) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" (8) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" (8) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES128-GCM-SHA256" (8) &session-state:TLS-Session-Version = "TLS 1.2" (8) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (8) authorize { (8) [preprocess] = ok (8) eap: Peer sent EAP Response (code 2) ID 9 length 39 (8) eap: Continuing tunnel setup (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (8) authenticate { (8) eap: Expiring EAP session with state 0x0d11b4170a18ad2d (8) eap: Finished EAP session with state 0x0d11b4170a18ad2d (8) eap: Previous EAP request found for state 0x0d11b4170a18ad2d, released from the list (8) eap: Peer sent packet with method EAP PEAP (25) (8) eap: Calling submodule eap_peap to process data (8) eap_peap: (TLS) EAP Done initial handshake (8) eap_peap: Session established. Decoding tunneled attributes (8) eap_peap: PEAP state WAITING FOR INNER IDENTITY (8) eap_peap: Identity - bob (8) eap_peap: Got inner identity 'bob' (8) eap_peap: Setting default EAP type for tunneled EAP session (8) eap_peap: Got tunneled request (8) eap_peap: EAP-Message = 0x0209000801626f62 (8) eap_peap: Setting User-Name to bob (8) eap_peap: Sending tunneled request to inner-tunnel (8) eap_peap: EAP-Message = 0x0209000801626f62 (8) eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 (8) eap_peap: User-Name = "bob" (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x0209000801626f62 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "bob" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 9 length 8 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4 (8) eap: Failed in EAP select (8) [eap] = invalid (8) } # authenticate = invalid (8) Failed to authenticate the user (8) Using Post-Auth-Type Reject (8) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (8) Post-Auth-Type REJECT { (8) attr_filter.access_reject: EXPAND %{User-Name} (8) attr_filter.access_reject: --> bob (8) attr_filter.access_reject: Matched entry DEFAULT at line 11 (8) [attr_filter.access_reject] = updated (8) update outer.session-state { (8) &Module-Failure-Message := &request:Module-Failure-Message -> 'eap: Tried to start unsupported EAP type MSCHAPv2 (26)' (8) } # update outer.session-state = noop (8) } # Post-Auth-Type REJECT = updated (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x04090004 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply code 3 (8) eap_peap: EAP-Message = 0x04090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Got tunneled reply RADIUS code 3 (8) eap_peap: EAP-Message = 0x04090004 (8) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (8) eap_peap: Tunneled authentication was rejected (8) eap_peap: FAILURE [snip..]
Thanks and best regards.
Dario Barbon
-- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St. Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{
On Jan 5, 2024, at 11:25 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
I installed the CA certificate and collected the entire log file content:
This page gives a good overview of what to look for: http://wiki.freeradius.org/radiusd-X Simply lookiing for the word "error" gives you this:
(6) eap_peap: Serialising session 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd, and storing in cache (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied
And looking for more "error" gives you this:
(8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4
You edited the mods-available/eap file, deleted the "mschapv2" configuration, and then tried to do EAP-MSCHAPv2. If you want to use EAP-MSCHAPv2, then enable the mschapv2 EAP configuration. And read the debug output. Honestly. 99% of problems can be solved by just looking for "error" and going "whoops, that message is pretty clear". Alan DeKok.
Hi Alan, I enabled mschapv2 section inside eap file and it works... thanks again for your support. Regarding the source of my problems, I confirm you that Android 11 devices continue to "lost" the installed client certificate: this time I collected the logs as you suggested after the device lost the certificate. FreeRADIUS Version 3.2.3 Copyright (C) 1999-2022 The FreeRADIUS server project and contributors There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License For more information about these matters, see the file named COPYRIGHT Starting - reading configuration files ... including dictionary file /usr/share/freeradius/dictionary including dictionary file /usr/share/freeradius/dictionary.dhcp including dictionary file /usr/share/freeradius/dictionary.vqp including dictionary file /etc/freeradius/dictionary including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/mods-enabled/ including configuration file /etc/freeradius/mods-enabled/always including configuration file /etc/freeradius/mods-enabled/detail.log including configuration file /etc/freeradius/mods-enabled/expiration including configuration file /etc/freeradius/mods-enabled/pap including configuration file /etc/freeradius/mods-enabled/logintime including configuration file /etc/freeradius/mods-enabled/replicate including configuration file /etc/freeradius/mods-enabled/unpack including configuration file /etc/freeradius/mods-enabled/detail including configuration file /etc/freeradius/mods-enabled/echo including configuration file /etc/freeradius/mods-enabled/unix including configuration file /etc/freeradius/mods-enabled/chap including configuration file /etc/freeradius/mods-enabled/radutmp including configuration file /etc/freeradius/mods-enabled/linelog including configuration file /etc/freeradius/mods-enabled/soh including configuration file /etc/freeradius/mods-enabled/dynamic_clients including configuration file /etc/freeradius/mods-enabled/mschap including configuration file /etc/freeradius/mods-enabled/utf8 including configuration file /etc/freeradius/mods-enabled/digest including configuration file /etc/freeradius/mods-enabled/sradutmp including configuration file /etc/freeradius/mods-enabled/realm including configuration file /etc/freeradius/mods-enabled/ntlm_auth including configuration file /etc/freeradius/mods-enabled/eap including configuration file /etc/freeradius/mods-enabled/passwd including configuration file /etc/freeradius/mods-enabled/totp including configuration file /etc/freeradius/mods-enabled/date including configuration file /etc/freeradius/mods-enabled/preprocess including configuration file /etc/freeradius/mods-enabled/attr_filter including configuration file /etc/freeradius/mods-enabled/expr including configuration file /etc/freeradius/mods-enabled/exec including configuration file /etc/freeradius/mods-enabled/files including files in directory /etc/freeradius/policy.d/ including configuration file /etc/freeradius/policy.d/cui including configuration file /etc/freeradius/policy.d/control including configuration file /etc/freeradius/policy.d/abfab-tr including configuration file /etc/freeradius/policy.d/filter including configuration file /etc/freeradius/policy.d/accounting including configuration file /etc/freeradius/policy.d/dhcp including configuration file /etc/freeradius/policy.d/rfc7542 including configuration file /etc/freeradius/policy.d/eap including configuration file /etc/freeradius/policy.d/debug including configuration file /etc/freeradius/policy.d/operator-name including configuration file /etc/freeradius/policy.d/moonshot-targeted-ids including configuration file /etc/freeradius/policy.d/canonicalization including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/tlcamb-tag main { security { user = "operatore" group = "operatore" allow_core_dumps = no } name = "freeradius" prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" } main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 16384 postauth_client_lost = no pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no colourise = yes msg_denied = "You are already logged in - access denied" } resources { } security { max_attributes = 200 reject_delay = 1.000000 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { nonblock = no ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = <<< secret >>> response_window = 20.000000 response_timeouts = 1 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 check_timeout = 4 num_answers_to_alive = 3 revive_interval = 120 limit { max_connections = 16 max_requests = 0 lifetime = 0 idle_timeout = 0 } coa { irt = 2 mrt = 16 mrc = 5 mrd = 30 } recv_coa { } } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = <<< secret >>> nas_type = "other" proto = "*" limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client localhost_ipv6 { ipv6addr = ::1 require_message_authenticator = no secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } client TLC_TAG-MGT { ipaddr = 172.31.190.2 require_message_authenticator = yes secret = <<< secret >>> limit { max_connections = 16 lifetime = 0 idle_timeout = 30 } } Debugger not attached systemd watchdog is disabled # Creating Auth-Type = mschap # Creating Auth-Type = eap # Creating Auth-Type = PAP # Creating Auth-Type = CHAP # Creating Auth-Type = MS-CHAP radiusd: #### Instantiating modules #### modules { # Loaded module rlm_always # Loading module "reject" from file /etc/freeradius/mods-enabled/always always reject { rcode = "reject" simulcount = 0 mpp = no } # Loading module "fail" from file /etc/freeradius/mods-enabled/always always fail { rcode = "fail" simulcount = 0 mpp = no } # Loading module "ok" from file /etc/freeradius/mods-enabled/always always ok { rcode = "ok" simulcount = 0 mpp = no } # Loading module "handled" from file /etc/freeradius/mods-enabled/always always handled { rcode = "handled" simulcount = 0 mpp = no } # Loading module "invalid" from file /etc/freeradius/mods-enabled/always always invalid { rcode = "invalid" simulcount = 0 mpp = no } # Loading module "userlock" from file /etc/freeradius/mods-enabled/always always userlock { rcode = "userlock" simulcount = 0 mpp = no } # Loading module "notfound" from file /etc/freeradius/mods-enabled/always always notfound { rcode = "notfound" simulcount = 0 mpp = no } # Loading module "noop" from file /etc/freeradius/mods-enabled/always always noop { rcode = "noop" simulcount = 0 mpp = no } # Loading module "updated" from file /etc/freeradius/mods-enabled/always always updated { rcode = "updated" simulcount = 0 mpp = no } # Loaded module rlm_detail # Loading module "auth_log" from file /etc/freeradius/mods-enabled/detail.log detail auth_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "reply_log" from file /etc/freeradius/mods-enabled/detail.log detail reply_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail pre_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loading module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log detail post_proxy_log { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_expiration # Loading module "expiration" from file /etc/freeradius/mods-enabled/expiration # Loaded module rlm_pap # Loading module "pap" from file /etc/freeradius/mods-enabled/pap pap { normalise = yes } # Loaded module rlm_logintime # Loading module "logintime" from file /etc/freeradius/mods-enabled/logintime logintime { minimum_timeout = 60 } # Loaded module rlm_replicate # Loading module "replicate" from file /etc/freeradius/mods-enabled/replicate # Loaded module rlm_unpack # Loading module "unpack" from file /etc/freeradius/mods-enabled/unpack # Loading module "detail" from file /etc/freeradius/mods-enabled/detail detail { filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" permissions = 384 locking = no escape_filenames = no log_packet_header = no } # Loaded module rlm_exec # Loading module "echo" from file /etc/freeradius/mods-enabled/echo exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = "request" output_pairs = "reply" shell_escape = yes } # Loaded module rlm_unix # Loading module "unix" from file /etc/freeradius/mods-enabled/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Creating attribute Unix-Group # Loaded module rlm_chap # Loading module "chap" from file /etc/freeradius/mods-enabled/chap # Loaded module rlm_radutmp # Loading module "radutmp" from file /etc/freeradius/mods-enabled/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 384 caller_id = yes } # Loaded module rlm_linelog # Loading module "linelog" from file /etc/freeradius/mods-enabled/linelog linelog { filename = "/var/log/freeradius/linelog" escape_filenames = no syslog_severity = "info" permissions = 384 format = "This is a log message for %{User-Name}" reference = "messages.%{%{reply:Packet-Type}:-default}" } # Loading module "log_accounting" from file /etc/freeradius/mods-enabled/linelog linelog log_accounting { filename = "/var/log/freeradius/linelog-accounting" escape_filenames = no syslog_severity = "info" permissions = 384 format = "" reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}" } # Loaded module rlm_soh # Loading module "soh" from file /etc/freeradius/mods-enabled/soh soh { dhcp = yes } # Loaded module rlm_dynamic_clients # Loading module "dynamic_clients" from file /etc/freeradius/mods-enabled/dynamic_clients # Loaded module rlm_mschap # Loading module "mschap" from file /etc/freeradius/mods-enabled/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = yes passchange { } allow_retry = yes winbind_retry_with_normalised_username = no } # Loaded module rlm_utf8 # Loading module "utf8" from file /etc/freeradius/mods-enabled/utf8 # Loaded module rlm_digest # Loading module "digest" from file /etc/freeradius/mods-enabled/digest # Loading module "sradutmp" from file /etc/freeradius/mods-enabled/sradutmp radutmp sradutmp { filename = "/var/log/freeradius/sradutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes permissions = 420 caller_id = no } # Loaded module rlm_realm # Loading module "IPASS" from file /etc/freeradius/mods-enabled/realm realm IPASS { format = "prefix" delimiter = "/" ignore_default = no ignore_null = no } # Loading module "suffix" from file /etc/freeradius/mods-enabled/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } # Loading module "bangpath" from file /etc/freeradius/mods-enabled/realm realm bangpath { format = "prefix" delimiter = "!" ignore_default = no ignore_null = no } # Loading module "realmpercent" from file /etc/freeradius/mods-enabled/realm realm realmpercent { format = "suffix" delimiter = "%" ignore_default = no ignore_null = no } # Loading module "ntdomain" from file /etc/freeradius/mods-enabled/realm realm ntdomain { format = "prefix" delimiter = "\\" ignore_default = no ignore_null = no } # Loading module "ntlm_auth" from file /etc/freeradius/mods-enabled/ntlm_auth exec ntlm_auth { wait = yes program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" shell_escape = yes } # Loaded module rlm_eap # Loading module "eap" from file /etc/freeradius/mods-enabled/eap eap { default_eap_type = "tls" timer_expire = 60 max_eap_type = 52 ignore_unknown_eap_types = yes cisco_accounting_username_bug = no max_sessions = 16384 } # Loaded module rlm_passwd # Loading module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd passwd etc_passwd { filename = "/etc/passwd" format = "*User-Name:Crypt-Password:" delimiter = ":" ignore_nislike = no ignore_empty = yes allow_multiple_keys = no hash_size = 100 } # Loaded module rlm_totp # Loading module "totp" from file /etc/freeradius/mods-enabled/totp # Loaded module rlm_date # Loading module "date" from file /etc/freeradius/mods-enabled/date date { format = "%b %e %Y %H:%M:%S %Z" utc = no } # Loading module "wispr2date" from file /etc/freeradius/mods-enabled/date date wispr2date { format = "%Y-%m-%dT%H:%M:%S" utc = no } # Loaded module rlm_preprocess # Loading module "preprocess" from file /etc/freeradius/mods-enabled/preprocess preprocess { huntgroups = "/etc/freeradius/mods-config/preprocess/huntgroups" hints = "/etc/freeradius/mods-config/preprocess/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } # Loaded module rlm_attr_filter # Loading module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.post-proxy { filename = "/etc/freeradius/mods-config/attr_filter/post-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.pre-proxy { filename = "/etc/freeradius/mods-config/attr_filter/pre-proxy" key = "%{Realm}" relaxed = no } # Loading module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_reject { filename = "/etc/freeradius/mods-config/attr_filter/access_reject" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.access_challenge { filename = "/etc/freeradius/mods-config/attr_filter/access_challenge" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.accounting_response { filename = "/etc/freeradius/mods-config/attr_filter/accounting_response" key = "%{User-Name}" relaxed = no } # Loading module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter attr_filter attr_filter.coa { filename = "/etc/freeradius/mods-config/attr_filter/coa" key = "%{User-Name}" relaxed = no } # Loaded module rlm_expr # Loading module "expr" from file /etc/freeradius/mods-enabled/expr expr { safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ" } # Loading module "exec" from file /etc/freeradius/mods-enabled/exec exec { wait = no input_pairs = "request" shell_escape = yes timeout = 10 } # Loaded module rlm_files # Loading module "files" from file /etc/freeradius/mods-enabled/files files { filename = "/etc/freeradius/mods-config/files/authorize" acctusersfile = "/etc/freeradius/mods-config/files/accounting" preproxy_usersfile = "/etc/freeradius/mods-config/files/pre-proxy" } instantiate { } # Instantiating module "reject" from file /etc/freeradius/mods-enabled/always # Instantiating module "fail" from file /etc/freeradius/mods-enabled/always # Instantiating module "ok" from file /etc/freeradius/mods-enabled/always # Instantiating module "handled" from file /etc/freeradius/mods-enabled/always # Instantiating module "invalid" from file /etc/freeradius/mods-enabled/always # Instantiating module "userlock" from file /etc/freeradius/mods-enabled/always # Instantiating module "notfound" from file /etc/freeradius/mods-enabled/always # Instantiating module "noop" from file /etc/freeradius/mods-enabled/always # Instantiating module "updated" from file /etc/freeradius/mods-enabled/always # Instantiating module "auth_log" from file /etc/freeradius/mods-enabled/detail.log rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output # Instantiating module "reply_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "pre_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "post_proxy_log" from file /etc/freeradius/mods-enabled/detail.log # Instantiating module "expiration" from file /etc/freeradius/mods-enabled/expiration # Instantiating module "pap" from file /etc/freeradius/mods-enabled/pap # Instantiating module "logintime" from file /etc/freeradius/mods-enabled/logintime # Instantiating module "detail" from file /etc/freeradius/mods-enabled/detail # Instantiating module "linelog" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "log_accounting" from file /etc/freeradius/mods-enabled/linelog # Instantiating module "mschap" from file /etc/freeradius/mods-enabled/mschap rlm_mschap (mschap): using internal authentication # Instantiating module "IPASS" from file /etc/freeradius/mods-enabled/realm # Instantiating module "suffix" from file /etc/freeradius/mods-enabled/realm # Instantiating module "bangpath" from file /etc/freeradius/mods-enabled/realm # Instantiating module "realmpercent" from file /etc/freeradius/mods-enabled/realm # Instantiating module "ntdomain" from file /etc/freeradius/mods-enabled/realm # Instantiating module "eap" from file /etc/freeradius/mods-enabled/eap # Linked to sub-module rlm_eap_tls tls { tls = "tls-common" } tls-config tls-common { verify_depth = 0 ca_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" ca_file = "/etc/freeradius/certs/ca.pem" private_key_password = <<< secret >>> fragment_size = 1024 include_length = yes auto_chain = yes check_crl = no check_all_crl = no ca_path_reload_interval = 0 cipher_list = "DEFAULT" cipher_server_preference = no reject_unknown_intermediate_ca = no ecdh_curve = "prime256v1" tls_max_version = "1.2" tls_min_version = "1.2" cache { enable = yes lifetime = 24 max_entries = 255 persist_dir = "/var/log/freeradius/tlscache" } verify { skip_if_ocsp_ok = no tmpdir = "/tmp/radiusd" client = "/usr/bin/openssl verify -CAfile /etc/freeradius/certs/ca.pem %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } # Linked to sub-module rlm_eap_ttls ttls { tls = "tls-common" default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_peap peap { tls = "tls-common" default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no require_client_cert = no } tls: Using cached TLS configuration from previous invocation # Linked to sub-module rlm_eap_mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no identity = "FreeRADIUS" } # Instantiating module "etc_passwd" from file /etc/freeradius/mods-enabled/passwd rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no # Instantiating module "preprocess" from file /etc/freeradius/mods-enabled/preprocess reading pairlist file /etc/freeradius/mods-config/preprocess/huntgroups reading pairlist file /etc/freeradius/mods-config/preprocess/hints # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/post-proxy # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/pre-proxy # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_reject # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/access_challenge # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/accounting_response # Instantiating module "attr_filter.coa" from file /etc/freeradius/mods-enabled/attr_filter reading pairlist file /etc/freeradius/mods-config/attr_filter/coa # Instantiating module "files" from file /etc/freeradius/mods-enabled/files reading pairlist file /etc/freeradius/mods-config/files/authorize reading pairlist file /etc/freeradius/mods-config/files/accounting reading pairlist file /etc/freeradius/mods-config/files/pre-proxy } # modules radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/sites-enabled/tlcamb-tag # Loading authenticate {...} Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} # Loading preacct {...} # Loading accounting {...} # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel # Loading authenticate {...} Compiling Auth-Type PAP for attr Auth-Type Compiling Auth-Type CHAP for attr Auth-Type Compiling Auth-Type MS-CHAP for attr Auth-Type # Loading authorize {...} Ignoring "sql" (see raddb/mods-available/README.rst) Ignoring "ldap" (see raddb/mods-available/README.rst) # Loading session {...} # Loading post-proxy {...} # Loading post-auth {...} # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:366 Compiling Post-Auth-Type REJECT for attr Post-Auth-Type } # server inner-tunnel radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } listen { type = "auth" ipaddr = * port = 1812 } Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel Listening on auth address * port 1812 Listening on proxy address * port 55078 Ready to process requests (0) Received Access-Request Id 29 from 172.31.190.2:32773 to 172.31.189.84:1812 length 298 (0) User-Name = "Hera Certs Authority" (0) Chargeable-User-Identity = 0x00 (0) Location-Capable = Civic-Location (0) Calling-Station-Id = "9a-8b-7b-d9-b0-cd" (0) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=ac1fc70200000089659842c9" (0) Acct-Session-Id = "659842c9/9a:8b:7b:d9:b0:cd/142" (0) NAS-IP-Address = 172.31.190.2 (0) NAS-Identifier = "Cisco_b8:24:65" (0) Airespace-Wlan-Id = 2 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "190" (0) EAP-Message = 0x02010019014865726120436572747320417574686f72697479 (0) Message-Authenticator = 0x859db34773badd1d0180d10a1ff8aeed (0) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (0) authorize { (0) [preprocess] = ok (0) eap: Peer sent EAP Response (code 2) ID 1 length 25 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 2 length 6 (0) eap: EAP session adding &reply:State = 0x9293c9989291c4c7 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 29 from 172.31.189.84:1812 to 172.31.190.2:32773 length 64 (0) EAP-Message = 0x010200060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x9293c9989291c4c7d042ac954afd7f3b (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 30 from 172.31.190.2:32773 to 172.31.189.84:1812 length 297 (1) User-Name = "Hera Certs Authority" (1) Chargeable-User-Identity = 0x00 (1) Location-Capable = Civic-Location (1) Calling-Station-Id = "9a-8b-7b-d9-b0-cd" (1) Called-Station-Id = "04-5f-b9-81-69-80:PIT_Tag" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=ac1fc70200000089659842c9" (1) Acct-Session-Id = "659842c9/9a:8b:7b:d9:b0:cd/142" (1) NAS-IP-Address = 172.31.190.2 (1) NAS-Identifier = "Cisco_b8:24:65" (1) Airespace-Wlan-Id = 2 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "190" (1) EAP-Message = 0x020200060300 (1) State = 0x9293c9989291c4c7d042ac954afd7f3b (1) Message-Authenticator = 0x7bb0df4e74c814803e896c7e15a6a274 (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/tlcamb-tag (1) authorize { (1) [preprocess] = ok (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: Ignoring NAK with request for unknown EAP type (1) [eap] = noop (1) [expiration] = noop (1) [logintime] = noop (1) } # authorize = ok (1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> Hera Certs Authority (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 30 from 172.31.189.84:1812 to 172.31.190.2:32773 length 20 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 29 with timestamp +3 due to cleanup_delay was reached (1) Cleaning up request packet ID 30 with timestamp +3 due to cleanup_delay was reached Thanks. Dario Barbon Il 05/01/2024 18:30, Alan DeKok ha scritto:
On Jan 5, 2024, at 11:25 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
I installed the CA certificate and collected the entire log file content: This page gives a good overview of what to look for: http://wiki.freeradius.org/radiusd-X
Simply lookiing for the word "error" gives you this:
(6) eap_peap: Serialising session 28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd, and storing in cache (6) eap_peap: ERROR: (TLS) Session serialisation failed, failed opening session file /var/log/freeradius/tlscache/28598cb4ba77510a52abb1e63011f9c061077719c09a59908092e2ca6b9c1ffd.asn1: Permission denied And looking for more "error" gives you this:
(8) eap: Peer sent packet with method EAP Identity (1) (8) eap: ERROR: Tried to start unsupported EAP type MSCHAPv2 (26) (8) eap: Sending EAP Failure (code 4) ID 9 length 4 You edited the mods-available/eap file, deleted the "mschapv2" configuration, and then tried to do EAP-MSCHAPv2.
If you want to use EAP-MSCHAPv2, then enable the mschapv2 EAP configuration.
And read the debug output. Honestly. 99% of problems can be solved by just looking for "error" and going "whoops, that message is pretty clear".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 5, 2024, at 1:11 PM, Dario Barbon <dbarbon@olicom.eu> wrote:
Hi Alan, I enabled mschapv2 section inside eap file and it works... thanks again for your support.
That's good.
Regarding the source of my problems, I confirm you that Android 11 devices continue to "lost" the installed client certificate: this time I collected the logs as you suggested after the device lost the certificate. ... (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/tlcamb-tag (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client
FreeRADIUS is doing EAP-TLS, and asking for a client cert.
... (1) EAP-Message = 0x020200060300 (1)... (1) eap: Peer sent EAP Response (code 2) ID 2 length 6 (1) eap: Ignoring NAK with request for unknown EAP type
The client sent "No, I'm not doing EAP-TLS, and I have no other options". Yeah, the client is broken. There is nothing you can do to FreeRADIUS to fix it. I'd suggest filing a bug report with Google. Alan DeKok.
Dario Barbon <dbarbon@olicom.eu> writes:
Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 22.04) to perform either EAP-TLS and EAP-PEAP MSCHAPv2. I need MSCHAPv2 as alternative configuration for Android 11 devices because we are experiencing the deletion of client certificates and I'm not understand why this issue happens.
I have configured eap-tls on several android devices (including 2 with android 11) and did not experienced certificate removal. BUT I have experience profile (=package with credentials) removal on corporate iphones managed by some kind of MDM. Are these phones corporate managed? KJ
Hi Kamil, thanks for sharing your experience. The phones aren't MDM managed; I experienced the certificate removal issue on Motorola Defy and CAT S62PRO (both Android 11). Maybe that's something wrong with my self signed CA and client certificates... May I ask you how did you generate your certificates? Dario Barbon Il 06/01/2024 09:05, Kamil Jońca ha scritto:
Dario Barbon <dbarbon@olicom.eu> writes:
Hi all, I'm trying to configure Freeradius (version 3.2.3 on Ubuntu 22.04) to perform either EAP-TLS and EAP-PEAP MSCHAPv2. I need MSCHAPv2 as alternative configuration for Android 11 devices because we are experiencing the deletion of client certificates and I'm not understand why this issue happens. I have configured eap-tls on several android devices (including 2 with android 11) and did not experienced certificate removal.
BUT I have experience profile (=package with credentials) removal on corporate iphones managed by some kind of MDM.
Are these phones corporate managed? KJ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 8, 2024, at 2:14 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
The phones aren't MDM managed; I experienced the certificate removal issue on Motorola Defy and CAT S62PRO (both Android 11). Maybe that's something wrong with my self signed CA and client certificates...
About the only thing which could be wrong is that the certificates could expire. i.e. if the certificate lifetime is 30 days, after those 30 days have passed, the phone will likely refuse to send the certificates to the server. But I would be very surprised if the phone randomly deleted the certificates. That is a serious bug, which many people would have seen. Maybe the users are deleting the certificates. Alan DeKok.
Dario Barbon <dbarbon@olicom.eu> writes:
Hi Kamil, thanks for sharing your experience.
The phones aren't MDM managed; I experienced the certificate removal issue on Motorola Defy and CAT S62PRO (both Android 11). Maybe that's something wrong with my self signed CA and client certificates... May I ask you how did you generate your certificates?
I would reverse this quesiton: How do YOU generate certificates and put them into phone(s)? And why do you think that certificates are deleted? KJ
Hi Kamil, I generated the certificates by following this tutorial
("configure EAP-TLS" section):
https://techtalkblog.ch/ubuntu-18-04-freeradius-v3-wifi-authentication/
I'm not thinking that certificates are deleted ... I saw this happens
many times! And it happens (in my limited experience) always with
Android 11 devices.
Sometimes users deleted the WiFi connection: that action deletes also
WiFi user installed certificates. Sometimes, after a bunch of
unsuccessful connection tries, Android 11 devices deletes certificates.
In comparison with Android 12 devices that retains certificates but
required to switch off/on WiFi to successfully reconnect.
Dario Barbon
Il 08/01/2024 17:33, Kamil Jońca ha scritto:
> Dario Barbon <dbarbon@olicom.eu> writes:
>
>> Hi Kamil, thanks for sharing your experience.
>>
>> The phones aren't MDM managed; I experienced the certificate removal
>> issue on Motorola Defy and CAT S62PRO (both Android 11). Maybe that's
>> something wrong with my self signed CA and client certificates... May
>> I ask you how did you generate your certificates?
> I would reverse this quesiton: How do YOU generate certificates and
> put them into phone(s)? And why do you think that certificates are
> deleted?
> KJ
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 8, 2024, at 11:48 AM, Dario Barbon <dbarbon@olicom.eu> wrote:
Hi Kamil, I generated the certificates by following this tutorial ("configure EAP-TLS" section): https://techtalkblog.ch/ubuntu-18-04-freeradius-v3-wifi-authentication/
I'm not thinking that certificates are deleted ... I saw this happens many times! And it happens (in my limited experience) always with Android 11 devices.
Sometimes users deleted the WiFi connection: that action deletes also WiFi user installed certificates. Sometimes, after a bunch of unsuccessful connection tries, Android 11 devices deletes certificates.
When this happens, get one of the devices and double-check its configuration. If the certificates really are deleted, ask Google to fix their bug. There's nothing you can do to FreeRADIUS which will help. Alan DeKok.
Dario Barbon <dbarbon@olicom.eu> writes:
Hi Kamil, I generated the certificates by following this tutorial ("configure EAP-TLS" section): https://techtalkblog.ch/ubuntu-18-04-freeradius-v3-wifi-authentication/
I did not ask you for link but for steps you did. Moreover this howto might be obsolete because "openssl pkcs12" with openssl3.0 sometimes needs "-legacy" option i.e. openssl pkcs12 -legacy -export -in ... -certfile ...-inkey ... -out ...
I'm not thinking that certificates are deleted ... I saw this happens many times! And it happens (in my limited experience) always with Android 11 devices.
Sometimes users deleted the WiFi connection: that action deletes also WiFi user installed certificates. Sometimes, after a bunch of unsuccessful connection tries, Android 11 devices deletes certificates.
Tested now: TCL NXT paper - (Android 11) - no such thing happened, after "forgetting" connection certificates remains, and can be used to redefine connection. As Alan said: either you do something wrong (this is my susppect) or you found SERIOUS bug in android supplicant (I doubt) KJ
Hi Kamil, to configure my private CA I did this operations: 1) edited the ca.cnf file provided by FreeRadius with organization relevant values (default_days, input and output password, country_name, stateOrProvinceName, localityName, organizationName, emailAddress and commonName) 2) executed the make command to generate "ca.pem", "ca.der", "printca", "dh" files 3) edited the server.cnf file provided by FreeRadius (default_days, input and output password) 4) executed the make command to generate "server.pem" file 5) edited the Makefile in order to execute the following openssl commands to create client certificates (the reference for this changes is the TechTalk tutorial posted in the previous mail) client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.p12 $(USER_NAME).p12 client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem client_android.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -certfile ca.pem -name "$(USER_NAME)" -out client_android.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client_android.p12 $(USER_NAME)_android.p12 6) edited the client.cnf file provided by FreeRadius ( default_days, input and output password, countryName, stateOrProvinceName, localityName, organizationName, emailAddress, commonName) 7) executed the make command to generate client certificates with .p12 extension. To install the client certificate on Android devices we usually copy p12 files inside Download folder and tap on file to extract the certificate specifiying WiFi as type. To configure the WiFi profile on device, we chose EAP-TLS and we select the just installed certificate both on CA dropdown and client dropdown. Identity and Domain field are filled with "commonName" value. All certs are stored inside "freeradius/certs" directory. Thanks Dario Barbon Il 08/01/2024 19:18, Kamil Jońca ha scritto:
Dario Barbon <dbarbon@olicom.eu> writes:
Hi Kamil, I generated the certificates by following this tutorial ("configure EAP-TLS" section): https://techtalkblog.ch/ubuntu-18-04-freeradius-v3-wifi-authentication/ I did not ask you for link but for steps you did.
Moreover this howto might be obsolete because
"openssl pkcs12" with openssl3.0 sometimes needs "-legacy" option i.e.
openssl pkcs12 -legacy -export -in ... -certfile ...-inkey ... -out ...
I'm not thinking that certificates are deleted ... I saw this happens many times! And it happens (in my limited experience) always with Android 11 devices.
Sometimes users deleted the WiFi connection: that action deletes also WiFi user installed certificates. Sometimes, after a bunch of unsuccessful connection tries, Android 11 devices deletes certificates. Tested now: TCL NXT paper - (Android 11) - no such thing happened, after "forgetting" connection certificates remains, and can be used to redefine connection.
As Alan said: either you do something wrong (this is my susppect) or you found SERIOUS bug in android supplicant (I doubt)
KJ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
Alan DeKok -
Dario Barbon -
Dave Funk -
Kamil Jońca