I want to configure EAP-TLS on freeradius but it doesn’t work I hope the information below is enough. I am using freeradius 2.1.1. (openSUSE11.1), first I configured PAP using this tutorial( http://en.opensuse.org/RadiusServerHOWTO#Configuring_file_based_authenticati... http://en.opensuse.org/RadiusServerHOWTO#Configuring_file_based_authenticati... ) and it works with an xp supplicant. Then I wanted to configure EAP-TLS. Well the tutorials I found said that there is not much to do and I guess that's wrong. I only edited pap to tls in the eap.conf: eap { default_eap_type = tls The Cisco2950 Switch was added in the clients.conf while the pap tutorial: client 192.168.5.3 { secret = testing123 shortname = cisco } Well I added some kind of attributes in the users file because of dynamic vlans but I think that's not relevant now, isn't it?: oss-radius Cleartext-Password:="hello" Auth-Type :=EAP, Tunnel-Type= 13, Tunnel-Medium-Type= 6, Tunnel-Private-Group-Id= 5 For testing i created the standard certificates from freeradius with this commands: cd /etc/raddb/certs/ make all make client.pem Before I did this I changed the commonName and the email address in the client.cnf: [client] countryName = FR stateOrProvinceName = Radius localityName = Somewhere organizationName = Example Inc. emailAddress = oss-radius commonName = oss-radius I imported the ca.der and the client.p12 on the XP Client and at last I configured the XP Client using EAP-TLS: http://old.nabble.com/file/p26515010/zertifikateinstellung.jpg The authentication doesn't work and that is the debugging output: rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=3, length=110 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Calling-Station-Id = "00-0B-6A-2B-DA-78" Service-Type = Framed-User EAP-Message = 0x0201000f016f73732d726164697573 Message-Authenticator = 0xf68cf58770b7aca2671434c718bc4fb9 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8f71f7ba8f73faff5e448e0442a84581 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=4, length=193 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Calling-Station-Id = "00-0B-6A-2B-DA-78" Service-Type = Framed-User State = 0x8f71f7ba8f73faff5e448e0442a84581 EAP-Message = 0x020200500d800000004616030100410100003d03014b0d47720ea38e9c9e290d9e80220a921d82c0e9cb675bbf329d349ac5f22ec700001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0x20c78201bedf353fa22ef5383779e476 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 4 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010304000dc00000093d160301002a0200002603014b128ce6a59c7cc44dc8e5dda195b7358a9511b32aee8be1c928dadb4091169200000400160301085e0b00085a0008570003a6308203a23082028aa003020102020103300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039313132323133343533305a170d3130313132323133343533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac980cc4c9ec4ad3e23bf9d75989232fb1b5014896413398e3361287de22a5b5c00cac1e0c1b72b2f991aa8c2eeb1e452a7c67950e6af12e31414acbf8a9 EAP-Message = 0x8b96c26e6408da5ca899b30f00799999610945ad89094441a7cafca4067557b4ed52070fdf54b386b2a7a1aa76f134a9b5e7bfdeef3e18bc3d8ba98b49f1f4bb156dd1bbb46ee09b466df0120593471c59acfcb7a2977219e6db535008526dda1f91c374f01bf392d909a1ecde7ec11f926cfd310b39171121228c528a5853524e62ba21f1006c56ef85aa0837bdb123a11a0664015e7b8176b20619e36204f7b7b75d6e445aa84a0cdc49c9a8a82ea97e5686a28a56eced48e43f9c471499d0604f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009dc4e0c6f6e79b6e1c EAP-Message = 0x330b69759c25ac74cef621f5e8115248b9ea758e5b2af73574bd81953c2b5beb514765bdf4b07d50586dded8cfaac20f6ece9b661938bec737d87348f061ea7e3cd2a7338e786cd765aa8f3db636291c10c041d790ab49fcbcf5b41e7ec1ae2f65495b975286e656b23fed0321284cd6643aa411da03918e148eab2b222aa462bb62d50491ba9a27773e297dc8a59b1b0aa1a6fd2e6a110b2d3f94e81563417a2a4f1127937d38a0c6376e25ec51a0eabcd289a6fdfbcbc6f5c708050d8fdc9ad61cade8fa2b90ce4a6f4ff2ef465a1d61bbeb9373f4ef0c6a9c3d558b8424c130052899aa96271e0a9db4beb254ffcda04e8546e544140004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x8f71f7ba8e72faff5e448e0442a84581 Finished request 1. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 3 with timestamp +66 Waking up in 0.2 seconds. Cleaning up request 1 ID 4 with timestamp +66 Ready to process requests. Well I use the standardcertificate only for testing, but am I right that the problem is caused by the certificates? If you need the full output or the configs please don’t hesitate to contact me. -- View this message in context: http://old.nabble.com/Problem-with-EAP-TLS-tp26515010p26515010.html Sent from the FreeRadius - User mailing list archive at Nabble.com.
Well, can anyone tell me, why nobody is helping me? I would not get on your nerves if there would be a solution to my problem. I was searching for a time and i found this helpful solutions "look in the FAQ" and "look in the eap.conf". Well the FAQ tells about the xptensions and the help in the eap.conf doesn't give me a solution. I know that you don't like to waste you time on a newbie like me, but please give me only a hint where the problem could be. -- View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp265150... Sent from the FreeRadius - User mailing list archive at Nabble.com.
_Stefan_H wrote:
Well, can anyone tell me, why nobody is helping me? I would not get on your nerves if there would be a solution to my problem. I was searching for a time and i found this helpful solutions "look in the FAQ" and "look in the eap.conf". Well the FAQ tells about the xptensions and the help in the eap.conf doesn't give me a solution.
I know that you don't like to waste you time on a newbie like me, but please give me only a hint where the problem could be.
Follow the instructions on my web site for configuring EAP: http://deployingradius.com Don't worry about testing with PEAP first. If that works, EAP-TLS is a simple step. Follow the instructions in the FAQ for asking questions on the list. Alan DeKok.
Well, can anyone tell me, why nobody is helping me? I would not get on your nerves if there would be a solution to my problem. I was searching for a time and i found this helpful solutions "look in the FAQ" and "look in the eap.conf". Well the FAQ tells about the xptensions and the help in the eap.conf doesn't give me a solution.
I know that you don't like to waste you time on a newbie like me, but please give me only a hint where the problem could be.
Some XP versions won't allow server certificate to be intermediate certificate. Try altering certs/Makefile to sign client certificates with ca instead of server certificate. Ivan Kalik
Great!! Finally, after several weeks posting question on this forum trying to solve "my first test with EAP-TLS", you give with this tip the correct solution!! Thanks a lot Ivan!! Cheers, Fernando. PS: Only for your knowledge... It seems this tip is also applicable to M.Vista (my case ;-) Thanks again! tnt@kalik.net wrote:
Well, can anyone tell me, why nobody is helping me? I would not get on your nerves if there would be a solution to my problem. I was searching for a time and i found this helpful solutions "look in the FAQ" and "look in the eap.conf". Well the FAQ tells about the xptensions and the help in the eap.conf doesn't give me a solution.
I know that you don't like to waste you time on a newbie like me, but please give me only a hint where the problem could be.
Some XP versions won't allow server certificate to be intermediate certificate. Try altering certs/Makefile to sign client certificates with ca instead of server certificate.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I know that you don't like to waste you time on a newbie like me, but please give me only a hint where the problem could be.
Some XP versions won't allow server certificate to be intermediate certificate. Try altering certs/Makefile to sign client certificates with ca instead of server certificate. Ivan Kalik - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I think thats my problem too because the tutorial of Alan DeKok-2 led me to the same problem, also with peap. My server is running on vmware and I got the chance to try an switch with different IOS and an different XP Client and the server output was different and far longer: _______________________________________________________________________ Ready to process requests. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=5, length=135 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0203000f016f73732d726164697573 Message-Authenticator = 0x83f50eceb4eb9b3f01b91cba34beda74 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 5 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010400060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceadc2801a2909332f7877a5def Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=6, length=218 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceadc2801a2909332f7877a5def EAP-Message = 0x020400500d800000004616030100410100003d03014b18f9f4d475c347b4c63e498b5588a54d7c3bcfaa54ed228482bbd8cdfb6a0700001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xef2ee3a18747120691d1554121d3647a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010504000dc00000093d160301002a0200002603014b18f9eecee5da441146eddde2ea8e016c2adb0db5c574b49514891d3931f97700000400160301085e0b00085a0008570003a6308203a23082028aa003020102020103300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039313132323133343533305a170d3130313132323133343533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac980cc4c9ec4ad3e23bf9d75989232fb1b5014896413398e3361287de22a5b5c00cac1e0c1b72b2f991aa8c2eeb1e452a7c67950e6af12e31414acbf8a9 EAP-Message = 0x8b96c26e6408da5ca899b30f00799999610945ad89094441a7cafca4067557b4ed52070fdf54b386b2a7a1aa76f134a9b5e7bfdeef3e18bc3d8ba98b49f1f4bb156dd1bbb46ee09b466df0120593471c59acfcb7a2977219e6db535008526dda1f91c374f01bf392d909a1ecde7ec11f926cfd310b39171121228c528a5853524e62ba21f1006c56ef85aa0837bdb123a11a0664015e7b8176b20619e36204f7b7b75d6e445aa84a0cdc49c9a8a82ea97e5686a28a56eced48e43f9c471499d0604f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009dc4e0c6f6e79b6e1c EAP-Message = 0x330b69759c25ac74cef621f5e8115248b9ea758e5b2af73574bd81953c2b5beb514765bdf4b07d50586dded8cfaac20f6ece9b661938bec737d87348f061ea7e3cd2a7338e786cd765aa8f3db636291c10c041d790ab49fcbcf5b41e7ec1ae2f65495b975286e656b23fed0321284cd6643aa411da03918e148eab2b222aa462bb62d50491ba9a27773e297dc8a59b1b0aa1a6fd2e6a110b2d3f94e81563417a2a4f1127937d38a0c6376e25ec51a0eabcd289a6fdfbcbc6f5c708050d8fdc9ad61cade8fa2b90ce4a6f4ff2ef465a1d61bbeb9373f4ef0c6a9c3d558b8424c130052899aa96271e0a9db4beb254ffcda04e8546e544140004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceadd2901a2909332f7877a5def Finished request 8. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=7, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceadd2901a2909332f7877a5def EAP-Message = 0x020500060d00 Message-Authenticator = 0xaef2f990f10c99234767d854d27b544a +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 5 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 7 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010604000dc00000093d00909b9c83a43a1aeb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313132323133343533305a170d3039313232323133343533305a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dca8cc215f2e66300d12c524db0ab7b4e9b3fae5ee90ce3b5d214b1d63f6b7b6e772605bc6ec64f4acac7bfcb7bd2106d2e02c9e2b1412c2ce2a7751741baaf3d73c2ccb496dd9daa8e105b70982c7f8a9326700f2d3ac0959c8f203d0896051427bd12def8761251afb6b EAP-Message = 0x3f5fe90a66fc35542fefe55b7aed80b21304d744bb0407979eb907820a3181cf95df43d395d33eaa396964905162ca449d8e0cad35348272fc067d7b40ebf26382c14ff354886080252b32396b5745dfae39a73d73a10472403eeec68bca7f5ad923a7885fefe49040c86a9760fa62b9899a1908d5ddb4db6ea2d3eaa993e5525c9941d871a6d6618426def29ade4b3bb6f84c2f450203010001a381fb3081f8301d0603551d0e0416041452f2ff741f2d3bbb281fcad3e580b8d70c42650c3081c80603551d230481c03081bd801452f2ff741f2d3bbb281fcad3e580b8d70c42650ca18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900909b9c83a43a1aeb300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c27da3525cc2b702ef481f7c4e7073e22c39bcc870744adcce64e7006bb230f24ba9d45cad1c35de4810c1418e0925a35880097a958ea0a99011d89948490da61e782d41275ab4fa8086fc504684 EAP-Message = 0x35cc4eacbe8a90671537715d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceade2a01a2909332f7877a5def Finished request 9. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=8, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceade2a01a2909332f7877a5def EAP-Message = 0x020600060d00 Message-Authenticator = 0xc92addcb64acecf03702578e45472430 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 8 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0107015b0d800000093de1275d07e1318b3e3f3e38b4e742f948efa0d251272389d58a2a4cbe1c74bddb6d584f384cf715e49bac5c13bce7719c9947c27edfa52b7693b39367b3123c99871549a2f7c63f946d9fde67f403a031f67c05e4327a5e4af1385dd48bb9dcb4105565ada8137083c6c9db74e4c66d6c3e06431c345cdfbd678431dd0ea80b6576955f1c8a40273c5351ae7ff243c98bc9b2a423d0b1f4c5ca5c4a597bad4990e33e1d359a7816030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdc2c0ceadf2b01a2909332f7877a5def Finished request 10. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=9, length=1627 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xdc2c0ceadf2b01a2909332f7877a5def EAP-Message = 0x020705c70d80000005bd160301058d0b00037d00037a000377308203733082025ba003020102020104300d06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039313132323133343633385a170d3130313132323133343633385a3065310b3009060355040613024652310f300d0603550408130652616469757331153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e311330110603550403130a6f73732d7261646975733119301706092a864886f70d010901160a6f73732d72616469757330820122300d06092a864886f70d01010105000382010f003082010a0282010100e1d40ac149204b59321c6251b567611368612d917fa99a21e38fde2fa875f727613c91eda857169f467800fe2a5c72eb58781189a03e3d1ff82c8b98f87197583afc5a299875f45d9fb7dda8e306b6f7afdcea661ef8b9a638096739a836ed6a7e3379bba6093c5ac04770106c08492f08edce25e71bbc27b3ece097abff30d3df8f21e095699fa3735d186cc7ac490556fdeba6bc5df04bc8a30f96 EAP-Message = 0x8f69fc9b535f21fd923cc408072972265dea7743f217eeffeed4dab6e7809915f4c195bfb9d9c5fe1329c83fd9d6fa26f63a775d82e0354e6bc885d6793f38ba95d55558fe623e103581e064d802572914d9596e46fd2fe5a581e27e04538ec74379455b0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003820101000f9716f57efb977d4030add0ed9757bc150e13e37949185a3898a4d5ba802076e8a2e7c011986ccef252b01b386679590330c8cbee366e6437a466ec51b264af9b91086545629b5a6063ba7aa4750af6649ecdf6b5a38b74a0725aaa091379626fccf3fecc6b50 EAP-Message = 0x2b0106225fa8434d2ab807e12dae14bee9eab2ca911e6a1654b900a5e18098469fb718302c594e81fca97d4294f1fad1522a86dba911a4e291579b8f7fc119906cafab8dde63be367dbfb18aa44492ffe2bb0393c231618f71c19cc460d9a53e50f109d1fdf9686b1ca3652b94bffd27d6b0c671b0b1c5b4287ffc135c5a6b3545843aa05e052c881c190490bc51afc74bb1e05d6fe49e13cd1000010201008fe1f9547a012f8094d3609471041d46ffba1642eac3ef7c1579b3b36c0f758470d9615e859ce9b9a170fee2b1c3b5fd43d31b698828ba709310b1dac307aff136bb191f8cce7c05bcbbaeee4400ae46a7740f8d69e737796bf36709f40f EAP-Message = 0x7d29cc4e2a3563c55aa83bbe8d8209e609ea778208c586625af13a5cc772fd67928a6a499cb6899a5fcedfe6636cefaf25c0a46f9e9cd1d7bd5ae3b4e4d79714c7f048074caee86149f678149dd14cecb22a9a505189ca92894863d69500249f1f736fa285319d87e708e72fee68074067a73ab5841f3aee440e3355a447c74559ac9719037069e4df858dfcbb7841dfdabc27b67d8cd103e30b09637745a5186ff20f00010201003b30a7e1ae8d7d4a826c489d34cfcd32d8d5a9773e45ea2bda2298340281b7ccacea41d108f54ff8bcddda958ece15d82af72ede186b93fffff769294b2af6df7d412e4fff6da4a08a47ba423f0f39dd9066de8696 EAP-Message = 0x5b87e12df25b0538042938aa61557bffa40ddf164236590e9f55e9010b681c5f87f2199cd6cddd5e3b6a7de6ae8b00db96b713fbf60688965f857b4238ef9c140bee0321e2c8190aa27b816743d750a22d3a958bda25f739e4521b3f3d2eba5a20b7236d35d706b09be354a3f21377de68cf54228ebf300167775314dda9dfd8e7b1390ff609467b5ac703e26130fdd6519b148409a4be7c44f57f4c7e87461581a4ce8820f2e38561ece614030100010116030100205c40fd19e50ab899199364162f97f139fb524181835a55a83964d818e8ac3076 Message-Authenticator = 0x4b471a16eae8e42d0c58b78e95297293 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 7 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1469 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0381], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> oss-radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 11 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 11 Sending Access-Reject of id 9 to 192.168.5.3 port 1812 EAP-Message = 0x04070004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.6 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=10, length=135 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 EAP-Message = 0x0200000f016f73732d726164697573 Message-Authenticator = 0xa6abf14fc79a6a2a3bab1c7da1a574f8 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 10 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc17480a17ea88a729c3ffa64 Finished request 12. Going to the next request Waking up in 2.3 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=11, length=218 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc17480a17ea88a729c3ffa64 EAP-Message = 0x020100500d800000004616030100410100003d03014b18f9f6af7d3ffe4b3887242954843428771b6af2fdc46e52714e7cc4cacb8500001600040005000a000900640062000300060013001200630100 Message-Authenticator = 0xb1d532e53fec6922f1e8030c4f8e39e2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 80 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 70 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0041], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 085e], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 11 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010204000dc00000093d160301002a0200002603014b18f9f1d4e09ac9a9cb137294e433a251f940e98cfab9111ea2f2a059aa127500000400160301085e0b00085a0008570003a6308203a23082028aa003020102020103300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479 EAP-Message = 0x301e170d3039313132323133343533305a170d3130313132323133343533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac980cc4c9ec4ad3e23bf9d75989232fb1b5014896413398e3361287de22a5b5c00cac1e0c1b72b2f991aa8c2eeb1e452a7c67950e6af12e31414acbf8a9 EAP-Message = 0x8b96c26e6408da5ca899b30f00799999610945ad89094441a7cafca4067557b4ed52070fdf54b386b2a7a1aa76f134a9b5e7bfdeef3e18bc3d8ba98b49f1f4bb156dd1bbb46ee09b466df0120593471c59acfcb7a2977219e6db535008526dda1f91c374f01bf392d909a1ecde7ec11f926cfd310b39171121228c528a5853524e62ba21f1006c56ef85aa0837bdb123a11a0664015e7b8176b20619e36204f7b7b75d6e445aa84a0cdc49c9a8a82ea97e5686a28a56eced48e43f9c471499d0604f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003820101009dc4e0c6f6e79b6e1c EAP-Message = 0x330b69759c25ac74cef621f5e8115248b9ea758e5b2af73574bd81953c2b5beb514765bdf4b07d50586dded8cfaac20f6ece9b661938bec737d87348f061ea7e3cd2a7338e786cd765aa8f3db636291c10c041d790ab49fcbcf5b41e7ec1ae2f65495b975286e656b23fed0321284cd6643aa411da03918e148eab2b222aa462bb62d50491ba9a27773e297dc8a59b1b0aa1a6fd2e6a110b2d3f94e81563417a2a4f1127937d38a0c6376e25ec51a0eabcd289a6fdfbcbc6f5c708050d8fdc9ad61cade8fa2b90ce4a6f4ff2ef465a1d61bbeb9373f4ef0c6a9c3d558b8424c130052899aa96271e0a9db4beb254ffcda04e8546e544140004ab308204 EAP-Message = 0xa73082038fa0030201020209 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc07780a17ea88a729c3ffa64 Finished request 13. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=12, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc07780a17ea88a729c3ffa64 EAP-Message = 0x020200060d00 Message-Authenticator = 0xbee4c0a1276cce1934909d7485a45127 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 12 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x010304000dc00000093d00909b9c83a43a1aeb300d06092a864886f70d0101050500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479301e170d3039313132323133343533305a170d3039313232323133343533305a308193310b3009060355040613024652310f300d0603550408130652616469757331123010 EAP-Message = 0x06035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100dca8cc215f2e66300d12c524db0ab7b4e9b3fae5ee90ce3b5d214b1d63f6b7b6e772605bc6ec64f4acac7bfcb7bd2106d2e02c9e2b1412c2ce2a7751741baaf3d73c2ccb496dd9daa8e105b70982c7f8a9326700f2d3ac0959c8f203d0896051427bd12def8761251afb6b EAP-Message = 0x3f5fe90a66fc35542fefe55b7aed80b21304d744bb0407979eb907820a3181cf95df43d395d33eaa396964905162ca449d8e0cad35348272fc067d7b40ebf26382c14ff354886080252b32396b5745dfae39a73d73a10472403eeec68bca7f5ad923a7885fefe49040c86a9760fa62b9899a1908d5ddb4db6ea2d3eaa993e5525c9941d871a6d6618426def29ade4b3bb6f84c2f450203010001a381fb3081f8301d0603551d0e0416041452f2ff741f2d3bbb281fcad3e580b8d70c42650c3081c80603551d230481c03081bd801452f2ff741f2d3bbb281fcad3e580b8d70c42650ca18199a48196308193310b3009060355040613024652310f300d EAP-Message = 0x060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479820900909b9c83a43a1aeb300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100c27da3525cc2b702ef481f7c4e7073e22c39bcc870744adcce64e7006bb230f24ba9d45cad1c35de4810c1418e0925a35880097a958ea0a99011d89948490da61e782d41275ab4fa8086fc504684 EAP-Message = 0x35cc4eacbe8a90671537715d Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc37680a17ea88a729c3ffa64 Finished request 14. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=13, length=144 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc37680a17ea88a729c3ffa64 EAP-Message = 0x020300060d00 Message-Authenticator = 0xc9ec1a2a313c897c3d546b1e17a21e62 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 13 to 192.168.5.3 port 1812 Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = "5" EAP-Message = 0x0104015b0d800000093de1275d07e1318b3e3f3e38b4e742f948efa0d251272389d58a2a4cbe1c74bddb6d584f384cf715e49bac5c13bce7719c9947c27edfa52b7693b39367b3123c99871549a2f7c63f946d9fde67f403a031f67c05e4327a5e4af1385dd48bb9dcb4105565ada8137083c6c9db74e4c66d6c3e06431c345cdfbd678431dd0ea80b6576955f1c8a40273c5351ae7ff243c98bc9b2a423d0b1f4c5ca5c4a597bad4990e33e1d359a7816030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xc1758d8dc27180a17ea88a729c3ffa64 Finished request 15. Going to the next request Waking up in 2.2 seconds. rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=14, length=1627 NAS-IP-Address = 192.168.5.3 NAS-Port = 50012 NAS-Port-Type = Ethernet User-Name = "oss-radius" Called-Station-Id = "00-0F-23-01-11-4C" Calling-Station-Id = "00-15-60-52-1E-49" Service-Type = Framed-User Framed-MTU = 1500 State = 0xc1758d8dc27180a17ea88a729c3ffa64 EAP-Message = 0x020405c70d80000005bd160301058d0b00037d00037a000377308203733082025ba003020102020104300d06092a864886f70d0101040500307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d301e170d3039313132323133343633385a170d3130313132323133343633385a3065310b3009060355040613024652310f300d0603550408130652616469757331153013060355 EAP-Message = 0x040a130c4578616d706c6520496e632e311330110603550403130a6f73732d7261646975733119301706092a864886f70d010901160a6f73732d72616469757330820122300d06092a864886f70d01010105000382010f003082010a0282010100e1d40ac149204b59321c6251b567611368612d917fa99a21e38fde2fa875f727613c91eda857169f467800fe2a5c72eb58781189a03e3d1ff82c8b98f87197583afc5a299875f45d9fb7dda8e306b6f7afdcea661ef8b9a638096739a836ed6a7e3379bba6093c5ac04770106c08492f08edce25e71bbc27b3ece097abff30d3df8f21e095699fa3735d186cc7ac490556fdeba6bc5df04bc8a30f96 EAP-Message = 0x8f69fc9b535f21fd923cc408072972265dea7743f217eeffeed4dab6e7809915f4c195bfb9d9c5fe1329c83fd9d6fa26f63a775d82e0354e6bc885d6793f38ba95d55558fe623e103581e064d802572914d9596e46fd2fe5a581e27e04538ec74379455b0203010001a317301530130603551d25040c300a06082b06010505070302300d06092a864886f70d010104050003820101000f9716f57efb977d4030add0ed9757bc150e13e37949185a3898a4d5ba802076e8a2e7c011986ccef252b01b386679590330c8cbee366e6437a466ec51b264af9b91086545629b5a6063ba7aa4750af6649ecdf6b5a38b74a0725aaa091379626fccf3fecc6b50 EAP-Message = 0x2b0106225fa8434d2ab807e12dae14bee9eab2ca911e6a1654b900a5e18098469fb718302c594e81fca97d4294f1fad1522a86dba911a4e291579b8f7fc119906cafab8dde63be367dbfb18aa44492ffe2bb0393c231618f71c19cc460d9a53e50f109d1fdf9686b1ca3652b94bffd27d6b0c671b0b1c5b4287ffc135c5a6b3545843aa05e052c881c190490bc51afc74bb1e05d6fe49e13cd1000010201005e3aefc7d60eee0c2378e4faaa28aec136ce78769b625949c4f7fed69e720b4e38f9e37b035b298b7cea3a85ca410ffd72d2b853c8afc5742ca05956b4a7b38d592f2686a2d3a0de245a48ef84103107be0f93761fab3fdc02c01b1796ca EAP-Message = 0x500a7374042d37199de10997b7f70c648dbf7b93290d3ec638b201fea8f8b2942cb05db8b87783165f1446c9893fe74cf5aa7aaca6c07f7c08a0d9923f133fdf912a3a25a4133a95ba387e1d00893485ac5bf1cb66920e3ef29c36c3e25d97a1e12f5b5f6f0e1830b1e23c008379b00c3a205775162e6ed24a9182d9f75546389809a817f7cc1d4dffcc67dec692d4a63a0f6c9ff2b82bb829b56723ff2f80ad79ed0f0001020100d02e9c4475d354b4b159779f4b5232c1518ae7bc92555afba9bb255998cc85b163a379c19f29425a4a209d611f28d0f44dfa813963b228d3a61617ef4db9d800ecd57e6b43796fb89f16abaa1a2500ebc762958538 EAP-Message = 0xfb7468f5a51fb74e25f9797e2558882a3db6128557e1bbbcb08833404496c0ea4e57e7ec846a9a38f81f75a255edba3e15dffa0ec8b04d07ea9bcae2947b24dbe34b4bd01b9eafd15b463db3130afa3e98f0bc58fa36608104207eeb78488708d24c8b7e93e629e4134e282c72020bc47cff40ec8351fe303c905f61e7fbef781193915691403ecb945ae625c692705df1e27dfd3a4b22f0a5f1e60bb6180021c022f5a2f4021280cd3e2c1403010001011603010020849bf86551030b13023b06784ee2f662244e52dba0d38da35803b72742e7b6bc Message-Authenticator = 0x842fdcc9d3a304697a8b444fea294886 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "oss-radius", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry oss-radius at line 204 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 1469 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0381], Certificate --> verify error:num=20:unable to get local issuer certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> oss-radius attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 16 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 16 Sending Access-Reject of id 14 to 192.168.5.3 port 1812 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.1 seconds. Cleaning up request 7 ID 5 with timestamp +807 Waking up in 0.1 seconds. Cleaning up request 8 ID 6 with timestamp +807 Cleaning up request 9 ID 7 with timestamp +807 Cleaning up request 10 ID 8 with timestamp +807 Waking up in 1.0 seconds. Cleaning up request 11 ID 9 with timestamp +807 Waking up in 1.3 seconds. Cleaning up request 12 ID 10 with timestamp +810 Cleaning up request 13 ID 11 with timestamp +810 Cleaning up request 14 ID 12 with timestamp +810 Cleaning up request 15 ID 13 with timestamp +810 Waking up in 1.0 seconds. Cleaning up request 16 ID 14 with timestamp +810 Ready to process requests. _______________________________________________________________________ Well after i read your post i tried to sign the client certificates with the ca. I make some changes in the makefile but it think I made something wrong because it doesn't work: old: client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf client.crt: client.csr server.crt server.key index.txt serial openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem .PHONY: server.vrfy client.vrfy: server.pem client.pem c_rehash . openssl verify -CApath . client.pem new: client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf client.crt: client.csr ca.key ca.pem index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem .PHONY: server.vrfy client.vrfy: ca.pem client.pem c_rehash . openssl verify -CApath . client.pem -- View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp265150... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Well after i read your post i tried to sign the client certificates with the ca. I make some changes in the makefile but it think I made something wrong because it doesn't work:
old:
client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf
client.crt: client.csr server.crt server.key index.txt serial openssl ca -batch -keyfile server.key -cert server.crt -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
client.p12: client.crt openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
client.pem: client.p12 openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) cp client.pem $(USER_NAME).pem
.PHONY: server.vrfy client.vrfy: server.pem client.pem c_rehash . openssl verify -CApath . client.pem
new:
client.csr client.key: client.cnf openssl req -new -out client.csr -keyout client.key -config ./client.cnf
client.crt: client.csr ca.key ca.pem index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile
At a glance, that should be ca password. Ivan Kalik
tnt-5 wrote:
client.crt: client.csr ca.key ca.pem index.txt serial openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile
At a glance, that should be ca password.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I changed it but it's always the same problem: [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A Next week I will try it with the other switch and client again. Now I am waiting for an other xp version for my client. -- View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp265150... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I changed it but it's always the same problem:
[tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Problem? What problem? Those are normal openSSL messages. Ivan Kalik
tnt-5 wrote:
I changed it but it's always the same problem:
[tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Problem? What problem? Those are normal openSSL messages.
Ivan Kalik
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But then nothing happens and the cleaning up follows, take a look at the debug in my first post -- View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp265150... Sent from the FreeRadius - User mailing list archive at Nabble.com.
I changed it but it's always the same problem:
[tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Problem? What problem? Those are normal openSSL messages.
Ivan Kalik
But then nothing happens and the cleaning up follows, take a look at the debug in my first post
You had your hints: either ca certificate isn't uploaded on a supplicant or XP/Vista doesn't recongnize server certificate as intermediate ca. Ivan Kalik
participants (4)
-
_Stefan_H -
Alan DeKok -
Fernando Calvelo Vazquez -
tnt@kalik.net