Hi all, my configuration is FreeRadius (1.0.5) with Chillispot in proxy mode (and WPA-Enterprise-Auto), when i try to connect with a client, it accepts the certificate, but authentication failed. FreeRadius communicate with Chillispot and all seems work fine. I've seen that in the firts request, TLS give an error ( TLS_accept:error in SSLv3 read client certificate A ) but in the third request (whit the same login) it works. What's wrong? Best regards. These are radius and chilli log: rad_recv: Access-Request packet from host 192.168.181.1:1026, id=0, length=118 User-Name = "prof1" EAP-Message = 0x0200000a0170726f6631 Message-Authenticator = 0xa755e14d8f738a60ad50681a848c4d27 Calling-Station-Id = "00-17-F2-44-11-C2" Called-Station-Id = "00-50-BF-E3-E8-2A" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-IP-Address = 192.168.181.1 NAS-Identifier = "14" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "prof1" rlm_realm: Proxying request from user prof1 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 10 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 154 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' radius_xlat: '(uid=prof1)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to localhost:389, authentication 0 rlm_ldap: bind as cn=Manager,dc=mydomain,dc=it/password to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (&(cn=student)(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with filter (objectclass=*) rlm_ldap::groupcmp: Group student not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns ok for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for prof1 radius_xlat: '(uid=prof1)' radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: checking if remote access for prof1 is allowed by userPassword rlm_ldap: Added password a in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-05-5D-25-12-5B & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-02-C7-8F-A0-16 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-0B-6B-4A-22-E8 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-17-F2-44-11-C2 & op=21 rlm_ldap: Adding userPassword as User-Password, value a & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value 98 & op=11 rlm_ldap: user prof1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_checkval: Item Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-05-5D-25-12-5B rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-0B-6B-4A-22-E8 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 modcall[authorize]: module "checkval" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.181.1:1026 Filter-Id = "98" EAP-Message = 0x010100061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x43ba05fe457734cfdd7739795f3bdc8b Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.181.1:1026, id=1, length=244 User-Name = "prof1" State = 0x43ba05fe457734cfdd7739795f3bdc8b EAP-Message = 0x0201007619800000006c1603010067010000630301452e55f989de814794c772b01ccc34ce2afa98a74d0ad6bea3f928e7c288115000003c002f000500040035000aff830009ff82000300080006ff8000320033003400380039003a0016001500140013001200110018001b001a0017001900010100 Message-Authenticator = 0xc8af438cacd711e7ff0d740c3cd87384 Calling-Station-Id = "00-17-F2-44-11-C2" Called-Station-Id = "00-50-BF-E3-E8-2A" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-IP-Address = 192.168.181.1 NAS-Identifier = "14" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "prof1" rlm_realm: Proxying request from user prof1 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 118 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 154 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' radius_xlat: '(uid=prof1)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (&(cn=student)(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with filter (objectclass=*) rlm_ldap::groupcmp: Group student not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns ok for request 1 rlm_ldap: - authorize rlm_ldap: performing user authorization for prof1 radius_xlat: '(uid=prof1)' radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: checking if remote access for prof1 is allowed by userPassword rlm_ldap: Added password a in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-05-5D-25-12-5B & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-02-C7-8F-A0-16 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-0B-6B-4A-22-E8 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-17-F2-44-11-C2 & op=21 rlm_ldap: Adding userPassword as User-Password, value a & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value 98 & op=11 rlm_ldap: user prof1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 1 rlm_checkval: Item Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-05-5D-25-12-5B rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-0B-6B-4A-22-E8 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 modcall[authorize]: module "checkval" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 06ae], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 1 to 192.168.181.1:1026 Filter-Id = "98" EAP-Message = 0x0102040a19c00000070b160301004a020000460301452e537ca488ea6621f71250f98002c85a45166c0ec16bc5ab15b0bf86e938202019a4321b13304c3472967d3a7b9522f73a985f43176c08f3e0f4441d250f5971002f0016030106ae0b0006aa0006a70002d5308202d13082023aa003020102020900c15c0043e46eeae0300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b1309626172626163756c6f311b30190603550403131243 EAP-Message = 0x6c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d301e170d3036313031323134323031375a170d3037313031323134323031375a30819b310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b1309626172626163756c6f3119301706035504031310526f6f74206365727469666963617465311f301d06092a864886f70d0109011610726f6f74406578616d706c652e636f6d30819f300d06092a864886 EAP-Message = 0xf70d010101050003818d0030818902818100c60af01facdb1bbf0dfcf9693f1db7b7abb6905261ddac50b3594df62ceabe39a5f931dd97f2521f754cd66c39f8f37b1149a26d74af49b4eeb7bc930839ab9dc93595f181170600c1aefc24e028b41431259e61e679ade357f82ae8e7f554ec5c572151fa0c4c583d794769cb98867bcde07335ac95c94be9561fb2de82563d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181009d6536d8cb33f8365fd61bc062a6d6f706cddc11063d84ef4b6ae543dd18d15eef5c1c273403f4c466d890bb55e1bbbf29f38f511554831cb460 EAP-Message = 0xdb90ea3c4fa657556e3bf1bbb86b1f5bceadb472663b26dd17fd83ac2db439b0f185605d909a3fcd3d31f85096bd14e415dcce5fcc298776bbe82baa28b408abcbc5225f102e0003cc308203c830820331a003020102020900c15c0043e46eeade300d06092a864886f70d010104050030819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b1309626172626163756c6f311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109 EAP-Message = 0x011612636c69656e74406578616d706c652e636f6d30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x5039a921f9fc66f28d6e3f4b862f6345 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.181.1:1026, id=2, length=132 User-Name = "prof1" State = 0x5039a921f9fc66f28d6e3f4b862f6345 EAP-Message = 0x020200061900 Message-Authenticator = 0xa91e107ec69b91ffe7cb31a455684512 Calling-Station-Id = "00-17-F2-44-11-C2" Called-Station-Id = "00-50-BF-E3-E8-2A" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-IP-Address = 192.168.181.1 NAS-Identifier = "14" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "prof1" rlm_realm: Proxying request from user prof1 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 154 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' radius_xlat: '(uid=prof1)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (&(cn=student)(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with filter (objectclass=*) rlm_ldap::groupcmp: Group student not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns ok for request 2 rlm_ldap: - authorize rlm_ldap: performing user authorization for prof1 radius_xlat: '(uid=prof1)' radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: checking if remote access for prof1 is allowed by userPassword rlm_ldap: Added password a in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-05-5D-25-12-5B & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-02-C7-8F-A0-16 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-0B-6B-4A-22-E8 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-17-F2-44-11-C2 & op=21 rlm_ldap: Adding userPassword as User-Password, value a & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value 98 & op=11 rlm_ldap: user prof1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 2 rlm_checkval: Item Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-05-5D-25-12-5B rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-0B-6B-4A-22-E8 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 modcall[authorize]: module "checkval" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 2 to 192.168.181.1:1026 Filter-Id = "98" EAP-Message = 0x0103031119001e170d3036313031323134323031335a170d3038313031313134323031335a30819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a130c4f7267616e697a6174696f6e31123010060355040b1309626172626163756c6f311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100d1834676843139241f85b29b130df7eade2392a6f86ce3b912 EAP-Message = 0x0ca3a35399e73d2b3148b8decb8914a41ae016625a6d93b4266ad18023b924aa4b5ae13bd7d9cfff0fc885d7523163d3904e434c7fae94b82b1474cd318c0c88af5db0cab240c4c7be02f527bf766420266bff30a2a572de64507f01ee9e35283a7022370429a30203010001a382010830820104301d0603551d0e041604142f4a965f7d02a211a01c6062f921e94c7c3978e53081d40603551d230481cc3081c980142f4a965f7d02a211a01c6062f921e94c7c3978e5a181a5a481a230819f310b30090603550406130243413111300f0603550408130850726f76696e63653112301006035504071309536f6d65204369747931153013060355040a EAP-Message = 0x130c4f7267616e697a6174696f6e31123010060355040b1309626172626163756c6f311b301906035504031312436c69656e742063657274696669636174653121301f06092a864886f70d0109011612636c69656e74406578616d706c652e636f6d820900c15c0043e46eeade300c0603551d13040530030101ff300d06092a864886f70d01010405000381810018230a55e71091a68331acbbdc7c440fedc00bdca273904f8abb0f89eece7b7788691cd225b6f79ed7938b9b6c3bc065a9673db78fad613669252f435b9d41b9003fb953d87d6152df09ce6fce19c7960d9e718c81455543cee043c5f00206f7afd633ad017ee4c5c7d6162f434476 EAP-Message = 0x5d21f4f6fd18a48d99efd1cb23d17c76ef16030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x35e5753e170bf0eef07f6baa43a9ed96 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.181.1:1026, id=3, length=334 User-Name = "prof1" State = 0x35e5753e170bf0eef07f6baa43a9ed96 EAP-Message = 0x020300d01980000000c616030100861000008200809bf4fb80396fa2a36688d08c0636c920f85ca7789f995dfe204a3639c4e0efc7c9213477807580d1404813daf96be6ff227836e5992d3cea4232acb679abf4a38835f0fa6a6c481509ad39a804309f9e25f5ba15b68e7c964a10272d86904d036053abbcda030d7567189e27b42b91a74671e7fb006e64cafb4a603e91d7bb6d14030100010116030100309034f26ce775a9be886de32e9101e1eeb42d5cad400ce3166058a23d047e7b4d5ad80e0e68568c2c78ce8daea1bf0b46 Message-Authenticator = 0x37a6aa57d05283ed1e2727c1cbd2e246 Calling-Station-Id = "00-17-F2-44-11-C2" Called-Station-Id = "00-50-BF-E3-E8-2A" NAS-Port-Type = Wireless-802.11 NAS-Port = 1 NAS-IP-Address = 192.168.181.1 NAS-Identifier = "14" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "prof1", looking up realm NULL rlm_realm: Found realm "NULL" rlm_realm: Adding Stripped-User-Name = "prof1" rlm_realm: Proxying request from user prof1 to realm NULL rlm_realm: Adding Realm = "NULL" rlm_realm: Authentication realm is LOCAL. modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 154 rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' radius_xlat: '(uid=prof1)' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: ldap_release_conn: Release Id: 0 radius_xlat: '(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (&(cn=student)(|(&(objectClass=GroupOfNames)(member=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it))(&(objectClass=GroupOfUniqueNames)(uniquemember=cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it)))) rlm_ldap: object not found or got ambiguous search result rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in cn=Maurizio Costanzo,ou=faculty,ou=dspsa,ou=mydepartment,dc=mydomain,dc=it, with filter (objectclass=*) rlm_ldap::groupcmp: Group student not found ????or user not a member rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "files" returns ok for request 3 rlm_ldap: - authorize rlm_ldap: performing user authorization for prof1 radius_xlat: '(uid=prof1)' radius_xlat: 'ou=mydepartment,dc=mydomain,dc=it' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in ou=mydepartment,dc=mydomain,dc=it, with filter (uid=prof1) rlm_ldap: checking if remote access for prof1 is allowed by userPassword rlm_ldap: Added password a in check items rlm_ldap: looking for check items in directory... rlm_ldap: Adding radiusGroupName as Ldap-Group, value professor & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-05-5D-25-12-5B & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-02-C7-8F-A0-16 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-0B-6B-4A-22-E8 & op=21 rlm_ldap: Adding radiusCallingStationId as Calling-Station-Id, value 00-17-F2-44-11-C2 & op=21 rlm_ldap: Adding userPassword as User-Password, value a & op=21 rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusFilterId as Filter-Id, value 98 & op=11 rlm_ldap: user prof1 authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 3 rlm_checkval: Item Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-05-5D-25-12-5B rlm_checkval: Value Name: Calling-Station-Id, Value: 00-02-C7-8F-A0-16 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-0B-6B-4A-22-E8 rlm_checkval: Value Name: Calling-Station-Id, Value: 00-17-F2-44-11-C2 modcall[authorize]: module "checkval" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 3 to 192.168.181.1:1026 Filter-Id = "98" EAP-Message = 0x01040041190014030100010116030100305cbbad378481f9e36a6768f41f18a5924a34dcebde91f3b0f4ec5c8782aa697976a71ce9edb66d2cd16282a3f5fae348 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xd9784d7c093eb0db5f8af482bc1e7400 Finished request 3 ===================================================== bash-3.00# chilli --fg --debug --conup=/etc/conup --condown=/etc/condow --eapolenable ChilliSpot version 1.1.0 started. chillispot[1696]: ChilliSpot 1.1.0. Copyright 2002-2005 Mondru AB. Licensed under GPL. See http://www.chillispot.org for credits. Waiting for client request... chillispot[1696]: chilli.c: 3509: New DHCP request from MAC=00-11-95-C2-93-0A New DHCP connection established DHCP requested IP address chillispot[1696]: chilli.c: 3479: Client MAC=00-11-95-C2-93-0A assigned IP 192.168.182.2 cb_dhcp_data_ind. Packet received. DHCP authstate: 5 Radius access request received! Calling Station ID is: 00-17-F2-44-11-C2 Username is: prof1 chillispot[1696]: chilli.c: 3509: New DHCP request from MAC=00-17-F2-44-11-C2 New DHCP connection established Received access request confirmation from radius server Received access challenge from radius server cb_dhcp_data_ind. Packet received. DHCP authstate: 5 Radius access request received! Calling Station ID is: 00-17-F2-44-11-C2 Username is: prof1 Received access request confirmation from radius server Received access challenge from radius server cb_dhcp_data_ind. Packet received. DHCP authstate: 5 Radius access request received! Calling Station ID is: 00-17-F2-44-11-C2 Username is: prof1 Received access request confirmation from radius server Received access reject from radius server chillispot[1696]: chilli.c: 3550: DHCP addr released by MAC=00-17-F2-44-11-C2 IP=0.0.0.0 DHCP connection removed chillispot[1696]: chilli.c: 3550: DHCP addr released by MAC=00-11-95-C2-93-0A IP=192.168.182.2 DHCP connection removed
Hi, maybe a few helpful notes: On 10/12/06, Giuseppina Venezia <giusy.venezia@gmail.com> wrote:
I've seen that in the firts request, TLS give an error ( TLS_accept:error in SSLv3 read client certificate A ) but in the third request (whit the same login) it works. What's wrong?
"TLS_accept:error" isn't really an error here, just an error message not to worry about (see the list archives). The different reuqests/challenges are part of the ongoing EAP mechanism (normally consisting of approx. 5-15 in either direction). So after the third one:
SSL Connection Established
means just that, it's not a successful auth yet. If configured/working correctly, the next challenge sent by freeradius would be the requiring the client (meaning supplicant) to provide the users's credentials inside the now established SSL layer (inside EAP transmitted inside RADIUS protocol from the client (here meaning nas, i.e. apparently chillispot)). Apparently you cut the freeradius debug here, as the chillispot claims:
Received access reject from radius server
which doesn't show up in freeradius debug output as being sent. So, whatever (really) fails, is further down the line. You should check that. regards K. Hoercher
participants (2)
-
Giuseppina Venezia -
K. Hoercher