I've got authentication with Android and Linux clients working using EAP/TTLS and PAP, however Windows and OSX clients dont seem to work. This is a log of a Windows 7 client. I was able to get iphones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated Log follows, with secure bits edited out: FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/clients.conf including configuration file /etc/freeradius/snmp.conf including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { prefix = "/usr" localstatedir = "/var" logdir = "/var/log/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = yes auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "-removed-" shortname = "localhost" } -EDITED: Client entries removed- radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/radiusd.conf expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_pam Module: Instantiating module "pam" from file /etc/freeradius/radiusd.conf pam { pam_auth = "radiusd" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/etc/ssl/private/-removed-_generic.key" certificate_file = "/etc/ssl/certs/-removed-_generic.crt" CA_file = "/etc/ssl/certs/-removed-_ca.crt" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" cache { enable = no lifetime = 24 max_entries = 255 } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/radiusd.conf realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" } } # modules } # server server { # from file /etc/freeradius/radiusd.conf modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/radiusd.conf Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/radiusd.conf unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/radiusd.conf preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/radiusd.conf acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf detail { detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/radiusd.conf attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host -REMOVED- port 2048, id=28, length=139 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-1F-3A-25-62-B3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02a600090174657374 Message-Authenticator = 0xf0a3cd406f5b38050aae2efd796bd150 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 166 length 9 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 28 to -REMOVED- port 2048 EAP-Message = 0x01a700061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x71e0a8b07147bdedb47e6a205d08c074 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host -REMOVED- port 2048, id=29, length=154 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-1F-3A-25-62-B3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02a700060319 State = 0x71e0a8b07147bdedb47e6a205d08c074 Message-Authenticator = 0x941f56eedd5fd79424f5a78073c48749 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 167 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 222 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 29 to -REMOVED- port 2048 EAP-Message = 0x01a800061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x71e0a8b07048b1edb47e6a205d08c074 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host -REMOVED- port 2048, id=30, length=266 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-1F-3A-25-62-B3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02a8007619800000006c16030100670100006303014fbcf94545d3023dee569705aee1ec705dcdef5a8a6665f7c2f20dca50f6aca2000018002f00350005000ac013c014c009c00a003200380013000401000022ff0100010000000009000700000474657374000a0006000400170018000b00020100 State = 0x71e0a8b07048b1edb47e6a205d08c074 Message-Authenticator = 0x4487ab715ace2b169a8b6e84f5139e21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 168 length 118 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 108 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0067], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 0031], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 08fb], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 30 to -REMOVED- port 2048 EAP-Message = 0x01a9040019c00000093f16030100310200002d03014fbcf94597d6b23a2ed5bcd2d24437f03429322d863df6b087bffdd04d2d69d600002f000005ff0100010016030108fb0b0008f70008f40003d6308203d2308202ba020101300d06092a864886f70d01010505003081b6310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f312a3028060355040a13216f6e53686f7265204e6574776f726b73206f6620496c6c696e6f69732c204c4c43310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f72 EAP-Message = 0x6974792033311e301c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d3020170d3132303430393230323534385a180f32303632303332383230323534385a3081a4310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f312a3028060355040a13216f6e53686f7265204e6574776f726b73206f6620496c6c696e6f69732c204c4c43310c300a060355040b13034e4f43311630140603550403140d2a2e6f6e73686f72652e636f6d311e301c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d30820122300d06092a864886f70d01 EAP-Message = 0x010105000382010f003082010a0282010100c248803189d09c7eed9ac9f9d09143753af2692669ac40e9bd973cfec8d4c70cb1c380fa19347d82c3b880fa06e026b3648475cd3d4966e6db6fca2e3df700ec9203c303029ab5115c9fd311583802ec251136e35cf1f0be0884cb569d73e13b01b3e526734cb9b4c5aef5b58c9bce548d3fccc6259734253c75c966ab826a91e52decaf0eb5df76f3f6aeb60a1e2d1f0e4647050c6904da7ccd29ca007806509685d468683e41faae6605fa7de716e89b788f6eaf890367f92e32225ecf1f12cb7cd4adc459a3313eb46c488970c16c281fcc036bddf45ed21972867b0081eb1682ed55a0df758dddc72e EAP-Message = 0x1111b5cac31f4bb4634d71c57e9621f0377e435aef0203010001300d06092a864886f70d0101050500038201010005aa73489f8d50351c637f39d181f54c9938c959223a35dd2a9fcc46b05e732c21c183196926860c5714f0e2725064f2b1793482b8f1321a73c3152a74e926b7b1bc9343812126d019771b8af6be86b0eb22db4708144d5dff8168dcfbc59aed9393d8b82ccdb92444ddb6875d2cc5bfdbed44f04db6e0047ae0ee5893721f6156dd7592e9c79ae3209611a430f2119a76e0f34645e0c16770ea3c4700a0d07ad0187f97287cf5cdad4724519201fe2a807506935e44e8363a028a75a19b113a9e06ce376072378a9d2a2e69195038 EAP-Message = 0x9301579b39f9d8ddd10c6cbc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x71e0a8b07349b1edb47e6a205d08c074 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host -REMOVED- port 2048, id=31, length=154 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-1F-3A-25-62-B3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02a900061900 State = 0x71e0a8b07349b1edb47e6a205d08c074 Message-Authenticator = 0x98e8a0ace30ceb08bbb1d7f2ba55bf90 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 169 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 31 to -REMOVED- port 2048 EAP-Message = 0x01aa03fc194090721d968f18d8550cd66d8c7e1e37c714f6ac62baedecad3fb5ebd2873dd52797395bd7c700051830820514308203fca0030201020209008c06dc0a280a91a2300d06092a864886f70d01010505003081b6310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f312a3028060355040a13216f6e53686f7265204e6574776f726b73206f6620496c6c696e6f69732c204c4c43310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f726974792033311e301c06092a864886f70d010901 EAP-Message = 0x160f6e6f63406f6e73686f72652e636f6d3020170d3132303430393230323135315a180f32303632303332383230323135315a3081b6310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f312a3028060355040a13216f6e53686f7265204e6574776f726b73206f6620496c6c696e6f69732c204c4c43310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f726974792033311e301c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d30820122300d06092a864886f70d010101 EAP-Message = 0x05000382010f003082010a0282010100d9770f8e1b56d4e76474ae6a66eafe8e8256334cb66b331101f427395bd18bd2092e2798a010bb36ea6711f29529e1fe21ec2e023949f2fb9e28797c099f9829a3e2e6ba9d5610685b9e1cc21d361dacae362fabf8d65f98fff1fde72f7a0a2b49b2f3eda5f7f1dcf54e43920c5389ac010beaccb5d8b6b98acf5448fb9e7a1136871179883851e03daa2e6238c05e1c86f1b4344746e6c83b30a3d7aadc36f34e01b93547661f66ea3b506e6eaf61fe9d0adb0f82f2b2140f14a1b2ecead5e07c00e3cb4809064421104a7c144bd1b85a4d9b192f3c00f8cf61a366d3e614a4fdd5f759aca370c34ea4400980 EAP-Message = 0x5e2b5fa2fdd46a22204f16a9f4222c95480b7d0203010001a382011f3082011b301d0603551d0e041604149e11eecbde81d102a1c68c8d31b3db9f2ace574a3081eb0603551d230481e33081e080149e11eecbde81d102a1c68c8d31b3db9f2ace574aa181bca481b93081b6310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f312a3028060355040a13216f6e53686f7265204e6574776f726b73206f6620496c6c696e6f69732c204c4c43310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f72 EAP-Message = 0x6974792033311e30 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x71e0a8b0724ab1edb47e6a205d08c074 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host -REMOVED- port 2048, id=32, length=154 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-1F-3A-25-62-B3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02aa00061900 State = 0x71e0a8b0724ab1edb47e6a205d08c074 Message-Authenticator = 0xcc80b68891296025aae224e56db19f21 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 170 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 32 to -REMOVED- port 2048 EAP-Message = 0x01ab015919001c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d8209008c06dc0a280a91a2300c0603551d13040530030101ff300d06092a864886f70d0101050500038201010024bbfcf28b2f8bdd20d9b7cafb9bd4614aa44999ea1202b0710a8e2a17863c32286d4faef0e2e859f71f0dc2f821f11933c6721eedf77cb02c1ea68da33acf1e310b3e4347cfdc70425f40796d6d2704d02ee7577a41dc14cef7eedfb358873330009e63df02a9d551d9ae8fe784fdd36a7501b596d8ac6e7a3d50f0e1ec54347b68d35786baa2ede9d4e585993804949d813ebad21fc7d8ee70110a9aded292fae58cf2b19150b4845422717d EAP-Message = 0x15eab2013e8a4e22dff0415f321de688d820ff72d7c470519296b9e7f384a54da3ca3da6f30b4cab50d2bee1ab870f73acbe679145b16c7896e0b1c07d686a63b1cbd8d030f34b95ace9bbf0668c8671de816516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x71e0a8b0754bb1edb47e6a205d08c074 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host -REMOVED- port 2048, id=33, length=165 User-Name = "test" NAS-Port = 0 Called-Station-Id = "00-27-22-12-59-1F:Helio" Calling-Station-Id = "00-1F-3A-25-62-B3" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11" EAP-Message = 0x02ab001119800000000715030100020230 State = 0x71e0a8b0754bb1edb47e6a205d08c074 Message-Authenticator = 0xd2c0db5aa72047e9f4909baa4447796e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 171 length 17 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 7 [peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails. TLS receive handshake failed during operation [peap] eaptls_process returned 4 [peap] EAPTLS_OTHERS [eap] Handler failed in EAP/peap [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (TLS Alert read:fatal:unknown CA): [test] (from client -REMOVED- port 0 cli 00-1F-3A-25-62-B3) Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 5 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 5 Sending Access-Reject of id 33 to -REMOVED- port 2048 EAP-Message = 0x04ab0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds.
Steve Hopps wrote:
I've got authentication with Android and Linux clients working using EAP/TTLS and PAP, however Windows and OSX clients dont seem to work. This is a log of a Windows 7 client. I was able to get iphones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated
This is pretty definitive:
[peap] Length Included [peap] eaptls_verify returned 11 [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept: failed in SSLv3 read client certificate A rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
IIRC, it means that the client doesn't have the same CA as the server. So it gets the server's certificate, and goes "huh?". It then sends an "unknown CA" back to the server. The solution is to add the CA to the client PC. Alan DeKok.
On 23/05/12 16:16, Alan DeKok wrote:
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca SSL: SSL_read failed inside of TLS (-1), TLS session fails.
IIRC, it means that the client doesn't have the same CA as the server. So it gets the server's certificate, and goes "huh?". It then sends an "unknown CA" back to the server.
The solution is to add the CA to the client PC.
For what it's worth, it would be *really* handle to be able to trigger a log message (with controllable format) when this happened; possibly a "trigger"?
participants (3)
-
Alan DeKok -
Phil Mayers -
Steve Hopps