problem with eap-tls between FR and XP client
hi forum, I'm trying to connect a Windows XP client (also I'm trying with Vista) with freeradius with EAP-TLS. I made my set of certificates (from this site http://www.linuxjournal.com/node/8095/print) and now, I have: CA, radius_cert.pem, radius_key.pem, radius_keycert.pem radius_req.pem, cliente_cert.p12, cliente_key.pem, cliente_cert.pem, cliente_req.pem, dh, random, xpextensions, xpclient_ext, xpserver_ext I've configured eap.conf of this way: tls { certdir = ${confdir}/certs2 cadir = ${confdir}/certs2 private_key_password = ******* private_key_file = ${certdir}/radius_keycert.pem certificate_file = ${certdir}/radius_keycert.pem CA_file = ${cadir}/cacert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" And I've installed my cacert.pem and cliente_cert.p12 into mmc into Trusted Root Certification Authorities and Personal - certificates, respectively. When I try to connect with freeradius my log is this: (it's too long because I see the same request again and again) rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=159, length=199 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001a016361726c6f7367617269407769746563682e636f6d Message-Authenticator = 0xc6247c05f7aae962aecbc459c9416907 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 0 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 159 to 10.0.0.1 port 3072 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84a02e6384a123686383961ecc8fb910 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=160, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060319 State = 0x84a02e6384a123686383961ecc8fb910 Message-Authenticator = 0xe9335e399fadf61413fddd7e717c778f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] EAP-NAK asked for EAP-Type/peap [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 160 to 10.0.0.1 port 3072 EAP-Message = 0x010200061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84a02e6385a237686383961ecc8fb910 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=161, length=317 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0202008419800000007a16030100750100007103014a01acb81f735187841a3bc2edfa94f1384de661364401c1530733f45d00560d000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180100156361726c6f7367617269407769746563682e636f6d000a00080006001700180019000b00020100 State = 0x84a02e6385a237686383961ecc8fb910 Message-Authenticator = 0xc9c991513792d8f72f1e6dcbb3728186 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 132 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS TLS Length 122 [peap] Length Included [peap] eaptls_verify returned 11 [peap] (other): before/accept initialization [peap] TLS_accept: before/accept initialization [peap] <<< TLS 1.0 Handshake [length 0075], ClientHello [peap] TLS_accept: SSLv3 read client hello A [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello [peap] TLS_accept: SSLv3 write server hello A [peap] >>> TLS 1.0 Handshake [length 0501], Certificate [peap] TLS_accept: SSLv3 write certificate A [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [peap] TLS_accept: SSLv3 write server done A [peap] TLS_accept: SSLv3 flush data [peap] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 161 to 10.0.0.1 port 3072 EAP-Message = 0x0103040019c00000053e160301002a02000026030149de14372a96c9dee0f575361420bb267d297c2000f439f4b516bbf08fbf6f8c00002f0016030105010b0004fd0004fa00025b30820257308201c0a003020102020101300d06092a864886f70d01010505003052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b0603550403130474657374301e170d3039303430363035303733375a170d3130303430363035303733375a3078310b3009060355040613024553310f300d060355040813064d6164726964310f EAP-Message = 0x300d060355040713064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e69657269613122302006035504031319746573742e637573746f6d6572732e696265722d782e6e657430819f300d06092a864886f70d010101050003818d0030818902818100cd1fa7b002fe68845fcf82590e4d53f094b5cba6f8d0f81cc2e942f415bfd015f6a6163016951985d90b95966dcdffbb982515bfd4fcf623b3fa94118a84e9e14697d0d080292cf5d5052f163ead4d63472163664f42e48a7f9de0996823102d8abe56677b45c41c46ec42c8173feafb0cfb7aae29e440880260ccceb08442a90203010001a31730 EAP-Message = 0x1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810022c03b52cdb6d30d58ac20fe96dd44bcb9b085bf90efa1db85ca23773e408dd176cc92f97efa0c18150494fe599cdf5f916c7e03e8d47159463f2d5c63b65221380fe5553a838f5e39021ca8c5fe0bcfa383ab4d79c98bb23d6e8e5725ddf592be29906b85c8fc09f6a050087c826b2c30368bc08a33a4a9d9ad9e5794d82eb300029930820295308201fea003020102020100300d06092a864886f70d01010505003052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f7765783113 EAP-Message = 0x3011060355040b130a696e67656e6965726961310d300b0603550403130474657374301e170d3039303430363030313530365a170d3132303430353030313530365a3052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b060355040313047465737430819f300d06092a864886f70d010101050003818d0030818902818100ddd96cf2e5e6c7e92e8a43f801e022e3247609b62b6bf40b56b303ae2ff49c5fc65340689ccc673b41ba7d32f0b0084d062083d24f2e4b4c9122707c3e3cf6b30779e5dc37c28c9d9e22 EAP-Message = 0x7e9e619ff325da768ddacc03 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84a02e6386a337686383961ecc8fb910 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=162, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300061900 State = 0x84a02e6386a337686383961ecc8fb910 Message-Authenticator = 0x05d653107342a96a9c356290a260d61f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 162 to 10.0.0.1 port 3072 EAP-Message = 0x0104014e1900c7cae9bdebcfaa3a06726618751da075a2c79e748c02a30758a3550184fca872a01f3ec7c2ef8cee1b4d0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041421863a36c31be281cd1a3c31e52544b384bb25f1301f0603551d2304183016801421863a36c31be281cd1a3c31e52544b384bb25f1300d06092a864886f70d010105050003818100c851fd68627d9b98e537ff0e548d8a43683349ff2ced4e109cd6577d7cf0f6c7da04fe94c31f66a473385c2dfb626fd08bb8a69ab7276c1e EAP-Message = 0x99166bf09c44c83fc5ce3d362171b85d7de918d590a4acf95e0fc5da662c3f0d516c493675ce95470a92157a39b40f80b7431c291a211d4edaaa381acc2ca0512cae8015326e731516030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84a02e6387a437686383961ecc8fb910 Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=163, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400061900 State = 0x84a02e6387a437686383961ecc8fb910 Message-Authenticator = 0xb9e22b4414f41497b616c4174385b8b4 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] Received TLS ACK [peap] ACK handshake fragment handler [peap] eaptls_verify returned 1 [peap] eaptls_process returned 13 [peap] EAPTLS_HANDLED ++[eap] returns handled Sending Access-Challenge of id 163 to 10.0.0.1 port 3072 EAP-Message = 0x010500061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x84a02e6380a537686383961ecc8fb910 Finished request 4. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=164, length=199 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001a016361726c6f7367617269407769746563682e636f6d Message-Authenticator = 0xdd14d44138adb1f24901af4f2ac21fdc +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 0 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 164 to 10.0.0.1 port 3072 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec2decd6ec2ce137c20d83eb1d1d1e4f Finished request 5. Going to the next request Waking up in 4.5 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=165, length=317 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100840d800000007a16030100750100007103014a01acb83f8216b6454c57ebba9d19e3cc7db4ab863547bf1884f25b21b3eca6000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180100156361726c6f7367617269407769746563682e636f6d000a00080006001700180019000b00020100 State = 0xec2decd6ec2ce137c20d83eb1d1d1e4f Message-Authenticator = 0xa9accde6d4fed435cc4b51e08c4a1fbd +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 132 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 122 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0075], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0501], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0064], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 165 to 10.0.0.1 port 3072 EAP-Message = 0x010204000dc00000059e160301002a02000026030149de14379e475e80becd7ed1b05b777c2454aba0aab441958d3bc618844205e300002f0016030105010b0004fd0004fa00025b30820257308201c0a003020102020101300d06092a864886f70d01010505003052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b0603550403130474657374301e170d3039303430363035303733375a170d3130303430363035303733375a3078310b3009060355040613024553310f300d060355040813064d6164726964310f EAP-Message = 0x300d060355040713064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e69657269613122302006035504031319746573742e637573746f6d6572732e696265722d782e6e657430819f300d06092a864886f70d010101050003818d0030818902818100cd1fa7b002fe68845fcf82590e4d53f094b5cba6f8d0f81cc2e942f415bfd015f6a6163016951985d90b95966dcdffbb982515bfd4fcf623b3fa94118a84e9e14697d0d080292cf5d5052f163ead4d63472163664f42e48a7f9de0996823102d8abe56677b45c41c46ec42c8173feafb0cfb7aae29e440880260ccceb08442a90203010001a31730 EAP-Message = 0x1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810022c03b52cdb6d30d58ac20fe96dd44bcb9b085bf90efa1db85ca23773e408dd176cc92f97efa0c18150494fe599cdf5f916c7e03e8d47159463f2d5c63b65221380fe5553a838f5e39021ca8c5fe0bcfa383ab4d79c98bb23d6e8e5725ddf592be29906b85c8fc09f6a050087c826b2c30368bc08a33a4a9d9ad9e5794d82eb300029930820295308201fea003020102020100300d06092a864886f70d01010505003052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f7765783113 EAP-Message = 0x3011060355040b130a696e67656e6965726961310d300b0603550403130474657374301e170d3039303430363030313530365a170d3132303430353030313530365a3052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b060355040313047465737430819f300d06092a864886f70d010101050003818d0030818902818100ddd96cf2e5e6c7e92e8a43f801e022e3247609b62b6bf40b56b303ae2ff49c5fc65340689ccc673b41ba7d32f0b0084d062083d24f2e4b4c9122707c3e3cf6b30779e5dc37c28c9d9e22 EAP-Message = 0x7e9e619ff325da768ddacc03 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec2decd6ed2fe137c20d83eb1d1d1e4f Finished request 6. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=166, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200060d00 State = 0xec2decd6ed2fe137c20d83eb1d1d1e4f Message-Authenticator = 0xd94d9be93b04169026b7368402da36ae +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 166 to 10.0.0.1 port 3072 EAP-Message = 0x010301b20d800000059ec7cae9bdebcfaa3a06726618751da075a2c79e748c02a30758a3550184fca872a01f3ec7c2ef8cee1b4d0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041421863a36c31be281cd1a3c31e52544b384bb25f1301f0603551d2304183016801421863a36c31be281cd1a3c31e52544b384bb25f1300d06092a864886f70d010105050003818100c851fd68627d9b98e537ff0e548d8a43683349ff2ced4e109cd6577d7cf0f6c7da04fe94c31f66a473385c2dfb626fd08bb8a69a EAP-Message = 0xb7276c1e99166bf09c44c83fc5ce3d362171b85d7de918d590a4acf95e0fc5da662c3f0d516c493675ce95470a92157a39b40f80b7431c291a211d4edaaa381acc2ca0512cae8015326e731516030100640d00005c03010240005600543052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b06035504031304746573740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec2decd6ee2ee137c20d83eb1d1d1e4f Finished request 7. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=167, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020300060d00 State = 0xec2decd6ee2ee137c20d83eb1d1d1e4f Message-Authenticator = 0xc8ad2690ce4bb94fa6ee92d26df76db2 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 3 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 4 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 4 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 167 to 10.0.0.1 port 3072 EAP-Message = 0x0104000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xec2decd6ef29e137c20d83eb1d1d1e4f Finished request 8. Going to the next request Waking up in 4.4 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=168, length=217 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0204001a016361726c6f7367617269407769746563682e636f6d State = 0xec2decd6ef29e137c20d83eb1d1d1e4f Message-Authenticator = 0x274fd340f61d1f66b2b03ba704d3ec2e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 4 length 26 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 168 to 10.0.0.1 port 3072 EAP-Message = 0x010500060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f6428b72f6125c07b0fb3246e0f1a2d Finished request 9. Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=169, length=317 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020500840d800000007a16030100750100007103014a01acbdbadc9a09fff908f49117fe4256ccc1abe3d5e0b168a22041e5eada09000018002f00350005000ac009c00ac013c0140032003800130004010000300000001a00180100156361726c6f7367617269407769746563682e636f6d000a00080006001700180019000b00020100 State = 0x2f6428b72f6125c07b0fb3246e0f1a2d Message-Authenticator = 0x945e136366ba63bb7daa1d7d67603aeb +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 5 length 132 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 2 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 122 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0075], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0501], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0064], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 169 to 10.0.0.1 port 3072 EAP-Message = 0x010604000dc00000059e160301002a02000026030149de143bc7b95d7d8c7dd9e2a3d466bb438c26fd9c94393b645e7652fb10a3fc00002f0016030105010b0004fd0004fa00025b30820257308201c0a003020102020101300d06092a864886f70d01010505003052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b0603550403130474657374301e170d3039303430363035303733375a170d3130303430363035303733375a3078310b3009060355040613024553310f300d060355040813064d6164726964310f EAP-Message = 0x300d060355040713064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e69657269613122302006035504031319746573742e637573746f6d6572732e696265722d782e6e657430819f300d06092a864886f70d010101050003818d0030818902818100cd1fa7b002fe68845fcf82590e4d53f094b5cba6f8d0f81cc2e942f415bfd015f6a6163016951985d90b95966dcdffbb982515bfd4fcf623b3fa94118a84e9e14697d0d080292cf5d5052f163ead4d63472163664f42e48a7f9de0996823102d8abe56677b45c41c46ec42c8173feafb0cfb7aae29e440880260ccceb08442a90203010001a31730 EAP-Message = 0x1530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000381810022c03b52cdb6d30d58ac20fe96dd44bcb9b085bf90efa1db85ca23773e408dd176cc92f97efa0c18150494fe599cdf5f916c7e03e8d47159463f2d5c63b65221380fe5553a838f5e39021ca8c5fe0bcfa383ab4d79c98bb23d6e8e5725ddf592be29906b85c8fc09f6a050087c826b2c30368bc08a33a4a9d9ad9e5794d82eb300029930820295308201fea003020102020100300d06092a864886f70d01010505003052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f7765783113 EAP-Message = 0x3011060355040b130a696e67656e6965726961310d300b0603550403130474657374301e170d3039303430363030313530365a170d3132303430353030313530365a3052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b060355040313047465737430819f300d06092a864886f70d010101050003818d0030818902818100ddd96cf2e5e6c7e92e8a43f801e022e3247609b62b6bf40b56b303ae2ff49c5fc65340689ccc673b41ba7d32f0b0084d062083d24f2e4b4c9122707c3e3cf6b30779e5dc37c28c9d9e22 EAP-Message = 0x7e9e619ff325da768ddacc03 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f6428b72e6225c07b0fb3246e0f1a2d Finished request 10. Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=170, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020600060d00 State = 0x2f6428b72e6225c07b0fb3246e0f1a2d Message-Authenticator = 0x618e4164cf39a7a344ca991da0c24224 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 6 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 1 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 170 to 10.0.0.1 port 3072 EAP-Message = 0x010701b20d800000059ec7cae9bdebcfaa3a06726618751da075a2c79e748c02a30758a3550184fca872a01f3ec7c2ef8cee1b4d0203010001a37b307930090603551d1304023000302c06096086480186f842010d041f161d4f70656e53534c2047656e657261746564204365727469666963617465301d0603551d0e0416041421863a36c31be281cd1a3c31e52544b384bb25f1301f0603551d2304183016801421863a36c31be281cd1a3c31e52544b384bb25f1300d06092a864886f70d010105050003818100c851fd68627d9b98e537ff0e548d8a43683349ff2ced4e109cd6577d7cf0f6c7da04fe94c31f66a473385c2dfb626fd08bb8a69a EAP-Message = 0xb7276c1e99166bf09c44c83fc5ce3d362171b85d7de918d590a4acf95e0fc5da662c3f0d516c493675ce95470a92157a39b40f80b7431c291a211d4edaaa381acc2ca0512cae8015326e731516030100640d00005c03010240005600543052310b3009060355040613024553310f300d060355040813064d6164726964310e300c060355040a1305476f77657831133011060355040b130a696e67656e6965726961310d300b06035504031304746573740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f6428b72d6325c07b0fb3246e0f1a2d Finished request 11. Going to the next request Waking up in 0.8 seconds. rad_recv: Access-Request packet from host 10.0.0.1 port 3072, id=171, length=191 User-Name = "carlosgari@realmprueba.com" NAS-IP-Address = 10.0.0.1 NAS-Port = 0 Called-Station-Id = "00116b3f0ce5" Calling-Station-Id = "00215d9ade9a" NAS-Identifier = "Realtek Access Point. 8181" NAS-Port-Type = Wireless-802.11 Service-Type = Framed-User Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020700060d00 State = 0x2f6428b72d6325c07b0fb3246e0f1a2d Message-Authenticator = 0x5b4d57449b4510dfe0ec25fbd8141a1e +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "realmprueba.com" for User-Name = "carlosgari@realmprueba.com" [suffix] Found realm "realmprueba.com" [suffix] Adding Realm = "realmprueba.com" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 7 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [sql] expand: %{User-Name} -> carlosgari@realmprueba.com [sql] sql_set_user escaped user --> 'carlosgari@realmprueba.com' rlm_sql (sql): Reserving sql socket id: 0 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT groupname FROM usergroup WHERE username = 'carlosgari@realmprueba.com' ORDER BY id [sql] expand: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'Navega Mes' ORDER BY id [sql] User found in group Navega Mes [sql] expand: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{Sql-Group}' ORDER BY id -> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'Navega Mes' ORDER BY id rlm_sql (sql): Released sql socket id: 0 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 171 to 10.0.0.1 port 3072 EAP-Message = 0x0108000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f6428b72c6c25c07b0fb3246e0f1a2d Finished request 12. Going to the next request Waking up in 0.8 seconds. Cleaning up request 0 ID 159 with timestamp +21 Cleaning up request 1 ID 160 with timestamp +21 Cleaning up request 2 ID 161 with timestamp +21 Cleaning up request 3 ID 162 with timestamp +21 Cleaning up request 4 ID 163 with timestamp +21 Waking up in 0.4 seconds. Cleaning up request 5 ID 164 with timestamp +21 Cleaning up request 6 ID 165 with timestamp +21 Cleaning up request 7 ID 166 with timestamp +21 Cleaning up request 8 ID 167 with timestamp +21 Waking up in 3.5 seconds. I've tried with AP Mikrotiks too and I got the same error, I think freeradius is waiting for the request from client and this doesn't back never, but I'm not sure. I've also tried with export password and not password in the client_cert.p12. I saw in another web this possible mistake. Anyone who can illuminate me???? please
bLn wrote:
I'm trying to connect a Windows XP client (also I'm trying with Vista) with freeradius with EAP-TLS. I made my set of certificates (from this site http://www.linuxjournal.com/node/8095/print)
Why? If you just start the server in debugging mode after you first install it, it will create temporary certificates for you. The radb/certs directory also has Makefiles and OpenSSL configuration files that allow you to easily create certificates. Did you not see them when you edited the RADIUS configuration? Did you not see the *DOCUMENTATION* saying that this happened when you edited the "tls" section of "eap.conf" ?
When I try to connect with freeradius my log is this: (it's too long because I see the same request again and again) ... Sending Access-Challenge of id 171 to 10.0.0.1 port 3072 EAP-Message = 0x0108000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x2f6428b72c6c25c07b0fb3246e0f1a2d Finished request 12. Going to the next request Waking up in 0.8 seconds. Cleaning up request 0 ID 159 with timestamp +21
Yes. This is a common problem. The discussion of the cause, and how to fix it, is in the FAQ, and in the comments in eap.conf. Where should we put documentation so that you will READ it? Apparently including it with the server doesn't help.
I've tried with AP Mikrotiks too and I got the same error, I think freeradius is waiting for the request from client and this doesn't back never, but I'm not sure.
The reason is documented. Lots. I've never been able to understand why people spend huge amounts of time working with third-party web sites and guides that are YEARS out of date, when they could just read the documentation included with the server. Alan DeKok.
participants (2)
-
Alan DeKok -
bLn