Hi I want to build a freeradius+openssl server to authenticate 802.1x and I've installed freeradius-1.0.2 and openssl-0.9.7e the server is built in RedHat 9 and the client is Odyssey Client Manager in Windows XP. now i can use EAP/MD5 get the authentication well. but when we use EAP/TLS, the client cannot be authenticated ~~ I don't whether it's the problem of the freeradius server configure or CAs or anyother I paste the fail information and the freeradius debug infos below. Please give me some help ,Thanks! there're such errors: line242: TLS_accept:error in SSLv3 read client certificate A line344: rlm_eap_tls: <<< TLS 1.0 Handshake [length 05d2], Certificate --> verify error:num=18:self signed certificate line361: rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B 5385:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1989: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. ##the debug infos of freeradius [root@localhost sbin]# radiusd -X -A Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 1812 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "(null)" main: group = "(null)" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "(null)" unix: group = "(null)" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/DH" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = yes tls: check_cert_cn = "%{User-Name}" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. #### this is the authentication data rad_recv: Access-Request packet from host 172.25.21.203:1030, id=33, length=109 User-Name = "Sam" NAS-IP-Address = 172.25.21.203 Framed-MTU = 1496 Called-Station-Id = "00-13-49-15-78-96" Calling-Station-Id = "00-08-74-a6-b8-4c" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022100080153616d Message-Authenticator = 0x58ed4dbf6fa79b236215dc83a69ecb82 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 rlm_realm: No '@' in User-Name = "Sam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 rlm_eap: EAP packet type response id 33 length 8 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'Sam' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 33 to 172.25.21.203:1030 EAP-Message = 0x012200060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xce150ae287970e91fcbfbd09127ff0e2 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.25.21.203:1030, id=34, length=219 User-Name = "Sam" NAS-IP-Address = 172.25.21.203 Framed-MTU = 1496 Called-Station-Id = "00-13-49-15-78-96" Calling-Station-Id = "00-08-74-a6-b8-4c" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022200640d800000005a1603010055010000510301514d44b7482a93ff604361c0d24b7964511cb8acac03b6aa94158eea69d0a1e600002a00160013006600150012000a0005000400070009006300650060006200610064001400110003000600080100 State = 0xce150ae287970e91fcbfbd09127ff0e2 Message-Authenticator = 0xf62dedf8c4304aaa8b9084d455e256f4 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 rlm_realm: No '@' in User-Name = "Sam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 rlm_eap: EAP packet type response id 34 length 100 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'Sam' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0055], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 028b], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0085], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 34 to 172.25.21.203:1030 EAP-Message = 0x012303730d8000000369160301004a02000046030155fe4b40e21929bb32f71055b4c0cd2a02abcb5234c712e5be94a4d71e94a6bd202c07c710ca61dfe6e08dbc7e4aa571dec3f76f2258af432c3b02b2ba2d064f51000a00160301028b0b0002870002840002813082027d308201e6a003020102020900d690ec138d6d5b2d300d06092a864886f70d01010405003074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a13055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e40 EAP-Message = 0x7a7978656c2e636e301e170d3132303631383135313034365a170d3133303631383135313034365a3074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a13055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e30819f300d06092a864886f70d010101050003818d0030818902818100ba52e1415fb78b2b99ee0f451a191813f2e9768b99511bd72d993d52508079f7c1cfdc205d1366632406778e7dde1f96bba92f33cdc00fc7d67b5bdcfd210905eca1 EAP-Message = 0xc8af2d74e7fc91aecd9d2ed60b84996bcf64438865277fc825d712cc552c179260b4f3edd53c19884c62a0c40358496d6110963216df8f2f5c5a9c2d08550203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010104050003818100113ba998589b4180c504aaf6c2a931605e4c884f7c81f8df7c4f9aa2b273e64cc576419a894594a9febee40c9e8e297a102aad70b9e08efa46c9a5adaa817973f61760244aec4e7f1b19600321a32c4f45f12a4b64129dea5a7c346595041703697b3a285582f2e5b54c4843fc0aca173f2ffe923716045ae5d1a96fb711b72816030100850d00007d0201020078 EAP-Message = 0x00763074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a13055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x894b290d4553bf236dab7a5db8f0894a Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.25.21.203:1030, id=35, length=1529 User-Name = "Sam" NAS-IP-Address = 172.25.21.203 Framed-MTU = 1496 Called-Station-Id = "00-13-49-15-78-96" Calling-Station-Id = "00-08-74-a6-b8-4c" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022305780dc00000072016030105d20b0005ce0005cb0002813082027d308201e6a003020102020900d690ec138d6d5b2c300d06092a864886f70d01010405003074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a13055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e301e170d3132303631383135313031375a170d3133303631383135313031375a3074310b300906035504061302434e310b3009060355040813024a53310b300906035504071302 EAP-Message = 0x5758310e300c060355040a13055a7958454c310c300a060355040b1303537732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e30819f300d06092a864886f70d010101050003818d0030818902818100bc70ccb8574f0be248e5579dccc1cb08af4ac56d02b2290766f1fd74356bc42f93170a088e40b4d6b68225bad6df15b68df7a15be8c98a4df21ab036887c046ace42ff02ae171c6b4fa9d1d26a35dea1dfa96e383377300fc7ac9fc200ac11c7a2b92bff95c2eb121eb3e4d749ee1b4093cf1b69a474b9a50ee51a64f10cbf2b0203010001a317301530130603551d2504 EAP-Message = 0x0c300a06082b06010505070302300d06092a864886f70d0101040500038181009cd05e5f9e251b695a0e82817348865521eeb00af1f35ede38ff1b622f47feb8c31c9a79b5892b8b0ea1bbb8d1b3f94075f35d4587642aa1afc1d2645972d313b8966ee0ab7f8a6f5d8360f4167778bc89e05d07053ea1e212e8c54925c06aece5861a5bd0d820c03ffb0a1aa130da26f067dd17b277ecc25584a8670b947f3800034430820340308202a9a003020102020900d690ec138d6d5b2b300d06092a864886f70d01010405003074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a13 EAP-Message = 0x055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e301e170d3132303631383135303935335a170d3134303631383135303935335a3074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a13055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e30819f300d06092a864886f70d010101050003818d0030818902818100b373bed5d07f0c EAP-Message = 0xcbfe9769892d71807e15feb97661b86fa2a5e332827c75f9cf05e0a8a3f43d45ef641d2ac603b11b015841720ac1be9a250b568f4070b65fe988a012ace24ee29e9ca5f5044a73dfdc3558e63eca6fc48e4601a704c17148e2b8c337ba1f6ddd8049422df495316b96896ad28d8e8ffb7cc8102212027680130203010001a381d93081d6301d0603551d0e04160414ce8042abed0581e6f1e378f37dc77afc543dd21e3081a60603551d2304819e30819b8014ce8042abed0581e6f1e378f37dc77afc543dd21ea178a4763074310b300906035504061302434e310b3009060355040813024a53310b3009060355040713025758310e300c060355040a EAP-Message = 0x13055a7958454c310c300a060355040b1303535732310c300a0603550403130353616d311f301d06092a864886f70d010901161053616d2053756e407a7978656c2e636e820900d690ec138d6d5b2b300c0603551d13040530030101ff300d06092a864886f70d010104050003818100337ffcd394ec39d477cc6f9d7c58217b78fd1d0857971a State = 0x894b290d4553bf236dab7a5db8f0894a Message-Authenticator = 0xb23f9e4b235a60f7434eb38853ec5fbc Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 rlm_realm: No '@' in User-Name = "Sam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 2 rlm_eap: EAP packet type response id 35 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'Sam' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS First Fragment of the message eaptls_verify returned 9 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 35 to 172.25.21.203:1030 EAP-Message = 0x012400060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xca244c898e1852b4494ff05fd0068a85 Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.25.21.203:1030, id=36, length=561 User-Name = "Sam" NAS-IP-Address = 172.25.21.203 Framed-MTU = 1496 Called-Station-Id = "00-13-49-15-78-96" Calling-Station-Id = "00-08-74-a6-b8-4c" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022401b80d007dd1e5f1b1df308f634b87f1ead9d842e4d04d71ea8ad741aba645ae2170a17681dc3d1c422126606deb89b585b5391cde1d911d8352174fa8356e9302990109da48fb02b0e07c19beb3648accafc52d6a6d9ae2bd84d10568ecc4b07a8d4de2b9286bb431ba516e2a1603010086100000820080487c15acddfb9dc4cb072308587e9ef376c90bafb63619c97548d55ea160653716b3e8dd4320fbde80cff743586d664f6b5f6292a500c251bc8da381f9279f2d4bd416828ed7e7e409d90feb31f9a31c0b395aba788f5f33d051b1d89e08c8cf5aba166e5d2f855a5c3ee50ee9ea7afb6f990e98284a5c75d6520aaba2e1e5b3160301 EAP-Message = 0x00860f00008200801afd253bf4c2af89391d35e69407fbec36aa6ac194f11698e1289c2bca3854fa4eb6448c2c6f2d1f7920dd0731402faa27dd43a168b4f082e237290f83a340ff552dc4ef79bc9d4aadfe298ef440e8e5597a842c5ff74713108221b600e9d0db7540596033de6181730556957c4162f8d69b2b0a1763492c606465e78d0668ff1403010001011603010028105d46dd2521cc9473cc530e9b64ee580bb0950cc3548ff0e0b0e662325fcea856bf7b24816d6a2c State = 0xca244c898e1852b4494ff05fd0068a85 Message-Authenticator = 0x3d53140a85dc2575e4a2af85179cbeb0 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_realm: No '@' in User-Name = "Sam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 3 rlm_eap: EAP packet type response id 36 length 253 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'Sam' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake rlm_eap_tls: <<< TLS 1.0 Handshake [length 05d2], Certificate --> verify error:num=18:self signed certificate radius_xlat: 'Sam' rlm_eap_tls: checking certificate CN (Sam) with xlat'ed value (Sam) chain-depth=0, error=18 --> User-Name = Sam --> BUF-Name = Sam --> subject = /C=CN/ST=JS/L=WX/O=ZyXEL/OU=Sw2/CN=Sam/emailAddress=Sam Sun@zyxel.cn --> issuer = /C=CN/ST=JS/L=WX/O=ZyXEL/OU=SW2/CN=Sam/emailAddress=Sam Sun@zyxel.cn --> verify return:0 rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert write:fatal:unknown CA TLS_accept:error in SSLv3 read client certificate B 5385:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:1989: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 36 to 172.25.21.203:1030 EAP-Message = 0x012500110d800000000715030100020230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xbc1cb22c61b7204b53f59c2dd49d9539 Finished request 3 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.25.21.203:1030, id=37, length=125 User-Name = "Sam" NAS-IP-Address = 172.25.21.203 Framed-MTU = 1496 Called-Station-Id = "00-13-49-15-78-96" Calling-Station-Id = "00-08-74-a6-b8-4c" NAS-Port-Type = Wireless-802.11 EAP-Message = 0x022500060d00 State = 0xbc1cb22c61b7204b53f59c2dd49d9539 Message-Authenticator = 0x98b3d6dd9d36516deeb220a74387cd41 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_realm: No '@' in User-Name = "Sam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 4 rlm_eap: EAP packet type response id 37 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP rad_check_password: Found Auth-Type EAP Warning: Found 2 auth-types on request for user 'Sam' auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack alert eaptls_verify returned 4 eaptls_process returned 4 rlm_eap: Handler failed in EAP/tls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 4 modcall: group authenticate returns invalid for request 4 auth: Failed to validate the user. Delaying request 4 for 1 seconds Finished request 4 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 33 with timestamp 55fe4b40 Cleaning up request 1 ID 34 with timestamp 55fe4b40 Cleaning up request 2 ID 35 with timestamp 55fe4b40 Cleaning up request 3 ID 36 with timestamp 55fe4b40 Sending Access-Reject of id 37 to 172.25.21.203:1030 EAP-Message = 0x04250004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 4 ID 37 with timestamp 55fe4b40 Nothing to do. Sleeping until we see a request. _________________________________________________________________ 享用世界上最大的电子邮件系统― MSN Hotmail。 http://www.hotmail.com
hi, I note you are not using the root.crt file for the CA_file. I've found that using the pem often causes issues depending on how the cert was generated. also, did you use the XP extensions with your certificate as per the docs? alan
=?gb2312?B?y+8gx78=?= <sumner007@hotmail.com> wrote:
now i can use EAP/MD5 get the authentication well. but when we use EAP/TLS, the client cannot be authenticated ~~ I don't whether it's the problem of the freeradius server configure or CAs or anyother
EAP-TLS authenticates users by seeing if the certificate they supply is signed by the certificate that the RADIUS server has. You're not doing that:
rlm_eap_tls: <<< TLS 1.0 Handshake [length 05d2], Certificate --> verify error:num=18:self signed certificate
The user is supplying a self-signed certificate, so the server has no way of validating who they are. Alan DeKok.
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
孙 强