TLS Alert read:fatal:unknown CA
Hi everyone, I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached) Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5bd06acbc17fa96d02f7937abfe946a411c305079800002f000005ff0100010016030102c00b0002bc0002b90002b6308202b23082019aa003020102020900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628
Hi. Try unckecking the box in your network configuration at win7. As you can see on (Passo 4): http://www.midiacom.uff.br/eduroam-br/arquivos/eduroamConfigWin7.pdf I think your are using an untrusted CA for windows (out of the default trusted CA list). --Edelberto Em 18-Aug-17 10:25 PM, Fatih Naufal escreveu:
Hi everyone,
I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached)
Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00350005000ac013c014c009c00a003200380013000401000015ff01000100000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5bd06acbc17fa96d02f7937abfe946a411c305079800002f000005ff0100010016030102c00b0002bc0002b90002b6308202b23082019aa003020102020900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi How did you install it on the Windows client? Just double clicked and chose default options? You need to make sure you import it into the correct certificate store location eg local computer/trusted CA location. alan On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
Hi everyone,
I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached)
Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00 350005000ac013c014c009c00a003200380013000401000015ff01000100 000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Thanks for the reply Alan and Edelberto, I make the certificate based on default cert (/etc/freeradius/certs) and already install it in the right place (Trusted Root Certification Authorities), didn't know what happened but when i try to uncheck the validate server certificate box i can login with no error. Any suggestion? is it still safe to connect without validate server by validating the certificates? On Sat, Aug 19, 2017 at 11:31 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
Hi
How did you install it on the Windows client? Just double clicked and chose default options? You need to make sure you import it into the correct certificate store location eg local computer/trusted CA location.
alan
On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
Hi everyone,
I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached)
Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00 350005000ac013c014c009c00a003200380013000401000015ff01000100 000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
No. Not really I wonder if you've installed it in the user store rather than system store or such. alan On 19 Aug 2017 7:43 pm, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
Thanks for the reply Alan and Edelberto,
I make the certificate based on default cert (/etc/freeradius/certs) and already install it in the right place (Trusted Root Certification Authorities), didn't know what happened but when i try to uncheck the validate server certificate box i can login with no error. Any suggestion? is it still safe to connect without validate server by validating the certificates?
On Sat, Aug 19, 2017 at 11:31 PM, Alan Buxey <alan.buxey@gmail.com> wrote:
Hi
How did you install it on the Windows client? Just double clicked and chose default options? You need to make sure you import it into the correct certificate store location eg local computer/trusted CA location.
alan
On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
Hi everyone,
I already success create 802.1x wireless authentication using freeradius and ldap, i did a test to every device that i have (iphone and laptop running windows 10 can connect to 802.1x wireless) but when i try to conenct on laptop running windows 7 there's "TLS Alert read:fatal:unknown CA" error. I already re-create the root CA (i did this following documentation http://deployingradius.com/documents/configuration/certificates.html), import it to the client, and ensure every detail of the certificate. Is there any bug with windows 7 or something? any kind of help would be appreciated. Thankyou (ca.cnf and server.cnf attached)
Radius log : (0) Received Access-Request Id 60 from 172.30.254.3:49431 to 172.29.164.218:1812 length 267 (0) User-Name = "gpler" (0) Chargeable-User-Identity = 0x03 (0) Location-Capable = Civix-Location (0) Calling-Station-Id = "6c-71-d9-a9-5e-65" (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (0) NAS-Port = 1 (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (0) NAS-IP-Address = 172.30.xxx.x (0) NAS-Identifier = "IPB-WLC-5520" (0) Airespace-Wlan-Id = 69 (0) Service-Type = Framed-User (0) Framed-MTU = 1300 (0) NAS-Port-Type = Wireless-802.11 (0) Tunnel-Type:0 = VLAN (0) Tunnel-Medium-Type:0 = IEEE-802 (0) Tunnel-Private-Group-Id:0 = "255" (0) EAP-Message = 0x0202000a0167706c6572 (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966 (0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 2 length 10 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_peap to process data (0) eap_peap: Initiating new EAP-TLS session (0) eap_peap: [eaptls start] = request (0) eap: Sending EAP Request (code 1) ID 3 length 6 (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) Post-Auth-Type sub-section not found. Ignoring. (0) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (0) EAP-Message = 0x010300061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x68d16d7c68d27498a8bfbed341c368c9 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 61 from 172.30.254.3:49431 to 172.29.164.218:1812 length 380 (1) User-Name = "gpler" (1) Chargeable-User-Identity = 0x03 (1) Location-Capable = Civix-Location (1) Calling-Station-Id = "6c-71-d9-a9-5e-65" (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (1) NAS-Port = 1 (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (1) NAS-IP-Address = 172.30.xxx.x (1) NAS-Identifier = "IPB-WLC-5520" (1) Airespace-Wlan-Id = 69 (1) Service-Type = Framed-User (1) Framed-MTU = 1300 (1) NAS-Port-Type = Wireless-802.11 (1) Tunnel-Type:0 = VLAN (1) Tunnel-Medium-Type:0 = IEEE-802 (1) Tunnel-Private-Group-Id:0 = "255" (1) EAP-Message = 0x0203006919800000005f160301005a01000056030159978e892bc0cea1 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00 350005000ac013c014c009c00a003200380013000401000015ff01000100 000a0006000400170018000b00020100 (1) State = 0x68d16d7c68d27498a8bfbed341c368c9 (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 3 length 105 (1) eap: Continuing tunnel setup (1) [eap] = ok (1) } # authorize = ok (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x68d16d7c68d27498 (1) eap: Finished EAP session with state 0x68d16d7c68d27498 (1) eap: Previous EAP request found for state 0x68d16d7c68d27498, released from the list (1) eap: Peer sent packet with method EAP PEAP (25) (1) eap: Calling submodule eap_peap to process data (1) eap_peap: Continuing EAP-TLS (1) eap_peap: Peer indicated complete TLS record size will be 95 bytes (1) eap_peap: Got complete TLS record (95 bytes) (1) eap_peap: [eaptls verify] = length included (1) eap_peap: (other): before/accept initialization (1) eap_peap: TLS_accept: before/accept initialization (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate (1) eap_peap: TLS_accept: unknown state (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004], ServerHelloDone (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: TLS_accept: Need to read more data: unknown state (1) eap_peap: In SSL Handshake Phase (1) eap_peap: In SSL Accept mode (1) eap_peap: [eaptls process] = handled (1) eap: Sending EAP Request (code 1) ID 4 length 778 (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498 (1) [eap] = handled (1) } # authenticate = handled (1) Using Post-Auth-Type Challenge (1) Post-Auth-Type sub-section not found. Ignoring. (1) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 0 (1) EAP-Message = 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30 (1) Message-Authenticator = 0x00000000000000000000000000000000 (1) State = 0x68d16d7c69d57498a8bfbed341c368c9 (1) Finished request Waking up in 4.9 seconds. (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to 172.29.164.218:1812 length 292 (2) User-Name = "gpler" (2) Chargeable-User-Identity = 0x03 (2) Location-Capable = Civix-Location (2) Calling-Station-Id = "6c-71-d9-a9-5e-65" (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x" (2) NAS-Port = 1 (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759" (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057" (2) NAS-IP-Address = 172.30.xxx.x (2) NAS-Identifier = "IPB-WLC-5520" (2) Airespace-Wlan-Id = 69 (2) Service-Type = Framed-User (2) Framed-MTU = 1300 (2) NAS-Port-Type = Wireless-802.11 (2) Tunnel-Type:0 = VLAN (2) Tunnel-Medium-Type:0 = IEEE-802 (2) Tunnel-Private-Group-Id:0 = "255" (2) EAP-Message = 0x0204001119800000000715030100020230 (2) State = 0x68d16d7c69d57498a8bfbed341c368c9 (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331 (2) session-state: No cached attributes (2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL (2) suffix: No such realm "NULL" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 4 length 17 (2) eap: Continuing tunnel setup (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (2) authenticate { (2) eap: Expiring EAP session with state 0x68d16d7c69d57498 (2) eap: Finished EAP session with state 0x68d16d7c69d57498 (2) eap: Previous EAP request found for state 0x68d16d7c69d57498, released from the list (2) eap: Peer sent packet with method EAP PEAP (25) (2) eap: Calling submodule eap_peap to process data (2) eap_peap: Continuing EAP-TLS (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes (2) eap_peap: Got complete TLS record (7 bytes) (2) eap_peap: [eaptls verify] = length included (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA* *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state* *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)* *(2) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca* *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure* *(2) eap_peap: ERROR: System call (I/O) error (-1)* *(2) eap_peap: ERROR: TLS receive handshake failed during operation* *(2) eap_peap: ERROR: [eaptls process] = fail* *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed* (2) eap: Sending EAP Failure (code 4) ID 4 length 4 (2) eap: Failed in EAP select (2) [eap] = invalid (2) } # authenticate = invalid (2) Failed to authenticate the user (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/freeradius/3.0/sites- enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> gpler (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) [eap] = noop (2) policy remove_reply_message_if_eap { (2) if (&reply:EAP-Message && &reply:Reply-Message) { (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (2) else { (2) [noop] = noop (2) } # else = noop (2) } # policy remove_reply_message_if_eap = noop (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (2) Sending delayed response (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to 172.30.xxx.x:49431 length 44 (2) EAP-Message = 0x04040004 (2) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 60 with timestamp +628 (1) Cleaning up request packet ID 61 with timestamp +628 (2) Cleaning up request packet ID 62 with timestamp +628
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
I store it in the local machine, i will try to store it in the user store
then.
Thanks for the help Alan.
On Sun, Aug 20, 2017 at 5:51 AM, Alan Buxey <alan.buxey@gmail.com> wrote:
> No. Not really I wonder if you've installed it in the user store rather
> than system store or such.
>
> alan
>
> On 19 Aug 2017 7:43 pm, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
>
> > Thanks for the reply Alan and Edelberto,
> >
> > I make the certificate based on default cert (/etc/freeradius/certs) and
> > already install it in the right place (Trusted Root Certification
> > Authorities), didn't know what happened but when i try to uncheck the
> > validate server certificate box i can login with no error. Any
> suggestion?
> > is it still safe to connect without validate server by validating the
> > certificates?
> >
> > On Sat, Aug 19, 2017 at 11:31 PM, Alan Buxey <alan.buxey@gmail.com>
> wrote:
> >
> > > Hi
> > >
> > > How did you install it on the Windows client? Just double clicked and
> > chose
> > > default options? You need to make sure you import it into the correct
> > > certificate store location eg local computer/trusted CA location.
> > >
> > > alan
> > >
> > > On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
> > >
> > > > Hi everyone,
> > > >
> > > > I already success create 802.1x wireless authentication using
> > freeradius
> > > > and ldap, i did a test to every device that i have (iphone and laptop
> > > > running windows 10 can connect to 802.1x wireless) but when i try to
> > > > conenct on laptop running windows 7 there's "TLS Alert
> > read:fatal:unknown
> > > > CA" error. I already re-create the root CA (i did this following
> > > > documentation
> > > > http://deployingradius.com/documents/configuration/certificates.html
> ),
> > > > import it to the client, and ensure every detail of the certificate.
> Is
> > > > there any bug with windows 7 or something? any kind of help would be
> > > > appreciated. Thankyou (ca.cnf and server.cnf attached)
> > > >
> > > > Radius log :
> > > > (0) Received Access-Request Id 60 from 172.30.254.3:49431 to
> > > > 172.29.164.218:1812 length 267
> > > > (0) User-Name = "gpler"
> > > > (0) Chargeable-User-Identity = 0x03
> > > > (0) Location-Capable = Civix-Location
> > > > (0) Calling-Station-Id = "6c-71-d9-a9-5e-65"
> > > > (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> > > > (0) NAS-Port = 1
> > > > (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> > > > (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> > > > (0) NAS-IP-Address = 172.30.xxx.x
> > > > (0) NAS-Identifier = "IPB-WLC-5520"
> > > > (0) Airespace-Wlan-Id = 69
> > > > (0) Service-Type = Framed-User
> > > > (0) Framed-MTU = 1300
> > > > (0) NAS-Port-Type = Wireless-802.11
> > > > (0) Tunnel-Type:0 = VLAN
> > > > (0) Tunnel-Medium-Type:0 = IEEE-802
> > > > (0) Tunnel-Private-Group-Id:0 = "255"
> > > > (0) EAP-Message = 0x0202000a0167706c6572
> > > > (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966
> > > > (0) # Executing section authorize from file
> > > > /etc/freeradius/3.0/sites-enabled/default
> > > > (0) authorize {
> > > > (0) policy filter_username {
> > > > (0) if (&User-Name) {
> > > > (0) if (&User-Name) -> TRUE
> > > > (0) if (&User-Name) {
> > > > (0) if (&User-Name =~ /@[^@]*@/ ) {
> > > > (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > > > (0) if (&User-Name =~ /\.\./ ) {
> > > > (0) if (&User-Name =~ /\.\./ ) -> FALSE
> > > > (0) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > > > (0) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> > > ->
> > > > FALSE
> > > > (0) if (&User-Name =~ /\.$/) {
> > > > (0) if (&User-Name =~ /\.$/) -> FALSE
> > > > (0) if (&User-Name =~ /@\./) {
> > > > (0) if (&User-Name =~ /@\./) -> FALSE
> > > > (0) } # if (&User-Name) = notfound
> > > > (0) } # policy filter_username = notfound
> > > > (0) [preprocess] = ok
> > > > (0) [chap] = noop
> > > > (0) [mschap] = noop
> > > > (0) [digest] = noop
> > > > (0) suffix: Checking for suffix after "@"
> > > > (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> > > > (0) suffix: No such realm "NULL"
> > > > (0) [suffix] = noop
> > > > (0) eap: Peer sent EAP Response (code 2) ID 2 length 10
> > > > (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
> the
> > > > rest of authorize
> > > > (0) [eap] = ok
> > > > (0) } # authorize = ok
> > > > (0) Found Auth-Type = eap
> > > > (0) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (0) authenticate {
> > > > (0) eap: Peer sent packet with method EAP Identity (1)
> > > > (0) eap: Calling submodule eap_peap to process data
> > > > (0) eap_peap: Initiating new EAP-TLS session
> > > > (0) eap_peap: [eaptls start] = request
> > > > (0) eap: Sending EAP Request (code 1) ID 3 length 6
> > > > (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498
> > > > (0) [eap] = handled
> > > > (0) } # authenticate = handled
> > > > (0) Using Post-Auth-Type Challenge
> > > > (0) Post-Auth-Type sub-section not found. Ignoring.
> > > > (0) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to
> > > > 172.30.xxx.x:49431 length 0
> > > > (0) EAP-Message = 0x010300061920
> > > > (0) Message-Authenticator = 0x00000000000000000000000000000000
> > > > (0) State = 0x68d16d7c68d27498a8bfbed341c368c9
> > > > (0) Finished request
> > > > Waking up in 4.9 seconds.
> > > > (1) Received Access-Request Id 61 from 172.30.254.3:49431 to
> > > > 172.29.164.218:1812 length 380
> > > > (1) User-Name = "gpler"
> > > > (1) Chargeable-User-Identity = 0x03
> > > > (1) Location-Capable = Civix-Location
> > > > (1) Calling-Station-Id = "6c-71-d9-a9-5e-65"
> > > > (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> > > > (1) NAS-Port = 1
> > > > (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> > > > (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> > > > (1) NAS-IP-Address = 172.30.xxx.x
> > > > (1) NAS-Identifier = "IPB-WLC-5520"
> > > > (1) Airespace-Wlan-Id = 69
> > > > (1) Service-Type = Framed-User
> > > > (1) Framed-MTU = 1300
> > > > (1) NAS-Port-Type = Wireless-802.11
> > > > (1) Tunnel-Type:0 = VLAN
> > > > (1) Tunnel-Medium-Type:0 = IEEE-802
> > > > (1) Tunnel-Private-Group-Id:0 = "255"
> > > > (1) EAP-Message =
> > > > 0x0203006919800000005f160301005a01000056030159978e892bc0cea1
> > > > 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00
> > > > 350005000ac013c014c009c00a003200380013000401000015ff01000100
> > > > 000a0006000400170018000b00020100
> > > > (1) State = 0x68d16d7c68d27498a8bfbed341c368c9
> > > > (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b
> > > > (1) session-state: No cached attributes
> > > > (1) # Executing section authorize from file
> > > > /etc/freeradius/3.0/sites-enabled/default
> > > > (1) authorize {
> > > > (1) policy filter_username {
> > > > (1) if (&User-Name) {
> > > > (1) if (&User-Name) -> TRUE
> > > > (1) if (&User-Name) {
> > > > (1) if (&User-Name =~ /@[^@]*@/ ) {
> > > > (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > > > (1) if (&User-Name =~ /\.\./ ) {
> > > > (1) if (&User-Name =~ /\.\./ ) -> FALSE
> > > > (1) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > > > (1) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> > > ->
> > > > FALSE
> > > > (1) if (&User-Name =~ /\.$/) {
> > > > (1) if (&User-Name =~ /\.$/) -> FALSE
> > > > (1) if (&User-Name =~ /@\./) {
> > > > (1) if (&User-Name =~ /@\./) -> FALSE
> > > > (1) } # if (&User-Name) = notfound
> > > > (1) } # policy filter_username = notfound
> > > > (1) [preprocess] = ok
> > > > (1) [chap] = noop
> > > > (1) [mschap] = noop
> > > > (1) [digest] = noop
> > > > (1) suffix: Checking for suffix after "@"
> > > > (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> > > > (1) suffix: No such realm "NULL"
> > > > (1) [suffix] = noop
> > > > (1) eap: Peer sent EAP Response (code 2) ID 3 length 105
> > > > (1) eap: Continuing tunnel setup
> > > > (1) [eap] = ok
> > > > (1) } # authorize = ok
> > > > (1) Found Auth-Type = eap
> > > > (1) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (1) authenticate {
> > > > (1) eap: Expiring EAP session with state 0x68d16d7c68d27498
> > > > (1) eap: Finished EAP session with state 0x68d16d7c68d27498
> > > > (1) eap: Previous EAP request found for state 0x68d16d7c68d27498,
> > > released
> > > > from the list
> > > > (1) eap: Peer sent packet with method EAP PEAP (25)
> > > > (1) eap: Calling submodule eap_peap to process data
> > > > (1) eap_peap: Continuing EAP-TLS
> > > > (1) eap_peap: Peer indicated complete TLS record size will be 95
> bytes
> > > > (1) eap_peap: Got complete TLS record (95 bytes)
> > > > (1) eap_peap: [eaptls verify] = length included
> > > > (1) eap_peap: (other): before/accept initialization
> > > > (1) eap_peap: TLS_accept: before/accept initialization
> > > > (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004],
> ServerHelloDone
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: TLS_accept: unknown state
> > > > (1) eap_peap: TLS_accept: Need to read more data: unknown state
> > > > (1) eap_peap: TLS_accept: Need to read more data: unknown state
> > > > (1) eap_peap: In SSL Handshake Phase
> > > > (1) eap_peap: In SSL Accept mode
> > > > (1) eap_peap: [eaptls process] = handled
> > > > (1) eap: Sending EAP Request (code 1) ID 4 length 778
> > > > (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498
> > > > (1) [eap] = handled
> > > > (1) } # authenticate = handled
> > > > (1) Using Post-Auth-Type Challenge
> > > > (1) Post-Auth-Type sub-section not found. Ignoring.
> > > > (1) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to
> > > > 172.30.xxx.x:49431 length 0
> > > > (1) EAP-Message =
> > > > 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b
> > > > d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001
> > > > 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202
> > > > 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30
> > > > (1) Message-Authenticator = 0x00000000000000000000000000000000
> > > > (1) State = 0x68d16d7c69d57498a8bfbed341c368c9
> > > > (1) Finished request
> > > > Waking up in 4.9 seconds.
> > > > (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to
> > > > 172.29.164.218:1812 length 292
> > > > (2) User-Name = "gpler"
> > > > (2) Chargeable-User-Identity = 0x03
> > > > (2) Location-Capable = Civix-Location
> > > > (2) Calling-Station-Id = "6c-71-d9-a9-5e-65"
> > > > (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
> > > > (2) NAS-Port = 1
> > > > (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
> > > > (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
> > > > (2) NAS-IP-Address = 172.30.xxx.x
> > > > (2) NAS-Identifier = "IPB-WLC-5520"
> > > > (2) Airespace-Wlan-Id = 69
> > > > (2) Service-Type = Framed-User
> > > > (2) Framed-MTU = 1300
> > > > (2) NAS-Port-Type = Wireless-802.11
> > > > (2) Tunnel-Type:0 = VLAN
> > > > (2) Tunnel-Medium-Type:0 = IEEE-802
> > > > (2) Tunnel-Private-Group-Id:0 = "255"
> > > > (2) EAP-Message = 0x0204001119800000000715030100020230
> > > > (2) State = 0x68d16d7c69d57498a8bfbed341c368c9
> > > > (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331
> > > > (2) session-state: No cached attributes
> > > > (2) # Executing section authorize from file
> > > > /etc/freeradius/3.0/sites-enabled/default
> > > > (2) authorize {
> > > > (2) policy filter_username {
> > > > (2) if (&User-Name) {
> > > > (2) if (&User-Name) -> TRUE
> > > > (2) if (&User-Name) {
> > > > (2) if (&User-Name =~ /@[^@]*@/ ) {
> > > > (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> > > > (2) if (&User-Name =~ /\.\./ ) {
> > > > (2) if (&User-Name =~ /\.\./ ) -> FALSE
> > > > (2) if ((&User-Name =~ /@/) && (&User-Name !~
> > /@(.+)\.(.+)$/)) {
> > > > (2) if ((&User-Name =~ /@/) && (&User-Name !~
> /@(.+)\.(.+)$/))
> > > ->
> > > > FALSE
> > > > (2) if (&User-Name =~ /\.$/) {
> > > > (2) if (&User-Name =~ /\.$/) -> FALSE
> > > > (2) if (&User-Name =~ /@\./) {
> > > > (2) if (&User-Name =~ /@\./) -> FALSE
> > > > (2) } # if (&User-Name) = notfound
> > > > (2) } # policy filter_username = notfound
> > > > (2) [preprocess] = ok
> > > > (2) [chap] = noop
> > > > (2) [mschap] = noop
> > > > (2) [digest] = noop
> > > > (2) suffix: Checking for suffix after "@"
> > > > (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL
> > > > (2) suffix: No such realm "NULL"
> > > > (2) [suffix] = noop
> > > > (2) eap: Peer sent EAP Response (code 2) ID 4 length 17
> > > > (2) eap: Continuing tunnel setup
> > > > (2) [eap] = ok
> > > > (2) } # authorize = ok
> > > > (2) Found Auth-Type = eap
> > > > (2) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (2) authenticate {
> > > > (2) eap: Expiring EAP session with state 0x68d16d7c69d57498
> > > > (2) eap: Finished EAP session with state 0x68d16d7c69d57498
> > > > (2) eap: Previous EAP request found for state 0x68d16d7c69d57498,
> > > released
> > > > from the list
> > > > (2) eap: Peer sent packet with method EAP PEAP (25)
> > > > (2) eap: Calling submodule eap_peap to process data
> > > > (2) eap_peap: Continuing EAP-TLS
> > > > (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes
> > > > (2) eap_peap: Got complete TLS record (7 bytes)
> > > > (2) eap_peap: [eaptls verify] = length included
> > > > (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
> > > > *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA*
> > > > *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state*
> > > > *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)*
> > > > *(2) eap_peap: ERROR: error:14094418:SSL
> routines:ssl3_read_bytes:tlsv1
> > > > alert unknown ca*
> > > > *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
> > > > handshake failure*
> > > > *(2) eap_peap: ERROR: System call (I/O) error (-1)*
> > > > *(2) eap_peap: ERROR: TLS receive handshake failed during operation*
> > > > *(2) eap_peap: ERROR: [eaptls process] = fail*
> > > > *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP
> > sub-module
> > > > failed*
> > > > (2) eap: Sending EAP Failure (code 4) ID 4 length 4
> > > > (2) eap: Failed in EAP select
> > > > (2) [eap] = invalid
> > > > (2) } # authenticate = invalid
> > > > (2) Failed to authenticate the user
> > > > (2) Using Post-Auth-Type Reject
> > > > (2) # Executing group from file /etc/freeradius/3.0/sites-
> > > enabled/default
> > > > (2) Post-Auth-Type REJECT {
> > > > (2) attr_filter.access_reject: EXPAND %{User-Name}
> > > > (2) attr_filter.access_reject: --> gpler
> > > > (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
> > > > (2) [attr_filter.access_reject] = updated
> > > > (2) [eap] = noop
> > > > (2) policy remove_reply_message_if_eap {
> > > > (2) if (&reply:EAP-Message && &reply:Reply-Message) {
> > > > (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> > > > (2) else {
> > > > (2) [noop] = noop
> > > > (2) } # else = noop
> > > > (2) } # policy remove_reply_message_if_eap = noop
> > > > (2) } # Post-Auth-Type REJECT = updated
> > > > (2) Delaying response for 1.000000 seconds
> > > > Waking up in 0.3 seconds.
> > > > Waking up in 0.6 seconds.
> > > > (2) Sending delayed response
> > > > (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to
> > > > 172.30.xxx.x:49431
> > > > length 44
> > > > (2) EAP-Message = 0x04040004
> > > > (2) Message-Authenticator = 0x00000000000000000000000000000000
> > > > Waking up in 3.9 seconds.
> > > > (0) Cleaning up request packet ID 60 with timestamp +628
> > > > (1) Cleaning up request packet ID 61 with timestamp +628
> > > > (2) Cleaning up request packet ID 62 with timestamp +628
> > > >
> > > > -
> > > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > > list/users.html
> > > >
> > > -
> > > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > > list/users.html
> > >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/
> > list/users.html
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html
>
Hello,
you should also note that doing this manually does not scale at all.
Non-you users without a tech clue will rather tick that insecure box
than jump through the hoops if it's too difficult.
You may want to consider generating automated installers, e.g. check out
https://802.1x-config.org
There used to be a section about 802.1X and secure client-side config on
the old FreeRADIUS website, but I can't find it on the new one right now.
Is that content still there?
Greetings,
Stefan Winter
Am 20.08.2017 um 04:21 schrieb Fatih Naufal:
> I store it in the local machine, i will try to store it in the user store
> then.
> Thanks for the help Alan.
>
> On Sun, Aug 20, 2017 at 5:51 AM, Alan Buxey <alan.buxey@gmail.com> wrote:
>
>> No. Not really I wonder if you've installed it in the user store rather
>> than system store or such.
>>
>> alan
>>
>> On 19 Aug 2017 7:43 pm, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
>>
>>> Thanks for the reply Alan and Edelberto,
>>>
>>> I make the certificate based on default cert (/etc/freeradius/certs) and
>>> already install it in the right place (Trusted Root Certification
>>> Authorities), didn't know what happened but when i try to uncheck the
>>> validate server certificate box i can login with no error. Any
>> suggestion?
>>> is it still safe to connect without validate server by validating the
>>> certificates?
>>>
>>> On Sat, Aug 19, 2017 at 11:31 PM, Alan Buxey <alan.buxey@gmail.com>
>> wrote:
>>>
>>>> Hi
>>>>
>>>> How did you install it on the Windows client? Just double clicked and
>>> chose
>>>> default options? You need to make sure you import it into the correct
>>>> certificate store location eg local computer/trusted CA location.
>>>>
>>>> alan
>>>>
>>>> On 19 Aug 2017 2:26 am, "Fatih Naufal" <fatih.avila@gmail.com> wrote:
>>>>
>>>>> Hi everyone,
>>>>>
>>>>> I already success create 802.1x wireless authentication using
>>> freeradius
>>>>> and ldap, i did a test to every device that i have (iphone and laptop
>>>>> running windows 10 can connect to 802.1x wireless) but when i try to
>>>>> conenct on laptop running windows 7 there's "TLS Alert
>>> read:fatal:unknown
>>>>> CA" error. I already re-create the root CA (i did this following
>>>>> documentation
>>>>> http://deployingradius.com/documents/configuration/certificates.html
>> ),
>>>>> import it to the client, and ensure every detail of the certificate.
>> Is
>>>>> there any bug with windows 7 or something? any kind of help would be
>>>>> appreciated. Thankyou (ca.cnf and server.cnf attached)
>>>>>
>>>>> Radius log :
>>>>> (0) Received Access-Request Id 60 from 172.30.254.3:49431 to
>>>>> 172.29.164.218:1812 length 267
>>>>> (0) User-Name = "gpler"
>>>>> (0) Chargeable-User-Identity = 0x03
>>>>> (0) Location-Capable = Civix-Location
>>>>> (0) Calling-Station-Id = "6c-71-d9-a9-5e-65"
>>>>> (0) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
>>>>> (0) NAS-Port = 1
>>>>> (0) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
>>>>> (0) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
>>>>> (0) NAS-IP-Address = 172.30.xxx.x
>>>>> (0) NAS-Identifier = "IPB-WLC-5520"
>>>>> (0) Airespace-Wlan-Id = 69
>>>>> (0) Service-Type = Framed-User
>>>>> (0) Framed-MTU = 1300
>>>>> (0) NAS-Port-Type = Wireless-802.11
>>>>> (0) Tunnel-Type:0 = VLAN
>>>>> (0) Tunnel-Medium-Type:0 = IEEE-802
>>>>> (0) Tunnel-Private-Group-Id:0 = "255"
>>>>> (0) EAP-Message = 0x0202000a0167706c6572
>>>>> (0) Message-Authenticator = 0x107b01b20e515d3a076209dea9af2966
>>>>> (0) # Executing section authorize from file
>>>>> /etc/freeradius/3.0/sites-enabled/default
>>>>> (0) authorize {
>>>>> (0) policy filter_username {
>>>>> (0) if (&User-Name) {
>>>>> (0) if (&User-Name) -> TRUE
>>>>> (0) if (&User-Name) {
>>>>> (0) if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>>>> (0) if (&User-Name =~ /\.\./ ) {
>>>>> (0) if (&User-Name =~ /\.\./ ) -> FALSE
>>>>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>>> /@(.+)\.(.+)$/)) {
>>>>> (0) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>>>> ->
>>>>> FALSE
>>>>> (0) if (&User-Name =~ /\.$/) {
>>>>> (0) if (&User-Name =~ /\.$/) -> FALSE
>>>>> (0) if (&User-Name =~ /@\./) {
>>>>> (0) if (&User-Name =~ /@\./) -> FALSE
>>>>> (0) } # if (&User-Name) = notfound
>>>>> (0) } # policy filter_username = notfound
>>>>> (0) [preprocess] = ok
>>>>> (0) [chap] = noop
>>>>> (0) [mschap] = noop
>>>>> (0) [digest] = noop
>>>>> (0) suffix: Checking for suffix after "@"
>>>>> (0) suffix: No '@' in User-Name = "gpler", looking up realm NULL
>>>>> (0) suffix: No such realm "NULL"
>>>>> (0) [suffix] = noop
>>>>> (0) eap: Peer sent EAP Response (code 2) ID 2 length 10
>>>>> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit
>> the
>>>>> rest of authorize
>>>>> (0) [eap] = ok
>>>>> (0) } # authorize = ok
>>>>> (0) Found Auth-Type = eap
>>>>> (0) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (0) authenticate {
>>>>> (0) eap: Peer sent packet with method EAP Identity (1)
>>>>> (0) eap: Calling submodule eap_peap to process data
>>>>> (0) eap_peap: Initiating new EAP-TLS session
>>>>> (0) eap_peap: [eaptls start] = request
>>>>> (0) eap: Sending EAP Request (code 1) ID 3 length 6
>>>>> (0) eap: EAP session adding &reply:State = 0x68d16d7c68d27498
>>>>> (0) [eap] = handled
>>>>> (0) } # authenticate = handled
>>>>> (0) Using Post-Auth-Type Challenge
>>>>> (0) Post-Auth-Type sub-section not found. Ignoring.
>>>>> (0) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (0) Sent Access-Challenge Id 60 from 172.29.164.218:1812 to
>>>>> 172.30.xxx.x:49431 length 0
>>>>> (0) EAP-Message = 0x010300061920
>>>>> (0) Message-Authenticator = 0x00000000000000000000000000000000
>>>>> (0) State = 0x68d16d7c68d27498a8bfbed341c368c9
>>>>> (0) Finished request
>>>>> Waking up in 4.9 seconds.
>>>>> (1) Received Access-Request Id 61 from 172.30.254.3:49431 to
>>>>> 172.29.164.218:1812 length 380
>>>>> (1) User-Name = "gpler"
>>>>> (1) Chargeable-User-Identity = 0x03
>>>>> (1) Location-Capable = Civix-Location
>>>>> (1) Calling-Station-Id = "6c-71-d9-a9-5e-65"
>>>>> (1) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
>>>>> (1) NAS-Port = 1
>>>>> (1) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
>>>>> (1) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
>>>>> (1) NAS-IP-Address = 172.30.xxx.x
>>>>> (1) NAS-Identifier = "IPB-WLC-5520"
>>>>> (1) Airespace-Wlan-Id = 69
>>>>> (1) Service-Type = Framed-User
>>>>> (1) Framed-MTU = 1300
>>>>> (1) NAS-Port-Type = Wireless-802.11
>>>>> (1) Tunnel-Type:0 = VLAN
>>>>> (1) Tunnel-Medium-Type:0 = IEEE-802
>>>>> (1) Tunnel-Private-Group-Id:0 = "255"
>>>>> (1) EAP-Message =
>>>>> 0x0203006919800000005f160301005a01000056030159978e892bc0cea1
>>>>> 314b3076e48c1432d22b3a1f575d2bd9ef5eadcd1efab780000018002f00
>>>>> 350005000ac013c014c009c00a003200380013000401000015ff01000100
>>>>> 000a0006000400170018000b00020100
>>>>> (1) State = 0x68d16d7c68d27498a8bfbed341c368c9
>>>>> (1) Message-Authenticator = 0x9e55b07936045ad7e26084813251454b
>>>>> (1) session-state: No cached attributes
>>>>> (1) # Executing section authorize from file
>>>>> /etc/freeradius/3.0/sites-enabled/default
>>>>> (1) authorize {
>>>>> (1) policy filter_username {
>>>>> (1) if (&User-Name) {
>>>>> (1) if (&User-Name) -> TRUE
>>>>> (1) if (&User-Name) {
>>>>> (1) if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>>>> (1) if (&User-Name =~ /\.\./ ) {
>>>>> (1) if (&User-Name =~ /\.\./ ) -> FALSE
>>>>> (1) if ((&User-Name =~ /@/) && (&User-Name !~
>>> /@(.+)\.(.+)$/)) {
>>>>> (1) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>>>> ->
>>>>> FALSE
>>>>> (1) if (&User-Name =~ /\.$/) {
>>>>> (1) if (&User-Name =~ /\.$/) -> FALSE
>>>>> (1) if (&User-Name =~ /@\./) {
>>>>> (1) if (&User-Name =~ /@\./) -> FALSE
>>>>> (1) } # if (&User-Name) = notfound
>>>>> (1) } # policy filter_username = notfound
>>>>> (1) [preprocess] = ok
>>>>> (1) [chap] = noop
>>>>> (1) [mschap] = noop
>>>>> (1) [digest] = noop
>>>>> (1) suffix: Checking for suffix after "@"
>>>>> (1) suffix: No '@' in User-Name = "gpler", looking up realm NULL
>>>>> (1) suffix: No such realm "NULL"
>>>>> (1) [suffix] = noop
>>>>> (1) eap: Peer sent EAP Response (code 2) ID 3 length 105
>>>>> (1) eap: Continuing tunnel setup
>>>>> (1) [eap] = ok
>>>>> (1) } # authorize = ok
>>>>> (1) Found Auth-Type = eap
>>>>> (1) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (1) authenticate {
>>>>> (1) eap: Expiring EAP session with state 0x68d16d7c68d27498
>>>>> (1) eap: Finished EAP session with state 0x68d16d7c68d27498
>>>>> (1) eap: Previous EAP request found for state 0x68d16d7c68d27498,
>>>> released
>>>>> from the list
>>>>> (1) eap: Peer sent packet with method EAP PEAP (25)
>>>>> (1) eap: Calling submodule eap_peap to process data
>>>>> (1) eap_peap: Continuing EAP-TLS
>>>>> (1) eap_peap: Peer indicated complete TLS record size will be 95
>> bytes
>>>>> (1) eap_peap: Got complete TLS record (95 bytes)
>>>>> (1) eap_peap: [eaptls verify] = length included
>>>>> (1) eap_peap: (other): before/accept initialization
>>>>> (1) eap_peap: TLS_accept: before/accept initialization
>>>>> (1) eap_peap: <<< recv TLS 1.0 Handshake [length 005a], ClientHello
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: >>> send TLS 1.0 Handshake [length 0031], ServerHello
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: >>> send TLS 1.0 Handshake [length 02c0], Certificate
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: >>> send TLS 1.0 Handshake [length 0004],
>> ServerHelloDone
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: TLS_accept: unknown state
>>>>> (1) eap_peap: TLS_accept: Need to read more data: unknown state
>>>>> (1) eap_peap: TLS_accept: Need to read more data: unknown state
>>>>> (1) eap_peap: In SSL Handshake Phase
>>>>> (1) eap_peap: In SSL Accept mode
>>>>> (1) eap_peap: [eaptls process] = handled
>>>>> (1) eap: Sending EAP Request (code 1) ID 4 length 778
>>>>> (1) eap: EAP session adding &reply:State = 0x68d16d7c69d57498
>>>>> (1) [eap] = handled
>>>>> (1) } # authenticate = handled
>>>>> (1) Using Post-Auth-Type Challenge
>>>>> (1) Post-Auth-Type sub-section not found. Ignoring.
>>>>> (1) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (1) Sent Access-Challenge Id 61 from 172.29.164.218:1812 to
>>>>> 172.30.xxx.x:49431 length 0
>>>>> (1) EAP-Message =
>>>>> 0x0104030a190016030100310200002d03016e22346727c2b7bfd58d3b5b
>>>>> d06acbc17fa96d02f7937abfe946a411c305079800002f000005ff010001
>>>>> 0016030102c00b0002bc0002b90002b6308202b23082019aa00302010202
>>>>> 0900e889295aaea3149d300d06092a864886f70d01010b05003011310f30
>>>>> (1) Message-Authenticator = 0x00000000000000000000000000000000
>>>>> (1) State = 0x68d16d7c69d57498a8bfbed341c368c9
>>>>> (1) Finished request
>>>>> Waking up in 4.9 seconds.
>>>>> (2) Received Access-Request Id 62 from 172.30.xxx.x:49431 to
>>>>> 172.29.164.218:1812 length 292
>>>>> (2) User-Name = "gpler"
>>>>> (2) Chargeable-User-Identity = 0x03
>>>>> (2) Location-Capable = Civix-Location
>>>>> (2) Calling-Station-Id = "6c-71-d9-a9-5e-65"
>>>>> (2) Called-Station-Id = "58-ac-78-ee-8a-20:802.1x"
>>>>> (2) NAS-Port = 1
>>>>> (2) Cisco-AVPair = "audit-session-id=03fe1eac0003fe3fa18e9759"
>>>>> (2) Acct-Session-Id = "59978ea1/6c:71:d9:a9:5e:65/71057"
>>>>> (2) NAS-IP-Address = 172.30.xxx.x
>>>>> (2) NAS-Identifier = "IPB-WLC-5520"
>>>>> (2) Airespace-Wlan-Id = 69
>>>>> (2) Service-Type = Framed-User
>>>>> (2) Framed-MTU = 1300
>>>>> (2) NAS-Port-Type = Wireless-802.11
>>>>> (2) Tunnel-Type:0 = VLAN
>>>>> (2) Tunnel-Medium-Type:0 = IEEE-802
>>>>> (2) Tunnel-Private-Group-Id:0 = "255"
>>>>> (2) EAP-Message = 0x0204001119800000000715030100020230
>>>>> (2) State = 0x68d16d7c69d57498a8bfbed341c368c9
>>>>> (2) Message-Authenticator = 0xfd97ab9dc41ef3ae771c43ad2daa9331
>>>>> (2) session-state: No cached attributes
>>>>> (2) # Executing section authorize from file
>>>>> /etc/freeradius/3.0/sites-enabled/default
>>>>> (2) authorize {
>>>>> (2) policy filter_username {
>>>>> (2) if (&User-Name) {
>>>>> (2) if (&User-Name) -> TRUE
>>>>> (2) if (&User-Name) {
>>>>> (2) if (&User-Name =~ /@[^@]*@/ ) {
>>>>> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>>>>> (2) if (&User-Name =~ /\.\./ ) {
>>>>> (2) if (&User-Name =~ /\.\./ ) -> FALSE
>>>>> (2) if ((&User-Name =~ /@/) && (&User-Name !~
>>> /@(.+)\.(.+)$/)) {
>>>>> (2) if ((&User-Name =~ /@/) && (&User-Name !~
>> /@(.+)\.(.+)$/))
>>>> ->
>>>>> FALSE
>>>>> (2) if (&User-Name =~ /\.$/) {
>>>>> (2) if (&User-Name =~ /\.$/) -> FALSE
>>>>> (2) if (&User-Name =~ /@\./) {
>>>>> (2) if (&User-Name =~ /@\./) -> FALSE
>>>>> (2) } # if (&User-Name) = notfound
>>>>> (2) } # policy filter_username = notfound
>>>>> (2) [preprocess] = ok
>>>>> (2) [chap] = noop
>>>>> (2) [mschap] = noop
>>>>> (2) [digest] = noop
>>>>> (2) suffix: Checking for suffix after "@"
>>>>> (2) suffix: No '@' in User-Name = "gpler", looking up realm NULL
>>>>> (2) suffix: No such realm "NULL"
>>>>> (2) [suffix] = noop
>>>>> (2) eap: Peer sent EAP Response (code 2) ID 4 length 17
>>>>> (2) eap: Continuing tunnel setup
>>>>> (2) [eap] = ok
>>>>> (2) } # authorize = ok
>>>>> (2) Found Auth-Type = eap
>>>>> (2) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (2) authenticate {
>>>>> (2) eap: Expiring EAP session with state 0x68d16d7c69d57498
>>>>> (2) eap: Finished EAP session with state 0x68d16d7c69d57498
>>>>> (2) eap: Previous EAP request found for state 0x68d16d7c69d57498,
>>>> released
>>>>> from the list
>>>>> (2) eap: Peer sent packet with method EAP PEAP (25)
>>>>> (2) eap: Calling submodule eap_peap to process data
>>>>> (2) eap_peap: Continuing EAP-TLS
>>>>> (2) eap_peap: Peer indicated complete TLS record size will be 7 bytes
>>>>> (2) eap_peap: Got complete TLS record (7 bytes)
>>>>> (2) eap_peap: [eaptls verify] = length included
>>>>> (2) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
>>>>> *(2) eap_peap: ERROR: TLS Alert read:fatal:unknown CA*
>>>>> *(2) eap_peap: ERROR: TLS_accept: Failed in unknown state*
>>>>> *(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)*
>>>>> *(2) eap_peap: ERROR: error:14094418:SSL
>> routines:ssl3_read_bytes:tlsv1
>>>>> alert unknown ca*
>>>>> *(2) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
>>>>> handshake failure*
>>>>> *(2) eap_peap: ERROR: System call (I/O) error (-1)*
>>>>> *(2) eap_peap: ERROR: TLS receive handshake failed during operation*
>>>>> *(2) eap_peap: ERROR: [eaptls process] = fail*
>>>>> *(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP
>>> sub-module
>>>>> failed*
>>>>> (2) eap: Sending EAP Failure (code 4) ID 4 length 4
>>>>> (2) eap: Failed in EAP select
>>>>> (2) [eap] = invalid
>>>>> (2) } # authenticate = invalid
>>>>> (2) Failed to authenticate the user
>>>>> (2) Using Post-Auth-Type Reject
>>>>> (2) # Executing group from file /etc/freeradius/3.0/sites-
>>>> enabled/default
>>>>> (2) Post-Auth-Type REJECT {
>>>>> (2) attr_filter.access_reject: EXPAND %{User-Name}
>>>>> (2) attr_filter.access_reject: --> gpler
>>>>> (2) attr_filter.access_reject: Matched entry DEFAULT at line 11
>>>>> (2) [attr_filter.access_reject] = updated
>>>>> (2) [eap] = noop
>>>>> (2) policy remove_reply_message_if_eap {
>>>>> (2) if (&reply:EAP-Message && &reply:Reply-Message) {
>>>>> (2) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
>>>>> (2) else {
>>>>> (2) [noop] = noop
>>>>> (2) } # else = noop
>>>>> (2) } # policy remove_reply_message_if_eap = noop
>>>>> (2) } # Post-Auth-Type REJECT = updated
>>>>> (2) Delaying response for 1.000000 seconds
>>>>> Waking up in 0.3 seconds.
>>>>> Waking up in 0.6 seconds.
>>>>> (2) Sending delayed response
>>>>> (2) Sent Access-Reject Id 62 from 172.29.164.218:1812 to
>>>>> 172.30.xxx.x:49431
>>>>> length 44
>>>>> (2) EAP-Message = 0x04040004
>>>>> (2) Message-Authenticator = 0x00000000000000000000000000000000
>>>>> Waking up in 3.9 seconds.
>>>>> (0) Cleaning up request packet ID 60 with timestamp +628
>>>>> (1) Cleaning up request packet ID 61 with timestamp +628
>>>>> (2) Cleaning up request packet ID 62 with timestamp +628
>>>>>
>>>>> -
>>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>>> list/users.html
>>>>>
>>>> -
>>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>>> list/users.html
>>>>
>>> -
>>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>>> list/users.html
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/
>> list/users.html
>>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette
Tel: +352 424409 1
Fax: +352 422473
PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Aug 21, 2017, at 10:02 AM, Stefan Winter <stefan.winter@restena.lu> wrote:
There used to be a section about 802.1X and secure client-side config on the old FreeRADIUS website, but I can't find it on the new one right now.
Is that content still there?
Hm.. seems to have disappeared in the move. I'll take a look. Alan DeKok.
participants (5)
-
Alan Buxey -
Alan DeKok -
Edelberto Franco -
Fatih Naufal -
Stefan Winter