Hello, I’m using version 2.2.0 which is installed with Mac OS X 10.10.3. Trying to get EAP-TLS working. I *think* I have my certificates installed, and permissions set correctly, however my clients can’t connect and the error, best I can tell, is certificate based as I receive the error “certificate signature failure”. Where I’m not sure is if this means I have something wrong with my public/private key, an error in my config files with FreeRadius, or something else entirely. Pasting an excerpt of what I believe my problem is, then the entire listing when I run "sudo radiusd -X”. Any help appreciated. Thanks. Scott EXCERPT: +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 07f4], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = excelsior.REDACTED [tls] --> BUF-Name = REDACTED CA ROOT [tls] --> subject = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED@gmail.com [tls] --> issuer = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED@gmail.com [tls] --> verify return:1 --> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (certificate signature failure): [excelsior.REDACTED/<via Auth-Type = EAP>] (from client melbourne.REDACTED port 0 cli 80-BE-05-3A-12-72) Using Post-Auth-Type REJECT FULL OUTPUT OF “radiusd -X” FreeRADIUS Version 2.2.0, for host i386-apple-darwin13.0, built on Mar 31 2015 at 12:21:58 Copyright (C) 1999-2012 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /Library/Server/radius/raddb/radiusd.conf including configuration file /Library/Server/radius/raddb/clients.conf including files in directory /Library/Server/radius/raddb/modules/ including configuration file /Library/Server/radius/raddb/modules/acct_unique including configuration file /Library/Server/radius/raddb/modules/always including configuration file /Library/Server/radius/raddb/modules/attr_filter including configuration file /Library/Server/radius/raddb/modules/attr_rewrite including configuration file /Library/Server/radius/raddb/modules/cache including configuration file /Library/Server/radius/raddb/modules/chap including configuration file /Library/Server/radius/raddb/modules/checkval including configuration file /Library/Server/radius/raddb/modules/counter including configuration file /Library/Server/radius/raddb/modules/cui including configuration file /Library/Server/radius/raddb/modules/detail including configuration file /Library/Server/radius/raddb/modules/detail.example.com including configuration file /Library/Server/radius/raddb/modules/detail.log including configuration file /Library/Server/radius/raddb/modules/dhcp_sqlippool including configuration file /Library/Server/radius/raddb/sql/mysql/ippool-dhcp.conf including configuration file /Library/Server/radius/raddb/modules/digest including configuration file /Library/Server/radius/raddb/modules/dynamic_clients including configuration file /Library/Server/radius/raddb/modules/echo including configuration file /Library/Server/radius/raddb/modules/etc_group including configuration file /Library/Server/radius/raddb/modules/exec including configuration file /Library/Server/radius/raddb/modules/expiration including configuration file /Library/Server/radius/raddb/modules/expr including configuration file /Library/Server/radius/raddb/modules/files including configuration file /Library/Server/radius/raddb/modules/inner-eap including configuration file /Library/Server/radius/raddb/modules/ippool including configuration file /Library/Server/radius/raddb/modules/krb5 including configuration file /Library/Server/radius/raddb/modules/ldap including configuration file /Library/Server/radius/raddb/modules/linelog including configuration file /Library/Server/radius/raddb/modules/logintime including configuration file /Library/Server/radius/raddb/modules/mac2ip including configuration file /Library/Server/radius/raddb/modules/mac2vlan including configuration file /Library/Server/radius/raddb/modules/mschap including configuration file /Library/Server/radius/raddb/modules/ntlm_auth including configuration file /Library/Server/radius/raddb/modules/opendirectory including configuration file /Library/Server/radius/raddb/modules/otp including configuration file /Library/Server/radius/raddb/modules/pam including configuration file /Library/Server/radius/raddb/modules/pap including configuration file /Library/Server/radius/raddb/modules/passwd including configuration file /Library/Server/radius/raddb/modules/perl including configuration file /Library/Server/radius/raddb/modules/policy including configuration file /Library/Server/radius/raddb/modules/preprocess including configuration file /Library/Server/radius/raddb/modules/radrelay including configuration file /Library/Server/radius/raddb/modules/radutmp including configuration file /Library/Server/radius/raddb/modules/realm including configuration file /Library/Server/radius/raddb/modules/redis including configuration file /Library/Server/radius/raddb/modules/rediswho including configuration file /Library/Server/radius/raddb/modules/replicate including configuration file /Library/Server/radius/raddb/modules/smbpasswd including configuration file /Library/Server/radius/raddb/modules/smsotp including configuration file /Library/Server/radius/raddb/modules/soh including configuration file /Library/Server/radius/raddb/modules/sql_log including configuration file /Library/Server/radius/raddb/modules/sqlcounter_expire_on_login including configuration file /Library/Server/radius/raddb/modules/sradutmp including configuration file /Library/Server/radius/raddb/modules/unix including configuration file /Library/Server/radius/raddb/modules/wimax including configuration file /Library/Server/radius/raddb/eap.conf including configuration file /Library/Server/radius/raddb/sql.conf including configuration file /Library/Server/radius/raddb/sql/sqlite/dialup.conf including configuration file /Library/Server/radius/raddb/policy.conf including files in directory /Library/Server/radius/raddb/sites-enabled/ including configuration file /Library/Server/radius/raddb/sites-enabled/control-socket including configuration file /Library/Server/radius/raddb/sites-enabled/default including configuration file /Library/Server/radius/raddb/sites-enabled/inner-tunnel main { allow_core_dumps = no } including dictionary file /Library/Server/radius/raddb/dictionary main { name = "radiusd" prefix = "/Applications/Server.app/Contents/ServerRoot/usr" localstatedir = "/private/var" sbindir = "/Applications/Server.app/Contents/ServerRoot/usr/sbin" logdir = "/private/var/log/radius" run_dir = "/private/var" libdir = "/Applications/Server.app/Contents/ServerRoot/usr/lib/freeradius" radacctdir = "/private/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/private/var/radiusd.pid" checkrad = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/checkrad" debug_level = 0 proxy_requests = no log { stripped_names = no auth = yes auth_badpass = yes auth_goodpass = yes } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /Library/Server/radius/raddb/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /Library/Server/radius/raddb/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /Library/Server/radius/raddb/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /Library/Server/radius/raddb/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } Module: Linked to module rlm_sql Module: Instantiating module "sql" from file /Library/Server/radius/raddb/sql.conf sql { driver = "rlm_sql_sqlite" server = "localhost" port = "" login = "radius" password = "radpass" radius_db = "radius" read_groups = yes sqltrace = no sqltracefile = "/private/var/log/radius/sqltrace.sql" readclients = yes deletestalesessions = yes num_sql_socks = 5 lifetime = 0 max_queries = 0 sql_user_name = "%{User-Name}" default_user_profile = "" nas_query = "SELECT id,nasname,shortname,type,secret FROM nas" authorize_check_query = "" authorize_group_check_query = "" authorize_group_reply_query = "" accounting_onoff_query = "" accounting_update_query = "" accounting_update_query_alt = "" accounting_start_query = "" accounting_start_query_alt = "" accounting_stop_query = "" accounting_stop_query_alt = "" connect_failure_retry_delay = 60 simul_count_query = "" simul_verify_query = "" postauth_query = "" safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /" } rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked rlm_sql (sql): Attempting to connect to radius@localhost:/radius rlm_sql (sql): starting 0 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #0 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #0 rlm_sql (sql): starting 1 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #1 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #1 rlm_sql (sql): starting 2 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #2 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #2 rlm_sql (sql): starting 3 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #3 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #3 rlm_sql (sql): starting 4 rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4 rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #4 rlm_sql_sqlite: sqlite3_open() = 0 rlm_sql (sql): Connected new DB handle, #4 rlm_sql (sql): Processing generate_sql_clients rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas rlm_sql (sql): Reserving sql socket id: 4 rlm_sql_sqlite: sqlite3_prepare() = 0 rlm_sql_sqlite: sqlite3_step = 100 rlm_sql (sql): Read entry nasname=10.0.2.212,shortname=melbourne.REDACTED,secret=8AToGBlTfakHTRIgDkgxkJKOGpwPuRj8nC6WywGBmiQOiHL5oz rlm_sql (sql): Adding client 10.0.2.212 (melbourne.REDACTED, server=<none>) to clients list rlm_sql_sqlite: sqlite3_step = 101 rlm_sql_sqlite: sqlite3_finalize() = 0 rlm_sql (sql): Released sql socket id: 4 } radiusd: #### Loading Virtual Servers #### server { # from file /Library/Server/radius/raddb/radiusd.conf modules { Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /Library/Server/radius/raddb/eap.conf eap { default_eap_type = "tls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/Library/Server/radius/raddb/certs" pem_file_type = yes private_key_file = "server.key" certificate_file = "server.crt" CA_file = "server.crt" private_key_password = “REDACTED” dh_file = "/Library/Server/radius/raddb/certs/dh" random_file = "/Library/Server/radius/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/Library/Server/radius/raddb/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { tmpdir = "/tmp/radiusd" client = "/usr/bin/openssl verify -CApath /Library/Server/radius/raddb/certs %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /Library/Server/radius/raddb/modules/preprocess preprocess { huntgroups = "/Library/Server/radius/raddb/huntgroups" hints = "/Library/Server/radius/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } reading pairlist file /Library/Server/radius/raddb/huntgroups reading pairlist file /Library/Server/radius/raddb/hints Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /Library/Server/radius/raddb/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /Library/Server/radius/raddb/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port" } Module: Linked to module rlm_files Module: Instantiating module "files" from file /Library/Server/radius/raddb/modules/files files { usersfile = "/Library/Server/radius/raddb/users" acctusersfile = "/Library/Server/radius/raddb/acct_users" preproxy_usersfile = "/Library/Server/radius/raddb/preproxy_users" compat = "no" } reading pairlist file /Library/Server/radius/raddb/users reading pairlist file /Library/Server/radius/raddb/acct_users reading pairlist file /Library/Server/radius/raddb/preproxy_users Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /Library/Server/radius/raddb/modules/detail detail { detailfile = "/private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /Library/Server/radius/raddb/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/Library/Server/radius/raddb/attrs.accounting_response" key = "%{User-Name}" relaxed = no } reading pairlist file /Library/Server/radius/raddb/attrs.accounting_response Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /Library/Server/radius/raddb/modules/radutmp radutmp { filename = "/private/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /Library/Server/radius/raddb/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/Library/Server/radius/raddb/attrs.access_reject" key = "%{User-Name}" relaxed = no } reading pairlist file /Library/Server/radius/raddb/attrs.access_reject } # modules } # server server inner-tunnel { # from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /Library/Server/radius/raddb/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /Library/Server/radius/raddb/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /Library/Server/radius/raddb/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes use_open_directory = yes } Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /Library/Server/radius/raddb/modules/unix unix { radwtmp = "/private/var/log/radius/radwtmp" } Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "control" listen { socket = "/private/var/radiusd.sock" } } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /private/var/radiusd.sock Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Ready to process requests. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=4, length=210 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x024a001b01657863656c73696f722e616b67686574746f2e636f6d Message-Authenticator = 0x25fa1d3162e5d274f37dd609d784e864 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 74 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 4 to 10.0.2.212 port 32817 EAP-Message = 0x014b00060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01225f91016952cfb3e720410b079302 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=5, length=353 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x024b00980d800000008e16030100890100008503015563dc437b970647c704a53905a9ef995102a97e4e93d9353f774bd59e92d43000004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100 State = 0x01225f91016952cfb3e720410b079302 Message-Authenticator = 0x09da5a8ca03143ce1fe242d7846b6c9a # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 75 length 152 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 142 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0089], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0446], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00bb], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 5 to 10.0.2.212 port 32817 EAP-Message = 0x014c04000dc00000075316030100310200002d03015563dc4307b72fca4a9e4d223bc00807a5c8cc128360c6d430002ed4736304d0000039000005ff0100010016030104460b00044200043f00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973 EAP-Message = 0x636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a EAP-Message = 0x0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9fef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343 EAP-Message = 0x456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d2500300d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a EAP-Message = 0x5878127fef2b98ebdd0d6593 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01225f91006e52cfb3e720410b079302 Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=6, length=207 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x024c00060d00 State = 0x01225f91006e52cfb3e720410b079302 Message-Authenticator = 0x55a0649c9f63d4eee5491d479d547ca2 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 76 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 6 to 10.0.2.212 port 32817 EAP-Message = 0x014d03670d80000007534fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a46518d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a30160301020d0c0002090080d5a9b49c3a74120e0ab80fafbacf3b7c0a0a4971814dcf0918484d21147c0971b222e6d2d8bc6fa92f13683f7f792a3ffffa6a0fd59dc268612175a84b610a268924ff711100ef2091bf096450b9fe33d9c89768044a45cf9922c54710 EAP-Message = 0xd83e201a78cbec5ff7df962d1d13c1ce76f59c2fb2e9fc36da77a054442693d74d56730001050080b27b19fb4ee27274196d95ffaadca22f8f817fb34b5483b91ba8e8cf67ade0612c3d0d7d0d4bdf047b5eb6a1fa0b8b41d1dde26d880bb887d803e383fa6c60c45682bfddfe9917fe7b65e5d8099b5932e567b985e5db31e25a13ade81d6a234f31ef5935664790e92fb6c8462c9b655127fd8a7fb1400e82d3495902b2c6986e010055a625d94b8a8dfa31dcf5203b924ac4236c8100b330c109baafc6fb94dfa08155421005aa93b3c9c54cc9e188506d010506e842b8d98daf5a47fbec72a550c55029272a5b9f0f934cfe972c749f9f41e0c4e9 EAP-Message = 0x673fdbaf8dd649de2f2983117345b1a634c9745a0ab2b5ea74a5dfa9e2a093a1268cea05ee70aac8276fc2312aef0bfa49f2933a50bae9fbcb15347caf38a1e575f86f7c4c6c584c6762cf51adf172aa3796f5a63da7352799c6794b02cd10042aa5f0e278c097867479489b4e7ce1ee57b3726a5b9da517169b01fdbc295ea66f0946c6282e5f5b65256d45549f21bd1dfd089f2ca0486ae99ab61639a3abec1cec4f9c69c3206409e2197bcc16030100bb0d0000b305030401024000ab00a93081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b301906035504 EAP-Message = 0x0b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01225f91036f52cfb3e720410b079302 Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=7, length=1487 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x024d04fc0dc0000009ca16030107f40b0007f00007ed0003ab308203a73082028fa00302010202010a300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532353032303233325a170d3136303532343032303233 EAP-Message = 0x325a305d311f301d06035504030c16657863656c73696f722e616b67686574746f2e636f6d310b3009060355040613025553312d302b06092a864886f70d010901161e73636f74742e612e6a6f686e736f6e4077656c6c73666172676f2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5a9c7fb77faa3b27e434505743b5e7662a6abc512d873049cae8074243cfc556439e7b4780dfb054f63dfbf148303b4a41c3c495c3c4837661888d88ffe3d3561fad3a3a07a006b8bc0031fbaf7f659c321208741b4b778eaeb4b076df24bfd4858c49bc271b7ec8fe518083f360cd4c2980ba1e4abb48c42a136 EAP-Message = 0xb97f33d0ba311a1ccb604cbeaba1900060a83ecc5132c925ef0e1883a4c1c9a3fd10305cc1f852f3db3ee819e252fc82270d6642da69633ae255bdcd9c596d5b5fcc1ae32cd36f2968c9ef5945b829e2370f4b1ef1466e5b6a806c0381abe60c0e70e90ba12b847b856ec79151ac41b0ebfb3b26562c2fdac6380acc9485584c999982702f0203010001a32a3028300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b06010505070302300d06092a864886f70d01010b050003820101007d3b8b74f07a5d7eb3acfa9870e571f69e9df262eaec17a4e9054aab826d7ce554cd6c7e159372be9efef6bd453b93d0f57b26 EAP-Message = 0x952dd184a421224f9dc3776c14ef596f47d5912dd87783c7d78ea14fca2f3eab987de8cd25434bf7c4f0a104b70fa6426677d300ccf844d1746c4649d91eaf82e7c8a9eae8b99960e3e0a9eb10599685bbbf4c6ada0c7a2d79bf23fe0cac48da9d444590fe378327c19ba1074c8f524592530c65c43c8b4c4b27b6534029dd87f140dca526b8d2731376b4ce55c3a9bdf88584a4bb9653394a4b8a1d0f6e3faaf5ba892daf7c52f7292c5c5d90ad7e6694d0f689e882998eddae207c584f92e77e0043a1afc685218f7f6643bd00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b EAP-Message = 0x47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e657477 EAP-Message = 0x6f726b204f706572617469 State = 0x01225f91036f52cfb3e720410b079302 Message-Authenticator = 0x2440d17407bd35257e345216c3df16a4 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 77 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2506 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 7 to 10.0.2.212 port 32817 EAP-Message = 0x014e00060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x01225f91026c52cfb3e720410b079302 Finished request 3. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=8, length=1455 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x024e04de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9 EAP-Message = 0xfef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d250030 EAP-Message = 0x0d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a5878127fef2b98ebdd0d65934fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a4651 EAP-Message = 0x8d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a30160301008610000082008076ae79d0ea88643b5cbbc47bf605ea6056d9f9f31a2b3e4c4905ed82b9547d7088a6c38d72239281428afaddb24d8e9cd52a220cffafec9ed506b0e1d51559c5c82f9746a2f2a45ab5f47cfd255f2bbf170b5df1a4e50c73ed36b74a9abaa9476eab9a897463d55189dc935c669eaff7f3b452d991a13c51a7582dbc35a62f4316030101060f0001020100ac295e703efa852fb102990efb0b4204c27abf5c2a1f3d0c9f9751ad0e9b386ab5f4b63090c521fdbb38244eb5af4c8959076c80672747b2cf1dd327889db859ba6b7f68540272ce446fa569d3e59efd41 EAP-Message = 0x19daaa4c523ad21e6a8a114f41e86c0590d58e2098a6921c0cf1946f777f3825aaf06c4c7301de1a17ff2e8a46104ab57caddfe8e54e3da7f226a8f210e1d09b08b5318dd386c9ad50ae8996e29ae657d6d5827acb73447e6d556b001de51662637257da3d56164f09090a89aa8619fce80162d2b00361ceb84fdcdbb5c355a38bfb643fca4fdfab7ae0064dcd5a7a43d6ae9a6e048181213036647c37e421160ade6819f0bd28115eb9739d9da0b8140301000101160301003068e729c6d8580453099ff4313996d147ef59b22a90cb83af06b7e67ea7ab1cf22cc541fb61f6b978f7f9cdad684838aa State = 0x01225f91026c52cfb3e720410b079302 Message-Authenticator = 0xb5c05f761e635be28cfe0d537a85e7e8 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 78 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 07f4], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = excelsior.REDACTED [tls] --> BUF-Name = REDACTED CA ROOT [tls] --> subject = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED@gmail.com [tls] --> issuer = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED@gmail.com [tls] --> verify return:1 --> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (certificate signature failure): [excelsior.REDACTED/<via Auth-Type = EAP>] (from client melbourne.REDACTED port 0 cli 80-BE-05-3A-12-72) Using Post-Auth-Type REJECT # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group REJECT {...} ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x024e04de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9 ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++- entering if ("%{EAP-Message}") {...} expand: %{Message-Authenticator} -> 0xb5c05f761e635be28cfe0d537a85e7e8 +++[reply] returns noop ++- if ("%{EAP-Message}") returns noop [attr_filter.access_reject] expand: %{User-Name} -> excelsior.REDACTED attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 8 to 10.0.2.212 port 32817 EAP-Message = 0x044e0004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.7 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=9, length=210 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f2001b01657863656c73696f722e616b67686574746f2e636f6d Message-Authenticator = 0x83c791cc5877bd077c0961d93cecdead # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 242 length 27 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 9 to 10.0.2.212 port 32817 EAP-Message = 0x01f300060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd1d2c5bcdee2148e0c4efca7138c662 Finished request 5. Going to the next request Waking up in 3.3 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=10, length=353 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f300980d800000008e16030100890100008503015563dc45cc56c1efaa2cc6712a2b8e5493a662ee52a6311a68b42c0d1001822f00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100 State = 0xcd1d2c5bcdee2148e0c4efca7138c662 Message-Authenticator = 0x90be50ebd35ab89ba525e4dfa557d9a7 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 243 length 152 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 142 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0089], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 0031], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 0446], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange [tls] TLS_accept: SSLv3 write key exchange A [tls] >>> TLS 1.0 Handshake [length 00bb], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 10 to 10.0.2.212 port 32817 EAP-Message = 0x01f404000dc00000075316030100310200002d03015563dc45971ac2228efffbc2df066c646694798f220d29d35d3965cba5076c76000039000005ff0100010016030104460b00044200043f00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973 EAP-Message = 0x636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a EAP-Message = 0x0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9fef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343 EAP-Message = 0x456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d2500300d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a EAP-Message = 0x5878127fef2b98ebdd0d6593 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd1d2c5bcce92148e0c4efca7138c662 Finished request 6. Going to the next request Waking up in 3.2 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=11, length=207 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f400060d00 State = 0xcd1d2c5bcce92148e0c4efca7138c662 Message-Authenticator = 0xdcb38934bb553b00882b2180b31f24bb # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 244 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 11 to 10.0.2.212 port 32817 EAP-Message = 0x01f503670d80000007534fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a46518d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a30160301020d0c0002090080d5a9b49c3a74120e0ab80fafbacf3b7c0a0a4971814dcf0918484d21147c0971b222e6d2d8bc6fa92f13683f7f792a3ffffa6a0fd59dc268612175a84b610a268924ff711100ef2091bf096450b9fe33d9c89768044a45cf9922c54710 EAP-Message = 0xd83e201a78cbec5ff7df962d1d13c1ce76f59c2fb2e9fc36da77a054442693d74d567300010500802a74984a5f651db815612265315dab94cf8ed8c35f12a8ee8dc65d8dfafff25805842759ee1c223670e1e0fb9f51955c53c3d149c00ea3ece7518a3b0b318b156b4f10fab1e590862ad49fbcae23df2430a00b43a1bad6b8a1e5f1fdb7d9c4e087d54303984ec695ef01e5a1dae25f12b9edaf1e0de139a13e990bf836e885bc01007594387c10b6cf639b83bb1551526e7edd3bb849d14dc36550f42316166daeed07f22037e614f598d8ee419f566efac7ad90b71d88799a5fcc5dd52cabacaaf3e1b86bd37786cf050f800edb179894dc8d6223 EAP-Message = 0x4a05c165eeb09b5db2f7bff6598bcd4cc6d8245d14ec9b7466f3f10395c02b82586687fe0c0f117cfa5d6bff8c6dc78899f4d7b62e6ec88467b4296ce9d6f4272254aa8d683545a26feb8b863f44fb13cc0083740dc540507327a2d004c06fe7691ca49eb813b33aff9442d1dba472830ec56b16bc5a20111598815131ba26aa9822b1176bb948597833f49bc2e46b6bdd80d76593b2d27b5cd23983bdc4b608a0029d25a3d2fcb3806bc9435616030100bb0d0000b305030401024000ab00a93081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b301906035504 EAP-Message = 0x0b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd1d2c5bcfe82148e0c4efca7138c662 Finished request 7. Going to the next request Waking up in 3.1 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=12, length=1487 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f504fc0dc0000009ca16030107f40b0007f00007ed0003ab308203a73082028fa00302010202010a300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532353032303233325a170d3136303532343032303233 EAP-Message = 0x325a305d311f301d06035504030c16657863656c73696f722e616b67686574746f2e636f6d310b3009060355040613025553312d302b06092a864886f70d010901161e73636f74742e612e6a6f686e736f6e4077656c6c73666172676f2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5a9c7fb77faa3b27e434505743b5e7662a6abc512d873049cae8074243cfc556439e7b4780dfb054f63dfbf148303b4a41c3c495c3c4837661888d88ffe3d3561fad3a3a07a006b8bc0031fbaf7f659c321208741b4b778eaeb4b076df24bfd4858c49bc271b7ec8fe518083f360cd4c2980ba1e4abb48c42a136 EAP-Message = 0xb97f33d0ba311a1ccb604cbeaba1900060a83ecc5132c925ef0e1883a4c1c9a3fd10305cc1f852f3db3ee819e252fc82270d6642da69633ae255bdcd9c596d5b5fcc1ae32cd36f2968c9ef5945b829e2370f4b1ef1466e5b6a806c0381abe60c0e70e90ba12b847b856ec79151ac41b0ebfb3b26562c2fdac6380acc9485584c999982702f0203010001a32a3028300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b06010505070302300d06092a864886f70d01010b050003820101007d3b8b74f07a5d7eb3acfa9870e571f69e9df262eaec17a4e9054aab826d7ce554cd6c7e159372be9efef6bd453b93d0f57b26 EAP-Message = 0x952dd184a421224f9dc3776c14ef596f47d5912dd87783c7d78ea14fca2f3eab987de8cd25434bf7c4f0a104b70fa6426677d300ccf844d1746c4649d91eaf82e7c8a9eae8b99960e3e0a9eb10599685bbbf4c6ada0c7a2d79bf23fe0cac48da9d444590fe378327c19ba1074c8f524592530c65c43c8b4c4b27b6534029dd87f140dca526b8d2731376b4ce55c3a9bdf88584a4bb9653394a4b8a1d0f6e3faaf5ba892daf7c52f7292c5c5d90ad7e6694d0f689e882998eddae207c584f92e77e0043a1afc685218f7f6643bd00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b EAP-Message = 0x47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e657477 EAP-Message = 0x6f726b204f706572617469 State = 0xcd1d2c5bcfe82148e0c4efca7138c662 Message-Authenticator = 0x298751ce5d021e84c76d895e0d8079f4 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 245 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 2506 [tls] Received EAP-TLS First Fragment of the message [tls] eaptls_verify returned 9 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 12 to 10.0.2.212 port 32817 EAP-Message = 0x01f600060d00 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcd1d2c5bceeb2148e0c4efca7138c662 Finished request 8. Going to the next request Waking up in 3.0 seconds. rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=13, length=1455 User-Name = "excelsior.REDACTED" NAS-IP-Address = 10.0.2.212 NAS-Identifier = "0418d6105a2e" NAS-Port = 0 Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED" Calling-Station-Id = "80-BE-05-3A-12-72" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11b" EAP-Message = 0x02f604de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9 EAP-Message = 0xfef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d250030 EAP-Message = 0x0d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a5878127fef2b98ebdd0d65934fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a4651 EAP-Message = 0x8d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a3016030100861000008200804ab58d0bb504ba8bb26f9fd078ddcbc4aab6f191a7e1e48a524480cfa18bc27345f630b26ad1e3cd9f7ad682b523817dd0a5aacd64893ccc72a61bfdb27048497aec9cbdd524ceb647df1532e882e620b3e77aef1eef10fe24406f6ec8191a52a775ea1904cc67e821a95e975e998e4eeab9dc2702bb0fd7268357a0e289076316030101060f00010201004f060c2d60aa075ac423db932d27aefbb53d8acbd4be8a342ffaaa7673d7476e3570fe68076f5f01dde2bba47b2be20a33f7f3da5396e77eb0f9c8635e8caf4518cd6cec5fafcfde331f16214d543923c1 EAP-Message = 0xd8ba2376518d720ccaaea91f2e74d75e25586d5585700085f07abaa37767f460b5531242341cd9593974f7779fb4aed46e04763f7a3d5cdd40bb6eeb210099d7f77b5b800d86f34cc668b38332954abdaa04b683b343c3dff5c956f517a0b9867c3e002f98174f7502e58b0755a807e38550fc07b273caa714e49485396ddf95298de41f291319725b40bc272983a9abc5ac0eaccffeb4b50ecb0d456e4035b885d1ae1b28803a12148777dd770b0b1403010001011603010030943862ac5b33a9d15a6c49d981287e7bc9e8ada5924a68ea08562ec6fb5696c9aabc5aeb7408ccb8fbcdb5a4f25c37c6 State = 0xcd1d2c5bceeb2148e0c4efca7138c662 Message-Authenticator = 0x524988758316be767df6d5d82b608979 # Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 246 length 253 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] eaptls_verify returned 7 [tls] Done initial handshake [tls] <<< TLS 1.0 Handshake [length 07f4], Certificate [tls] chain-depth=1, [tls] error=0 [tls] --> User-Name = excelsior.REDACTED [tls] --> BUF-Name = REDACTED CA ROOT [tls] --> subject = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED@gmail.com [tls] --> issuer = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED@gmail.com [tls] --> verify return:1 --> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (certificate signature failure): [excelsior.REDACTED/<via Auth-Type = EAP>] (from client melbourne.REDACTED port 0 cli 80-BE-05-3A-12-72) Using Post-Auth-Type REJECT # Executing group from file /Library/Server/radius/raddb/sites-enabled/default +- entering group REJECT {...} ++? if ("%{EAP-Message}") expand: %{EAP-Message} -> 0x02f604de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9 ? Evaluating ("%{EAP-Message}") -> TRUE ++? if ("%{EAP-Message}") -> TRUE ++- entering if ("%{EAP-Message}") {...} expand: %{Message-Authenticator} -> 0x524988758316be767df6d5d82b608979 +++[reply] returns noop ++- if ("%{EAP-Message}") returns noop [attr_filter.access_reject] expand: %{User-Name} -> excelsior.REDACTED attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 13 to 10.0.2.212 port 32817 EAP-Message = 0x04f60004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 1.9 seconds. Cleaning up request 0 ID 4 with timestamp +13 Cleaning up request 1 ID 5 with timestamp +13 Cleaning up request 2 ID 6 with timestamp +13 Waking up in 0.1 seconds. Cleaning up request 3 ID 7 with timestamp +13 Waking up in 1.0 seconds. Cleaning up request 4 ID 8 with timestamp +13 Waking up in 0.4 seconds. Cleaning up request 5 ID 9 with timestamp +15 Cleaning up request 6 ID 10 with timestamp +15 Cleaning up request 7 ID 11 with timestamp +15 Waking up in 0.1 seconds. Cleaning up request 8 ID 12 with timestamp +15 Waking up in 1.0 seconds. Cleaning up request 9 ID 13 with timestamp +15 Ready to process requests.
On May 25, 2015, at 10:46 PM, Scott A. Johnson <scott.a.johnson@gmail.com> wrote:
I’m using version 2.2.0 which is installed with Mac OS X 10.10.3. Trying to get EAP-TLS working. I *think* I have my certificates installed, and permissions set correctly, however my clients can’t connect and the error, best I can tell, is certificate based as I receive the error “certificate signature failure”. Where I’m not sure is if this means I have something wrong with my public/private key, an error in my config files with FreeRadius, or something else entirely.
Magic... deep magic. Not really, but sometimes SSL feels like that.
--> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error
That's not good. I've seen it from time to time, and honestly... it's not clear what's going on. I'm not familiar enough with the SSL internals to say. Try using the fake certificates in raddb/certs/. If those don't work, then the system is broken. Something in the client, or OpenSSL, or 2.2.0. If those certificates do work, then the certificates you're using are broken somehow. Alan DeKok.
What kind of certificates do you use? RSA or ECDSA? If these are simple RSA certificates try using a simple tls config. private_key_password = “REDACTED” private_key_file = "server.key" certificate_file = "server.crt" ca_file = "server.crt" dh_file = "/Library/Server/radius/raddb/certs/dh" ca_path = "/Library/Server/radius/raddb/certs" cipher_list = "DEFAULT" ecdh_curve = "prime256v1" these are the only configuration options in the default FR 3.0.7 eap tls config and it works well for me (RSA with sha256). Also make you you have the correct "Extended Key Usage" OIDs set for each the server as well as the client cert. If this doesn't help reupload / install the correct certificates on your client and as well as your radius server. Don't think "this is the correct cert", just replace it with the definitely correct one from your CA. SSL can't decrypt thus the private key doesn't match the public key so either the config is broken or you haven't updated the key but the cert (or vice-versa). 2015-05-26 14:19 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On May 25, 2015, at 10:46 PM, Scott A. Johnson <scott.a.johnson@gmail.com> wrote:
I’m using version 2.2.0 which is installed with Mac OS X 10.10.3. Trying to get EAP-TLS working. I *think* I have my certificates installed, and permissions set correctly, however my clients can’t connect and the error, best I can tell, is certificate based as I receive the error “certificate signature failure”. Where I’m not sure is if this means I have something wrong with my public/private key, an error in my config files with FreeRadius, or something else entirely.
Magic... deep magic.
Not really, but sometimes SSL feels like that.
--> verify error:num=7:certificate signature failure [tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error TLS Alert write:fatal:decrypt error
That's not good. I've seen it from time to time, and honestly... it's not clear what's going on. I'm not familiar enough with the SSL internals to say.
Try using the fake certificates in raddb/certs/. If those don't work, then the system is broken. Something in the client, or OpenSSL, or 2.2.0. If those certificates do work, then the certificates you're using are broken somehow.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
2015-05-26 4:46 GMT+02:00 Scott A. Johnson <scott.a.johnson@gmail.com>:
Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/Library/Server/radius/raddb/certs" pem_file_type = yes private_key_file = "server.key" certificate_file = "server.crt" CA_file = "server.crt" private_key_password = “REDACTED” dh_file = "/Library/Server/radius/raddb/certs/dh" random_file = "/Library/Server/radius/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/Library/Server/radius/raddb/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { tmpdir = "/tmp/radiusd" client = "/usr/bin/openssl verify -CApath /Library/Server/radius/raddb/certs %{TLS-Client-Cert-Filename}" } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" use_nonce = yes timeout = 0 softfail = no } }
Alan, I was looking for the documentation about the configuration options for tls-common but it's neither on freeradius.org nor networkradius.com. I found the site where it should be (http://networkradius.com/doc/3.0.8/raddb/tls/tls-config_tls-common.html) but it's 404. I tried 3.0.8, 3.0.7 and current. I'm just wondering where Scott got all these options from :)
On May 26, 2015, at 10:48 AM, Ben Humpert <ben@an3k.de> wrote:
Alan, I was looking for the documentation about the configuration options for tls-common but it's neither on freeradius.org nor networkradius.com.
It's in raddb/mods-available/eap. Look for "tls-common"
I found the site where it should be (http://networkradius.com/doc/3.0.8/raddb/tls/tls-config_tls-common.html) but it's 404. I tried 3.0.8, 3.0.7 and current. I'm just wondering where Scott got all these options from :)
The example config files. :) As for the documentation, I'm working on it now. Expect more pages up soon. Alan DeKok.
participants (3)
-
Alan DeKok -
Ben Humpert -
Scott A. Johnson