Problem with EAP-TLS, please give me a hint

_Stefan_H stefanh007 at networld.at
Fri Dec 4 20:39:01 CET 2009


> I know that you don't like to waste your time on a newbie like me, but
> please give me only a hint where the problem could be.

Some XP versions won't allow the server certificate to be an intermediate
certificate. Try altering certs/Makefile to sign client certificates with
the CA instead of the server certificate.

Ivan Kalik

I think that's my problem too, because the tutorial of Alan DeKok-2 led me to
the same problem, also with PEAP.

My server is running on VMware and I got the chance to try a switch with
a different IOS and a different XP client, and the server output was different
and far longer:
_______________________________________________________________________
Ready to process requests.                                                      
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=5, length=135
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        EAP-Message = 0x0203000f016f73732d726164697573                          
        Message-Authenticator = 0x83f50eceb4eb9b3f01b91cba34beda74              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 3 length 15                                   
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] EAP Identity                                                              
[eap] processing type tls                                                       
[tls] Requiring client certificate                                              
[tls] Initiate                                                                  
[tls] Start returned 1                                                          
++[eap] returns handled                                                         
Sending Access-Challenge of id 5 to 192.168.5.3 port 1812                       
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message = 0x010400060d20                                            
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xdc2c0ceadc2801a2909332f7877a5def                              
Finished request 7.                                                             
Going to the next request                                                       
Waking up in 4.9 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=6, length=218
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xdc2c0ceadc2801a2909332f7877a5def                              
        EAP-Message = 0x020400500d800000004616030100410100003d03014b18f9f4d475c347b4c63e498b5588a54d7c3bcfaa54ed228482bbd8cdfb6a0700001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0xef2ee3a18747120691d1554121d3647a              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 4 length 80                                   
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
  TLS Length 70                                                                 
[tls] Length Included                                                           
[tls] eaptls_verify returned 11                                                 
[tls]     (other): before/accept initialization                                 
[tls]     TLS_accept: before/accept initialization                              
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello                          
[tls]     TLS_accept: SSLv3 read client hello A                                 
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello                          
[tls]     TLS_accept: SSLv3 write server hello A                                
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate                          
[tls]     TLS_accept: SSLv3 write certificate A                                 
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest                   
[tls]     TLS_accept: SSLv3 write certificate request A                         
[tls]     TLS_accept: SSLv3 flush data                                          
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase                                                          
In SSL Accept mode                                                              
[tls] eaptls_process returned 13                                                
++[eap] returns handled                                                         
Sending Access-Challenge of id 6 to 192.168.5.3 port 1812                       
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message = 0x010504000dc00000093d160301002a0200002603014b18f9eecee5da441146eddde2ea8e016c2adb0db5c574b49514891d3931f97700000400160301085e0b00085a0008570003a6308203a23082028aa003020102020103300d06092a864886f70d0101040500308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f72697479
        EAP-Message = 0xa73082038fa0030201020209                                
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xdc2c0ceadd2901a2909332f7877a5def                              
Finished request 8.                                                             
Going to the next request                                                       
Waking up in 4.8 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=7, length=144
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xdc2c0ceadd2901a2909332f7877a5def                              
        EAP-Message = 0x020500060d00                                            
        Message-Authenticator = 0xaef2f990f10c99234767d854d27b544a              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 5 length 6                                    
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
[tls] Received TLS ACK                                                          
[tls] ACK handshake fragment handler                                            
[tls] eaptls_verify returned 1                                                  
[tls] eaptls_process returned 13                                                
++[eap] returns handled                                                         
Sending Access-Challenge of id 7 to 192.168.5.3 port 1812                       
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message = 0x35cc4eacbe8a90671537715d                                
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xdc2c0ceade2a01a2909332f7877a5def                              
Finished request 9.                                                             
Going to the next request                                                       
Waking up in 4.8 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=8, length=144
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xdc2c0ceade2a01a2909332f7877a5def                              
        EAP-Message = 0x020600060d00                                            
        Message-Authenticator = 0xc92addcb64acecf03702578e45472430              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 6 length 6                                    
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
[tls] Received TLS ACK                                                          
[tls] ACK handshake fragment handler                                            
[tls] eaptls_verify returned 1                                                  
[tls] eaptls_process returned 13                                                
++[eap] returns handled                                                         
Sending Access-Challenge of id 8 to 192.168.5.3 port 1812                       
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message = 0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xdc2c0ceadf2b01a2909332f7877a5def                              
Finished request 10.                                                            
Going to the next request                                                       
Waking up in 4.7 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=9, length=1627
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xdc2c0ceadf2b01a2909332f7877a5def                              
        EAP-Message = 0x5b87e12df25b0538042938aa61557bffa40ddf164236590e9f55e9010b681c5f87f2199cd6cddd5e3b6a7de6ae8b00db96b713fbf60688965f857b4238ef9c140bee0321e2c8190aa27b816743d750a22d3a958bda25f739e4521b3f3d2eba5a20b7236d35d706b09be354a3f21377de68cf54228ebf300167775314dda9dfd8e7b1390ff609467b5ac703e26130fdd6519b148409a4be7c44f57f4c7e87461581a4ce8820f2e38561ece614030100010116030100205c40fd19e50ab899199364162f97f139fb524181835a55a83964d818e8ac3076
        Message-Authenticator = 0x4b471a16eae8e42d0c58b78e95297293              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 7 length 253                                  
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
  TLS Length 1469                                                               
[tls] Length Included                                                           
[tls] eaptls_verify returned 11                                                 
[tls] <<< TLS 1.0 Handshake [length 0381], Certificate                          
--> verify error:num=20:unable to get local issuer certificate                  
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca                         
TLS Alert write:fatal:unknown CA                                                
    TLS_accept:error in SSLv3 read client certificate B                         
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.                  
TLS receive handshake failed during operation                                   
[tls] eaptls_process returned 4                                                 
[eap] Handler failed in EAP/tls                                                 
[eap] Failed in EAP select                                                      
++[eap] returns invalid                                                         
Failed to authenticate the user.                                                
Using Post-Auth-Type Reject                                                     
+- entering group REJECT {...}                                                  
[attr_filter.access_reject]     expand: %{User-Name} -> oss-radius              
 attr_filter: Matched entry DEFAULT at line 11                                  
++[attr_filter.access_reject] returns updated                                   
Delaying reject of request 11 for 1 seconds                                     
Going to the next request                                                       
Waking up in 0.9 seconds.                                                       
Sending delayed reject for request 11                                           
Sending Access-Reject of id 9 to 192.168.5.3 port 1812                          
        EAP-Message = 0x04070004                                                
        Message-Authenticator = 0x00000000000000000000000000000000              
Waking up in 3.6 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=10, length=135
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        EAP-Message = 0x0200000f016f73732d726164697573                          
        Message-Authenticator = 0xa6abf14fc79a6a2a3bab1c7da1a574f8              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 0 length 15                                   
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] EAP Identity                                                              
[eap] processing type tls                                                       
[tls] Requiring client certificate                                              
[tls] Initiate                                                                  
[tls] Start returned 1                                                          
++[eap] returns handled                                                         
Sending Access-Challenge of id 10 to 192.168.5.3 port 1812                      
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message = 0x010100060d20                                            
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xc1758d8dc17480a17ea88a729c3ffa64                              
Finished request 12.                                                            
Going to the next request                                                       
Waking up in 2.3 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=11, length=218
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xc1758d8dc17480a17ea88a729c3ffa64                              
        EAP-Message = 0x020100500d800000004616030100410100003d03014b18f9f6af7d3ffe4b3887242954843428771b6af2fdc46e52714e7cc4cacb8500001600040005000a000900640062000300060013001200630100
        Message-Authenticator = 0xb1d532e53fec6922f1e8030c4f8e39e2              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 1 length 80                                   
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
  TLS Length 70                                                                 
[tls] Length Included                                                           
[tls] eaptls_verify returned 11                                                 
[tls]     (other): before/accept initialization                                 
[tls]     TLS_accept: before/accept initialization                              
[tls] <<< TLS 1.0 Handshake [length 0041], ClientHello                          
[tls]     TLS_accept: SSLv3 read client hello A                                 
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello                          
[tls]     TLS_accept: SSLv3 write server hello A                                
[tls] >>> TLS 1.0 Handshake [length 085e], Certificate                          
[tls]     TLS_accept: SSLv3 write certificate A                                 
[tls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest                   
[tls]     TLS_accept: SSLv3 write certificate request A                         
[tls]     TLS_accept: SSLv3 flush data                                          
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase                                                          
In SSL Accept mode                                                              
[tls] eaptls_process returned 13                                                
++[eap] returns handled                                                         
Sending Access-Challenge of id 11 to 192.168.5.3 port 1812                      
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message =
0x301e170d3039313132323133343533305a170d3130313132323133343533305a307c310b3009060355040613024652310f300d0603550408130652616469757331153013060355040a130c4578616d706c6520496e632e312330210603550403131a4578616d706c65205365727665722043657274696669636174653120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100ac980cc4c9ec4ad3e23bf9d75989232fb1b5014896413398e3361287de22a5b5c00cac1e0c1b72b2f991aa8c2eeb1e452a7c67950e6af12e31414acbf8a9                              
        EAP-Message = 0xa73082038fa0030201020209                                
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xc1758d8dc07780a17ea88a729c3ffa64                              
Finished request 13.                                                            
Going to the next request                                                       
Waking up in 2.2 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=12, length=144
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xc1758d8dc07780a17ea88a729c3ffa64                              
        EAP-Message = 0x020200060d00                                            
        Message-Authenticator = 0xbee4c0a1276cce1934909d7485a45127              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 2 length 6                                    
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
[tls] Received TLS ACK                                                          
[tls] ACK handshake fragment handler                                            
[tls] eaptls_verify returned 1                                                  
[tls] eaptls_process returned 13                                                
++[eap] returns handled                                                         
Sending Access-Challenge of id 12 to 192.168.5.3 port 1812                      
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message = 0x35cc4eacbe8a90671537715d                                
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xc1758d8dc37680a17ea88a729c3ffa64                              
Finished request 14.                                                            
Going to the next request                                                       
Waking up in 2.2 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=13, length=144
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xc1758d8dc37680a17ea88a729c3ffa64                              
        EAP-Message = 0x020300060d00                                            
        Message-Authenticator = 0xc9ec1a2a313c897c3d546b1e17a21e62              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 3 length 6                                    
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
[tls] Received TLS ACK                                                          
[tls] ACK handshake fragment handler                                            
[tls] eaptls_verify returned 1                                                  
[tls] eaptls_process returned 13                                                
++[eap] returns handled                                                         
Sending Access-Challenge of id 13 to 192.168.5.3 port 1812                      
        Tunnel-Type:0 = VLAN                                                    
        Tunnel-Medium-Type:0 = IEEE-802                                         
        Tunnel-Private-Group-Id:0 = "5"                                         
        EAP-Message =
0x0104015b0d800000093de1275d07e1318b3e3f3e38b4e742f948efa0d251272389d58a2a4cbe1c74bddb6d584f384cf715e49bac5c13bce7719c9947c27edfa52b7693b39367b3123c99871549a2f7c63f946d9fde67f403a031f67c05e4327a5e4af1385dd48bb9dcb4105565ada8137083c6c9db74e4c66d6c3e06431c345cdfbd678431dd0ea80b6576955f1c8a40273c5351ae7ff243c98bc9b2a423d0b1f4c5ca5c4a597bad4990e33e1d359a7816030100a60d00009e0301024000980096308193310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355                              
        EAP-Message =
0x040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000                            
        Message-Authenticator = 0x00000000000000000000000000000000              
        State = 0xc1758d8dc27180a17ea88a729c3ffa64                              
Finished request 15.                                                            
Going to the next request                                                       
Waking up in 2.2 seconds.                                                       
rad_recv: Access-Request packet from host 192.168.5.3 port 1812, id=14, length=1627
        NAS-IP-Address = 192.168.5.3                                            
        NAS-Port = 50012                                                        
        NAS-Port-Type = Ethernet                                                
        User-Name = "oss-radius"                                                
        Called-Station-Id = "00-0F-23-01-11-4C"                                 
        Calling-Station-Id = "00-15-60-52-1E-49"                                
        Service-Type = Framed-User                                              
        Framed-MTU = 1500                                                       
        State = 0xc1758d8dc27180a17ea88a729c3ffa64                              
        EAP-Message =
0xfb7468f5a51fb74e25f9797e2558882a3db6128557e1bbbcb08833404496c0ea4e57e7ec846a9a38f81f75a255edba3e15dffa0ec8b04d07ea9bcae2947b24dbe34b4bd01b9eafd15b463db3130afa3e98f0bc58fa36608104207eeb78488708d24c8b7e93e629e4134e282c72020bc47cff40ec8351fe303c905f61e7fbef781193915691403ecb945ae625c692705df1e27dfd3a4b22f0a5f1e60bb6180021c022f5a2f4021280cd3e2c1403010001011603010020849bf86551030b13023b06784ee2f662244e52dba0d38da35803b72742e7b6bc                            
        Message-Authenticator = 0x842fdcc9d3a304697a8b444fea294886              
+- entering group authorize {...}                                               
++[preprocess] returns ok                                                       
++[chap] returns noop                                                           
++[mschap] returns noop                                                         
[suffix] No '@' in User-Name = "oss-radius", looking up realm NULL              
[suffix] No such realm "NULL"                                                   
++[suffix] returns noop                                                         
[eap] EAP packet type response id 4 length 253                                  
[eap] No EAP Start, assuming it's an on-going EAP conversation                  
++[eap] returns updated                                                         
++[unix] returns notfound                                                       
[files] users: Matched entry oss-radius at line 204                             
++[files] returns ok                                                            
++[expiration] returns noop                                                     
++[logintime] returns noop                                                      
[pap] Found existing Auth-Type, not changing it.                                
++[pap] returns noop                                                            
Found Auth-Type = EAP                                                           
+- entering group authenticate {...}                                            
[eap] Request found, released from the list                                     
[eap] EAP/tls                                                                   
[eap] processing type tls                                                       
[tls] Authenticate                                                              
[tls] processing EAP-TLS                                                        
  TLS Length 1469                                                               
[tls] Length Included                                                           
[tls] eaptls_verify returned 11                                                 
[tls] <<< TLS 1.0 Handshake [length 0381], Certificate                          
--> verify error:num=20:unable to get local issuer certificate                  
[tls] >>> TLS 1.0 Alert [length 0002], fatal unknown_ca                         
TLS Alert write:fatal:unknown CA                                                
    TLS_accept:error in SSLv3 read client certificate B                         
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> oss-radius
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 16 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 16
Sending Access-Reject of id 14 to 192.168.5.3 port 1812
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.1 seconds.
Cleaning up request 7 ID 5 with timestamp +807
Waking up in 0.1 seconds.
Cleaning up request 8 ID 6 with timestamp +807
Cleaning up request 9 ID 7 with timestamp +807
Cleaning up request 10 ID 8 with timestamp +807
Waking up in 1.0 seconds.
Cleaning up request 11 ID 9 with timestamp +807
Waking up in 1.3 seconds.
Cleaning up request 12 ID 10 with timestamp +810
Cleaning up request 13 ID 11 with timestamp +810
Cleaning up request 14 ID 12 with timestamp +810
Cleaning up request 15 ID 13 with timestamp +810
Waking up in 1.0 seconds.
Cleaning up request 16 ID 14 with timestamp +810
Ready to process requests.

_______________________________________________________________________


Well, after I read your post I tried to sign the client certificates with the
CA. I made some changes in the Makefile, but I think I did something wrong
because it doesn't work:



old:

client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr server.crt server.key index.txt serial
	openssl ca -batch -keyfile server.key -cert server.crt -in client.csr  -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: server.pem client.pem 
	c_rehash .
	openssl verify -CApath . client.pem



new:

client.csr client.key: client.cnf
	openssl req -new  -out client.csr -keyout client.key -config ./client.cnf

client.crt: client.csr ca.key ca.pem index.txt serial
	openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_SERVER) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf

client.p12: client.crt
	openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)

client.pem: client.p12
	openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
	cp client.pem $(USER_NAME).pem

.PHONY: server.vrfy
client.vrfy: ca.pem client.pem 
	c_rehash .
	openssl verify -CApath . client.pem

-- 
View this message in context: http://old.nabble.com/Problem-with-EAP-TLS%2C-please-give-me-a-hint-tp26515010p26636380.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
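
The effect of the two signing layouts in the message above on chain validation, as an added example that is not part of the original post or of the FreeRADIUS certs/Makefile: it builds a throw-away PKI and checks each client certificate against the root alone, which gives the same verify error number 20 as in the log when the client certificate is issued by the server certificate. The function names, the files `demo.cnf`, `client_old.crt` and `client_new.crt`, and the `Demo ...` subjects are constructed for the demo, and `openssl` is assumed to be on the PATH.

```shell
#!/bin/sh
# Added example: constructed throw-away PKI, not the poster's certificates.

build_demo_pki() {
    d=$1
    # Minimal config so the result does not depend on the system openssl.cnf.
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root (plays the role of ca.pem / ca.key).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
        -subj "/CN=Demo Root CA" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    # Keys and signing requests for the server and the client.
    for who in server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
            -subj "/CN=Demo $who" -keyout "$d/$who.key" -out "$d/$who.csr" 2>/dev/null
    done
    # Server certificate issued by the root.
    openssl x509 -req -days 2 -in "$d/server.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/server.crt" 2>/dev/null
    # "old" layout: client certificate issued by the server certificate.
    openssl x509 -req -days 2 -in "$d/client.csr" -CA "$d/server.crt" \
        -CAkey "$d/server.key" -CAcreateserial -out "$d/client_old.crt" 2>/dev/null
    # "new" layout: client certificate issued directly by the root.
    openssl x509 -req -days 2 -in "$d/client.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client_new.crt" 2>/dev/null
}

# Verify one certificate with only the root trusted, as a verifier does when
# the peer presents a leaf certificate and no intermediates.
# Prints "OK", "error <n>" (the X.509 verify error number) or "unknown".
verify_against_root() {
    out=$(openssl verify -CAfile "$1/ca.pem" "$2" 2>&1 || true)
    case $out in
        *": OK"*)   echo "OK" ;;
        *"error "*) echo "$out" |
                    sed -n 's/.*error \([0-9][0-9]*\) at .*/error \1/p' | head -n 1 ;;
        *)          echo "unknown" ;;
    esac
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
build_demo_pki "$demo"
echo "client issued by server.crt: $(verify_against_root "$demo" "$demo/client_old.crt")"
echo "client issued by ca.pem:     $(verify_against_root "$demo" "$demo/client_new.crt")"
```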



