more EAP/TTLS trouble

Steve Hopps steve.hopps at gmail.com
Wed May 23 17:03:19 CEST 2012


I've got authentication with Android and Linux clients working using
EAP/TTLS and PAP; however, Windows and OS X clients don't seem to work.
Below is a log of a Windows 7 client. I was able to get iPhones working
with a special config, but the same method doesn't seem to work for
OS X. Any help you could offer is appreciated.

Log follows, with sensitive values edited out:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov
14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
	user = "freerad"
	group = "freerad"
	allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
	prefix = "/usr"
	localstatedir = "/var"
	logdir = "/var/log/freeradius"
	libdir = "/usr/lib/freeradius"
	radacctdir = "/var/log/freeradius/radacct"
	hostname_lookups = no
	max_request_time = 30
	cleanup_delay = 5
	max_requests = 1024
	pidfile = "/var/run/freeradius/freeradius.pid"
	checkrad = "/usr/sbin/checkrad"
	debug_level = 0
	proxy_requests = yes
 log {
	stripped_names = no
	auth = yes
	auth_badpass = no
	auth_goodpass = no
 }
 security {
	max_attributes = 200
	reject_delay = 1
	status_server = yes
 }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
 client localhost {
	ipaddr = 127.0.0.1
	require_message_authenticator = no
	secret = "-removed-"
	shortname = "localhost"
 }

-EDITED: Client entries removed-

 radiusd: #### Instantiating modules ####
 instantiate {
 Module: Linked to module rlm_exec
 Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf
  exec {
	wait = yes
	input_pairs = "request"
	shell_escape = yes
  }
 Module: Linked to module rlm_expr
 Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_expiration
 Module: Instantiating module "expiration" from file
/etc/freeradius/radiusd.conf
  expiration {
	reply-message = "Password Has Expired  "
  }
 Module: Linked to module rlm_logintime
 Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf
  logintime {
	reply-message = "You are calling outside your allowed timespan  "
	minimum-timeout = 60
  }
 }
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf
  pap {
	encryption_scheme = "auto"
	auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_pam
 Module: Instantiating module "pam" from file /etc/freeradius/radiusd.conf
  pam {
	pam_auth = "radiusd"
  }
 Module: Linked to module rlm_eap
 Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
  eap {
	default_eap_type = "ttls"
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no
	max_sessions = 4096
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
	challenge = "Password: "
	auth_type = "PAP"
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
	rsa_key_exchange = no
	dh_key_exchange = yes
	rsa_key_length = 512
	dh_key_length = 512
	verify_depth = 0
	pem_file_type = yes
	private_key_file = "/etc/ssl/private/-removed-_generic.key"
	certificate_file = "/etc/ssl/certs/-removed-_generic.crt"
	CA_file = "/etc/ssl/certs/-removed-_ca.crt"
	dh_file = "/etc/freeradius/certs/dh"
	random_file = "/dev/urandom"
	fragment_size = 1024
	include_length = yes
	check_crl = no
	cipher_list = "DEFAULT"
	make_cert_command = "/etc/freeradius/certs/bootstrap"
    cache {
	enable = no
	lifetime = 24
	max_entries = 255
    }
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
	default_eap_type = "md5"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	virtual_server = "inner-tunnel"
	include_length = yes
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
	default_eap_type = "mschapv2"
	copy_request_to_tunnel = no
	use_tunneled_reply = no
	proxy_tunneled_request_as_eap = yes
	virtual_server = "inner-tunnel"
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
	with_ntdomain_hack = no
   }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_realm
 Module: Instantiating module "suffix" from file /etc/freeradius/radiusd.conf
  realm suffix {
	format = "suffix"
	delimiter = "@"
	ignore_default = no
	ignore_null = no
  }
 Module: Linked to module rlm_files
 Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf
  files {
	usersfile = "/etc/freeradius/users"
	acctusersfile = "/etc/freeradius/acct_users"
	preproxy_usersfile = "/etc/freeradius/preproxy_users"
	compat = "no"
  }
 Module: Checking session {...} for more modules to load
 Module: Linked to module rlm_radutmp
 Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf
  radutmp {
	filename = "/var/log/freeradius/radutmp"
	username = "%{User-Name}"
	case_sensitive = yes
	check_with_nas = yes
	perm = 384
	callerid = yes
  }
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 Module: Linked to module rlm_attr_filter
 Module: Instantiating module "attr_filter.access_reject" from file
/etc/freeradius/radiusd.conf
  attr_filter attr_filter.access_reject {
	attrsfile = "/etc/freeradius/attrs.access_reject"
	key = "%{User-Name}"
  }
 } # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
 modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_digest
 Module: Instantiating module "digest" from file /etc/freeradius/radiusd.conf
 Module: Linked to module rlm_unix
 Module: Instantiating module "unix" from file /etc/freeradius/radiusd.conf
  unix {
	radwtmp = "/var/log/freeradius/radwtmp"
  }
 Module: Checking authorize {...} for more modules to load
 Module: Linked to module rlm_preprocess
 Module: Instantiating module "preprocess" from file
/etc/freeradius/radiusd.conf
  preprocess {
	huntgroups = "/etc/freeradius/huntgroups"
	hints = "/etc/freeradius/hints"
	with_ascend_hack = no
	ascend_channels_per_line = 23
	with_ntdomain_hack = no
	with_specialix_jetstream_hack = no
	with_cisco_vsa_hack = no
	with_alvarion_vsa_hack = no
  }
 Module: Checking preacct {...} for more modules to load
 Module: Linked to module rlm_acct_unique
 Module: Instantiating module "acct_unique" from file
/etc/freeradius/radiusd.conf
  acct_unique {
	key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
  }
 Module: Checking accounting {...} for more modules to load
 Module: Linked to module rlm_detail
 Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf
  detail {
	detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
	header = "%t"
	detailperm = 384
	dirperm = 493
	locking = no
	log_packet_header = no
  }
 Module: Instantiating module "attr_filter.accounting_response" from
file /etc/freeradius/radiusd.conf
  attr_filter attr_filter.accounting_response {
	attrsfile = "/etc/freeradius/attrs.accounting_response"
	key = "%{User-Name}"
  }
 Module: Checking session {...} for more modules to load
 Module: Checking post-proxy {...} for more modules to load
 Module: Checking post-auth {...} for more modules to load
 } # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
	type = "auth"
	ipaddr = *
	port = 0
}
listen {
	type = "acct"
	ipaddr = *
	port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=28, length=139
	User-Name = "test"
	NAS-Port = 0
	Called-Station-Id = "00-27-22-12-59-1F:Helio"
	Calling-Station-Id = "00-1F-3A-25-62-B3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02a600090174657374
	Message-Authenticator = 0xf0a3cd406f5b38050aae2efd796bd150
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 166 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 28 to -REMOVED- port 2048
	EAP-Message = 0x01a700061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71e0a8b07147bdedb47e6a205d08c074
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=29, length=154
	User-Name = "test"
	NAS-Port = 0
	Called-Station-Id = "00-27-22-12-59-1F:Helio"
	Calling-Station-Id = "00-1F-3A-25-62-B3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02a700060319
	State = 0x71e0a8b07147bdedb47e6a205d08c074
	Message-Authenticator = 0x941f56eedd5fd79424f5a78073c48749
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 167 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 29 to -REMOVED- port 2048
	EAP-Message = 0x01a800061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71e0a8b07048b1edb47e6a205d08c074
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=30, length=266
	User-Name = "test"
	NAS-Port = 0
	Called-Station-Id = "00-27-22-12-59-1F:Helio"
	Calling-Station-Id = "00-1F-3A-25-62-B3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02a8007619800000006c16030100670100006303014fbcf94545d3023dee569705aee1ec705dcdef5a8a6665f7c2f20dca50f6aca2000018002f00350005000ac013c014c009c00a003200380013000401000022ff0100010000000009000700000474657374000a0006000400170018000b00020100
	State = 0x71e0a8b07048b1edb47e6a205d08c074
	Message-Authenticator = 0x4487ab715ace2b169a8b6e84f5139e21
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 168 length 118
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 108
[peap] Length Included
[peap] eaptls_verify returned 11
[peap]     (other): before/accept initialization
[peap]     TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0067], ClientHello
[peap]     TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap]     TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 08fb], Certificate
[peap]     TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap]     TLS_accept: SSLv3 write server done A
[peap]     TLS_accept: SSLv3 flush data
[peap]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 30 to -REMOVED- port 2048
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x9301579b39f9d8ddd10c6cbc
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71e0a8b07349b1edb47e6a205d08c074
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=31, length=154
	User-Name = "test"
	NAS-Port = 0
	Called-Station-Id = "00-27-22-12-59-1F:Helio"
	Calling-Station-Id = "00-1F-3A-25-62-B3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02a900061900
	State = 0x71e0a8b07349b1edb47e6a205d08c074
	Message-Authenticator = 0x98e8a0ace30ceb08bbb1d7f2ba55bf90
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 169 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 31 to -REMOVED- port 2048
	EAP-Message = 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
	EAP-Message = 0x160f6e6f63406f6e73686f72652e636f6d3020170d3132303430393230323135315a180f32303632303332383230323135315a3081b6310b30090603550406130255533111300f06035504081308496c6c696e6f69733110300e060355040713074368696361676f312a3028060355040a13216f6e53686f7265204e6574776f726b73206f6620496c6c696e6f69732c204c4c43310c300a060355040b13034e4f43312830260603550403131f6f6e53686f726520436572746966696361746520417574686f726974792033311e301c06092a864886f70d010901160f6e6f63406f6e73686f72652e636f6d30820122300d06092a864886f70d010101
	EAP-Message = 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
	EAP-Message = 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
	EAP-Message = 0x6974792033311e30
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71e0a8b0724ab1edb47e6a205d08c074
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=32, length=154
	User-Name = "test"
	NAS-Port = 0
	Called-Station-Id = "00-27-22-12-59-1F:Helio"
	Calling-Station-Id = "00-1F-3A-25-62-B3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02aa00061900
	State = 0x71e0a8b0724ab1edb47e6a205d08c074
	Message-Authenticator = 0xcc80b68891296025aae224e56db19f21
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 170 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 32 to -REMOVED- port 2048
	EAP-Message = 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
	EAP-Message = 0x15eab2013e8a4e22dff0415f321de688d820ff72d7c470519296b9e7f384a54da3ca3da6f30b4cab50d2bee1ab870f73acbe679145b16c7896e0b1c07d686a63b1cbd8d030f34b95ace9bbf0668c8671de816516030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x71e0a8b0754bb1edb47e6a205d08c074
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=33, length=165
	User-Name = "test"
	NAS-Port = 0
	Called-Station-Id = "00-27-22-12-59-1F:Helio"
	Calling-Station-Id = "00-1F-3A-25-62-B3"
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	Connect-Info = "CONNECT 0Mbps 802.11"
	EAP-Message = 0x02ab001119800000000715030100020230
	State = 0x71e0a8b0754bb1edb47e6a205d08c074
	Message-Authenticator = 0xd2c0db5aa72047e9f4909baa4447796e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 171 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1
alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [test] (from client
-REMOVED- port 0 cli 00-1F-3A-25-62-B3)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 33 to -REMOVED- port 2048
	EAP-Message = 0x04ab0004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

