[ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate

Ben ben+freeradius at list-subs.com
Sat Mar 1 10:08:33 CET 2014


Hi all,

In my quest to get TTLS working I'm making slow and painful progress.

I've now reached this stage, I can see what Freeradius is complaining 
about but don't know how to fix it.  I've tried putting the root cert on 
the client, the intermediate cert on the client, the chain of 
intermediate+root on the client... nothing works !!!!

What certificate am I supposed to be putting on the client to get TTLS 
working ?????

This is all with the current 2.2.x version and the auth user just in the 
radb/users file.


Thanks




rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=25, length=166
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x0200000801626f62
     Message-Authenticator = 0x3b90b7bce827872043429fc5d3c4d4fa
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry bob at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 25 to 172.16.100.254 port 32771
     EAP-Message = 0x010100060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfce0cbcffce1c61e13af06a62b033add
Finished request 99.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=26, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020100060315
     State = 0xfce0cbcffce1c61e13af06a62b033add
     Message-Authenticator = 0x544d5ecfbb5fcfea7fc92c6af9995988
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry bob at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 26 to 172.16.100.254 port 32771
     EAP-Message = 0x010200061520
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfce0cbcffde2de1e13af06a62b033add
Finished request 100.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=27, length=409
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0xXXXX
     State = 0xfce0cbcffde2de1e13af06a62b033add
     Message-Authenticator = 0x51c1fa9a013d0796e3c69e73feacaee9
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 233
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00de], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0d03], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 27 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0x54563bfc875ead29ea258ceb
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfce0cbcffee3de1e13af06a62b033add
Finished request 101.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=28, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020300061500
     State = 0xfce0cbcffee3de1e13af06a62b033add
     Message-Authenticator = 0x0b7f096f4fc0c8acb5407c07e58c4f13
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 28 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXXX
     EAP-Message = 0x010056212ec4da360bb41484
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfce0cbcfffe4de1e13af06a62b033add
Finished request 102.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=29, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020400061500
     State = 0xfce0cbcfffe4de1e13af06a62b033add
     Message-Authenticator = 0x94688416253b77d96df25b1c2f7d9a1f
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 29 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0xxXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0x0e06035504081307456e676c
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfce0cbcff8e5de1e13af06a62b033add
Finished request 103.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=30, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020500061500
     State = 0xfce0cbcff8e5de1e13af06a62b033add
     Message-Authenticator = 0x4ab77dde9316429ec01785aea3bf8f23
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 30 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXXX
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0xfce0cbcff9e6de1e13af06a62b033add
Finished request 104.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=31, length=189
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x0206000d15001503010002022a
     State = 0xfce0cbcff9e6de1e13af06a62b033add
     Message-Authenticator = 0xd3580f9793092740ddc482652114e45a
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 13
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
     TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 105 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 105
Sending Access-Reject of id 31 to 172.16.100.254 port 32771
     EAP-Message = 0x04060004
     Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=31, length=189
Sending duplicate reply to client XYZwifi2 port 32771 - ID: 31
Sending Access-Reject of id 31 to 172.16.100.254 port 32771
     EAP-Message = 0x04060004
     Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=32, length=166
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x0200000801626f62
     Message-Authenticator = 0xe1dae59cd99e96df6fa5959228d8ed52
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 8
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry bob at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 32 to 172.16.100.254 port 32771
     EAP-Message = 0x010100060d20
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x1bfbd3351bfade698a8490efd3984a5c
Finished request 106.
Going to the next request
Waking up in 1.5 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=33, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020100060315
     State = 0x1bfbd3351bfade698a8490efd3984a5c
     Message-Authenticator = 0x680c5830cb9579e83b610caf7bf1f22d
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 1 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry bob at line 1
++[files] = ok
++[expiration] = noop
++[logintime] = noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 33 to 172.16.100.254 port 32771
     EAP-Message = 0x010200061520
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x1bfbd3351af9c6698a8490efd3984a5c
Finished request 107.
Going to the next request
Waking up in 1.5 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=34, length=409
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0xXXXXXXX
     State = 0x1bfbd3351af9c6698a8490efd3984a5c
     Message-Authenticator = 0x0e0248858e573f5236dbc87ccc0ba636
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 2 length 233
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 00de], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0d03], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client 
certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 34 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXXXX
     EAP-Message = 0xXXXXXXX
     EAP-Message = 0xXXXXXXX
     EAP-Message = 0xXXXXXXX
     EAP-Message = 0x54563bfc875ead29ea258ceb
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x1bfbd33519f8c6698a8490efd3984a5c
Finished request 108.
Going to the next request
Waking up in 1.4 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=35, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020300061500
     State = 0x1bfbd33519f8c6698a8490efd3984a5c
     Message-Authenticator = 0x6ef912f386d9451add40ddb6eab06618
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 35 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXXX
     EAP-Message = 0x010056212ec4da360bb41484
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x1bfbd33518ffc6698a8490efd3984a5c
Finished request 109.
Going to the next request
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=36, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020400061500
     State = 0x1bfbd33518ffc6698a8490efd3984a5c
     Message-Authenticator = 0x9c6e329e9225bce68c8aff6c2e6c91a1
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 4 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 36 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0xXXXXX
     EAP-Message = 0x0e06035504081307456e676c
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x1bfbd3351ffec6698a8490efd3984a5c
Finished request 110.
Going to the next request
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=37, length=182
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x020500061500
     State = 0x1bfbd3351ffec6698a8490efd3984a5c
     Message-Authenticator = 0xe496aa258d721f863cba6a3fcf4eb638
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 37 to 172.16.100.254 port 32771
     EAP-Message = 0xXXXXXXX
     EAP-Message = 0xXXXXXXX
     EAP-Message = 0xXXXXXXX
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x1bfbd3351efdc6698a8490efd3984a5c
Finished request 111.
Going to the next request
Waking up in 1.3 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=38, length=189
     User-Name = "bob"
     NAS-IP-Address = 172.16.100.254
     NAS-Identifier = "hello"
     NAS-Port = 0
     Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXX"
     Calling-Station-Id = "10-AE-FF-FF-FF-FF"
     Framed-MTU = 1400
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 0Mbps 802.11b"
     EAP-Message = 0x0206000d15001503010002022a
     State = 0x1bfbd3351efdc6698a8490efd3984a5c
     Message-Authenticator = 0xfd05c1a5ced3bc05e5a969aad7e6c316
# Executing section authorize from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 6 length 13
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
     TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 
alert bad certificate
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Using Post-Auth-Type REJECT
# Executing group from file 
/usr/local/freeradius_new/etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 112 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 112
Sending Access-Reject of id 38 to 172.16.100.254 port 32771
     EAP-Message = 0x04060004
     Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, 
id=38, length=189
Sending duplicate reply to client XYZwifi2 port 32771 - ID: 38
Sending Access-Reject of id 38 to 172.16.100.254 port 32771
     EAP-Message = 0x04060004
     Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.3 seconds.
Cleaning up request 99 ID 25 with timestamp +564
Cleaning up request 100 ID 26 with timestamp +564
Waking up in 0.1 seconds.
Cleaning up request 101 ID 27 with timestamp +564
Cleaning up request 102 ID 28 with timestamp +565
Cleaning up request 103 ID 29 with timestamp +565
Cleaning up request 104 ID 30 with timestamp +565
Waking up in 1.0 seconds.
Cleaning up request 105 ID 31 with timestamp +565
Waking up in 2.1 seconds.
Cleaning up request 106 ID 32 with timestamp +568
Cleaning up request 107 ID 33 with timestamp +568
Waking up in 0.1 seconds.
Cleaning up request 108 ID 34 with timestamp +568
Cleaning up request 109 ID 35 with timestamp +568
Cleaning up request 110 ID 36 with timestamp +568
Cleaning up request 111 ID 37 with timestamp +568
Waking up in 1.0 seconds.
Cleaning up request 112 ID 38 with timestamp +568
Ready to process requests.



More information about the Freeradius-Users mailing list