TLS Certificate error?
Scott A. Johnson
scott.a.johnson at gmail.com
Tue May 26 04:46:14 CEST 2015
Hello,
I’m using version 2.2.0 which is installed with Mac OS X 10.10.3. Trying to get EAP-TLS working. I *think* I have my certificates installed, and permissions set correctly, however my clients can’t connect and the error, best I can tell, is certificate based as I receive the error “certificate signature failure”. Where I’m not sure is if this means I have something wrong with my public/private key, an error in my config files with FreeRadius, or something else entirely.
Pasting an excerpt of what I believe my problem is, then the entire listing when I run "sudo radiusd -X”.
Any help appreciated.
Thanks.
Scott
EXCERPT:
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 07f4], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = excelsior.REDACTED
[tls] --> BUF-Name = REDACTED CA ROOT
[tls] --> subject = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED at gmail.com
[tls] --> issuer = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED at gmail.com
[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate signature failure): [excelsior.REDACTED/<via Auth-Type = EAP>] (from client melbourne.REDACTED port 0 cli 80-BE-05-3A-12-72)
Using Post-Auth-Type REJECT
FULL OUTPUT OF “radiusd -X”
FreeRADIUS Version 2.2.0, for host i386-apple-darwin13.0, built on Mar 31 2015 at 12:21:58
Copyright (C) 1999-2012 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /Library/Server/radius/raddb/radiusd.conf
including configuration file /Library/Server/radius/raddb/clients.conf
including files in directory /Library/Server/radius/raddb/modules/
including configuration file /Library/Server/radius/raddb/modules/acct_unique
including configuration file /Library/Server/radius/raddb/modules/always
including configuration file /Library/Server/radius/raddb/modules/attr_filter
including configuration file /Library/Server/radius/raddb/modules/attr_rewrite
including configuration file /Library/Server/radius/raddb/modules/cache
including configuration file /Library/Server/radius/raddb/modules/chap
including configuration file /Library/Server/radius/raddb/modules/checkval
including configuration file /Library/Server/radius/raddb/modules/counter
including configuration file /Library/Server/radius/raddb/modules/cui
including configuration file /Library/Server/radius/raddb/modules/detail
including configuration file /Library/Server/radius/raddb/modules/detail.example.com
including configuration file /Library/Server/radius/raddb/modules/detail.log
including configuration file /Library/Server/radius/raddb/modules/dhcp_sqlippool
including configuration file /Library/Server/radius/raddb/sql/mysql/ippool-dhcp.conf
including configuration file /Library/Server/radius/raddb/modules/digest
including configuration file /Library/Server/radius/raddb/modules/dynamic_clients
including configuration file /Library/Server/radius/raddb/modules/echo
including configuration file /Library/Server/radius/raddb/modules/etc_group
including configuration file /Library/Server/radius/raddb/modules/exec
including configuration file /Library/Server/radius/raddb/modules/expiration
including configuration file /Library/Server/radius/raddb/modules/expr
including configuration file /Library/Server/radius/raddb/modules/files
including configuration file /Library/Server/radius/raddb/modules/inner-eap
including configuration file /Library/Server/radius/raddb/modules/ippool
including configuration file /Library/Server/radius/raddb/modules/krb5
including configuration file /Library/Server/radius/raddb/modules/ldap
including configuration file /Library/Server/radius/raddb/modules/linelog
including configuration file /Library/Server/radius/raddb/modules/logintime
including configuration file /Library/Server/radius/raddb/modules/mac2ip
including configuration file /Library/Server/radius/raddb/modules/mac2vlan
including configuration file /Library/Server/radius/raddb/modules/mschap
including configuration file /Library/Server/radius/raddb/modules/ntlm_auth
including configuration file /Library/Server/radius/raddb/modules/opendirectory
including configuration file /Library/Server/radius/raddb/modules/otp
including configuration file /Library/Server/radius/raddb/modules/pam
including configuration file /Library/Server/radius/raddb/modules/pap
including configuration file /Library/Server/radius/raddb/modules/passwd
including configuration file /Library/Server/radius/raddb/modules/perl
including configuration file /Library/Server/radius/raddb/modules/policy
including configuration file /Library/Server/radius/raddb/modules/preprocess
including configuration file /Library/Server/radius/raddb/modules/radrelay
including configuration file /Library/Server/radius/raddb/modules/radutmp
including configuration file /Library/Server/radius/raddb/modules/realm
including configuration file /Library/Server/radius/raddb/modules/redis
including configuration file /Library/Server/radius/raddb/modules/rediswho
including configuration file /Library/Server/radius/raddb/modules/replicate
including configuration file /Library/Server/radius/raddb/modules/smbpasswd
including configuration file /Library/Server/radius/raddb/modules/smsotp
including configuration file /Library/Server/radius/raddb/modules/soh
including configuration file /Library/Server/radius/raddb/modules/sql_log
including configuration file /Library/Server/radius/raddb/modules/sqlcounter_expire_on_login
including configuration file /Library/Server/radius/raddb/modules/sradutmp
including configuration file /Library/Server/radius/raddb/modules/unix
including configuration file /Library/Server/radius/raddb/modules/wimax
including configuration file /Library/Server/radius/raddb/eap.conf
including configuration file /Library/Server/radius/raddb/sql.conf
including configuration file /Library/Server/radius/raddb/sql/sqlite/dialup.conf
including configuration file /Library/Server/radius/raddb/policy.conf
including files in directory /Library/Server/radius/raddb/sites-enabled/
including configuration file /Library/Server/radius/raddb/sites-enabled/control-socket
including configuration file /Library/Server/radius/raddb/sites-enabled/default
including configuration file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
main {
allow_core_dumps = no
}
including dictionary file /Library/Server/radius/raddb/dictionary
main {
name = "radiusd"
prefix = "/Applications/Server.app/Contents/ServerRoot/usr"
localstatedir = "/private/var"
sbindir = "/Applications/Server.app/Contents/ServerRoot/usr/sbin"
logdir = "/private/var/log/radius"
run_dir = "/private/var"
libdir = "/Applications/Server.app/Contents/ServerRoot/usr/lib/freeradius"
radacctdir = "/private/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
pidfile = "/private/var/radiusd.pid"
checkrad = "/Applications/Server.app/Contents/ServerRoot/usr/sbin/checkrad"
debug_level = 0
proxy_requests = no
log {
stripped_names = no
auth = yes
auth_badpass = yes
auth_goodpass = yes
}
security {
max_attributes = 200
reject_delay = 1
status_server = yes
}
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
ipaddr = 127.0.0.1
require_message_authenticator = no
secret = "testing123"
nastype = "other"
}
radiusd: #### Instantiating modules ####
instantiate {
Module: Linked to module rlm_exec
Module: Instantiating module "exec" from file /Library/Server/radius/raddb/modules/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
}
Module: Linked to module rlm_expr
Module: Instantiating module "expr" from file /Library/Server/radius/raddb/modules/expr
Module: Linked to module rlm_expiration
Module: Instantiating module "expiration" from file /Library/Server/radius/raddb/modules/expiration
expiration {
reply-message = "Password Has Expired "
}
Module: Linked to module rlm_logintime
Module: Instantiating module "logintime" from file /Library/Server/radius/raddb/modules/logintime
logintime {
reply-message = "You are calling outside your allowed timespan "
minimum-timeout = 60
}
Module: Linked to module rlm_sql
Module: Instantiating module "sql" from file /Library/Server/radius/raddb/sql.conf
sql {
driver = "rlm_sql_sqlite"
server = "localhost"
port = ""
login = "radius"
password = "radpass"
radius_db = "radius"
read_groups = yes
sqltrace = no
sqltracefile = "/private/var/log/radius/sqltrace.sql"
readclients = yes
deletestalesessions = yes
num_sql_socks = 5
lifetime = 0
max_queries = 0
sql_user_name = "%{User-Name}"
default_user_profile = ""
nas_query = "SELECT id,nasname,shortname,type,secret FROM nas"
authorize_check_query = ""
authorize_group_check_query = ""
authorize_group_reply_query = ""
accounting_onoff_query = ""
accounting_update_query = ""
accounting_update_query_alt = ""
accounting_start_query = ""
accounting_start_query_alt = ""
accounting_stop_query = ""
accounting_stop_query_alt = ""
connect_failure_retry_delay = 60
simul_count_query = ""
simul_verify_query = ""
postauth_query = ""
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
}
rlm_sql (sql): Driver rlm_sql_sqlite (module rlm_sql_sqlite) loaded and linked
rlm_sql (sql): Attempting to connect to radius at localhost:/radius
rlm_sql (sql): starting 0
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #0
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #0
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #0
rlm_sql (sql): starting 1
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #1
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #1
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #1
rlm_sql (sql): starting 2
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #2
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #2
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #2
rlm_sql (sql): starting 3
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #3
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #3
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #3
rlm_sql (sql): starting 4
rlm_sql (sql): Attempting to connect rlm_sql_sqlite #4
rlm_sql_sqlite: Opening sqlite database /Library/Server/radius/raddb/sqlite_radius_client_database for #4
rlm_sql_sqlite: sqlite3_open() = 0
rlm_sql (sql): Connected new DB handle, #4
rlm_sql (sql): Processing generate_sql_clients
rlm_sql (sql) in generate_sql_clients: query is SELECT id,nasname,shortname,type,secret FROM nas
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_sqlite: sqlite3_prepare() = 0
rlm_sql_sqlite: sqlite3_step = 100
rlm_sql (sql): Read entry nasname=10.0.2.212,shortname=melbourne.REDACTED,secret=8AToGBlTfakHTRIgDkgxkJKOGpwPuRj8nC6WywGBmiQOiHL5oz
rlm_sql (sql): Adding client 10.0.2.212 (melbourne.REDACTED, server=<none>) to clients list
rlm_sql_sqlite: sqlite3_step = 101
rlm_sql_sqlite: sqlite3_finalize() = 0
rlm_sql (sql): Released sql socket id: 4
}
radiusd: #### Loading Virtual Servers ####
server { # from file /Library/Server/radius/raddb/radiusd.conf
modules {
Module: Creating Post-Auth-Type = REJECT
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /Library/Server/radius/raddb/eap.conf
eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 4096
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
CA_path = "/Library/Server/radius/raddb/certs"
pem_file_type = yes
private_key_file = "server.key"
certificate_file = "server.crt"
CA_file = "server.crt"
private_key_password = “REDACTED”
dh_file = "/Library/Server/radius/raddb/certs/dh"
random_file = "/Library/Server/radius/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/Library/Server/radius/raddb/certs/bootstrap"
ecdh_curve = "prime256v1"
cache {
enable = no
lifetime = 24
max_entries = 255
}
verify {
tmpdir = "/tmp/radiusd"
client = "/usr/bin/openssl verify -CApath /Library/Server/radius/raddb/certs %{TLS-Client-Cert-Filename}"
}
ocsp {
enable = no
override_cert_url = yes
url = "http://127.0.0.1/ocsp/"
use_nonce = yes
timeout = 0
softfail = no
}
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_preprocess
Module: Instantiating module "preprocess" from file /Library/Server/radius/raddb/modules/preprocess
preprocess {
huntgroups = "/Library/Server/radius/raddb/huntgroups"
hints = "/Library/Server/radius/raddb/hints"
with_ascend_hack = no
ascend_channels_per_line = 23
with_ntdomain_hack = no
with_specialix_jetstream_hack = no
with_cisco_vsa_hack = no
with_alvarion_vsa_hack = no
}
reading pairlist file /Library/Server/radius/raddb/huntgroups
reading pairlist file /Library/Server/radius/raddb/hints
Module: Linked to module rlm_realm
Module: Instantiating module "suffix" from file /Library/Server/radius/raddb/modules/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
}
Module: Checking preacct {...} for more modules to load
Module: Linked to module rlm_acct_unique
Module: Instantiating module "acct_unique" from file /Library/Server/radius/raddb/modules/acct_unique
acct_unique {
key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
}
Module: Linked to module rlm_files
Module: Instantiating module "files" from file /Library/Server/radius/raddb/modules/files
files {
usersfile = "/Library/Server/radius/raddb/users"
acctusersfile = "/Library/Server/radius/raddb/acct_users"
preproxy_usersfile = "/Library/Server/radius/raddb/preproxy_users"
compat = "no"
}
reading pairlist file /Library/Server/radius/raddb/users
reading pairlist file /Library/Server/radius/raddb/acct_users
reading pairlist file /Library/Server/radius/raddb/preproxy_users
Module: Checking accounting {...} for more modules to load
Module: Linked to module rlm_detail
Module: Instantiating module "detail" from file /Library/Server/radius/raddb/modules/detail
detail {
detailfile = "/private/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
header = "%t"
detailperm = 384
dirperm = 493
locking = no
log_packet_header = no
}
Module: Linked to module rlm_attr_filter
Module: Instantiating module "attr_filter.accounting_response" from file /Library/Server/radius/raddb/modules/attr_filter
attr_filter attr_filter.accounting_response {
attrsfile = "/Library/Server/radius/raddb/attrs.accounting_response"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /Library/Server/radius/raddb/attrs.accounting_response
Module: Checking session {...} for more modules to load
Module: Linked to module rlm_radutmp
Module: Instantiating module "radutmp" from file /Library/Server/radius/raddb/modules/radutmp
radutmp {
filename = "/private/var/log/radius/radutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
perm = 384
callerid = yes
}
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
Module: Instantiating module "attr_filter.access_reject" from file /Library/Server/radius/raddb/modules/attr_filter
attr_filter attr_filter.access_reject {
attrsfile = "/Library/Server/radius/raddb/attrs.access_reject"
key = "%{User-Name}"
relaxed = no
}
reading pairlist file /Library/Server/radius/raddb/attrs.access_reject
} # modules
} # server
server inner-tunnel { # from file /Library/Server/radius/raddb/sites-enabled/inner-tunnel
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pap
Module: Instantiating module "pap" from file /Library/Server/radius/raddb/modules/pap
pap {
encryption_scheme = "auto"
auto_header = no
}
Module: Linked to module rlm_chap
Module: Instantiating module "chap" from file /Library/Server/radius/raddb/modules/chap
Module: Linked to module rlm_mschap
Module: Instantiating module "mschap" from file /Library/Server/radius/raddb/modules/mschap
mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
allow_retry = yes
use_open_directory = yes
}
Module: Linked to module rlm_unix
Module: Instantiating module "unix" from file /Library/Server/radius/raddb/modules/unix
unix {
radwtmp = "/private/var/log/radius/radwtmp"
}
Module: Checking authorize {...} for more modules to load
Module: Checking session {...} for more modules to load
Module: Checking post-proxy {...} for more modules to load
Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
listen {
type = "control"
listen {
socket = "/private/var/radiusd.sock"
}
}
listen {
type = "auth"
ipaddr = 127.0.0.1
port = 18120
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /private/var/radiusd.sock
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Ready to process requests.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=4, length=210
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x024a001b01657863656c73696f722e616b67686574746f2e636f6d
Message-Authenticator = 0x25fa1d3162e5d274f37dd609d784e864
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 74 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 4 to 10.0.2.212 port 32817
EAP-Message = 0x014b00060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x01225f91016952cfb3e720410b079302
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=5, length=353
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x024b00980d800000008e16030100890100008503015563dc437b970647c704a53905a9ef995102a97e4e93d9353f774bd59e92d43000004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
State = 0x01225f91016952cfb3e720410b079302
Message-Authenticator = 0x09da5a8ca03143ce1fe242d7846b6c9a
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 75 length 152
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 142
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0089], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0446], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00bb], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 5 to 10.0.2.212 port 32817
EAP-Message = 0x014c04000dc00000075316030100310200002d03015563dc4307b72fca4a9e4d223bc00807a5c8cc128360c6d430002ed4736304d0000039000005ff0100010016030104460b00044200043f00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973
EAP-Message = 0x636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a
EAP-Message = 0x0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9fef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343
EAP-Message = 0x456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d2500300d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a
EAP-Message = 0x5878127fef2b98ebdd0d6593
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x01225f91006e52cfb3e720410b079302
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=6, length=207
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x024c00060d00
State = 0x01225f91006e52cfb3e720410b079302
Message-Authenticator = 0x55a0649c9f63d4eee5491d479d547ca2
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 76 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 10.0.2.212 port 32817
EAP-Message = 0x014d03670d80000007534fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a46518d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a30160301020d0c0002090080d5a9b49c3a74120e0ab80fafbacf3b7c0a0a4971814dcf0918484d21147c0971b222e6d2d8bc6fa92f13683f7f792a3ffffa6a0fd59dc268612175a84b610a268924ff711100ef2091bf096450b9fe33d9c89768044a45cf9922c54710
EAP-Message = 0xd83e201a78cbec5ff7df962d1d13c1ce76f59c2fb2e9fc36da77a054442693d74d56730001050080b27b19fb4ee27274196d95ffaadca22f8f817fb34b5483b91ba8e8cf67ade0612c3d0d7d0d4bdf047b5eb6a1fa0b8b41d1dde26d880bb887d803e383fa6c60c45682bfddfe9917fe7b65e5d8099b5932e567b985e5db31e25a13ade81d6a234f31ef5935664790e92fb6c8462c9b655127fd8a7fb1400e82d3495902b2c6986e010055a625d94b8a8dfa31dcf5203b924ac4236c8100b330c109baafc6fb94dfa08155421005aa93b3c9c54cc9e188506d010506e842b8d98daf5a47fbec72a550c55029272a5b9f0f934cfe972c749f9f41e0c4e9
EAP-Message = 0x673fdbaf8dd649de2f2983117345b1a634c9745a0ab2b5ea74a5dfa9e2a093a1268cea05ee70aac8276fc2312aef0bfa49f2933a50bae9fbcb15347caf38a1e575f86f7c4c6c584c6762cf51adf172aa3796f5a63da7352799c6794b02cd10042aa5f0e278c097867479489b4e7ce1ee57b3726a5b9da517169b01fdbc295ea66f0946c6282e5f5b65256d45549f21bd1dfd089f2ca0486ae99ab61639a3abec1cec4f9c69c3206409e2197bcc16030100bb0d0000b305030401024000ab00a93081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b301906035504
EAP-Message = 0x0b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x01225f91036f52cfb3e720410b079302
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=7, length=1487
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x024d04fc0dc0000009ca16030107f40b0007f00007ed0003ab308203a73082028fa00302010202010a300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532353032303233325a170d3136303532343032303233
EAP-Message = 0x325a305d311f301d06035504030c16657863656c73696f722e616b67686574746f2e636f6d310b3009060355040613025553312d302b06092a864886f70d010901161e73636f74742e612e6a6f686e736f6e4077656c6c73666172676f2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5a9c7fb77faa3b27e434505743b5e7662a6abc512d873049cae8074243cfc556439e7b4780dfb054f63dfbf148303b4a41c3c495c3c4837661888d88ffe3d3561fad3a3a07a006b8bc0031fbaf7f659c321208741b4b778eaeb4b076df24bfd4858c49bc271b7ec8fe518083f360cd4c2980ba1e4abb48c42a136
EAP-Message = 0xb97f33d0ba311a1ccb604cbeaba1900060a83ecc5132c925ef0e1883a4c1c9a3fd10305cc1f852f3db3ee819e252fc82270d6642da69633ae255bdcd9c596d5b5fcc1ae32cd36f2968c9ef5945b829e2370f4b1ef1466e5b6a806c0381abe60c0e70e90ba12b847b856ec79151ac41b0ebfb3b26562c2fdac6380acc9485584c999982702f0203010001a32a3028300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b06010505070302300d06092a864886f70d01010b050003820101007d3b8b74f07a5d7eb3acfa9870e571f69e9df262eaec17a4e9054aab826d7ce554cd6c7e159372be9efef6bd453b93d0f57b26
EAP-Message = 0x952dd184a421224f9dc3776c14ef596f47d5912dd87783c7d78ea14fca2f3eab987de8cd25434bf7c4f0a104b70fa6426677d300ccf844d1746c4649d91eaf82e7c8a9eae8b99960e3e0a9eb10599685bbbf4c6ada0c7a2d79bf23fe0cac48da9d444590fe378327c19ba1074c8f524592530c65c43c8b4c4b27b6534029dd87f140dca526b8d2731376b4ce55c3a9bdf88584a4bb9653394a4b8a1d0f6e3faaf5ba892daf7c52f7292c5c5d90ad7e6694d0f689e882998eddae207c584f92e77e0043a1afc685218f7f6643bd00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b
EAP-Message = 0x47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e657477
EAP-Message = 0x6f726b204f706572617469
State = 0x01225f91036f52cfb3e720410b079302
Message-Authenticator = 0x2440d17407bd35257e345216c3df16a4
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 77 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 2506
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 7 to 10.0.2.212 port 32817
EAP-Message = 0x014e00060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x01225f91026c52cfb3e720410b079302
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=8, length=1455
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x024e04de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9
EAP-Message = 0xfef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d250030
EAP-Message = 0x0d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a5878127fef2b98ebdd0d65934fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a4651
EAP-Message = 0x8d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a30160301008610000082008076ae79d0ea88643b5cbbc47bf605ea6056d9f9f31a2b3e4c4905ed82b9547d7088a6c38d72239281428afaddb24d8e9cd52a220cffafec9ed506b0e1d51559c5c82f9746a2f2a45ab5f47cfd255f2bbf170b5df1a4e50c73ed36b74a9abaa9476eab9a897463d55189dc935c669eaff7f3b452d991a13c51a7582dbc35a62f4316030101060f0001020100ac295e703efa852fb102990efb0b4204c27abf5c2a1f3d0c9f9751ad0e9b386ab5f4b63090c521fdbb38244eb5af4c8959076c80672747b2cf1dd327889db859ba6b7f68540272ce446fa569d3e59efd41
EAP-Message = 0x19daaa4c523ad21e6a8a114f41e86c0590d58e2098a6921c0cf1946f777f3825aaf06c4c7301de1a17ff2e8a46104ab57caddfe8e54e3da7f226a8f210e1d09b08b5318dd386c9ad50ae8996e29ae657d6d5827acb73447e6d556b001de51662637257da3d56164f09090a89aa8619fce80162d2b00361ceb84fdcdbb5c355a38bfb643fca4fdfab7ae0064dcd5a7a43d6ae9a6e048181213036647c37e421160ade6819f0bd28115eb9739d9da0b8140301000101160301003068e729c6d8580453099ff4313996d147ef59b22a90cb83af06b7e67ea7ab1cf22cc541fb61f6b978f7f9cdad684838aa
State = 0x01225f91026c52cfb3e720410b079302
Message-Authenticator = 0xb5c05f761e635be28cfe0d537a85e7e8
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 78 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 07f4], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = excelsior.REDACTED
[tls] --> BUF-Name = REDACTED CA ROOT
[tls] --> subject = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED at gmail.com
[tls] --> issuer = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED at gmail.com
[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate signature failure): [excelsior.REDACTED/<via Auth-Type = EAP>] (from client melbourne.REDACTED port 0 cli 80-BE-05-3A-12-72)
Using Post-Auth-Type REJECT
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group REJECT {...}
++? if ("%{EAP-Message}")
expand: %{EAP-Message} -> 0x024e04de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++- entering if ("%{EAP-Message}") {...}
expand: %{Message-Authenticator} -> 0xb5c05f761e635be28cfe0d537a85e7e8
+++[reply] returns noop
++- if ("%{EAP-Message}") returns noop
[attr_filter.access_reject] expand: %{User-Name} -> excelsior.REDACTED
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 4 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 4
Sending Access-Reject of id 8 to 10.0.2.212 port 32817
EAP-Message = 0x044e0004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=9, length=210
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02f2001b01657863656c73696f722e616b67686574746f2e636f6d
Message-Authenticator = 0x83c791cc5877bd077c0961d93cecdead
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 242 length 27
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 9 to 10.0.2.212 port 32817
EAP-Message = 0x01f300060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd1d2c5bcdee2148e0c4efca7138c662
Finished request 5.
Going to the next request
Waking up in 3.3 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=10, length=353
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02f300980d800000008e16030100890100008503015563dc45cc56c1efaa2cc6712a2b8e5493a662ee52a6311a68b42c0d1001822f00004a00ffc024c023c00ac009c008c028c027c014c013c012c026c025c005c004c003c02ac029c00fc00ec00d006b0067003900330016003d003c0035002f000ac007c011c002c00c0005000401000012000a00080006001700180019000b00020100
State = 0xcd1d2c5bcdee2148e0c4efca7138c662
Message-Authenticator = 0x90be50ebd35ab89ba525e4dfa557d9a7
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 243 length 152
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 142
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0089], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0446], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00bb], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 10 to 10.0.2.212 port 32817
EAP-Message = 0x01f404000dc00000075316030100310200002d03015563dc45971ac2228efffbc2df066c646694798f220d29d35d3965cba5076c76000039000005ff0100010016030104460b00044200043f00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973
EAP-Message = 0x636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a
EAP-Message = 0x0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9fef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343
EAP-Message = 0x456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d2500300d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a
EAP-Message = 0x5878127fef2b98ebdd0d6593
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd1d2c5bcce92148e0c4efca7138c662
Finished request 6.
Going to the next request
Waking up in 3.2 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=11, length=207
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02f400060d00
State = 0xcd1d2c5bcce92148e0c4efca7138c662
Message-Authenticator = 0xdcb38934bb553b00882b2180b31f24bb
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 244 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 11 to 10.0.2.212 port 32817
EAP-Message = 0x01f503670d80000007534fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a46518d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a30160301020d0c0002090080d5a9b49c3a74120e0ab80fafbacf3b7c0a0a4971814dcf0918484d21147c0971b222e6d2d8bc6fa92f13683f7f792a3ffffa6a0fd59dc268612175a84b610a268924ff711100ef2091bf096450b9fe33d9c89768044a45cf9922c54710
EAP-Message = 0xd83e201a78cbec5ff7df962d1d13c1ce76f59c2fb2e9fc36da77a054442693d74d567300010500802a74984a5f651db815612265315dab94cf8ed8c35f12a8ee8dc65d8dfafff25805842759ee1c223670e1e0fb9f51955c53c3d149c00ea3ece7518a3b0b318b156b4f10fab1e590862ad49fbcae23df2430a00b43a1bad6b8a1e5f1fdb7d9c4e087d54303984ec695ef01e5a1dae25f12b9edaf1e0de139a13e990bf836e885bc01007594387c10b6cf639b83bb1551526e7edd3bb849d14dc36550f42316166daeed07f22037e614f598d8ee419f566efac7ad90b71d88799a5fcc5dd52cabacaaf3e1b86bd37786cf050f800edb179894dc8d6223
EAP-Message = 0x4a05c165eeb09b5db2f7bff6598bcd4cc6d8245d14ec9b7466f3f10395c02b82586687fe0c0f117cfa5d6bff8c6dc78899f4d7b62e6ec88467b4296ce9d6f4272254aa8d683545a26feb8b863f44fb13cc0083740dc540507327a2d004c06fe7691ca49eb813b33aff9442d1dba472830ec56b16bc5a20111598815131ba26aa9822b1176bb948597833f49bc2e46b6bdd80d76593b2d27b5cd23983bdc4b608a0029d25a3d2fcb3806bc9435616030100bb0d0000b305030401024000ab00a93081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b301906035504
EAP-Message = 0x0b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d0e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd1d2c5bcfe82148e0c4efca7138c662
Finished request 7.
Going to the next request
Waking up in 3.1 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=12, length=1487
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02f504fc0dc0000009ca16030107f40b0007f00007ed0003ab308203a73082028fa00302010202010a300b06092a864886f70d01010b3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532353032303233325a170d3136303532343032303233
EAP-Message = 0x325a305d311f301d06035504030c16657863656c73696f722e616b67686574746f2e636f6d310b3009060355040613025553312d302b06092a864886f70d010901161e73636f74742e612e6a6f686e736f6e4077656c6c73666172676f2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100c5a9c7fb77faa3b27e434505743b5e7662a6abc512d873049cae8074243cfc556439e7b4780dfb054f63dfbf148303b4a41c3c495c3c4837661888d88ffe3d3561fad3a3a07a006b8bc0031fbaf7f659c321208741b4b778eaeb4b076df24bfd4858c49bc271b7ec8fe518083f360cd4c2980ba1e4abb48c42a136
EAP-Message = 0xb97f33d0ba311a1ccb604cbeaba1900060a83ecc5132c925ef0e1883a4c1c9a3fd10305cc1f852f3db3ee819e252fc82270d6642da69633ae255bdcd9c596d5b5fcc1ae32cd36f2968c9ef5945b829e2370f4b1ef1466e5b6a806c0381abe60c0e70e90ba12b847b856ec79151ac41b0ebfb3b26562c2fdac6380acc9485584c999982702f0203010001a32a3028300e0603551d0f0101ff04040302078030160603551d250101ff040c300a06082b06010505070302300d06092a864886f70d01010b050003820101007d3b8b74f07a5d7eb3acfa9870e571f69e9df262eaec17a4e9054aab826d7ce554cd6c7e159372be9efef6bd453b93d0f57b26
EAP-Message = 0x952dd184a421224f9dc3776c14ef596f47d5912dd87783c7d78ea14fca2f3eab987de8cd25434bf7c4f0a104b70fa6426677d300ccf844d1746c4649d91eaf82e7c8a9eae8b99960e3e0a9eb10599685bbbf4c6ada0c7a2d79bf23fe0cac48da9d444590fe378327c19ba1074c8f524592530c65c43c8b4c4b27b6534029dd87f140dca526b8d2731376b4ce55c3a9bdf88584a4bb9653394a4b8a1d0f6e3faaf5ba892daf7c52f7292c5c5d90ad7e6694d0f689e882998eddae207c584f92e77e0043a1afc685218f7f6643bd00043c3082043830820320a003020102020101300b06092a864886f70d01010b3081a63119301706035504030c10414b
EAP-Message = 0x47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e6574776f726b204f7065726174696f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d301e170d3135303532343233313834335a170d3138303930353233313834335a3081a63119301706035504030c10414b47686574746f20434120524f4f5431153013060355040a0c0c414b47686574746f2e636f6d311b3019060355040b0c124e657477
EAP-Message = 0x6f726b204f706572617469
State = 0xcd1d2c5bcfe82148e0c4efca7138c662
Message-Authenticator = 0x298751ce5d021e84c76d895e0d8079f4
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 245 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 2506
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 12 to 10.0.2.212 port 32817
EAP-Message = 0x01f600060d00
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xcd1d2c5bceeb2148e0c4efca7138c662
Finished request 8.
Going to the next request
Waking up in 3.0 seconds.
rad_recv: Access-Request packet from host 10.0.2.212 port 32817, id=13, length=1455
User-Name = "excelsior.REDACTED"
NAS-IP-Address = 10.0.2.212
NAS-Identifier = "0418d6105a2e"
NAS-Port = 0
Called-Station-Id = "04-18-D6-1B-45-C1:secure.REDACTED"
Calling-Station-Id = "80-BE-05-3A-12-72"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0x02f604de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9
EAP-Message = 0xfef0de66f643ff1883fcd74b98448db4e231be0eebe7a39144dc646473f91be952fb407429f944fffe2b16fc17a2e13cff5873043246f4c89ebc61e01427ced66633cf4685183e18fd1e906c88facb1878394181e00f1369d12c69825f22ae2ad31022cc35158a61e80a611ff3d8ddc0bb211baca7b4696f09491343456438585a7840db0203010001a371306f300f0603551d130101ff040530030101ff300e0603551d0f0101ff0404030201be304c0603551d250101ff0442304006082b0601050507030406082b0601050507030206082b0601050507030106082b0601050507030306072b06010502030406072b0601050203050604551d250030
EAP-Message = 0x0d06092a864886f70d01010b050003820101003998868f30bb38272971676fbfb238c12a845b76744db0a22dfcdd2026b08c22a5ad4c058c1379440372336cbb283bc9cabc6c7b0068b338c25e9dd37a6092a305afe2fd36af92a0bb2ad05ed31b131b3f5ce08df86f19d93251108e1ba90356e17aec90aab58f7d7a5878127fef2b98ebdd0d65934fa5e8c2905f845d124c1271b0a022f8c74304c3f1fc6c606367141945240a914b538239f27c525a8cdbc8c27a9a0324829d5d76b9265799375e69a7c3a50ba06cdb8698104c7d117c41fa5fe7c171fcb4bcc157bb1a1c61972be7cd8c672f232c7d9471d5f8a81dae59793a4dbd8f4000573a4651
EAP-Message = 0x8d94cc58c4cf1e9bb11ceceacadb58fe77ff4c086a3016030100861000008200804ab58d0bb504ba8bb26f9fd078ddcbc4aab6f191a7e1e48a524480cfa18bc27345f630b26ad1e3cd9f7ad682b523817dd0a5aacd64893ccc72a61bfdb27048497aec9cbdd524ceb647df1532e882e620b3e77aef1eef10fe24406f6ec8191a52a775ea1904cc67e821a95e975e998e4eeab9dc2702bb0fd7268357a0e289076316030101060f00010201004f060c2d60aa075ac423db932d27aefbb53d8acbd4be8a342ffaaa7673d7476e3570fe68076f5f01dde2bba47b2be20a33f7f3da5396e77eb0f9c8635e8caf4518cd6cec5fafcfde331f16214d543923c1
EAP-Message = 0xd8ba2376518d720ccaaea91f2e74d75e25586d5585700085f07abaa37767f460b5531242341cd9593974f7779fb4aed46e04763f7a3d5cdd40bb6eeb210099d7f77b5b800d86f34cc668b38332954abdaa04b683b343c3dff5c956f517a0b9867c3e002f98174f7502e58b0755a807e38550fc07b273caa714e49485396ddf95298de41f291319725b40bc272983a9abc5ac0eaccffeb4b50ecb0d456e4035b885d1ae1b28803a12148777dd770b0b1403010001011603010030943862ac5b33a9d15a6c49d981287e7bc9e8ada5924a68ea08562ec6fb5696c9aabc5aeb7408ccb8fbcdb5a4f25c37c6
State = 0xcd1d2c5bceeb2148e0c4efca7138c662
Message-Authenticator = 0x524988758316be767df6d5d82b608979
# Executing section authorize from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[suffix] No '@' in User-Name = "excelsior.REDACTED", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 246 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[expiration] returns noop
++[logintime] returns noop
Found Auth-Type = EAP
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 07f4], Certificate
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = excelsior.REDACTED
[tls] --> BUF-Name = REDACTED CA ROOT
[tls] --> subject = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED at gmail.com
[tls] --> issuer = /CN=REDACTED CA ROOT/O=REDACTED/OU=Network Operations/ST=Alaska/C=US/L=Nome/emailAddress=REDACTED at gmail.com
[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (certificate signature failure): [excelsior.REDACTED/<via Auth-Type = EAP>] (from client melbourne.REDACTED port 0 cli 80-BE-05-3A-12-72)
Using Post-Auth-Type REJECT
# Executing group from file /Library/Server/radius/raddb/sites-enabled/default
+- entering group REJECT {...}
++? if ("%{EAP-Message}")
expand: %{EAP-Message} -> 0x02f604de0d006f6e73310f300d06035504080c06416c61736b61310b3009060355040613025553310d300b06035504070c044e6f6d653128302606092a864886f70d010901161973636f74742e612e6a6f686e736f6e40676d61696c2e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100d382b05f1f2b02e7d4e7029d8bc1abfaddc1d4d2c7fa97698adb0e930d4bbb780d3a38637c8943e2d2ecac3e190318ca0c24b58f1ab98fbbfa9f066452d3fae77183eaad7b8459f275cc4d2f8b84a60dee373e40dff311eab2b5db0e212739fc71298002e5265282568ffea594b7c7c0fed2adee0129df98474e69a9
? Evaluating ("%{EAP-Message}") -> TRUE
++? if ("%{EAP-Message}") -> TRUE
++- entering if ("%{EAP-Message}") {...}
expand: %{Message-Authenticator} -> 0x524988758316be767df6d5d82b608979
+++[reply] returns noop
++- if ("%{EAP-Message}") returns noop
[attr_filter.access_reject] expand: %{User-Name} -> excelsior.REDACTED
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 13 to 10.0.2.212 port 32817
EAP-Message = 0x04f60004
Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1.9 seconds.
Cleaning up request 0 ID 4 with timestamp +13
Cleaning up request 1 ID 5 with timestamp +13
Cleaning up request 2 ID 6 with timestamp +13
Waking up in 0.1 seconds.
Cleaning up request 3 ID 7 with timestamp +13
Waking up in 1.0 seconds.
Cleaning up request 4 ID 8 with timestamp +13
Waking up in 0.4 seconds.
Cleaning up request 5 ID 9 with timestamp +15
Cleaning up request 6 ID 10 with timestamp +15
Cleaning up request 7 ID 11 with timestamp +15
Waking up in 0.1 seconds.
Cleaning up request 8 ID 12 with timestamp +15
Waking up in 1.0 seconds.
Cleaning up request 9 ID 13 with timestamp +15
Ready to process requests.
More information about the Freeradius-Users
mailing list