Alan DeKok aland at
Fri Nov 4 01:08:22 CET 2016

On Nov 3, 2016, at 6:43 AM, Davide Belloni <davide.belloni at> wrote:
> here's the log in question:Nov  2 16:53:15 radiusd[12046]: Received
> Access-Request packet from host port 1645, id=108, length=216

  PLEASE use "radiusd -X".  Not "radiusd -Xxxxxx".  The extra information just makes it hard to read.

> I can't see the client certificate, do you think that I'm executing not an
> EAP-TLS auth?

  It's not doing EAP-TLS, because the request is being rejected.

  Why?  Something in your local configuration is rejecting it. Maybe like 55 of the "users" file.

> And why, if the last ulang check is TRUE, the request isn't proxied?

  Because the unlang checks don't proxy when they return true.  And, because something else is making the server reject the packet.

> User-Name, that I think is retrieved from certificate's CN by Windows. Is
> it not correct?

  That should be correct.  But Windows sometimes does crazy things.

> I'm trying this setup because with "realms" configuration I can't filter
> the SSID

 There are many, many, ways to reach the same goal.  Some are simpler than others.

  Alan DeKok.

More information about the Freeradius-Users mailing list