EAP-TLS for iPhone on 10.1.1

tj2718 at aol.com
Fri Nov 4 22:40:53 CET 2016


Hello,

I am running CentOS 7, Samba 4.2.10, FreeRADIUS 3.0.4.  The client I'm having
trouble with is an iPhone 6 running iOS 10.1.1.

With help from this list I was able to get LDAP queries and EAP-TLS certificates working on
Windows devices.  Now I am on to iPhones and running into EAP-TLS/SSL errors that I was hoping to get
insight on as well.  I've added the full radius -X below but the part I think is the issue is the following:

(11)  eap : Peer sent method TLS (13)
(11)  eap : EAP TLS (13)
(11)  eap : Calling eap_tls to process EAP data
(11)  eap_tls : Authenticate
(11)  eap_tls : processing EAP-TLS
  TLS Length 7
(11)  eap_tls : Length Included
(11)  eap_tls : eaptls_verify returned 11
(11)  eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(11)  ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(11)  ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(11)  eap_tls : eaptls_process returned 4
(11)  ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(11)  eap : Failed in EAP select
(11)   [eap] = invalid
(11)  } #  authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject

At this point I don't know if the issue is the certificates I'm using, such as
Apple/iOS devices requiring additional attributes for certificates the
way Windows XP does, or perhaps a configuration issue on my FreeRADIUS server
that I can change to allow the iPhone to connect successfully.

I have added the individual .p12 certificate for the iPhone and the root
CA of the FreeRADIUS server to the iPhone via MobileIron.  The WiFi network shows
up on the iPhone and when I click the WPA2 Enterprise test network to join,
it spins for a little bit before failing.

As always, any help or insights would be greatly appreciated.

Thank you,
Travis
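
Added example, not part of the original post: a small decoder for the EAP-Message values that appear in this message's debug output, showing that the peer's last packet is an EAP-TLS response carrying a single plaintext TLS alert (warning, close_notify) sent where the server expected the client certificate. The function and table names are this example's own; the hex strings are copied from the EAP-Message attributes in the post.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert",
               22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca",
                      70: "protocol_version"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 13: "CertificateRequest",
                   14: "ServerHelloDone", 15: "CertificateVerify",
                   16: "ClientKeyExchange", 20: "Finished"}


def parse_tls_records(data):
    """Walk TLS record headers. Only meaningful for a packet that starts on a
    record boundary (an unfragmented message or the first fragment) and for
    records sent before encryption starts."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack_from("!BBBH", data, pos)
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_CONTENT.get(ctype, f"unknown({ctype})"),
               "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
               "length": rlen, "truncated": len(body) < rlen}
        if ctype == 21 and len(body) >= 2:
            rec["detail"] = (f"{ALERT_LEVELS.get(body[0], body[0])} "
                             f"{ALERT_DESCRIPTIONS.get(body[1], body[1])}")
        elif ctype == 22 and body:
            rec["detail"] = HANDSHAKE_TYPES.get(body[0], f"type {body[0]}")
        records.append(rec)
        pos += 5 + rlen
    return records


def decode_eap(hex_value):
    """Decode one EAP-Message value as printed in the debug log (0x...)."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack_from("!BBH", raw, 0)
    if length > len(raw):
        raise ValueError("EAP length field exceeds the bytes supplied")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:
        return pkt                      # Success/Failure carry no type field
    etype, data = raw[4], raw[5:length]
    pkt["type"] = EAP_TYPES.get(etype, f"type {etype}")
    if etype == 1:
        pkt["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:
        pkt["wanted"] = [EAP_TYPES.get(t, f"type {t}") for t in data]
    elif etype in (13, 25) and data:
        flags, tls = data[0], data[1:]
        # L = TLS length included, M = more fragments, S = start
        pkt["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                        if flags & bit]
        if flags & 0x80:
            if len(tls) < 4:
                raise ValueError("L flag set but no TLS length field")
            pkt["tls_length"] = struct.unpack_from("!I", tls)[0]
            tls = tls[4:]
        pkt["records"] = parse_tls_records(tls)
    return pkt


# EAP-Message values copied from the debug output in this post.
IDENTITY = "0x02a8000e0174656c736265727279"
NAK = "0x02a90006030d"
TLS_START = "0x01aa00060d20"
CLIENT_HELLO = ("0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68"
                "d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c0"
                "23c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023"
                "000a00080006001700180019000b0002010000050005010000000000120000"
                "00170000")
FINAL_ALERT = "0x02ad00110d800000000715030100020100"

if __name__ == "__main__":
    for name, value in [("identity", IDENTITY), ("nak", NAK),
                        ("start", TLS_START), ("client hello", CLIENT_HELLO),
                        ("final", FINAL_ALERT)]:
        print(f"{name:13s} {decode_eap(value)}")
```
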

***** radius -X *****
Ready to process requests
Received Access-Request Id 102 from 10.10.2.164:50046 to 10.10.0.238:1812 length 169
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02a8000e0174656c736265727279
        Message-Authenticator = 0xf92f238034e67c450f8ae544f95a1c15
(0) Received Access-Request packet from host 10.10.2.164 port 50046, id=102, length=169
(0)     User-Name = 'telsberry'
(0)     NAS-IP-Address = 10.10.2.164
(0)     NAS-Identifier = '24a43c08fe80'
(0)     NAS-Port = 0
(0)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(0)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(0)     Framed-MTU = 1400
(0)     NAS-Port-Type = Wireless-802.11
(0)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(0)     EAP-Message = 0x02a8000e0174656c736265727279
(0)     Message-Authenticator = 0xf92f238034e67c450f8ae544f95a1c15
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0)   authorize {
(0)   filter_username filter_username {
(0)     if (!&User-Name)
(0)     if (!&User-Name)  -> FALSE
(0)     if (&User-Name =~ / /)
(0)     if (&User-Name =~ / /)  -> FALSE
(0)     if (&User-Name =~ /@.*@/ )
(0)     if (&User-Name =~ /@.*@/ )  -> FALSE
(0)     if (&User-Name =~ /\\.\\./ )
(0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(0)     if (&User-Name =~ /\\.$/)
(0)     if (&User-Name =~ /\\.$/)   -> FALSE
(0)     if (&User-Name =~ /@\\./)
(0)     if (&User-Name =~ /@\\./)   -> FALSE
(0)   } # filter_username filter_username = notfound
(0)   [preprocess] = ok
(0)   [chap] = noop
(0)   [mschap] = noop
(0)   [digest] = noop
(0)  suffix : Checking for suffix after "@"
(0)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(0)  suffix : No such realm "NULL"
(0)   [suffix] = noop
(0)  ntdomain : Checking for prefix before "\"
(0)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(0)  ntdomain : No such realm "NULL"
(0)   [ntdomain] = noop
(0)  eap : Peer sent code Response (2) ID 168 length 14
(0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)   [eap] = ok
(0)  } #  authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0)   authenticate {
(0)  eap : Peer sent method Identity (1)
(0)  eap : Calling eap_peap to process EAP data
(0)  eap_peap : Flushing SSL sessions (of #0)
(0)  eap_peap : Initiate
(0)  eap_peap : Start returned 1
(0)  eap : New EAP session, adding 'State' attribute to reply 0x38b7b867381ea1e6
(0)   [eap] = handled
(0)  } #  authenticate = handled
(0) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=102, length=0
(0)     EAP-Message = 0x01a900061920
(0)     Message-Authenticator = 0x00000000000000000000000000000000
(0)     State = 0x38b7b867381ea1e69a6c9c1f62dac08f
Sending Access-Challenge Id 102 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 0x01a900061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x38b7b867381ea1e69a6c9c1f62dac08f
(0) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 103 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02a90006030d
        State = 0x38b7b867381ea1e69a6c9c1f62dac08f
        Message-Authenticator = 0xc53947fd81bdbd9218fb95ecdd62cf70
(1) Received Access-Request packet from host 10.10.2.164 port 50046, id=103, length=179
(1)     User-Name = 'telsberry'
(1)     NAS-IP-Address = 10.10.2.164
(1)     NAS-Identifier = '24a43c08fe80'
(1)     NAS-Port = 0
(1)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(1)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(1)     Framed-MTU = 1400
(1)     NAS-Port-Type = Wireless-802.11
(1)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(1)     EAP-Message = 0x02a90006030d
(1)     State = 0x38b7b867381ea1e69a6c9c1f62dac08f
(1)     Message-Authenticator = 0xc53947fd81bdbd9218fb95ecdd62cf70
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)   filter_username filter_username {
(1)     if (!&User-Name)
(1)     if (!&User-Name)  -> FALSE
(1)     if (&User-Name =~ / /)
(1)     if (&User-Name =~ / /)  -> FALSE
(1)     if (&User-Name =~ /@.*@/ )
(1)     if (&User-Name =~ /@.*@/ )  -> FALSE
(1)     if (&User-Name =~ /\\.\\./ )
(1)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(1)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(1)     if (&User-Name =~ /\\.$/)
(1)     if (&User-Name =~ /\\.$/)   -> FALSE
(1)     if (&User-Name =~ /@\\./)
(1)     if (&User-Name =~ /@\\./)   -> FALSE
(1)   } # filter_username filter_username = notfound
(1)   [preprocess] = ok
(1)   [chap] = noop
(1)   [mschap] = noop
(1)   [digest] = noop
(1)  suffix : Checking for suffix after "@"
(1)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(1)  suffix : No such realm "NULL"
(1)   [suffix] = noop
(1)  ntdomain : Checking for prefix before "\"
(1)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(1)  ntdomain : No such realm "NULL"
(1)   [ntdomain] = noop
(1)  eap : Peer sent code Response (2) ID 169 length 6
(1)  eap : No EAP Start, assuming it's an on-going EAP conversation
(1)   [eap] = updated
(1)   [files] = noop
(1)   [expiration] = noop
(1)   [logintime] = noop
(1)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(1)  WARNING: pap : Authentication will fail unless a "known good" password is available
(1)   [pap] = noop
(1)  } #  authorize = updated
(1) Found Auth-Type = EAP
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   authenticate {
(1)  eap : Expiring EAP session with state 0x38b7b867381ea1e6
(1)  eap : Finished EAP session with state 0x38b7b867381ea1e6
(1)  eap : Previous EAP request found for state 0x38b7b867381ea1e6, released from the list
(1)  eap : Peer sent method NAK (3)
(1)  eap : Found mutually acceptable type TLS (13)
(1)  eap : Calling eap_tls to process EAP data
(1)  eap_tls : Requiring client certificate
(1)  eap_tls : Initiate
(1)  eap_tls : Requiring client certificate
(1)  eap_tls : Start returned 1
(1)  eap : New EAP session, adding 'State' attribute to reply 0x38b7b867391db5e6
(1)   [eap] = handled
(1)  } #  authenticate = handled
(1) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=103, length=0
(1)     EAP-Message = 0x01aa00060d20
(1)     Message-Authenticator = 0x00000000000000000000000000000000
(1)     State = 0x38b7b867391db5e69a6c9c1f62dac08f
Sending Access-Challenge Id 103 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 0x01aa00060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x38b7b867391db5e69a6c9c1f62dac08f
(1) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 104 from 10.10.2.164:50046 to 10.10.0.238:1812 length 300
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
        State = 0x38b7b867391db5e69a6c9c1f62dac08f
        Message-Authenticator = 0xa1e0bcb1d1b00775ebbc1ce4a245048b
(2) Received Access-Request packet from host 10.10.2.164 port 50046, id=104, length=300
(2)     User-Name = 'telsberry'
(2)     NAS-IP-Address = 10.10.2.164
(2)     NAS-Identifier = '24a43c08fe80'
(2)     NAS-Port = 0
(2)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(2)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(2)     Framed-MTU = 1400
(2)     NAS-Port-Type = Wireless-802.11
(2)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(2)     EAP-Message = 0x02aa007f0d800000007516030100700100006c0301581cbf0ca2d28cea68d276805042fd88c6e95061393ba9592634261687604d5500002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
(2)     State = 0x38b7b867391db5e69a6c9c1f62dac08f
(2)     Message-Authenticator = 0xa1e0bcb1d1b00775ebbc1ce4a245048b
(2) # Executing section authorize from file /etc/raddb/sites-enabled/default
(2)   authorize {
(2)   filter_username filter_username {
(2)     if (!&User-Name)
(2)     if (!&User-Name)  -> FALSE
(2)     if (&User-Name =~ / /)
(2)     if (&User-Name =~ / /)  -> FALSE
(2)     if (&User-Name =~ /@.*@/ )
(2)     if (&User-Name =~ /@.*@/ )  -> FALSE
(2)     if (&User-Name =~ /\\.\\./ )
(2)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(2)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(2)     if (&User-Name =~ /\\.$/)
(2)     if (&User-Name =~ /\\.$/)   -> FALSE
(2)     if (&User-Name =~ /@\\./)
(2)     if (&User-Name =~ /@\\./)   -> FALSE
(2)   } # filter_username filter_username = notfound
(2)   [preprocess] = ok
(2)   [chap] = noop
(2)   [mschap] = noop
(2)   [digest] = noop
(2)  suffix : Checking for suffix after "@"
(2)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(2)  suffix : No such realm "NULL"
(2)   [suffix] = noop
(2)  ntdomain : Checking for prefix before "\"
(2)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(2)  ntdomain : No such realm "NULL"
(2)   [ntdomain] = noop
(2)  eap : Peer sent code Response (2) ID 170 length 127
(2)  eap : No EAP Start, assuming it's an on-going EAP conversation
(2)   [eap] = updated
(2)   [files] = noop
(2)   [expiration] = noop
(2)   [logintime] = noop
(2)   [pap] = noop
(2)  } #  authorize = updated
(2) Found Auth-Type = EAP
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   authenticate {
(2)  eap : Expiring EAP session with state 0x38b7b867391db5e6
(2)  eap : Finished EAP session with state 0x38b7b867391db5e6
(2)  eap : Previous EAP request found for state 0x38b7b867391db5e6, released from the list
(2)  eap : Peer sent method TLS (13)
(2)  eap : EAP TLS (13)
(2)  eap : Calling eap_tls to process EAP data
(2)  eap_tls : Authenticate
(2)  eap_tls : processing EAP-TLS
  TLS Length 117
(2)  eap_tls : Length Included
(2)  eap_tls : eaptls_verify returned 11
(2)  eap_tls : (other): before/accept initialization
(2)  eap_tls : TLS_accept: before/accept initialization
(2)  eap_tls : <<< TLS 1.0 Handshake [length 0070], ClientHello
(2)  eap_tls : TLS_accept: SSLv3 read client hello A
(2)  eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(2)  eap_tls : TLS_accept: SSLv3 write server hello A
(2)  eap_tls : >>> TLS 1.0 Handshake [length 085c], Certificate
(2)  eap_tls : TLS_accept: SSLv3 write certificate A
(2)  eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(2)  eap_tls : TLS_accept: SSLv3 write key exchange A
(2)  eap_tls : >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(2)  eap_tls : TLS_accept: SSLv3 write certificate request A
(2)  eap_tls : TLS_accept: SSLv3 flush data
(2)  eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(2)  eap_tls : eaptls_process returned 13
(2)  eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673a1cb5e6
(2)   [eap] = handled
(2)  } #  authenticate = handled
(2) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=104, length=0
(2)     EAP-Message = 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
(2)     Message-Authenticator = 0x00000000000000000000000000000000
(2)     State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
Sending Access-Challenge Id 104 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
(2) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 105 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02ab00060d00
        State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
        Message-Authenticator = 0x9b16c07977b90cec214cdd76a5845ebd
(3) Received Access-Request packet from host 10.10.2.164 port 50046, id=105, length=179
(3)     User-Name = 'telsberry'
(3)     NAS-IP-Address = 10.10.2.164
(3)     NAS-Identifier = '24a43c08fe80'
(3)     NAS-Port = 0
(3)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(3)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(3)     Framed-MTU = 1400
(3)     NAS-Port-Type = Wireless-802.11
(3)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(3)     EAP-Message = 0x02ab00060d00
(3)     State = 0x38b7b8673a1cb5e69a6c9c1f62dac08f
(3)     Message-Authenticator = 0x9b16c07977b90cec214cdd76a5845ebd
(3) # Executing section authorize from file /etc/raddb/sites-enabled/default
(3)   authorize {
(3)   filter_username filter_username {
(3)     if (!&User-Name)
(3)     if (!&User-Name)  -> FALSE
(3)     if (&User-Name =~ / /)
(3)     if (&User-Name =~ / /)  -> FALSE
(3)     if (&User-Name =~ /@.*@/ )
(3)     if (&User-Name =~ /@.*@/ )  -> FALSE
(3)     if (&User-Name =~ /\\.\\./ )
(3)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(3)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(3)     if (&User-Name =~ /\\.$/)
(3)     if (&User-Name =~ /\\.$/)   -> FALSE
(3)     if (&User-Name =~ /@\\./)
(3)     if (&User-Name =~ /@\\./)   -> FALSE
(3)   } # filter_username filter_username = notfound
(3)   [preprocess] = ok
(3)   [chap] = noop
(3)   [mschap] = noop
(3)   [digest] = noop
(3)  suffix : Checking for suffix after "@"
(3)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(3)  suffix : No such realm "NULL"
(3)   [suffix] = noop
(3)  ntdomain : Checking for prefix before "\"
(3)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(3)  ntdomain : No such realm "NULL"
(3)   [ntdomain] = noop
(3)  eap : Peer sent code Response (2) ID 171 length 6
(3)  eap : No EAP Start, assuming it's an on-going EAP conversation
(3)   [eap] = updated
(3)   [files] = noop
(3)   [expiration] = noop
(3)   [logintime] = noop
(3)   [pap] = noop
(3)  } #  authorize = updated
(3) Found Auth-Type = EAP
(3) # Executing group from file /etc/raddb/sites-enabled/default
(3)   authenticate {
(3)  eap : Expiring EAP session with state 0x38b7b8673a1cb5e6
(3)  eap : Finished EAP session with state 0x38b7b8673a1cb5e6
(3)  eap : Previous EAP request found for state 0x38b7b8673a1cb5e6, released from the list
(3)  eap : Peer sent method TLS (13)
(3)  eap : EAP TLS (13)
(3)  eap : Calling eap_tls to process EAP data
(3)  eap_tls : Authenticate
(3)  eap_tls : processing EAP-TLS
(3)  eap_tls : Received TLS ACK
(3)  eap_tls : Received TLS ACK
(3)  eap_tls : ACK handshake fragment handler
(3)  eap_tls : eaptls_verify returned 1
(3)  eap_tls : eaptls_process returned 13
(3)  eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673b1bb5e6
(3)   [eap] = handled
(3)  } #  authenticate = handled
(3) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=105, length=0
(3)     EAP-Message = 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
(3)     Message-Authenticator = 0x00000000000000000000000000000000
(3)     State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
Sending Access-Challenge Id 105 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
(3) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 106 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02ac00060d00
        State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
        Message-Authenticator = 0xa8b6c078c03a7583b4a4cc5628fe3e44
(4) Received Access-Request packet from host 10.10.2.164 port 50046, id=106, length=179
(4)     User-Name = 'telsberry'
(4)     NAS-IP-Address = 10.10.2.164
(4)     NAS-Identifier = '24a43c08fe80'
(4)     NAS-Port = 0
(4)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(4)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(4)     Framed-MTU = 1400
(4)     NAS-Port-Type = Wireless-802.11
(4)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(4)     EAP-Message = 0x02ac00060d00
(4)     State = 0x38b7b8673b1bb5e69a6c9c1f62dac08f
(4)     Message-Authenticator = 0xa8b6c078c03a7583b4a4cc5628fe3e44
(4) # Executing section authorize from file /etc/raddb/sites-enabled/default
(4)   authorize {
(4)   filter_username filter_username {
(4)     if (!&User-Name)
(4)     if (!&User-Name)  -> FALSE
(4)     if (&User-Name =~ / /)
(4)     if (&User-Name =~ / /)  -> FALSE
(4)     if (&User-Name =~ /@.*@/ )
(4)     if (&User-Name =~ /@.*@/ )  -> FALSE
(4)     if (&User-Name =~ /\\.\\./ )
(4)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(4)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(4)     if (&User-Name =~ /\\.$/)
(4)     if (&User-Name =~ /\\.$/)   -> FALSE
(4)     if (&User-Name =~ /@\\./)
(4)     if (&User-Name =~ /@\\./)   -> FALSE
(4)   } # filter_username filter_username = notfound
(4)   [preprocess] = ok
(4)   [chap] = noop
(4)   [mschap] = noop
(4)   [digest] = noop
(4)  suffix : Checking for suffix after "@"
(4)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(4)  suffix : No such realm "NULL"
(4)   [suffix] = noop
(4)  ntdomain : Checking for prefix before "\"
(4)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(4)  ntdomain : No such realm "NULL"
(4)   [ntdomain] = noop
(4)  eap : Peer sent code Response (2) ID 172 length 6
(4)  eap : No EAP Start, assuming it's an on-going EAP conversation
(4)   [eap] = updated
(4)   [files] = noop
(4)   [expiration] = noop
(4)   [logintime] = noop
(4)   [pap] = noop
(4)  } #  authorize = updated
(4) Found Auth-Type = EAP
(4) # Executing group from file /etc/raddb/sites-enabled/default
(4)   authenticate {
(4)  eap : Expiring EAP session with state 0x38b7b8673b1bb5e6
(4)  eap : Finished EAP session with state 0x38b7b8673b1bb5e6
(4)  eap : Previous EAP request found for state 0x38b7b8673b1bb5e6, released from the list
(4)  eap : Peer sent method TLS (13)
(4)  eap : EAP TLS (13)
(4)  eap : Calling eap_tls to process EAP data
(4)  eap_tls : Authenticate
(4)  eap_tls : processing EAP-TLS
(4)  eap_tls : Received TLS ACK
(4)  eap_tls : Received TLS ACK
(4)  eap_tls : ACK handshake fragment handler
(4)  eap_tls : eaptls_verify returned 1
(4)  eap_tls : eaptls_process returned 13
(4)  eap : New EAP session, adding 'State' attribute to reply 0x38b7b8673c1ab5e6
(4)   [eap] = handled
(4)  } #  authenticate = handled
(4) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=106, length=0
(4)     EAP-Message = 0x01ad03000d8000000aba57cffcd6a6e267773915e7f022918d87964b4e86868ffa7591f71fbab5286049316c8d7073ea5adbf3c6906964d21f07b7052d41b86ae3f55e0708864a12e874d436f993b3ac1be6258aaa41f5af26b93b9feb744ca9b3920c3c177703388abcfbc89202f0bc22c65f8efa13292881e1839df045c53e73eeb2e5eb51454e5d95df924b25c9d854d18bb3e297454430f4fa6d6dc5023e6b8710567b6f0560576818ffd6641065e02937dc7c0efa5b82f98f475d907d54eb73065217c5bc00e733a6c98c81159e55de1b1a833d5ddb5291d40b6a87376b130be2b1cd25522cad7a675e85b0c30dd84b13a0dcee44e39ed95be27daf75626172ef2d5a160301014b0c0001470300174104b184fa4f5e15c47e7630f58784864684ffa82c705bcfcb18ad213d6717e9535cc5dcc6c88028ee1297ee239cdc3830363c77b0954d93bdf1cd22bf0811229a6601009edeaa4f60d6d84718ebedf5108c9135b0c0f0165eef4fd3de4bb036a4af81f8cf5348c71d87a43aa9ac9720690827bd408a149644be7c6dd89859fe65160ea309e5678bd60c03484a54436b27221ea45811938bf1cae5698f6e24d8d4ffbcae82da1d82a97978cd7eda7c590e55f7b1acd0146bcb515e719062b65564d8472ad74a5925524a89b978aa60b60c1e967a2c3ed6aa8d4f612d85209dbb346217108ea7
(4)     Message-Authenticator = 0x00000000000000000000000000000000
(4)     State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
Sending Access-Challenge Id 106 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
(4) Finished request
Received Access-Request Id 107 from 10.10.2.164:50046 to 10.10.0.238:1812 length 190
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02ad00110d800000000715030100020100
        State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
        Message-Authenticator = 0xcf2e8ffdeba30f091aaace4d30d50867
(5) Received Access-Request packet from host 10.10.2.164 port 50046, id=107, length=190
(5)     User-Name = 'telsberry'
(5)     NAS-IP-Address = 10.10.2.164
(5)     NAS-Identifier = '24a43c08fe80'
(5)     NAS-Port = 0
(5)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(5)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(5)     Framed-MTU = 1400
(5)     NAS-Port-Type = Wireless-802.11
(5)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(5)     EAP-Message = 0x02ad00110d800000000715030100020100
(5)     State = 0x38b7b8673c1ab5e69a6c9c1f62dac08f
(5)     Message-Authenticator = 0xcf2e8ffdeba30f091aaace4d30d50867
(5) # Executing section authorize from file /etc/raddb/sites-enabled/default
(5)   authorize {
(5)   filter_username filter_username {
(5)     if (!&User-Name)
(5)     if (!&User-Name)  -> FALSE
(5)     if (&User-Name =~ / /)
(5)     if (&User-Name =~ / /)  -> FALSE
(5)     if (&User-Name =~ /@.*@/ )
(5)     if (&User-Name =~ /@.*@/ )  -> FALSE
(5)     if (&User-Name =~ /\\.\\./ )
(5)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(5)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(5)     if (&User-Name =~ /\\.$/)
(5)     if (&User-Name =~ /\\.$/)   -> FALSE
(5)     if (&User-Name =~ /@\\./)
(5)     if (&User-Name =~ /@\\./)   -> FALSE
(5)   } # filter_username filter_username = notfound
(5)   [preprocess] = ok
(5)   [chap] = noop
(5)   [mschap] = noop
(5)   [digest] = noop
(5)  suffix : Checking for suffix after "@"
(5)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(5)  suffix : No such realm "NULL"
(5)   [suffix] = noop
(5)  ntdomain : Checking for prefix before "\"
(5)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(5)  ntdomain : No such realm "NULL"
(5)   [ntdomain] = noop
(5)  eap : Peer sent code Response (2) ID 173 length 17
(5)  eap : No EAP Start, assuming it's an on-going EAP conversation
(5)   [eap] = updated
(5)   [files] = noop
(5)   [expiration] = noop
(5)   [logintime] = noop
(5)   [pap] = noop
(5)  } #  authorize = updated
(5) Found Auth-Type = EAP
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5)  eap : Expiring EAP session with state 0x38b7b8673c1ab5e6
(5)  eap : Finished EAP session with state 0x38b7b8673c1ab5e6
(5)  eap : Previous EAP request found for state 0x38b7b8673c1ab5e6, released from the list
(5)  eap : Peer sent method TLS (13)
(5)  eap : EAP TLS (13)
(5)  eap : Calling eap_tls to process EAP data
(5)  eap_tls : Authenticate
(5)  eap_tls : processing EAP-TLS
  TLS Length 7
(5)  eap_tls : Length Included
(5)  eap_tls : eaptls_verify returned 11
(5)  eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(5)  ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(5)  ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(5)  eap_tls : eaptls_process returned 4
(5)  ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(5)  eap : Failed in EAP select
(5)   [eap] = invalid
(5)  } #  authenticate = invalid
(5) Failed to authenticate the user
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)  Post-Auth-Type REJECT {
(5)  attr_filter.access_reject : EXPAND %{User-Name}
(5)  attr_filter.access_reject :    --> telsberry
(5)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(5)   [attr_filter.access_reject] = updated
(5)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(5)   [eap] = noop
(5)   remove_reply_message_if_eap remove_reply_message_if_eap {
(5)     if (&reply:EAP-Message && &reply:Reply-Message)
(5)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)    else else {
(5)     [noop] = noop
(5)    } # else else = noop
(5)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(5)  } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1 seconds
Waking up in 0.1 seconds.
Waking up in 0.6 seconds.
Received Access-Request Id 108 from 10.10.2.164:50046 to 10.10.0.238:1812 length 169
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02b3000e0174656c736265727279
        Message-Authenticator = 0xf5f62dd56d143761a4e9a7897c7a981a
(6) Received Access-Request packet from host 10.10.2.164 port 50046, id=108, length=169
(6)     User-Name = 'telsberry'
(6)     NAS-IP-Address = 10.10.2.164
(6)     NAS-Identifier = '24a43c08fe80'
(6)     NAS-Port = 0
(6)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(6)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(6)     Framed-MTU = 1400
(6)     NAS-Port-Type = Wireless-802.11
(6)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(6)     EAP-Message = 0x02b3000e0174656c736265727279
(6)     Message-Authenticator = 0xf5f62dd56d143761a4e9a7897c7a981a
(6) # Executing section authorize from file /etc/raddb/sites-enabled/default
(6)   authorize {
(6)   filter_username filter_username {
(6)     if (!&User-Name)
(6)     if (!&User-Name)  -> FALSE
(6)     if (&User-Name =~ / /)
(6)     if (&User-Name =~ / /)  -> FALSE
(6)     if (&User-Name =~ /@.*@/ )
(6)     if (&User-Name =~ /@.*@/ )  -> FALSE
(6)     if (&User-Name =~ /\\.\\./ )
(6)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(6)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(6)     if (&User-Name =~ /\\.$/)
(6)     if (&User-Name =~ /\\.$/)   -> FALSE
(6)     if (&User-Name =~ /@\\./)
(6)     if (&User-Name =~ /@\\./)   -> FALSE
(6)   } # filter_username filter_username = notfound
(6)   [preprocess] = ok
(6)   [chap] = noop
(6)   [mschap] = noop
(6)   [digest] = noop
(6)  suffix : Checking for suffix after "@"
(6)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(6)  suffix : No such realm "NULL"
(6)   [suffix] = noop
(6)  ntdomain : Checking for prefix before "\"
(6)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(6)  ntdomain : No such realm "NULL"
(6)   [ntdomain] = noop
(6)  eap : Peer sent code Response (2) ID 179 length 14
(6)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(6)   [eap] = ok
(6)  } #  authorize = ok
(6) Found Auth-Type = EAP
(6) # Executing group from file /etc/raddb/sites-enabled/default
(6)   authenticate {
(6)  eap : Peer sent method Identity (1)
(6)  eap : Calling eap_peap to process EAP data
(6)  eap_peap : Initiate
(6)  eap_peap : Start returned 1
(6)  eap : New EAP session, adding 'State' attribute to reply 0x496f1c9349db05d0
(6)   [eap] = handled
(6)  } #  authenticate = handled
(6) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=108, length=0
(6)     EAP-Message = 0x01b400061920
(6)     Message-Authenticator = 0x00000000000000000000000000000000
(6)     State = 0x496f1c9349db05d0cb25530063a54d60
Sending Access-Challenge Id 108 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 0x01b400061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x496f1c9349db05d0cb25530063a54d60
(6) Finished request
Waking up in 0.3 seconds.
Received Access-Request Id 109 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02b40006030d
        State = 0x496f1c9349db05d0cb25530063a54d60
        Message-Authenticator = 0x8765dc04efcb9e3eecd759231b4e5766
(7) Received Access-Request packet from host 10.10.2.164 port 50046, id=109, length=179
(7)     User-Name = 'telsberry'
(7)     NAS-IP-Address = 10.10.2.164
(7)     NAS-Identifier = '24a43c08fe80'
(7)     NAS-Port = 0
(7)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(7)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(7)     Framed-MTU = 1400
(7)     NAS-Port-Type = Wireless-802.11
(7)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(7)     EAP-Message = 0x02b40006030d
(7)     State = 0x496f1c9349db05d0cb25530063a54d60
(7)     Message-Authenticator = 0x8765dc04efcb9e3eecd759231b4e5766
(7) # Executing section authorize from file /etc/raddb/sites-enabled/default
(7)   authorize {
(7)   filter_username filter_username {
(7)     if (!&User-Name)
(7)     if (!&User-Name)  -> FALSE
(7)     if (&User-Name =~ / /)
(7)     if (&User-Name =~ / /)  -> FALSE
(7)     if (&User-Name =~ /@.*@/ )
(7)     if (&User-Name =~ /@.*@/ )  -> FALSE
(7)     if (&User-Name =~ /\\.\\./ )
(7)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(7)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(7)     if (&User-Name =~ /\\.$/)
(7)     if (&User-Name =~ /\\.$/)   -> FALSE
(7)     if (&User-Name =~ /@\\./)
(7)     if (&User-Name =~ /@\\./)   -> FALSE
(7)   } # filter_username filter_username = notfound
(7)   [preprocess] = ok
(7)   [chap] = noop
(7)   [mschap] = noop
(7)   [digest] = noop
(7)  suffix : Checking for suffix after "@"
(7)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(7)  suffix : No such realm "NULL"
(7)   [suffix] = noop
(7)  ntdomain : Checking for prefix before "\"
(7)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(7)  ntdomain : No such realm "NULL"
(7)   [ntdomain] = noop
(7)  eap : Peer sent code Response (2) ID 180 length 6
(7)  eap : No EAP Start, assuming it's an on-going EAP conversation
(7)   [eap] = updated
(7)   [files] = noop
(7)   [expiration] = noop
(7)   [logintime] = noop
(7)  WARNING: pap : No "known good" password found for the user.  Not setting Auth-Type
(7)  WARNING: pap : Authentication will fail unless a "known good" password is available
(7)   [pap] = noop
(7)  } #  authorize = updated
(7) Found Auth-Type = EAP
(7) # Executing group from file /etc/raddb/sites-enabled/default
(7)   authenticate {
(7)  eap : Expiring EAP session with state 0x496f1c9349db05d0
(7)  eap : Finished EAP session with state 0x496f1c9349db05d0
(7)  eap : Previous EAP request found for state 0x496f1c9349db05d0, released from the list
(7)  eap : Peer sent method NAK (3)
(7)  eap : Found mutually acceptable type TLS (13)
(7)  eap : Calling eap_tls to process EAP data
(7)  eap_tls : Requiring client certificate
(7)  eap_tls : Initiate
(7)  eap_tls : Requiring client certificate
(7)  eap_tls : Start returned 1
(7)  eap : New EAP session, adding 'State' attribute to reply 0x496f1c9348da11d0
(7)   [eap] = handled
(7)  } #  authenticate = handled
(7) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=109, length=0
(7)     EAP-Message = 0x01b500060d20
(7)     Message-Authenticator = 0x00000000000000000000000000000000
(7)     State = 0x496f1c9348da11d0cb25530063a54d60
Sending Access-Challenge Id 109 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 0x01b500060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x496f1c9348da11d0cb25530063a54d60
(7) Finished request
Waking up in 0.2 seconds.
Received Access-Request Id 110 from 10.10.2.164:50046 to 10.10.0.238:1812 length 300
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
        State = 0x496f1c9348da11d0cb25530063a54d60
        Message-Authenticator = 0x43af2747bf3cf6edd237f2ab70dae62a
(8) Received Access-Request packet from host 10.10.2.164 port 50046, id=110, length=300
(8)     User-Name = 'telsberry'
(8)     NAS-IP-Address = 10.10.2.164
(8)     NAS-Identifier = '24a43c08fe80'
(8)     NAS-Port = 0
(8)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(8)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(8)     Framed-MTU = 1400
(8)     NAS-Port-Type = Wireless-802.11
(8)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(8)     EAP-Message = 0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000
(8)     State = 0x496f1c9348da11d0cb25530063a54d60
(8)     Message-Authenticator = 0x43af2747bf3cf6edd237f2ab70dae62a
(8) # Executing section authorize from file /etc/raddb/sites-enabled/default
(8)   authorize {
(8)   filter_username filter_username {
(8)     if (!&User-Name)
(8)     if (!&User-Name)  -> FALSE
(8)     if (&User-Name =~ / /)
(8)     if (&User-Name =~ / /)  -> FALSE
(8)     if (&User-Name =~ /@.*@/ )
(8)     if (&User-Name =~ /@.*@/ )  -> FALSE
(8)     if (&User-Name =~ /\\.\\./ )
(8)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(8)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(8)     if (&User-Name =~ /\\.$/)
(8)     if (&User-Name =~ /\\.$/)   -> FALSE
(8)     if (&User-Name =~ /@\\./)
(8)     if (&User-Name =~ /@\\./)   -> FALSE
(8)   } # filter_username filter_username = notfound
(8)   [preprocess] = ok
(8)   [chap] = noop
(8)   [mschap] = noop
(8)   [digest] = noop
(8)  suffix : Checking for suffix after "@"
(8)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(8)  suffix : No such realm "NULL"
(8)   [suffix] = noop
(8)  ntdomain : Checking for prefix before "\"
(8)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(8)  ntdomain : No such realm "NULL"
(8)   [ntdomain] = noop
(8)  eap : Peer sent code Response (2) ID 181 length 127
(8)  eap : No EAP Start, assuming it's an on-going EAP conversation
(8)   [eap] = updated
(8)   [files] = noop
(8)   [expiration] = noop
(8)   [logintime] = noop
(8)   [pap] = noop
(8)  } #  authorize = updated
(8) Found Auth-Type = EAP
(8) # Executing group from file /etc/raddb/sites-enabled/default
(8)   authenticate {
(8)  eap : Expiring EAP session with state 0x496f1c9348da11d0
(8)  eap : Finished EAP session with state 0x496f1c9348da11d0
(8)  eap : Previous EAP request found for state 0x496f1c9348da11d0, released from the list
(8)  eap : Peer sent method TLS (13)
(8)  eap : EAP TLS (13)
(8)  eap : Calling eap_tls to process EAP data
(8)  eap_tls : Authenticate
(8)  eap_tls : processing EAP-TLS
  TLS Length 117
(8)  eap_tls : Length Included
(8)  eap_tls : eaptls_verify returned 11
(8)  eap_tls : (other): before/accept initialization
(8)  eap_tls : TLS_accept: before/accept initialization
(8)  eap_tls : <<< TLS 1.0 Handshake [length 0070], ClientHello
(8)  eap_tls : TLS_accept: SSLv3 read client hello A
(8)  eap_tls : >>> TLS 1.0 Handshake [length 0059], ServerHello
(8)  eap_tls : TLS_accept: SSLv3 write server hello A
(8)  eap_tls : >>> TLS 1.0 Handshake [length 085c], Certificate
(8)  eap_tls : TLS_accept: SSLv3 write certificate A
(8)  eap_tls : >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
(8)  eap_tls : TLS_accept: SSLv3 write key exchange A
(8)  eap_tls : >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
(8)  eap_tls : TLS_accept: SSLv3 write certificate request A
(8)  eap_tls : TLS_accept: SSLv3 flush data
(8)  eap_tls : TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
(8)  eap_tls : eaptls_process returned 13
(8)  eap : New EAP session, adding 'State' attribute to reply 0x496f1c934bd911d0
(8)   [eap] = handled
(8)  } #  authenticate = handled
(8) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=110, length=0
(8)     EAP-Message = 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
(8)     Message-Authenticator = 0x00000000000000000000000000000000
(8)     State = 0x496f1c934bd911d0cb25530063a54d60
Sending Access-Challenge Id 110 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x496f1c934bd911d0cb25530063a54d60
(8) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 111 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02b600060d00
        State = 0x496f1c934bd911d0cb25530063a54d60
        Message-Authenticator = 0x145d45b6eaa3bb1fbdfccbd08721ef5a
(9) Received Access-Request packet from host 10.10.2.164 port 50046, id=111, length=179
(9)     User-Name = 'telsberry'
(9)     NAS-IP-Address = 10.10.2.164
(9)     NAS-Identifier = '24a43c08fe80'
(9)     NAS-Port = 0
(9)     Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(9)     Calling-Station-Id = '70-3E-AC-5D-F0-08'
(9)     Framed-MTU = 1400
(9)     NAS-Port-Type = Wireless-802.11
(9)     Connect-Info = 'CONNECT 0Mbps 802.11b'
(9)     EAP-Message = 0x02b600060d00
(9)     State = 0x496f1c934bd911d0cb25530063a54d60
(9)     Message-Authenticator = 0x145d45b6eaa3bb1fbdfccbd08721ef5a
(9) # Executing section authorize from file /etc/raddb/sites-enabled/default
(9)   authorize {
(9)   filter_username filter_username {
(9)     if (!&User-Name)
(9)     if (!&User-Name)  -> FALSE
(9)     if (&User-Name =~ / /)
(9)     if (&User-Name =~ / /)  -> FALSE
(9)     if (&User-Name =~ /@.*@/ )
(9)     if (&User-Name =~ /@.*@/ )  -> FALSE
(9)     if (&User-Name =~ /\\.\\./ )
(9)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(9)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(9)     if (&User-Name =~ /\\.$/)
(9)     if (&User-Name =~ /\\.$/)   -> FALSE
(9)     if (&User-Name =~ /@\\./)
(9)     if (&User-Name =~ /@\\./)   -> FALSE
(9)   } # filter_username filter_username = notfound
(9)   [preprocess] = ok
(9)   [chap] = noop
(9)   [mschap] = noop
(9)   [digest] = noop
(9)  suffix : Checking for suffix after "@"
(9)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(9)  suffix : No such realm "NULL"
(9)   [suffix] = noop
(9)  ntdomain : Checking for prefix before "\"
(9)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(9)  ntdomain : No such realm "NULL"
(9)   [ntdomain] = noop
(9)  eap : Peer sent code Response (2) ID 182 length 6
(9)  eap : No EAP Start, assuming it's an on-going EAP conversation
(9)   [eap] = updated
(9)   [files] = noop
(9)   [expiration] = noop
(9)   [logintime] = noop
(9)   [pap] = noop
(9)  } #  authorize = updated
(9) Found Auth-Type = EAP
(9) # Executing group from file /etc/raddb/sites-enabled/default
(9)   authenticate {
(9)  eap : Expiring EAP session with state 0x496f1c934bd911d0
(9)  eap : Finished EAP session with state 0x496f1c934bd911d0
(9)  eap : Previous EAP request found for state 0x496f1c934bd911d0, released from the list
(9)  eap : Peer sent method TLS (13)
(9)  eap : EAP TLS (13)
(9)  eap : Calling eap_tls to process EAP data
(9)  eap_tls : Authenticate
(9)  eap_tls : processing EAP-TLS
(9)  eap_tls : Received TLS ACK
(9)  eap_tls : Received TLS ACK
(9)  eap_tls : ACK handshake fragment handler
(9)  eap_tls : eaptls_verify returned 1
(9)  eap_tls : eaptls_process returned 13
(9)  eap : New EAP session, adding 'State' attribute to reply 0x496f1c934ad811d0
(9)   [eap] = handled
(9)  } #  authenticate = handled
(9) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=111, length=0
(9)     EAP-Message = 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
(9)     Message-Authenticator = 0x00000000000000000000000000000000
(9)     State = 0x496f1c934ad811d0cb25530063a54d60
Sending Access-Challenge Id 111 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x496f1c934ad811d0cb25530063a54d60
(9) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 112 from 10.10.2.164:50046 to 10.10.0.238:1812 length 179
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02b700060d00
        State = 0x496f1c934ad811d0cb25530063a54d60
        Message-Authenticator = 0xafbed7e2c8772e0c8c2b6969bcee3283
(10) Received Access-Request packet from host 10.10.2.164 port 50046, id=112, length=179
(10)    User-Name = 'telsberry'
(10)    NAS-IP-Address = 10.10.2.164
(10)    NAS-Identifier = '24a43c08fe80'
(10)    NAS-Port = 0
(10)    Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(10)    Calling-Station-Id = '70-3E-AC-5D-F0-08'
(10)    Framed-MTU = 1400
(10)    NAS-Port-Type = Wireless-802.11
(10)    Connect-Info = 'CONNECT 0Mbps 802.11b'
(10)    EAP-Message = 0x02b700060d00
(10)    State = 0x496f1c934ad811d0cb25530063a54d60
(10)    Message-Authenticator = 0xafbed7e2c8772e0c8c2b6969bcee3283
(10) # Executing section authorize from file /etc/raddb/sites-enabled/default
(10)   authorize {
(10)   filter_username filter_username {
(10)     if (!&User-Name)
(10)     if (!&User-Name)  -> FALSE
(10)     if (&User-Name =~ / /)
(10)     if (&User-Name =~ / /)  -> FALSE
(10)     if (&User-Name =~ /@.*@/ )
(10)     if (&User-Name =~ /@.*@/ )  -> FALSE
(10)     if (&User-Name =~ /\\.\\./ )
(10)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(10)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(10)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(10)     if (&User-Name =~ /\\.$/)
(10)     if (&User-Name =~ /\\.$/)   -> FALSE
(10)     if (&User-Name =~ /@\\./)
(10)     if (&User-Name =~ /@\\./)   -> FALSE
(10)   } # filter_username filter_username = notfound
(10)   [preprocess] = ok
(10)   [chap] = noop
(10)   [mschap] = noop
(10)   [digest] = noop
(10)  suffix : Checking for suffix after "@"
(10)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(10)  suffix : No such realm "NULL"
(10)   [suffix] = noop
(10)  ntdomain : Checking for prefix before "\"
(10)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(10)  ntdomain : No such realm "NULL"
(10)   [ntdomain] = noop
(10)  eap : Peer sent code Response (2) ID 183 length 6
(10)  eap : No EAP Start, assuming it's an on-going EAP conversation
(10)   [eap] = updated
(10)   [files] = noop
(10)   [expiration] = noop
(10)   [logintime] = noop
(10)   [pap] = noop
(10)  } #  authorize = updated
(10) Found Auth-Type = EAP
(10) # Executing group from file /etc/raddb/sites-enabled/default
(10)   authenticate {
(10)  eap : Expiring EAP session with state 0x496f1c934ad811d0
(10)  eap : Finished EAP session with state 0x496f1c934ad811d0
(10)  eap : Previous EAP request found for state 0x496f1c934ad811d0, released from the list
(10)  eap : Peer sent method TLS (13)
(10)  eap : EAP TLS (13)
(10)  eap : Calling eap_tls to process EAP data
(10)  eap_tls : Authenticate
(10)  eap_tls : processing EAP-TLS
(10)  eap_tls : Received TLS ACK
(10)  eap_tls : Received TLS ACK
(10)  eap_tls : ACK handshake fragment handler
(10)  eap_tls : eaptls_verify returned 1
(10)  eap_tls : eaptls_process returned 13
(10)  eap : New EAP session, adding 'State' attribute to reply 0x496f1c934dd711d0
(10)   [eap] = handled
(10)  } #  authenticate = handled
(10) Sending Access-Challenge packet to host 10.10.2.164 port 50046, id=112, length=0
(10)    EAP-Message = 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
(10)    Message-Authenticator = 0x00000000000000000000000000000000
(10)    State = 0x496f1c934dd711d0cb25530063a54d60
Sending Access-Challenge Id 112 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 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
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x496f1c934dd711d0cb25530063a54d60
(10) Finished request
Waking up in 0.1 seconds.
Received Access-Request Id 113 from 10.10.2.164:50046 to 10.10.0.238:1812 length 190
        User-Name = 'telsberry'
        NAS-IP-Address = 10.10.2.164
        NAS-Identifier = '24a43c08fe80'
        NAS-Port = 0
        Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
        Calling-Station-Id = '70-3E-AC-5D-F0-08'
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = 'CONNECT 0Mbps 802.11b'
        EAP-Message = 0x02b800110d800000000715030100020100
        State = 0x496f1c934dd711d0cb25530063a54d60
        Message-Authenticator = 0x876249358ed2813eb58000dda097472f
(11) Received Access-Request packet from host 10.10.2.164 port 50046, id=113, length=190
(11)    User-Name = 'telsberry'
(11)    NAS-IP-Address = 10.10.2.164
(11)    NAS-Identifier = '24a43c08fe80'
(11)    NAS-Port = 0
(11)    Called-Station-Id = '20-A4-3C-09-FE-80:TEST'
(11)    Calling-Station-Id = '70-3E-AC-5D-F0-08'
(11)    Framed-MTU = 1400
(11)    NAS-Port-Type = Wireless-802.11
(11)    Connect-Info = 'CONNECT 0Mbps 802.11b'
(11)    EAP-Message = 0x02b800110d800000000715030100020100
(11)    State = 0x496f1c934dd711d0cb25530063a54d60
(11)    Message-Authenticator = 0x876249358ed2813eb58000dda097472f
(11) # Executing section authorize from file /etc/raddb/sites-enabled/default
(11)   authorize {
(11)   filter_username filter_username {
(11)     if (!&User-Name)
(11)     if (!&User-Name)  -> FALSE
(11)     if (&User-Name =~ / /)
(11)     if (&User-Name =~ / /)  -> FALSE
(11)     if (&User-Name =~ /@.*@/ )
(11)     if (&User-Name =~ /@.*@/ )  -> FALSE
(11)     if (&User-Name =~ /\\.\\./ )
(11)     if (&User-Name =~ /\\.\\./ )  -> FALSE
(11)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(11)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
(11)     if (&User-Name =~ /\\.$/)
(11)     if (&User-Name =~ /\\.$/)   -> FALSE
(11)     if (&User-Name =~ /@\\./)
(11)     if (&User-Name =~ /@\\./)   -> FALSE
(11)   } # filter_username filter_username = notfound
(11)   [preprocess] = ok
(11)   [chap] = noop
(11)   [mschap] = noop
(11)   [digest] = noop
(11)  suffix : Checking for suffix after "@"
(11)  suffix : No '@' in User-Name = "telsberry", looking up realm NULL
(11)  suffix : No such realm "NULL"
(11)   [suffix] = noop
(11)  ntdomain : Checking for prefix before "\"
(11)  ntdomain : No '\' in User-Name = "telsberry", looking up realm NULL
(11)  ntdomain : No such realm "NULL"
(11)   [ntdomain] = noop
(11)  eap : Peer sent code Response (2) ID 184 length 17
(11)  eap : No EAP Start, assuming it's an on-going EAP conversation
(11)   [eap] = updated
(11)   [files] = noop
(11)   [expiration] = noop
(11)   [logintime] = noop
(11)   [pap] = noop
(11)  } #  authorize = updated
(11) Found Auth-Type = EAP
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11)   authenticate {
(11)  eap : Expiring EAP session with state 0x496f1c934dd711d0
(11)  eap : Finished EAP session with state 0x496f1c934dd711d0
(11)  eap : Previous EAP request found for state 0x496f1c934dd711d0, released from the list
(11)  eap : Peer sent method TLS (13)
(11)  eap : EAP TLS (13)
(11)  eap : Calling eap_tls to process EAP data
(11)  eap_tls : Authenticate
(11)  eap_tls : processing EAP-TLS
  TLS Length 7
(11)  eap_tls : Length Included
(11)  eap_tls : eaptls_verify returned 11
(11)  eap_tls : <<< TLS 1.0 Alert [length 0002], warning close_notify
(11)  ERROR: eap_tls : TLS_accept: Failed in SSLv3 read client certificate A
(11)  ERROR: eap_tls : SSL says: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
(11)  eap_tls : eaptls_process returned 4
(11)  ERROR: eap : Failed continuing EAP TLS (13) session. EAP sub-module failed
(11)  eap : Failed in EAP select
(11)   [eap] = invalid
(11)  } #  authenticate = invalid
(11) Failed to authenticate the user
(11) Using Post-Auth-Type Reject
(11) # Executing group from file /etc/raddb/sites-enabled/default
(11)  Post-Auth-Type REJECT {
(11)  attr_filter.access_reject : EXPAND %{User-Name}
(11)  attr_filter.access_reject :    --> telsberry
(11)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(11)   [attr_filter.access_reject] = updated
(11)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(11)   [eap] = noop
(11)   remove_reply_message_if_eap remove_reply_message_if_eap {
(11)     if (&reply:EAP-Message && &reply:Reply-Message)
(11)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(11)    else else {
(11)     [noop] = noop
(11)    } # else else = noop
(11)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(11)  } # Post-Auth-Type REJECT = updated
(11) Delaying response for 1 seconds
Waking up in 0.1 seconds.
(5) Sending delayed response
(5) Sending Access-Reject packet to host 10.10.2.164 port 50046, id=107, length=0
(5)     EAP-Message = 0x04ad0004
(5)     Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 107 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 0x04ad0004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.6 seconds.
(11) Sending delayed response
(11) Sending Access-Reject packet to host 10.10.2.164 port 50046, id=113, length=0
(11)    EAP-Message = 0x04b80004
(11)    Message-Authenticator = 0x00000000000000000000000000000000
Sending Access-Reject Id 113 from 10.10.0.238:1812 to 10.10.2.164:50046
        EAP-Message = 0x04b80004
        Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 2.8 seconds.
(0) Cleaning up request packet ID 102 with timestamp +10
(1) Cleaning up request packet ID 103 with timestamp +10
(2) Cleaning up request packet ID 104 with timestamp +10
(3) Cleaning up request packet ID 105 with timestamp +10
(4) Cleaning up request packet ID 106 with timestamp +10
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 107 with timestamp +10
Waking up in 0.4 seconds.
(6) Cleaning up request packet ID 108 with timestamp +11
Waking up in 0.1 seconds.
(7) Cleaning up request packet ID 109 with timestamp +11
(8) Cleaning up request packet ID 110 with timestamp +11
(9) Cleaning up request packet ID 111 with timestamp +11
(10) Cleaning up request packet ID 112 with timestamp +11
(11) Cleaning up request packet ID 113 with timestamp +11
Ready to process requests
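The EAP-Message hex strings in the debug output above can be decoded to see exactly what each side sent in every round. The following is an added example, not part of the original post or of FreeRADIUS; the function names `decode_eap` and `parse_tls_records` are hypothetical, and the sample values are copied from the log above.

```python
"""Decode EAP-Message hex strings as printed in FreeRADIUS debug output."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
              12: "ServerKeyExchange", 13: "CertificateRequest",
              14: "ServerHelloDone", 15: "CertificateVerify", 16: "ClientKeyExchange"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
          70: "protocol_version"}

# EAP-Message values copied verbatim from the debug output in the post.
SAMPLES = {
    "start": "0x01b500060d20",
    "nak": "0x02b40006030d",
    "client_hello": "0x02b5007f0d800000007516030100700100006c0301581cbf0d7c0a3ef4383e83be2721cea5e727c278e92dc39373b4a32067950d6700002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b000201000005000501000000000012000000170000",
    "ack": "0x02b700060d00",
    "alert": "0x02b800110d800000000715030100020100",
    "failure": "0x04b80004",
}


def parse_tls_records(buf):
    """Walk TLS record headers. Only meaningful for an unfragmented message or
    the first fragment; later EAP-TLS fragments start in the middle of a record."""
    records, pos = [], 0
    while pos + 5 <= len(buf):
        ctype, major, minor = buf[pos], buf[pos + 1], buf[pos + 2]
        length = int.from_bytes(buf[pos + 3:pos + 5], "big")
        body = buf[pos + 5:pos + 5 + length]
        rec = {"type": TLS_RECORDS.get(ctype, ctype),
               "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
               "length": length, "truncated": len(body) < length}
        if ctype == 21 and len(body) >= 2:
            # Plaintext alert: one level byte, one description byte.
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]), ALERTS.get(body[1], body[1]))
        elif ctype == 22 and body:
            # Readable only before ChangeCipherSpec; afterwards the body is encrypted.
            rec["handshake"] = HANDSHAKES.get(body[0], body[0])
        records.append(rec)
        pos += 5 + length
    return records


def decode_eap(hex_value):
    """Return a dict describing one EAP packet given as a hex string."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    data = bytes.fromhex(text)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "complete": length == len(data)}
    if code not in (1, 2) or len(data) < 5:
        return out  # Success and Failure packets carry no type field
    etype, payload = data[4], data[5:length]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 3:
        # Nak: the peer lists the EAP methods it is willing to use instead.
        out["wanted"] = [EAP_TYPES.get(t, t) for t in payload]
    elif etype in (13, 25) and payload:
        flags, tls = payload[0], payload[1:]
        out["flags"] = [name for bit, name in ((0x80, "L"), (0x40, "M"), (0x20, "S"))
                        if flags & bit]
        if flags & 0x80:  # L flag: 4-byte total TLS message length follows
            out["tls_length"] = int.from_bytes(tls[:4], "big")
            tls = tls[4:]
        out["ack"] = (not tls) and not (flags & 0x20)  # empty, non-Start packet
        out["records"] = parse_tls_records(tls)
    return out


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_eap(value))
```

The `alert` sample decodes to a 2-byte TLS 1.0 Alert record with level warning and description close_notify, matching the `<<< TLS 1.0 Alert [length 0002], warning close_notify` line logged for request 11.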


