Peter Lesko plesko at
Tue Sep 27 19:07:39 CEST 2016

I have thrown away that environment because it was debian using 2.x, which
is apparently not recommended for new deployments

I have set up ubuntu running 3.0.11 instead, and I have generated certs
using my own CA, along with

make server
make client

If I use eapol_test with these certs, I can successfully auth with PEAP,
TLS configurations, but when I try to import the client .crt in apple
configurator 2, or the .p12, I am unable to authenticate using PEAP, TLS,
or TTLS with my macbook running OS X 10.11 through my WAP after generating
a pfx with:

openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem
-certfile ca.crt

I am unable to select client.pem or client.crt as a client certificate in
my configuration for TLS.

The error I get running /usr/sbin/freeradius -fxx -l stdout for this
connection appears to indicate I don't have a good cert:

(9) Found Auth-Type = eap
(9) # Executing group from file /etc/freeradius/sites-enabled/default
(9)   authenticate {
(9) eap: Expiring EAP session with state 0xe86272eeeb667f10
(9) eap: Finished EAP session with state 0xe86272eeeb667f10
(9) eap: Previous EAP request found for state 0xe86272eeeb667f10, released
from the list
(9) eap: Peer sent packet with method EAP TLS (13)
(9) eap: Calling submodule eap_tls to process data
(9) eap_tls: Continuing EAP-TLS
(9) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(9) eap_tls: Got complete TLS record (7 bytes)
(9) eap_tls: [eaptls verify] = length included
(9) eap_tls: <<< recv TLS 1.0 Alert [length 0002], warning close_notify
(9) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A
(9) eap_tls: ERROR: SSL says: error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
(9) eap_tls: ERROR: SSL_read failed in a system call (-1), TLS session
(9) eap_tls: ERROR: TLS receive handshake failed during operation
(9) eap_tls: ERROR: [eaptls process] = fail
(9) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module
(9) eap: Sending EAP Failure (code 4) ID 4 length 4
(9) eap: Failed in EAP select
(9)     [eap] = invalid
(9)   } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject

On Sun, Sep 25, 2016 at 7:46 PM Matthew Newton <mcn4 at> wrote:

> On Fri, Sep 23, 2016 at 07:20:29PM +0000, Peter Lesko wrote:
> > I'm having a similar issue to the one described here:
> >
> >
> > Currently, I can auth with just a signed cert, or just username/password
> >
> > I would like to enforce both, but I have been unable to determine the
> > correct keywords/config after reading many forum posts, in addition to
> the
> > comments provided in the default configuration
> Just check your client's supplicant capabilities first.
> Many can't do this at all. For example I am not aware of any
> version of Windows where this will work. One or the other, yes.
> Both, no.
> Matthew
> --
> Matthew Newton, Ph.D. <mcn4 at>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> For IT help contact helpdesk extn. 2253, <ithelp at>
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list