EAP-TLS from IKEv2 initiator
Adam Bishop
Adam.Bishop at jisc.ac.uk
Fri Apr 21 19:02:06 CEST 2017
Juniper have added proper EAP support to their VPN stack - I'm trying to get it working. I'm not trying to do anything fancy at this stage, just check that the client cert is signed by a CA.
I've not deployed EAP-TLS before, so I could use a bit of help interpreting the TLS errors - the logs on the concentrator and on the client leave a little to be desired.
It appears to be an issue with the CA being untrusted, but which side it is on - does the client distrust the FreeRADIUS server certificate, or does FreeRADIUS distrust the client's certificate?
Regards,
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
(33) Debug: Received Access-Request Id 72 from 172.25.0.176:52447 to 212.219.210.194:1812 length 95
(33) Debug: User-Name = "adambishop.dev.ja.net"
(33) Debug: EAP-Message = 0x026f001a016164616d626973686f702e6465762e6a612e6e6574
(33) Debug: Message-Authenticator = 0x49c30bd1919131b5237affe9e97308c0
(33) Debug: NAS-IP-Address = 172.25.0.176
(33) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(33) Debug: authorize {
(33) Debug: update request {
(33) Debug: } # update request = noop
(33) Debug: [mschap] = noop
(33) Debug: policy ntlm_auth.authorize {
(33) Debug: if (!control:Auth-Type && User-Password) {
(33) Debug: if (!control:Auth-Type && User-Password) -> FALSE
(33) Debug: } # policy ntlm_auth.authorize = updated
(33) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 111 length 26
(33) Debug: vpn-eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(33) Debug: [vpn-eap] = ok
(33) Debug: } # authorize = ok
(33) Debug: Found Auth-Type = vpn-eap
(33) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(33) Debug: Auth-Type vpn-eap {
(33) Debug: vpn-eap: Peer sent packet with method EAP Identity (1)
(33) Debug: vpn-eap: Calling submodule eap_tls to process data
(33) Debug: eap_tls: Initiating new EAP-TLS session
(33) Debug: eap_tls: Setting verify mode to require certificate from client
(33) Debug: eap_tls: [eaptls start] = request
(33) Debug: vpn-eap: Sending EAP Request (code 1) ID 112 length 6
(33) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6ade326b
(33) Debug: [vpn-eap] = handled
(33) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(33) Debug: EXPAND Response-Packet-Type
(33) Debug: --> Access-Challenge
(33) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(33) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(33) Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(33) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net
(33) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(33) Debug: [attr_filter.access_challenge.post-auth] = updated
(33) Debug: [handled] = handled
(33) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(33) Debug: } # Auth-Type vpn-eap = handled
(33) Debug: Using Post-Auth-Type Challenge
(33) Debug: Post-Auth-Type sub-section not found. Ignoring.
(33) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(33) Debug: Sent Access-Challenge Id 72 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(33) Debug: EAP-Message = 0x017000060d20
(33) Debug: Message-Authenticator = 0x00000000000000000000000000000000
(33) Debug: State = 0x6aae3f2e6ade326be20d66152c93ce20
(33) Debug: Finished request
(34) Debug: Received Access-Request Id 73 from 172.25.0.176:52447 to 212.219.210.194:1812 length 214
(34) Debug: User-Name = "adambishop.dev.ja.net"
(34) Debug: State = 0x6aae3f2e6ade326be20d66152c93ce20
(34) Debug: EAP-Message = 0x0270007f0d800000007516030100700100006c030158fa35e7494a8208f15734f1b156e5cfb33b722c8028e0ac4c5b609dbbaad4ed00002000ffc024c023c00ac009c008c028c027c014c013c012003d003c0035002f000a01000023000a00080006001700180019000b00020100000500050100000000
(34) Debug: Message-Authenticator = 0xe0ffa2f9a4f35bb9c59822b730acb0b7
(34) Debug: NAS-IP-Address = 172.25.0.176
(34) Debug: session-state: No cached attributes
(34) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(34) Debug: authorize {
(34) Debug: update request {
(34) Debug: } # update request = noop
(34) Debug: [mschap] = noop
(34) Debug: policy ntlm_auth.authorize {
(34) Debug: if (!control:Auth-Type && User-Password) {
(34) Debug: if (!control:Auth-Type && User-Password) -> FALSE
(34) Debug: } # policy ntlm_auth.authorize = updated
(34) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 112 length 127
(34) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(34) Debug: [vpn-eap] = updated
(34) Debug: } # authorize = updated
(34) Debug: Found Auth-Type = vpn-eap
(34) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(34) Debug: Auth-Type vpn-eap {
(34) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6ade326b
(34) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6ade326b
(34) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6ade326b, released from the list
(34) Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(34) Debug: vpn-eap: Calling submodule eap_tls to process data
(34) Debug: eap_tls: Continuing EAP-TLS
(34) Debug: eap_tls: Peer indicated complete TLS record size will be 117 bytes
(34) Debug: eap_tls: Got complete TLS record (117 bytes)
(34) Debug: eap_tls: [eaptls verify] = length included
(34) Debug: eap_tls: (other): before/accept initialization
(34) Debug: eap_tls: TLS_accept: before/accept initialization
(34) Debug: eap_tls: TLS_accept: SSLv3 read client hello A
(34) Debug: eap_tls: TLS_accept: SSLv3 write server hello A
(34) Debug: eap_tls: TLS_accept: SSLv3 write certificate A
(34) Debug: eap_tls: TLS_accept: SSLv3 write key exchange A
(34) Debug: eap_tls: TLS_accept: SSLv3 write certificate request A
(34) Debug: eap_tls: TLS_accept: SSLv3 flush data
(34) Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34) Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client certificate A
(34) Debug: eap_tls: In SSL Handshake Phase
(34) Debug: eap_tls: In SSL Accept mode
(34) Debug: eap_tls: [eaptls process] = handled
(34) Debug: vpn-eap: Sending EAP Request (code 1) ID 113 length 1024
(34) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6bdf326b
(34) Debug: [vpn-eap] = handled
(34) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(34) Debug: EXPAND Response-Packet-Type
(34) Debug: --> Access-Challenge
(34) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(34) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(34) Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(34) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net
(34) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(34) Debug: [attr_filter.access_challenge.post-auth] = updated
(34) Debug: [handled] = handled
(34) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(34) Debug: } # Auth-Type vpn-eap = handled
(34) Debug: Using Post-Auth-Type Challenge
(34) Debug: Post-Auth-Type sub-section not found. Ignoring.
(34) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(34) Debug: Sent Access-Challenge Id 73 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(34) Debug: EAP-Message = 0x017104000dc000000ee6160301005902000055030158fa35e7aba06da2f649d15b2f089f33f9657525d4ea7fbe38c0683b6d562b0d204c1a18aa8cc88018d71230199577025e1582f0af81dbdc9ec817bb59968b8b07c01400000dff01000100000b0004030001021603010b980b000b94000b910005bd
(34) Debug: Message-Authenticator = 0x00000000000000000000000000000000
(34) Debug: State = 0x6aae3f2e6bdf326be20d66152c93ce20
(34) Debug: Finished request
(35) Debug: Received Access-Request Id 74 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93
(35) Debug: User-Name = "adambishop.dev.ja.net"
(35) Debug: State = 0x6aae3f2e6bdf326be20d66152c93ce20
(35) Debug: EAP-Message = 0x027100060d00
(35) Debug: Message-Authenticator = 0xa0a4c2467a10884786f7e69f8629f39d
(35) Debug: NAS-IP-Address = 172.25.0.176
(35) Debug: session-state: No cached attributes
(35) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(35) Debug: authorize {
(35) Debug: update request {
(35) Debug: } # update request = noop
(35) Debug: [mschap] = noop
(35) Debug: policy ntlm_auth.authorize {
(35) Debug: if (!control:Auth-Type && User-Password) {
(35) Debug: if (!control:Auth-Type && User-Password) -> FALSE
(35) Debug: } # policy ntlm_auth.authorize = updated
(35) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 113 length 6
(35) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(35) Debug: [vpn-eap] = updated
(35) Debug: } # authorize = updated
(35) Debug: Found Auth-Type = vpn-eap
(35) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(35) Debug: Auth-Type vpn-eap {
(35) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6bdf326b
(35) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6bdf326b
(35) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6bdf326b, released from the list
(35) Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(35) Debug: vpn-eap: Calling submodule eap_tls to process data
(35) Debug: eap_tls: Continuing EAP-TLS
(35) Debug: eap_tls: Peer ACKed our handshake fragment
(35) Debug: eap_tls: [eaptls verify] = request
(35) Debug: eap_tls: [eaptls process] = handled
(35) Debug: vpn-eap: Sending EAP Request (code 1) ID 114 length 1024
(35) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e68dc326b
(35) Debug: [vpn-eap] = handled
(35) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(35) Debug: EXPAND Response-Packet-Type
(35) Debug: --> Access-Challenge
(35) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(35) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(35) Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(35) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net
(35) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(35) Debug: [attr_filter.access_challenge.post-auth] = updated
(35) Debug: [handled] = handled
(35) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(35) Debug: } # Auth-Type vpn-eap = handled
(35) Debug: Using Post-Auth-Type Challenge
(35) Debug: Post-Auth-Type sub-section not found. Ignoring.
(35) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(35) Debug: Sent Access-Challenge Id 74 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(35) Debug: EAP-Message = 0x017204000dc000000ee67073312e6465762e6a612e6e657482106f727073322e6465762e6a612e6e6574300d06092a864886f70d01010b050003820201003538a5bfb66c1d80c153bea4bde8797b5771787c349c00a0afb3007452b8263dcfe5f33e97a63b77a618acc517c74bc965a5636510377123aa
(35) Debug: Message-Authenticator = 0x00000000000000000000000000000000
(35) Debug: State = 0x6aae3f2e68dc326be20d66152c93ce20
(35) Debug: Finished request
(36) Debug: Received Access-Request Id 75 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93
(36) Debug: User-Name = "adambishop.dev.ja.net"
(36) Debug: State = 0x6aae3f2e68dc326be20d66152c93ce20
(36) Debug: EAP-Message = 0x027200060d00
(36) Debug: Message-Authenticator = 0x30592ba50305fc9c46f668bdff6e0501
(36) Debug: NAS-IP-Address = 172.25.0.176
(36) Debug: session-state: No cached attributes
(36) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(36) Debug: authorize {
(36) Debug: update request {
(36) Debug: } # update request = noop
(36) Debug: [mschap] = noop
(36) Debug: policy ntlm_auth.authorize {
(36) Debug: if (!control:Auth-Type && User-Password) {
(36) Debug: if (!control:Auth-Type && User-Password) -> FALSE
(36) Debug: } # policy ntlm_auth.authorize = updated
(36) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 114 length 6
(36) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(36) Debug: [vpn-eap] = updated
(36) Debug: } # authorize = updated
(36) Debug: Found Auth-Type = vpn-eap
(36) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(36) Debug: Auth-Type vpn-eap {
(36) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e68dc326b
(36) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e68dc326b
(36) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e68dc326b, released from the list
(36) Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(36) Debug: vpn-eap: Calling submodule eap_tls to process data
(36) Debug: eap_tls: Continuing EAP-TLS
(36) Debug: eap_tls: Peer ACKed our handshake fragment
(36) Debug: eap_tls: [eaptls verify] = request
(36) Debug: eap_tls: [eaptls process] = handled
(36) Debug: vpn-eap: Sending EAP Request (code 1) ID 115 length 1024
(36) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e69dd326b
(36) Debug: [vpn-eap] = handled
(36) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(36) Debug: EXPAND Response-Packet-Type
(36) Debug: --> Access-Challenge
(36) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(36) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(36) Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(36) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net
(36) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(36) Debug: [attr_filter.access_challenge.post-auth] = updated
(36) Debug: [handled] = handled
(36) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(36) Debug: } # Auth-Type vpn-eap = handled
(36) Debug: Using Post-Auth-Type Challenge
(36) Debug: Post-Auth-Type sub-section not found. Ignoring.
(36) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(36) Debug: Sent Access-Challenge Id 75 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(36) Debug: EAP-Message = 0x017304000dc000000ee6a8a10366b1a69070f32e9c2285917ba83b5fa6d7c9d736385ae3a898a989b4868c713e653962ef9c0e7842f3eb3597fbb63b193af9330d984af5dbed07fe8271963a833187f2c99189b6001b54a8e3cc4fda9f07abeb2c3f8d9701bbd0de99a0781ad8cf5ef90ba0cbd528ecbd
(36) Debug: Message-Authenticator = 0x00000000000000000000000000000000
(36) Debug: State = 0x6aae3f2e69dd326be20d66152c93ce20
(36) Debug: Finished request
(37) Debug: Received Access-Request Id 76 from 172.25.0.176:52447 to 212.219.210.194:1812 length 93
(37) Debug: User-Name = "adambishop.dev.ja.net"
(37) Debug: State = 0x6aae3f2e69dd326be20d66152c93ce20
(37) Debug: EAP-Message = 0x027300060d00
(37) Debug: Message-Authenticator = 0xf2e97357da0c1ddd3ce4e45675dc4c85
(37) Debug: NAS-IP-Address = 172.25.0.176
(37) Debug: session-state: No cached attributes
(37) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(37) Debug: authorize {
(37) Debug: update request {
(37) Debug: } # update request = noop
(37) Debug: [mschap] = noop
(37) Debug: policy ntlm_auth.authorize {
(37) Debug: if (!control:Auth-Type && User-Password) {
(37) Debug: if (!control:Auth-Type && User-Password) -> FALSE
(37) Debug: } # policy ntlm_auth.authorize = updated
(37) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 115 length 6
(37) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(37) Debug: [vpn-eap] = updated
(37) Debug: } # authorize = updated
(37) Debug: Found Auth-Type = vpn-eap
(37) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(37) Debug: Auth-Type vpn-eap {
(37) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e69dd326b
(37) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e69dd326b
(37) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e69dd326b, released from the list
(37) Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(37) Debug: vpn-eap: Calling submodule eap_tls to process data
(37) Debug: eap_tls: Continuing EAP-TLS
(37) Debug: eap_tls: Peer ACKed our handshake fragment
(37) Debug: eap_tls: [eaptls verify] = request
(37) Debug: eap_tls: [eaptls process] = handled
(37) Debug: vpn-eap: Sending EAP Request (code 1) ID 116 length 782
(37) Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6eda326b
(37) Debug: [vpn-eap] = handled
(37) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(37) Debug: EXPAND Response-Packet-Type
(37) Debug: --> Access-Challenge
(37) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) -> TRUE
(37) Debug: if (handled && (Response-Packet-Type == Access-Challenge)) {
(37) Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(37) Debug: attr_filter.access_challenge: --> adambishop.dev.ja.net
(37) Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(37) Debug: [attr_filter.access_challenge.post-auth] = updated
(37) Debug: [handled] = handled
(37) Debug: } # if (handled && (Response-Packet-Type == Access-Challenge)) = handled
(37) Debug: } # Auth-Type vpn-eap = handled
(37) Debug: Using Post-Auth-Type Challenge
(37) Debug: Post-Auth-Type sub-section not found. Ignoring.
(37) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(37) Debug: Sent Access-Challenge Id 76 from 212.219.210.194:1812 to 172.25.0.176:52447 length 0
(37) Debug: EAP-Message = 0x0174030e0d8000000ee6a8e258b211b12d7b809f6b1bde4c3b17448fcecde979c5af6b160301024b0c0002470300174104fca4d3a30ab92336ed8b6d06067e419da55aaed97101b578e7fc14b09dfa959c3f9532ae1699fedcf0e48443395cb523fb353bc312cd99b96436c8fb52730dde02002046f7c3
(37) Debug: Message-Authenticator = 0x00000000000000000000000000000000
(37) Debug: State = 0x6aae3f2e6eda326be20d66152c93ce20
(37) Debug: Finished request
(38) Debug: Received Access-Request Id 77 from 172.25.0.176:52447 to 212.219.210.194:1812 length 104
(38) Debug: User-Name = "adambishop.dev.ja.net"
(38) Debug: State = 0x6aae3f2e6eda326be20d66152c93ce20
(38) Debug: EAP-Message = 0x027400110d800000000715030100020100
(38) Debug: Message-Authenticator = 0x525697ff8dd586a2947f27df10721084
(38) Debug: NAS-IP-Address = 172.25.0.176
(38) Debug: session-state: No cached attributes
(38) Debug: # Executing section authorize from file /etc/raddb/sites-enabled/vpn
(38) Debug: authorize {
(38) Debug: update request {
(38) Debug: } # update request = noop
(38) Debug: [mschap] = noop
(38) Debug: policy ntlm_auth.authorize {
(38) Debug: if (!control:Auth-Type && User-Password) {
(38) Debug: if (!control:Auth-Type && User-Password) -> FALSE
(38) Debug: } # policy ntlm_auth.authorize = updated
(38) Debug: vpn-eap: Peer sent EAP Response (code 2) ID 116 length 17
(38) Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP conversation
(38) Debug: [vpn-eap] = updated
(38) Debug: } # authorize = updated
(38) Debug: Found Auth-Type = vpn-eap
(38) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(38) Debug: Auth-Type vpn-eap {
(38) Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6eda326b
(38) Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6eda326b
(38) Debug: vpn-eap: Previous EAP request found for state 0x6aae3f2e6eda326b, released from the list
(38) Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(38) Debug: vpn-eap: Calling submodule eap_tls to process data
(38) Debug: eap_tls: Continuing EAP-TLS
(38) Debug: eap_tls: Peer indicated complete TLS record size will be 7 bytes
(38) Debug: eap_tls: Got complete TLS record (7 bytes)
(38) Debug: eap_tls: [eaptls verify] = length included
(38) ERROR: eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
(38) ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
(38) ERROR: eap_tls: System call (I/O) error (-1)
(38) ERROR: eap_tls: TLS receive handshake failed during operation
(38) ERROR: eap_tls: [eaptls process] = fail
(38) ERROR: vpn-eap: Failed continuing EAP TLS (13) session. EAP sub-module failed
(38) Debug: vpn-eap: Sending EAP Failure (code 4) ID 116 length 4
(38) Debug: vpn-eap: Failed in EAP select
(38) Debug: [vpn-eap] = invalid
(38) Debug: } # Auth-Type vpn-eap = invalid
(38) Debug: Failed to authenticate the user
(38) Debug: Using Post-Auth-Type Reject
(38) Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(38) Debug: Post-Auth-Type REJECT {
(38) Debug: attr_filter.access_reject: EXPAND %{User-Name}
(38) Debug: attr_filter.access_reject: --> adambishop.dev.ja.net
(38) Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(38) Debug: [attr_filter.access_reject] = updated
(38) Debug: [eap] = noop
(38) Debug: rp_log: EXPAND rp_log.%{%{reply:Packet-Type}:-format}
(38) Debug: rp_log: --> rp_log.Access-Reject
(38) Debug: rp_log: EXPAND radiusd-rp-log#DOMAIN=DEV#LOCATION=LH#SERVICE=%{%{Service-Class}:-NONE}#ORG=%{%{request:operator-name}:-%{request:Stripped-User-Domain}}#USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{reply:Chargeable-User-Identity}#RESULT=FAIL#VLAN=%{%{reply:Tunnel-Private-Group-ID}:-NONE}#CLIENT=%{client:shortname}#REPLY_MESSAGE=%{%{reply:reply-message}:-NONE}#MODULE_MESSAGE=%{%{%{request:Module-Failure-Message}:-%{session-state:Module-Failure-Message}}:-NONE}#
(38) Fri Apr 21 16:40:07 2017: Debug: rp_log: --> radiusd-rp-log#DOMAIN=DEV#LOCATION=LH#SERVICE=vpn#ORG=#USER=adambishop.dev.ja.net#CSI=#NAS=#CUI=#RESULT=FAIL#VLAN=NONE#CLIENT=castle-black.djn#REPLY_MESSAGE=NONE#MODULE_MESSAGE=eap_tls: TLS_accept: Failed in SSLv3 read client certificate A#
(38) Debug: [rp_log] = ok
(38) Debug: policy remove_reply_message_if_eap {
(38) Debug: if (&reply:EAP-Message && &reply:Reply-Message) {
(38) Debug: if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(38) Debug: else {
(38) Debug: [noop] = noop
(38) Debug: } # else = noop
(38) Debug: } # policy remove_reply_message_if_eap = noop
(38) Debug: } # Post-Auth-Type REJECT = updated
(38) Debug: Delaying response for 1.000000 seconds
(38) Debug: Sending delayed response
(38) Debug: Sent Access-Reject Id 77 from 212.219.210.194:1812 to 172.25.0.176:52447 length 44
(38) Debug: EAP-Message = 0x04740004
(38) Debug: Message-Authenticator = 0x00000000000000000000000000000000
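
Added example, not part of the original post and not FreeRADIUS code: a decoder for the EAP-Message values in the debug log above, following the EAP header, the EAP-TLS flags byte (RFC 5216) and the TLS record header. The function names are this example's own and the sample lines are the complete, unfragmented packets copied from the log; it shows that the peer's last Response, in request (38), carries a plaintext TLS alert record.

```python
import re
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
ALERT_LEVEL = {1: "warning", 2: "fatal"}
# Alert descriptions (RFC 5246) that commonly appear when a handshake is refused.
ALERT_DESC = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              43: "unsupported_certificate", 44: "certificate_revoked",
              45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
              70: "protocol_version", 80: "internal_error"}
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # length included, more fragments, start

# EAP-Message lines copied from the debug log above (unfragmented packets only).
SAMPLE_LOG = """\
(33) Debug: EAP-Message = 0x026f001a016164616d626973686f702e6465762e6a612e6e6574
(33) Debug: EAP-Message = 0x017000060d20
(35) Debug: EAP-Message = 0x027100060d00
(38) Debug: EAP-Message = 0x027400110d800000000715030100020100
(38) Debug: EAP-Message = 0x04740004
"""

LINE_RE = re.compile(r"^\((\d+)\)\s.*EAP-Message = (0x[0-9a-fA-F]+)\s*$")


def parse_tls_records(data):
    """Walk TLS record headers: type(1) version(2) length(2) body(length)."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, off)
        body = data[off + 5: off + 5 + length]
        rec = {"type": TLS_CONTENT.get(ctype, f"unknown({ctype})"),
               "version": f"{major}.{minor}", "length": length}
        # Alerts sent before ChangeCipherSpec are plaintext: level, description.
        # An encrypted alert is longer than 2 bytes and is left undecoded.
        if ctype == 21 and len(body) == 2:
            rec["alert"] = (ALERT_LEVEL.get(body[0], str(body[0])),
                            ALERT_DESC.get(body[1], str(body[1])))
        records.append(rec)
        off += 5 + length
    return records


def parse_eap(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack_from("!BBH", raw)
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code not in (1, 2) or len(raw) < 5:
        return pkt  # Success/Failure carry no type or data
    pkt["type"] = raw[4]
    if raw[4] == 1:  # Identity
        pkt["identity"] = raw[5:length].decode("utf-8", "replace")
    elif raw[4] == 13 and len(raw) >= 6:  # EAP-TLS
        flags, off, tls_len = raw[5], 6, None
        pkt["flags"] = [n for n, b in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S))
                        if flags & b]
        if (flags & FLAG_L) and len(raw) >= 10:
            (tls_len,) = struct.unpack_from("!I", raw, 6)
            off = 10
        payload = raw[off:length]
        pkt["tls_length"] = tls_len
        # An empty, flagless EAP-TLS packet acknowledges a fragment.
        pkt["ack"] = not payload and not (flags & FLAG_S)
        # Only a whole TLS message starts on a record boundary; skip fragments.
        if payload and not (flags & FLAG_M) and tls_len in (None, len(payload)):
            pkt["records"] = parse_tls_records(payload)
    return pkt


def peer_alerts(log_text):
    """Return (request number, EAP id, level, description) for each TLS alert
    carried in an EAP Response, i.e. sent by the peer towards the server."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pkt = parse_eap(m.group(2))
        if pkt["code"] != "Response":
            continue
        for rec in pkt.get("records", []):
            if "alert" in rec:
                found.append((int(m.group(1)), pkt["id"]) + rec["alert"])
    return found


if __name__ == "__main__":
    for entry in peer_alerts(SAMPLE_LOG):
        print("request (%d), EAP id %d: peer sent TLS alert %s/%s" % entry)
```

An alert that arrives inside an EAP Response was generated by the peer, so the server-side "Failed in SSLv3 read client certificate A" is FreeRADIUS reporting that alert while it was still waiting for a client certificate. The description byte is the peer's stated reason, here close_notify rather than a certificate-specific code such as unknown_ca.
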
---
# radiusd -C -X
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
<snip>
main {
security {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
}
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"
logdir = "/var/log/radius"
run_dir = "/var/run/radiusd"
libdir = "/usr/lib64/freeradius"
radacctdir = "/var/log/radius/radacct"
hostname_lookups = no
max_request_time = 60
cleanup_delay = 10
max_requests = 16384
pidfile = "/var/run/radiusd/radiusd.pid"
checkrad = "/usr/sbin/checkrad"
debug_level = 0
proxy_requests = yes
log {
stripped_names = no
auth = no
auth_badpass = no
auth_goodpass = no
colourise = yes
msg_denied = "You are already logged in - access denied"
}
resources {
}
security {
max_attributes = 200
reject_delay = 1.000000
status_server = yes
allow_vulnerable_openssl = "CVE-2016-6304"
}
}
radiusd: #### Loading Realms and Home Servers ####
proxy server {
retry_delay = 5
retry_count = 3
default_fallback = no
dead_time = 120
wake_all_if_all_dead = no
}
realm LOCAL {
nostrip
}
<snip>
realm dev.ja.net {
}
radiusd: #### Loading Clients ####
<snip>
client 172.25.0.176 {
ipaddr = 172.25.0.176
require_message_authenticator = yes
secret = <<< secret >>>
shortname = "castle-black.djn"
nas_type = "other"
virtual_server = "vpn"
proto = "udp"
limit {
max_connections = 16
lifetime = 0
idle_timeout = 30
}
}
<snip>
Debugger not attached
# Creating Auth-Type = mschap
# Creating Auth-Type = PAP
# Creating Auth-Type = MS-CHAP
# Creating Auth-Type = eap
# Creating Autz-Type = Status-Server
# Creating Auth-Type = inner-eap
# Creating Auth-Type = ntlm_auth
# Creating Auth-Type = VPN
# Creating Auth-Type = vpn-eap
radiusd: #### Instantiating modules ####
modules {
# Loaded module rlm_always
# Loading module "reject" from file /etc/raddb/mods-enabled/always
always reject {
rcode = "reject"
simulcount = 0
mpp = no
}
# Loading module "fail" from file /etc/raddb/mods-enabled/always
always fail {
rcode = "fail"
simulcount = 0
mpp = no
}
# Loading module "ok" from file /etc/raddb/mods-enabled/always
always ok {
rcode = "ok"
simulcount = 0
mpp = no
}
# Loading module "handled" from file /etc/raddb/mods-enabled/always
always handled {
rcode = "handled"
simulcount = 0
mpp = no
}
# Loading module "invalid" from file /etc/raddb/mods-enabled/always
always invalid {
rcode = "invalid"
simulcount = 0
mpp = no
}
# Loading module "userlock" from file /etc/raddb/mods-enabled/always
always userlock {
rcode = "userlock"
simulcount = 0
mpp = no
}
# Loading module "notfound" from file /etc/raddb/mods-enabled/always
always notfound {
rcode = "notfound"
simulcount = 0
mpp = no
}
# Loading module "noop" from file /etc/raddb/mods-enabled/always
always noop {
rcode = "noop"
simulcount = 0
mpp = no
}
# Loading module "updated" from file /etc/raddb/mods-enabled/always
always updated {
rcode = "updated"
simulcount = 0
mpp = no
}
# Loaded module rlm_attr_filter
# Loading module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.post-proxy {
filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.pre-proxy {
filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
key = "%{Realm}"
relaxed = no
}
# Loading module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_reject {
filename = "/etc/raddb/mods-config/attr_filter/access_reject"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.access_challenge {
filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
key = "%{User-Name}"
relaxed = no
}
# Loading module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
attr_filter attr_filter.accounting_response {
filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
key = "%{User-Name}"
relaxed = no
}
# Loaded module rlm_cache
# Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
cache cache_eap {
driver = "rlm_cache_rbtree"
key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
ttl = 15
max_entries = 0
epoch = 0
add_stats = no
}
# Loaded module rlm_date
# Loading module "date" from file /etc/raddb/mods-enabled/date
date {
format = "%b %e %Y %H:%M:%S %Z"
}
# Loaded module rlm_digest
# Loading module "digest" from file /etc/raddb/mods-enabled/digest
# Loaded module rlm_eap
# Loading module "eap" from file /etc/raddb/mods-enabled/eap
eap {
default_eap_type = "peap"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
# Loaded module rlm_exec
# Loading module "echo" from file /etc/raddb/mods-enabled/echo
exec echo {
wait = yes
program = "/bin/echo %{User-Name}"
input_pairs = "request"
output_pairs = "reply"
shell_escape = yes
}
# Loading module "exec" from file /etc/raddb/mods-enabled/exec
exec {
wait = no
input_pairs = "request"
shell_escape = yes
timeout = 10
}
# Loaded module rlm_expiration
# Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
# Loaded module rlm_expr
# Loading module "expr" from file /etc/raddb/mods-enabled/expr
expr {
safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"
}
# Loaded module rlm_files
# Loading module "files" from file /etc/raddb/mods-enabled/files
files {
filename = "/etc/raddb/mods-config/files/authorize"
acctusersfile = "/etc/raddb/mods-config/files/accounting"
preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
}
# Loaded module rlm_linelog
# Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
linelog {
filename = "/var/log/radius/linelog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = "This is a log message for %{User-Name}"
reference = "messages.%{%{reply:Packet-Type}:-default}"
}
# Loading module "log_accounting" from file /etc/raddb/mods-enabled/linelog
linelog log_accounting {
filename = "/var/log/radius/linelog-accounting"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
}
# Loaded module rlm_logintime
# Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
logintime {
minimum_timeout = 60
}
# Loaded module rlm_pap
# Loading module "pap" from file /etc/raddb/mods-enabled/pap
pap {
normalise = yes
}
# Loaded module rlm_passwd
# Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
passwd etc_passwd {
filename = "/etc/passwd"
format = "*User-Name:Crypt-Password:"
delimiter = ":"
ignore_nislike = no
ignore_empty = yes
allow_multiple_keys = no
hash_size = 100
}
# Loaded module rlm_realm
# Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
realm IPASS {
format = "prefix"
delimiter = "/"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Loading module "suffix" from file /etc/raddb/mods-enabled/realm
realm suffix {
format = "suffix"
delimiter = "@"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
realm realmpercent {
format = "suffix"
delimiter = "%"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
realm ntdomain {
format = "prefix"
delimiter = "\\"
ignore_default = no
ignore_null = no
default_community = "none"
rp_realm = "none"
trust_router = "none"
tr_port = 0
}
# Loaded module rlm_replicate
# Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
# Loaded module rlm_soh
# Loading module "soh" from file /etc/raddb/mods-enabled/soh
soh {
dhcp = yes
}
# Loaded module rlm_radutmp
# Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
radutmp sradutmp {
filename = "/var/log/radius/sradutmp"
username = "%{User-Name}"
case_sensitive = yes
check_with_nas = yes
permissions = 420
caller_id = no
}
# Loaded module rlm_unpack
# Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
# Loaded module rlm_utf8
# Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
# Loaded module rlm_mschap
# Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
mschap {
use_mppe = yes
require_encryption = yes
require_strong = yes
with_ntdomain_hack = yes
passchange {
}
allow_retry = yes
retry_msg = "Your credentials were not accepted, please try again"
winbind_retry_with_normalised_username = yes
}
# Loading module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap
eap inner-eap {
default_eap_type = "mschapv2"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
# Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
exec ntlm_auth {
wait = yes
program = "/usr/bin/ntlm_auth --request-nt-key --domain=DEV --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}"
shell_escape = yes
}
# Loaded module rlm_redis
# Loading module "redis" from file /etc/raddb/mods-enabled/redis
redis {
server = "127.0.0.1"
port = 6379
database = 0
password = <<< secret >>>
}
rlm_redis: libhiredis version: 0.12.1
# Loading module "idp_log" from file /etc/raddb/mods-enabled/idp_log
linelog idp_log {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "idp_log.%{%{reply:Packet-Type}:-format}"
}
# Loading module "rp_log" from file /etc/raddb/mods-enabled/rp_log
linelog rp_log {
filename = "syslog"
escape_filenames = no
syslog_severity = "info"
permissions = 384
format = ""
reference = "rp_log.%{%{reply:Packet-Type}:-format}"
}
# Loading module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap
eap vpn-eap {
default_eap_type = "tls"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 16384
}
instantiate {
}
# Instantiating module "reject" from file /etc/raddb/mods-enabled/always
# Instantiating module "fail" from file /etc/raddb/mods-enabled/always
# Instantiating module "ok" from file /etc/raddb/mods-enabled/always
# Instantiating module "handled" from file /etc/raddb/mods-enabled/always
# Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
# Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
# Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
# Instantiating module "noop" from file /etc/raddb/mods-enabled/always
# Instantiating module "updated" from file /etc/raddb/mods-enabled/always
# Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
# Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
# Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
# Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
# Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
# Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
# Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
# Linked to sub-module rlm_eap_md5
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_ttls
ttls {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
require_client_cert = no
}
tls-config tls-common {
verify_depth = 0
ca_path = "/etc/raddb/certs"
pem_file_type = yes
private_key_file = "/etc/raddb/certs.d/DEV/server.pem"
certificate_file = "/etc/raddb/certs.d/DEV/server.crt"
dh_file = "/etc/raddb/certs.d/DEV/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = yes
check_all_crl = yes
cipher_list = "DEFAULT"
cipher_server_preference = yes
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
name = "Default EAP Cache"
max_entries = 16384
persist_dir = "/var/lib/radiusd/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
# Linked to sub-module rlm_eap_peap
peap {
tls = "tls-common"
default_eap_type = "mschapv2"
copy_request_to_tunnel = yes
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = "inner-tunnel"
soh = no
require_client_cert = no
}
tls: Using cached TLS configuration from previous invocation
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
# Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
# Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
# Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
# Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
# Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
# Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
# Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
# Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
# Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
# Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 600
retry_delay = 30
spread = no
}
rlm_mschap (mschap): authenticating directly to winbind
# Instantiating module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap
# Linked to sub-module rlm_eap_gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
# Linked to sub-module rlm_eap_mschapv2
mschapv2 {
with_ntdomain_hack = no
send_error = yes
}
# Instantiating module "redis" from file /etc/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
pool {
start = 5
min = 3
max = 32
spare = 10
uses = 0
lifetime = 86400
cleanup_interval = 300
idle_timeout = 0
retry_delay = 10
spread = no
}
# Instantiating module "idp_log" from file /etc/raddb/mods-enabled/idp_log
# Instantiating module "rp_log" from file /etc/raddb/mods-enabled/rp_log
# Instantiating module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap
# Linked to sub-module rlm_eap_tls
tls {
tls = "vpn-tls"
}
tls-config vpn-tls {
verify_depth = 0
pem_file_type = yes
private_key_file = "/etc/raddb/certs.d/DEV/vpn/server.pem"
certificate_file = "/etc/raddb/certs.d/DEV/vpn/server.crt"
ca_file = "/etc/raddb/certs.d/DEV/vpn/ca/root.crt"
dh_file = "/etc/raddb/certs.d/DEV/dh"
fragment_size = 1024
include_length = yes
auto_chain = yes
check_crl = yes
check_all_crl = yes
cipher_list = "DEFAULT"
cipher_server_preference = yes
ecdh_curve = "prime256v1"
cache {
enable = yes
lifetime = 24
name = "Default EAP VPN Cache"
max_entries = 16384
persist_dir = "/var/lib/radiusd/tlscache"
}
verify {
skip_if_ocsp_ok = no
}
ocsp {
enable = no
override_cert_url = no
use_nonce = yes
timeout = 0
softfail = no
}
}
} # modules
More information about the Freeradius-Users mailing list