EAP-TLS from IKEv2 initiator

Alan Buxey alan.buxey at gmail.com
Fri Apr 21 19:19:11 CEST 2017


Based on this:

TLS_accept: Failed in SSLv3 read client certificate A

Server doesn't like client cert....

On 21 Apr 2017 6:02 pm, "Adam Bishop" <Adam.Bishop at jisc.ac.uk> wrote:

Juniper have added proper EAP support to their VPN stack - I'm trying to
get it working. I'm not trying to do anything fancy at this stage, just
check that the client cert is signed by a CA.

I've not deployed EAP-TLS before, so I could use a bit of help interpreting
the TLS errors - the logs on the concentrator and on the client leave a
little to be desired.

It appears to be an issue with the CA being untrusted, but which side it is
on - does the client distrust the FreeRADIUS server certificate, or does
FreeRADIUS distrust the client's certificate?

Regards,

Adam Bishop

  gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460

jisc.ac.uk

(33)  Debug: Received Access-Request Id 72 from 172.25.0.176:52447 to
212.219.210.194:1812 length 95
(33)  Debug:   User-Name = "adambishop.dev.ja.net"
(33)  Debug:   EAP-Message = 0x026f001a016164616d626973686f
702e6465762e6a612e6e6574
(33)  Debug:   Message-Authenticator = 0x49c30bd1919131b5237affe9e97308c0
(33)  Debug:   NAS-IP-Address = 172.25.0.176
(33)  Debug: # Executing section authorize from file
/etc/raddb/sites-enabled/vpn
(33)  Debug:   authorize {
(33)  Debug:     update request {
(33)  Debug:     } # update request = noop
(33)  Debug:     [mschap] = noop
(33)  Debug:     policy ntlm_auth.authorize {
(33)  Debug:       if (!control:Auth-Type && User-Password) {
(33)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(33)  Debug:     } # policy ntlm_auth.authorize = updated
(33)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 111 length 26
(33)  Debug: vpn-eap: EAP-Identity reply, returning 'ok' so we can
short-circuit the rest of authorize
(33)  Debug:     [vpn-eap] = ok
(33)  Debug:   } # authorize = ok
(33)  Debug: Found Auth-Type = vpn-eap
(33)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(33)  Debug:   Auth-Type vpn-eap {
(33)  Debug: vpn-eap: Peer sent packet with method EAP Identity (1)
(33)  Debug: vpn-eap: Calling submodule eap_tls to process data
(33)  Debug: eap_tls: Initiating new EAP-TLS session
(33)  Debug: eap_tls: Setting verify mode to require certificate from client
(33)  Debug: eap_tls: [eaptls start] = request
(33)  Debug: vpn-eap: Sending EAP Request (code 1) ID 112 length 6
(33)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6ade326b
(33)  Debug:     [vpn-eap] = handled
(33)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))
{
(33)  Debug:     EXPAND Response-Packet-Type
(33)  Debug:        --> Access-Challenge
(33)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  -> TRUE
(33)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  {
(33)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(33)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(33)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(33)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(33)  Debug:       [handled] = handled
(33)  Debug:     } # if (handled && (Response-Packet-Type ==
Access-Challenge))  = handled
(33)  Debug:   } # Auth-Type vpn-eap = handled
(33)  Debug: Using Post-Auth-Type Challenge
(33)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(33)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(33)  Debug: Sent Access-Challenge Id 72 from 212.219.210.194:1812 to
172.25.0.176:52447 length 0
(33)  Debug:   EAP-Message = 0x017000060d20
(33)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(33)  Debug:   State = 0x6aae3f2e6ade326be20d66152c93ce20
(33)  Debug: Finished request
(34)  Debug: Received Access-Request Id 73 from 172.25.0.176:52447 to
212.219.210.194:1812 length 214
(34)  Debug:   User-Name = "adambishop.dev.ja.net"
(34)  Debug:   State = 0x6aae3f2e6ade326be20d66152c93ce20
(34)  Debug:   EAP-Message = 0x0270007f0d800000007516030100
700100006c030158fa35e7494a8208f15734f1b156e5cfb33b722c8028e0
ac4c5b609dbbaad4ed00002000ffc024c023c00ac009c008c028c027c014
c013c012003d003c0035002f000a01000023000a00080006001700180019
000b00020100000500050100000000
(34)  Debug:   Message-Authenticator = 0xe0ffa2f9a4f35bb9c59822b730acb0b7
(34)  Debug:   NAS-IP-Address = 172.25.0.176
(34)  Debug: session-state: No cached attributes
(34)  Debug: # Executing section authorize from file
/etc/raddb/sites-enabled/vpn
(34)  Debug:   authorize {
(34)  Debug:     update request {
(34)  Debug:     } # update request = noop
(34)  Debug:     [mschap] = noop
(34)  Debug:     policy ntlm_auth.authorize {
(34)  Debug:       if (!control:Auth-Type && User-Password) {
(34)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(34)  Debug:     } # policy ntlm_auth.authorize = updated
(34)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 112 length 127
(34)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP
conversation
(34)  Debug:     [vpn-eap] = updated
(34)  Debug:   } # authorize = updated
(34)  Debug: Found Auth-Type = vpn-eap
(34)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(34)  Debug:   Auth-Type vpn-eap {
(34)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6ade326b
(34)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6ade326b
(34)  Debug: vpn-eap: Previous EAP request found for state
0x6aae3f2e6ade326b, released from the list
(34)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(34)  Debug: vpn-eap: Calling submodule eap_tls to process data
(34)  Debug: eap_tls: Continuing EAP-TLS
(34)  Debug: eap_tls: Peer indicated complete TLS record size will be 117
bytes
(34)  Debug: eap_tls: Got complete TLS record (117 bytes)
(34)  Debug: eap_tls: [eaptls verify] = length included
(34)  Debug: eap_tls: (other): before/accept initialization
(34)  Debug: eap_tls: TLS_accept: before/accept initialization
(34)  Debug: eap_tls: TLS_accept: SSLv3 read client hello A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write server hello A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write certificate A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write key exchange A
(34)  Debug: eap_tls: TLS_accept: SSLv3 write certificate request A
(34)  Debug: eap_tls: TLS_accept: SSLv3 flush data
(34)  Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(34)  Debug: eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(34)  Debug: eap_tls: In SSL Handshake Phase
(34)  Debug: eap_tls: In SSL Accept mode
(34)  Debug: eap_tls: [eaptls process] = handled
(34)  Debug: vpn-eap: Sending EAP Request (code 1) ID 113 length 1024
(34)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6bdf326b
(34)  Debug:     [vpn-eap] = handled
(34)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))
{
(34)  Debug:     EXPAND Response-Packet-Type
(34)  Debug:        --> Access-Challenge
(34)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  -> TRUE
(34)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  {
(34)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(34)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(34)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(34)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(34)  Debug:       [handled] = handled
(34)  Debug:     } # if (handled && (Response-Packet-Type ==
Access-Challenge))  = handled
(34)  Debug:   } # Auth-Type vpn-eap = handled
(34)  Debug: Using Post-Auth-Type Challenge
(34)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(34)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(34)  Debug: Sent Access-Challenge Id 73 from 212.219.210.194:1812 to
172.25.0.176:52447 length 0
(34)  Debug:   EAP-Message = 0x017104000dc000000ee616030100
5902000055030158fa35e7aba06da2f649d15b2f089f33f9657525d4ea7f
be38c0683b6d562b0d204c1a18aa8cc88018d71230199577025e1582f0af
81dbdc9ec817bb59968b8b07c01400000dff01000100000b000403000102
1603010b980b000b94000b910005bd
(34)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(34)  Debug:   State = 0x6aae3f2e6bdf326be20d66152c93ce20
(34)  Debug: Finished request
(35)  Debug: Received Access-Request Id 74 from 172.25.0.176:52447 to
212.219.210.194:1812 length 93
(35)  Debug:   User-Name = "adambishop.dev.ja.net"
(35)  Debug:   State = 0x6aae3f2e6bdf326be20d66152c93ce20
(35)  Debug:   EAP-Message = 0x027100060d00
(35)  Debug:   Message-Authenticator = 0xa0a4c2467a10884786f7e69f8629f39d
(35)  Debug:   NAS-IP-Address = 172.25.0.176
(35)  Debug: session-state: No cached attributes
(35)  Debug: # Executing section authorize from file
/etc/raddb/sites-enabled/vpn
(35)  Debug:   authorize {
(35)  Debug:     update request {
(35)  Debug:     } # update request = noop
(35)  Debug:     [mschap] = noop
(35)  Debug:     policy ntlm_auth.authorize {
(35)  Debug:       if (!control:Auth-Type && User-Password) {
(35)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(35)  Debug:     } # policy ntlm_auth.authorize = updated
(35)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 113 length 6
(35)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP
conversation
(35)  Debug:     [vpn-eap] = updated
(35)  Debug:   } # authorize = updated
(35)  Debug: Found Auth-Type = vpn-eap
(35)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(35)  Debug:   Auth-Type vpn-eap {
(35)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6bdf326b
(35)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6bdf326b
(35)  Debug: vpn-eap: Previous EAP request found for state
0x6aae3f2e6bdf326b, released from the list
(35)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(35)  Debug: vpn-eap: Calling submodule eap_tls to process data
(35)  Debug: eap_tls: Continuing EAP-TLS
(35)  Debug: eap_tls: Peer ACKed our handshake fragment
(35)  Debug: eap_tls: [eaptls verify] = request
(35)  Debug: eap_tls: [eaptls process] = handled
(35)  Debug: vpn-eap: Sending EAP Request (code 1) ID 114 length 1024
(35)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e68dc326b
(35)  Debug:     [vpn-eap] = handled
(35)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))
{
(35)  Debug:     EXPAND Response-Packet-Type
(35)  Debug:        --> Access-Challenge
(35)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  -> TRUE
(35)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  {
(35)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(35)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(35)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(35)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(35)  Debug:       [handled] = handled
(35)  Debug:     } # if (handled && (Response-Packet-Type ==
Access-Challenge))  = handled
(35)  Debug:   } # Auth-Type vpn-eap = handled
(35)  Debug: Using Post-Auth-Type Challenge
(35)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(35)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(35)  Debug: Sent Access-Challenge Id 74 from 212.219.210.194:1812 to
172.25.0.176:52447 length 0
(35)  Debug:   EAP-Message = 0x017204000dc000000ee67073312e
6465762e6a612e6e657482106f727073322e6465762e6a612e6e6574300d
06092a864886f70d01010b050003820201003538a5bfb66c1d80c153bea4
bde8797b5771787c349c00a0afb3007452b8263dcfe5f33e97a63b77a618
acc517c74bc965a5636510377123aa
(35)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(35)  Debug:   State = 0x6aae3f2e68dc326be20d66152c93ce20
(35)  Debug: Finished request
(36)  Debug: Received Access-Request Id 75 from 172.25.0.176:52447 to
212.219.210.194:1812 length 93
(36)  Debug:   User-Name = "adambishop.dev.ja.net"
(36)  Debug:   State = 0x6aae3f2e68dc326be20d66152c93ce20
(36)  Debug:   EAP-Message = 0x027200060d00
(36)  Debug:   Message-Authenticator = 0x30592ba50305fc9c46f668bdff6e0501
(36)  Debug:   NAS-IP-Address = 172.25.0.176
(36)  Debug: session-state: No cached attributes
(36)  Debug: # Executing section authorize from file
/etc/raddb/sites-enabled/vpn
(36)  Debug:   authorize {
(36)  Debug:     update request {
(36)  Debug:     } # update request = noop
(36)  Debug:     [mschap] = noop
(36)  Debug:     policy ntlm_auth.authorize {
(36)  Debug:       if (!control:Auth-Type && User-Password) {
(36)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(36)  Debug:     } # policy ntlm_auth.authorize = updated
(36)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 114 length 6
(36)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP
conversation
(36)  Debug:     [vpn-eap] = updated
(36)  Debug:   } # authorize = updated
(36)  Debug: Found Auth-Type = vpn-eap
(36)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(36)  Debug:   Auth-Type vpn-eap {
(36)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e68dc326b
(36)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e68dc326b
(36)  Debug: vpn-eap: Previous EAP request found for state
0x6aae3f2e68dc326b, released from the list
(36)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(36)  Debug: vpn-eap: Calling submodule eap_tls to process data
(36)  Debug: eap_tls: Continuing EAP-TLS
(36)  Debug: eap_tls: Peer ACKed our handshake fragment
(36)  Debug: eap_tls: [eaptls verify] = request
(36)  Debug: eap_tls: [eaptls process] = handled
(36)  Debug: vpn-eap: Sending EAP Request (code 1) ID 115 length 1024
(36)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e69dd326b
(36)  Debug:     [vpn-eap] = handled
(36)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))
{
(36)  Debug:     EXPAND Response-Packet-Type
(36)  Debug:        --> Access-Challenge
(36)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  -> TRUE
(36)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  {
(36)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(36)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(36)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(36)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(36)  Debug:       [handled] = handled
(36)  Debug:     } # if (handled && (Response-Packet-Type ==
Access-Challenge))  = handled
(36)  Debug:   } # Auth-Type vpn-eap = handled
(36)  Debug: Using Post-Auth-Type Challenge
(36)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(36)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(36)  Debug: Sent Access-Challenge Id 75 from 212.219.210.194:1812 to
172.25.0.176:52447 length 0
(36)  Debug:   EAP-Message = 0x017304000dc000000ee6a8a10366
b1a69070f32e9c2285917ba83b5fa6d7c9d736385ae3a898a989b4868c71
3e653962ef9c0e7842f3eb3597fbb63b193af9330d984af5dbed07fe8271
963a833187f2c99189b6001b54a8e3cc4fda9f07abeb2c3f8d9701bbd0de
99a0781ad8cf5ef90ba0cbd528ecbd
(36)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(36)  Debug:   State = 0x6aae3f2e69dd326be20d66152c93ce20
(36)  Debug: Finished request
(37)  Debug: Received Access-Request Id 76 from 172.25.0.176:52447 to
212.219.210.194:1812 length 93
(37)  Debug:   User-Name = "adambishop.dev.ja.net"
(37)  Debug:   State = 0x6aae3f2e69dd326be20d66152c93ce20
(37)  Debug:   EAP-Message = 0x027300060d00
(37)  Debug:   Message-Authenticator = 0xf2e97357da0c1ddd3ce4e45675dc4c85
(37)  Debug:   NAS-IP-Address = 172.25.0.176
(37)  Debug: session-state: No cached attributes
(37)  Debug: # Executing section authorize from file
/etc/raddb/sites-enabled/vpn
(37)  Debug:   authorize {
(37)  Debug:     update request {
(37)  Debug:     } # update request = noop
(37)  Debug:     [mschap] = noop
(37)  Debug:     policy ntlm_auth.authorize {
(37)  Debug:       if (!control:Auth-Type && User-Password) {
(37)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(37)  Debug:     } # policy ntlm_auth.authorize = updated
(37)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 115 length 6
(37)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP
conversation
(37)  Debug:     [vpn-eap] = updated
(37)  Debug:   } # authorize = updated
(37)  Debug: Found Auth-Type = vpn-eap
(37)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(37)  Debug:   Auth-Type vpn-eap {
(37)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e69dd326b
(37)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e69dd326b
(37)  Debug: vpn-eap: Previous EAP request found for state
0x6aae3f2e69dd326b, released from the list
(37)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(37)  Debug: vpn-eap: Calling submodule eap_tls to process data
(37)  Debug: eap_tls: Continuing EAP-TLS
(37)  Debug: eap_tls: Peer ACKed our handshake fragment
(37)  Debug: eap_tls: [eaptls verify] = request
(37)  Debug: eap_tls: [eaptls process] = handled
(37)  Debug: vpn-eap: Sending EAP Request (code 1) ID 116 length 782
(37)  Debug: vpn-eap: EAP session adding &reply:State = 0x6aae3f2e6eda326b
(37)  Debug:     [vpn-eap] = handled
(37)  Debug:     if (handled && (Response-Packet-Type == Access-Challenge))
{
(37)  Debug:     EXPAND Response-Packet-Type
(37)  Debug:        --> Access-Challenge
(37)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  -> TRUE
(37)  Debug:     if (handled && (Response-Packet-Type ==
Access-Challenge))  {
(37)  Debug: attr_filter.access_challenge: EXPAND %{User-Name}
(37)  Debug: attr_filter.access_challenge:    --> adambishop.dev.ja.net
(37)  Debug: attr_filter.access_challenge: Matched entry DEFAULT at line 12
(37)  Debug:       [attr_filter.access_challenge.post-auth] = updated
(37)  Debug:       [handled] = handled
(37)  Debug:     } # if (handled && (Response-Packet-Type ==
Access-Challenge))  = handled
(37)  Debug:   } # Auth-Type vpn-eap = handled
(37)  Debug: Using Post-Auth-Type Challenge
(37)  Debug: Post-Auth-Type sub-section not found.  Ignoring.
(37)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(37)  Debug: Sent Access-Challenge Id 76 from 212.219.210.194:1812 to
172.25.0.176:52447 length 0
(37)  Debug:   EAP-Message = 0x0174030e0d8000000ee6a8e258b2
11b12d7b809f6b1bde4c3b17448fcecde979c5af6b160301024b0c000247
0300174104fca4d3a30ab92336ed8b6d06067e419da55aaed97101b578e7
fc14b09dfa959c3f9532ae1699fedcf0e48443395cb523fb353bc312cd99
b96436c8fb52730dde02002046f7c3
(37)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000
(37)  Debug:   State = 0x6aae3f2e6eda326be20d66152c93ce20
(37)  Debug: Finished request
(38)  Debug: Received Access-Request Id 77 from 172.25.0.176:52447 to
212.219.210.194:1812 length 104
(38)  Debug:   User-Name = "adambishop.dev.ja.net"
(38)  Debug:   State = 0x6aae3f2e6eda326be20d66152c93ce20
(38)  Debug:   EAP-Message = 0x027400110d800000000715030100020100
(38)  Debug:   Message-Authenticator = 0x525697ff8dd586a2947f27df10721084
(38)  Debug:   NAS-IP-Address = 172.25.0.176
(38)  Debug: session-state: No cached attributes
(38)  Debug: # Executing section authorize from file
/etc/raddb/sites-enabled/vpn
(38)  Debug:   authorize {
(38)  Debug:     update request {
(38)  Debug:     } # update request = noop
(38)  Debug:     [mschap] = noop
(38)  Debug:     policy ntlm_auth.authorize {
(38)  Debug:       if (!control:Auth-Type && User-Password) {
(38)  Debug:       if (!control:Auth-Type && User-Password)  -> FALSE
(38)  Debug:     } # policy ntlm_auth.authorize = updated
(38)  Debug: vpn-eap: Peer sent EAP Response (code 2) ID 116 length 17
(38)  Debug: vpn-eap: No EAP Start, assuming it's an on-going EAP
conversation
(38)  Debug:     [vpn-eap] = updated
(38)  Debug:   } # authorize = updated
(38)  Debug: Found Auth-Type = vpn-eap
(38)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(38)  Debug:   Auth-Type vpn-eap {
(38)  Debug: vpn-eap: Expiring EAP session with state 0x6aae3f2e6eda326b
(38)  Debug: vpn-eap: Finished EAP session with state 0x6aae3f2e6eda326b
(38)  Debug: vpn-eap: Previous EAP request found for state
0x6aae3f2e6eda326b, released from the list
(38)  Debug: vpn-eap: Peer sent packet with method EAP TLS (13)
(38)  Debug: vpn-eap: Calling submodule eap_tls to process data
(38)  Debug: eap_tls: Continuing EAP-TLS
(38)  Debug: eap_tls: Peer indicated complete TLS record size will be 7
bytes
(38)  Debug: eap_tls: Got complete TLS record (7 bytes)
(38)  Debug: eap_tls: [eaptls verify] = length included
(38)  ERROR: eap_tls: TLS_accept: Failed in SSLv3 read client certificate A
(38)  ERROR: eap_tls: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
(38)  ERROR: eap_tls: System call (I/O) error (-1)
(38)  ERROR: eap_tls: TLS receive handshake failed during operation
(38)  ERROR: eap_tls: [eaptls process] = fail
(38)  ERROR: vpn-eap: Failed continuing EAP TLS (13) session.  EAP
sub-module failed
(38)  Debug: vpn-eap: Sending EAP Failure (code 4) ID 116 length 4
(38)  Debug: vpn-eap: Failed in EAP select
(38)  Debug:     [vpn-eap] = invalid
(38)  Debug:   } # Auth-Type vpn-eap = invalid
(38)  Debug: Failed to authenticate the user
(38)  Debug: Using Post-Auth-Type Reject
(38)  Debug: # Executing group from file /etc/raddb/sites-enabled/vpn
(38)  Debug:   Post-Auth-Type REJECT {
(38)  Debug: attr_filter.access_reject: EXPAND %{User-Name}
(38)  Debug: attr_filter.access_reject:    --> adambishop.dev.ja.net
(38)  Debug: attr_filter.access_reject: Matched entry DEFAULT at line 11
(38)  Debug:     [attr_filter.access_reject] = updated
(38)  Debug:     [eap] = noop
(38)  Debug: rp_log: EXPAND rp_log.%{%{reply:Packet-Type}:-format}
(38)  Debug: rp_log:    --> rp_log.Access-Reject
(38)  Debug: rp_log: EXPAND radiusd-rp-log#DOMAIN=DEV#
LOCATION=LH#SERVICE=%{%{Service-Class}:-NONE}#ORG=%{%{
request:operator-name}:-%{request:Stripped-User-Domain}}
#USER=%{User-Name}#CSI=%{Calling-Station-Id}#NAS=%{Called-Station-Id}#CUI=%{
reply:Chargeable-User-Identity}#RESULT=FAIL#VLAN=%{%
{reply:Tunnel-Private-Group-ID}:-NONE}#CLIENT=%{client:
shortname}#REPLY_MESSAGE=%{%{reply:reply-message}:-NONE}#
MODULE_MESSAGE=%{%{%{request:Module-Failure-Message}:-%{
session-state:Module-Failure-Message}}:-NONE}#
(38) Fri Apr 21 16:40:07 2017: Debug: rp_log:    -->
radiusd-rp-log#DOMAIN=DEV#LOCATION=LH#SERVICE=vpn#ORG=#USER=
adambishop.dev.ja.net#CSI=#NAS=#CUI=#RESULT=FAIL#
VLAN=NONE#CLIENT=castle-black.djn#REPLY_MESSAGE=NONE#MODULE_MESSAGE=eap_tls:
TLS_accept: Failed in SSLv3 read client certificate A#
(38)  Debug:     [rp_log] = ok
(38)  Debug:     policy remove_reply_message_if_eap {
(38)  Debug:       if (&reply:EAP-Message && &reply:Reply-Message) {
(38)  Debug:       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(38)  Debug:       else {
(38)  Debug:         [noop] = noop
(38)  Debug:       } # else = noop
(38)  Debug:     } # policy remove_reply_message_if_eap = noop
(38)  Debug:   } # Post-Auth-Type REJECT = updated
(38)  Debug: Delaying response for 1.000000 seconds
(38)  Debug: Sending delayed response
(38)  Debug: Sent Access-Reject Id 77 from 212.219.210.194:1812 to
172.25.0.176:52447 length 44
(38)  Debug:   EAP-Message = 0x04740004
(38)  Debug:   Message-Authenticator = 0x00000000000000000000000000000000


---
# radiusd -C -X
FreeRADIUS Version 3.0.13
Copyright (C) 1999-2016 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
<snip>
main {
 security {
        user = "radiusd"
        group = "radiusd"
        allow_core_dumps = no
 }
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
}
main {
        name = "radiusd"
        prefix = "/usr"
        localstatedir = "/var"
        sbindir = "/usr/sbin"
        logdir = "/var/log/radius"
        run_dir = "/var/run/radiusd"
        libdir = "/usr/lib64/freeradius"
        radacctdir = "/var/log/radius/radacct"
        hostname_lookups = no
        max_request_time = 60
        cleanup_delay = 10
        max_requests = 16384
        pidfile = "/var/run/radiusd/radiusd.pid"
        checkrad = "/usr/sbin/checkrad"
        debug_level = 0
        proxy_requests = yes
 log {
        stripped_names = no
        auth = no
        auth_badpass = no
        auth_goodpass = no
        colourise = yes
        msg_denied = "You are already logged in - access denied"
 }
 resources {
 }
 security {
        max_attributes = 200
        reject_delay = 1.000000
        status_server = yes
        allow_vulnerable_openssl = "CVE-2016-6304"
 }
}
radiusd: #### Loading Realms and Home Servers ####
 proxy server {
        retry_delay = 5
        retry_count = 3
        default_fallback = no
        dead_time = 120
        wake_all_if_all_dead = no
 }
 realm LOCAL {
        nostrip
 }
<snip>
 realm dev.ja.net {
 }
radiusd: #### Loading Clients ####
<snip>
 client 172.25.0.176 {
        ipaddr = 172.25.0.176
        require_message_authenticator = yes
        secret = <<< secret >>>
        shortname = "castle-black.djn"
        nas_type = "other"
        virtual_server = "vpn"
        proto = "udp"
  limit {
        max_connections = 16
        lifetime = 0
        idle_timeout = 30
  }
 }
<snip>
 Debugger not attached
 # Creating Auth-Type = mschap
 # Creating Auth-Type = PAP
 # Creating Auth-Type = MS-CHAP
 # Creating Auth-Type = eap
 # Creating Autz-Type = Status-Server
 # Creating Auth-Type = inner-eap
 # Creating Auth-Type = ntlm_auth
 # Creating Auth-Type = VPN
 # Creating Auth-Type = vpn-eap
radiusd: #### Instantiating modules ####
 modules {
  # Loaded module rlm_always
  # Loading module "reject" from file /etc/raddb/mods-enabled/always
  always reject {
        rcode = "reject"
        simulcount = 0
        mpp = no
  }
  # Loading module "fail" from file /etc/raddb/mods-enabled/always
  always fail {
        rcode = "fail"
        simulcount = 0
        mpp = no
  }
  # Loading module "ok" from file /etc/raddb/mods-enabled/always
  always ok {
        rcode = "ok"
        simulcount = 0
        mpp = no
  }
  # Loading module "handled" from file /etc/raddb/mods-enabled/always
  always handled {
        rcode = "handled"
        simulcount = 0
        mpp = no
  }
  # Loading module "invalid" from file /etc/raddb/mods-enabled/always
  always invalid {
        rcode = "invalid"
        simulcount = 0
        mpp = no
  }
  # Loading module "userlock" from file /etc/raddb/mods-enabled/always
  always userlock {
        rcode = "userlock"
        simulcount = 0
        mpp = no
  }
  # Loading module "notfound" from file /etc/raddb/mods-enabled/always
  always notfound {
        rcode = "notfound"
        simulcount = 0
        mpp = no
  }
  # Loading module "noop" from file /etc/raddb/mods-enabled/always
  always noop {
        rcode = "noop"
        simulcount = 0
        mpp = no
  }
  # Loading module "updated" from file /etc/raddb/mods-enabled/always
  always updated {
        rcode = "updated"
        simulcount = 0
        mpp = no
  }
  # Loaded module rlm_attr_filter
  # Loading module "attr_filter.post-proxy" from file
/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.post-proxy {
        filename = "/etc/raddb/mods-config/attr_filter/post-proxy"
        key = "%{Realm}"
        relaxed = no
  }
  # Loading module "attr_filter.pre-proxy" from file
/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.pre-proxy {
        filename = "/etc/raddb/mods-config/attr_filter/pre-proxy"
        key = "%{Realm}"
        relaxed = no
  }
  # Loading module "attr_filter.access_reject" from file
/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_reject {
        filename = "/etc/raddb/mods-config/attr_filter/access_reject"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.access_challenge" from file
/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.access_challenge {
        filename = "/etc/raddb/mods-config/attr_filter/access_challenge"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loading module "attr_filter.accounting_response" from file
/etc/raddb/mods-enabled/attr_filter
  attr_filter attr_filter.accounting_response {
        filename = "/etc/raddb/mods-config/attr_filter/accounting_response"
        key = "%{User-Name}"
        relaxed = no
  }
  # Loaded module rlm_cache
  # Loading module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
  cache cache_eap {
        driver = "rlm_cache_rbtree"
        key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"
        ttl = 15
        max_entries = 0
        epoch = 0
        add_stats = no
  }
  # Loaded module rlm_date
  # Loading module "date" from file /etc/raddb/mods-enabled/date
  date {
        format = "%b %e %Y %H:%M:%S %Z"
  }
  # Loaded module rlm_digest
  # Loading module "digest" from file /etc/raddb/mods-enabled/digest
  # Loaded module rlm_eap
  # Loading module "eap" from file /etc/raddb/mods-enabled/eap
  eap {
        default_eap_type = "peap"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 16384
  }
  # Loaded module rlm_exec
  # Loading module "echo" from file /etc/raddb/mods-enabled/echo
  exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = "request"
        output_pairs = "reply"
        shell_escape = yes
  }
  # Loading module "exec" from file /etc/raddb/mods-enabled/exec
  exec {
        wait = no
        input_pairs = "request"
        shell_escape = yes
        timeout = 10
  }
  # Loaded module rlm_expiration
  # Loading module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Loaded module rlm_expr
  # Loading module "expr" from file /etc/raddb/mods-enabled/expr
  expr {
        safe_characters = "@abcdefghijklmnopqrstuvwxyzABCD
EFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇ
ÈÉÊËÎÏÔŒÙÛÜŸ"
  }
  # Loaded module rlm_files
  # Loading module "files" from file /etc/raddb/mods-enabled/files
  files {
        filename = "/etc/raddb/mods-config/files/authorize"
        acctusersfile = "/etc/raddb/mods-config/files/accounting"
        preproxy_usersfile = "/etc/raddb/mods-config/files/pre-proxy"
  }
  # Loaded module rlm_linelog
  # Loading module "linelog" from file /etc/raddb/mods-enabled/linelog
  linelog {
        filename = "/var/log/radius/linelog"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = "This is a log message for %{User-Name}"
        reference = "messages.%{%{reply:Packet-Type}:-default}"
  }
  # Loading module "log_accounting" from file /etc/raddb/mods-enabled/
linelog
  linelog log_accounting {
        filename = "/var/log/radius/linelog-accounting"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = ""
        reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"
  }
  # Loaded module rlm_logintime
  # Loading module "logintime" from file /etc/raddb/mods-enabled/logintime
  logintime {
        minimum_timeout = 60
  }
  # Loaded module rlm_pap
  # Loading module "pap" from file /etc/raddb/mods-enabled/pap
  pap {
        normalise = yes
  }
  # Loaded module rlm_passwd
  # Loading module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
  passwd etc_passwd {
        filename = "/etc/passwd"
        format = "*User-Name:Crypt-Password:"
        delimiter = ":"
        ignore_nislike = no
        ignore_empty = yes
        allow_multiple_keys = no
        hash_size = 100
  }
  # Loaded module rlm_realm
  # Loading module "IPASS" from file /etc/raddb/mods-enabled/realm
  realm IPASS {
        format = "prefix"
        delimiter = "/"
        ignore_default = no
        ignore_null = no
        default_community = "none"
        rp_realm = "none"
        trust_router = "none"
        tr_port = 0
  }
  # Loading module "suffix" from file /etc/raddb/mods-enabled/realm
  realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
        default_community = "none"
        rp_realm = "none"
        trust_router = "none"
        tr_port = 0
  }
  # Loading module "realmpercent" from file /etc/raddb/mods-enabled/realm
  realm realmpercent {
        format = "suffix"
        delimiter = "%"
        ignore_default = no
        ignore_null = no
        default_community = "none"
        rp_realm = "none"
        trust_router = "none"
        tr_port = 0
  }
  # Loading module "ntdomain" from file /etc/raddb/mods-enabled/realm
  realm ntdomain {
        format = "prefix"
        delimiter = "\\"
        ignore_default = no
        ignore_null = no
        default_community = "none"
        rp_realm = "none"
        trust_router = "none"
        tr_port = 0
  }
  # Loaded module rlm_replicate
  # Loading module "replicate" from file /etc/raddb/mods-enabled/replicate
  # Loaded module rlm_soh
  # Loading module "soh" from file /etc/raddb/mods-enabled/soh
  soh {
        dhcp = yes
  }
  # Loaded module rlm_radutmp
  # Loading module "sradutmp" from file /etc/raddb/mods-enabled/sradutmp
  radutmp sradutmp {
        filename = "/var/log/radius/sradutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        permissions = 420
        caller_id = no
  }
  # Loaded module rlm_unpack
  # Loading module "unpack" from file /etc/raddb/mods-enabled/unpack
  # Loaded module rlm_utf8
  # Loading module "utf8" from file /etc/raddb/mods-enabled/utf8
  # Loaded module rlm_mschap
  # Loading module "mschap" from file /etc/raddb/mods-enabled/mschap
  mschap {
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
   passchange {
   }
        allow_retry = yes
        retry_msg = "Your credentials were not accepted, please try again"
        winbind_retry_with_normalised_username = yes
  }
  # Loading module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap
  eap inner-eap {
        default_eap_type = "mschapv2"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
  }
  # Loading module "ntlm_auth" from file /etc/raddb/mods-enabled/ntlm_auth
  exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=DEV --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} --password=%{User-Password}"
        shell_escape = yes
  }
  # Loaded module rlm_redis
  # Loading module "redis" from file /etc/raddb/mods-enabled/redis
  redis {
        server = "127.0.0.1"
        port = 6379
        database = 0
        password = <<< secret >>>
  }
rlm_redis: libhiredis version: 0.12.1
  # Loading module "idp_log" from file /etc/raddb/mods-enabled/idp_log
  linelog idp_log {
        filename = "syslog"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = ""
        reference = "idp_log.%{%{reply:Packet-Type}:-format}"
  }
  # Loading module "rp_log" from file /etc/raddb/mods-enabled/rp_log
  linelog rp_log {
        filename = "syslog"
        escape_filenames = no
        syslog_severity = "info"
        permissions = 384
        format = ""
        reference = "rp_log.%{%{reply:Packet-Type}:-format}"
  }
  # Loading module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap
  eap vpn-eap {
        default_eap_type = "tls"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 16384
  }
  instantiate {
  }
  # Instantiating module "reject" from file /etc/raddb/mods-enabled/always
  # Instantiating module "fail" from file /etc/raddb/mods-enabled/always
  # Instantiating module "ok" from file /etc/raddb/mods-enabled/always
  # Instantiating module "handled" from file /etc/raddb/mods-enabled/always
  # Instantiating module "invalid" from file /etc/raddb/mods-enabled/always
  # Instantiating module "userlock" from file /etc/raddb/mods-enabled/always
  # Instantiating module "notfound" from file /etc/raddb/mods-enabled/always
  # Instantiating module "noop" from file /etc/raddb/mods-enabled/always
  # Instantiating module "updated" from file /etc/raddb/mods-enabled/always
  # Instantiating module "attr_filter.post-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/post-proxy
  # Instantiating module "attr_filter.pre-proxy" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/pre-proxy
  # Instantiating module "attr_filter.access_reject" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_reject
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"    found in filter list for realm "DEFAULT".
[/etc/raddb/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec"       found in filter list for realm "DEFAULT".
  # Instantiating module "attr_filter.access_challenge" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/access_challenge
  # Instantiating module "attr_filter.accounting_response" from file /etc/raddb/mods-enabled/attr_filter
reading pairlist file /etc/raddb/mods-config/attr_filter/accounting_response
  # Instantiating module "cache_eap" from file /etc/raddb/mods-enabled/cache_eap
rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked
  # Instantiating module "eap" from file /etc/raddb/mods-enabled/eap
   # Linked to sub-module rlm_eap_md5
   # Linked to sub-module rlm_eap_gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_ttls
   ttls {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
        require_client_cert = no
   }
   tls-config tls-common {
        verify_depth = 0
        ca_path = "/etc/raddb/certs"
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs.d/DEV/server.pem"
        certificate_file = "/etc/raddb/certs.d/DEV/server.crt"
        dh_file = "/etc/raddb/certs.d/DEV/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = yes
        check_all_crl = yes
        cipher_list = "DEFAULT"
        cipher_server_preference = yes
        ecdh_curve = "prime256v1"
    cache {
        enable = yes
        lifetime = 24
        name = "Default EAP Cache"
        max_entries = 16384
        persist_dir = "/var/lib/radiusd/tlscache"
    }
    verify {
        skip_if_ocsp_ok = no
    }
    ocsp {
        enable = no
        override_cert_url = no
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
   # Linked to sub-module rlm_eap_peap
   peap {
        tls = "tls-common"
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
        require_client_cert = no
   }
tls: Using cached TLS configuration from previous invocation
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = yes
   }
  # Instantiating module "expiration" from file /etc/raddb/mods-enabled/expiration
  # Instantiating module "files" from file /etc/raddb/mods-enabled/files
reading pairlist file /etc/raddb/mods-config/files/authorize
reading pairlist file /etc/raddb/mods-config/files/accounting
reading pairlist file /etc/raddb/mods-config/files/pre-proxy
  # Instantiating module "linelog" from file /etc/raddb/mods-enabled/linelog
  # Instantiating module "log_accounting" from file /etc/raddb/mods-enabled/linelog
  # Instantiating module "logintime" from file /etc/raddb/mods-enabled/logintime
  # Instantiating module "pap" from file /etc/raddb/mods-enabled/pap
  # Instantiating module "etc_passwd" from file /etc/raddb/mods-enabled/passwd
rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no
  # Instantiating module "IPASS" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "suffix" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "realmpercent" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "ntdomain" from file /etc/raddb/mods-enabled/realm
  # Instantiating module "mschap" from file /etc/raddb/mods-enabled/mschap
rlm_mschap (mschap): Initialising connection pool
   pool {
        start = 5
        min = 3
        max = 32
        spare = 10
        uses = 0
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 600
        retry_delay = 30
        spread = no
   }
rlm_mschap (mschap): authenticating directly to winbind
  # Instantiating module "inner-eap" from file /etc/raddb/mods-enabled/inner-eap
   # Linked to sub-module rlm_eap_gtc
   gtc {
        challenge = "Password: "
        auth_type = "PAP"
   }
   # Linked to sub-module rlm_eap_mschapv2
   mschapv2 {
        with_ntdomain_hack = no
        send_error = yes
   }
  # Instantiating module "redis" from file /etc/raddb/mods-enabled/redis
rlm_redis (redis): Initialising connection pool
   pool {
        start = 5
        min = 3
        max = 32
        spare = 10
        uses = 0
        lifetime = 86400
        cleanup_interval = 300
        idle_timeout = 0
        retry_delay = 10
        spread = no
   }
  # Instantiating module "idp_log" from file /etc/raddb/mods-enabled/idp_log
  # Instantiating module "rp_log" from file /etc/raddb/mods-enabled/rp_log
  # Instantiating module "vpn-eap" from file /etc/raddb/mods-enabled/vpn-eap
   # Linked to sub-module rlm_eap_tls
   tls {
        tls = "vpn-tls"
   }
   tls-config vpn-tls {
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/raddb/certs.d/DEV/vpn/server.pem"
        certificate_file = "/etc/raddb/certs.d/DEV/vpn/server.crt"
        ca_file = "/etc/raddb/certs.d/DEV/vpn/ca/root.crt"
        dh_file = "/etc/raddb/certs.d/DEV/dh"
        fragment_size = 1024
        include_length = yes
        auto_chain = yes
        check_crl = yes
        check_all_crl = yes
        cipher_list = "DEFAULT"
        cipher_server_preference = yes
        ecdh_curve = "prime256v1"
    cache {
        enable = yes
        lifetime = 24
        name = "Default EAP VPN Cache"
        max_entries = 16384
        persist_dir = "/var/lib/radiusd/tlscache"
    }
    verify {
        skip_if_ocsp_ok = no
    }
    ocsp {
        enable = no
        override_cert_url = no
        use_nonce = yes
        timeout = 0
        softfail = no
    }
   }
 } # modules

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
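The two tls-config blocks in the dump above differ in where they keep their trust store: tls-common has a ca_path and no ca_file, while vpn-tls has a ca_file and no ca_path, and both set check_crl = yes. Whether that is what the concentrator is tripping over is not established in the thread, but it is the first thing a reviewer checks when the server side rejects client certificates, because with check_crl enabled OpenSSL must be able to find the issuer's CRL (in the c_rehash'd ca_path directory, or appended to the ca_file PEM) and otherwise fails verification with "unable to get certificate CRL". The following is an added example, not code from the thread or from FreeRADIUS: a stdlib-only Python lint that parses the tls-config sections of a `radiusd -X` module dump and reports those two trust-store findings. The sample input is constructed from the values printed above, trimmed to the keys the check reads; the function and regex names are this example's own.

```python
"""Lint the tls-config blocks in a `radiusd -X` module dump.

Added example (not part of the mailing-list thread or of FreeRADIUS).
It parses each `tls-config NAME { ... }` section printed at startup and
flags the trust-store settings a reviewer checks first when the server
rejects client certificates:

  * no ca_file and no ca_path      -> nothing to verify client certs against
  * check_crl = yes and no ca_path -> OpenSSL looks CRLs up in the c_rehash'd
                                      ca_path (or in the ca_file PEM); with no
                                      CRL reachable, every client certificate
                                      fails with "unable to get certificate CRL"
"""
import re

# Constructed sample: the two tls-config blocks from the debug output above,
# reduced to the keys this check reads.  Nested sections are kept to show
# that the parser skips them.
SAMPLE_DUMP = """\
   tls-config tls-common {
        verify_depth = 0
        ca_path = "/etc/raddb/certs"
        pem_file_type = yes
        certificate_file = "/etc/raddb/certs.d/DEV/server.crt"
        check_crl = yes
        check_all_crl = yes
    cache {
        enable = yes
    }
   }
   tls-config vpn-tls {
        verify_depth = 0
        pem_file_type = yes
        certificate_file = "/etc/raddb/certs.d/DEV/vpn/server.crt"
        ca_file = "/etc/raddb/certs.d/DEV/vpn/ca/root.crt"
        check_crl = yes
        check_all_crl = yes
    ocsp {
        enable = no
    }
   }
"""

HEADER_RE = re.compile(r'^\s*tls-config\s+(\S+)\s*\{\s*$')   # tls-config NAME {
KV_RE = re.compile(r'^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$')      # key = value
OPEN_RE = re.compile(r'^\s*[A-Za-z_]+\s*\{\s*$')              # nested "cache {"
CLOSE_RE = re.compile(r'^\s*\}\s*(#.*)?$')                    # "}" or "} # modules"


def parse_tls_configs(text):
    """Return {config_name: {key: value}} for every tls-config block.

    Only top-level keys of each block are kept; nested sections (cache,
    verify, ocsp) are skipped by tracking brace depth.  Quotes around
    values are stripped so paths compare cleanly.
    """
    configs = {}
    name = None
    depth = 0
    for line in text.splitlines():
        if name is None:
            m = HEADER_RE.match(line)
            if m:
                name = m.group(1)
                configs[name] = {}
                depth = 1
            continue
        if OPEN_RE.match(line):
            depth += 1
            continue
        if CLOSE_RE.match(line):
            depth -= 1
            if depth == 0:
                name = None
            continue
        m = KV_RE.match(line)
        if m and depth == 1:
            configs[name][m.group(1)] = m.group(2).strip('"')
    return configs


def lint_tls_config(cfg):
    """Return a list of findings (strings) for one parsed tls-config dict."""
    findings = []
    ca_file = cfg.get("ca_file")
    ca_path = cfg.get("ca_path")
    if not ca_file and not ca_path:
        findings.append("no ca_file or ca_path: client certificates cannot be verified")
    if cfg.get("check_crl") == "yes" and not ca_path:
        findings.append("check_crl = yes but no ca_path: CRLs must be in the c_rehash'd "
                        "ca_path or appended to the ca_file PEM, otherwise client "
                        "certificate verification fails with 'unable to get certificate CRL'")
    return findings


def lint_dump(text):
    """Map each tls-config name in a dump to its list of findings."""
    return {name: lint_tls_config(cfg) for name, cfg in parse_tls_configs(text).items()}


if __name__ == "__main__":
    for name, findings in lint_dump(SAMPLE_DUMP).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against a full `radiusd -X` capture by passing the file contents to `lint_dump`; on the sample above it reports nothing for tls-common and one finding for vpn-tls. The finding is a prompt to confirm where the CRL lives, not a verdict on the handshake failure: if a CRL for the signing CA is present in the ca_file PEM the setting is fine as it stands.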