iOS mysterious issues on Freeradius 3.0.14
John Tobin
jtobin at po-box.esu.edu
Wed Mar 22 21:37:57 CET 2017
Ah, you mean like this: [ERROR: TLS is down a bit, I took the entire transaction out of the log…]
(86) Received Access-Request Id 196 from 10.99.7.190:1645 to 10.99.7.21:1812 length 153
(86) User-Name = "tobi1"
(86) Framed-MTU = 1400
(86) Called-Station-Id = "0022.90bd.9500"
(86) Calling-Station-Id = "0025.4b8e.15b9"
(86) Service-Type = Login-User
(86) Message-Authenticator = 0x5f033b48ec2f2a210b5e0ce5379cdf49
(86) EAP-Message = 0x0205001119800000000715030100020100
(86) NAS-Port-Type = Wireless-802.11
(86) NAS-Port = 394
(86) NAS-Port-Id = "394"
(86) State = 0xe046c6d9e243dfdaa11e15be1d36d7b4
(86) NAS-IP-Address = 10.99.7.190
(86) NAS-Identifier = "ap"
(86) session-state: No cached attributes
(86) # Executing section authorize from file /etc/raddb/sites-enabled/default
(86) authorize {
(86) policy filter_username {
(86) if (&User-Name) {
(86) if (&User-Name) -> TRUE
(86) if (&User-Name) {
(86) if (&User-Name =~ / /) {
(86) if (&User-Name =~ / /) -> FALSE
(86) if (&User-Name =~ /@[^@]*@/ ) {
(86) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(86) if (&User-Name =~ /\.\./ ) {
(86) if (&User-Name =~ /\.\./ ) -> FALSE
(86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(86) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(86) if (&User-Name =~ /\.$/) {
(86) if (&User-Name =~ /\.$/) -> FALSE
(86) if (&User-Name =~ /@\./) {
(86) if (&User-Name =~ /@\./) -> FALSE
(86) } # if (&User-Name) = notfound
(86) } # policy filter_username = notfound
(86) [preprocess] = ok
(86) [chap] = noop
(86) [mschap] = noop
(86) [digest] = noop
(86) suffix: Checking for suffix after "@"
(86) suffix: No '@' in User-Name = "tobi1", looking up realm NULL
(86) suffix: No such realm "NULL"
(86) [suffix] = noop
(86) eap: Peer sent EAP Response (code 2) ID 5 length 17
(86) eap: Continuing tunnel setup
(86) [eap] = ok
(86) } # authorize = ok
(86) Found Auth-Type = eap
(86) # Executing group from file /etc/raddb/sites-enabled/default
(86) authenticate {
(86) eap: Expiring EAP session with state 0xe046c6d9e243dfda
(86) eap: Finished EAP session with state 0xe046c6d9e243dfda
(86) eap: Previous EAP request found for state 0xe046c6d9e243dfda, released from the list
(86) eap: Peer sent packet with method EAP PEAP (25)
(86) eap: Calling submodule eap_peap to process data
(86) eap_peap: Continuing EAP-TLS
(86) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(86) eap_peap: Got complete TLS record (7 bytes)
(86) eap_peap: [eaptls verify] = length included
(86) eap_peap: <<< recv TLS 1.0 Alert [length 0002], warning close_notify
(86) eap_peap: ERROR: TLS_accept: Failed in unknown state
(86) eap_peap: ERROR: SSL says: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(86) eap_peap: ERROR: SSL_read failed in a system call (-1), TLS session failed
(86) eap_peap: ERROR: TLS receive handshake failed during operation
(86) eap_peap: ERROR: [eaptls process] = fail
(86) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(86) eap: Sending EAP Failure (code 4) ID 5 length 4
(86) eap: Failed in EAP select
(86) [eap] = invalid
(86) } # authenticate = invalid
(86) Failed to authenticate the user
(86) Using Post-Auth-Type Reject
(86) # Executing group from file /etc/raddb/sites-enabled/default
(86) Post-Auth-Type REJECT {
(86) attr_filter.access_reject: EXPAND %{User-Name}
(86) attr_filter.access_reject: --> tobi1
(86) attr_filter.access_reject: Matched entry DEFAULT at line 11
(86) [attr_filter.access_reject] = updated
(86) [eap] = noop
(86) policy remove_reply_message_if_eap {
(86) if (&reply:EAP-Message && &reply:Reply-Message) {
(86) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(86) else {
(86) [noop] = noop
(86) } # else = noop
(86) } # policy remove_reply_message_if_eap = noop
(86) } # Post-Auth-Type REJECT = updated
(86) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(86) Sending delayed response
(86) Sent Access-Reject Id 196 from 10.99.7.21:1812 to 10.99.7.190:1645 length 44
(86) EAP-Message = 0x04050004
(86) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
…
Waking up in 0.1 seconds.
(86) Cleaning up request packet ID 196 with timestamp +1294629
Ready to process requests
Ready to process requests
Signalled to terminate
Exiting normally
rlm_ldap (ldap): Removing connection pool
rlm_ldap (ldap): Closing connection (12)
rlm_ldap (ldap): Closing connection (11)
rlm_ldap (ldap): Closing connection (10)
tls: Freeing cached session VPs
On 3/22/17, 13:20, "Freeradius-Users on behalf of Brian Julin"
<freeradius-users-bounces+jtobin=po-box.esu.edu at lists.freeradius.org on
behalf of BJulin at clarku.edu> wrote:
>
>
>
>
>> This is not easy research, since the error messages you receive no one
>> else seems to see.
>> My problem may be that apple devices are no longer accepting self signed
>> certs, but I have also looked at os x upgrades [home brew/openssl
>> problems] for openssl.
>
>If the OS is rejecting the cert (or vice versa), you'll see something
>like:
>
>Error: TLS Alert fatal: blah blah blah
>
>The original poster was getting all the way through MS-CHAP inner
>authentication, so it could not have been a certificate issue since the
>TLS tunnel had successfully established.
>
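The two EAP-Message values in the log above (the client's Access-Request and the server's Access-Reject), decoded as an added example that is not part of the original thread; the decoder and its field names are my own. It shows where radiusd gets "complete TLS record size will be 7 bytes" and "TLS 1.0 Alert [length 0002], warning close_notify" from, and that the client sent a warning-level close_notify, not the fatal alert a certificate rejection would produce.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Alert descriptions that matter when troubleshooting PEAP/EAP-TLS (RFC 5246, 7.2)
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}


def decode_eap_message(hex_value: str) -> dict:
    """Decode a RADIUS EAP-Message value as printed by radiusd -X (e.g. 0x0205...)."""
    # Returns the EAP header and, for PEAP (type 25), the flag bits, the total TLS
    # length when the L bit is set, and a description of a TLS Alert record if present.
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (3, 4):  # Success/Failure carry no type byte or payload
        return msg
    msg["type"] = data[4]
    if msg["type"] != 25:  # only PEAP is decoded further here
        return msg
    flags = data[5]
    msg["length_included"] = bool(flags & 0x80)  # L bit: 4-byte TLS length follows
    msg["more_fragments"] = bool(flags & 0x40)   # M bit
    msg["start"] = bool(flags & 0x20)            # S bit
    msg["peap_version"] = flags & 0x07
    offset = 6
    if msg["length_included"]:
        msg["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    tls = data[offset:]
    # TLS record header: content type (1), version (2), length (2); an alert body is 2 bytes
    if len(tls) >= 7 and tls[0] == 21:  # content type 21 = Alert
        version = TLS_VERSIONS.get((tls[1], tls[2]), f"{tls[1]}.{tls[2]}")
        rec_len = struct.unpack("!H", tls[3:5])[0]
        level = ALERT_LEVELS.get(tls[5], str(tls[5]))
        desc = ALERT_DESCRIPTIONS.get(tls[6], str(tls[6]))
        msg["tls_alert"] = f"{version} Alert [length {rec_len:04x}], {level} {desc}"
    return msg


if __name__ == "__main__":
    # Values taken from the Access-Request and Access-Reject in the log above
    print(decode_eap_message("0x0205001119800000000715030100020100"))
    print(decode_eap_message("0x04050004"))
```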