Help with non-compliant client (TLS issue)

Geoffrey McRae geoff at hostfission.com
Wed May 17 11:05:22 CEST 2017


The client isn't that intelligent; it is only looking for a valid
certificate and doesn't verify the CN at any point.

I just confirmed the problem: the device doesn't support SHA512, and
dropping back to SHA256 fixes the issue. Thanks for your time.

-- 
Kind Regards,
Geoffrey McRae

HostFission
Server Management & Monitoring
W: https://hostfission.com
P: +61 2 9037 0321



On Wed, 2017-05-17 at 10:51 +0200, Stefan Winter wrote:
> Hello,
> 
> on your client, do you validate the server certificate against the
> correct CA, and if you specify the server name, did you specify the
> *server certificate's* CN / subjectAltName (notably not the name of the
> CA)?
> 
> Greetings,
> 
> Stefan Winter
> 
> On 17.05.2017 at 09:26, Geoffrey McRae via Freeradius-Users wrote:
> > Follow up with complete authentication log:
> > 
> > rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
> > id=61, length=213
> > 	User-Name = "office.power.accounting"
> > 	NAS-Identifier = "OpenWRT"
> > 	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
> > 	NAS-Port-Type = Wireless-802.11
> > 	NAS-Port = 1
> > 	Calling-Station-Id = "A0-20-A6-18-6F-D4"
> > 	Connect-Info = "CONNECT 54Mbps 802.11g"
> > 	Acct-Session-Id = "5583280D-00001ECC"
> > 	Framed-MTU = 1400
> > 	EAP-Message =
> > 0x0270001c016f66666963652e706f7765722e6163636f756e74696e67
> > 	Message-Authenticator = 0x89bac36f11fc19def9cf51a7e3e9ca95
> > # Executing section authorize from
> > file /etc/freeradius/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > [auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
> > [auth_log]
> > expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
> > ++[auth_log] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "office.power.accounting", looking up
> > realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 112 length 28
> > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > ++[eap] = updated
> > ++[files] = noop
> > ++[expiration] = noop
> > ++[logintime] = noop
> > [pap] WARNING! No "known good" password found for the user.
> > Authentication may fail because of this.
> > ++[pap] = noop
> > +} # group authorize = updated
> > Found Auth-Type = EAP
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group authenticate {
> > [eap] EAP Identity
> > [eap] processing type tls
> > [tls] Initiate
> > [tls] Start returned 1
> > ++[eap] = handled
> > +} # group authenticate = handled
> > Sending Access-Challenge of id 61 to 192.168.50.253 port 33005
> > 	EAP-Message = 0x017100061920
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > 	State = 0x06e4b92c0695a0e7583a5ad1e4b3e5ec
> > Finished request 56.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
> > id=62, length=275
> > 	User-Name = "office.power.accounting"
> > 	NAS-Identifier = "OpenWRT"
> > 	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
> > 	NAS-Port-Type = Wireless-802.11
> > 	NAS-Port = 1
> > 	Calling-Station-Id = "A0-20-A6-18-6F-D4"
> > 	Connect-Info = "CONNECT 54Mbps 802.11g"
> > 	Acct-Session-Id = "5583280D-00001ECC"
> > 	Framed-MTU = 1400
> > 	EAP-Message =
> > 0x0271004819800000003e1603020039010000350302572068748f17c6ace6f3126cc7befac5eddf2d1cc893df1b2ead55eb3cb62c9800000e003d0035003c002f000a000500040100
> > 	State = 0x06e4b92c0695a0e7583a5ad1e4b3e5ec
> > 	Message-Authenticator = 0x560dc60831b0fa342cd1b39f5fded0d0
> > # Executing section authorize from
> > file /etc/freeradius/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > [auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
> > [auth_log]
> > expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
> > ++[auth_log] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "office.power.accounting", looking up
> > realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 113 length 72
> > [eap] Continuing tunnel setup.
> > ++[eap] = ok
> > +} # group authorize = ok
> > Found Auth-Type = EAP
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group authenticate {
> > [eap] Request found, released from the list
> > [eap] EAP/peap
> > [eap] processing type peap
> > [peap] processing EAP-TLS
> >   TLS Length 62
> > [peap] Length Included
> > [peap] eaptls_verify returned 11 
> > [peap]     (other): before/accept initialization
> > [peap]     TLS_accept: before/accept initialization
> > [peap] <<< TLS 1.0 Handshake [length 0039], ClientHello  
> > [peap]     TLS_accept: unknown state
> > [peap] >>> TLS 1.0 Handshake [length 002a], ServerHello  
> > [peap]     TLS_accept: unknown state
> > [peap] >>> TLS 1.0 Handshake [length 0ad4], Certificate  
> > [peap]     TLS_accept: unknown state
> > [peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
> > [peap]     TLS_accept: unknown state
> > [peap]     TLS_accept: unknown state
> > [peap]     TLS_accept: Need to read more data: unknown state
> > In SSL Handshake Phase 
> > In SSL Accept mode  
> > [peap] eaptls_process returned 13 
> > [peap] EAPTLS_HANDLED
> > ++[eap] = handled
> > +} # group authenticate = handled
> > Sending Access-Challenge of id 62 to 192.168.50.253 port 33005
> > 	EAP-Message = 0x061f85b9da0b385ce0b787b3
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > 	State = 0x06e4b92c0796a0e7583a5ad1e4b3e5ec
> > Finished request 57.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
> > id=63, length=209
> > 	User-Name = "office.power.accounting"
> > 	NAS-Identifier = "OpenWRT"
> > 	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
> > 	NAS-Port-Type = Wireless-802.11
> > 	NAS-Port = 1
> > 	Calling-Station-Id = "A0-20-A6-18-6F-D4"
> > 	Connect-Info = "CONNECT 54Mbps 802.11g"
> > 	Acct-Session-Id = "5583280D-00001ECC"
> > 	Framed-MTU = 1400
> > 	EAP-Message = 0x027200061900
> > 	State = 0x06e4b92c0796a0e7583a5ad1e4b3e5ec
> > 	Message-Authenticator = 0xf99ffa56b22071a5b6849102d0a6c1f9
> > # Executing section authorize from
> > file /etc/freeradius/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > [auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
> > [auth_log]
> > expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
> > ++[auth_log] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "office.power.accounting", looking up
> > realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 114 length 6
> > [eap] Continuing tunnel setup.
> > ++[eap] = ok
> > +} # group authorize = ok
> > Found Auth-Type = EAP
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group authenticate {
> > [eap] Request found, released from the list
> > [eap] EAP/peap
> > [eap] processing type peap
> > [peap] processing EAP-TLS
> > [peap] Received TLS ACK
> > [peap] ACK handshake fragment handler
> > [peap] eaptls_verify returned 1 
> > [peap] eaptls_process returned 13 
> > [peap] EAPTLS_HANDLED
> > ++[eap] = handled
> > +} # group authenticate = handled
> > Sending Access-Challenge of id 63 to 192.168.50.253 port 33005
> > 	EAP-Message =
> > 0x30303030305a170d3335303631353233353935395a3059310b3009060355040613024155311830160603550408130f4e657720536f7574682057616c65733111300f060355040713084b61746f6f6d6261311d301b0603550403131453565320496e7472616e657420526f6f7420434130820222300d06092a864886f70d01010105000382020f003082020a0282020100b3a3f9aab5bac705830441d0bec3f2b12e8f2828cf14238b42aedd8e62f52e2751b4f89c0124022bda7a863a937177563cabca1fd27911830d80e7fa5f323a3b81ffac47e76828296ac3ecb0ae13b28182b9082438dd078d55303b490435abe776dfd4c64166eccef6899469
> > 	EAP-Message = 0x5d0e86558c0b467d
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > 	State = 0x06e4b92c0497a0e7583a5ad1e4b3e5ec
> > Finished request 58.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
> > id=64, length=209
> > 	User-Name = "office.power.accounting"
> > 	NAS-Identifier = "OpenWRT"
> > 	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
> > 	NAS-Port-Type = Wireless-802.11
> > 	NAS-Port = 1
> > 	Calling-Station-Id = "A0-20-A6-18-6F-D4"
> > 	Connect-Info = "CONNECT 54Mbps 802.11g"
> > 	Acct-Session-Id = "5583280D-00001ECC"
> > 	Framed-MTU = 1400
> > 	EAP-Message = 0x027300061900
> > 	State = 0x06e4b92c0497a0e7583a5ad1e4b3e5ec
> > 	Message-Authenticator = 0xcf8da5e0de6e6911640cac00e68741a9
> > # Executing section authorize from
> > file /etc/freeradius/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > [auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
> > [auth_log]
> > expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] 	expand: %t -> Wed May 17 17:24:09 2017
> > ++[auth_log] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "office.power.accounting", looking up
> > realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 115 length 6
> > [eap] Continuing tunnel setup.
> > ++[eap] = ok
> > +} # group authorize = ok
> > Found Auth-Type = EAP
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group authenticate {
> > [eap] Request found, released from the list
> > [eap] EAP/peap
> > [eap] processing type peap
> > [peap] processing EAP-TLS
> > [peap] Received TLS ACK
> > [peap] ACK handshake fragment handler
> > [peap] eaptls_verify returned 1 
> > [peap] eaptls_process returned 13 
> > [peap] EAPTLS_HANDLED
> > ++[eap] = handled
> > +} # group authenticate = handled
> > Sending Access-Challenge of id 64 to 192.168.50.253 port 33005
> > 	EAP-Message =
> > 0x160f786361206365727469666963617465300d06092a864886f70d01010d0500038202010037d15182d4db682f480e8bc12cd74f8648218f4e9f92f40a69e4847aed7db19042a7fa79f5639fd2c0576e9f46d46514816d75f056edcc27327981f726b5a7136c4cf2654af17889753ac1c7cffa8394fd274dd027e3c1cc163e9fb74580027281907d5d3acb13e409fc76bc0f73bbef386de80381962eed04bdaad47db7f9d7c15388669e165c3f64ae171d256ca1cae698c36125ec52b10804575069d6a281ee49821fa999d875a6afaf36b2d607fa0a339bbb3e77813566805029087188a6cb80fe9cc9b2782380ab3b5be5ecc8463021069c892dbf23
> > 	EAP-Message =
> > 0x4bd1b7c07a522d0d95d8d66e8bb99b2f44b0a043e61f6bdf6b82b869132d6a1051c37c6bd696631d0699d416030100040e000000
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > 	State = 0x06e4b92c0590a0e7583a5ad1e4b3e5ec
> > Finished request 59.
> > Going to the next request
> > Waking up in 4.9 seconds.
> > rad_recv: Access-Request packet from host 192.168.50.253 port 33005,
> > id=65, length=220
> > 	User-Name = "office.power.accounting"
> > 	NAS-Identifier = "OpenWRT"
> > 	Called-Station-Id = "74-EA-3A-E4-BF-CE:spacevs.com"
> > 	NAS-Port-Type = Wireless-802.11
> > 	NAS-Port = 1
> > 	Calling-Station-Id = "A0-20-A6-18-6F-D4"
> > 	Connect-Info = "CONNECT 54Mbps 802.11g"
> > 	Acct-Session-Id = "5583280D-00001ECC"
> > 	Framed-MTU = 1400
> > 	EAP-Message = 0x027400111980000000071503010002022a
> > 	State = 0x06e4b92c0590a0e7583a5ad1e4b3e5ec
> > 	Message-Authenticator = 0x9580deaf1ada4b60f7a7e6c2312f6a0c
> > # Executing section authorize from
> > file /etc/freeradius/sites-enabled/default
> > +group authorize {
> > ++[preprocess] = ok
> > [auth_log] 	expand: %{Packet-Src-IP-Address} -> 192.168.50.253
> > [auth_log]
> > expand: /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/192.168.50.253/auth-detail-20170517
> > [auth_log] 	expand: %t -> Wed May 17 17:24:10 2017
> > ++[auth_log] = ok
> > ++[chap] = noop
> > ++[mschap] = noop
> > ++[digest] = noop
> > [suffix] No '@' in User-Name = "office.power.accounting", looking up
> > realm NULL
> > [suffix] No such realm "NULL"
> > ++[suffix] = noop
> > [eap] EAP packet type response id 116 length 17
> > [eap] Continuing tunnel setup.
> > ++[eap] = ok
> > +} # group authorize = ok
> > Found Auth-Type = EAP
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group authenticate {
> > [eap] Request found, released from the list
> > [eap] EAP/peap
> > [eap] processing type peap
> > [peap] processing EAP-TLS
> >   TLS Length 7
> > [peap] Length Included
> > [peap] eaptls_verify returned 11 
> > [peap] <<< TLS 1.0 Alert [length 0002], fatal bad_certificate  
> > TLS Alert read:fatal:bad certificate
> >     TLS_accept: failed in unknown state
> > rlm_eap: SSL error error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> > alert bad certificate
> > SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> > TLS receive handshake failed during operation
> > [peap] eaptls_process returned 4 
> > [peap] EAPTLS_OTHERS
> > [eap] Handler failed in EAP/peap
> > [eap] Failed in EAP select
> > ++[eap] = invalid
> > +} # group authenticate = invalid
> > Failed to authenticate the user.
> > Login incorrect (TLS Alert read:fatal:bad certificate):
> > [office.power.accounting/<via Auth-Type = EAP>] (from client
> > 192.168.50.253 port 1 cli A0-20-A6-18-6F-D4)
> > Using Post-Auth-Type REJECT
> > # Executing group from file /etc/freeradius/sites-enabled/default
> > +group REJECT {
> > [attr_filter.access_reject] 	expand: %{User-Name} ->
> > office.power.accounting
> > attr_filter: Matched entry DEFAULT at line 11
> > ++[attr_filter.access_reject] = updated
> > +} # group REJECT = updated
> > Delaying reject of request 60 for 1 seconds
> > Going to the next request
> > Waking up in 0.9 seconds.
> > Sending delayed reject for request 60
> > Sending Access-Reject of id 65 to 192.168.50.253 port 33005
> > 	EAP-Message = 0x04740004
> > 	Message-Authenticator = 0x00000000000000000000000000000000
> > Waking up in 3.3 seconds.
> > Cleaning up request 56 ID 61 with timestamp +2171
> > Cleaning up request 57 ID 62 with timestamp +2171
> > Cleaning up request 58 ID 63 with timestamp +2171
> > Cleaning up request 59 ID 64 with timestamp +2171
> > Waking up in 1.6 seconds.
> > Cleaning up request 60 ID 65 with timestamp +2172
> > Ready to process requests.
> > 
> > 
> 
> 
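As an added illustration (not code from this thread or from FreeRADIUS), the following Python decodes three EAP-Message values quoted from the debug log above: the client's ClientHello (EAP id 113), its fatal alert (EAP id 116), and the start of the server Certificate fragment in the id 64 challenge that carries the certificate's signatureAlgorithm OID. It shows what to check when a legacy supplicant rejects a certificate: the TLS version and cipher suites offered, whether a signature_algorithms extension is present at all, the alert reason, and the hash the server certificate was actually signed with. Cipher-suite, version and OID names are the standard IANA and PKCS#1 values; the lookup tables only cover what appears in this log.

```python
import struct
# Values copied from the FreeRADIUS debug log above (ClientHello, fatal alert, and
# the part of the server Certificate fragment holding the signatureAlgorithm).
CLIENT_HELLO_HEX = ("0x0271004819800000003e1603020039010000350302572068748f17c6ace6f3126cc7"
                    "befac5eddf2d1cc893df1b2ead55eb3cb62c9800000e003d0035003c002f000a000500040100")
ALERT_HEX = "0x027400111980000000071503010002022a"
CERT_FRAGMENT_HEX = "0x160f786361206365727469666963617465300d06092a864886f70d01010d0500"
SUITES = {0x003d: "TLS_RSA_WITH_AES_256_CBC_SHA256", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x003c: "TLS_RSA_WITH_AES_128_CBC_SHA256", 0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA",
          0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
          0x0004: "TLS_RSA_WITH_RC4_128_MD5"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}
# DER-encoded OIDs 1.2.840.113549.1.1.13 (sha512WithRSAEncryption) and .1.1.11 (sha256WithRSAEncryption)
SIG_OIDS = {bytes.fromhex("06092a864886f70d01010d"): "sha512WithRSAEncryption",
            bytes.fromhex("06092a864886f70d01010b"): "sha256WithRSAEncryption"}

def eap_tls_payload(hexstr):
    """Strip the EAP header (code, id, length, type, flags[, TLS length]) and return the TLS bytes."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    _code, _id, length, eap_type, flags = struct.unpack("!BBHBB", data[:6])
    if length != len(data) or eap_type not in (0x0d, 0x19):   # EAP-TLS (13) / PEAP (25) only
        raise ValueError("not a complete EAP-TLS/PEAP fragment")
    return data[10:] if flags & 0x80 else data[6:]              # L bit set: 4-byte TLS length follows

def parse_record(hexstr):
    """Decode the first TLS record in the fragment: a ClientHello or an alert."""
    rec = eap_tls_payload(hexstr)
    ctype, _ver, rlen = struct.unpack("!BHH", rec[:5])
    body = rec[5:5 + rlen]
    if ctype == 0x15:                                   # alert record
        level, desc = body
        return {"type": "alert", "level": "fatal" if level == 2 else "warning",
                "description": ALERTS.get(desc, str(desc))}
    if ctype == 0x16 and body[0] == 1:                  # handshake record, ClientHello
        hello = body[4:]                                # skip handshake type + 3-byte length
        ver = struct.unpack("!H", hello[:2])[0]
        p = 2 + 32 + 1 + hello[34]                      # version, client_random, session_id
        n = struct.unpack("!H", hello[p:p + 2])[0]; p += 2
        suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(p, p + n, 2)]
        p += n + 1 + hello[p + n]                       # compression_methods
        return {"type": "client_hello", "version": VERSIONS.get(ver, hex(ver)),
                "suites": [SUITES.get(s, hex(s)) for s in suites],
                "has_extensions": p < len(hello)}       # False: no signature_algorithms sent
    return {"type": hex(ctype)}

def signature_algorithm(cert_hex):
    """Name the signature OID found in a raw certificate fragment, or None."""
    raw = bytes.fromhex(cert_hex[2:] if cert_hex.startswith("0x") else cert_hex)
    return next((name for oid, name in SIG_OIDS.items() if oid in raw), None)
```

On this log the ClientHello carries no extensions and the certificate fragment contains the sha512WithRSAEncryption OID, which matches the fix described at the top of the thread.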