Reject for unknown TLS version
Norman Elton
normelton at gmail.com
Tue Aug 14 16:34:08 CEST 2018
Deploying EAP-TLS, I've got the CA and certificate configured on the
server, and the client-side certificate on the client. But I'm getting
a "Unknown TLS version [length 0002]" message. Debug output below.
Following a previous thread
(http://freeradius.1045715.n5.nabble.com/ttls-lt-lt-lt-Unknown-TLS-version-length-0002-td5734046.html),
I've confirmed that FreeRADIUS is built on a version of OpenSSL that
support TLS 1.2. In wireshark, I see the Server Hello advertising
support for TLS 1.2. I'm also seeing an exchange of four
access-request / access-challenge before the reject is finally sent.
Is there anything else that could be causing this message?
Is the "[length 0002]" referring to only have two bytes to parse? Is
some of the transaction getting lost someplace?
To be fair, we have FreeRADIUS deployed on RHEL6, using the
RedHat-supplied packages. So far, we've been happy with the stability
this provides, but realize that FreeRADIUS 2.2.6 is way outdated.
My suspicion is this is due to a misconfiguration somewhere on my end,
but will test a newer version of FreeRADIUS.
Thanks
Norman
========
rad_recv: Access-Request packet from host 10.100.136.139 port 58966,
id=85, length=256
User-Name = "wnelto at wm.edu"
NAS-Identifier = "AP-Jones14Hallway"
Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls"
AH-Vlan-Id = 0
AH-UserProfile-Id = 1100
Acct-Multi-Session-Id = "696D03370B67F9C2"
Service-Type = Framed-User
NAS-Port = 0
Calling-Station-Id = "78-4F-43-51-71-D2"
Connect-Info = "11ac"
Acct-Session-Id = "8C5E9DF056A740DB"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027073
NAS-IP-Address = 10.100.136.139
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message = 0x02c7001201776e656c746f40776d2e656475
Message-Authenticator = 0x89c60964c1782091312827729adc6284
server srv-aerohive-aps-eap-tls {
# Executing section authorize from file
/etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group authorize {
++[preprocess] = ok
[strip_username_prefix] expand: ^campus\\\ -> ^campus\\
strip_username_prefix: Does not match: User-Name = wnelto at wm.edu
++[strip_username_prefix] = ok
++[mschap] = noop
[log_aerohive_inbound] expand: AERO [IN
%{request:Packet-Src-IP-Address}] %{request:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request:
78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu
++[log_aerohive_inbound] = ok
[eap-aerohive-tls] EAP packet type response id 199 length 18
[eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation
++[eap-aerohive-tls] = updated
+} # group authorize = updated
Found Auth-Type = eap-aerohive-tls
# Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group eap-aerohive-tls {
[eap-aerohive-tls] EAP Identity
[eap-aerohive-tls] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap-aerohive-tls] = handled
++? if (handled)
? Evaluating (handled) -> TRUE
++? if (handled) -> TRUE
++if (handled) {
[log_aerohive_outbound] expand: AERO [OUT
%{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT
10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2
C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu ->
+++[log_aerohive_outbound] = ok
+++[handled] = handled
++} # if (handled) = handled
+} # group eap-aerohive-tls = handled
} # server srv-aerohive-aps-eap-tls
Sending Access-Challenge of id 85 to 10.100.136.139 port 58966
EAP-Message = 0x01c800060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6fc2d7b96f0ada3950baa64de4198c71
Finished request 19.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.136.139 port 58966,
id=86, length=417
User-Name = "wnelto at wm.edu"
NAS-Identifier = "AP-Jones14Hallway"
Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls"
AH-Vlan-Id = 0
AH-UserProfile-Id = 1100
Acct-Multi-Session-Id = "696D03370B67F9C2"
Service-Type = Framed-User
NAS-Port = 0
Calling-Station-Id = "78-4F-43-51-71-D2"
Connect-Info = "11ac"
Acct-Session-Id = "8C5E9DF056A740DB"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027073
NAS-IP-Address = 10.100.136.139
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message =
0x02c800a10d800000009716030100920100008e03035b72d919bf25e5e1c2428293f421b0ca996556c5fa8b19f9897c7a1a5c994c0a00002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00020100000d00120010040102010501060104030203050306030005000501000000000012000000170000
State = 0x6fc2d7b96f0ada3950baa64de4198c71
Message-Authenticator = 0xdd283334b485d03b1a1227da4db85c86
server srv-aerohive-aps-eap-tls {
# Executing section authorize from file
/etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group authorize {
++[preprocess] = ok
[strip_username_prefix] expand: ^campus\\\ -> ^campus\\
strip_username_prefix: Does not match: User-Name = wnelto at wm.edu
++[strip_username_prefix] = ok
++[mschap] = noop
[log_aerohive_inbound] expand: AERO [IN
%{request:Packet-Src-IP-Address}] %{request:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request:
78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu
++[log_aerohive_inbound] = ok
[eap-aerohive-tls] EAP packet type response id 200 length 161
[eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation
++[eap-aerohive-tls] = updated
+} # group authorize = updated
Found Auth-Type = eap-aerohive-tls
# Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group eap-aerohive-tls {
[eap-aerohive-tls] Request found, released from the list
[eap-aerohive-tls] EAP/tls
[eap-aerohive-tls] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 151
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< Unknown TLS version [length 0092]
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> Unknown TLS version [length 0039]
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> Unknown TLS version [length 0667]
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> Unknown TLS version [length 014d]
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> Unknown TLS version [length 00f4]
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap-aerohive-tls] = handled
++? if (handled)
? Evaluating (handled) -> TRUE
++? if (handled) -> TRUE
++if (handled) {
[log_aerohive_outbound] expand: AERO [OUT
%{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT
10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2
C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu ->
+++[log_aerohive_outbound] = ok
+++[handled] = handled
++} # if (handled) = handled
+} # group eap-aerohive-tls = handled
} # server srv-aerohive-aps-eap-tls
Sending Access-Challenge of id 86 to 10.100.136.139 port 58966
EAP-Message =
0x01c904000dc0000008f516030300390200003503035b72d9197e597f8bc8a618afe30f89ecffd92dff97fc8acae895d7ac1498d4c200c03000000dff01000100000b00040300010216030306670b00066300066000065d3082065930820541a00302010202107e23e2f2c72fa07f91b662af2727e01b300d06092a864886f70d01010b05003076310b3009060355040613025553310b3009060355040813024d493112301006035504071309416e6e204172626f7231123010060355040a1309496e7465726e6574323111300f060355040b1308496e436f6d6d6f6e311f301d06035504031316496e436f6d6d6f6e2052534120536572766572204341
EAP-Message =
0x301e170d3136303230393030303030305a170d3139303230383233353935395a3081b5310b3009060355040613025553311330110603550411130a32333138372d38373935310b3009060355040813025641311530130603550407130c57696c6c69616d7362757267311c301a06035504091313426c6f772048616c6c2c20526f6f6d2031353031283026060355040a131f54686520436f6c6c656765206f662057696c6c69616d20616e64204d617279310b3009060355040b13024954311830160603550403130f776972656c6573732e776d2e65647530820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b7f2a
EAP-Message =
0x5457ad3bd6fd8fe5a4ad8f00278203819792ce336920bc498078a01a67cd1f3209ab29aa6408360079fdf24c8dc55a0b0dcfb7fb2ac2388707e95bb0addce869229dd675e2a22674b8106acc105752dbf8bb22492d4c435ccf2a5c9092dc906dc896fe7f2c139cbaefa8017fbeb1fd07054d6aa2781f2ae43682f211cba7c336f20c5fe5919e89a68ebcd4f7994ad497abb1ca5a2c70d876e1fb5678c190484afefbe8ca5ecb59bcc2ab81c2dac39b5f1b469d6b72117cabec5bd0c4ef3da8ca20ea1f7d6ed6e7dec9da78abd2489b9d054593ca8eff7d0f8f40fd4b6ddd40f760f0b9b229a3ad57116734dcc9144d0020cf9355ad909e1e0a3db5dd02
EAP-Message =
0x03010001a38202a13082029d301f0603551d230418301680141e05a3778f6c96e25b874ba6b486ac71000ce738301d0603551d0e04160414e221c3b8b5a1ed4f545c740be804648cdc845c34300e0603551d0f0101ff0404030205a0300c0603551d130101ff04023000301d0603551d250416301406082b0601050507030106082b0601050507030230670603551d200460305e3052060c2b06010401ae2301040301013042304006082b06010505070201163468747470733a2f2f7777772e696e636f6d6d6f6e2e6f72672f636572742f7265706f7369746f72792f6370735f73736c2e7064663008060667810c01020230440603551d1f043d303b
EAP-Message = 0x3039a037a035863368747470
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6fc2d7b96e0bda3950baa64de4198c71
Finished request 20.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.136.139 port 58966,
id=87, length=262
User-Name = "wnelto at wm.edu"
NAS-Identifier = "AP-Jones14Hallway"
Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls"
AH-Vlan-Id = 0
AH-UserProfile-Id = 1100
Acct-Multi-Session-Id = "696D03370B67F9C2"
Service-Type = Framed-User
NAS-Port = 0
Calling-Station-Id = "78-4F-43-51-71-D2"
Connect-Info = "11ac"
Acct-Session-Id = "8C5E9DF056A740DB"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027073
NAS-IP-Address = 10.100.136.139
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message = 0x02c900060d00
State = 0x6fc2d7b96e0bda3950baa64de4198c71
Message-Authenticator = 0x66c9255b45835d0d2d54398dc804a0b6
server srv-aerohive-aps-eap-tls {
# Executing section authorize from file
/etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group authorize {
++[preprocess] = ok
[strip_username_prefix] expand: ^campus\\\ -> ^campus\\
strip_username_prefix: Does not match: User-Name = wnelto at wm.edu
++[strip_username_prefix] = ok
++[mschap] = noop
[log_aerohive_inbound] expand: AERO [IN
%{request:Packet-Src-IP-Address}] %{request:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request:
78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu
++[log_aerohive_inbound] = ok
[eap-aerohive-tls] EAP packet type response id 201 length 6
[eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation
++[eap-aerohive-tls] = updated
+} # group authorize = updated
Found Auth-Type = eap-aerohive-tls
# Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group eap-aerohive-tls {
[eap-aerohive-tls] Request found, released from the list
[eap-aerohive-tls] EAP/tls
[eap-aerohive-tls] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap-aerohive-tls] = handled
++? if (handled)
? Evaluating (handled) -> TRUE
++? if (handled) -> TRUE
++if (handled) {
[log_aerohive_outbound] expand: AERO [OUT
%{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT
10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2
C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu ->
+++[log_aerohive_outbound] = ok
+++[handled] = handled
++} # if (handled) = handled
+} # group eap-aerohive-tls = handled
} # server srv-aerohive-aps-eap-tls
Sending Access-Challenge of id 87 to 10.100.136.139 port 58966
EAP-Message =
0x01ca04000dc0000008f53a2f2f63726c2e696e636f6d6d6f6e2d7273612e6f72672f496e436f6d6d6f6e52534153657276657243412e63726c307506082b0601050507010104693067303e06082b060105050730028632687474703a2f2f6372742e7573657274727573742e636f6d2f496e436f6d6d6f6e52534153657276657243415f322e637274302506082b060105050730018619687474703a2f2f6f6373702e7573657274727573742e636f6d3081f70603551d110481ef3081ec820f776972656c6573732e776d2e656475821761757468312e7361666574792e6e65742e776d2e656475821761757468322e7361666574792e6e65742e776d
EAP-Message =
0x2e656475821761757468332e7361666574792e6e65742e776d2e656475821761757468342e7361666574792e6e65742e776d2e6564758219617574686465762e7361666574792e6e65742e776d2e6564758215726164697573312e63616d7075732e776d2e6564758215726164697573322e63616d7075732e776d2e6564758215726164697573332e63616d7075732e776d2e6564758215726164697573342e63616d7075732e776d2e656475300d06092a864886f70d01010b050003820101008a0e6906805755e7771d4007da7cc49081e60831f0170be61b71a9919ffe692638c427069ca1bcc3479d6e76ba03de3cf11934df860be80cf452885b
EAP-Message =
0x40c6cd525a6871b33f0fcbcdcf526c5142868b8bc6a60dd745682e84a1caea9ffc3b50e447586d75a06530a4ac2cd44a6e5ad2044e157f4cf83cd603f8b5126f1cd90ebc61483d0a7b6d77d12630e610a7d4afc462cacb7a932f15989bb8a28bf01e2619420d37ce3e9dc4bcf269c2b7966ef9a326af879e0a11b981fc4202999fd3fd0ef1fc6f1201a091e8d895029616ae92eb6fb43615721f270fb7cbaeda1f619684960b55aa016eaaae364be336d7bf0e0c6943734924d5f218ab033185c8dc253a160303014d0c0001490300174104a43ff793877aa3cbe8938ad243c61ba19f3d9f8716e6fabff6279898c7181cdbb2402ec0c27715ed0a0ae3
EAP-Message =
0x592362b8138e143a1617a3f2c98af985ab7fa9f3b904010100b64e0ddac89de21dae049cb7c20d90cb5bc6674450eb8aaba7987a919cdb401cfada8f96fee3f8dd629b67955b60cc4aa1efe7b91a50917d51ac7b056e7ca76aac2ba42f26dfb86df1e6a8ab2de6017a08210b6e9f51c7b07bca6ab9df8b675e88dbb027e13be5fe52acbe48eb3072ff34c762ad66c02217aec74e2dca794b1bc27ed461268466e77135c90628f91bbda6c3a3043097a2d3391f02dbcfb730ef5009acac1352bfb0a8184ce2f0da3b179669c50e9277728a694ff236eed58a1b25e2cf9c2b26be443799c5c25391ef859a33dcae27d83b034e4d597c642835cbb7d8c924
EAP-Message = 0x61afcf995dfc00d54f975473
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6fc2d7b96d08da3950baa64de4198c71
Finished request 21.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.136.139 port 58966,
id=88, length=262
User-Name = "wnelto at wm.edu"
NAS-Identifier = "AP-Jones14Hallway"
Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls"
AH-Vlan-Id = 0
AH-UserProfile-Id = 1100
Acct-Multi-Session-Id = "696D03370B67F9C2"
Service-Type = Framed-User
NAS-Port = 0
Calling-Station-Id = "78-4F-43-51-71-D2"
Connect-Info = "11ac"
Acct-Session-Id = "8C5E9DF056A740DB"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027073
NAS-IP-Address = 10.100.136.139
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message = 0x02ca00060d00
State = 0x6fc2d7b96d08da3950baa64de4198c71
Message-Authenticator = 0x4853ab54dca98d2730b55492154a5900
server srv-aerohive-aps-eap-tls {
# Executing section authorize from file
/etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group authorize {
++[preprocess] = ok
[strip_username_prefix] expand: ^campus\\\ -> ^campus\\
strip_username_prefix: Does not match: User-Name = wnelto at wm.edu
++[strip_username_prefix] = ok
++[mschap] = noop
[log_aerohive_inbound] expand: AERO [IN
%{request:Packet-Src-IP-Address}] %{request:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request:
78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu
++[log_aerohive_inbound] = ok
[eap-aerohive-tls] EAP packet type response id 202 length 6
[eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation
++[eap-aerohive-tls] = updated
+} # group authorize = updated
Found Auth-Type = eap-aerohive-tls
# Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group eap-aerohive-tls {
[eap-aerohive-tls] Request found, released from the list
[eap-aerohive-tls] EAP/tls
[eap-aerohive-tls] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap-aerohive-tls] = handled
++? if (handled)
? Evaluating (handled) -> TRUE
++? if (handled) -> TRUE
++if (handled) {
[log_aerohive_outbound] expand: AERO [OUT
%{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT
10.100.136.139] Access-Challenge: 78-4F-43-51-71-D2
C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu ->
+++[log_aerohive_outbound] = ok
+++[handled] = handled
++} # if (handled) = handled
+} # group eap-aerohive-tls = handled
} # server srv-aerohive-aps-eap-tls
Sending Access-Challenge of id 88 to 10.100.136.139 port 58966
EAP-Message =
0x01cb01130d80000008f5f4cbf66cc3d63f418c16b335bf8fc5e216030300f40d0000ec03010240001e06010602060305010502050304010402040303010302030302010202020300c6005d305b31243022060355040a0c1b436f6c6c656765206f662057696c6c69616d20616e64204d6172793133303106035504030c2a436f6c6c656765206f662057696c6c69616d20616e64204d6172792044657669636520526f6f742043410065306331243022060355040a0c1b436f6c6c656765206f662057696c6c69616d20616e64204d617279313b303906035504030c32436f6c6c656765206f662057696c6c69616d20616e64204d6172792044657669
EAP-Message = 0x636520496e7465726d6564696174652043410e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x6fc2d7b96c09da3950baa64de4198c71
Finished request 22.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.100.136.139 port 58966,
id=89, length=273
User-Name = "wnelto at wm.edu"
NAS-Identifier = "AP-Jones14Hallway"
Called-Station-Id = "C4-13-E2-03-28-A7:eduroam-tls"
AH-Vlan-Id = 0
AH-UserProfile-Id = 1100
Acct-Multi-Session-Id = "696D03370B67F9C2"
Service-Type = Framed-User
NAS-Port = 0
Calling-Station-Id = "78-4F-43-51-71-D2"
Connect-Info = "11ac"
Acct-Session-Id = "8C5E9DF056A740DB"
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027073
NAS-IP-Address = 10.100.136.139
NAS-Port-Type = Wireless-802.11
Framed-MTU = 1500
EAP-Message = 0x02cb00110d800000000715030300020100
State = 0x6fc2d7b96c09da3950baa64de4198c71
Message-Authenticator = 0x574a16f4a82bcdf900c20574210fde90
server srv-aerohive-aps-eap-tls {
# Executing section authorize from file
/etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group authorize {
++[preprocess] = ok
[strip_username_prefix] expand: ^campus\\\ -> ^campus\\
strip_username_prefix: Does not match: User-Name = wnelto at wm.edu
++[strip_username_prefix] = ok
++[mschap] = noop
[log_aerohive_inbound] expand: AERO [IN
%{request:Packet-Src-IP-Address}] %{request:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> AERO [IN 10.100.136.139] Access-Request:
78-4F-43-51-71-D2 C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu
++[log_aerohive_inbound] = ok
[eap-aerohive-tls] EAP packet type response id 203 length 17
[eap-aerohive-tls] No EAP Start, assuming it's an on-going EAP conversation
++[eap-aerohive-tls] = updated
+} # group authorize = updated
Found Auth-Type = eap-aerohive-tls
# Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group eap-aerohive-tls {
[eap-aerohive-tls] Request found, released from the list
[eap-aerohive-tls] EAP/tls
[eap-aerohive-tls] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 7
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] <<< Unknown TLS version [length 0002]
TLS Alert read:warning:close notify
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:140940E5:SSL routines:SSL3_READ_BYTES:ssl
handshake failure
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap-aerohive-tls] Handler failed in EAP/tls
[eap-aerohive-tls] Failed in EAP select
++[eap-aerohive-tls] = invalid
+} # group eap-aerohive-tls = invalid
Failed to authenticate the user.
} # server srv-aerohive-aps-eap-tls
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/auth-server/sites/aerohive-aps-eap-tls
+group REJECT {
[log_aerohive_outbound] expand: AERO [OUT
%{reply:Packet-Dst-IP-Address}] %{reply:Packet-Type}:
%{request:Calling-Station-Id} %{request:Called-Station-Id}
%{request:User-Name} -> %{reply:Tunnel-Private-Group-ID} -> AERO [OUT
10.100.136.139] Access-Reject: 78-4F-43-51-71-D2
C4-13-E2-03-28-A7:eduroam-tls wnelto at wm.edu ->
++[log_aerohive_outbound] = ok
+} # group REJECT = ok
Delaying reject of request 23 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 23
Sending Access-Reject of id 89 to 10.100.136.139 port 58966
EAP-Message = 0x04cb0004
Message-Authenticator = 0x00000000000000000000000000000000
More information about the Freeradius-Users
mailing list