iOS SSL issue
Mankomal Singh
mankomal at shouut.com
Fri Feb 15 17:52:32 CET 2019
Hi,
So I got everything working and am able to run TLS on my Android phone, but
when I try through my iPhone or my MacBook I get an SSL error in the RADIUS debug output.
Amazingly, the same certificate works on my Android phone without any issues. Can
someone share what the issue could be?
A snippet of the error:
(140) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate
A
(140) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(140) eap_tls: ERROR: System call (I/O) error (-1)
(140) eap_tls: ERROR: TLS receive handshake failed during operation
(140) eap_tls: ERROR: [eaptls process] = fail
(140) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
Complete EAP debug from failed devices:
(156) Received Access-Request Id 238 from 103.46.239.184:36499 to
192.168.253.6:1812 length 226
(156) Service-Type = Framed-User
(156) Framed-MTU = 1400
(156) User-Name = "macbook"
(156) NAS-Port-Id = "wlan1"
(156) NAS-Port-Type = Wireless-802.11
(156) Acct-Session-Id = "8220002d"
(156) Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"
(156) Calling-Station-Id = "B8-C1-11-D1-4D-50"
(156) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"
(156) EAP-Message = 0x0200000c016d6163626f6f6b
(156) Message-Authenticator = 0x9b1b6d0c79559268e6cfb2a0cbe5240d
(156) NAS-Identifier = "MikroTik"
(156) NAS-IP-Address = 192.168.88.2
(156) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(156) authorize {
(156) policy filter_username {
(156) if (&User-Name) {
(156) if (&User-Name) -> TRUE
(156) if (&User-Name) {
(156) if (&User-Name =~ / /) {
(156) if (&User-Name =~ / /) -> FALSE
(156) if (&User-Name =~ /@[^@]*@/ ) {
(156) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(156) if (&User-Name =~ /\.\./ ) {
(156) if (&User-Name =~ /\.\./ ) -> FALSE
(156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(156) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(156) if (&User-Name =~ /\.$/) {
(156) if (&User-Name =~ /\.$/) -> FALSE
(156) if (&User-Name =~ /@\./) {
(156) if (&User-Name =~ /@\./) -> FALSE
(156) } # if (&User-Name) = notfound
(156) } # policy filter_username = notfound
(156) [preprocess] = ok
(156) eap: Peer sent EAP Response (code 2) ID 0 length 12
(156) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(156) [eap] = ok
(156) } # authorize = ok
(156) Found Auth-Type = eap
(156) # Executing group from file /etc/raddb/sites-enabled/default
(156) authenticate {
(156) eap: Peer sent packet with method EAP Identity (1)
(156) eap: Calling submodule eap_tls to process data
(156) eap_tls: Initiating new EAP-TLS session
(156) eap_tls: Setting verify mode to require certificate from client
(156) eap_tls: [eaptls start] = request
(156) eap: Sending EAP Request (code 1) ID 1 length 6
(156) eap: EAP session adding &reply:State = 0xccf8f142ccf9fce7
(156) [eap] = handled
(156) } # authenticate = handled
(156) Using Post-Auth-Type Challenge
(156) # Executing group from file /etc/raddb/sites-enabled/default
(156) Challenge { ... } # empty sub-section is ignored
(156) Sent Access-Challenge Id 238 from 192.168.253.6:1812 to
103.46.239.184:36499 length 0
(156) EAP-Message = 0x010100060d20
(156) Message-Authenticator = 0x00000000000000000000000000000000
(156) State = 0xccf8f142ccf9fce75307e48862cef384
(156) Finished request
Waking up in 4.9 seconds.
(157) Received Access-Request Id 239 from 103.46.239.184:40285 to
192.168.253.6:1812 length 393
(157) Service-Type = Framed-User
(157) Framed-MTU = 1400
(157) User-Name = "macbook"
(157) State = 0xccf8f142ccf9fce75307e48862cef384
(157) NAS-Port-Id = "wlan1"
(157) NAS-Port-Type = Wireless-802.11
(157) Acct-Session-Id = "8220002d"
(157) Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"
(157) Calling-Station-Id = "B8-C1-11-D1-4D-50"
(157) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"
(157) EAP-Message =
0x020100a10d800000009716030300920100008e03035c66eda3b9189d8cb5e4f5d1b7da29789b4f95dc78ef817aeb5462abc249b93100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00
(157) Message-Authenticator = 0xf775fc6bc1a0190eb8997ecbcbb51f4f
(157) NAS-Identifier = "MikroTik"
(157) NAS-IP-Address = 192.168.88.2
(157) session-state: No cached attributes
(157) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(157) authorize {
(157) policy filter_username {
(157) if (&User-Name) {
(157) if (&User-Name) -> TRUE
(157) if (&User-Name) {
(157) if (&User-Name =~ / /) {
(157) if (&User-Name =~ / /) -> FALSE
(157) if (&User-Name =~ /@[^@]*@/ ) {
(157) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(157) if (&User-Name =~ /\.\./ ) {
(157) if (&User-Name =~ /\.\./ ) -> FALSE
(157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(157) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(157) if (&User-Name =~ /\.$/) {
(157) if (&User-Name =~ /\.$/) -> FALSE
(157) if (&User-Name =~ /@\./) {
(157) if (&User-Name =~ /@\./) -> FALSE
(157) } # if (&User-Name) = notfound
(157) } # policy filter_username = notfound
(157) [preprocess] = ok
(157) eap: Peer sent EAP Response (code 2) ID 1 length 161
(157) eap: No EAP Start, assuming it's an on-going EAP conversation
(157) [eap] = updated
(157) sql: EXPAND %{User-Name}
(157) sql: --> macbook
(157) sql: SQL-User-Name set to 'macbook'
rlm_sql (sql): Reserved connection (60)
(157) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(157) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id
(157) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id
(157) sql: User found in radcheck table
(157) sql: Conditional check items matched, merging assignment check items
(157) sql: Auth-Type := eap
(157) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(157) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id
(157) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id
(157) sql: WARNING: Cannot do check groups when group_membership_query is
not set
rlm_sql (sql): Released connection (60)
Need 7 more connections to reach 10 spares
rlm_sql (sql): Opening additional connection (63), 1 of 29 pending slots
used
rlm_sql_mysql: Starting connect to MySQL server
rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.6.43, protocol version 10
(157) [sql] = ok
(157) if (notfound) {
(157) if (notfound) -> FALSE
(157) [expiration] = noop
(157) [logintime] = noop
(157) [pap] = noop
(157) } # authorize = updated
(157) Found Auth-Type = eap
(157) # Executing group from file /etc/raddb/sites-enabled/default
(157) authenticate {
(157) eap: Expiring EAP session with state 0xccf8f142ccf9fce7
(157) eap: Finished EAP session with state 0xccf8f142ccf9fce7
(157) eap: Previous EAP request found for state 0xccf8f142ccf9fce7,
released from the list
(157) eap: Peer sent packet with method EAP TLS (13)
(157) eap: Calling submodule eap_tls to process data
(157) eap_tls: Continuing EAP-TLS
(157) eap_tls: Peer indicated complete TLS record size will be 151 bytes
(157) eap_tls: Got complete TLS record (151 bytes)
(157) eap_tls: [eaptls verify] = length included
(157) eap_tls: (other): before/accept initialization
(157) eap_tls: TLS_accept: before/accept initialization
(157) eap_tls: <<< recv TLS 1.2 [length 0092]
(157) eap_tls: TLS_accept: SSLv3 read client hello A
(157) eap_tls: >>> send TLS 1.2 [length 0039]
(157) eap_tls: TLS_accept: SSLv3 write server hello A
(157) eap_tls: >>> send TLS 1.2 [length 06ee]
(157) eap_tls: TLS_accept: SSLv3 write certificate A
(157) eap_tls: >>> send TLS 1.2 [length 00cd]
(157) eap_tls: TLS_accept: SSLv3 write key exchange A
(157) eap_tls: >>> send TLS 1.2 [length 00a5]
(157) eap_tls: TLS_accept: SSLv3 write certificate request A
(157) eap_tls: TLS_accept: SSLv3 flush data
(157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A
(157) eap_tls: In SSL Handshake Phase
(157) eap_tls: In SSL Accept mode
(157) eap_tls: [eaptls process] = handled
(157) eap: Sending EAP Request (code 1) ID 2 length 1024
(157) eap: EAP session adding &reply:State = 0xccf8f142cdfafce7
(157) [eap] = handled
(157) } # authenticate = handled
(157) Using Post-Auth-Type Challenge
(157) # Executing group from file /etc/raddb/sites-enabled/default
(157) Challenge { ... } # empty sub-section is ignored
(157) Sent Access-Challenge Id 239 from 192.168.253.6:1812 to
103.46.239.184:40285 length 0
(157) EAP-Message =
0x010204000dc0000008ad160303003902000035030368fd206e3ef60d7fd094ee6184fa23ad9edd6bc23b529f88b11669a0e088a95700c03000000dff01000100000b00040300010216030306ee0b0006ea0006e70003a03082039c30820305a003020102020101300d06092a864886f70d010105050030
(157) Message-Authenticator = 0x00000000000000000000000000000000
(157) State = 0xccf8f142cdfafce75307e48862cef384
(157) Finished request
Waking up in 4.9 seconds.
(158) Received Access-Request Id 240 from 103.46.239.184:53647 to
192.168.253.6:1812 length 238
(158) Service-Type = Framed-User
(158) Framed-MTU = 1400
(158) User-Name = "macbook"
(158) State = 0xccf8f142cdfafce75307e48862cef384
(158) NAS-Port-Id = "wlan1"
(158) NAS-Port-Type = Wireless-802.11
(158) Acct-Session-Id = "8220002d"
(158) Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"
(158) Calling-Station-Id = "B8-C1-11-D1-4D-50"
(158) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"
(158) EAP-Message = 0x020200060d00
(158) Message-Authenticator = 0xb397d9cf688e3c16bfacd51e63ee0677
(158) NAS-Identifier = "MikroTik"
(158) NAS-IP-Address = 192.168.88.2
(158) session-state: No cached attributes
(158) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(158) authorize {
(158) policy filter_username {
(158) if (&User-Name) {
(158) if (&User-Name) -> TRUE
(158) if (&User-Name) {
(158) if (&User-Name =~ / /) {
(158) if (&User-Name =~ / /) -> FALSE
(158) if (&User-Name =~ /@[^@]*@/ ) {
(158) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(158) if (&User-Name =~ /\.\./ ) {
(158) if (&User-Name =~ /\.\./ ) -> FALSE
(158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(158) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(158) if (&User-Name =~ /\.$/) {
(158) if (&User-Name =~ /\.$/) -> FALSE
(158) if (&User-Name =~ /@\./) {
(158) if (&User-Name =~ /@\./) -> FALSE
(158) } # if (&User-Name) = notfound
(158) } # policy filter_username = notfound
(158) [preprocess] = ok
(158) eap: Peer sent EAP Response (code 2) ID 2 length 6
(158) eap: No EAP Start, assuming it's an on-going EAP conversation
(158) [eap] = updated
(158) sql: EXPAND %{User-Name}
(158) sql: --> macbook
(158) sql: SQL-User-Name set to 'macbook'
rlm_sql (sql): Reserved connection (62)
(158) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(158) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id
(158) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id
(158) sql: User found in radcheck table
(158) sql: Conditional check items matched, merging assignment check items
(158) sql: Auth-Type := eap
(158) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(158) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id
(158) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id
(158) sql: WARNING: Cannot do check groups when group_membership_query is
not set
rlm_sql (sql): Released connection (62)
(158) [sql] = ok
(158) if (notfound) {
(158) if (notfound) -> FALSE
(158) [expiration] = noop
(158) [logintime] = noop
(158) [pap] = noop
(158) } # authorize = updated
(158) Found Auth-Type = eap
(158) # Executing group from file /etc/raddb/sites-enabled/default
(158) authenticate {
(158) eap: Expiring EAP session with state 0xccf8f142cdfafce7
(158) eap: Finished EAP session with state 0xccf8f142cdfafce7
(158) eap: Previous EAP request found for state 0xccf8f142cdfafce7,
released from the list
(158) eap: Peer sent packet with method EAP TLS (13)
(158) eap: Calling submodule eap_tls to process data
(158) eap_tls: Continuing EAP-TLS
(158) eap_tls: Peer ACKed our handshake fragment
(158) eap_tls: [eaptls verify] = request
(158) eap_tls: [eaptls process] = handled
(158) eap: Sending EAP Request (code 1) ID 3 length 1024
(158) eap: EAP session adding &reply:State = 0xccf8f142cefbfce7
(158) [eap] = handled
(158) } # authenticate = handled
(158) Using Post-Auth-Type Challenge
(158) # Executing group from file /etc/raddb/sites-enabled/default
(158) Challenge { ... } # empty sub-section is ignored
(158) Sent Access-Challenge Id 240 from 192.168.253.6:1812 to
103.46.239.184:53647 length 0
(158) EAP-Message =
0x010304000dc0000008ad02a6a003020102020900b184f1d60648f80a300d06092a864886f70d01010b05003073310b300906035504061302494e310b3009060355040813024445310e300c0603550407130544656c6869310f300d060355040a130653686f757574311230100603550403130953686f75
(158) Message-Authenticator = 0x00000000000000000000000000000000
(158) State = 0xccf8f142cefbfce75307e48862cef384
(158) Finished request
Waking up in 4.8 seconds.
(159) Received Access-Request Id 241 from 103.46.239.184:58701 to
192.168.253.6:1812 length 238
(159) Service-Type = Framed-User
(159) Framed-MTU = 1400
(159) User-Name = "macbook"
(159) State = 0xccf8f142cefbfce75307e48862cef384
(159) NAS-Port-Id = "wlan1"
(159) NAS-Port-Type = Wireless-802.11
(159) Acct-Session-Id = "8220002d"
(159) Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"
(159) Calling-Station-Id = "B8-C1-11-D1-4D-50"
(159) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"
(159) EAP-Message = 0x020300060d00
(159) Message-Authenticator = 0x599b7d41483b5ff646d709190859ad41
(159) NAS-Identifier = "MikroTik"
(159) NAS-IP-Address = 192.168.88.2
(159) session-state: No cached attributes
(159) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(159) authorize {
(159) policy filter_username {
(159) if (&User-Name) {
(159) if (&User-Name) -> TRUE
(159) if (&User-Name) {
(159) if (&User-Name =~ / /) {
(159) if (&User-Name =~ / /) -> FALSE
(159) if (&User-Name =~ /@[^@]*@/ ) {
(159) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(159) if (&User-Name =~ /\.\./ ) {
(159) if (&User-Name =~ /\.\./ ) -> FALSE
(159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(159) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(159) if (&User-Name =~ /\.$/) {
(159) if (&User-Name =~ /\.$/) -> FALSE
(159) if (&User-Name =~ /@\./) {
(159) if (&User-Name =~ /@\./) -> FALSE
(159) } # if (&User-Name) = notfound
(159) } # policy filter_username = notfound
(159) [preprocess] = ok
(159) eap: Peer sent EAP Response (code 2) ID 3 length 6
(159) eap: No EAP Start, assuming it's an on-going EAP conversation
(159) [eap] = updated
(159) sql: EXPAND %{User-Name}
(159) sql: --> macbook
(159) sql: SQL-User-Name set to 'macbook'
rlm_sql (sql): Reserved connection (61)
(159) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(159) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id
(159) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id
(159) sql: User found in radcheck table
(159) sql: Conditional check items matched, merging assignment check items
(159) sql: Auth-Type := eap
(159) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(159) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id
(159) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id
(159) sql: WARNING: Cannot do check groups when group_membership_query is
not set
rlm_sql (sql): Released connection (61)
(159) [sql] = ok
(159) if (notfound) {
(159) if (notfound) -> FALSE
(159) [expiration] = noop
(159) [logintime] = noop
(159) [pap] = noop
(159) } # authorize = updated
(159) Found Auth-Type = eap
(159) # Executing group from file /etc/raddb/sites-enabled/default
(159) authenticate {
(159) eap: Expiring EAP session with state 0xccf8f142cefbfce7
(159) eap: Finished EAP session with state 0xccf8f142cefbfce7
(159) eap: Previous EAP request found for state 0xccf8f142cefbfce7,
released from the list
(159) eap: Peer sent packet with method EAP TLS (13)
(159) eap: Calling submodule eap_tls to process data
(159) eap_tls: Continuing EAP-TLS
(159) eap_tls: Peer ACKed our handshake fragment
(159) eap_tls: [eaptls verify] = request
(159) eap_tls: [eaptls process] = handled
(159) eap: Sending EAP Request (code 1) ID 4 length 203
(159) eap: EAP session adding &reply:State = 0xccf8f142cffcfce7
(159) [eap] = handled
(159) } # authenticate = handled
(159) Using Post-Auth-Type Challenge
(159) # Executing group from file /etc/raddb/sites-enabled/default
(159) Challenge { ... } # empty sub-section is ignored
(159) Sent Access-Challenge Id 241 from 192.168.253.6:1812 to
103.46.239.184:58701 length 0
(159) EAP-Message =
0x010400cb0d80000008ad24a53a7915db5dc8993989d24c02cfa39af20337cc762c16030300a50d00009d03010240001e060106020603050105020503040104020403030103020303020102020203007700753073310b300906035504061302494e310b3009060355040813024445310e300c0603550407
(159) Message-Authenticator = 0x00000000000000000000000000000000
(159) State = 0xccf8f142cffcfce75307e48862cef384
(159) Finished request
Waking up in 4.8 seconds.
(160) Received Access-Request Id 242 from 103.46.239.184:59711 to
192.168.253.6:1812 length 249
(160) Service-Type = Framed-User
(160) Framed-MTU = 1400
(160) User-Name = "macbook"
(160) State = 0xccf8f142cffcfce75307e48862cef384
(160) NAS-Port-Id = "wlan1"
(160) NAS-Port-Type = Wireless-802.11
(160) Acct-Session-Id = "8220002d"
(160) Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"
(160) Calling-Station-Id = "B8-C1-11-D1-4D-50"
(160) Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"
(160) EAP-Message = 0x020400110d800000000715030300020100
(160) Message-Authenticator = 0x0dd503fd540264a4baa68f7135caa25d
(160) NAS-Identifier = "MikroTik"
(160) NAS-IP-Address = 192.168.88.2
(160) session-state: No cached attributes
(160) # Executing section authorize from file
/etc/raddb/sites-enabled/default
(160) authorize {
(160) policy filter_username {
(160) if (&User-Name) {
(160) if (&User-Name) -> TRUE
(160) if (&User-Name) {
(160) if (&User-Name =~ / /) {
(160) if (&User-Name =~ / /) -> FALSE
(160) if (&User-Name =~ /@[^@]*@/ ) {
(160) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(160) if (&User-Name =~ /\.\./ ) {
(160) if (&User-Name =~ /\.\./ ) -> FALSE
(160) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(160) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(160) if (&User-Name =~ /\.$/) {
(160) if (&User-Name =~ /\.$/) -> FALSE
(160) if (&User-Name =~ /@\./) {
(160) if (&User-Name =~ /@\./) -> FALSE
(160) } # if (&User-Name) = notfound
(160) } # policy filter_username = notfound
(160) [preprocess] = ok
(160) eap: Peer sent EAP Response (code 2) ID 4 length 17
(160) eap: No EAP Start, assuming it's an on-going EAP conversation
(160) [eap] = updated
(160) sql: EXPAND %{User-Name}
(160) sql: --> macbook
(160) sql: SQL-User-Name set to 'macbook'
rlm_sql (sql): Reserved connection (60)
(160) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(160) sql: --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id
(160) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id
(160) sql: User found in radcheck table
(160) sql: Conditional check items matched, merging assignment check items
(160) sql: Auth-Type := eap
(160) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id
(160) sql: --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id
(160) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id
(160) sql: WARNING: Cannot do check groups when group_membership_query is
not set
rlm_sql (sql): Released connection (60)
(160) [sql] = ok
(160) if (notfound) {
(160) if (notfound) -> FALSE
(160) [expiration] = noop
(160) [logintime] = noop
(160) [pap] = noop
(160) } # authorize = updated
(160) Found Auth-Type = eap
(160) # Executing group from file /etc/raddb/sites-enabled/default
(160) authenticate {
(160) eap: Expiring EAP session with state 0xccf8f142cffcfce7
(160) eap: Finished EAP session with state 0xccf8f142cffcfce7
(160) eap: Previous EAP request found for state 0xccf8f142cffcfce7,
released from the list
(160) eap: Peer sent packet with method EAP TLS (13)
(160) eap: Calling submodule eap_tls to process data
(160) eap_tls: Continuing EAP-TLS
(160) eap_tls: Peer indicated complete TLS record size will be 7 bytes
(160) eap_tls: Got complete TLS record (7 bytes)
(160) eap_tls: [eaptls verify] = length included
(160) eap_tls: <<< recv TLS 1.2 [length 0002]
(160) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate
A
(160) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read):
error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(160) eap_tls: ERROR: System call (I/O) error (-1)
(160) eap_tls: ERROR: TLS receive handshake failed during operation
(160) eap_tls: ERROR: [eaptls process] = fail
(160) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module
failed
(160) eap: Sending EAP Failure (code 4) ID 4 length 4
(160) eap: Failed in EAP select
(160) [eap] = invalid
(160) } # authenticate = invalid
(160) Failed to authenticate the user
(160) Using Post-Auth-Type Reject
(160) # Executing group from file /etc/raddb/sites-enabled/default
(160) Post-Auth-Type REJECT {
(160) sql: EXPAND .query
(160) sql: --> .query
(160) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (63)
(160) sql: EXPAND %{User-Name}
(160) sql: --> macbook
(160) sql: SQL-User-Name set to 'macbook'
(160) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')
(160) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15 22:36:48.754856')
(160) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15
22:36:48.754856')
(160) sql: SQL query returned: success
(160) sql: 1 record(s) updated
rlm_sql (sql): Released connection (63)
(160) [sql] = ok
(160) attr_filter.access_reject: EXPAND %{User-Name}
(160) attr_filter.access_reject: --> macbook
(160) attr_filter.access_reject: Matched entry DEFAULT at line 11
(160) [attr_filter.access_reject] = updated
(160) [eap] = noop
(160) policy remove_reply_message_if_eap {
(160) if (&reply:EAP-Message && &reply:Reply-Message) {
(160) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(160) else {
(160) [noop] = noop
(160) } # else = noop
(160) } # policy remove_reply_message_if_eap = noop
(160) } # Post-Auth-Type REJECT = updated
(160) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(160) Sending delayed response
(160) Sent Access-Reject Id 242 from 192.168.253.6:1812 to
103.46.239.184:59711 length 44
(160) EAP-Message = 0x04040004
(160) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.8 seconds.
(156) Cleaning up request packet ID 238 with timestamp +5619
(157) Cleaning up request packet ID 239 with timestamp +5619
(158) Cleaning up request packet ID 240 with timestamp +5619
(159) Cleaning up request packet ID 241 with timestamp +5619
(160) Cleaning up request packet ID 242 with timestamp +5619
Ready to process requests
Cheers
MK Singh
+91-9910416231
www.shouut.com
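Decoding the EAP-Message values from the debug above (added example, not code from the original post or from FreeRADIUS; the alert, handshake and flag mappings follow RFC 5246 and RFC 5216): the last message the MacBook sent, in request (160), carries a TLS 1.2 warning/close_notify alert at the point where the server was waiting for the client certificate, so it was the client that ended the handshake rather than presenting a certificate.

```python
"""Decode EAP-Message values from a FreeRADIUS eap_tls debug log. Added example,
not code from the original post or FreeRADIUS: EAP header, EAP-TLS flags, TLS record."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY, EAP_TYPE_TLS = 1, 13
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
               46: "certificate_unknown", 48: "unknown_ca", 51: "decrypt_error"}
HANDSHAKES = {1: "client_hello", 2: "server_hello", 11: "certificate",
              12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done"}


def decode_tls_record(rec):
    """Describe the TLS record starting at rec[0]; a continuation fragment has no header."""
    if len(rec) < 5 or rec[0] not in TLS_CONTENT:
        return {"note": "no record header here (mid-stream continuation fragment?)"}
    ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
    out = {"content_type": TLS_CONTENT[ctype],
           "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"), "length": rlen}
    body = rec[5:5 + rlen]
    if ctype == 21 and len(body) >= 2:      # alert: level byte, then description byte
        out["alert"] = {"level": ALERT_LEVELS.get(body[0], body[0]),
                        "description": ALERT_DESCS.get(body[1], body[1])}
    elif ctype == 22 and body:              # handshake: first byte is the message type
        out["handshake"] = HANDSHAKES.get(body[0], body[0])
    return out


def decode_eap_message(hexstr):
    """Parse one logged EAP-Message value ('0x' prefix allowed) into a dict."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(data) < length}  # the debug log wraps long values
    if code in (3, 4) or len(data) < 5:      # Success/Failure carry no type byte
        return out
    if data[4] == EAP_TYPE_IDENTITY:
        out["identity"] = data[5:].decode("ascii", "replace")
    elif data[4] == EAP_TYPE_TLS and len(data) >= 6:
        flags = data[5]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        pos = 10 if flags & 0x80 else 6      # L: a 4-byte TLS message length follows
        if flags & 0x80 and len(data) >= 10:
            out["tls_total_length"] = struct.unpack("!I", data[6:10])[0]
        if len(data) > pos:
            out["tls_record"] = decode_tls_record(data[pos:])
    return out


def summarize(hexstr):
    """One-line reading of an EAP-Message, handy for annotating the debug output."""
    m = decode_eap_message(hexstr)
    line = f"EAP {m['code']} id={m['id']} len={m['length']}"
    if "identity" in m:
        return f"{line} Identity '{m['identity']}'"
    if "flags" in m:
        line += " EAP-TLS flags=" + ("".join(k for k, v in m["flags"].items() if v) or "none")
    rec = m.get("tls_record", {})
    if "alert" in rec:
        line += f" {rec['version']} alert {rec['alert']['level']}/{rec['alert']['description']}"
    elif "handshake" in rec:
        line += f" {rec['version']} handshake {rec['handshake']}"
    return line


if __name__ == "__main__":
    # Values copied from the debug output above, in the order they were logged.
    for hexstr in ("0x0200000c016d6163626f6f6b", "0x010100060d20", "0x020200060d00",
                   "0x020400110d800000000715030300020100", "0x04040004"):
        print(summarize(hexstr))
```

The record header is only meaningful on the first fragment of a TLS message; the long Access-Challenge values in the log are wrapped and truncated, which the decoder reports as truncated rather than misreading.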