iOS SSL issue

Mankomal Singh mankomal at shouut.com
Fri Feb 15 17:52:32 CET 2019


Hi,

So I got everything working and am able to run TLS on my Android phone, but
when I try through my iPhone or my MacBook I get an SSL error in the RADIUS debug output.
Amazingly, the same certificate works on my Android phone without any issues. Can
someone share what the issue could be?

A snippet of the error:

(140) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A

(140) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

(140) eap_tls: ERROR: System call (I/O) error (-1)

(140) eap_tls: ERROR: TLS receive handshake failed during operation

(140) eap_tls: ERROR: [eaptls process] = fail

(140) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

Complete EAP debug from the failing device:

(156) Received Access-Request Id 238 from 103.46.239.184:36499 to
192.168.253.6:1812 length 226

(156)   Service-Type = Framed-User

(156)   Framed-MTU = 1400

(156)   User-Name = "macbook"

(156)   NAS-Port-Id = "wlan1"

(156)   NAS-Port-Type = Wireless-802.11

(156)   Acct-Session-Id = "8220002d"

(156)   Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"

(156)   Calling-Station-Id = "B8-C1-11-D1-4D-50"

(156)   Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"

(156)   EAP-Message = 0x0200000c016d6163626f6f6b

(156)   Message-Authenticator = 0x9b1b6d0c79559268e6cfb2a0cbe5240d

(156)   NAS-Identifier = "MikroTik"

(156)   NAS-IP-Address = 192.168.88.2

(156) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(156)   authorize {

(156)     policy filter_username {

(156)       if (&User-Name) {

(156)       if (&User-Name)  -> TRUE

(156)       if (&User-Name)  {

(156)         if (&User-Name =~ / /) {

(156)         if (&User-Name =~ / /)  -> FALSE

(156)         if (&User-Name =~ /@[^@]*@/ ) {

(156)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(156)         if (&User-Name =~ /\.\./ ) {

(156)         if (&User-Name =~ /\.\./ )  -> FALSE

(156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(156)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(156)         if (&User-Name =~ /\.$/)  {

(156)         if (&User-Name =~ /\.$/)   -> FALSE

(156)         if (&User-Name =~ /@\./)  {

(156)         if (&User-Name =~ /@\./)   -> FALSE

(156)       } # if (&User-Name)  = notfound

(156)     } # policy filter_username = notfound

(156)     [preprocess] = ok

(156) eap: Peer sent EAP Response (code 2) ID 0 length 12

(156) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize

(156)     [eap] = ok

(156)   } # authorize = ok

(156) Found Auth-Type = eap

(156) # Executing group from file /etc/raddb/sites-enabled/default

(156)   authenticate {

(156) eap: Peer sent packet with method EAP Identity (1)

(156) eap: Calling submodule eap_tls to process data

(156) eap_tls: Initiating new EAP-TLS session

(156) eap_tls: Setting verify mode to require certificate from client

(156) eap_tls: [eaptls start] = request

(156) eap: Sending EAP Request (code 1) ID 1 length 6

(156) eap: EAP session adding &reply:State = 0xccf8f142ccf9fce7

(156)     [eap] = handled

(156)   } # authenticate = handled

(156) Using Post-Auth-Type Challenge

(156) # Executing group from file /etc/raddb/sites-enabled/default

(156)   Challenge { ... } # empty sub-section is ignored

(156) Sent Access-Challenge Id 238 from 192.168.253.6:1812 to
103.46.239.184:36499 length 0

(156)   EAP-Message = 0x010100060d20

(156)   Message-Authenticator = 0x00000000000000000000000000000000

(156)   State = 0xccf8f142ccf9fce75307e48862cef384

(156) Finished request

Waking up in 4.9 seconds.

(157) Received Access-Request Id 239 from 103.46.239.184:40285 to
192.168.253.6:1812 length 393

(157)   Service-Type = Framed-User

(157)   Framed-MTU = 1400

(157)   User-Name = "macbook"

(157)   State = 0xccf8f142ccf9fce75307e48862cef384

(157)   NAS-Port-Id = "wlan1"

(157)   NAS-Port-Type = Wireless-802.11

(157)   Acct-Session-Id = "8220002d"

(157)   Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"

(157)   Calling-Station-Id = "B8-C1-11-D1-4D-50"

(157)   Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"

(157)   EAP-Message =
0x020100a10d800000009716030300920100008e03035c66eda3b9189d8cb5e4f5d1b7da29789b4f95dc78ef817aeb5462abc249b93100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00

(157)   Message-Authenticator = 0xf775fc6bc1a0190eb8997ecbcbb51f4f

(157)   NAS-Identifier = "MikroTik"

(157)   NAS-IP-Address = 192.168.88.2

(157) session-state: No cached attributes

(157) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(157)   authorize {

(157)     policy filter_username {

(157)       if (&User-Name) {

(157)       if (&User-Name)  -> TRUE

(157)       if (&User-Name)  {

(157)         if (&User-Name =~ / /) {

(157)         if (&User-Name =~ / /)  -> FALSE

(157)         if (&User-Name =~ /@[^@]*@/ ) {

(157)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(157)         if (&User-Name =~ /\.\./ ) {

(157)         if (&User-Name =~ /\.\./ )  -> FALSE

(157)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(157)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(157)         if (&User-Name =~ /\.$/)  {

(157)         if (&User-Name =~ /\.$/)   -> FALSE

(157)         if (&User-Name =~ /@\./)  {

(157)         if (&User-Name =~ /@\./)   -> FALSE

(157)       } # if (&User-Name)  = notfound

(157)     } # policy filter_username = notfound

(157)     [preprocess] = ok

(157) eap: Peer sent EAP Response (code 2) ID 1 length 161

(157) eap: No EAP Start, assuming it's an on-going EAP conversation

(157)     [eap] = updated

(157) sql: EXPAND %{User-Name}

(157) sql:    --> macbook

(157) sql: SQL-User-Name set to 'macbook'

rlm_sql (sql): Reserved connection (60)

(157) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id

(157) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id

(157) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id

(157) sql: User found in radcheck table

(157) sql: Conditional check items matched, merging assignment check items

(157) sql:   Auth-Type := eap

(157) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id

(157) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id

(157) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id

(157) sql: WARNING: Cannot do check groups when group_membership_query is not set

rlm_sql (sql): Released connection (60)

Need 7 more connections to reach 10 spares

rlm_sql (sql): Opening additional connection (63), 1 of 29 pending slots used

rlm_sql_mysql: Starting connect to MySQL server

rlm_sql_mysql: Connected to database 'radius' on Localhost via UNIX socket,
server version 5.6.43, protocol version 10

(157)     [sql] = ok

(157)     if (notfound) {

(157)     if (notfound)  -> FALSE

(157)     [expiration] = noop

(157)     [logintime] = noop

(157)     [pap] = noop

(157)   } # authorize = updated

(157) Found Auth-Type = eap

(157) # Executing group from file /etc/raddb/sites-enabled/default

(157)   authenticate {

(157) eap: Expiring EAP session with state 0xccf8f142ccf9fce7

(157) eap: Finished EAP session with state 0xccf8f142ccf9fce7

(157) eap: Previous EAP request found for state 0xccf8f142ccf9fce7,
released from the list

(157) eap: Peer sent packet with method EAP TLS (13)

(157) eap: Calling submodule eap_tls to process data

(157) eap_tls: Continuing EAP-TLS

(157) eap_tls: Peer indicated complete TLS record size will be 151 bytes

(157) eap_tls: Got complete TLS record (151 bytes)

(157) eap_tls: [eaptls verify] = length included

(157) eap_tls: (other): before/accept initialization

(157) eap_tls: TLS_accept: before/accept initialization

(157) eap_tls: <<< recv TLS 1.2  [length 0092]

(157) eap_tls: TLS_accept: SSLv3 read client hello A

(157) eap_tls: >>> send TLS 1.2  [length 0039]

(157) eap_tls: TLS_accept: SSLv3 write server hello A

(157) eap_tls: >>> send TLS 1.2  [length 06ee]

(157) eap_tls: TLS_accept: SSLv3 write certificate A

(157) eap_tls: >>> send TLS 1.2  [length 00cd]

(157) eap_tls: TLS_accept: SSLv3 write key exchange A

(157) eap_tls: >>> send TLS 1.2  [length 00a5]

(157) eap_tls: TLS_accept: SSLv3 write certificate request A

(157) eap_tls: TLS_accept: SSLv3 flush data

(157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A

(157) eap_tls: TLS_accept: Need to read more data: SSLv3 read client
certificate A

(157) eap_tls: In SSL Handshake Phase

(157) eap_tls: In SSL Accept mode

(157) eap_tls: [eaptls process] = handled

(157) eap: Sending EAP Request (code 1) ID 2 length 1024

(157) eap: EAP session adding &reply:State = 0xccf8f142cdfafce7

(157)     [eap] = handled

(157)   } # authenticate = handled

(157) Using Post-Auth-Type Challenge

(157) # Executing group from file /etc/raddb/sites-enabled/default

(157)   Challenge { ... } # empty sub-section is ignored

(157) Sent Access-Challenge Id 239 from 192.168.253.6:1812 to
103.46.239.184:40285 length 0

(157)   EAP-Message =
0x010204000dc0000008ad160303003902000035030368fd206e3ef60d7fd094ee6184fa23ad9edd6bc23b529f88b11669a0e088a95700c03000000dff01000100000b00040300010216030306ee0b0006ea0006e70003a03082039c30820305a003020102020101300d06092a864886f70d010105050030

(157)   Message-Authenticator = 0x00000000000000000000000000000000

(157)   State = 0xccf8f142cdfafce75307e48862cef384

(157) Finished request

Waking up in 4.9 seconds.

(158) Received Access-Request Id 240 from 103.46.239.184:53647 to
192.168.253.6:1812 length 238

(158)   Service-Type = Framed-User

(158)   Framed-MTU = 1400

(158)   User-Name = "macbook"

(158)   State = 0xccf8f142cdfafce75307e48862cef384

(158)   NAS-Port-Id = "wlan1"

(158)   NAS-Port-Type = Wireless-802.11

(158)   Acct-Session-Id = "8220002d"

(158)   Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"

(158)   Calling-Station-Id = "B8-C1-11-D1-4D-50"

(158)   Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"

(158)   EAP-Message = 0x020200060d00

(158)   Message-Authenticator = 0xb397d9cf688e3c16bfacd51e63ee0677

(158)   NAS-Identifier = "MikroTik"

(158)   NAS-IP-Address = 192.168.88.2

(158) session-state: No cached attributes

(158) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(158)   authorize {

(158)     policy filter_username {

(158)       if (&User-Name) {

(158)       if (&User-Name)  -> TRUE

(158)       if (&User-Name)  {

(158)         if (&User-Name =~ / /) {

(158)         if (&User-Name =~ / /)  -> FALSE

(158)         if (&User-Name =~ /@[^@]*@/ ) {

(158)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(158)         if (&User-Name =~ /\.\./ ) {

(158)         if (&User-Name =~ /\.\./ )  -> FALSE

(158)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(158)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(158)         if (&User-Name =~ /\.$/)  {

(158)         if (&User-Name =~ /\.$/)   -> FALSE

(158)         if (&User-Name =~ /@\./)  {

(158)         if (&User-Name =~ /@\./)   -> FALSE

(158)       } # if (&User-Name)  = notfound

(158)     } # policy filter_username = notfound

(158)     [preprocess] = ok

(158) eap: Peer sent EAP Response (code 2) ID 2 length 6

(158) eap: No EAP Start, assuming it's an on-going EAP conversation

(158)     [eap] = updated

(158) sql: EXPAND %{User-Name}

(158) sql:    --> macbook

(158) sql: SQL-User-Name set to 'macbook'

rlm_sql (sql): Reserved connection (62)

(158) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id

(158) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id

(158) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id

(158) sql: User found in radcheck table

(158) sql: Conditional check items matched, merging assignment check items

(158) sql:   Auth-Type := eap

(158) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id

(158) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id

(158) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id

(158) sql: WARNING: Cannot do check groups when group_membership_query is not set

rlm_sql (sql): Released connection (62)

(158)     [sql] = ok

(158)     if (notfound) {

(158)     if (notfound)  -> FALSE

(158)     [expiration] = noop

(158)     [logintime] = noop

(158)     [pap] = noop

(158)   } # authorize = updated

(158) Found Auth-Type = eap

(158) # Executing group from file /etc/raddb/sites-enabled/default

(158)   authenticate {

(158) eap: Expiring EAP session with state 0xccf8f142cdfafce7

(158) eap: Finished EAP session with state 0xccf8f142cdfafce7

(158) eap: Previous EAP request found for state 0xccf8f142cdfafce7,
released from the list

(158) eap: Peer sent packet with method EAP TLS (13)

(158) eap: Calling submodule eap_tls to process data

(158) eap_tls: Continuing EAP-TLS

(158) eap_tls: Peer ACKed our handshake fragment

(158) eap_tls: [eaptls verify] = request

(158) eap_tls: [eaptls process] = handled

(158) eap: Sending EAP Request (code 1) ID 3 length 1024

(158) eap: EAP session adding &reply:State = 0xccf8f142cefbfce7

(158)     [eap] = handled

(158)   } # authenticate = handled

(158) Using Post-Auth-Type Challenge

(158) # Executing group from file /etc/raddb/sites-enabled/default

(158)   Challenge { ... } # empty sub-section is ignored

(158) Sent Access-Challenge Id 240 from 192.168.253.6:1812 to
103.46.239.184:53647 length 0

(158)   EAP-Message =
0x010304000dc0000008ad02a6a003020102020900b184f1d60648f80a300d06092a864886f70d01010b05003073310b300906035504061302494e310b3009060355040813024445310e300c0603550407130544656c6869310f300d060355040a130653686f757574311230100603550403130953686f75

(158)   Message-Authenticator = 0x00000000000000000000000000000000

(158)   State = 0xccf8f142cefbfce75307e48862cef384

(158) Finished request

Waking up in 4.8 seconds.

(159) Received Access-Request Id 241 from 103.46.239.184:58701 to
192.168.253.6:1812 length 238

(159)   Service-Type = Framed-User

(159)   Framed-MTU = 1400

(159)   User-Name = "macbook"

(159)   State = 0xccf8f142cefbfce75307e48862cef384

(159)   NAS-Port-Id = "wlan1"

(159)   NAS-Port-Type = Wireless-802.11

(159)   Acct-Session-Id = "8220002d"

(159)   Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"

(159)   Calling-Station-Id = "B8-C1-11-D1-4D-50"

(159)   Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"

(159)   EAP-Message = 0x020300060d00

(159)   Message-Authenticator = 0x599b7d41483b5ff646d709190859ad41

(159)   NAS-Identifier = "MikroTik"

(159)   NAS-IP-Address = 192.168.88.2

(159) session-state: No cached attributes

(159) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(159)   authorize {

(159)     policy filter_username {

(159)       if (&User-Name) {

(159)       if (&User-Name)  -> TRUE

(159)       if (&User-Name)  {

(159)         if (&User-Name =~ / /) {

(159)         if (&User-Name =~ / /)  -> FALSE

(159)         if (&User-Name =~ /@[^@]*@/ ) {

(159)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(159)         if (&User-Name =~ /\.\./ ) {

(159)         if (&User-Name =~ /\.\./ )  -> FALSE

(159)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(159)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(159)         if (&User-Name =~ /\.$/)  {

(159)         if (&User-Name =~ /\.$/)   -> FALSE

(159)         if (&User-Name =~ /@\./)  {

(159)         if (&User-Name =~ /@\./)   -> FALSE

(159)       } # if (&User-Name)  = notfound

(159)     } # policy filter_username = notfound

(159)     [preprocess] = ok

(159) eap: Peer sent EAP Response (code 2) ID 3 length 6

(159) eap: No EAP Start, assuming it's an on-going EAP conversation

(159)     [eap] = updated

(159) sql: EXPAND %{User-Name}

(159) sql:    --> macbook

(159) sql: SQL-User-Name set to 'macbook'

rlm_sql (sql): Reserved connection (61)

(159) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id

(159) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id

(159) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id

(159) sql: User found in radcheck table

(159) sql: Conditional check items matched, merging assignment check items

(159) sql:   Auth-Type := eap

(159) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id

(159) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id

(159) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id

(159) sql: WARNING: Cannot do check groups when group_membership_query is not set

rlm_sql (sql): Released connection (61)

(159)     [sql] = ok

(159)     if (notfound) {

(159)     if (notfound)  -> FALSE

(159)     [expiration] = noop

(159)     [logintime] = noop

(159)     [pap] = noop

(159)   } # authorize = updated

(159) Found Auth-Type = eap

(159) # Executing group from file /etc/raddb/sites-enabled/default

(159)   authenticate {

(159) eap: Expiring EAP session with state 0xccf8f142cefbfce7

(159) eap: Finished EAP session with state 0xccf8f142cefbfce7

(159) eap: Previous EAP request found for state 0xccf8f142cefbfce7,
released from the list

(159) eap: Peer sent packet with method EAP TLS (13)

(159) eap: Calling submodule eap_tls to process data

(159) eap_tls: Continuing EAP-TLS

(159) eap_tls: Peer ACKed our handshake fragment

(159) eap_tls: [eaptls verify] = request

(159) eap_tls: [eaptls process] = handled

(159) eap: Sending EAP Request (code 1) ID 4 length 203

(159) eap: EAP session adding &reply:State = 0xccf8f142cffcfce7

(159)     [eap] = handled

(159)   } # authenticate = handled

(159) Using Post-Auth-Type Challenge

(159) # Executing group from file /etc/raddb/sites-enabled/default

(159)   Challenge { ... } # empty sub-section is ignored

(159) Sent Access-Challenge Id 241 from 192.168.253.6:1812 to
103.46.239.184:58701 length 0

(159)   EAP-Message =
0x010400cb0d80000008ad24a53a7915db5dc8993989d24c02cfa39af20337cc762c16030300a50d00009d03010240001e060106020603050105020503040104020403030103020303020102020203007700753073310b300906035504061302494e310b3009060355040813024445310e300c0603550407

(159)   Message-Authenticator = 0x00000000000000000000000000000000

(159)   State = 0xccf8f142cffcfce75307e48862cef384

(159) Finished request

Waking up in 4.8 seconds.

(160) Received Access-Request Id 242 from 103.46.239.184:59711 to
192.168.253.6:1812 length 249

(160)   Service-Type = Framed-User

(160)   Framed-MTU = 1400

(160)   User-Name = "macbook"

(160)   State = 0xccf8f142cffcfce75307e48862cef384

(160)   NAS-Port-Id = "wlan1"

(160)   NAS-Port-Type = Wireless-802.11

(160)   Acct-Session-Id = "8220002d"

(160)   Acct-Multi-Session-Id =
"CC-2D-E0-39-24-A6-B8-C1-11-D1-4D-50-82-20-00-00-00-00-00-2D"

(160)   Calling-Station-Id = "B8-C1-11-D1-4D-50"

(160)   Called-Station-Id = "CC-2D-E0-39-24-A6:THIS IS A TEST"

(160)   EAP-Message = 0x020400110d800000000715030300020100

(160)   Message-Authenticator = 0x0dd503fd540264a4baa68f7135caa25d

(160)   NAS-Identifier = "MikroTik"

(160)   NAS-IP-Address = 192.168.88.2

(160) session-state: No cached attributes

(160) # Executing section authorize from file
/etc/raddb/sites-enabled/default

(160)   authorize {

(160)     policy filter_username {

(160)       if (&User-Name) {

(160)       if (&User-Name)  -> TRUE

(160)       if (&User-Name)  {

(160)         if (&User-Name =~ / /) {

(160)         if (&User-Name =~ / /)  -> FALSE

(160)         if (&User-Name =~ /@[^@]*@/ ) {

(160)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(160)         if (&User-Name =~ /\.\./ ) {

(160)         if (&User-Name =~ /\.\./ )  -> FALSE

(160)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(160)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE

(160)         if (&User-Name =~ /\.$/)  {

(160)         if (&User-Name =~ /\.$/)   -> FALSE

(160)         if (&User-Name =~ /@\./)  {

(160)         if (&User-Name =~ /@\./)   -> FALSE

(160)       } # if (&User-Name)  = notfound

(160)     } # policy filter_username = notfound

(160)     [preprocess] = ok

(160) eap: Peer sent EAP Response (code 2) ID 4 length 17

(160) eap: No EAP Start, assuming it's an on-going EAP conversation

(160)     [eap] = updated

(160) sql: EXPAND %{User-Name}

(160) sql:    --> macbook

(160) sql: SQL-User-Name set to 'macbook'

rlm_sql (sql): Reserved connection (60)

(160) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id

(160) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = 'macbook' ORDER BY id

(160) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radcheck WHERE username = 'macbook' ORDER BY id

(160) sql: User found in radcheck table

(160) sql: Conditional check items matched, merging assignment check items

(160) sql:   Auth-Type := eap

(160) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply
WHERE username = '%{SQL-User-Name}' ORDER BY id

(160) sql:    --> SELECT id, username, attribute, value, op FROM radreply
WHERE username = 'macbook' ORDER BY id

(160) sql: Executing select query: SELECT id, username, attribute, value,
op FROM radreply WHERE username = 'macbook' ORDER BY id

(160) sql: WARNING: Cannot do check groups when group_membership_query is not set

rlm_sql (sql): Released connection (60)

(160)     [sql] = ok

(160)     if (notfound) {

(160)     if (notfound)  -> FALSE

(160)     [expiration] = noop

(160)     [logintime] = noop

(160)     [pap] = noop

(160)   } # authorize = updated

(160) Found Auth-Type = eap

(160) # Executing group from file /etc/raddb/sites-enabled/default

(160)   authenticate {

(160) eap: Expiring EAP session with state 0xccf8f142cffcfce7

(160) eap: Finished EAP session with state 0xccf8f142cffcfce7

(160) eap: Previous EAP request found for state 0xccf8f142cffcfce7,
released from the list

(160) eap: Peer sent packet with method EAP TLS (13)

(160) eap: Calling submodule eap_tls to process data

(160) eap_tls: Continuing EAP-TLS

(160) eap_tls: Peer indicated complete TLS record size will be 7 bytes

(160) eap_tls: Got complete TLS record (7 bytes)

(160) eap_tls: [eaptls verify] = length included

(160) eap_tls: <<< recv TLS 1.2  [length 0002]

(160) eap_tls: ERROR: TLS_accept: Failed in SSLv3 read client certificate A

(160) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

(160) eap_tls: ERROR: System call (I/O) error (-1)

(160) eap_tls: ERROR: TLS receive handshake failed during operation

(160) eap_tls: ERROR: [eaptls process] = fail

(160) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

(160) eap: Sending EAP Failure (code 4) ID 4 length 4

(160) eap: Failed in EAP select

(160)     [eap] = invalid

(160)   } # authenticate = invalid

(160) Failed to authenticate the user

(160) Using Post-Auth-Type Reject

(160) # Executing group from file /etc/raddb/sites-enabled/default

(160)   Post-Auth-Type REJECT {

(160) sql: EXPAND .query

(160) sql:    --> .query

(160) sql: Using query template 'query'

rlm_sql (sql): Reserved connection (63)

(160) sql: EXPAND %{User-Name}

(160) sql:    --> macbook

(160) sql: SQL-User-Name set to 'macbook'

(160) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}',
'%{reply:Packet-Type}', '%S')

(160) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate)
VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15 22:36:48.754856')

(160) sql: Executing query: INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES ( 'macbook', '', 'Access-Reject', '2019-02-15
22:36:48.754856')

(160) sql: SQL query returned: success

(160) sql: 1 record(s) updated

rlm_sql (sql): Released connection (63)

(160)     [sql] = ok

(160) attr_filter.access_reject: EXPAND %{User-Name}

(160) attr_filter.access_reject:    --> macbook

(160) attr_filter.access_reject: Matched entry DEFAULT at line 11

(160)     [attr_filter.access_reject] = updated

(160)     [eap] = noop

(160)     policy remove_reply_message_if_eap {

(160)       if (&reply:EAP-Message && &reply:Reply-Message) {

(160)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(160)       else {

(160)         [noop] = noop

(160)       } # else = noop

(160)     } # policy remove_reply_message_if_eap = noop

(160)   } # Post-Auth-Type REJECT = updated

(160) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(160) Sending delayed response

(160) Sent Access-Reject Id 242 from 192.168.253.6:1812 to
103.46.239.184:59711 length 44

(160)   EAP-Message = 0x04040004

(160)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.8 seconds.

(156) Cleaning up request packet ID 238 with timestamp +5619

(157) Cleaning up request packet ID 239 with timestamp +5619

(158) Cleaning up request packet ID 240 with timestamp +5619

(159) Cleaning up request packet ID 241 with timestamp +5619

(160) Cleaning up request packet ID 242 with timestamp +5619

Ready to process requests
Cheers

MK Singh
+91-9910416231
www.shouut.com
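The debug output above prints every EAP-Message as raw hex, and the last one from the MacBook (request 160, `0x020400110d800000000715030300020100`) is the packet that decides the outcome. The following decoder is an added example, not code from the original post or from FreeRADIUS: it parses each EAP-Message as EAP (RFC 3748), then EAP-TLS (RFC 5216, the flags byte and optional TLS message length), then the TLS record and handshake headers (RFC 5246), far enough to read the ClientHello, the ServerHello and any alert. The sample values are copied from the log above; the debug printer truncates long attributes, so the parser tolerates bodies that end early. The dictionary keys and the summary format are this example's own choices.

```python
"""Decode the EAP-Message attributes printed in a FreeRADIUS EAP-TLS debug log.

Added example (not code from the original post or from FreeRADIUS): each
EAP-Message value is parsed as EAP (RFC 3748) -> EAP-TLS (RFC 5216) -> TLS
record and handshake headers (RFC 5246), far enough to read hellos and alerts.
FreeRADIUS truncates long hex dumps, so record bodies may be incomplete.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   12: "server_key_exchange", 13: "certificate_request",
                   14: "server_hello_done", 16: "client_key_exchange"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

# EAP-Message values copied verbatim from the debug output above (requests 156, 157, 160).
LOG_EAP_MESSAGES = {
    "156 client": "0x0200000c016d6163626f6f6b",
    "157 client": "0x020100a10d800000009716030300920100008e03035c66eda3b9189d8cb5e4f5d1b7da29789b4f95dc78ef817aeb5462abc249b93100002c00ffc02cc02bc024c023c00ac009c008c030c02fc028c027c014c013c012009d009c003d003c0035002f000a01000039000a00080006001700180019000b00",
    "157 server": "0x010204000dc0000008ad160303003902000035030368fd206e3ef60d7fd094ee6184fa23ad9edd6bc23b529f88b11669a0e088a95700c03000000dff01000100000b00040300010216030306ee0b0006ea0006e70003a03082039c30820305a003020102020101300d06092a864886f70d010105050030",
    "160 client": "0x020400110d800000000715030300020100",
    "160 server": "0x04040004",
}


def parse_hello(hs_type, body):
    """Version and cipher suite(s) from a ClientHello (1) or ServerHello (2) body."""
    info = {"version": TLS_VERSIONS.get((body[0], body[1]), "%d.%d" % (body[0], body[1]))}
    pos = 2 + 32                      # skip the 32-byte random
    pos += 1 + body[pos]              # skip session_id (length-prefixed)
    if hs_type == 1:                  # ClientHello offers a list of suites
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        suites = body[pos + 2:pos + 2 + cs_len]
        info["cipher_suites"] = ["0x%04x" % s for (s,) in
                                 struct.iter_unpack("!H", suites[:len(suites) // 2 * 2])]
    else:                             # ServerHello names the single chosen suite
        (suite,) = struct.unpack("!H", body[pos:pos + 2])
        info["cipher_suite"] = "0x%04x" % suite
    return info


def parse_tls_records(payload):
    """Parse the TLS records at the start of a fragment; stop where the dump is cut."""
    records, pos = [], 0
    while pos + 5 <= len(payload) and payload[pos] in TLS_CONTENT and payload[pos + 1] == 3:
        ctype, major, minor, rlen = struct.unpack("!BBBH", payload[pos:pos + 5])
        body = payload[pos + 5:pos + 5 + rlen]
        rec = {"content": TLS_CONTENT[ctype], "version": TLS_VERSIONS.get((major, minor)),
               "length": rlen, "truncated": len(body) < rlen}
        if ctype == 21 and len(body) >= 2:          # alert: level, description
            rec["alert"] = (ALERT_LEVELS.get(body[0], body[0]), ALERT_DESCRIPTIONS.get(body[1], body[1]))
        elif ctype == 22 and len(body) >= 4:        # handshake: type, 24-bit length
            hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
            rec["handshake"] = HANDSHAKE_TYPES.get(hs_type, hs_type)
            if hs_type in (1, 2):
                try:
                    rec.update(parse_hello(hs_type, body[4:4 + hs_len]))
                except (IndexError, struct.error):  # hello cut off by the debug printer
                    rec["truncated"] = True
        records.append(rec)
        pos += 5 + rlen
    if not records and payload:   # a later fragment starts mid-record: nothing to parse
        records.append({"content": "continuation"})
    return records


def parse_eap_message(hex_string):
    """Decode one RADIUS EAP-Message attribute value (with or without a 0x prefix)."""
    data = bytes.fromhex(hex_string[2:] if hex_string.startswith("0x") else hex_string)
    code, ident, length = struct.unpack("!BBH", data[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(data) < length}
    if code not in (1, 2) or len(data) < 5:
        return pkt                                   # Success/Failure carry no type byte
    pkt["type"] = data[4]
    if data[4] == 1:                                 # EAP-Identity
        pkt["identity"] = data[5:].decode("utf-8", "replace")
    elif data[4] == 13:                              # EAP-TLS, RFC 5216 section 3.1
        flags = data[5]
        pkt["flags"] = "".join(n for n, bit in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & bit)
        pos = 6
        if flags & 0x80:                             # L bit: 4-byte total TLS message length
            (pkt["tls_message_length"],) = struct.unpack("!I", data[6:10])
            pos = 10
        payload = data[pos:]
        pkt["tls_records"] = parse_tls_records(payload) if payload else []
        pkt["ack"] = not payload and not flags       # empty EAP-TLS packet acknowledges a fragment
    return pkt


if __name__ == "__main__":
    for label, value in LOG_EAP_MESSAGES.items():
        print(label, parse_eap_message(value))
```

Run on the values from the log, the decoder shows the MacBook offering TLS 1.2 with 22 cipher suites in request 157, the server choosing 0xc030 (TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) and starting a 2221-byte handshake flight (flags L and M), and then, in request 160, the client answering the server's Certificate, ServerKeyExchange and CertificateRequest with a 7-byte TLS alert record: level 1 (warning), description 0 (close_notify). FreeRADIUS was waiting for the client's Certificate message in "read client certificate A", received a close instead, and logged the SSL_read handshake failure; the Access-Reject follows from that. In other words the supplicant, not the server, tore the session down, and the reason is not visible in a server-side log. Client-side causes that produce exactly this shape include the supplicant not trusting the server certificate or its issuing CA, or no client identity or certificate being selected for the network, but distinguishing them needs the supplicant's own log or a capture on the client. A full decoder would also reassemble the fragments that this one reports as "continuation".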


More information about the Freeradius-Users mailing list