[EXTERNAL] - Re: EAP failure when using production certificates
Wayne Fillmer
wfillmer at opentext.com
Wed Feb 9 21:17:02 UTC 2022
Thank you kindly. After reading your email I performed the following:
1 - removed existing certs in /etc/freeradius/3.0/certs using: rm -f *.pem *.der *.csr *.crt *.key .p12 serial* index.txt*
2 - Using the .cnf I included excerpts for I ran:
make ca.pem
make client.pem
make server.pem
3 - I copied the new files from /etc/freeradius/3.0/certs to a freshly formatted USB drive
4 - rebooted the system
5 - start the server: sudo freeradius -X
6 - factory reset WPA system to clear possibility of stale certificates
6 - imported the new ca and client certificates from the USB into the WPA supplicant (linux platform)
7 - attempt PEAP with bob/hello (also tried TLS/TTLS).
I am seeing the following error (looks same/similar):
(0) Received Access-Request Id 115 from 192.168.1.150:1812 to 192.168.1.77:1812 length 133
(0) NAS-IP-Address = 192.168.1.150
(0) NAS-Port = 50006
(0) NAS-Port-Type = Ethernet
(0) User-Name = "anonymous"
(0) Called-Station-Id = "00-19-55-14-71-86"
(0) Calling-Station-Id = "00-0E-CC-01-00-12"
(0) Service-Type = Framed-User
(0) Framed-MTU = 1500
(0) EAP-Message = 0x020f000e01616e6f6e796d6f7573
(0) Message-Authenticator = 0xc8f986ea7efc49fe7e246a7f030bd60c
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> TRUE
(0) if (&User-Name) {
(0) if (&User-Name =~ / /) {
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@[^@]*@/ ) {
(0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(0) if (&User-Name =~ /\.\./ ) {
(0) if (&User-Name =~ /\.\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\.$/) {
(0) if (&User-Name =~ /\.$/) -> FALSE
(0) if (&User-Name =~ /@\./) {
(0) if (&User-Name =~ /@\./) -> FALSE
(0) } # if (&User-Name) = notfound
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(0) suffix: No such realm "NULL"
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 15 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_md5 to process data
(0) eap_md5: Issuing MD5 Challenge
(0) eap: Sending EAP Request (code 1) ID 16 length 22
(0) eap: EAP session adding &reply:State = 0xacfcce85aceccab2
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 115 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0
(0) EAP-Message = 0x0110001604105eb0aa70cca2a2ea15954f30fb2553b1
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xacfcce85aceccab2345ee891f7e86332
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 116 from 192.168.1.150:1812 to 192.168.1.77:1812 length 143
(1) NAS-IP-Address = 192.168.1.150
(1) NAS-Port = 50006
(1) NAS-Port-Type = Ethernet
(1) User-Name = "anonymous"
(1) Called-Station-Id = "00-19-55-14-71-86"
(1) Calling-Station-Id = "00-0E-CC-01-00-12"
(1) Service-Type = Framed-User
(1) Framed-MTU = 1500
(1) State = 0xacfcce85aceccab2345ee891f7e86332
(1) EAP-Message = 0x021000060319
(1) Message-Authenticator = 0x24c93442f8f474cabdcaf9478e94388b
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> TRUE
(1) if (&User-Name) {
(1) if (&User-Name =~ / /) {
(1) if (&User-Name =~ / /) -> FALSE
(1) if (&User-Name =~ /@[^@]*@/ ) {
(1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(1) if (&User-Name =~ /\.\./ ) {
(1) if (&User-Name =~ /\.\./ ) -> FALSE
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(1) if (&User-Name =~ /\.$/) {
(1) if (&User-Name =~ /\.$/) -> FALSE
(1) if (&User-Name =~ /@\./) {
(1) if (&User-Name =~ /@\./) -> FALSE
(1) } # if (&User-Name) = notfound
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(1) suffix: No such realm "NULL"
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 16 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) [files] = noop
(1) [expiration] = noop
(1) [logintime] = noop
Not doing PAP as Auth-Type is already set.
(1) [pap] = noop
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xacfcce85aceccab2
(1) eap: Finished EAP session with state 0xacfcce85aceccab2
(1) eap: Previous EAP request found for state 0xacfcce85aceccab2, released from the list
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type PEAP (25)
(1) eap: Calling submodule eap_peap to process data
(1) eap_peap: Initiating new TLS session
(1) eap_peap: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 17 length 6
(1) eap: EAP session adding &reply:State = 0xacfcce85adedd7b2
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 116 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0
(1) EAP-Message = 0x011100061920
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xacfcce85adedd7b2345ee891f7e86332
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 117 from 192.168.1.150:1812 to 192.168.1.77:1812 length 337
(2) NAS-IP-Address = 192.168.1.150
(2) NAS-Port = 50006
(2) NAS-Port-Type = Ethernet
(2) User-Name = "anonymous"
(2) Called-Station-Id = "00-19-55-14-71-86"
(2) Calling-Station-Id = "00-0E-CC-01-00-12"
(2) Service-Type = Framed-User
(2) Framed-MTU = 1500
(2) State = 0xacfcce85adedd7b2345ee891f7e86332
(2) EAP-Message = 0x021100c81980000000be16030100b9010000b5030353b89ef43885f37e7b872705585bd8da8b56d0d60d22d3af5f2e00a082d18862000038c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff01000054000b000403000102000a000c000a001d0017001e001900180016000000170000000d0030002e040305030603080708080809080a080b080408050806040105010601030302030301020103020202040205020602
(2) Message-Authenticator = 0x5365a6fd3d09cd64d01bc0bdb8f3172e
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Checking for suffix after "@"
(2) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(2) suffix: No such realm "NULL"
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 17 length 200
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xacfcce85adedd7b2
(2) eap: Finished EAP session with state 0xacfcce85adedd7b2
(2) eap: Previous EAP request found for state 0xacfcce85adedd7b2, released from the list
(2) eap: Peer sent packet with method EAP PEAP (25)
(2) eap: Calling submodule eap_peap to process data
(2) eap_peap: Continuing EAP-TLS
(2) eap_peap: Peer indicated complete TLS record size will be 190 bytes
(2) eap_peap: Got complete TLS record (190 bytes)
(2) eap_peap: [eaptls verify] = length included
(2) eap_peap: (other): before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 00b9]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 02de]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 1152 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 18 length 1004
(2) eap: EAP session adding &reply:State = 0xacfcce85aeeed7b2
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 117 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0
(2) EAP-Message = 0x011203ec19c000000480160303003d020000390303cab82678ca39bd453c5259c52b0b4927337460ffc1279bd40ba712cc682a8c7600c030000011ff01000100000b0004030001020017000016030302de0b0002da0002d70002d4308202d0308201b8a003020102021419d6f93d1218741c7f2fa6ede241a78132b401ac300d06092a864886f70d01010b05003011310f300d06035504030c067562756e7475301e170d3232303132363031313931335a170d3332303132343031313931335a3011310f300d06035504030c067562756e747530820122300d06092a864886f70d01010105000382010f003082010a0282010100d656ad371181abcd6dc6f07509488dc77d22f6155af16aa35c5309c976fa9420fb38f8b8cbc39a1c2bb7eb1feabd7b240773e067e3b5549ffa3f5824a69b1b7784c8f4e63aa63a1cf9749dbc3bc5501053c57cb0a2e259cc980310d47f32f306a6606828c81f64df02505498228575742e23311a7b600705c40465800fe7b8ad76d948
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xacfcce85aeeed7b2345ee891f7e86332
(2) Finished request
Waking up in 4.9 seconds.
(3) Received Access-Request Id 118 from 192.168.1.150:1812 to 192.168.1.77:1812 length 143
(3) NAS-IP-Address = 192.168.1.150
(3) NAS-Port = 50006
(3) NAS-Port-Type = Ethernet
(3) User-Name = "anonymous"
(3) Called-Station-Id = "00-19-55-14-71-86"
(3) Calling-Station-Id = "00-0E-CC-01-00-12"
(3) Service-Type = Framed-User
(3) Framed-MTU = 1500
(3) State = 0xacfcce85aeeed7b2345ee891f7e86332
(3) EAP-Message = 0x021200061900
(3) Message-Authenticator = 0xa1ebca1864e223eb64a0967689d7d8a2
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /@\./) {
(3) if (&User-Name =~ /@\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Checking for suffix after "@"
(3) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(3) suffix: No such realm "NULL"
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 18 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xacfcce85aeeed7b2
(3) eap: Finished EAP session with state 0xacfcce85aeeed7b2
(3) eap: Previous EAP request found for state 0xacfcce85aeeed7b2, released from the list
(3) eap: Peer sent packet with method EAP PEAP (25)
(3) eap: Calling submodule eap_peap to process data
(3) eap_peap: Continuing EAP-TLS
(3) eap_peap: Peer ACKed our handshake fragment
(3) eap_peap: [eaptls verify] = request
(3) eap_peap: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 19 length 164
(3) eap: EAP session adding &reply:State = 0xacfcce85afefd7b2
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 118 from 192.168.1.77:1812 to 192.168.1.150:1812 length 0
(3) EAP-Message = 0x011300a41900c3c29b31548e4280270048dc264893dcd9b7f970128deecaabb8796693ae5a8abf3354be8c9a61ad2053c7177b8758ca6d9783e86b8c2165a4307bf76c21a7ee238792ee9ee3a14193db877284603f6164408f4774f84b7a3a1152b7bd64742d9d98415cb33f14c7a104266c21b81a05414db70dbb4c76964e3ccdd92771ea5eda07a3346d5dc6fecf7458b9fcf420bb0245d74c0f16030300040e000000
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xacfcce85afefd7b2345ee891f7e86332
(3) Finished request
Waking up in 4.9 seconds.
(4) Received Access-Request Id 119 from 192.168.1.150:1812 to 192.168.1.77:1812 length 154
(4) NAS-IP-Address = 192.168.1.150
(4) NAS-Port = 50006
(4) NAS-Port-Type = Ethernet
(4) User-Name = "anonymous"
(4) Called-Station-Id = "00-19-55-14-71-86"
(4) Calling-Station-Id = "00-0E-CC-01-00-12"
(4) Service-Type = Framed-User
(4) Framed-MTU = 1500
(4) State = 0xacfcce85afefd7b2345ee891f7e86332
(4) EAP-Message = 0x0213001119800000000715030300020230
(4) Message-Authenticator = 0x9eef9c9a4980071b07836d6398333e0d
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> TRUE
(4) if (&User-Name) {
(4) if (&User-Name =~ / /) {
(4) if (&User-Name =~ / /) -> FALSE
(4) if (&User-Name =~ /@[^@]*@/ ) {
(4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(4) if (&User-Name =~ /\.\./ ) {
(4) if (&User-Name =~ /\.\./ ) -> FALSE
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(4) if (&User-Name =~ /\.$/) {
(4) if (&User-Name =~ /\.$/) -> FALSE
(4) if (&User-Name =~ /@\./) {
(4) if (&User-Name =~ /@\./) -> FALSE
(4) } # if (&User-Name) = notfound
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Checking for suffix after "@"
(4) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(4) suffix: No such realm "NULL"
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 19 length 17
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xacfcce85afefd7b2
(4) eap: Finished EAP session with state 0xacfcce85afefd7b2
(4) eap: Previous EAP request found for state 0xacfcce85afefd7b2, released from the list
(4) eap: Peer sent packet with method EAP PEAP (25)
(4) eap: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(4) eap_peap: Got complete TLS record (7 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.2 [length 0002]
(4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_peap: TLS_accept: Need to read more data: error
(4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap_peap: TLS - In Handshake Phase
(4) eap_peap: TLS - Application data.
(4) eap_peap: ERROR: TLS failed during operation
(4) eap_peap: ERROR: [eaptls process] = fail
(4) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(4) eap: Sending EAP Failure (code 4) ID 19 length 4
(4) eap: Failed in EAP select
(4) [eap] = invalid
(4) } # authenticate = invalid
(4) Failed to authenticate the user
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject: --> anonymous
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4) [attr_filter.access_reject] = updated
(4) [eap] = noop
(4) policy remove_reply_message_if_eap {
(4) if (&reply:EAP-Message && &reply:Reply-Message) {
(4) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(4) else {
(4) [noop] = noop
(4) } # else = noop
(4) } # policy remove_reply_message_if_eap = noop
(4) } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed response
(4) Sent Access-Reject Id 119 from 192.168.1.77:1812 to 192.168.1.150:1812 length 44
(4) EAP-Message = 0x04130004
(4) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(0) Cleaning up request packet ID 115 with timestamp +4
(1) Cleaning up request packet ID 116 with timestamp +4
(2) Cleaning up request packet ID 117 with timestamp +4
(3) Cleaning up request packet ID 118 with timestamp +4
(4) Cleaning up request packet ID 119 with timestamp +4
Ready to process requests
-----Original Message-----
From: Alan DeKok <aland at deployingradius.com>
Sent: Wednesday, February 9, 2022 2:43 PM
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Cc: Wayne Fillmer <wfillmer at opentext.com>
Subject: [EXTERNAL] - Re: EAP failure when using production certificates
On Feb 9, 2022, at 3:29 PM, Wayne Fillmer via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I am attempting to set up a freeRADIUS server in a lab environment on Ubuntu 18.04. This server is used to test a WPA supplicant implementation on a piece of portable hardware. I feel reasonably confident the supplicant and nas (Cisco 2950) are configured correctly. I am very much unfamiliar with freeradius - that means I could get pretty far using the available documentation until I ran into trouble. Now I have no idea what to do.
>
> Everything seems to be working according to the guide up until making production certs. I have performed eapol_test tests using the snakeoil certs.
>
> Note: I have created the user "bob" and still have the pwd "hello" at the top of my "users" file. I am using user "bob" and pwd: "hello" when I attempt to connect from the supplicant
>
> When I create production certs (deployingradius.com instructions) and attempt to authenticate I see the following error (log is followed by excerpts of my .cnf files):
You didn't install the correct CA on the supplicant.
> (9) eap_peap: <<< recv TLS 1.2 [length 0002]
> (9) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
> (9) eap_peap: TLS_accept: Need to read more data: error
> (9) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
The supplicant sent a TLS error to FreeRADIUS, saying "I don't know the CA used to sign your server certificate, so I don't trust you, and I won't talk to you".
Install the production CA on the supplicant.
Alan DeKok.
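
Added example, not part of the original thread and not FreeRADIUS code: a Python sketch that decodes two EAP-Message values from the debug output above, the peer's alert in request (4) and the start of the server's reply to request (2). It shows which TLS alert the supplicant sent and which CN and validity strings appear in the certificate the server put on the wire. The function names are hypothetical, and the certificate scan is a byte-pattern heuristic, not a full ASN.1 parser.

```python
import re

# EAP-Message values copied from the debug output above (request 4 and the
# reply to request 2). SERVER_FRAGMENT stops after the subject name; the rest
# of the certificate is not needed for this check.
PEER_ALERT = "0213001119800000000715030300020230"
SERVER_FRAGMENT = (
    "011203ec19c000000480"                          # EAP header, PEAP flags, TLS length
    "160303003d020000390303"                        # ServerHello record header
    "cab82678ca39bd453c5259c52b0b4927337460ffc1279bd40ba712cc682a8c76"
    "00c030000011ff01000100000b00040300010200170000"
    "16030302de0b0002da0002d70002d4"                # Certificate record header
    "308202d0308201b8a003020102"
    "021419d6f93d1218741c7f2fa6ede241a78132b401ac"  # serial number
    "300d06092a864886f70d01010b0500"
    "3011310f300d06035504030c067562756e7475"        # issuer name
    "301e170d3232303132363031313931335a170d3332303132343031313931335a"
    "3011310f300d06035504030c067562756e7475"        # subject name
)

# Subset of the TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}


def eap_tls_payload(hex_msg):
    """Strip the EAP header (code, id, length, type) and the EAP-TLS flags byte."""
    raw = bytes.fromhex(hex_msg)
    flags = raw[5]
    offset = 10 if flags & 0x80 else 6  # L bit set: 4-byte TLS message length follows
    return {"code": raw[0], "id": raw[1], "type": raw[4], "tls": raw[offset:]}


def tls_alert(tls):
    """Decode one TLS alert record (content type 21); return None for anything else."""
    if len(tls) < 7 or tls[0] != 21:
        return None
    level = "fatal" if tls[5] == 2 else "warning"
    return level, TLS_ALERTS.get(tls[6], f"alert {tls[6]}")


def cert_names_and_dates(tls):
    """Heuristic scan for commonName values (OID 2.5.4.3) and UTCTime strings."""
    names = []
    for m in re.finditer(rb"\x06\x03\x55\x04\x03[\x0c\x13]", tls):
        if m.end() < len(tls):
            length = tls[m.end()]
            value = tls[m.end() + 1 : m.end() + 1 + length]
            names.append(value.decode("ascii", "replace"))
    dates = [d.decode() for d in re.findall(rb"\x17\x0d(\d{12}Z)", tls)]
    return names, dates


if __name__ == "__main__":
    peer = eap_tls_payload(PEER_ALERT)
    print("peer alert:", tls_alert(peer["tls"]))
    names, dates = cert_names_and_dates(eap_tls_payload(SERVER_FRAGMENT)["tls"])
    print("CNs in server certificate:", names)
    print("notBefore / notAfter:", dates)
```

The CN and dates it prints can be compared with the output of `openssl x509 -in server.pem -noout -subject -issuer -dates` for the freshly generated server certificate and with the CA file imported on the supplicant.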