EAP-PEAP Issue with new Android device
dlux at lux-it-systeme.de
Tue Sep 19 11:32:10 UTC 2023
Hi,
while trying to set up a new Android device, an issue started to appear:
Short Story: Authentication fails in the (I guess) P1 phase of EAP-PEAP with
a message: certificate expired.
Long Story:
The RADIUS server is using Let's Encrypt server certs for its TLS
configuration. That setup works with every device I know of in this
network.
A new Android device, however, seems to behave weirdly with it. Logging
FreeRADIUS with the -X flag results in the log below.
The device is set to not validate the server cert and use EAP-PEAP for P1
and MSCHAPv2 for P2. kp@<domain-stripped> is the anonymous identity.
The last message seems rather short (TLS Length 7), which doesn't sound
right.
I know there is an issue with the domain detection because it's only checking
for ntdomain. That's work for another day.
Thank you in advance,
Daniel Lux
```
(298) Received Access-Request Id 166 from 10.2.254.253:60831 to
10.0.0.248:1812 length 208
(298) User-Name = "kp@<domain-stripped>"
(298) NAS-IP-Address = 10.2.254.253
(298) NAS-Port = 0
(298) NAS-Identifier = "10.2.254.253"
(298) NAS-Port-Type = Wireless-802.11
(298) Calling-Station-Id = "843E1D87F5BF"
(298) Called-Station-Id = "204C03033278"
(298) Service-Type = Framed-User
(298) Framed-MTU = 1100
(298) EAP-Message =
0x0201001b016b70407261747367796d6e617369756d2d70652e6465
(298) Aruba-Essid-Name = "RatseNetL"
(298) Aruba-Location-Id = "AP18"
(298) Aruba-AP-Group = "OS-Trakt"
(298) Message-Authenticator = 0xd4fead8cee934d4d691b8e1218e4220d
(298) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(298) authorize {
(298) [preprocess] = ok
(298) ntdomain: Checking for prefix before "\"
(298) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(298) ntdomain: No such realm "NULL"
(298) [ntdomain] = noop
(298) update control {
(298) &Proxy-To-Realm := LOCAL
(298) } # update control = noop
(298) [chap] = noop
(298) [mschap] = noop
(298) [digest] = noop
(298) eap: Peer sent EAP Response (code 2) ID 1 length 27
(298) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(298) [eap] = ok
(298) } # authorize = ok
(298) Found Auth-Type = eap
(298) # Executing group from file /etc/freeradius/sites-enabled/default
(298) authenticate {
(298) eap: Peer sent packet with method EAP Identity (1)
(298) eap: Calling submodule eap_peap to process data
(298) eap_peap: Initiating new EAP-TLS session
(298) eap_peap: [eaptls start] = request
(298) eap: Sending EAP Request (code 1) ID 2 length 6
(298) eap: EAP session adding &reply:State = 0xe37f3d5de37d24b2
(298) [eap] = handled
(298) } # authenticate = handled
(298) Using Post-Auth-Type Challenge
(298) Post-Auth-Type sub-section not found. Ignoring.
(298) # Executing group from file /etc/freeradius/sites-enabled/default
(298) Sent Access-Challenge Id 166 from 10.0.0.248:1812 to
10.2.254.253:60831 length 0
(298) EAP-Message = 0x010200061920
(298) Message-Authenticator = 0x00000000000000000000000000000000
(298) State = 0xe37f3d5de37d24b242773e627ff3f802
(298) Finished request
(299) Received Access-Request Id 47 from 10.2.254.253:60831 to
10.0.0.248:1812 length 340
(299) User-Name = "kp@<domain-stripped>"
(299) NAS-IP-Address = 10.2.254.253
(299) NAS-Port = 0
(299) NAS-Identifier = "10.2.254.253"
(299) NAS-Port-Type = Wireless-802.11
(299) Calling-Station-Id = "843E1D87F5BF"
(299) Called-Station-Id = "204C03033278"
(299) Service-Type = Framed-User
(299) Framed-MTU = 1100
(299) EAP-Message =
0x0202008d198000000083160301007e0100007a03039cd3aa393b421414e62481d34c86e861
c1dd382868b4f29944d0c04c62ae43ec00001ec02bc02fc02cc030cca9cca8c009c013c00ac0
14009c009d002f0035000a0100003300170000ff01000100000a00080006001d00170018000b
00020100000d
(299) State = 0xe37f3d5de37d24b242773e627ff3f802
(299) Aruba-Essid-Name = "RatseNetL"
(299) Aruba-Location-Id = "AP18"
(299) Aruba-AP-Group = "OS-Trakt"
(299) Message-Authenticator = 0x6761200777d3cba4c291bc097f235982
(299) session-state: No cached attributes
(299) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(299) authorize {
(299) [preprocess] = ok
(299) ntdomain: Checking for prefix before "\"
(299) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(299) ntdomain: No such realm "NULL"
(299) [ntdomain] = noop
(299) update control {
(299) &Proxy-To-Realm := LOCAL
(299) } # update control = noop
(299) [chap] = noop
(299) [mschap] = noop
(299) [digest] = noop
(299) eap: Peer sent EAP Response (code 2) ID 2 length 141
(299) eap: Continuing tunnel setup
(299) [eap] = ok
(299) } # authorize = ok
(299) Found Auth-Type = eap
(299) # Executing group from file /etc/freeradius/sites-enabled/default
(299) authenticate {
(299) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(299) eap: Finished EAP session with state 0xe37f3d5de37d24b2
(299) eap: Previous EAP request found for state 0xe37f3d5de37d24b2, released
from the list
(299) eap: Peer sent packet with method EAP PEAP (25)
(299) eap: Calling submodule eap_peap to process data
(299) eap_peap: Continuing EAP-TLS
(299) eap_peap: Peer indicated complete TLS record size will be 131 bytes
(299) eap_peap: Got complete TLS record (131 bytes)
(299) eap_peap: [eaptls verify] = length included
(299) eap_peap: (other): before/accept initialization
(299) eap_peap: TLS_accept: before/accept initialization
(299) eap_peap: <<< recv TLS 1.2 [length 007e]
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: >>> send TLS 1.2 [length 0039]
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: >>> send TLS 1.2 [length 149f]
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: >>> send TLS 1.2 [length 014d]
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: >>> send TLS 1.2 [length 0004]
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: TLS_accept: unknown state
(299) eap_peap: TLS_accept: Need to read more data: unknown state
(299) eap_peap: TLS_accept: Need to read more data: unknown state
(299) eap_peap: In SSL Handshake Phase
(299) eap_peap: In SSL Accept mode
(299) eap_peap: [eaptls process] = handled
(299) eap: Sending EAP Request (code 1) ID 3 length 1004
(299) eap: EAP session adding &reply:State = 0xe37f3d5de27c24b2
(299) [eap] = handled
(299) } # authenticate = handled
(299) Using Post-Auth-Type Challenge
(299) Post-Auth-Type sub-section not found. Ignoring.
(299) # Executing group from file /etc/freeradius/sites-enabled/default
(299) Sent Access-Challenge Id 47 from 10.0.0.248:1812 to 10.2.254.253:60831
length 0
(299) EAP-Message =
0x010303ec19c00000163d16030300390200003503032221981d91de057e15a5d627e7d85254
fb02778827cee35a6895f65d00e6180c00c02f00000dff01000100000b000403000102160303
149f0b00149b001498000a1130820a0d308208f5a00302010202120314c38ef6206d2a5d13b5
c8cb45752f9f
(299) Message-Authenticator = 0x00000000000000000000000000000000
(299) State = 0xe37f3d5de27c24b242773e627ff3f802
(299) Finished request
(240) Cleaning up request packet ID 111 with timestamp +10
(241) Cleaning up request packet ID 60 with timestamp +10
(300) Received Access-Request Id 62 from 10.2.254.253:60831 to
10.0.0.248:1812 length 205
(300) User-Name = "kp@<domain-stripped>"
(300) NAS-IP-Address = 10.2.254.253
(300) NAS-Port = 0
(300) NAS-Identifier = "10.2.254.253"
(300) NAS-Port-Type = Wireless-802.11
(300) Calling-Station-Id = "843E1D87F5BF"
(300) Called-Station-Id = "204C03033278"
(300) Service-Type = Framed-User
(300) Framed-MTU = 1100
(300) EAP-Message = 0x020300061900
(300) State = 0xe37f3d5de27c24b242773e627ff3f802
(300) Aruba-Essid-Name = "RatseNetL"
(300) Aruba-Location-Id = "AP18"
(300) Aruba-AP-Group = "OS-Trakt"
(300) Message-Authenticator = 0x808be1cbe0d6892e798f1d3413c760b5
(300) session-state: No cached attributes
(300) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(300) authorize {
(300) [preprocess] = ok
(300) ntdomain: Checking for prefix before "\"
(300) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(300) ntdomain: No such realm "NULL"
(300) [ntdomain] = noop
(300) update control {
(300) &Proxy-To-Realm := LOCAL
(300) } # update control = noop
(300) [chap] = noop
(300) [mschap] = noop
(300) [digest] = noop
(300) eap: Peer sent EAP Response (code 2) ID 3 length 6
(300) eap: Continuing tunnel setup
(300) [eap] = ok
(300) } # authorize = ok
(300) Found Auth-Type = eap
(300) # Executing group from file /etc/freeradius/sites-enabled/default
(300) authenticate {
(300) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(300) eap: Finished EAP session with state 0xe37f3d5de27c24b2
(300) eap: Previous EAP request found for state 0xe37f3d5de27c24b2, released
from the list
(300) eap: Peer sent packet with method EAP PEAP (25)
(300) eap: Calling submodule eap_peap to process data
(300) eap_peap: Continuing EAP-TLS
(300) eap_peap: Peer ACKed our handshake fragment
(300) eap_peap: [eaptls verify] = request
(300) eap_peap: [eaptls process] = handled
(300) eap: Sending EAP Request (code 1) ID 4 length 1000
(300) eap: EAP session adding &reply:State = 0xe37f3d5de17b24b2
(300) [eap] = handled
(300) } # authenticate = handled
(300) Using Post-Auth-Type Challenge
(300) Post-Auth-Type sub-section not found. Ignoring.
(300) # Executing group from file /etc/freeradius/sites-enabled/default
(300) Sent Access-Challenge Id 62 from 10.0.0.248:1812 to 10.2.254.253:60831
length 0
(300) EAP-Message =
0x010403e8194069756d2d70652e6465821b686170726f78792e7261747367796d6e61736975
6d2d70652e64658218686f6d652e7261747367796d6e617369756d2d70652e64658218696d61
702e7261747367796d6e617369756d2d70652e6465821d696e666f62726574742e7261747367
796d6e617369
(300) Message-Authenticator = 0x00000000000000000000000000000000
(300) State = 0xe37f3d5de17b24b242773e627ff3f802
(300) Finished request
(242) Cleaning up request packet ID 16 with timestamp +10
(301) Received Access-Request Id 64 from 10.2.254.253:60831 to
10.0.0.248:1812 length 205
(301) User-Name = "kp@<domain-stripped>"
(301) NAS-IP-Address = 10.2.254.253
(301) NAS-Port = 0
(301) NAS-Identifier = "10.2.254.253"
(301) NAS-Port-Type = Wireless-802.11
(301) Calling-Station-Id = "843E1D87F5BF"
(301) Called-Station-Id = "204C03033278"
(301) Service-Type = Framed-User
(301) Framed-MTU = 1100
(301) EAP-Message = 0x020400061900
(301) State = 0xe37f3d5de17b24b242773e627ff3f802
(301) Aruba-Essid-Name = "RatseNetL"
(301) Aruba-Location-Id = "AP18"
(301) Aruba-AP-Group = "OS-Trakt"
(301) Message-Authenticator = 0x87340687e4ff778e7567a60a6fad3440
(301) session-state: No cached attributes
(301) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(301) authorize {
(301) [preprocess] = ok
(301) ntdomain: Checking for prefix before "\"
(301) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(301) ntdomain: No such realm "NULL"
(301) [ntdomain] = noop
(301) update control {
(301) &Proxy-To-Realm := LOCAL
(301) } # update control = noop
(301) [chap] = noop
(301) [mschap] = noop
(301) [digest] = noop
(301) eap: Peer sent EAP Response (code 2) ID 4 length 6
(301) eap: Continuing tunnel setup
(301) [eap] = ok
(301) } # authorize = ok
(301) Found Auth-Type = eap
(301) # Executing group from file /etc/freeradius/sites-enabled/default
(301) authenticate {
(301) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(301) eap: Finished EAP session with state 0xe37f3d5de17b24b2
(301) eap: Previous EAP request found for state 0xe37f3d5de17b24b2, released
from the list
(301) eap: Peer sent packet with method EAP PEAP (25)
(301) eap: Calling submodule eap_peap to process data
(301) eap_peap: Continuing EAP-TLS
(301) eap_peap: Peer ACKed our handshake fragment
(301) eap_peap: [eaptls verify] = request
(301) eap_peap: [eaptls process] = handled
(301) eap: Sending EAP Request (code 1) ID 5 length 1000
(301) eap: EAP session adding &reply:State = 0xe37f3d5de07a24b2
(301) [eap] = handled
(301) } # authenticate = handled
(301) Using Post-Auth-Type Challenge
(301) Post-Auth-Type sub-section not found. Ignoring.
(301) # Executing group from file /etc/freeradius/sites-enabled/default
(301) Sent Access-Challenge Id 64 from 10.0.0.248:1812 to 10.2.254.253:60831
length 0
(301) EAP-Message =
0x010503e81940796d6e617369756d2d70652e64658223776c616e2d636f6e74726f6c6c6572
2e7261747367796d6e617369756d2d70652e646582177777772e7261747367796d6e61736975
6d2d70652e6465821a7a61626269782e7261747367796d6e617369756d2d70652e6465301306
03551d20040c
(301) Message-Authenticator = 0x00000000000000000000000000000000
(301) State = 0xe37f3d5de07a24b242773e627ff3f802
(301) Finished request
(302) Received Access-Request Id 52 from 10.2.254.253:60831 to
10.0.0.248:1812 length 205
(302) User-Name = "kp@<domain-stripped>"
(302) NAS-IP-Address = 10.2.254.253
(302) NAS-Port = 0
(302) NAS-Identifier = "10.2.254.253"
(302) NAS-Port-Type = Wireless-802.11
(302) Calling-Station-Id = "843E1D87F5BF"
(302) Called-Station-Id = "204C03033278"
(302) Service-Type = Framed-User
(302) Framed-MTU = 1100
(302) EAP-Message = 0x020500061900
(302) State = 0xe37f3d5de07a24b242773e627ff3f802
(302) Aruba-Essid-Name = "RatseNetL"
(302) Aruba-Location-Id = "AP18"
(302) Aruba-AP-Group = "OS-Trakt"
(302) Message-Authenticator = 0xa55c00579b9ed3c4554238f83309a7be
(302) session-state: No cached attributes
(302) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(302) authorize {
(302) [preprocess] = ok
(302) ntdomain: Checking for prefix before "\"
(302) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(302) ntdomain: No such realm "NULL"
(302) [ntdomain] = noop
(302) update control {
(302) &Proxy-To-Realm := LOCAL
(302) } # update control = noop
(302) [chap] = noop
(302) [mschap] = noop
(302) [digest] = noop
(302) eap: Peer sent EAP Response (code 2) ID 5 length 6
(302) eap: Continuing tunnel setup
(302) [eap] = ok
(302) } # authorize = ok
(302) Found Auth-Type = eap
(302) # Executing group from file /etc/freeradius/sites-enabled/default
(302) authenticate {
(302) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(302) eap: Finished EAP session with state 0xe37f3d5de07a24b2
(302) eap: Previous EAP request found for state 0xe37f3d5de07a24b2, released
from the list
(302) eap: Peer sent packet with method EAP PEAP (25)
(302) eap: Calling submodule eap_peap to process data
(302) eap_peap: Continuing EAP-TLS
(302) eap_peap: Peer ACKed our handshake fragment
(302) eap_peap: [eaptls verify] = request
(302) eap_peap: [eaptls process] = handled
(302) eap: Sending EAP Request (code 1) ID 6 length 1000
(302) eap: EAP session adding &reply:State = 0xe37f3d5de77924b2
(302) [eap] = handled
(302) } # authenticate = handled
(302) Using Post-Auth-Type Challenge
(302) Post-Auth-Type sub-section not found. Ignoring.
(302) # Executing group from file /etc/freeradius/sites-enabled/default
(302) Sent Access-Challenge Id 52 from 10.0.0.248:1812 to 10.2.254.253:60831
length 0
(302) EAP-Message =
0x010603e819400b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34
c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f8
30175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60
677566b3f118
(302) Message-Authenticator = 0x00000000000000000000000000000000
(302) State = 0xe37f3d5de77924b242773e627ff3f802
(302) Finished request
(243) Cleaning up request packet ID 156 with timestamp +10
Waking up in 0.9 seconds.
(303) Received Access-Request Id 130 from 10.2.254.253:60831 to
10.0.0.248:1812 length 205
(303) User-Name = "kp@<domain-stripped>"
(303) NAS-IP-Address = 10.2.254.253
(303) NAS-Port = 0
(303) NAS-Identifier = "10.2.254.253"
(303) NAS-Port-Type = Wireless-802.11
(303) Calling-Station-Id = "843E1D87F5BF"
(303) Called-Station-Id = "204C03033278"
(303) Service-Type = Framed-User
(303) Framed-MTU = 1100
(303) EAP-Message = 0x020600061900
(303) State = 0xe37f3d5de77924b242773e627ff3f802
(303) Aruba-Essid-Name = "RatseNetL"
(303) Aruba-Location-Id = "AP18"
(303) Aruba-AP-Group = "OS-Trakt"
(303) Message-Authenticator = 0x718692290105f2acae5e8598d3db3aad
(303) session-state: No cached attributes
(303) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(303) authorize {
(303) [preprocess] = ok
(303) ntdomain: Checking for prefix before "\"
(303) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(303) ntdomain: No such realm "NULL"
(303) [ntdomain] = noop
(303) update control {
(303) &Proxy-To-Realm := LOCAL
(303) } # update control = noop
(303) [chap] = noop
(303) [mschap] = noop
(303) [digest] = noop
(303) eap: Peer sent EAP Response (code 2) ID 6 length 6
(303) eap: Continuing tunnel setup
(303) [eap] = ok
(303) } # authorize = ok
(303) Found Auth-Type = eap
(303) # Executing group from file /etc/freeradius/sites-enabled/default
(303) authenticate {
(303) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(303) eap: Finished EAP session with state 0xe37f3d5de77924b2
(303) eap: Previous EAP request found for state 0xe37f3d5de77924b2, released
from the list
(303) eap: Peer sent packet with method EAP PEAP (25)
(303) eap: Calling submodule eap_peap to process data
(303) eap_peap: Continuing EAP-TLS
(303) eap_peap: Peer ACKed our handshake fragment
(303) eap_peap: [eaptls verify] = request
(303) eap_peap: [eaptls process] = handled
(303) eap: Sending EAP Request (code 1) ID 7 length 1000
(303) eap: EAP session adding &reply:State = 0xe37f3d5de67824b2
(303) [eap] = handled
(303) } # authenticate = handled
(303) Using Post-Auth-Type Challenge
(303) Post-Auth-Type sub-section not found. Ignoring.
(303) # Executing group from file /etc/freeradius/sites-enabled/default
(303) Sent Access-Challenge Id 130 from 10.0.0.248:1812 to
10.2.254.253:60831 length 0
(303) EAP-Message =
0x010703e8194002010202104001772137d4e942b8ee76aa3c640ab7300d06092a864886f70d
01010b0500303f31243022060355040a131b4469676974616c205369676e6174757265205472
75737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3231
303132303139
(303) Message-Authenticator = 0x00000000000000000000000000000000
(303) State = 0xe37f3d5de67824b242773e627ff3f802
(303) Finished request
Waking up in 0.8 seconds.
(304) Received Access-Request Id 7 from 10.2.254.253:60831 to
10.0.0.248:1812 length 205
(304) User-Name = "kp@<domain-stripped>"
(304) NAS-IP-Address = 10.2.254.253
(304) NAS-Port = 0
(304) NAS-Identifier = "10.2.254.253"
(304) NAS-Port-Type = Wireless-802.11
(304) Calling-Station-Id = "843E1D87F5BF"
(304) Called-Station-Id = "204C03033278"
(304) Service-Type = Framed-User
(304) Framed-MTU = 1100
(304) EAP-Message = 0x020700061900
(304) State = 0xe37f3d5de67824b242773e627ff3f802
(304) Aruba-Essid-Name = "RatseNetL"
(304) Aruba-Location-Id = "AP18"
(304) Aruba-AP-Group = "OS-Trakt"
(304) Message-Authenticator = 0x2c0fc1bf87744bffe4e874075c9484f0
(304) session-state: No cached attributes
(304) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(304) authorize {
(304) [preprocess] = ok
(304) ntdomain: Checking for prefix before "\"
(304) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(304) ntdomain: No such realm "NULL"
(304) [ntdomain] = noop
(304) update control {
(304) &Proxy-To-Realm := LOCAL
(304) } # update control = noop
(304) [chap] = noop
(304) [mschap] = noop
(304) [digest] = noop
(304) eap: Peer sent EAP Response (code 2) ID 7 length 6
(304) eap: Continuing tunnel setup
(304) [eap] = ok
(304) } # authorize = ok
(304) Found Auth-Type = eap
(304) # Executing group from file /etc/freeradius/sites-enabled/default
(304) authenticate {
(304) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(304) eap: Finished EAP session with state 0xe37f3d5de67824b2
(304) eap: Previous EAP request found for state 0xe37f3d5de67824b2, released
from the list
(304) eap: Peer sent packet with method EAP PEAP (25)
(304) eap: Calling submodule eap_peap to process data
(304) eap_peap: Continuing EAP-TLS
(304) eap_peap: Peer ACKed our handshake fragment
(304) eap_peap: [eaptls verify] = request
(304) eap_peap: [eaptls process] = handled
(304) eap: Sending EAP Request (code 1) ID 8 length 729
(304) eap: EAP session adding &reply:State = 0xe37f3d5de57724b2
(304) [eap] = handled
(304) } # authenticate = handled
(304) Using Post-Auth-Type Challenge
(304) Post-Auth-Type sub-section not found. Ignoring.
(304) # Executing group from file /etc/freeradius/sites-enabled/default
(304) Sent Access-Challenge Id 7 from 10.0.0.248:1812 to 10.2.254.253:60831
length 0
(304) EAP-Message =
0x010802d919007970742e6f7267303c0603551d1f043530333031a02fa02d862b687474703a
2f2f63726c2e6964656e74727573742e636f6d2f445354524f4f544341583343524c2e63726c
301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a8648
86f70d01010b
(304) Message-Authenticator = 0x00000000000000000000000000000000
(304) State = 0xe37f3d5de57724b242773e627ff3f802
(304) Finished request
Waking up in 0.8 seconds.
(305) Received Access-Request Id 157 from 10.2.254.253:60831 to
10.0.0.248:1812 length 216
(305) User-Name = "kp@<domain-stripped>"
(305) NAS-IP-Address = 10.2.254.253
(305) NAS-Port = 0
(305) NAS-Identifier = "10.2.254.253"
(305) NAS-Port-Type = Wireless-802.11
(305) Calling-Station-Id = "843E1D87F5BF"
(305) Called-Station-Id = "204C03033278"
(305) Service-Type = Framed-User
(305) Framed-MTU = 1100
(305) EAP-Message = 0x020800111980000000071503030002022d
(305) State = 0xe37f3d5de57724b242773e627ff3f802
(305) Aruba-Essid-Name = "RatseNetL"
(305) Aruba-Location-Id = "AP18"
(305) Aruba-AP-Group = "OS-Trakt"
(305) Message-Authenticator = 0x2db17bbdf81f36dcb1577a0066f224d2
(305) session-state: No cached attributes
(305) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(305) authorize {
(305) [preprocess] = ok
(305) ntdomain: Checking for prefix before "\"
(305) ntdomain: No '\' in User-Name = "kp@<domain-stripped>", looking up
realm NULL
(305) ntdomain: No such realm "NULL"
(305) [ntdomain] = noop
(305) update control {
(305) &Proxy-To-Realm := LOCAL
(305) } # update control = noop
(305) [chap] = noop
(305) [mschap] = noop
(305) [digest] = noop
(305) eap: Peer sent EAP Response (code 2) ID 8 length 17
(305) eap: Continuing tunnel setup
(305) [eap] = ok
(305) } # authorize = ok
(305) Found Auth-Type = eap
(305) # Executing group from file /etc/freeradius/sites-enabled/default
(305) authenticate {
(305) eap: Expiring EAP session with state 0x2b35f9422b37e0b9
(305) eap: Finished EAP session with state 0xe37f3d5de57724b2
(305) eap: Previous EAP request found for state 0xe37f3d5de57724b2, released
from the list
(305) eap: Peer sent packet with method EAP PEAP (25)
(305) eap: Calling submodule eap_peap to process data
(305) eap_peap: Continuing EAP-TLS
(305) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(305) eap_peap: Got complete TLS record (7 bytes)
(305) eap_peap: [eaptls verify] = length included
(305) eap_peap: <<< recv TLS 1.2 [length 0002]
(305) eap_peap: ERROR: TLS Alert read:fatal:certificate expired
(305) eap_peap: ERROR: TLS_accept: Failed in error
(305) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(305) eap_peap: ERROR: error:14094415:SSL routines:ssl3_read_bytes:sslv3
alert certificate expired
(305) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl
handshake failure
(305) eap_peap: ERROR: System call (I/O) error (-1)
(305) eap_peap: ERROR: TLS receive handshake failed during operation
(305) eap_peap: ERROR: [eaptls process] = fail
(305) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module
failed
(305) eap: Sending EAP Failure (code 4) ID 8 length 4
(305) eap: Failed in EAP select
(305) [eap] = invalid
(305) } # authenticate = invalid
(305) Failed to authenticate the user
(305) Using Post-Auth-Type Reject
(305) Post-Auth-Type sub-section not found. Ignoring.
(305) # Executing group from file /etc/freeradius/sites-enabled/default
(305) Login incorrect (eap_peap: TLS Alert read:fatal:certificate expired):
[kp@<domain-stripped>/<via Auth-Type = eap>] (from client wlan_controller
port 0 cli 843E1D87F5BF)
(305) Delaying response for 1.000000 seconds
```
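The short final EAP-Message in request (305) can be decoded byte by byte to see what a 7-byte TLS message contains. The decoder below is an added example, not part of the original post or of FreeRADIUS; its function names are hypothetical, the three hex values are copied from the log above, and it only parses TLS records when the whole TLS message fits in one EAP packet.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_VERSIONS = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the TLS 1.2 alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure",
                      42: "bad_certificate", 43: "unsupported_certificate",
                      44: "certificate_revoked", 45: "certificate_expired",
                      46: "certificate_unknown", 48: "unknown_ca"}


def parse_tls_records(data):
    """Split a byte string into TLS records and decode plaintext alerts."""
    records, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 5:
            raise ValueError("truncated TLS record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, offset)
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record payload")
        record = {"content_type": TLS_CONTENT_TYPES.get(ctype, ctype),
                  "version": TLS_VERSIONS.get((major, minor), (major, minor)),
                  "length": length}
        # An alert sent before encryption starts is exactly 2 bytes: level, description.
        if ctype == 21 and length == 2:
            record["alert"] = (ALERT_LEVELS.get(payload[0], payload[0]),
                               ALERT_DESCRIPTIONS.get(payload[1], payload[1]))
        records.append(record)
        offset += 5 + length
    return records


def decode_eap_tls(hex_value):
    """Decode one EAP-Message attribute value as printed by radiusd -X."""
    text = hex_value[2:] if hex_value.startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("shorter than an EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Long attributes are cut short in the debug output; do not guess the rest.
        raise ValueError("EAP length %d but %d bytes given" % (length, len(raw)))
    result = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 6:
        return result                      # Success/Failure carry no type data
    flags, body = raw[5], raw[6:]
    result.update(type=raw[4],
                  length_included=bool(flags & 0x80),   # L bit
                  more_fragments=bool(flags & 0x40),    # M bit
                  start=bool(flags & 0x20),             # S bit
                  records=[])
    if flags & 0x80:
        if len(body) < 4:
            raise ValueError("L bit set but no TLS message length")
        (result["tls_message_length"],) = struct.unpack("!I", body[:4])
        body = body[4:]
        # Parse records only when the complete TLS message is in this packet.
        if not flags & 0x40 and result["tls_message_length"] == len(body):
            result["records"] = parse_tls_records(body)
    return result


if __name__ == "__main__":
    # Values copied from requests (298), (300) and (305) in the log above.
    for value in ("0x010200061920", "0x020300061900",
                  "0x020800111980000000071503030002022d"):
        print(value, decode_eap_tls(value))
```

A 7-byte TLS message is one unencrypted alert record: a 5-byte record header followed by a 2-byte alert body, here sent by the supplicant to the server.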