Hi, during the client authentication process FreeRadius (0.9.1) reports the attached messages.
Here I see two problems:

TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2

and

rlm_eap: EAP packet type notification id 6 length 17
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 1
Error in SSL ..... 1
rlm_eap_tls: BIO_read Error
Error code is ..... 1
Error in SSL ..... 1
rlm_eap: Freeing handler

I use the example certificates that are available in http://www.missl.cs.umd.edu/wireless/eaptls/

What do these messages mean, what has to be done?

Kind regards,
Olaf

_______________________________________________

Ready to process requests.
rad_recv: Access-Request packet from host 172.31.128.21:32798, id=1, length=150
    User-Name = "olaf"
    NAS-IP-Address = 172.31.128.21
    NAS-Port = 1
    Called-Station-Id = "00-09-5B-3B-B1-FA:MyMedLAN"
    Calling-Station-Id = "00-0B-FD-E7-65-9D"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02030009016f6c6166
    Message-Authenticator = 0xd01c6d88de21535ee0010eef5fad806f
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 3 length 9
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "olaf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched olaf at 90
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 3 length 9
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
radius_xlat: 'Hello, olaf'
Sending Access-Challenge of id 1 to 172.31.128.21:32798
    Reply-Message = "Hello, olaf"
    EAP-Message = 0x010400060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x8d042b88745e96d2f5f4ac980656fcfd64c0693fe7f4ad2c1dc906f9acd5e8f1bc5529be
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.31.128.21:32798, id=2, length=291
    User-Name = "olaf"
    NAS-IP-Address = 172.31.128.21
    NAS-Port = 1
    Called-Station-Id = "00-09-5B-3B-B1-FA:MyMedLAN"
    Calling-Station-Id = "00-0B-FD-E7-65-9D"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020400700d800000006616030100610100005d03013f69bf7192dc0a3fd21b9938493987b5ce7eac9cec59a560ed32835035369c8000003600390038003500160013000a00330032002f0007006600050004006300620061001500120009006500640060001400110008000600030100
    State = 0x8d042b88745e96d2f5f4ac980656fcfd64c0693fe7f4ad2c1dc906f9acd5e8f1bc5529be
    Message-Authenticator = 0xf89a4df4d08affd50fadb8773ad62fc0
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 4 length 112
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "olaf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched olaf at 90
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 4 length 112
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
undefined: before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0061], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 07aa], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00b1], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 2
SSL Error ..... 2
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
radius_xlat: 'Hello, olaf'
Sending Access-Challenge of id 2 to 172.31.128.21:32798
    Reply-Message = "Hello, olaf"
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x357254e5fb5a552b83b13f60ff39f2f965c0693f46a004f580503a3d66ee0374bedc63d0
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.31.128.21:32798, id=3, length=185
    User-Name = "olaf"
    NAS-IP-Address = 172.31.128.21
    NAS-Port = 1
    Called-Station-Id = "00-09-5B-3B-B1-FA:MyMedLAN"
    Calling-Station-Id = "00-0B-FD-E7-65-9D"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020500060d00
    State = 0x357254e5fb5a552b83b13f60ff39f2f965c0693f46a004f580503a3d66ee0374bedc63d0
    Message-Authenticator = 0xdc4458f72033d77cbb2d90dcef4156ec
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 5 length 6
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "olaf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched olaf at 90
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 5 length 6
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Received EAP-TLS ACK message
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
radius_xlat: 'Hello, olaf'
Sending Access-Challenge of id 3 to 172.31.128.21:32798
    Reply-Message = "Hello, olaf"
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x155775bacc87b5bf8e95a946c95c69c765c0693f4eb1be5bfa48b42ea59c72e4e65fe257
Finished request 2
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.31.128.21:32798, id=4, length=196
    User-Name = "olaf"
    NAS-IP-Address = 172.31.128.21
    NAS-Port = 1
    Called-Station-Id = "00-09-5B-3B-B1-FA:MyMedLAN"
    Calling-Station-Id = "00-0B-FD-E7-65-9D"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x020600110d80000000071503010002022a
    State = 0x155775bacc87b5bf8e95a946c95c69c765c0693f4eb1be5bfa48b42ea59c72e4e65fe257
    Message-Authenticator = 0x6eb0b7961bab7476e66d16f905002e73
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 6 length 17
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "olaf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched olaf at 90
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 6 length 17
rlm_eap: EAP Start not found
rlm_eap: Request found, released from the list
rlm_eap: EAP_TYPE - tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: Length Included
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal bad_certificate
TLS Alert read:fatal:bad certificate
TLS_accept:failed in SSLv3 read client certificate A
rlm_eap_tls: SSL_read Error
Error code is ..... 1
Error in SSL ..... 1
rlm_eap_tls: BIO_read Error
Error code is ..... 1
Error in SSL ..... 1
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
radius_xlat: 'Hello, olaf'
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.31.128.21:32798, id=4, length=196
Sending Access-Reject of id 4 to 172.31.128.21:32798
    EAP-Message = 0x04060004
    Message-Authenticator = 0x00000000000000000000000000000000
    Reply-Message = "Hello, olaf"
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 172.31.128.21:32798, id=0, length=150
    User-Name = "olaf"
    NAS-IP-Address = 172.31.128.21
    NAS-Port = 1
    Called-Station-Id = "00-09-5B-3B-B1-FA:MyMedLAN"
    Calling-Station-Id = "00-0B-FD-E7-65-9D"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x02000009016f6c6166
    Message-Authenticator = 0xd4c8a0bd58662d8e452f1c3dc88fe1f4
modcall: entering group authorize
modcall[authorize]: module "preprocess" returns ok
modcall[authorize]: module "chap" returns noop
rlm_eap: EAP packet type notification id 0 length 9
rlm_eap: EAP Start not found
modcall[authorize]: module "eap" returns updated
rlm_realm: No '@' in User-Name = "olaf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop
users: Matched olaf at 90
modcall[authorize]: module "files" returns ok
modcall[authorize]: module "mschap" returns noop
modcall: group authorize returns updated
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate
rlm_eap: EAP packet type notification id 0 length 9
rlm_eap: EAP Start not found
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns ok
modcall: group authenticate returns ok
radius_xlat: 'Hello, olaf'
Sending Access-Challenge of id 0 to 172.31.128.21:32798
    Reply-Message = "Hello, olaf"
    EAP-Message = 0x010100060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x4549787ad96b38792a129c386445d18765c0693f4ff3d928a427a2f91759cefede272b0f
Finished request 5
Going to the next request
Waking up in 5 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 1 with timestamp 3f69c064
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 5 ID 0 with timestamp 3f69c065
Cleaning up request 1 ID 2 with timestamp 3f69c065
Cleaning up request 2 ID 3 with timestamp 3f69c065
Cleaning up request 3 ID 4 with timestamp 3f69c065
Nothing to do. Sleeping until we see a request.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
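
Added example, not part of the original post and not FreeRADIUS code: a Python decoder for the short EAP-Message values in the debug log above. Applied to the value from the Access-Request with id=4, it shows that the fatal bad_certificate alert travels in an EAP Response, so it was sent by the client (supplicant) and read by the server. The function and table names are this example's own.

```python
import struct

# Name tables hold only the values needed here (EAP codes/types, TLS record types, alerts).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS"}
TLS_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 45: "certificate_expired", 48: "unknown_ca"}

def tls_records(data):
    """Walk plaintext TLS records. Only valid for the first fragment of a TLS
    message; a record cut short by EAP fragmentation gets complete=False."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"type": TLS_TYPES.get(ctype, ctype), "version": (major, minor),
               "length": rlen, "complete": len(body) == rlen}
        if ctype == 21 and len(body) == 2:  # unencrypted alert: level, description
            rec["alert"] = ({1: "warning", 2: "fatal"}.get(body[0], body[0]),
                            ALERTS.get(body[1], body[1]))
        records.append(rec)
        pos += 5 + rlen
    return records

def decode_eap(hex_value):
    """Decode one EAP-Message attribute value as printed in the debug log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("truncated EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:  # Success/Failure carry no type and no data
        return out
    eap_type, data = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif eap_type == 13 and data:
        flags, tls = data[0], data[1:]
        out["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80:  # L flag: 4-byte total TLS message length comes first
            if len(tls) < 4:
                raise ValueError("L flag set but TLS message length missing")
            out["tls_message_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        out["records"] = tls_records(tls)
    return out

# Value copied from the Access-Request with id=4 in the log above.
ALERT_PACKET = decode_eap("0x020600110d80000000071503010002022a")
```

The same function decodes the other short values in the log: the Identity response, the EAP-TLS Start request, the empty ACK and the final Failure.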
