Hello,

I have the following message in the radius.log
 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
I tried with an Intel adapter and a Cisco adapter. The result is the same.
I tried with different SSL certificates, but it's the same.

Can somebody help me?
Thanks

Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/radius093/etc/raddb/proxy.conf
Config: including file: /usr/local/radius093/etc/raddb/clients.conf
Config: including file: /usr/local/radius093/etc/raddb/snmp.conf
Config: including file: /usr/local/radius093/etc/raddb/sql.conf
main: prefix = "/usr/local/radius093"
main: localstatedir = "/usr/local/radius093/var"
main: logdir = "/usr/local/radius093/var/log/radius"
main: libdir = "/usr/local/radius093/lib"
main: radacctdir = "/usr/local/radius093/var/log/radius/radacct"
main: hostname_lookups = no
main: snmp = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1912
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/radius093/var/log/radius/radius.log"
main: log_auth = no
main: log_auth_badpass = no
main: log_auth_goodpass = no
main: pidfile = "/usr/local/radius093/var/run/radiusd/radiusd.pid"
main: user = "(null)"
main: group = "(null)"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/radius093/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
Using deprecated clients file. Support for this will go away soon.
read_config_files: reading realms
Using deprecated realms file. Support for this will go away soon.
radiusd: entering modules setup
Module: Library search path is /usr/local/radius093/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/radius093/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "peap"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/radius093/etc/raddb/cert-srv4-key.pem"
tls: certificate_file = "/usr/local/radius093/etc/raddb/cert-srv4.pem"
tls: CA_file = "/usr/local/radius093/etc/raddb/root4.pem"
tls: private_key_password = "xxxxxxx"
tls: dh_file = "/usr/local/radius093/etc/raddb/DH"
tls: random_file = "/usr/local/radius093/etc/raddb/random"
tls: fragment_size = 1024
tls: include_length = no
tls: check_crl = no
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
peap: default_eap_type = "mschapv2"
peap: copy_request_to_tunnel = no
peap: use_tunneled_reply = no
rlm_eap: Loaded and initialized type peap
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/radius093/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/radius093/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/radius093/etc/raddb/users"
files: acctusersfile = "/usr/local/radius093/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/radius093/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/radius093/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/radius093/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on IP address *, ports 1912/udp and 1913/udp, with proxy on 1914/udp.
Ready to process requests.
rad_recv: Access-Request packet from host 172.20.237.238:1645, id=0, length=133
User-Name = "quetwilf"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.56e9"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0x3055534bc48d25dacbdf31697767e9c5
EAP-Message = 0x0202000d017175657477696c66
NAS-Port-Type = Virtual
NAS-Port = 274
NAS-IP-Address = 172.20.237.238
NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "quetwilf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: EAP packet type response id 2 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 0
users: Matched DEFAULT at 152
users: Matched quetwilf at 217
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns updated for request 0
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 0
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 0
modcall: group authenticate returns handled for request 0
Sending Access-Challenge of id 0 to 172.20.237.238:1645
Reply-Message = " YYYYYEEEESSSSSSSSSS, %u"
EAP-Message = 0x010300061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x024e9a6685042b99c22e22bd3246aa85
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.20.237.238:1645, id=1, length=218
User-Name = "quetwilf"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.56e9"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0x9040d9ef12be03da5c0b94fd318514b4
EAP-Message = 0x0203005019800000004616030100410100003d0301403b26a13dd578
cbf8d67381c84a5f491d5828a401f72ad1eb97e5bfbff9e75200001600040005000a000900640062
000300060013001200630100
NAS-Port-Type = Virtual
NAS-Port = 274
State = 0x024e9a6685042b99c22e22bd3246aa85
NAS-IP-Address = 172.20.237.238
NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: No '@' in User-Name = "quetwilf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 3 length 80
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
users: Matched DEFAULT at 152
users: Matched quetwilf at 217
modcall[authorize]: module "files" returns ok for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 1
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0376], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 1 to 172.20.237.238:1645
Reply-Message = " YYYYYEEEESSSSSSSSSS, %u"
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xef56419098394bd6cf50002f7a6ac992
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.20.237.238:1645, id=2, length=330
User-Name = "quetwilf"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.56e9"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0x8f0c153b965ce294e3f5312b0682deba
EAP-Message = 0x020400c01980000000b616030100861000008200800f56da7d278440
713810c35c45836a65c52be7565863cd6bd3d44271da86d01d7382f06a592b102431b368b887a210
e79c4f9e438401645dae4858e3b3ad3d5cf6e401ab27dbd092660daee207528a3ddb096002682943
7a04c22ad396b205aa588e8582de1cd1d24e13119a22cb56ec059647a112b77565cd807309980f85
881403010001011603010020a228a20497224064c60a0ba30a3e583986f62d7ff77234eb75f16963
2c7c815b
NAS-Port-Type = Virtual
NAS-Port = 274
State = 0xef56419098394bd6cf50002f7a6ac992
NAS-IP-Address = 172.20.237.238
NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: No '@' in User-Name = "quetwilf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 4 length 192
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
users: Matched DEFAULT at 152
users: Matched quetwilf at 217
modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
rlm_eap_peap: EAPTLS_HANDLED
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 2 to 172.20.237.238:1645
Reply-Message = " YYYYYEEEESSSSSSSSSS, %u"
EAP-Message = 0x0105003119001403010001011603010020e2d84bb819f8b0f071af71
dbd99df82724dbdc1c72c26647bb23fc55563e2c4e
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x474bc9eb5f988655822a2a347b9d77d6
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.20.237.238:1645, id=3, length=171
User-Name = "quetwilf"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.56e9"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0x65305c6f064bce8fcbf97217426e1219
EAP-Message = 0x02050021198000000017150301001222b4b0c3391151f24bda622edd
8a5c802393
NAS-Port-Type = Virtual
NAS-Port = 274
State = 0x474bc9eb5f988655822a2a347b9d77d6
NAS-IP-Address = 172.20.237.238
NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: No '@' in User-Name = "quetwilf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 5 length 33
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
users: Matched DEFAULT at 152
users: Matched quetwilf at 217
modcall[authorize]: module "files" returns ok for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/peap
rlm_eap: processing type peap
rlm_eap_peap: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_peap: EAPTLS_OK
rlm_eap_peap: Session established. Proceeding to decode tunneled attributes.
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal access_denied
TLS Alert read:fatal:access denied
rlm_eap_peap: No data inside of the tunnel.
rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 3
modcall: group authenticate returns invalid for request 3
auth: Failed to validate the user.
Delaying request 3 for 1 seconds
Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 403b26a1
Cleaning up request 1 ID 1 with timestamp 403b26a1
Cleaning up request 2 ID 2 with timestamp 403b26a1
Sending Access-Reject of id 3 to 172.20.237.238:1645
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Reply-Message = " YYYYYEEEESSSSSSSSSS, %u"
Cleaning up request 3 ID 3 with timestamp 403b26a1
Nothing to do. Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.20.237.238:1645, id=4, length=133
User-Name = "quetwilf"
Framed-MTU = 1400
Called-Station-Id = "000c.ceff.56e9"
Calling-Station-Id = "0004.2372.d636"
Message-Authenticator = 0xd9f4904473d3b1262b8ad5742220bb04
EAP-Message = 0x0201000d017175657477696c66
NAS-Port-Type = Virtual
NAS-Port = 275
NAS-IP-Address = 172.20.237.238
NAS-Identifier = "aironet-si-2"
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "quetwilf", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 1 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched DEFAULT at 152
users: Matched quetwilf at 217
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type eap
auth: type "EAP"
modcall: entering group authenticate for request 4
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 4 to 172.20.237.238:1645
Reply-Message = " YYYYYEEEESSSSSSSSSS, %u"
EAP-Message = 0x010200061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3e314e3711dd5d616c3196b87a400c83
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 4 with timestamp 403b26a9
Nothing to do. Sleeping until we see a request.




--
------------------------------------------
- Wilfried QUET                          -
- Université de Technologie de Compiègne -
- Service Informatique                   -
- mail :  [EMAIL PROTECTED]                   -
------------------------------------------


- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
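
The EAP-Message values in the debug output above can be decoded to see which TLS records the client sent in each request. The following is an added example, not part of the original post and not FreeRADIUS code: a small decoder for the EAP header, the EAP-TLS/PEAP flags byte and the TLS record headers, applied to the client packets copied from requests 1 and 3. The function name and lookup tables are this example's own.

```python
# Added example: decode EAP-TLS/PEAP framing of EAP-Message values from the log.
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_RECORD = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
              23: "ApplicationData"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone", 16: "ClientKeyExchange"}

def decode_eap_message(hex_value):
    """Return a dict describing one EAP packet and the TLS records in it."""
    text = "".join(hex_value.split())          # the log wraps long values
    if text.lower().startswith("0x"):
        text = text[2:]
    data = bytes.fromhex(text)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length > len(data):
        raise ValueError("EAP length field exceeds the bytes available")
    data = data[:length]
    out = {"code": EAP_CODE.get(code, code), "id": ident, "length": length,
           "type": None, "records": []}
    if code not in (1, 2) or length < 5:       # Success/Failure carry no type
        return out
    out["type"] = EAP_TYPE.get(data[4], data[4])
    if data[4] not in (13, 21, 25) or length < 6:
        return out
    flags, pos = data[5], 6
    out["more_fragments"] = bool(flags & 0x40)
    if flags & 0x80 and length >= 10:          # L bit: 4-byte TLS length
        out["tls_length"] = struct.unpack("!I", data[6:10])[0]
        pos = 10
    encrypted = False                          # true once CCS has been seen
    while pos + 5 <= length:
        rtype, major, minor, rlen = struct.unpack("!BBBH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rlen]
        rec = {"record": TLS_RECORD.get(rtype, rtype),
               "version": (major, minor), "length": rlen,
               "complete": len(body) == rlen}  # False if fragmented
        if rtype == 22 and body and not encrypted:
            rec["handshake"] = HANDSHAKE.get(body[0], body[0])
        if rtype == 21:
            # A plaintext alert is exactly 2 bytes (level, description).
            rec["encrypted"] = rlen != 2
        out["records"].append(rec)
        encrypted = encrypted or rtype == 20
        pos += 5 + rlen
    return out

# Values copied from the log: the client's packets in request 1 and request 3.
REQUEST_1 = ("0x0203005019800000004616030100410100003d0301403b26a13dd578"
             "cbf8d67381c84a5f491d5828a401f72ad1eb97e5bfbff9e75200001600040005000a000900640062"
             "000300060013001200630100")
REQUEST_3 = "0x02050021198000000017150301001222b4b0c3391151f24bda622edd8a5c802393"

if __name__ == "__main__":
    for name, value in (("request 1", REQUEST_1), ("request 3", REQUEST_3)):
        print(name, decode_eap_message(value))
```

The request 3 packet decodes to a single 18-byte Alert record sent by the client inside the established tunnel; it is encrypted on the wire, which is why the server prints it as a 2-byte alert only after decryption.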
