Hi, I recently upgraded from the CVS version of freeradius to 1.0.0-pre3. Since then, my previously functional EAP/TLS config has stopped working. I've modified the config to reflect the new use of eap.conf, rather than the built-in eap module. There have been no changes to the certificates, no changes to the version of OpenSSL and no change to the supplicant (Funk Odyssey 3.0 running on Windows XP SP1).
Below is the output from radiusd -X. I apologise that it's such a long log. I believe that the relevant information is right at the end.

buddhist# radiusd -X
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
main: prefix = "/usr/local"
main: localstatedir = "/usr/local/var"
main: logdir = "/usr/local/var/log/radius"
main: libdir = "/usr/local/lib"
main: radacctdir = "/usr/local/var/log/radius/radacct"
main: hostname_lookups = no
main: max_request_time = 30
main: cleanup_delay = 5
main: max_requests = 1024
main: delete_blocked_requests = 0
main: port = 1812
main: allow_core_dumps = no
main: log_stripped_names = no
main: log_file = "/usr/local/var/log/radius/radius.log"
main: log_auth = yes
main: log_auth_badpass = yes
main: log_auth_goodpass = no
main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid"
main: bind_address = 192.168.103.1 IP address [192.168.103.1]
main: user = "nobody"
main: group = "nobody"
main: usercollide = no
main: lower_user = "no"
main: lower_pass = "no"
main: nospace_user = "no"
main: nospace_pass = "no"
main: checkrad = "/usr/local/sbin/checkrad"
main: proxy_requests = yes
proxy: retry_delay = 5
proxy: retry_count = 3
proxy: synchronous = no
proxy: default_fallback = yes
proxy: dead_time = 120
proxy: post_proxy_authorize = yes
proxy: wake_all_if_all_dead = no
security: max_attributes = 200
security: reject_delay = 1
security: status_server = no
main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
exec: wait = yes
exec: program = "(null)"
exec: input_pairs = "request"
exec: output_pairs = "(null)"
exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
mschap: use_mppe = yes
mschap: require_encryption = no
mschap: require_strong = no
mschap: with_ntdomain_hack = no
mschap: passwd = "(null)"
mschap: authtype = "MS-CHAP"
mschap: ntlm_auth = "(null)"
Module: Instantiated mschap (mschap)
Module: Loaded System
unix: cache = no
unix: passwd = "(null)"
unix: shadow = "(null)"
unix: group = "(null)"
unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
unix: usegroup = no
unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
eap: default_eap_type = "tls"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/usr/local/etc/raddb/certs/radiusprivkey.pem"
tls: certificate_file = "/usr/local/etc/raddb/certs/radiuscert.pem"
tls: CA_file = "/usr/local/ssl/private/cacert.pem"
tls: private_key_password = "muzzy28"
tls: dh_file = "/usr/local/etc/raddb/certs/dh"
tls: random_file = "/usr/local/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = no
ttls: use_tunneled_reply = no
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
Module: Loaded preprocess
preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups"
preprocess: hints = "/usr/local/etc/raddb/hints"
preprocess: with_ascend_hack = no
preprocess: ascend_channels_per_line = 23
preprocess: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
realm: format = "suffix"
realm: delimiter = "@"
realm: ignore_default = no
realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
files: usersfile = "/usr/local/etc/raddb/users"
files: acctusersfile = "/usr/local/etc/raddb/acct_users"
files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
files: compat = "no"
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail
detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
detail: detailperm = 384
detail: dirperm = 493
detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
radutmp: filename = "/usr/local/var/log/radius/radutmp"
radutmp: username = "%{User-Name}"
radutmp: case_sensitive = yes
radutmp: check_with_nas = yes
radutmp: perm = 384
radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
Listening on authentication 192.168.103.1:1812
Listening on accounting 192.168.103.1:1813
Listening on proxy 192.168.103.1:1814
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.103.253:1590, id=68, length=126
    User-Name = "000d5499164e"
    User-Password = "000d5499164e"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    NAS-Port = 38
    NAS-Port-Type = Wireless-802.11
    Cisco-AVPair = "ssid=IPARCH"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "mschap" returns noop for request 0
rlm_realm: No '@' in User-Name = "000d5499164e", looking up realm NULL
rlm_realm: Found realm "NULL"
rlm_realm: Adding Stripped-User-Name = "000d5499164e"
rlm_realm: Proxying request from user 000d5499164e to realm NULL
rlm_realm: Adding Realm = "NULL"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 0
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 0
modcall[authorize]: module "files" returns notfound for request 0
modcall: group authorize returns ok for request 0
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.
Login incorrect: [000d5499164e/000d5499164e] (from client Aironet port 38 cli 000d5499164e)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1591, id=69, length=163
    User-Name = "[EMAIL PROTECTED]"
    Cisco-AVPair = "ssid=IPARCH"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
    NAS-Port = 38
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x027700140167757964406970617263682e6e6574
    Message-Authenticator = 0x1c1de4a30edd950ba5bbea0f08f327ac
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
modcall[authorize]: module "preprocess" returns ok for request 1
modcall[authorize]: module "chap" returns noop for request 1
modcall[authorize]: module "mschap" returns noop for request 1
rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "iparch.net"
rlm_realm: Adding Stripped-User-Name = "guyd"
rlm_realm: Proxying request from user guyd to realm iparch.net
rlm_realm: Adding Realm = "iparch.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 1
rlm_eap: EAP packet type response id 119 length 20
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 1
modcall[authorize]: module "files" returns notfound for request 1
modcall: group authorize returns updated for request 1
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 69 to 192.168.103.253:1591
    EAP-Message = 0x017800060d20
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x59282ed36502e054ab4a17d0eae911ac
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1592, id=70, length=259
    User-Name = "[EMAIL PROTECTED]"
    Cisco-AVPair = "ssid=IPARCH"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0x59282ed36502e054ab4a17d0eae911ac
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x027800620d800000005816030100530100004f030140d9f16da7f3c425ed603d801a4f 8c930a7ac34f41c7f1dec1529d967929e19b00002800160013006600150012000a000500 040009006300650060006200610064001400110003000600080100
    Message-Authenticator = 0x6fdf66c7c95156e555bf5082ec52dc8c
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
modcall[authorize]: module "preprocess" returns ok for request 2
modcall[authorize]: module "chap" returns noop for request 2
modcall[authorize]: module "mschap" returns noop for request 2
rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "iparch.net"
rlm_realm: Adding Stripped-User-Name = "guyd"
rlm_realm: Proxying request from user guyd to realm iparch.net
rlm_realm: Adding Realm = "iparch.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 2
rlm_eap: EAP packet type response id 120 length 98
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 2
modcall[authorize]: module "files" returns notfound for request 2
modcall: group authorize returns updated for request 2
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0053], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0a1f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00cc], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept:error in SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 70 to 192.168.103.253:1592
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xc8990606d021a95d865fe859761a9804
Finished request 2
Going to the next request
--- Walking the entire request list ---
Sending Access-Reject of id 68 to 192.168.103.253:1590
Waking up in 4 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1593, id=71, length=167
    User-Name = "[EMAIL PROTECTED]"
    Cisco-AVPair = "ssid=IPARCH"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0xc8990606d021a95d865fe859761a9804
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x027900060d00
    Message-Authenticator = 0xdf2986fe7157def30bdde9d136983fce
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
modcall[authorize]: module "chap" returns noop for request 3
modcall[authorize]: module "mschap" returns noop for request 3
rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "iparch.net"
rlm_realm: Adding Stripped-User-Name = "guyd"
rlm_realm: Proxying request from user guyd to realm iparch.net
rlm_realm: Adding Realm = "iparch.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 3
rlm_eap: EAP packet type response id 121 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall[authorize]: module "files" returns notfound for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 71 to 192.168.103.253:1593
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x1951dc5b3a356ec80a81c6101f826c23
Finished request 3
Going to the next request
--- Walking the entire request list ---
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1594, id=72, length=167
    User-Name = "[EMAIL PROTECTED]"
    Cisco-AVPair = "ssid=IPARCH"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0x1951dc5b3a356ec80a81c6101f826c23
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    EAP-Message = 0x027a00060d00
    Message-Authenticator = 0x34e5f0775aa1a19f1c91d6e1c6eb1bdf
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "iparch.net"
rlm_realm: Adding Stripped-User-Name = "guyd"
rlm_realm: Proxying request from user guyd to realm iparch.net
rlm_realm: Adding Realm = "iparch.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 122 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall[authorize]: module "files" returns notfound for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 72 to 192.168.103.253:1594
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x7d6f2c09caa53c378167f97a865b40be
Finished request 4
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1595, id=73, length=1571
    User-Name = "[EMAIL PROTECTED]"
    Cisco-AVPair = "ssid=IPARCH"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0x7d6f2c09caa53c378167f97a865b40be
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    Message-Authenticator = 0x4412a92a4149941015a3cda010009895
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
modcall[authorize]: module "chap" returns noop for request 5
modcall[authorize]: module "mschap" returns noop for request 5
rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "iparch.net"
rlm_realm: Adding Stripped-User-Name = "guyd"
rlm_realm: Proxying request from user guyd to realm iparch.net
rlm_realm: Adding Realm = "iparch.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 5
rlm_eap: EAP packet type response id 123 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
modcall[authorize]: module "files" returns notfound for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS First Fragment of the message
eaptls_verify returned 9
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 5
modcall: group authenticate returns handled for request 5
Sending Access-Challenge of id 73 to 192.168.103.253:1595
    EAP-Message = 0x017c00060d00
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x6bdbb6fe6590dc59560eea5d883a6288
Finished request 5
Going to the next request
Waking up in 3 seconds...
rad_recv: Access-Request packet from host 192.168.103.253:1596, id=74, length=1375
    User-Name = "[EMAIL PROTECTED]"
    Cisco-AVPair = "ssid=IPARCH"
    NAS-IP-Address = 192.168.103.253
    Called-Station-Id = "004096311e3b"
    Calling-Station-Id = "000d5499164e"
    NAS-Identifier = "Aironet"
    NAS-Port = 38
    Framed-MTU = 1400
    State = 0x6bdbb6fe6590dc59560eea5d883a6288
    NAS-Port-Type = Wireless-802.11
    Service-Type = Login-User
    Message-Authenticator = 0x26470ac969ad0d74287d181c69d9a770
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
modcall[authorize]: module "preprocess" returns ok for request 6
modcall[authorize]: module "chap" returns noop for request 6
modcall[authorize]: module "mschap" returns noop for request 6
rlm_realm: Looking up realm "iparch.net" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "iparch.net"
rlm_realm: Adding Stripped-User-Name = "guyd"
rlm_realm: Proxying request from user guyd to realm iparch.net
rlm_realm: Adding Realm = "iparch.net"
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module "suffix" returns noop for request 6
rlm_eap: EAP packet type response id 124 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
modcall[authorize]: module "files" returns notfound for request 6
modcall: group authorize returns updated for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0907], Certificate
chain-depth=1, error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = IP Architectures CA
--> subject = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/OU=Certificate Authority/CN=IP Architectures CA/[EMAIL PROTECTED]
--> issuer = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/OU=Certificate Authority/CN=IP Architectures CA/[EMAIL PROTECTED]
--> verify return:1
chain-depth=0, error=0
--> User-Name = [EMAIL PROTECTED]
--> BUF-Name = [EMAIL PROTECTED]
--> subject = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/[EMAIL PROTECTED]/[EMAIL PROTECTED]
--> issuer = /C=GB/ST=Hampshire/L=Church Crookham/O=IP Architectures/OU=Certificate Authority/CN=IP Architectures CA/[EMAIL PROTECTED]
--> verify return:1
TLS_accept: SSLv3 read client certificate A
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert read:fatal:handshake failure
TLS_accept:failed in SSLv3 read certificate verify A
3940:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
3940:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
In SSL Handshake Phase
In SSL Accept mode
rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns reject for request 6
modcall: group authenticate returns reject for request 6
auth: Failed to validate the user.
Login incorrect: [EMAIL PROTECTED]/<no User-Password attribute>] (from client Aironet port 38 cli 000d5499164e)
Delaying request 6 for 1 seconds
Finished request 6
Going to the next request
Waking up in 3 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 68 with timestamp 40d9f13e
Sending Access-Reject of id 74 to 192.168.103.253:1596
    EAP-Message = 0x047c0004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 69 with timestamp 40d9f13f
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 70 with timestamp 40d9f140
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 3 ID 71 with timestamp 40d9f141
Cleaning up request 4 ID 72 with timestamp 40d9f141
Cleaning up request 5 ID 73 with timestamp 40d9f141
Cleaning up request 6 ID 74 with timestamp 40d9f141
Nothing to do. Sleeping until we see a request.

Regards,
Guy
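Added example, not part of the original post: a short triage script for the failing exchange in the debug output above. It reads the alert line, the failed handshake state and the two OpenSSL error-queue lines to show which side aborted the handshake and at what point; the function names `unpack_err` and `triage` are hypothetical, and the sample lines are copied from the post.

```python
import re

# Lines copied from the radiusd -X output in the post above.
LOG = """\
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert read:fatal:handshake failure
TLS_accept:failed in SSLv3 read certificate verify A
3940:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
3940:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c:837:
"""

ALERT_OFFSET = 1000  # OpenSSL reports a received alert N as reason 1000 + N


def unpack_err(code_hex):
    """Split a packed OpenSSL (pre-3.0) error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def triage(log):
    """Report who sent the TLS alert and which handshake state the server was in."""
    out = {"alert_from": None, "alert": None, "failed_state": None,
           "peer_alert_numbers": []}
    for line in log.splitlines():
        m = re.match(r"TLS Alert (read|write):(\w+):(.+)", line)
        if m:
            # "read": the server received the alert; "write": the server sent it
            out["alert_from"] = "peer" if m.group(1) == "read" else "server"
            out["alert"] = (m.group(2), m.group(3).strip())
            continue
        m = re.match(r"TLS_accept:failed in (.+)", line)
        if m:
            out["failed_state"] = m.group(1).strip()
            continue
        m = re.match(r"\d+:error:([0-9A-Fa-f]{8}):", line)
        if m:
            _lib, _func, reason = unpack_err(m.group(1))
            if reason >= ALERT_OFFSET:
                out["peer_alert_numbers"].append(reason - ALERT_OFFSET)
    return out


if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(f"{key}: {value}")
```

For this log the result is a fatal alert 40 received from the supplicant while the server was waiting for the CertificateVerify message, so the supplicant's own log is the next place to look.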