Hi,
I am trying to use EAP-TLS between wpa_supplicant and freeradius. I
created the certificates (ca/server/client) as described in
freeradius-server-2.0.5/raddb/certs/README. In
freeradius-server-2.0.5/raddb/users, the following line is added at the end:
    testuser Cleartext-Password := "password"
On wpa_supplicant-0.5.10, I created eapol_test.conf.tls with the following
contents:
    network={
        eap=TLS
        eapol_flags=0
        key_mgmt=IEEE8021X
        identity="testuser"
        ca_cert="/usr/local/etc/raddb/certs/ca.pem"
        client_cert="/usr/local/etc/raddb/certs/[EMAIL PROTECTED]"
        private_key="/usr/local/etc/raddb/certs/client.key"
        private_key_passwd="whatever"
    }
I executed wpa_supplicant (eapol_test) with the following command
(the wpa_supplicant-side logs are after the radius logs, at the end):
    eapol_test -c eapol_test.conf.tls -a127.0.0.1 -p1812 -stesting123 -r1
On running /usr/local/sbin/radiusd -X, I get the following log, including
the error:
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=0,
length=124
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x0200000d017465737475736572
Message-Authenticator = 0x0e5f593f30507d677e8d7e68b072b55f
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 0 length 13
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 0 to 127.0.0.1 port 32770
EAP-Message = 0x01010016041017695d19037d705af68ca37a7262ddcb
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x267673582677771a69809cb3876d58ea
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=1,
length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x02010006030d
State = 0x267673582677771a69809cb3876d58ea
Message-Authenticator = 0x6dd1d34467725c79f19b72ff9612e3ce
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 1 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP NAK
rlm_eap: EAP-NAK asked for EAP-Type/tls
rlm_eap: processing type tls
rlm_eap_tls: Requiring client certificate
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 127.0.0.1 port 32770
EAP-Message = 0x010200060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735827747e1a69809cb3876d58ea
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=2,
length=236
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
0x0202006b0d0016030100600100005c03014874ff7ae4659071f23a8aac506f1f25b7c9f1272eca77a38aaea1b9788b532d00003400390038003500160013000a00330032002f00660005000400630062006100150012000900650064006000140011000800060003020100
State = 0x2676735827747e1a69809cb3876d58ea
Message-Authenticator = 0x1a18c152c7a7d0032d7876c2e02214d3
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 2 length 107
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 085e], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
TLS_accept: SSLv3 write key exchange A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a7], CertificateRequest
TLS_accept: SSLv3 write certificate request A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 2 to 127.0.0.1 port 32770
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0x3f8d16472d4a3eb1ee492fd3
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735824757e1a69809cb3876d58ea
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=3,
length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020300060d00
State = 0x2676735824757e1a69809cb3876d58ea
Message-Authenticator = 0x86f3e31b265162f7716d461a9aae98f2
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 3 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 3 to 127.0.0.1 port 32770
EAP-Message =
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
EAP-Message =
0x3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100ccff47e75ebf3d06a9472810c0352b254cca71cbb52cb8202d29ae967c715640e4d2b6c3e60641c4d54fdc03fe6ebdfb1953dc1b8c1f44202cf488249d37f2b7902efdf546fabb283a9653
EAP-Message =
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
EAP-Message =
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
EAP-Message = 0xfb36d1078bef2f36de91d2b5
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735825727e1a69809cb3876d58ea
Finished request 3.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=4,
length=135
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400060d00
State = 0x2676735825727e1a69809cb3876d58ea
Message-Authenticator = 0xd88cda63a2776910572007659978dff0
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 4 length 6
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: ack handshake fragment handler
eaptls_verify returned 1
eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 4 to 127.0.0.1 port 32770
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
0x310b3009060355040613024652310f300d060355040813065261646975733112301006035504071309536f6d65776865726531153013060355040a130c4578616d706c6520496e632e3120301e06092a864886f70d010901161161646d696e406578616d706c652e636f6d312630240603550403131d4578616d706c6520436572746966696361746520417574686f726974790e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x2676735822737e1a69809cb3876d58ea
Finished request 4.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 32770, id=5,
length=1532
User-Name = "testuser"
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = "02-00-00-00-00-01"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
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
EAP-Message =
0xd50749f461997927394171b785ff74c98d883674fc8035287993a279f1ffa72b9c4cbc6b96fcaad6e5daaca7bd9aca988c6a8b3c487bd1e5cc73dd3c3c59f8ec39549ebeb61403010001011603010030f1c1d6ee34104fca2869c989529493079d85690315b83299b5d9567823fea467b507af2267dd69305c7d35d7809adf12
State = 0x2676735822737e1a69809cb3876d58ea
Message-Authenticator = 0xcc6ace4662072c78666cb7d873d7a354
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_eap: EAP packet type response id 5 length 253
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: Request found, released from the list
rlm_eap: EAP/tls
rlm_eap: processing type tls
rlm_eap_tls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0395], Certificate
--> verify error:num=20:unable to get local issuer certificate
rlm_eap_tls: >>> TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert write:fatal:unknown CA
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
eaptls_process returned 13
rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Found Post-Auth-Type Reject
+- entering group REJECT
expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 5 to 127.0.0.1 port 32770
EAP-Message = 0x04050004
Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5.
Going to the next request
Waking up in 4.4 seconds.
Cleaning up request 0 ID 0 with timestamp +4
Cleaning up request 1 ID 1 with timestamp +4
Cleaning up request 2 ID 2 with timestamp +4
Cleaning up request 3 ID 3 with timestamp +4
Waking up in 0.1 seconds.
Cleaning up request 4 ID 4 with timestamp +4
Waking up in 0.2 seconds.
Cleaning up request 5 ID 5 with timestamp +5
Ready to process requests.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
wpa_supplicant logs (copying only the FAILURE logs seen at the end)
++++++++++++++++++++++++++++++++++++++++++++++++++++++
EAPOL: SUPP_BE entering state RECEIVE
Received 44 bytes from RADIUS server
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=5 length=44
Attribute 79 (EAP-Message) length=6
Value: 04 05 00 04
Attribute 80 (Message-Authenticator) length=18
Value: 7a 61 25 5b 8e cd 44 3b 18 b1 af e3 82 fd 32 5d
STA 02:00:00:00:00:01: Received RADIUS packet matched with a pending
request, round trip time 0.00 sec
RADIUS packet matching with station
decapsulated EAP packet (code=4 id=5 len=4) from RADIUS server: EAP
Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=0
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 2
FAILURE
Regards,
Gaurav Kansal
-------------------------------------------------------------------------
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html