Nope, I tried that too. Sorry for not putting that in the original message. In fact, that is what led me to find out that the EAP type was being set wrong.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
900 College St.
Belton TX. 76513
Fone: 254-295-4658
Phax: 254-295-4221
HTTP://WWW.UMHB.EDU

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: Monday, May 07, 2012 7:21 AM
To: [email protected]
Subject: Re: [PacketFence-users] EAP type getting set to EAP-TLS

Jake,

If you unselect "Validate Server Certificate" is it better?

On 12-05-06 8:30 PM, Sallee, Stephen (Jake) wrote:
> I am seeing something strange, my 802.1x clients cannot connect. I
> have my client configured to use PEAP/MSCHAPv2 with user auth, however
> the requests I see in my FreeRADIUS debug are set to EAP-TLS.
>
> I have checked SEVERAL times that my client is set to use
> PEAP/MSCHAPv2 ... why is it going to EAP-TLS! GARH!
>
> From /etc/raddb/eap.conf
>
> <SNIP>
> eap {
>     default_eap_type = peap
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 2048
>     .
>     .
>     .
>     peap {
>         default_eap_type = mschapv2
>         copy_request_to_tunnel = yes
>         use_tunneled_reply = yes
>         virtual_server = "packetfence-tunnel"
>         #soh = yes
>         #soh_virtual_server = "soh-server"
>     }
>     mschapv2 {
>     }
> }
> </SNIP>
>
> From radius -X
>
> <SNIP>
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair State = 0x17e0bcdd14e5b1eefaf2eaeec0be4f98
> rlm_perl: Added pair Calling-Station-Id = 4C-EB-42-33-64-8B
> rlm_perl: Added pair Called-Station-Id = 00-0F-7D-31-67-B3:UMHB SecureNet
> rlm_perl: Added pair Message-Authenticator = 0x3b675a5f98a378fd637acfaa3c8c41e0
> rlm_perl: Added pair User-Name = [email protected]
> rlm_perl: Added pair NAS-Identifier = Sanderford-3
> rlm_perl: Added pair EAP-Message = 0x020500110d800000000715030100020230
> rlm_perl: Added pair Connect-Info = CONNECT 6Mbps/6Mbps 802.11g
> rlm_perl: Added pair Realm = umhb.edu
> rlm_perl: Added pair EAP-Type = EAP-TLS
> rlm_perl: Added pair Stripped-User-Name = jake.sallee
> rlm_perl: Added pair NAS-IP-Address = 10.11.40.180
> rlm_perl: Added pair NAS-Port = 912
> rlm_perl: Added pair Framed-MTU = 1400
> rlm_perl: Added pair Auth-Type = EAP
> ++[packetfence] returns noop
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/packetfence
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
> TLS Length 7
> [tls] Length Included
> [tls] eaptls_verify returned 11
> [tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
> TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [tls] eaptls_process returned 4
> [eap] Handler failed in EAP/tls
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> Login incorrect (TLS Alert read:fatal:unknown CA): [[email protected]] (from client 10.11.40.180 port 912 cli 4C-EB-42-33-64-8B)
> } # server packetfence
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/packetfence
> +- entering group REJECT {...}
> [attr_filter.access_reject] expand: %{User-Name} -> [email protected]
> attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 10 for 1 seconds
> </SNIP>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton TX. 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
> HTTP://WWW.UMHB.EDU
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond.
> Discussions will include endpoint security, mobile security and the
> latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
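
Added example, not part of the original thread: a decoder for the EAP-Message value quoted in the radius -X output, showing which bytes produce the "EAP-Type = EAP-TLS", "Length Included", "TLS Length 7" and "fatal unknown_ca" lines in the debug log. The function name and lookup tables are this example's own; the byte layout follows RFC 3748 (EAP header) and RFC 5216 (EAP-TLS flags), and the hex string is the one from the post.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS",
             25: "PEAP", 26: "MS-CHAPv2"}
TLS_RECORDS = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
               23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 40: "handshake_failure",
               42: "bad_certificate", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

# EAP-Message attribute copied from the radius -X output in the thread.
EAP_MESSAGE = "0x020500110d800000000715030100020230"


def decode_eap_message(hex_value):
    """Decode one unfragmented EAP-Message carrying a TLS-based EAP method."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short for an EAP request/response header")
    code, ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes")
    out = {"code": EAP_CODES.get(code, code), "id": ident,
           "type": EAP_TYPES.get(eap_type, eap_type)}
    if eap_type not in (13, 21, 25) or len(raw) < 6:
        return out                      # not a TLS-based method: stop here
    flags, body = raw[5], raw[6:]
    out["length_included"] = bool(flags & 0x80)   # L bit
    out["more_fragments"] = bool(flags & 0x40)    # M bit
    if flags & 0x80:
        if len(body) < 4:
            raise ValueError("L flag set but TLS length field is missing")
        out["tls_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    if len(body) >= 5:                  # TLS record header
        ctype, major, minor, rec_len = struct.unpack("!BBBH", body[:5])
        out["record"] = TLS_RECORDS.get(ctype, ctype)
        out["version"] = (major, minor)           # (3, 1) is TLS 1.0
        # A 2-byte alert body is plaintext; encrypted alerts are longer.
        if ctype == 21 and rec_len == 2 and len(body) >= 7:
            out["alert"] = (ALERT_LEVELS.get(body[5], body[5]),
                            ALERT_DESCS.get(body[6], body[6]))
    return out


if __name__ == "__main__":
    for key, value in decode_eap_message(EAP_MESSAGE).items():
        print(f"{key:16} {value}")
```

The fifth byte (0x0d, type 13) is where the EAP-TLS label comes from, and the last two bytes (0x02, 0x30) are the fatal unknown_ca alert sent by the client.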
