I think this is probably a bug. Maybe it's not from the RADIUS side, but it probably should be checked, as it appears in what actually seems to be the standard configuration for EAP: WinXP supplicant (SP1 + WPA patch 815485), Cisco AP (1230, IOS version 12.2(13)JA2), FreeRADIUS (CVS snapshot 03-08-2004).

Here are my details: I have a working setup with those three actors, which works correctly for EAP-TLS and PEAP. On the supplicant side I've installed the certificates generated from the certs.sh script, and I did the same on FreeRADIUS. I'm able to authenticate, checking the user on an external LDAP server, both in EAP-TLS (extracting the username from the certificate) and in PEAP using the Microsoft window for user and password. I then decided to get a higher level of security by double-checking the certificate against the root certificate on the client side. I've then imported the root certificate (the same one I've installed on RADIUS), but as soon as I activate "validate server certificate" and restart the authentication, in the RADIUS log I get the error:

rlm_eap_tls: Received unexpected tunneled data after successful handshake
Here is the relevant part of the log:
...
...
Debug: rad_check_password: Found Auth-Type EAP
Debug: auth: type "EAP"
Debug: Processing the authenticate section of radiusd.conf
Debug: modcall: entering group authenticate for request 4
Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4
Debug: rlm_eap: Request found, released from the list
Debug: rlm_eap: EAP/tls
Debug: rlm_eap: processing type tls
Debug: rlm_eap_tls: Authenticate
Debug: rlm_eap_tls: processing TLS
Info: rlm_eap_tls: Length Included
Debug: eaptls_verify returned 11
Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 03b2], Certificate
Info: chain-depth=1,
Info: error=0
Info: --> User-Name = testuser
Info: --> BUF-Name = Pierluigi
Info: --> subject = /C=IT/ST=Italy/L=Milano/O=R-IT.SPA/OU=Security Office/CN=Pierluigi/[EMAIL PROTECTED]
Info: --> issuer = /C=IT/ST=Italy/L=Milano/O=R-IT.SPA/OU=Security Office/CN=Pierluigi/[EMAIL PROTECTED]
Info: --> verify return:1
Info: chain-depth=0,
Info: error=0
Info: --> User-Name = testuser
Info: --> BUF-Name = testuser
Info: --> subject = /C=IT/ST=Italy/L=Milan/O=R-IT.SPA/OU=User Wifi/CN=testuser/[EMAIL PROTECTED]
Info: --> issuer = /C=IT/ST=Italy/L=Milano/O=R-IT.SPA/OU=Security Office/CN=Pierluigi/[EMAIL PROTECTED]
Info: --> verify return:1
Info: TLS_accept: SSLv3 read client certificate A
Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
Info: TLS_accept: SSLv3 read client key exchange A
Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], CertificateVerify
Info: TLS_accept: SSLv3 read certificate verify A
Debug: rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
Info: TLS_accept: SSLv3 read finished A
Debug: rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
Info: TLS_accept: SSLv3 write change cipher spec A
Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
Info: TLS_accept: SSLv3 write finished A
Info: TLS_accept: SSLv3 flush data
Info: (other): SSL negotiation finished successfully
Debug: SSL Connection Established
Debug: eaptls_process returned 13
Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4
Debug: modcall[authenticate]: module "eap" returns handled for request 4
Debug: modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 153 to 10.128.255.3:21645
        Framed-MTU = 576
        Service-Type = Framed-User
        EAP-Message = 0x010700350d800000002b14030100010116030100207223dd51362cd36caca76901e7d3535467e547af436be89e5a02f50498ddf4d7
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xed6fed8c05cb3ec79c6c31406ac05e9c
Debug: Finished request 4
Debug: Going to the next request
Debug: Thread 5 waiting to be assigned a request
rad_recv: Access-Request packet from host 10.128.255.3:21645, id=154, length=166
Debug: Waking up in 5 seconds...
Debug: Thread 1 got semaphore
Debug: Thread 1 handling request 5, (2 handled so far)
        User-Name = "testuser"
        Framed-MTU = 1400
        Called-Station-Id = "000e.380d.0e5f"
        Calling-Station-Id = "000e.38ee.0e28"
        Message-Authenticator = 0xe4f4d3ed725a77a902c35252e2b7cff0
        EAP-Message = 0x020700210d8000000017150301001272ee05fb3c18fc4cfd0db2b207f26ed87f7c
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 279
        State = 0xed6fed8c05cb3ec79c6c31406ac05e9c
        Service-Type = Framed-User
        NAS-IP-Address = 10.128.255.3
        NAS-Identifier = "ap"
...
...
Debug: modcall: group authorize returns updated for request 5
Debug: rad_check_password: Found Auth-Type EAP
Debug: auth: type "EAP"
Debug: Processing the authenticate section of radiusd.conf
Debug: modcall: entering group authenticate for request 5
Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5
Debug: rlm_eap: Request found, released from the list
Debug: rlm_eap: EAP/tls
Debug: rlm_eap: processing type tls
Debug: rlm_eap_tls: Authenticate
Debug: rlm_eap_tls: processing TLS
Info: rlm_eap_tls: Length Included
Debug: eaptls_verify returned 11
Debug: eaptls_process returned 7
Debug: rlm_eap_tls: Received unexpected tunneled data after successful handshake.
Debug: Tunneled data (23 bytes)
 0: 15 03 01 00 12 72 ee 05 fb 3c 18 fc 4c fd 0d b2
16: b2 07 f2 6e d8 7f 7c
Debug: rlm_eap: Handler failed in EAP/tls
Debug: rlm_eap: Failed in EAP select
Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 5
Debug: modcall[authenticate]: module "eap" returns invalid for request 5
Debug: modcall: group authenticate returns invalid for request 5
Debug: auth: Failed to validate the user.
Auth: Login incorrect: [testuser/<no User-Password attribute>] (from client vpnrit1 port 279 cli 000e.38ee.0e28)
Debug: Delaying request 5 for 1 seconds

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
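The two EAP-Message values quoted in the log can be decoded to see what the "tunneled data" actually is. The following is an added example, not code from the original post or from FreeRADIUS. It assumes only the hex strings copied from the log and the on-the-wire layouts of EAP (RFC 3748), EAP-TLS (RFC 2716) and TLS 1.0 records (RFC 2246):

```python
"""Decode the EAP-Message attributes from the radiusd debug log above.

Added example, not code from the original post or from FreeRADIUS. It walks
the EAP header (RFC 3748), the EAP-TLS flags and length field (RFC 2716) and
the TLS record headers (RFC 2246) so the "unexpected tunneled data" can be
identified by TLS record type.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
TLS_CONTENT_TYPES = {
    20: "ChangeCipherSpec",
    21: "Alert",
    22: "Handshake",
    23: "ApplicationData",
}

# Copied from the log: the server's Access-Challenge (request 4) and the
# supplicant's following Access-Request (request 5).
SERVER_CHALLENGE = (
    "0x010700350d800000002b14030100010116030100207223dd51362cd36caca76901"
    "e7d3535467e547af436be89e5a02f50498ddf4d7"
)
CLIENT_RESPONSE = "0x020700210d8000000017150301001272ee05fb3c18fc4cfd0db2b207f26ed87f7c"


def parse_tls_records(payload):
    """Split a byte string into TLS records, keeping each 5-byte header's fields."""
    records = []
    pos = 0
    while pos < len(payload):
        if len(payload) - pos < 5:
            raise ValueError("truncated TLS record header at offset %d" % pos)
        ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", payload[pos:pos + 5])
        body = payload[pos + 5:pos + 5 + rlen]
        if len(body) != rlen:
            raise ValueError("record at offset %d claims %d bytes, %d present"
                             % (pos, rlen, len(body)))
        records.append({
            "type": TLS_CONTENT_TYPES.get(ctype, "unknown(%d)" % ctype),
            "version": "%d.%d" % (vmaj, vmin),   # 3.1 is TLS 1.0
            "length": rlen,
            "body": body,
        })
        pos += 5 + rlen
    return records


def parse_eap_tls(hex_attr):
    """Parse one EAP-Message value (as printed by radiusd) that carries EAP-TLS."""
    data = bytes.fromhex(hex_attr[2:] if hex_attr.startswith("0x") else hex_attr)
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("EAP length %d does not match %d attribute bytes"
                         % (length, len(data)))
    eap_type = data[4]
    if eap_type != EAP_TYPE_TLS:
        raise ValueError("not EAP-TLS: EAP type %d" % eap_type)
    flags = data[5]
    info = {
        "eap_code": EAP_CODES.get(code, code),
        "eap_id": ident,
        "length_included": bool(flags & 0x80),   # L bit: 4-byte TLS length follows
        "more_fragments": bool(flags & 0x40),    # M bit
        "start": bool(flags & 0x20),             # S bit
    }
    offset = 6
    if info["length_included"]:
        info["tls_length"] = struct.unpack("!I", data[6:10])[0]
        offset = 10
    payload = data[offset:]
    # With L set and M clear the whole TLS message is in this packet.
    if info["length_included"] and not info["more_fragments"] \
            and len(payload) != info["tls_length"]:
        raise ValueError("TLS length %d but %d bytes of TLS data"
                         % (info["tls_length"], len(payload)))
    info["records"] = parse_tls_records(payload)
    return info


def record_types(hex_attr):
    """The sequence of TLS record type names inside one EAP-Message."""
    return [r["type"] for r in parse_eap_tls(hex_attr)["records"]]


if __name__ == "__main__":
    for name, attr in (("server challenge", SERVER_CHALLENGE),
                       ("client response", CLIENT_RESPONSE)):
        info = parse_eap_tls(attr)
        print("%s: EAP %s id=%d" % (name, info["eap_code"], info["eap_id"]))
        for r in info["records"]:
            print("  TLS %s record, version %s, %d byte body"
                  % (r["type"], r["version"], r["length"]))
```

Run stand-alone, this shows that the Access-Challenge carries the server's ChangeCipherSpec record followed by a 32-byte Handshake record (the encrypted Finished), and that the 23 bytes FreeRADIUS reports as unexpected tunneled data are a single TLS record of content type 21, an Alert, with an 18-byte body. Because both sides have already switched to the negotiated cipher at that point, the alert body is encrypted, so the alert level and description cannot be read out of the RADIUS log alone.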