Have your radius server multiple IP addresses? In my case that was one of my problems. And the second was that the client and server certificate has not extensions part.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] ] On Behalf Of Adam Rogalski Sent: Friday, December 30, 2005 12:10 PM To: FreeRadius users mailing list Subject: FreeRadius +TLS (base on openssl) Hi I figth with my Radius for one week and I don't have more ideas. I would like to make my home network with WPA enterprise (WPA with TKIP + 802.1x). I made my own CA and generate certificates for server and client. Everything like I red in howto from freeradius.org. My server is on fedora core 4 but I try on slackware too. When I use on my AP (linksys wrt54g) WPA enterprise command radiusd -X stops after: Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. when I change for only RADIUS and WEP I get after radiusd -X message: [EMAIL PROTECTED] sbin]# ./radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "nobody" main: group = "nobody" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "adam01" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Addre ss, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m% d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. [EMAIL PROTECTED] sbin]# ./radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /etc/raddb/proxy.conf Config: including file: /etc/raddb/clients.conf Config: including file: /etc/raddb/snmp.conf Config: including file: /etc/raddb/eap.conf Config: including file: /etc/raddb/sql.conf main: prefix = "/usr" main: localstatedir = "/var" main: logdir = "/var/log/radius" main: libdir = "/usr/lib" main: radacctdir = "/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/var/log/radius/radius.log" main: log_auth = no main: log_auth_badpass = no main: log_auth_goodpass = no main: pidfile = "/var/run/radiusd/radiusd.pid" main: user = "nobody" main: group = "nobody" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/lib Module: Loaded exec exec: wait = yes exec: program = "(null)" exec: input_pairs = "request" exec: output_pairs = "(null)" exec: packet_type = "(null)" rlm_exec: Wait=yes but no output defined. Did you mean output=none? Module: Instantiated exec (exec) Module: Loaded expr Module: Instantiated expr (expr) Module: Loaded PAP pap: encryption_scheme = "crypt" Module: Instantiated pap (pap) Module: Loaded CHAP Module: Instantiated chap (chap) Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = no mschap: require_strong = no mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAP" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded System unix: cache = no unix: passwd = "(null)" unix: shadow = "/etc/shadow" unix: group = "(null)" unix: radwtmp = "/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no rlm_eap: Loaded and initialized type md5 rlm_eap: Loaded and initialized type leap gtc: challenge = "Password: " gtc: auth_type = "PAP" rlm_eap: Loaded and initialized type gtc tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/etc/raddb/certs/server_keycert.pem" tls: certificate_file = "/etc/raddb/certs/server_keycert.pem" tls: CA_file = "/etc/raddb/certs/cacert.pem" tls: private_key_password = "adam01" tls: dh_file = "/etc/raddb/certs/dh" tls: random_file = "/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/etc/raddb/huntgroups" preprocess: hints = "/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = no realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/etc/raddb/users" files: acctusersfile = "/etc/raddb/acct_users" files: preproxy_usersfile = "/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Addre ss, NAS-Port" Module: Instantiated acct_unique (acct_unique) Module: Loaded detail detail: detailfile = "/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m% d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded radutmp radutmp: filename = "/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=121 User-Name = "Adam" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0014bf2f16c2" Calling-Station-Id = "000e3573296d" NAS-Identifier = "0014bf2f16c2" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02000009014164616d Message-Authenticator = 0x88f32269e104d036be28f8411cd133b6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall[authorize]: module "chap" returns noop for request 0 modcall[authorize]: module "mschap" returns noop for request 0 rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 0 rlm_eap: EAP packet type response id 0 length 9 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 0 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns updated for request 0 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 0 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 0 modcall: group authenticate returns handled for request 0 Sending Access-Challenge of id 0 to 192.168.1.1:2054 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x44e256d6f94136dbb146b56055f69cf3 Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=236 User-Name = "Adam" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0014bf2f16c2" Calling-Station-Id = "000e3573296d" NAS-Identifier = "0014bf2f16c2" NAS-Port = 55 Framed-MTU = 1400 State = 0x44e256d6f94136dbb146b56055f69cf3 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201006a0d8000000060160301005b01000057030143b50d1a0e6730 f71ec0114327ca53bc3eade6ecabd6c027a46f2642fb6e39d000003000390038003500160013 000a 00330032002f0066000500040065006400630062006000150012000900140011000800030100 Message-Authenticator = 0xe801c7aec46700968dfa44913e23d516 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 1 modcall[authorize]: module "preprocess" returns ok for request 1 modcall[authorize]: module "chap" returns noop for request 1 modcall[authorize]: module "mschap" returns noop for request 1 rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 1 rlm_eap: EAP packet type response id 1 length 106 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 1 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 1 modcall: group authorize returns updated for request 1 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 1 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 005b], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 02a7], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 010d], ServerKeyExchange TLS_accept: SSLv3 write key exchange A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0099], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 1 modcall: group authenticate returns handled for request 1 Sending Access-Challenge of id 0 to 192.168.1.1:2054 EAP-Message = 0x0102040a0dc0000004ab160301004a02000046030143b50c5e53e9e8 a74a80938207f2b0b3bb015986bef383fbada6998b571453ee2050a14d2d1936b94767dc8e38 5486 0e4a418ee7d1541dc3c54807f12c5996889200390016030102a70b0002a30002a000029d3082 0299 30820202a003020102020101300d06092a864886f70d0101040500308185310b300906035504 0613 02504c311330110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f 636c 6177310e300c060355040a1305446f6d656b3122302006035504031319736572776572656b2e 6164 616d656b2e686f70746f2e6f7267311b301906092a864886f7 EAP-Message = 0x0d010901160c61726f67616c4077702e706c301e170d303531323330 3038333635345a170d3036313233303038333635345a308185310b300906035504061302504c 3113 30110603550408130a446f6c6e79536c61736b3110300e0603550407130757726f636c617731 0e30 0c060355040a1305446f6d656b3122302006035504031319736572776572656b2e6164616d65 6b2e 686f70746f2e6f7267311b301906092a864886f70d010901160c61726f67616c4077702e706c 3081 9f300d06092a864886f70d010101050003818d0030818902818100e446b6595abca00c76e48b 21d6 95f43d9a2770dd067bfcaef859ec5bcedb74a14600a9dd179e EAP-Message = 0x23d8f7809495f018a50d359f78915fb18b41a74e7441f6716823e415 0febd758698291dd48150bc697d56be21a536b089b17f9e3fa049db4e52402fac8f72e493cbf cbda 0e217cdd2a93598632c1c64cc7d70840ec0fbce918e30203010001a317301530130603551d25 040c 300a06082b06010505070301300d06092a864886f70d0101040500038181000662e9a572dec1 51d2 6adb88c7cee3cc7bf0f7f41e8c03d8b85b2b7db7ab2b35fb21ecabb9f15f395e6482b762c04a ec81 0c4a9883986037d5c17eaf0539e64aae928e7da2394d5b5b3c7d61791d3ae373cf15a1592502 1f00 51f518de9c12f6e04fe46f39a2b53f6b2345b0b94fc9da2499 EAP-Message = 0x110108df4251a2d2f21ca4ebaf2c160301010d0c0001090040ca7f38 db174492ff0737acbd4117d15bb7b41b837016a8422f3a34f9af06244de89a01df120f154711 7480 2929bc655907ca6ff7b441f03ea72c1ad2c3caae8b00010500407f8f356cf73802cb22f17e4d 3a2c ea90839f15a1b1c4d7d15014724bd5ef9aba1e17dd262df70a5c8784c64dbd5dcb6a0ae0bdfa 390b 337d50ed9e97d97324b60080c10536878e2d1ec56f2ad550b03e61c35ae1920f1d5ab39c5ed5 bfe2 f8cd2b804799634038088cd836ab6229e86a39589c5a3f9cf93c700c2dfd6bf684ea2e5efc90 12db f4a6704e75cdd233d632c43e0f0a762ad8df90da110e39dd2f EAP-Message = 0x0aab1b9e0bc4fe20ea2b877b8ccb0c2e7b89e1e6952f Message-Authenticator = 0x00000000000000000000000000000000 State = 0x767b202144333f7b0182c93a33070eb4 Finished request 1 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=136 User-Name = "Adam" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0014bf2f16c2" Calling-Station-Id = "000e3573296d" NAS-Identifier = "0014bf2f16c2" NAS-Port = 55 Framed-MTU = 1400 State = 0x767b202144333f7b0182c93a33070eb4 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200060d00 Message-Authenticator = 0x2e5131827a4a1a6955a9eada5a37ad5d Processing the authorize section of radiusd.conf modcall: entering group authorize for request 2 modcall[authorize]: module "preprocess" returns ok for request 2 modcall[authorize]: module "chap" returns noop for request 2 modcall[authorize]: module "mschap" returns noop for request 2 rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 2 rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 2 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 2 modcall: group authorize returns updated for request 2 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 2 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 2 modcall: group authenticate returns handled for request 2 Sending Access-Challenge of id 0 to 192.168.1.1:2054 EAP-Message = 0x010300b50d80000004abea37366e949b739e4e8ce5d1051603010099 0d0000910403040102008a0088308185310b300906035504061302504c311330110603550408 130a 446f6c6e79536c61736b3110300e0603550407130757726f636c6177310e300c060355040a13 0544 6f6d656b3122302006035504031319736572776572656b2e6164616d656b2e686f70746f2e6f 7267 311b301906092a864886f70d010901160c61726f67616c4077702e706c0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xe15d58f49422b6ce53338dbcb286d67d Finished request 2 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.1.1:2054, id=0, length=147 User-Name = "Adam" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0014bf2f16c2" Calling-Station-Id = "000e3573296d" NAS-Identifier = "0014bf2f16c2" NAS-Port = 55 Framed-MTU = 1400 State = 0xe15d58f49422b6ce53338dbcb286d67d NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020300110d800000000715030100020230 Message-Authenticator = 0x9ccbb7428e7fb4c0adce582d01b259c6 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 modcall[authorize]: module "chap" returns noop for request 3 modcall[authorize]: module "mschap" returns noop for request 3 rlm_realm: No '@' in User-Name = "Adam", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 3 rlm_eap: EAP packet type response id 3 length 17 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry DEFAULT at line 152 modcall[authorize]: module "files" returns ok for request 3 modcall: group authorize returns updated for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca TLS Alert read:fatal:unknown CA TLS_accept:failed in SSLv3 read client certificate A 2426:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c :1052:SSL alert number 48 2426:error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure:s3_pkt.c: 837: rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. In SSL Handshake Phase In SSL Accept mode rlm_eap_tls: BIO_read failed in a system call (-1), TLS session fails. eaptls_process returned 13 rlm_eap: Freeing handler modcall[authenticate]: module "eap" returns reject for request 3 modcall: group authenticate returns reject for request 3 auth: Failed to validate the user. Delaying request 3 for 1 seconds Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Sending Access-Reject of id 0 to 192.168.1.1:2054 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 3 ID 0 with timestamp 43b50c5e Nothing to do. Sleeping until we see a request. As a client I use my buildin centrino card intel2200 and windows xp with sp2 So if enybody can help I will be very gratefull Best regards Adam - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html