Hello All,

I am not able to successfully get a port authorized via dot1x (wired connection). I am using SecureW2 suite as a client. I get the following message in the debug output of FreeRADIUS:

"rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate"

I think this means that my Windows XP client isn't returning a certificate to the RADIUS server, but I am not sure. I hope someone can help me figure this out. Below is a fuller output from FreeRADIUS.

Thanks!
John

+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 218 to 10.1.3.222 port 1024
    EAP-Message = 0x53443127302506092a864886f70d010901161874656368737570706f727440766173686f6e73642e6f7267312630240603550403131d566173686f6e2049736c616e64205363686f6f6c2044697374726963740e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x4aacbade4eaaaf8b77d4bfdb2d602cc2
Finished request 4.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=219, length=558
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0x4aacbade4eaaaf8b77d4bfdb2d602cc2
    EAP-Message = 0x02060150150016030100070b00000300000016030101061000010201001ec801e7b54f1bacc0068882e8c18fce1cc9781c535dc2a9406139225a5f85a8bf309d83741a9c1980c009a09e60088af3eb8f6b0140772ca72a788e4653bf8b5df15e8a38eaa34da31bc6f2604438fb83156d7750ba083ee83838c06cdd09838e86289fb9dfe1e1664da15f157228a86ba5d248db4fae6c9e7d6c782ec9594d0e3c643becf5709608041eab084d0f2aa2237601f71b6ef98d0ee2a190101d67a908a98373884030becfb0df0b8c31349bcbfffc92e072bf3fc8591da21a70edfb234a916d3d1d19533ebec53f245e5facea057e1822a9ab93464dda7903198b
    EAP-Message = 0xa87b9eb6eee9a3bca55c890b7161b1997f57f84244ef309bdbd91d5e63f9fab3140301000101160301002841175ab1eb200cb6ed8eb09ebdd827dcb0c94fb2f0cc4bbc1057c217d57c7082f6232bda1742633c
    Message-Authenticator = 0x6d04184f1dac42b9c7c6da356158f8c5
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0007], Certificate
[ttls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 219 to 10.1.3.222 port 1024
    EAP-Message = 0x04060004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 0 ID 214 with timestamp +10
Cleaning up request 1 ID 215 with timestamp +10
Cleaning up request 2 ID 216 with timestamp +10
Cleaning up request 3 ID 217 with timestamp +10
Cleaning up request 4 ID 218 with timestamp +10
Waking up in 1.2 seconds.
Cleaning up request 5 ID 219 with timestamp +10
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=220, length=211
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    EAP-Message = 0x02070009016a6f686e
    Message-Authenticator = 0x4bff9404e7321b17c71b169a7fe8c714
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[control] returns updated
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 220 to 10.1.3.222 port 1024
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    EAP-Message = 0x010800061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd9e67c5bd9ee655f64d832ead121cf75
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=221, length=226
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0xd9e67c5bd9ee655f64d832ead121cf75
    EAP-Message = 0x020800060315
    Message-Authenticator = 0xf05ccffdc48c602e7055f1f09fd9f5bc
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 8 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[control] returns updated
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 172
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 221 to 10.1.3.222 port 1024
    Framed-Protocol = PPP
    Framed-Compression = Van-Jacobson-TCP-IP
    EAP-Message = 0x010900061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd9e67c5bd8ef695f64d832ead121cf75
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=222, length=276
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0xd9e67c5bd8ef695f64d832ead121cf75
    EAP-Message = 0x020900381500160301002d0100002903013faeaed39396e322ae3de01571d4a0cd64ad1a76a0e496d88b18489466fa7e58000002000a0100
    Message-Authenticator = 0xb689989c467d49826a7819dc6283749e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 56
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 002d], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 0857], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 00a6], CertificateRequest
[ttls] TLS_accept: SSLv3 write certificate request A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 222 to 10.1.3.222 port 1024
    EAP-Message = 0x010a040015c000000936160301002a0200002603014a32986de07b75d573655c77f11d4537645a9e1e9e971ae8d47560ff836ac66800000a0016030108570b00085300085000039f3082039b30820283a003020102020101300d06092a864886f70d0101040500308193310b3009060355040613025553311330110603550408130a57617368696e67746f6e310f300d06035504071306566173686f6e310d300b060355040a1304564953443127302506092a864886f70d010901161874656368737570706f727440766173686f6e73642e6f7267312630240603550403131d566173686f6e2049736c616e64205363686f6f6c204469737472696374
    EAP-Message = 0x020102020900833987f5f546
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd9e67c5bdbec695f64d832ead121cf75
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=223, length=226
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0xd9e67c5bdbec695f64d832ead121cf75
    EAP-Message = 0x020a00061500
    Message-Authenticator = 0x16540a47b56572901005cd0703be8083
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 10 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 223 to 10.1.3.222 port 1024
    EAP-Message = 0xfc18f3952fd1dda7d4ecca4e
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd9e67c5bdaed695f64d832ead121cf75
Finished request 9.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=224, length=226
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0xd9e67c5bdaed695f64d832ead121cf75
    EAP-Message = 0x020b00061500
    Message-Authenticator = 0xb4dd50363a7aa33881d9d2ba2fad1f4b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 224 to 10.1.3.222 port 1024
    EAP-Message = 0x53443127302506092a864886f70d010901161874656368737570706f727440766173686f6e73642e6f7267312630240603550403131d566173686f6e2049736c616e64205363686f6f6c2044697374726963740e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd9e67c5bddea695f64d832ead121cf75
Finished request 10.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 10.1.3.222 port 1024, id=225, length=558
    Framed-MTU = 1480
    NAS-IP-Address = 10.1.3.222
    NAS-Identifier = "HP ProCurve Switch 2524"
    User-Name = "john"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 16
    NAS-Port-Type = Ethernet
    NAS-Port-Id = "16"
    Called-Station-Id = "00-04-ea-a7-c2-70"
    Calling-Station-Id = "00-1c-25-93-26-16"
    Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "1"
    State = 0xd9e67c5bddea695f64d832ead121cf75
    EAP-Message = 0x258d45ed623983520f1b0a30aa81bda3ecc551ac0617eb0de1185927b79dca21140301000101160301002874cdc78d855874525e120a085bfeb198cb565313472a4bda41ca3a52acb2df5b2df7561652ffa1d9
    Message-Authenticator = 0xc93875552209af406690e002d9d996ee
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 253
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0007], Certificate
[ttls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[ttls] eaptls_process returned 4
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 225 to 10.1.3.222 port 1024
    EAP-Message = 0x040c0004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.5 seconds.
Cleaning up request 6 ID 220 with timestamp +71
Cleaning up request 7 ID 221 with timestamp +71
Cleaning up request 8 ID 222 with timestamp +71
Cleaning up request 9 ID 223 with timestamp +71
Cleaning up request 10 ID 224 with timestamp +71
Waking up in 1.3 seconds.
Cleaning up request 11 ID 225 with timestamp +71
Ready to process requests.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
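
Added example (not part of the original post and not FreeRADIUS code): the sketch below decodes the leading bytes of the first EAP-Message in the id=219 Access-Request from the log and checks whether the client's TLS Certificate message carries any certificates. The function names `parse_eap_tls` and `client_sent_empty_certificate` are illustrative; the sample bytes are copied from the log above.

```python
import struct

# Leading 32 bytes of the first EAP-Message in the id=219 Access-Request,
# copied from the log above; the remainder of the packet is not needed here.
SAMPLE_HEX = "02060150150016030100070b00000300000016030101061000010201001ec801"

HANDSHAKE_NAMES = {1: "ClientHello", 11: "Certificate", 16: "ClientKeyExchange"}


def parse_eap_tls(data: bytes):
    """Parse an EAP-TLS/TTLS/PEAP packet; return (eap_header, handshake_msgs).

    Stops at the first incomplete TLS record and at ChangeCipherSpec
    (everything after it is encrypted), so a packet prefix can be inspected.
    """
    if len(data) < 6:
        raise ValueError("too short for an EAP-TLS style packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", data[:6])
    eap = {"code": code, "id": ident, "length": length, "type": eap_type}
    pos = 10 if flags & 0x80 else 6  # L flag: 4-byte TLS length field follows
    msgs = []
    while pos + 5 <= len(data):
        rec_type, _version, rec_len = struct.unpack("!BHH", data[pos:pos + 5])
        body = data[pos + 5:pos + 5 + rec_len]
        if len(body) < rec_len or rec_type == 20:
            break
        pos += 5 + rec_len
        if rec_type != 22:  # 22 = handshake record
            continue
        off = 0
        while off + 4 <= len(body):
            hs_type = body[off]
            hs_len = int.from_bytes(body[off + 1:off + 4], "big")
            hs_body = body[off + 4:off + 4 + hs_len]
            msg = {"type": HANDSHAKE_NAMES.get(hs_type, str(hs_type)), "length": hs_len}
            if hs_type == 11 and len(hs_body) >= 3:
                # Certificate body starts with the 3-byte certificate_list length
                msg["cert_list_bytes"] = int.from_bytes(hs_body[:3], "big")
            msgs.append(msg)
            off += 4 + hs_len
    return eap, msgs


def client_sent_empty_certificate(data: bytes) -> bool:
    """True when a Certificate handshake message carries no certificates."""
    _eap, msgs = parse_eap_tls(data)
    return any(m["type"] == "Certificate" and m.get("cert_list_bytes") == 0
               for m in msgs)


if __name__ == "__main__":
    eap_header, handshake = parse_eap_tls(bytes.fromhex(SAMPLE_HEX))
    print(eap_header, handshake)
    print(client_sent_empty_certificate(bytes.fromhex(SAMPLE_HEX)))
```

On the sample bytes the 7-byte handshake message matches the `<<< TLS 1.0 Handshake [length 0007], Certificate` line in the log: a Certificate message whose certificate list length is zero.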