Hi All, I am using FreeRADIUS 2.1.0. PEAP/TTLS is working fine, but I am facing a problem with TLS authentication. I am able to generate the certificates, but while connecting it throws an authentication error. Please let me know how to debug it.
rad_recv: Access-Request packet from host 192.168.1.1 port 4906, id=6, length=147
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c1fd389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060d00
        Message-Authenticator = 0xcf453c67c6fe4f7695dbba231da2ba1e
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4906
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 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
        EAP-Message = 0x01024000720070306e310b30
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
Finished request 156.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4908, id=6, length=147
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c2fc389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020300060d00
        Message-Authenticator = 0xdeea6893aacbe253ed951368cec20746
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 6 to 192.168.1.1 port 4908
        EAP-Message = 0x010400790d800000085b0906035504061302494e310b3009060355040813024b413112301006035504071309536f6d657768657265310e300c060355040a13054e6f6b6961311e301c06092a864886f70d010901160f6d616d656f406e6f6b69612e636f6d310e300c060355040313054d6565676f0e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
Finished request 157.
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6, length=154
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        State = 0xc0ff35f8c3fb389f4e860dc8a76c03f8
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0204000d0d001503010002012a
        Message-Authenticator = 0x782f15b2fce0fe49f406f1cb224b1ccf
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Alert [length 0002], warning bad_certificate
TLS Alert read:warning:bad certificate
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
SSL Application Data
TLS failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> ma...@nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 158 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6, length=136
        User-Name = "ma...@nokia.com"
        NAS-IP-Address = 192.168.1.1
        Called-Station-Id = "0023692c6f74"
        Calling-Station-Id = "0025d05b72ab"
        NAS-Identifier = "0023692c6f74"
        NAS-Port = 2
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0204000d0d001503010002020a
        Message-Authenticator = 0x542730d7c53937fe5e038692a71646ff
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "nokia.com" for User-Name = "ma...@nokia.com"
[suffix] Found realm "DEFAULT"
[suffix] Adding Stripped-User-Name = "maemo"
[suffix] Adding Realm = "DEFAULT"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
[eap] EAP packet type response id 4 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry maemo at line 74
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
        expand: %{User-Name} -> ma...@nokia.com
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 159 for 1 seconds
Going to the next request
Waking up in 0.4 seconds.
Cleaning up request 146 ID 6 with timestamp +2141
Cleaning up request 147 ID 6 with timestamp +2141
Waking up in 0.5 seconds.
Sending delayed reject for request 158
Sending Access-Reject of id 6 to 192.168.1.1 port 4910
        EAP-Message = 0x04040004
        Message-Authenticator = 0x00000000000000000000000000000000
Sending delayed reject for request 159
Sending Access-Reject of id 6 to 192.168.1.1 port 4912
Waking up in 1.1 seconds.
Cleaning up request 148 ID 6 with timestamp +2143
Cleaning up request 149 ID 6 with timestamp +2143
Cleaning up request 150 ID 6 with timestamp +2143
Cleaning up request 151 ID 6 with timestamp +2143
Waking up in 1.0 seconds.
Cleaning up request 152 ID 6 with timestamp +2143
Cleaning up request 153 ID 6 with timestamp +2143
Waking up in 1.7 seconds.
Cleaning up request 154 ID 6 with timestamp +2146
Cleaning up request 155 ID 6 with timestamp +2146
Cleaning up request 156 ID 6 with timestamp +2146
Cleaning up request 157 ID 6 with timestamp +2146
Waking up in 1.0 seconds.
Cleaning up request 158 ID 6 with timestamp +2146
Cleaning up request 159 ID 6 with timestamp +2146

-- 
"Adversity always presents opportunity for Introspection"
Regards
Senthil
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
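One way to read a trace like the one above is to decode the EAP-Message attributes themselves. The following Python helper is an added example (not code from the post or from the FreeRADIUS project): it joins the EAP-Message fragments of each RADIUS packet, decodes the EAP header and names any TLS alert carried inside EAP-TLS. The log lines it runs on are constructed from the trace above, and the alert table covers only the common TLS alert descriptions.

```python
import re
# Added example, not from the post or the FreeRADIUS project: decode the EAP-Message attributes
# printed in FreeRADIUS 2.x debug output and name any TLS alert record carried inside EAP-TLS.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
               42: "bad_certificate", 45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
EAP_MSG_RE = re.compile(r"^\s*EAP-Message = 0x([0-9a-fA-F]+)\s*$")

# Constructed from the trace in the post: the supplicant's two alerts and the final EAP Failure.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.1 port 4910, id=6, length=154
        EAP-Message = 0x0204000d0d001503010002012a
TLS Alert read:warning:bad certificate
rad_recv: Access-Request packet from host 192.168.1.1 port 4912, id=6, length=136
        EAP-Message = 0x0204000d0d001503010002020a
Sending Access-Reject of id 6 to 192.168.1.1 port 4910
        EAP-Message = 0x04040004
"""

def decode_eap(pkt):
    """Describe one complete EAP packet (all EAP-Message fragments already joined)."""
    code, ident, length = pkt[0], pkt[1], int.from_bytes(pkt[2:4], "big")
    name = "EAP %s id %d" % (EAP_CODES.get(code, code), ident)
    if length != len(pkt):                   # declared length must match the bytes the log shows
        return name + " (incomplete: %d of %d bytes)" % (len(pkt), length)
    if code in (3, 4):                       # Success/Failure carry no type or data
        return name
    if pkt[4] != 13:                         # EAP type 13 is EAP-TLS (RFC 5216)
        return name + " type %d" % pkt[4]
    body = pkt[6:]
    if pkt[5] & 0x80:                        # L flag: 4-byte TLS message length precedes the data
        body = body[4:]
    if not body:
        return name + " EAP-TLS ACK"
    if body[0] == 0x15 and len(body) >= 7:   # TLS record type 21 = alert: 5-byte header, level, description
        return name + " TLS alert %s %s" % (ALERT_LEVELS.get(body[5], body[5]), ALERT_DESCS.get(body[6], body[6]))
    return name + " EAP-TLS data (%d bytes)" % len(body)

def triage(log_text):
    """Return one (packet header line, EAP description) pair per RADIUS packet carrying EAP-Message.
    A 'TLS Alert read:' line means the server read the alert from the peer, i.e. the supplicant sent it."""
    findings, header, frags = [], None, []
    for line in log_text.splitlines() + ["rad_recv: <end>"]:   # sentinel flushes the last packet
        if line.startswith(("rad_recv:", "Sending Access-")):
            if frags:                        # several EAP-Message attributes are fragments of one EAP packet
                findings.append((header, decode_eap(bytes.fromhex("".join(frags)))))
            header, frags = line.strip(), []
        frags += EAP_MSG_RE.findall(line)
    return findings
```

In the trace above the alerts are read by the server (the `TLS Alert read:` line and the `<<<` arrow), so it is the supplicant that rejected a certificate the server presented; whether the supplicant trusts the CA that issued the server certificate is usually the first thing to check.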