Hi all,

My PKI infrastructure is hierarchical, meaning that the client certificate path looks like this: ROOT_CA -> Sub1_CA -> Sub2_CA -> Client_Cert

Client_Cert & Sub2_CA purposes are set correctly. After I import the client certificate (client.p12) into the Windows Cert Store the following happens:
- the Root CA cert is imported into Trusted Root CAs,
- every sub CA cert (Sub1 CA & Sub2 CA) is imported into Intermediate CAs,
- the user's cert is imported into Personal Certificates,
and I can't connect.... As soon as I delete Sub2 CA (that is, the CA certificate of the certificate authority which issued the client's certificate) I am able to connect successfully.

I suspect that the Windows 7 supplicant sends the entire chain of the client certificate to the FreeRadius server, which confuses it. I suppose that FreeRadius cannot verify the Sub2_CA certificate received from the client because its purpose is not "Client Auth". As a result FreeRadius outputs the following message:

    --> verify error:num=26:unsupported certificate purpose
    [tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate
    TLS Alert write:fatal:unsupported certificate
    TLS_accept: error in SSLv3 read client certificate B
    rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    SSL: SSL_read failed in a system call (-1), TLS session fails.
    TLS receive handshake failed during operation

Below you can find two debug outputs. The first one represents the situation when Sub2 CA is present in the Intermediate CAs store and the other one shows the case when Sub2 CA was deleted. Additionally, CA_file in eap.conf is set to ${cadir}/Sub2_CA_*entire_chain*.pem

When I try to connect from a Linux machine everything works great (wpa_supplicant doesn't send the entire client certificate chain toward the radius server, it sends only the client cert, the last cert in the chain). The problem arose while connecting from a Windows 7 machine. Is there any way to configure the FreeRadius server to explicitly accept intermediate CAs received from the client supplicant? Appreciate any hints.
Gabriel

###############################################
################## FAILED #####################
################## FAILED #####################
###############################################
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=182, length=193
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 182 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=183, length=298
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0578], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00f9], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 183 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=184, length=199
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 184 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=185, length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 5695
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 185 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=186, length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] More fragments to follow
[tls] eaptls_verify returned 10
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 186 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=187, length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] More fragments to follow
[tls] eaptls_verify returned 10
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 187 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=188, length=1448
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 13f3], Certificate
--> verify error:num=26:unsupported certificate purpose
[tls] >>> TLS 1.0 Alert [length 0002], fatal unsupported_certificate
TLS Alert write:fatal:unsupported certificate
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
SSL: SSL_read failed in a system call (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> 2762_hd.test6
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 188 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
Waking up in 3.9 seconds.
Cleaning up request 0 ID 182 with timestamp +23
Cleaning up request 1 ID 183 with timestamp +23
Cleaning up request 2 ID 184 with timestamp +23
Cleaning up request 3 ID 185 with timestamp +23
Cleaning up request 4 ID 186 with timestamp +23
Cleaning up request 5 ID 187 with timestamp +23
Waking up in 1.0 seconds.
Cleaning up request 6 ID 188 with timestamp +23
Ready to process requests.
###############################################
################## ACCEPT #####################
################## ACCEPT #####################
###############################################
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=189, length=193
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 189 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=190, length=298
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 105
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 95
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005a], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0031], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0578], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 00f9], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 190 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=191, length=199
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 191 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=192, length=1695
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 2193
[tls] Received EAP-TLS First Fragment of the message
[tls] eaptls_verify returned 9
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 192 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=193, length=914
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 253
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0645], Certificate
[tls] chain-depth=3,
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = SNAKE OIL ROOT CA
[tls] --> subject = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate Services/O=Snake Oil Company/C=PL
[tls] --> issuer = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate Services/O=Snake Oil Company/C=PL
[tls] --> verify return:1
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = SNAKE OIL CA
[tls] --> subject = /CN=SNAKE OIL CA/O=Snake Oil Company 2/C=PL
[tls] --> issuer = /CN=SNAKE OIL ROOT CA/OU=Digital Certificate Services/O=Snake Oil Company/C=PL
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = SNAKE OIL WIFI CA
[tls] --> subject = /CN=SNAKE OIL WIFI CA/O=Snake Oil Company 2/C=PL
[tls] --> issuer = /CN=SNAKE OIL CA/O=Snake Oil Company 2/C=PL
[tls] --> verify return:1
[tls] Verifying client certificate: /etc/freeradius/geppetto.sh %{TLS-Client-Cert-Filename} %{Called-Station-Id}
[tls] expand: %{TLS-Client-Cert-Filename} -> /tmp/radiusd/freeradius.client.XXnI1oCe
[tls] expand: %{Called-Station-Id} -> XX-XX-XX-XX-XX-XX:SSID
+ GREP=/bin/grep
+ LDAP=/usr/bin/ldapsearch
+ OPENSSL=/usr/bin/openssl
+ cp /tmp/radiusd/freeradius.client.XXnI1oCe /tmp/
+ exit 0
Exec-Program output:
Exec-Program: returned: 0
[tls] Client certificate CN 2762_hd.test6 passed external validation
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = 2762_hd.test6
[tls] --> BUF-Name = 2762_hd.test6
[tls] --> subject = /emailAddress=2762_hd.te...@snakeoil.com/CN=2762_hd.test6/GN=HD/SN=Test6/OU=Operations/OU=HelpDesk/O=Snake Oil Company
[tls] --> issuer = /CN=SNAKE OIL WIFI CA/O=Snake Oil Company 2/C=PL
[tls] --> verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0106], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 193 to 172.16.16.1 port 32770
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	State = 0xFF
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.16.1 port 32770, id=194, length=199
	User-Name = "2762_hd.test6"
	Calling-Station-Id = "AA-AA-AA-AA-AA-AA"
	Called-Station-Id = "XX-XX-XX-XX-XX-XX:SSID"
	NAS-Port = 1
	NAS-IP-Address = 172.16.16.1
	NAS-Identifier = "wlc.intra"
	Airespace-Wlan-Id = 4
	Service-Type = Framed-User
	Framed-MTU = 1300
	NAS-Port-Type = Wireless-802.11
	Tunnel-Type:0 = VLAN
	Tunnel-Medium-Type:0 = IEEE-802
	Tunnel-Private-Group-Id:0 = "2"
	EAP-Message = 0xFF
	State = 0xFF
	Message-Authenticator = 0xFF
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "2762_hd.test6", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 7 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 194 to 172.16.16.1 port 32770
	MS-MPPE-Recv-Key = 0xFF
	MS-MPPE-Send-Key = 0xFF
	EAP-Message = 0xFF
	Message-Authenticator = 0xFF
	User-Name = "2762_hd.test6"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.

--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-TLS-Windows-7-Problem-with-chain-certificate-on-the-client-side-tp5664334p5664334.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
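Added example, not code from the post or from FreeRADIUS: a Go program that rebuilds the ROOT_CA -> Sub1_CA -> Sub2_CA -> Client_Cert hierarchy in memory and runs the kind of chain check the server applies to a received client certificate (every certificate on the path must permit client authentication). It models the hypothesis the post raises rather than a verified fact about the poster's PKI: a copy of Sub2_CA whose extendedKeyUsage does not include clientAuth is rejected with Go's counterpart of OpenSSL's error 26, while the same leaf through a Sub2_CA copy with no EKU verifies; all names, serials and keys are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// certTemplate builds a template; eku is the extendedKeyUsage extension to put on it
// (nil = no EKU extension, which OpenSSL's purpose check and Go both treat as "any purpose").
func certTemplate(cn string, serial int64, ca bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: eku,
	}
}

// issue signs tmpl for key with the parent's private key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der))
}

// PKI mirrors ROOT_CA -> Sub1_CA -> Sub2_CA -> Client_Cert. Sub2_CA is issued twice from one
// key: Sub2Plain has no EKU; Sub2ServerOnly (hypothetical copy) has EKU serverAuth only.
type PKI struct{ Root, Sub1, Sub2Plain, Sub2ServerOnly, Client *x509.Certificate }

func BuildPKI() PKI {
	var keys [4]*ecdsa.PrivateKey // root, sub1, sub2, client (constructed, throwaway)
	for i := range keys {
		keys[i] = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	}
	root := issue(certTemplate("ROOT_CA", 1, true, nil), nil, keys[0], nil)
	sub1 := issue(certTemplate("Sub1_CA", 2, true, nil), root, keys[1], keys[0])
	sub2Plain := issue(certTemplate("Sub2_CA", 3, true, nil), sub1, keys[2], keys[1])
	sub2ServerOnly := issue(certTemplate("Sub2_CA", 4, true, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), sub1, keys[2], keys[1])
	// The user certificate from the post, with its "Client Auth" purpose set correctly.
	client := issue(certTemplate("2762_hd.test6", 5, false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}), sub2Plain, keys[3], keys[2])
	return PKI{root, sub1, sub2Plain, sub2ServerOnly, client}
}

// VerifyClientAuth is the server-side check: build a path from the received client cert to a
// trusted root and require every certificate on that path to permit clientAuth.
// intermediates are the CA certificates the supplicant sent along with the client cert.
func VerifyClientAuth(root *x509.Certificate, intermediates []*x509.Certificate, client *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// IsPurposeError: Go's counterpart of OpenSSL "verify error:num=26:unsupported certificate purpose".
func IsPurposeError(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

func main() {
	p := BuildPKI()
	// Chain as the Windows supplicant sends it, but with the serverAuth-only Sub2_CA copy: rejected.
	err := VerifyClientAuth(p.Root, []*x509.Certificate{p.Sub1, p.Sub2ServerOnly}, p.Client)
	fmt.Printf("serverAuth-only Sub2_CA: purpose error=%t (%v)\n", IsPurposeError(err), err)
	// Same client cert through the Sub2_CA copy that has no EKU: accepted (err == nil).
	err = VerifyClientAuth(p.Root, []*x509.Certificate{p.Sub1, p.Sub2Plain}, p.Client)
	fmt.Println("Sub2_CA without EKU:", err)
}
```

On a real deployment the same comparison is `openssl x509 -noout -purpose -in <sub2.pem>` run against the Sub2_CA copy in CA_file and against the copy exported from the Windows Intermediate CAs store; the one whose "SSL client CA" line reads "No" is the one the chain check rejects.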