I've got authentication with Android and Linux clients working using EAP/TTLS and PAP; however, Windows and OSX clients don't seem to work. This is a log of a Windows 7 client. I was able to get iPhones working with a special config, but the same method doesn't seem to work for OSX. Any help you could offer is appreciated.
Log follows, with secure bits edited out:

FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu, built on Nov 14 2010 at 21:12:30
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/clients.conf
including configuration file /etc/freeradius/snmp.conf
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/default
main {
    user = "freerad"
    group = "freerad"
    allow_core_dumps = no
}
including dictionary file /etc/freeradius/dictionary
main {
    prefix = "/usr"
    localstatedir = "/var"
    logdir = "/var/log/freeradius"
    libdir = "/usr/lib/freeradius"
    radacctdir = "/var/log/freeradius/radacct"
    hostname_lookups = no
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    pidfile = "/var/run/freeradius/freeradius.pid"
    checkrad = "/usr/sbin/checkrad"
    debug_level = 0
    proxy_requests = yes
    log {
        stripped_names = no
        auth = yes
        auth_badpass = no
        auth_goodpass = no
    }
    security {
        max_attributes = 200
        reject_delay = 1
        status_server = yes
    }
}
radiusd: #### Loading Realms and Home Servers ####
radiusd: #### Loading Clients ####
client localhost {
    ipaddr = 127.0.0.1
    require_message_authenticator = no
    secret = "-removed-"
    shortname = "localhost"
}
-EDITED: Client entries removed-
radiusd: #### Instantiating modules ####
instantiate {
    Module: Linked to module rlm_exec
    Module: Instantiating module "exec" from file /etc/freeradius/radiusd.conf
    exec {
        wait = yes
        input_pairs = "request"
        shell_escape = yes
    }
    Module: Linked to module rlm_expr
    Module: Instantiating module "expr" from file /etc/freeradius/radiusd.conf
    Module: Linked to module rlm_expiration
    Module: Instantiating module "expiration" from file /etc/freeradius/radiusd.conf
    expiration {
        reply-message = "Password Has Expired "
    }
    Module: Linked to module rlm_logintime
    Module: Instantiating module "logintime" from file /etc/freeradius/radiusd.conf
    logintime {
        reply-message = "You are calling outside your allowed timespan "
        minimum-timeout = 60
    }
}
radiusd: #### Loading Virtual Servers ####
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_pap
    Module: Instantiating module "pap" from file /etc/freeradius/radiusd.conf
    pap {
        encryption_scheme = "auto"
        auto_header = no
    }
    Module: Linked to module rlm_chap
    Module: Instantiating module "chap" from file /etc/freeradius/radiusd.conf
    Module: Linked to module rlm_pam
    Module: Instantiating module "pam" from file /etc/freeradius/radiusd.conf
    pam {
        pam_auth = "radiusd"
    }
    Module: Linked to module rlm_eap
    Module: Instantiating module "eap" from file /etc/freeradius/eap.conf
    eap {
        default_eap_type = "ttls"
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
    }
    Module: Linked to sub-module rlm_eap_md5
    Module: Instantiating eap-md5
    Module: Linked to sub-module rlm_eap_leap
    Module: Instantiating eap-leap
    Module: Linked to sub-module rlm_eap_gtc
    Module: Instantiating eap-gtc
    gtc {
        challenge = "Password: "
        auth_type = "PAP"
    }
    Module: Linked to sub-module rlm_eap_tls
    Module: Instantiating eap-tls
    tls {
        rsa_key_exchange = no
        dh_key_exchange = yes
        rsa_key_length = 512
        dh_key_length = 512
        verify_depth = 0
        pem_file_type = yes
        private_key_file = "/etc/ssl/private/-removed-_generic.key"
        certificate_file = "/etc/ssl/certs/-removed-_generic.crt"
        CA_file = "/etc/ssl/certs/-removed-_ca.crt"
        dh_file = "/etc/freeradius/certs/dh"
        random_file = "/dev/urandom"
        fragment_size = 1024
        include_length = yes
        check_crl = no
        cipher_list = "DEFAULT"
        make_cert_command = "/etc/freeradius/certs/bootstrap"
        cache {
            enable = no
            lifetime = 24
            max_entries = 255
        }
    }
    Module: Linked to sub-module rlm_eap_ttls
    Module: Instantiating eap-ttls
    ttls {
        default_eap_type = "md5"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
    }
    Module: Linked to sub-module rlm_eap_peap
    Module: Instantiating eap-peap
    peap {
        default_eap_type = "mschapv2"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }
    Module: Linked to sub-module rlm_eap_mschapv2
    Module: Instantiating eap-mschapv2
    mschapv2 {
        with_ntdomain_hack = no
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_realm
    Module: Instantiating module "suffix" from file /etc/freeradius/radiusd.conf
    realm suffix {
        format = "suffix"
        delimiter = "@"
        ignore_default = no
        ignore_null = no
    }
    Module: Linked to module rlm_files
    Module: Instantiating module "files" from file /etc/freeradius/radiusd.conf
    files {
        usersfile = "/etc/freeradius/users"
        acctusersfile = "/etc/freeradius/acct_users"
        preproxy_usersfile = "/etc/freeradius/preproxy_users"
        compat = "no"
    }
    Module: Checking session {...} for more modules to load
    Module: Linked to module rlm_radutmp
    Module: Instantiating module "radutmp" from file /etc/freeradius/radiusd.conf
    radutmp {
        filename = "/var/log/freeradius/radutmp"
        username = "%{User-Name}"
        case_sensitive = yes
        check_with_nas = yes
        perm = 384
        callerid = yes
    }
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
    Module: Linked to module rlm_attr_filter
    Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/radiusd.conf
    attr_filter attr_filter.access_reject {
        attrsfile = "/etc/freeradius/attrs.access_reject"
        key = "%{User-Name}"
    }
} # modules
} # server
server { # from file /etc/freeradius/radiusd.conf
modules {
    Module: Checking authenticate {...} for more modules to load
    Module: Linked to module rlm_digest
    Module: Instantiating module "digest" from file /etc/freeradius/radiusd.conf
    Module: Linked to module rlm_unix
    Module: Instantiating module "unix" from file /etc/freeradius/radiusd.conf
    unix {
        radwtmp = "/var/log/freeradius/radwtmp"
    }
    Module: Checking authorize {...} for more modules to load
    Module: Linked to module rlm_preprocess
    Module: Instantiating module "preprocess" from file /etc/freeradius/radiusd.conf
    preprocess {
        huntgroups = "/etc/freeradius/huntgroups"
        hints = "/etc/freeradius/hints"
        with_ascend_hack = no
        ascend_channels_per_line = 23
        with_ntdomain_hack = no
        with_specialix_jetstream_hack = no
        with_cisco_vsa_hack = no
        with_alvarion_vsa_hack = no
    }
    Module: Checking preacct {...} for more modules to load
    Module: Linked to module rlm_acct_unique
    Module: Instantiating module "acct_unique" from file /etc/freeradius/radiusd.conf
    acct_unique {
        key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port"
    }
    Module: Checking accounting {...} for more modules to load
    Module: Linked to module rlm_detail
    Module: Instantiating module "detail" from file /etc/freeradius/radiusd.conf
    detail {
        detailfile = "/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
        header = "%t"
        detailperm = 384
        dirperm = 493
        locking = no
        log_packet_header = no
    }
    Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/radiusd.conf
    attr_filter attr_filter.accounting_response {
        attrsfile = "/etc/freeradius/attrs.accounting_response"
        key = "%{User-Name}"
    }
    Module: Checking session {...} for more modules to load
    Module: Checking post-proxy {...} for more modules to load
    Module: Checking post-auth {...} for more modules to load
} # modules
} # server
radiusd: #### Opening IP addresses and Ports ####
listen {
    type = "auth"
    ipaddr = *
    port = 0
}
listen {
    type = "acct"
    ipaddr = *
    port = 0
}
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=28, length=139
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-27-22-12-59-1F:Helio"
    Calling-Station-Id = "00-1F-3A-25-62-B3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x02a600090174657374
    Message-Authenticator = 0xf0a3cd406f5b38050aae2efd796bd150
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 166 length 9
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 28 to -REMOVED- port 2048
    EAP-Message = 0x01a700061520
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x71e0a8b07147bdedb47e6a205d08c074
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=29, length=154
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-27-22-12-59-1F:Helio"
    Calling-Station-Id = "00-1F-3A-25-62-B3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x02a700060319
    State = 0x71e0a8b07147bdedb47e6a205d08c074
    Message-Authenticator = 0x941f56eedd5fd79424f5a78073c48749
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 167 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry DEFAULT at line 222
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/peap
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 29 to -REMOVED- port 2048
    EAP-Message = 0x01a800061920
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x71e0a8b07048b1edb47e6a205d08c074
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=30, length=266
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-27-22-12-59-1F:Helio"
    Calling-Station-Id = "00-1F-3A-25-62-B3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x02a8007619800000006c16030100670100006303014fbcf94545d3023dee569705aee1ec705dcdef5a8a6665f7c2f20dca50f6aca2000018002f00350005000ac013c014c009c00a003200380013000401000022ff0100010000000009000700000474657374000a0006000400170018000b00020100
    State = 0x71e0a8b07048b1edb47e6a205d08c074
    Message-Authenticator = 0x4487ab715ace2b169a8b6e84f5139e21
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 168 length 118
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 108
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap] <<< TLS 1.0 Handshake [length 0067], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap] >>> TLS 1.0 Handshake [length 0031], ServerHello
[peap] TLS_accept: SSLv3 write server hello A
[peap] >>> TLS 1.0 Handshake [length 08fb], Certificate
[peap] TLS_accept: SSLv3 write certificate A
[peap] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[peap] TLS_accept: SSLv3 write server done A
[peap] TLS_accept: SSLv3 flush data
[peap] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 30 to -REMOVED- port 2048
    EAP-Message = 0x9301579b39f9d8ddd10c6cbc
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x71e0a8b07349b1edb47e6a205d08c074
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=31, length=154
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-27-22-12-59-1F:Helio"
    Calling-Station-Id = "00-1F-3A-25-62-B3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x02a900061900
    State = 0x71e0a8b07349b1edb47e6a205d08c074
    Message-Authenticator = 0x98e8a0ace30ceb08bbb1d7f2ba55bf90
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 169 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 31 to -REMOVED- port 2048
    EAP-Message = 0x6974792033311e30
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x71e0a8b0724ab1edb47e6a205d08c074
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=32, length=154
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-27-22-12-59-1F:Helio"
    Calling-Station-Id = "00-1F-3A-25-62-B3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x02aa00061900
    State = 0x71e0a8b0724ab1edb47e6a205d08c074
    Message-Authenticator = 0xcc80b68891296025aae224e56db19f21
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 170 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] Received TLS ACK
[peap] ACK handshake fragment handler
[peap] eaptls_verify returned 1
[peap] eaptls_process returned 13
[peap] EAPTLS_HANDLED
++[eap] returns handled
Sending Access-Challenge of id 32 to -REMOVED- port 2048
    EAP-Message = 0x15eab2013e8a4e22dff0415f321de688d820ff72d7c470519296b9e7f384a54da3ca3da6f30b4cab50d2bee1ab870f73acbe679145b16c7896e0b1c07d686a63b1cbd8d030f34b95ace9bbf0668c8671de816516030100040e000000
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0x71e0a8b0754bb1edb47e6a205d08c074
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host -REMOVED- port 2048, id=33, length=165
    User-Name = "test"
    NAS-Port = 0
    Called-Station-Id = "00-27-22-12-59-1F:Helio"
    Calling-Station-Id = "00-1F-3A-25-62-B3"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 0Mbps 802.11"
    EAP-Message = 0x02ab001119800000000715030100020230
    State = 0x71e0a8b0754bb1edb47e6a205d08c074
    Message-Authenticator = 0xd2c0db5aa72047e9f4909baa4447796e
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 171 length 17
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 7
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
    TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[peap] eaptls_process returned 4
[peap] EAPTLS_OTHERS
[eap] Handler failed in EAP/peap
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect (TLS Alert read:fatal:unknown CA): [test] (from client -REMOVED- port 0 cli 00-1F-3A-25-62-B3)
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> test
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 33 to -REMOVED- port 2048
    EAP-Message = 0x04ab0004
    Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
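
Added example, not part of the original post or of FreeRADIUS: a small Python decoder for the client-side EAP-Message values in the log above, showing the Nak in which the Windows client asks for PEAP and the fatal unknown_ca TLS alert it sends after receiving the server certificate. The function name decode_eap and the lookup tables are illustrative assumptions; the hex strings are copied from the log.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}            # methods that use the EAP-TLS style framing
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS alert descriptions that relate to certificate validation
ALERTS = {42: "bad_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}

def decode_eap(hexstr):
    """Decode one complete EAP packet given as the hex of an EAP-Message value.

    A packet split over several EAP-Message attributes must be joined first.
    """
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field %d != %d bytes supplied" % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length == 4:                 # Success/Failure carry no type or data
        return out
    etype, data = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(etype, etype)
    if etype == 1:
        out["identity"] = data.decode("utf-8", "replace")
    elif etype == 3:                # Nak lists the methods the peer will accept
        out["wants"] = [EAP_TYPES.get(t, t) for t in data]
    elif etype in TLS_BASED and data:
        flags, body = data[0], data[1:]
        out["start"] = bool(flags & 0x20)
        out["more_fragments"] = bool(flags & 0x40)
        if flags & 0x80:            # L bit: 4-byte total TLS message length follows
            if len(body) < 4:
                raise ValueError("truncated TLS length field")
            out["tls_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        # Plaintext alert record: type 21, version (2 bytes), length 2, level, description.
        # Alerts sent after ChangeCipherSpec are encrypted and will not match here.
        if len(body) >= 7 and body[0] == 21 and body[3:5] == b"\x00\x02":
            out["alert"] = (ALERT_LEVELS.get(body[5], body[5]),
                            ALERTS.get(body[6], body[6]))
    return out

# Client-side EAP-Message values copied from the debug log in this post
CLIENT_MESSAGES = [
    "0x02a600090174657374",                  # request 0 (id=28)
    "0x02a700060319",                        # request 1 (id=29)
    "0x02a900061900",                        # request 3 (id=31)
    "0x02ab001119800000000715030100020230",  # request 5 (id=33)
]

if __name__ == "__main__":
    for msg in CLIENT_MESSAGES:
        print(decode_eap(msg))
```
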