Radius eap- tls certificate failure


Radius eap- tls certificate failure

Dominique
I hope someone can help me out. I have an Ubuntu server with FreeRADIUS where I am authenticating wired cameras with EAP-TLS. I have made a CA, server and client certificate and it works fine, but only on one camera; when I try to do the same on the second camera (same brand, model and fw) I get a handshake failure. Any idea what the problem can be? Hope to hear from you; if you need any information, let me know.

Thanks already.

Dominique
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Radius eap- tls certificate failure

Alan DeKok-2
On Jan 28, 2019, at 2:52 PM, Dominique der <[hidden email]> wrote:
>
> I hope someone can help me out. I have an Ubuntu server with FreeRADIUS where I am authenticating wired cameras with EAP-TLS. I have made a CA, server and client certificate and it works fine, but only on one camera; when I try to do the same on the second camera (same brand, model and fw) I get a handshake failure. Any idea what the problem can be? Hope to hear from you; if you need any information, let me know.

  The information we need is listed here:  http://wiki.freeradius.org/list-help .  That URL is in the email message you get when joining the list.

  The short answer is that a "handshake failure" could be anything.  We need *specific* error messages.  The kind that the debug output produces.  A vague description isn't enough.

  What is *likely* happening is that the second camera doesn't have the correct certificates installed.  So, go do that.

  If the correct certificates are installed, ask the camera manufacturer how their product works.

  Alan DeKok.



Radius eap- tls certificate failure

Dominique
I keep getting the same error message:

eap_tls: ERROR: TLS alert: fatal : bad certificate
eap_tls: ERROR: failed in __FUNCTION__ (SSL_read): error 14094412:SSL routines:ssl3_read_bytes: sslv3 alert bad certificate
eap_tls: ERROR: System call (I/O) error (-1)
eap_tls: ERROR: TLS receive handshake failed during operation
eap_tls: ERROR: [eaptls process] = fail
eap_tls: ERROR: failed continuing EAP TLS (13) session. EAP sub module failed.


The other camera works fine. I made the certificates the same way; I need to create a CSR in the camera, and it is all identical.

Regards Dominique


Re: Radius eap- tls certificate failure

Alan DeKok-2


> On Jan 29, 2019, at 9:10 AM, Dominique der <[hidden email]> wrote:
>
> I keep getting the same error message:
>
> eap_tls: ERROR: TLS alert: fatal : bad certificate
> eap_tls: ERROR: failed in __FUNCTION__ (SSL_read): error 14094412:SSL routines:ssl3_read_bytes: sslv3 alert bad certificate

  "bad certificate" isn't "handshake failure", is it?

  This is what computers are about.  Details matter.

  And you're still deleting most of the debug output.  So it's not clear if the alert is coming from the server, or from the client.

  I could ask *why* you're doing this.  But you've been told repeatedly to follow the docs, and haven't.

> The other camera works fine. I made the certificates the same way; I need to create a CSR in the camera, and it is all identical.

  Ask the camera manufacturer why their product is broken.

  We can't help you.

  Alan DeKok.



Radius eap- tls certificate failure

Dominique
Dear Alan, you are right; my apologies, I have read the guide 😊

What I am trying to do is make EAP-TLS certificates work on a closed (LAN) camera network with a self-made CA, server and client certificates. I made the certificates as follows.
openssl genrsa -out rootCA_V1.0.key 2048
openssl req -x509 -new -nodes -key rootCA_V1.0.key -sha256 -days 1024 -out rootCA_V1.0.pem

Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:CA
Email Address []:.


Then I made a server certificate as follows.

openssl genrsa -out SRV_V1.0.key 2048
openssl req -new -key SRV_V1.0.key -out SRV_V1.0.csr
Country Name (2 letter code) [AU]:NL
State or Province Name (full name) [Some-State]:.
Locality Name (eg, city) []:.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:.
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:SERVER
Email Address []:.

openssl x509 -req -in SRV_V1.0.csr -CA rootCA_V1.0.pem -CAkey rootCA_V1.0.key -CAcreateserial -out SRV_V1.0.crt -days 500 -sha256


Then I made a client certificate as follows.
In the camera (Bosch) I have to create a CSR, where I have to enter the same answers to the questions as above except the CN, for which I entered Cam4.
Then I copied the output into a txt file and changed the extension to .csr.
openssl x509 -req -in cam4.csr -CA rootCA_V1.0.pem -CAkey rootCA_V1.0.key -CAcreateserial -out cam4.crt -days 500 -sha256

I dropped the CA and client certificates into the camera, where I chose the CA as EAP-TLS and the client as EAP-TLS client. In the specs of the camera I found the following info:
the camera supports 802.1x network verification with EAP/TLS and TLS 1.2 including AES 256 encryption.
Then I dropped the CA and server certificates into the certs folder in "/etc/freeradius/3.0/certs/".
I made a test with multiple cameras but only one works. I used all the same cameras, so my guess is that one camera has a defect that happens to work in my favour, because the other four cameras are not working; with all the other cameras I get the error that's in the debug below.



FreeRADIUS Version 3.0.16

Copyright (C) 1999-2017 The FreeRADIUS server project and contributors

There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A

PARTICULAR PURPOSE

You may redistribute copies of FreeRADIUS under the terms of the

GNU General Public License

For more information about these matters, see the file named COPYRIGHT

Starting - reading configuration files ...

including dictionary file /usr/share/freeradius/dictionary

including dictionary file /usr/share/freeradius/dictionary.dhcp

including dictionary file /usr/share/freeradius/dictionary.vqp

including dictionary file /etc/freeradius/3.0/dictionary

including configuration file /etc/freeradius/3.0/radiusd.conf

including configuration file /etc/freeradius/3.0/proxy.conf

including configuration file /etc/freeradius/3.0/clients.conf

including files in directory /etc/freeradius/3.0/mods-enabled/

including configuration file /etc/freeradius/3.0/mods-enabled/expiration

including configuration file /etc/freeradius/3.0/mods-enabled/chap

including configuration file /etc/freeradius/3.0/mods-enabled/mschap

including configuration file /etc/freeradius/3.0/mods-enabled/linelog

including configuration file /etc/freeradius/3.0/mods-enabled/digest

including configuration file /etc/freeradius/3.0/mods-enabled/soh

including configuration file /etc/freeradius/3.0/mods-enabled/files

including configuration file /etc/freeradius/3.0/mods-enabled/detail.log

including configuration file /etc/freeradius/3.0/mods-enabled/radutmp

including configuration file /etc/freeradius/3.0/mods-enabled/preprocess

including configuration file /etc/freeradius/3.0/mods-enabled/echo

including configuration file /etc/freeradius/3.0/mods-enabled/realm

including configuration file /etc/freeradius/3.0/mods-enabled/always

including configuration file /etc/freeradius/3.0/mods-enabled/sradutmp

including configuration file /etc/freeradius/3.0/mods-enabled/logintime

including configuration file /etc/freeradius/3.0/mods-enabled/cache_eap

including configuration file /etc/freeradius/3.0/mods-enabled/pap

including configuration file /etc/freeradius/3.0/mods-enabled/utf8

including configuration file /etc/freeradius/3.0/mods-enabled/exec

including configuration file /etc/freeradius/3.0/mods-enabled/dynamic_clients

including configuration file /etc/freeradius/3.0/mods-enabled/attr_filter

including configuration file /etc/freeradius/3.0/mods-enabled/ntlm_auth

including configuration file /etc/freeradius/3.0/mods-enabled/passwd

including configuration file /etc/freeradius/3.0/mods-enabled/unpack

including configuration file /etc/freeradius/3.0/mods-enabled/replicate

including configuration file /etc/freeradius/3.0/mods-enabled/unix

including configuration file /etc/freeradius/3.0/mods-enabled/expr

including configuration file /etc/freeradius/3.0/mods-enabled/detail

including configuration file /etc/freeradius/3.0/mods-enabled/eap

including files in directory /etc/freeradius/3.0/policy.d/

including configuration file /etc/freeradius/3.0/policy.d/control

including configuration file /etc/freeradius/3.0/policy.d/abfab-tr

including configuration file /etc/freeradius/3.0/policy.d/filter

including configuration file /etc/freeradius/3.0/policy.d/canonicalization

including configuration file /etc/freeradius/3.0/policy.d/debug

including configuration file /etc/freeradius/3.0/policy.d/cui

including configuration file /etc/freeradius/3.0/policy.d/moonshot-targeted-ids

including configuration file /etc/freeradius/3.0/policy.d/accounting

including configuration file /etc/freeradius/3.0/policy.d/operator-name

including configuration file /etc/freeradius/3.0/policy.d/dhcp

including configuration file /etc/freeradius/3.0/policy.d/eap

including files in directory /etc/freeradius/3.0/sites-enabled/

including configuration file /etc/freeradius/3.0/sites-enabled/default

including configuration file /etc/freeradius/3.0/sites-enabled/inner-tunnel

main {

security {

           user = "freerad"

           group = "freerad"

           allow_core_dumps = no

}

            name = "freeradius"

            prefix = "/usr"

            localstatedir = "/var"

            logdir = "/var/log/freeradius"

            run_dir = "/var/run/freeradius"

}

main {

            name = "freeradius"

            prefix = "/usr"

            localstatedir = "/var"

            sbindir = "/usr/sbin"

            logdir = "/var/log/freeradius"

            run_dir = "/var/run/freeradius"

            libdir = "/usr/lib/freeradius"

            radacctdir = "/var/log/freeradius/radacct"

            hostname_lookups = no

            max_request_time = 30

            cleanup_delay = 5

            max_requests = 16384

            pidfile = "/var/run/freeradius/freeradius.pid"

            checkrad = "/usr/sbin/checkrad"

            debug_level = 0

            proxy_requests = yes

log {

           stripped_names = no

           auth = no

           auth_badpass = no

           auth_goodpass = no

           colourise = yes

           msg_denied = "You are already logged in - access denied"

}

resources {

}

security {

           max_attributes = 200

           reject_delay = 1.000000

           status_server = yes

}

}

radiusd: #### Loading Realms and Home Servers ####

proxy server {

           retry_delay = 5

           retry_count = 3

           default_fallback = no

           dead_time = 120

           wake_all_if_all_dead = no

}

home_server localhost {

           ipaddr = 127.0.0.1

           port = 1812

           type = "auth"

           secret = <<< secret >>>

           response_window = 20.000000

           response_timeouts = 1

           max_outstanding = 65536

           zombie_period = 40

           status_check = "status-server"

           ping_interval = 30

           check_interval = 30

           check_timeout = 4

           num_answers_to_alive = 3

           revive_interval = 120

  limit {

            max_connections = 16

            max_requests = 0

            lifetime = 0

            idle_timeout = 0

  }

  coa {

            irt = 2

            mrt = 16

            mrc = 5

            mrd = 30

  }

}

home_server_pool my_auth_failover {

            type = fail-over

            home_server = localhost

}

realm example.com {

            auth_pool = my_auth_failover

}

realm LOCAL {

}

radiusd: #### Loading Clients ####

client localhost {

           ipaddr = 127.0.0.1

           require_message_authenticator = no

           secret = <<< secret >>>

           nas_type = "other"

           proto = "*"

  limit {

           max_connections = 16

            lifetime = 0

            idle_timeout = 30

  }

}

client localhost_ipv6 {

           ipv6addr = ::1

           require_message_authenticator = no

           secret = <<< secret >>>

  limit {

            max_connections = 16

            lifetime = 0

            idle_timeout = 30

  }

}

client private-network-1 {

           ipaddr = 192.168.0.239

           require_message_authenticator = no

           secret = <<< secret >>>

  limit {

            max_connections = 16

            lifetime = 0

            idle_timeout = 30

  }

}

Debugger not attached

# Creating Auth-Type = mschap

# Creating Auth-Type = digest

# Creating Auth-Type = eap

# Creating Auth-Type = PAP

# Creating Auth-Type = CHAP

# Creating Auth-Type = MS-CHAP

radiusd: #### Instantiating modules ####

modules {

  # Loaded module rlm_expiration

  # Loading module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration

  # Loaded module rlm_chap

  # Loading module "chap" from file /etc/freeradius/3.0/mods-enabled/chap

  # Loaded module rlm_mschap

  # Loading module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap

  mschap {

            use_mppe = yes

            require_encryption = no

            require_strong = no

            with_ntdomain_hack = yes

   passchange {

   }

            allow_retry = yes

            winbind_retry_with_normalised_username = no

  }

  # Loaded module rlm_linelog

  # Loading module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog

  linelog {

            filename = "/var/log/freeradius/linelog"

            escape_filenames = no

            syslog_severity = "info"

            permissions = 384

            format = "This is a log message for %{User-Name}"

            reference = "messages.%{%{reply:Packet-Type}:-default}"

  }

  # Loading module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog

  linelog log_accounting {

            filename = "/var/log/freeradius/linelog-accounting"

            escape_filenames = no

            syslog_severity = "info"

            permissions = 384

            format = ""

            reference = "Accounting-Request.%{%{Acct-Status-Type}:-unknown}"

  }

  # Loaded module rlm_digest

  # Loading module "digest" from file /etc/freeradius/3.0/mods-enabled/digest

  # Loaded module rlm_soh

  # Loading module "soh" from file /etc/freeradius/3.0/mods-enabled/soh

  soh {

            dhcp = yes

  }

  # Loaded module rlm_files

  # Loading module "files" from file /etc/freeradius/3.0/mods-enabled/files

  files {

            filename = "/etc/freeradius/3.0/mods-config/files/authorize"

            acctusersfile = "/etc/freeradius/3.0/mods-config/files/accounting"

            preproxy_usersfile = "/etc/freeradius/3.0/mods-config/files/pre-proxy"

  }

  # Loaded module rlm_detail

  # Loading module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  detail auth_log {

            filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d"

            header = "%t"

            permissions = 384

            locking = no

            escape_filenames = no

            log_packet_header = no

  }

  # Loading module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  detail reply_log {

            filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/reply-detail-%Y%m%d"

            header = "%t"

            permissions = 384

            locking = no

            escape_filenames = no

            log_packet_header = no

  }

  # Loading module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  detail pre_proxy_log {

            filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d"

            header = "%t"

            permissions = 384

            locking = no

            escape_filenames = no

            log_packet_header = no

  }

  # Loading module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  detail post_proxy_log {

            filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/post-proxy-detail-%Y%m%d"

            header = "%t"

            permissions = 384

            locking = no

            escape_filenames = no

            log_packet_header = no

  }

  # Loaded module rlm_radutmp

  # Loading module "radutmp" from file /etc/freeradius/3.0/mods-enabled/radutmp

  radutmp {

            filename = "/var/log/freeradius/radutmp"

            username = "%{User-Name}"

            case_sensitive = yes

            check_with_nas = yes

            permissions = 384

            caller_id = yes

  }

  # Loaded module rlm_preprocess

  # Loading module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess

  preprocess {

            huntgroups = "/etc/freeradius/3.0/mods-config/preprocess/huntgroups"

            hints = "/etc/freeradius/3.0/mods-config/preprocess/hints"

            with_ascend_hack = no

            ascend_channels_per_line = 23

            with_ntdomain_hack = no

            with_specialix_jetstream_hack = no

            with_cisco_vsa_hack = no

            with_alvarion_vsa_hack = no

  }

  # Loaded module rlm_exec

  # Loading module "echo" from file /etc/freeradius/3.0/mods-enabled/echo

  exec echo {

            wait = yes

            program = "/bin/echo %{User-Name}"

            input_pairs = "request"

            output_pairs = "reply"

            shell_escape = yes

  }

  # Loaded module rlm_realm

  # Loading module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm

  realm IPASS {

            format = "prefix"

            delimiter = "/"

            ignore_default = no

            ignore_null = no

  }

  # Loading module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm

  realm suffix {

            format = "suffix"

            delimiter = "@"

            ignore_default = no

            ignore_null = no

  }

  # Loading module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm

  realm realmpercent {

            format = "suffix"

            delimiter = "%"

            ignore_default = no

            ignore_null = no

  }

  # Loading module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm

  realm ntdomain {

            format = "prefix"

            delimiter = "\\"

            ignore_default = no

            ignore_null = no

  }

  # Loaded module rlm_always

  # Loading module "reject" from file /etc/freeradius/3.0/mods-enabled/always

  always reject {

            rcode = "reject"

            simulcount = 0

            mpp = no

  }

  # Loading module "fail" from file /etc/freeradius/3.0/mods-enabled/always

  always fail {

            rcode = "fail"

            simulcount = 0

            mpp = no

  }

  # Loading module "ok" from file /etc/freeradius/3.0/mods-enabled/always

  always ok {

            rcode = "ok"

            simulcount = 0

            mpp = no

  }

  # Loading module "handled" from file /etc/freeradius/3.0/mods-enabled/always

  always handled {

            rcode = "handled"

            simulcount = 0

            mpp = no

  }

  # Loading module "invalid" from file /etc/freeradius/3.0/mods-enabled/always

  always invalid {

            rcode = "invalid"

            simulcount = 0

            mpp = no

  }

  # Loading module "userlock" from file /etc/freeradius/3.0/mods-enabled/always

  always userlock {

            rcode = "userlock"

            simulcount = 0

            mpp = no

  }

  # Loading module "notfound" from file /etc/freeradius/3.0/mods-enabled/always

  always notfound {

            rcode = "notfound"

            simulcount = 0

            mpp = no

  }

  # Loading module "noop" from file /etc/freeradius/3.0/mods-enabled/always

  always noop {

            rcode = "noop"

            simulcount = 0

            mpp = no

  }

  # Loading module "updated" from file /etc/freeradius/3.0/mods-enabled/always

  always updated {

            rcode = "updated"

            simulcount = 0

           mpp = no

  }

  # Loading module "sradutmp" from file /etc/freeradius/3.0/mods-enabled/sradutmp

  radutmp sradutmp {

            filename = "/var/log/freeradius/sradutmp"

            username = "%{User-Name}"

            case_sensitive = yes

            check_with_nas = yes

            permissions = 420

            caller_id = no

  }

  # Loaded module rlm_logintime

  # Loading module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime

  logintime {

            minimum_timeout = 60

  }

  # Loaded module rlm_cache

  # Loading module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap

  cache cache_eap {

            driver = "rlm_cache_rbtree"

            key = "%{%{control:State}:-%{%{reply:State}:-%{State}}}"

            ttl = 15

            max_entries = 0

            epoch = 0

            add_stats = no

  }

  # Loaded module rlm_pap

  # Loading module "pap" from file /etc/freeradius/3.0/mods-enabled/pap

  pap {

            normalise = yes

  }

  # Loaded module rlm_utf8

  # Loading module "utf8" from file /etc/freeradius/3.0/mods-enabled/utf8

  # Loading module "exec" from file /etc/freeradius/3.0/mods-enabled/exec

  exec {

            wait = no

            input_pairs = "request"

            shell_escape = yes

            timeout = 10

  }

  # Loaded module rlm_dynamic_clients

  # Loading module "dynamic_clients" from file /etc/freeradius/3.0/mods-enabled/dynamic_clients

  # Loaded module rlm_attr_filter

  # Loading module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

  attr_filter attr_filter.post-proxy {

            filename = "/etc/freeradius/3.0/mods-config/attr_filter/post-proxy"

            key = "%{Realm}"

            relaxed = no

  }

  # Loading module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

  attr_filter attr_filter.pre-proxy {

            filename = "/etc/freeradius/3.0/mods-config/attr_filter/pre-proxy"

            key = "%{Realm}"

            relaxed = no

  }

  # Loading module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter

  attr_filter attr_filter.access_reject {

            filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_reject"

            key = "%{User-Name}"

            relaxed = no

  }

  # Loading module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter

  attr_filter attr_filter.access_challenge {

            filename = "/etc/freeradius/3.0/mods-config/attr_filter/access_challenge"

            key = "%{User-Name}"

            relaxed = no

  }

  # Loading module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter

  attr_filter attr_filter.accounting_response {

            filename = "/etc/freeradius/3.0/mods-config/attr_filter/accounting_response"

            key = "%{User-Name}"

            relaxed = no

  }

  # Loading module "ntlm_auth" from file /etc/freeradius/3.0/mods-enabled/ntlm_auth

  exec ntlm_auth {

            wait = yes

            program = "/path/to/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"

            shell_escape = yes

  }

  # Loaded module rlm_passwd

  # Loading module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd

  passwd etc_passwd {

            filename = "/etc/passwd"

            format = "*User-Name:Crypt-Password:"

            delimiter = ":"

            ignore_nislike = no

            ignore_empty = yes

            allow_multiple_keys = no

            hash_size = 100

  }

  # Loaded module rlm_unpack

  # Loading module "unpack" from file /etc/freeradius/3.0/mods-enabled/unpack

  # Loaded module rlm_replicate

  # Loading module "replicate" from file /etc/freeradius/3.0/mods-enabled/replicate

  # Loaded module rlm_unix

  # Loading module "unix" from file /etc/freeradius/3.0/mods-enabled/unix

  unix {

            radwtmp = "/var/log/freeradius/radwtmp"

  }

Creating attribute Unix-Group

  # Loaded module rlm_expr

  # Loading module "expr" from file /etc/freeradius/3.0/mods-enabled/expr

  expr {

            safe_characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /äéöüàâæçèéêëîïôœùûüaÿÄÉÖÜßÀÂÆÇÈÉÊËÎÏÔŒÙÛÜŸ"

  }

  # Loading module "detail" from file /etc/freeradius/3.0/mods-enabled/detail

  detail {

            filename = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"

            header = "%t"

            permissions = 384

            locking = no

            escape_filenames = no

            log_packet_header = no

  }

  # Loaded module rlm_eap

  # Loading module "eap" from file /etc/freeradius/3.0/mods-enabled/eap

  eap {

            default_eap_type = "tls"

            timer_expire = 160

            ignore_unknown_eap_types = no

            cisco_accounting_username_bug = no

            max_sessions = 16384

  }

  instantiate {

  }

  # Instantiating module "expiration" from file /etc/freeradius/3.0/mods-enabled/expiration

  # Instantiating module "mschap" from file /etc/freeradius/3.0/mods-enabled/mschap

rlm_mschap (mschap): using internal authentication

  # Instantiating module "linelog" from file /etc/freeradius/3.0/mods-enabled/linelog

  # Instantiating module "log_accounting" from file /etc/freeradius/3.0/mods-enabled/linelog

  # Instantiating module "files" from file /etc/freeradius/3.0/mods-enabled/files

reading pairlist file /etc/freeradius/3.0/mods-config/files/authorize

reading pairlist file /etc/freeradius/3.0/mods-config/files/accounting

reading pairlist file /etc/freeradius/3.0/mods-config/files/pre-proxy

  # Instantiating module "auth_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

rlm_detail (auth_log): 'User-Password' suppressed, will not appear in detail output

  # Instantiating module "reply_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  # Instantiating module "pre_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  # Instantiating module "post_proxy_log" from file /etc/freeradius/3.0/mods-enabled/detail.log

  # Instantiating module "preprocess" from file /etc/freeradius/3.0/mods-enabled/preprocess

reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/huntgroups

reading pairlist file /etc/freeradius/3.0/mods-config/preprocess/hints

  # Instantiating module "IPASS" from file /etc/freeradius/3.0/mods-enabled/realm

  # Instantiating module "suffix" from file /etc/freeradius/3.0/mods-enabled/realm

  # Instantiating module "realmpercent" from file /etc/freeradius/3.0/mods-enabled/realm

  # Instantiating module "ntdomain" from file /etc/freeradius/3.0/mods-enabled/realm

  # Instantiating module "reject" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "fail" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "ok" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "handled" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "invalid" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "userlock" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "notfound" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "noop" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "updated" from file /etc/freeradius/3.0/mods-enabled/always

  # Instantiating module "logintime" from file /etc/freeradius/3.0/mods-enabled/logintime

  # Instantiating module "cache_eap" from file /etc/freeradius/3.0/mods-enabled/cache_eap

rlm_cache (cache_eap): Driver rlm_cache_rbtree (module rlm_cache_rbtree) loaded and linked

  # Instantiating module "pap" from file /etc/freeradius/3.0/mods-enabled/pap

  # Instantiating module "attr_filter.post-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/post-proxy

  # Instantiating module "attr_filter.pre-proxy" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/pre-proxy

  # Instantiating module "attr_filter.access_reject" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_reject

[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay"             found in filter list for realm "DEFAULT".

[/etc/freeradius/3.0/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".

  # Instantiating module "attr_filter.access_challenge" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/access_challenge

  # Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/3.0/mods-enabled/attr_filter

reading pairlist file /etc/freeradius/3.0/mods-config/attr_filter/accounting_response

  # Instantiating module "etc_passwd" from file /etc/freeradius/3.0/mods-enabled/passwd

rlm_passwd: nfields: 3 keyfield 0(User-Name) listable: no

  # Instantiating module "detail" from file /etc/freeradius/3.0/mods-enabled/detail

  # Instantiating module "eap" from file /etc/freeradius/3.0/mods-enabled/eap

   # Linked to sub-module rlm_eap_md5

   # Linked to sub-module rlm_eap_leap

   # Linked to sub-module rlm_eap_gtc

   gtc {

            challenge = "Password: "

            auth_type = "PAP"

   }

   # Linked to sub-module rlm_eap_tls

   tls {

            tls = "tls-common"

   }

   tls-config tls-common {

            verify_depth = 0

            ca_path = "/etc/freeradius/3.0/certs"

            pem_file_type = yes

            private_key_file = "/etc/freeradius/3.0/certs/SRV_V1.0.key"

            certificate_file = "/etc/freeradius/3.0/certs/SRV_V1.0.crt"

            ca_file = "/etc/freeradius/3.0/certs/rootCA_V1.0.pem"

            dh_file = "/etc/freeradius/3.0/certs/dh"

            fragment_size = 1024

            include_length = yes

            auto_chain = yes

            check_crl = no

            check_all_crl = no

            cipher_list = "ALL:!EXPORT:!eNULL:!SSLv2"

            cipher_server_preference = yes

            ecdh_curve = "prime256v1"

            tls_max_version = "1.2"

            tls_min_version = "1.0"

    cache {

            enable = no

            lifetime = 24

            max_entries = 255

    }

    verify {

            skip_if_ocsp_ok = no

    }

    ocsp {

            enable = no

            override_cert_url = yes

            url = "http://127.0.0.1/ocsp/"

            use_nonce = yes

            timeout = 0

            softfail = no

    }

   }

   # Linked to sub-module rlm_eap_ttls

   ttls {

            tls = "tls-common"

            default_eap_type = "tls"

            copy_request_to_tunnel = no

            use_tunneled_reply = no

            virtual_server = "inner-tunnel"

            include_length = yes

            require_client_cert = no

   }

tls: Using cached TLS configuration from previous invocation

   # Linked to sub-module rlm_eap_peap

   peap {

            tls = "tls-common"

            default_eap_type = "tls"

            copy_request_to_tunnel = no

            use_tunneled_reply = no

            proxy_tunneled_request_as_eap = yes

            virtual_server = "inner-tunnel"

            soh = no

            require_client_cert = no

   }

tls: Using cached TLS configuration from previous invocation

   # Linked to sub-module rlm_eap_mschapv2

   mschapv2 {

            with_ntdomain_hack = no

            send_error = no

   }

} # modules

radiusd: #### Loading Virtual Servers ####

server { # from file /etc/freeradius/3.0/radiusd.conf

} # server

server default { # from file /etc/freeradius/3.0/sites-enabled/default

# Loading authenticate {...}

# Loading authorize {...}

Ignoring "sql" (see raddb/mods-available/README.rst)

Ignoring "ldap" (see raddb/mods-available/README.rst)

# Loading preacct {...}

# Loading accounting {...}

# Loading post-proxy {...}

# Loading post-auth {...}

} # server default

server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel

# Loading authenticate {...}

# Loading authorize {...}

# Loading session {...}

# Loading post-proxy {...}

# Loading post-auth {...}

# Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/3.0/sites-enabled/inner-tunnel:331

} # server inner-tunnel

radiusd: #### Opening IP addresses and Ports ####

listen {

            type = "auth"

            ipaddr = *

            port = 0

   limit {

            max_connections = 16

            lifetime = 0

            idle_timeout = 30

   }

}

listen {

            type = "acct"

            ipaddr = *

            port = 0

   limit {

            max_connections = 16

            lifetime = 0

            idle_timeout = 30

   }

}

listen {

            type = "auth"

            ipv6addr = ::

            port = 0

   limit {

            max_connections = 16

            lifetime = 0

            idle_timeout = 30

   }

}

listen {

            type = "acct"

            ipv6addr = ::

            port = 0

   limit {

            max_connections = 16

            lifetime = 0

            idle_timeout = 30

   }

}

listen {

            type = "auth"

            ipaddr = 127.0.0.1

            port = 18120

}

Listening on auth address * port 1812 bound to server default

Listening on acct address * port 1813 bound to server default

Listening on auth address :: port 1812 bound to server default

Listening on acct address :: port 1813 bound to server default

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel

Listening on proxy address * port 49922

Listening on proxy address :: port 56544

Ready to process requests

(0) Received Access-Request Id 51 from 192.168.0.239:1028 to 192.168.0.222:1812 length 148

(0)   User-Name = "cam5"

(0)   Called-Station-Id = "9c-3d-cf-e3-f6-65"

(0)   Calling-Station-Id = "00-07-5f-a7-9f-13"

(0)   NAS-Identifier = "9c-3d-cf-e3-f6-63"

(0)   NAS-Port = 1

(0)   Framed-MTU = 1500

(0)   NAS-Port-Type = Ethernet

(0)   State = 0xd00877cbd20c7a360a6b89ab4941d679

(0)   EAP-Message = 0x020500090163616d35

(0)   Message-Authenticator = 0x5ce981744bef87aa8e7c2ecd4c87297d

(0) session-state: No cached attributes

(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default

(0)   authorize {

(0)     policy filter_username {

(0)       if (&User-Name) {

(0)       if (&User-Name)  -> TRUE

(0)       if (&User-Name)  {

(0)         if (&User-Name =~ / /) {

(0)         if (&User-Name =~ / /)  -> FALSE

(0)         if (&User-Name =~ /@[^@]*@/ ) {

(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(0)         if (&User-Name =~ /\.\./ ) {

(0)         if (&User-Name =~ /\.\./ )  -> FALSE

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(0)         if (&User-Name =~ /\.$/)  {

(0)         if (&User-Name =~ /\.$/)   -> FALSE

(0)         if (&User-Name =~ /@\./)  {

(0)         if (&User-Name =~ /@\./)   -> FALSE

(0)       } # if (&User-Name)  = notfound

(0)     } # policy filter_username = notfound

(0)     [preprocess] = ok

(0)     [chap] = noop

(0)     [mschap] = noop

(0)     [digest] = noop

(0) suffix: Checking for suffix after "@"

(0) suffix: No '@' in User-Name = "cam5", looking up realm NULL

(0) suffix: No such realm "NULL"

(0)     [suffix] = noop

(0) eap: Peer sent EAP Response (code 2) ID 5 length 9

(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize

(0)     [eap] = ok

(0)   } # authorize = ok

(0) Found Auth-Type = eap

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   authenticate {

(0) eap: Peer sent packet with method EAP Identity (1)

(0) eap: Calling submodule eap_tls to process data

(0) eap_tls: Initiating new EAP-TLS session

(0) eap_tls: Setting verify mode to require certificate from client

(0) eap_tls: [eaptls start] = request

(0) eap: Sending EAP Request (code 1) ID 6 length 6

(0) eap: EAP session adding &reply:State = 0x1b301b2c1b36165c

(0)     [eap] = handled

(0)   } # authenticate = handled

(0) Using Post-Auth-Type Challenge

(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(0)   Challenge { ... } # empty sub-section is ignored

(0) Sent Access-Challenge Id 51 from 192.168.0.222:1812 to 192.168.0.239:1028 length 0

(0)   EAP-Message = 0x010600060d20

(0)   Message-Authenticator = 0x00000000000000000000000000000000

(0)   State = 0x1b301b2c1b36165ca1b3f5c2affdbb31

(0) Finished request

Waking up in 4.9 seconds.

(1) Received Access-Request Id 52 from 192.168.0.239:1028 to 192.168.0.222:1812 length 241

(1)   User-Name = "cam5"

(1)   Called-Station-Id = "9c-3d-cf-e3-f6-65"

(1)   Calling-Station-Id = "00-07-5f-a7-9f-13"

(1)   NAS-Identifier = "9c-3d-cf-e3-f6-63"

(1)   NAS-Port = 1

(1)   Framed-MTU = 1500

(1)   NAS-Port-Type = Ethernet

(1)   State = 0x1b301b2c1b36165ca1b3f5c2affdbb31

(1)   EAP-Message = 0x020600660d800000005c16030300570100005303035b9ce97e5cbff150cf17efe837d59c2f2bd86e090d4dcc9d58364356dd438f7c000012c023c00ac009c027c014003d003c0035002f01000018000d000c000a04010201000104030203000a000400020017

(1)   Message-Authenticator = 0x9cfccae10d6c23328595355295df3638

(1) session-state: No cached attributes

(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default

(1)   authorize {

(1)     policy filter_username {

(1)       if (&User-Name) {

(1)       if (&User-Name)  -> TRUE

(1)       if (&User-Name)  {

(1)         if (&User-Name =~ / /) {

(1)         if (&User-Name =~ / /)  -> FALSE

(1)         if (&User-Name =~ /@[^@]*@/ ) {

(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(1)         if (&User-Name =~ /\.\./ ) {

(1)         if (&User-Name =~ /\.\./ )  -> FALSE

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(1)         if (&User-Name =~ /\.$/)  {

(1)         if (&User-Name =~ /\.$/)   -> FALSE

(1)         if (&User-Name =~ /@\./)  {

(1)         if (&User-Name =~ /@\./)   -> FALSE

(1)       } # if (&User-Name)  = notfound

(1)     } # policy filter_username = notfound

(1)     [preprocess] = ok

(1)     [chap] = noop

(1)     [mschap] = noop

(1)     [digest] = noop

(1) suffix: Checking for suffix after "@"

(1) suffix: No '@' in User-Name = "cam5", looking up realm NULL

(1) suffix: No such realm "NULL"

(1)     [suffix] = noop

(1) eap: Peer sent EAP Response (code 2) ID 6 length 102

(1) eap: No EAP Start, assuming it's an on-going EAP conversation

(1)     [eap] = updated

(1) files: users: Matched entry cam5 at line 87

(1)     [files] = ok

(1)     [expiration] = noop

(1)     [logintime] = noop

(1) pap: WARNING: Auth-Type already set.  Not setting to PAP

(1)     [pap] = noop

(1)   } # authorize = updated

(1) Found Auth-Type = eap

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   authenticate {

(1) eap: Expiring EAP session with state 0x1b301b2c1b36165c

(1) eap: Finished EAP session with state 0x1b301b2c1b36165c

(1) eap: Previous EAP request found for state 0x1b301b2c1b36165c, released from the list

(1) eap: Peer sent packet with method EAP TLS (13)

(1) eap: Calling submodule eap_tls to process data

(1) eap_tls: Continuing EAP-TLS

(1) eap_tls: Peer indicated complete TLS record size will be 92 bytes

(1) eap_tls: Got complete TLS record (92 bytes)

(1) eap_tls: [eaptls verify] = length included

(1) eap_tls: (other): before SSL initialization

(1) eap_tls: TLS_accept: before SSL initialization

(1) eap_tls: TLS_accept: before SSL initialization

(1) eap_tls: <<< recv TLS 1.2  [length 0057]

(1) eap_tls: TLS_accept: SSLv3/TLS read client hello

(1) eap_tls: >>> send TLS 1.2  [length 002a]

(1) eap_tls: TLS_accept: SSLv3/TLS write server hello

(1) eap_tls: >>> send TLS 1.2  [length 05dc]

(1) eap_tls: TLS_accept: SSLv3/TLS write certificate

(1) eap_tls: >>> send TLS 1.2  [length 014d]

(1) eap_tls: TLS_accept: SSLv3/TLS write key exchange

(1) eap_tls: >>> send TLS 1.2  [length 004c]

(1) eap_tls: TLS_accept: SSLv3/TLS write certificate request

(1) eap_tls: >>> send TLS 1.2  [length 0004]

(1) eap_tls: TLS_accept: SSLv3/TLS write server done

(1) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done

(1) eap_tls: In SSL Handshake Phase

(1) eap_tls: In SSL Accept mode

(1) eap_tls: [eaptls process] = handled

(1) eap: Sending EAP Request (code 1) ID 7 length 1004

(1) eap: EAP session adding &reply:State = 0x1b301b2c1a37165c

(1)     [eap] = handled

(1)   } # authenticate = handled

(1) Using Post-Auth-Type Challenge

(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(1)   Challenge { ... } # empty sub-section is ignored

(1) Sent Access-Challenge Id 52 from 192.168.0.222:1812 to 192.168.0.239:1028 length 0

(1)   EAP-Message = 0x010703ec0dc0000007bc160303002a020000260303b2d244ac8ee4502f0c3224e3fcc9df7816bf63699f367a92929a97ac992a230c00c0270016030305dc0b0005d80005d50002b9308202b53082019d020900c1ce0581de11e02e300d06092a864886f70d01010b0500301e310b300906035504061302

(1)   Message-Authenticator = 0x00000000000000000000000000000000

(1)   State = 0x1b301b2c1a37165ca1b3f5c2affdbb31

(1) Finished request

Waking up in 4.9 seconds.

(2) Received Access-Request Id 53 from 192.168.0.239:1028 to 192.168.0.222:1812 length 145

(2)   User-Name = "cam5"

(2)   Called-Station-Id = "9c-3d-cf-e3-f6-65"

(2)   Calling-Station-Id = "00-07-5f-a7-9f-13"

(2)   NAS-Identifier = "9c-3d-cf-e3-f6-63"

(2)   NAS-Port = 1

(2)   Framed-MTU = 1500

(2)   NAS-Port-Type = Ethernet

(2)   State = 0x1b301b2c1a37165ca1b3f5c2affdbb31

(2)   EAP-Message = 0x020700060d00

(2)   Message-Authenticator = 0xc1d68169efdb5821030956d5f03f4249

(2) session-state: No cached attributes

(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default

(2)   authorize {

(2)     policy filter_username {

(2)       if (&User-Name) {

(2)       if (&User-Name)  -> TRUE

(2)       if (&User-Name)  {

(2)         if (&User-Name =~ / /) {

(2)         if (&User-Name =~ / /)  -> FALSE

(2)         if (&User-Name =~ /@[^@]*@/ ) {

(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(2)         if (&User-Name =~ /\.\./ ) {

(2)         if (&User-Name =~ /\.\./ )  -> FALSE

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(2)         if (&User-Name =~ /\.$/)  {

(2)         if (&User-Name =~ /\.$/)   -> FALSE

(2)         if (&User-Name =~ /@\./)  {

(2)         if (&User-Name =~ /@\./)   -> FALSE

(2)       } # if (&User-Name)  = notfound

(2)     } # policy filter_username = notfound

(2)     [preprocess] = ok

(2)     [chap] = noop

(2)     [mschap] = noop

(2)     [digest] = noop

(2) suffix: Checking for suffix after "@"

(2) suffix: No '@' in User-Name = "cam5", looking up realm NULL

(2) suffix: No such realm "NULL"

(2)     [suffix] = noop

(2) eap: Peer sent EAP Response (code 2) ID 7 length 6

(2) eap: No EAP Start, assuming it's an on-going EAP conversation

(2)     [eap] = updated

(2) files: users: Matched entry cam5 at line 87

(2)     [files] = ok

(2)     [expiration] = noop

(2)     [logintime] = noop

(2) pap: WARNING: Auth-Type already set.  Not setting to PAP

(2)     [pap] = noop

(2)   } # authorize = updated

(2) Found Auth-Type = eap

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   authenticate {

(2) eap: Expiring EAP session with state 0x1b301b2c1a37165c

(2) eap: Finished EAP session with state 0x1b301b2c1a37165c

(2) eap: Previous EAP request found for state 0x1b301b2c1a37165c, released from the list

(2) eap: Peer sent packet with method EAP TLS (13)

(2) eap: Calling submodule eap_tls to process data

(2) eap_tls: Continuing EAP-TLS

(2) eap_tls: Peer ACKed our handshake fragment

(2) eap_tls: [eaptls verify] = request

(2) eap_tls: [eaptls process] = handled

(2) eap: Sending EAP Request (code 1) ID 8 length 996

(2) eap: EAP session adding &reply:State = 0x1b301b2c1938165c

(2)     [eap] = handled

(2)   } # authenticate = handled

(2) Using Post-Auth-Type Challenge

(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(2)   Challenge { ... } # empty sub-section is ignored

(2) Sent Access-Challenge Id 53 from 192.168.0.222:1812 to 192.168.0.239:1028 length 0

(2)   EAP-Message = 0x010803e40d80000007bcd107270420a7559985709ac39ad7e08f42a3c82a2635c5fb62b0ed9d7c1c7214852d39bc88bac232264c19637fb799974ce29856a19c00c00adb45ffc8ba7662afbd74e20a950cdb8291c1f839075e75ce59db3d042d56e5ef2479bc29b863ac4b7e7f16a586de87d5ab14e108

(2)   Message-Authenticator = 0x00000000000000000000000000000000

(2)   State = 0x1b301b2c1938165ca1b3f5c2affdbb31

(2) Finished request

Waking up in 4.9 seconds.

(3) Received Access-Request Id 54 from 192.168.0.239:1028 to 192.168.0.222:1812 length 156

(3)   User-Name = "cam5"

(3)   Called-Station-Id = "9c-3d-cf-e3-f6-65"

(3)   Calling-Station-Id = "00-07-5f-a7-9f-13"

(3)   NAS-Identifier = "9c-3d-cf-e3-f6-63"

(3)   NAS-Port = 1

(3)   Framed-MTU = 1500

(3)   NAS-Port-Type = Ethernet

(3)   State = 0x1b301b2c1938165ca1b3f5c2affdbb31

(3)   EAP-Message = 0x020800110d80000000071503030002022a

(3)   Message-Authenticator = 0x6c18fff4015a4e1f59180ac006099e78

(3) session-state: No cached attributes

(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default

(3)   authorize {

(3)     policy filter_username {

(3)       if (&User-Name) {

(3)       if (&User-Name)  -> TRUE

(3)       if (&User-Name)  {

(3)         if (&User-Name =~ / /) {

(3)         if (&User-Name =~ / /)  -> FALSE

(3)         if (&User-Name =~ /@[^@]*@/ ) {

(3)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE

(3)         if (&User-Name =~ /\.\./ ) {

(3)         if (&User-Name =~ /\.\./ )  -> FALSE

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {

(3)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE

(3)         if (&User-Name =~ /\.$/)  {

(3)         if (&User-Name =~ /\.$/)   -> FALSE

(3)         if (&User-Name =~ /@\./)  {

(3)         if (&User-Name =~ /@\./)   -> FALSE

(3)       } # if (&User-Name)  = notfound

(3)     } # policy filter_username = notfound

(3)     [preprocess] = ok

(3)     [chap] = noop

(3)     [mschap] = noop

(3)     [digest] = noop

(3) suffix: Checking for suffix after "@"

(3) suffix: No '@' in User-Name = "cam5", looking up realm NULL

(3) suffix: No such realm "NULL"

(3)     [suffix] = noop

(3) eap: Peer sent EAP Response (code 2) ID 8 length 17

(3) eap: No EAP Start, assuming it's an on-going EAP conversation

(3)     [eap] = updated

(3) files: users: Matched entry cam5 at line 87

(3)     [files] = ok

(3)     [expiration] = noop

(3)     [logintime] = noop

(3) pap: WARNING: Auth-Type already set.  Not setting to PAP

(3)     [pap] = noop

(3)   } # authorize = updated

(3) Found Auth-Type = eap

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   authenticate {

(3) eap: Expiring EAP session with state 0x1b301b2c1938165c

(3) eap: Finished EAP session with state 0x1b301b2c1938165c

(3) eap: Previous EAP request found for state 0x1b301b2c1938165c, released from the list

(3) eap: Peer sent packet with method EAP TLS (13)

(3) eap: Calling submodule eap_tls to process data

(3) eap_tls: Continuing EAP-TLS

(3) eap_tls: Peer indicated complete TLS record size will be 7 bytes

(3) eap_tls: Got complete TLS record (7 bytes)

(3) eap_tls: [eaptls verify] = length included

(3) eap_tls: <<< recv TLS 1.2  [length 0002]

(3) eap_tls: ERROR: TLS Alert read:fatal:bad certificate

(3) eap_tls: TLS_accept: Need to read more data: SSLv3/TLS write server done

(3) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate

(3) eap_tls: ERROR: System call (I/O) error (-1)

(3) eap_tls: ERROR: TLS receive handshake failed during operation

(3) eap_tls: ERROR: [eaptls process] = fail

(3) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed

(3) eap: Sending EAP Failure (code 4) ID 8 length 4

(3) eap: Failed in EAP select

(3)     [eap] = invalid

(3)   } # authenticate = invalid

(3) Failed to authenticate the user

(3) Using Post-Auth-Type Reject

(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default

(3)   Post-Auth-Type REJECT {

(3) attr_filter.access_reject: EXPAND %{User-Name}

(3) attr_filter.access_reject:    --> cam5

(3) attr_filter.access_reject: Matched entry DEFAULT at line 11

(3)     [attr_filter.access_reject] = updated

(3)     [eap] = noop

(3)     policy remove_reply_message_if_eap {

(3)       if (&reply:EAP-Message && &reply:Reply-Message) {

(3)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE

(3)       else {

(3)         [noop] = noop

(3)       } # else = noop

(3)     } # policy remove_reply_message_if_eap = noop

(3)   } # Post-Auth-Type REJECT = updated

(3) Delaying response for 1.000000 seconds

Waking up in 0.3 seconds.

Waking up in 0.6 seconds.

(3) Sending delayed response

(3) Sent Access-Reject Id 54 from 192.168.0.222:1812 to 192.168.0.239:1028 length 44

(3)   EAP-Message = 0x04080004

(3)   Message-Authenticator = 0x00000000000000000000000000000000

Waking up in 3.8 seconds.

(0) Cleaning up request packet ID 51 with timestamp +35

(1) Cleaning up request packet ID 52 with timestamp +35

(2) Cleaning up request packet ID 53 with timestamp +35

(3) Cleaning up request packet ID 54 with timestamp +35

Ready to process requests

Regards Dominique


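The EAP-Message hex in the debug output above can be decoded rather than eyeballed. What follows is an added example (not part of the thread and not FreeRADIUS code) that parses those exact values: the EAP header, the EAP-TLS flags (L/M/S) and the TLS records inside. Two things fall straight out of it. The last message before the Access-Reject is an EAP Response (code 2) carrying a TLS alert, level fatal, description bad_certificate (42); a Response always comes from the peer, and the server had only got as far as CertificateRequest and ServerHelloDone, so it is the camera that rejected the server side of the handshake, which points at the camera's trust store and the server chain rather than at cam5's own client certificate. The camera's ClientHello also lists the signature algorithms and curves it will accept, worth comparing with how rootCA_V1.0.pem and SRV_V1.0.crt were signed. The two server messages are truncated in the log itself, so the parser flags what it cannot finish instead of guessing.

```python
"""Decode EAP-TLS frames from a FreeRADIUS debug log (RFC 3748, RFC 5216, RFC 5246).  Added example, not code
from the thread or FreeRADIUS; LOG_FRAMES are the EAP-Message values from the debug output above, verbatim."""
import struct

EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
             13: "certificate_request", 14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
ALERT = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
         45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca", 49: "access_denied", 51: "decrypt_error"}
CIPHER = {0xC023: "ECDHE-ECDSA-AES128-SHA256", 0xC00A: "ECDHE-ECDSA-AES256-SHA", 0xC009: "ECDHE-ECDSA-AES128-SHA",
          0xC027: "ECDHE-RSA-AES128-SHA256", 0xC014: "ECDHE-RSA-AES256-SHA", 0x003D: "AES256-SHA256",
          0x003C: "AES128-SHA256", 0x0035: "AES256-SHA", 0x002F: "AES128-SHA"}
HASH = {0: "none", 1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
GROUP = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1"}
LOG_FRAMES = [  # requests (0)..(3) in wire order; the ID 8 Request is a continuation fragment and is left out
    "020500090163616d35",                  # (0) peer: Identity "cam5"
    "010600060d20",                        # (0) server: EAP-TLS Start
    # (1) peer: ClientHello
    "020600660d800000005c16030300570100005303035b9ce97e5cbff150cf17efe837d59c2f2bd86e090d4dcc9d58364356dd438f7c000012c023c00ac009c027c014003d003c0035002f01000018000d000c000a04010201000104030203000a000400020017",
    # (1) server: ServerHello + Certificate, first fragment, cut short by the log itself
    "010703ec0dc0000007bc160303002a020000260303b2d244ac8ee4502f0c3224e3fcc9df7816bf63699f367a92929a97ac992a230c00c0270016030305dc0b0005d80005d50002b9308202b53082019d020900c1ce0581de11e02e300d06092a864886f70d01010b0500301e310b300906035504061302",
    "020700060d00",                        # (2) peer: ACK, asking for the server's next fragment
    "020800110d80000000071503030002022a",  # (3) peer: TLS alert instead of a Certificate
    "04080004",                            # (3) server: EAP Failure
]

def u16(b, i):
    return struct.unpack(">H", b[i:i + 2])[0]

def parse_client_hello(b):
    """Cipher suites plus the two extensions that decide which server certificate the peer can accept."""
    i = 35 + b[34]                                          # past client_version, random, session_id
    n = u16(b, i); i += 2
    info = {"cipher_suites": [CIPHER.get(u16(b, j), hex(u16(b, j))) for j in range(i, i + n, 2)],
            "sig_algs": [], "groups": []}
    i += n; i += 1 + b[i]                                   # past the suites and compression_methods
    ext_end = i + 2 + u16(b, i) if i + 2 <= len(b) else 0   # 0: no extensions block at all
    i += 2
    while i + 4 <= ext_end:
        etype, elen = u16(b, i), u16(b, i + 2); i += 4
        body = b[i:i + elen]; i += elen
        if etype == 13:                                     # signature_algorithms: (hash, signature) pairs
            info["sig_algs"] = [f"{HASH.get(body[j], body[j])}/{SIG.get(body[j + 1], body[j + 1])}"
                                for j in range(2, 2 + u16(body, 0), 2)]
        elif etype == 10:                                   # supported_groups (named curves)
            info["groups"] = [GROUP.get(u16(body, j), hex(u16(body, j))) for j in range(2, 2 + u16(body, 0), 2)]
    return info

def parse_tls_records(data):
    """Walk TLS records; anything the log cut short is flagged complete=False rather than guessed at."""
    records, i = [], 0
    while i + 5 <= len(data):
        ctype, ver, rlen = data[i], u16(data, i + 1), u16(data, i + 3)
        body, j = data[i + 5:i + 5 + rlen], 0
        rec = {"type": TLS_CONTENT.get(ctype, ctype), "version": f"TLS 1.{(ver & 0xff) - 1}",
               "complete": len(body) == rlen, "messages": []}
        if ctype == 21 and len(body) >= 2:                  # alert: level, description
            rec["messages"].append({"level": "fatal" if body[0] == 2 else "warning",
                                    "description": ALERT.get(body[1], body[1])})
        while ctype == 22 and j + 4 <= len(body):           # handshake: type, 24-bit length, body
            htype, hlen = body[j], int.from_bytes(body[j + 1:j + 4], "big")
            hbody = body[j + 4:j + 4 + hlen]
            msg = {"handshake": HANDSHAKE.get(htype, htype), "complete": len(hbody) == hlen}
            if msg["complete"] and htype == 1:
                msg.update(parse_client_hello(hbody))
            elif msg["complete"] and htype == 2:            # server_hello: the suite the server picked
                msg["cipher_suite"] = CIPHER.get(u16(hbody, 35 + hbody[34]), hex(u16(hbody, 35 + hbody[34])))
            rec["messages"].append(msg); j += 4 + hlen
        records.append(rec); i += 5 + rlen
    return records

def decode_eap(hexstr):
    """One EAP packet as a dict.  Code 2 (Response) always comes from the peer; the rest from the server."""
    b = bytes.fromhex(hexstr)
    code, ident, length = b[0], b[1], u16(b, 2)
    frame = {"code": EAP_CODE.get(code, code), "id": ident, "sender": "peer" if code == 2 else "server"}
    if length > 4 and b[4] == 1:                            # Identity
        frame["identity"] = b[5:length].decode("ascii", "replace")
    elif length > 4 and b[4] == 13:                         # EAP-TLS: flags, optional TLS length, TLS data
        flags, i = b[5], 6
        frame["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80:
            frame["tls_length"], i = struct.unpack(">I", b[6:10])[0], 10
        frame["records"] = parse_tls_records(b[i:length])
        frame["ack"] = not frame["records"] and not flags & 0x20   # empty and not Start = fragment ACK
    return frame

def who_aborted(hex_frames):
    """(sender, level, description) of the first TLS alert in the conversation, or None."""
    for f in map(decode_eap, hex_frames):
        for rec in f.get("records", []):
            if rec["type"] == "alert" and rec["messages"]:
                return f["sender"], rec["messages"][0]["level"], rec["messages"][0]["description"]
    return None

if __name__ == "__main__":
    print(*map(decode_eap, LOG_FRAMES), "alert sent by:", who_aborted(LOG_FRAMES), sep="\n")
```

Run it as a script to print every decoded frame; `who_aborted(LOG_FRAMES)` returns `('peer', 'fatal', 'bad_certificate')`. For another run, paste that run's EAP-Message values into LOG_FRAMES in order; the example does not reassemble multi-fragment server messages, so a continuation Request (one whose predecessor had the M flag set, like the ID 8 Request here) is best left out.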

Re: Radius eap- tls certificate failure

Alan Buxey
Hi,

Given that your process works for one camera, and you followed the same
client cert process for the others, then I would look at something
different on those other 3 clients - e.g. the camera firmware? Or did you
try using the same cert on all cameras? In this case no - as I guess
there's a private key on the client when the CSR is created and you have to
have a matching cert - so either copy ALL things from the working camera (so
all cameras use the same cert) or go through the CSR - CRT process
individually for each camera.

alan
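Alan's point that each camera needs its own key, CSR and CRT, and that a certificate copied from another camera can never match the key on this one, is easy to check before anything is uploaded. Below is an added example (not from the thread or from FreeRADIUS) that drives the openssl CLI from Python: it issues a throwaway CA, a server certificate and two camera certificates, then runs three checks, key/cert match, chain verification against the CA file, and the extendedKeyUsage on each certificate. It goes slightly beyond the reply by also giving the server certificate EKU serverAuth, which some supplicants insist on before they accept a RADIUS server. The names (cam4, cam5, radius.example), the scratch CA and the EKU policy are assumptions; the thread's real files are rootCA_V1.0.pem and SRV_V1.0.key/.crt. It needs an `openssl` binary on PATH.

```python
"""Per-device certificate issue, and the checks that catch a key/cert mismatch or an untrusted chain.

Added example, not code from the thread or FreeRADIUS.  The CA, the device names (cam4, cam5) and the
server name (radius.example) are assumptions; the thread's real files are rootCA_V1.0.pem and
SRV_V1.0.{key,crt}.  Drives the openssl CLI; everything is written to a scratch directory.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

OPENSSL = shutil.which("openssl")          # None when no openssl binary is on PATH


def _ssl(*args):
    """Run one openssl command and return its stdout; key-generation chatter on stderr is captured."""
    return subprocess.run([OPENSSL, *args], capture_output=True, text=True, check=True).stdout


class ScratchCA:
    """Throwaway CA.  Each device gets its OWN key and CSR; only the CSR goes to the CA, only the CRT comes back."""

    def __init__(self, root=None):
        self.root = Path(root or tempfile.mkdtemp(prefix="eaptls-"))
        self.key, self.pem = self.root / "ca.key", self.root / "ca.pem"
        _ssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256", "-days", "365",
             "-subj", "/CN=Example Camera CA", "-keyout", str(self.key), "-out", str(self.pem))

    def issue(self, name, role):
        """role is 'client' (a camera) or 'server' (the RADIUS server).  Returns (key_path, crt_path)."""
        key, csr, crt, ext = (self.root / f"{name}.{s}" for s in ("key", "csr", "crt", "ext"))
        _ssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-sha256", "-subj", f"/CN={name}",
             "-keyout", str(key), "-out", str(csr))
        # EKU is policy, not protocol: some supplicants refuse a RADIUS server cert without serverAuth
        ext.write_text("extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n" % name if role == "server"
                       else "extendedKeyUsage=clientAuth\n")
        _ssl("x509", "-req", "-in", str(csr), "-CA", str(self.pem), "-CAkey", str(self.key),
             "-CAcreateserial", "-sha256", "-days", "365", "-extfile", str(ext), "-out", str(crt))
        return key, crt

    def chain_ok(self, crt):
        """Does the certificate verify against the CA file (what the server's ca_file points at)?"""
        return subprocess.run([OPENSSL, "verify", "-CAfile", str(self.pem), str(crt)],
                              capture_output=True).returncode == 0


def key_matches_cert(key, crt):
    """The public key inside the certificate must equal the one derived from the private key."""
    return _ssl("pkey", "-in", str(key), "-pubout") == _ssl("x509", "-in", str(crt), "-pubkey", "-noout")


def eku_purposes(crt):
    """Extended Key Usage purposes as openssl prints them, e.g. 'TLS Web Server Authentication'."""
    text = _ssl("x509", "-in", str(crt), "-noout", "-text").splitlines()
    for i, line in enumerate(text):
        if "Extended Key Usage" in line:
            return [p.strip() for p in text[i + 1].split(",")]
    return []


def enrol_demo():
    """Issue one server and two camera certificates and run the checks; returns a dict of results."""
    ca = ScratchCA()
    _, srv = ca.issue("radius.example", "server")
    cam4_key, cam4_crt = ca.issue("cam4", "client")
    cam5_key, cam5_crt = ca.issue("cam5", "client")
    return {
        "cam5_key_matches_cam5_crt": key_matches_cert(cam5_key, cam5_crt),
        "cam5_key_matches_cam4_crt": key_matches_cert(cam5_key, cam4_crt),   # cam4's cert copied onto cam5
        "cam5_chain_ok": ca.chain_ok(cam5_crt),
        "server_chain_ok": ca.chain_ok(srv),
        "server_eku": eku_purposes(srv),
        "cam5_eku": eku_purposes(cam5_crt),
    }


if __name__ == "__main__":
    for check, result in enrol_demo().items():
        print(f"{check}: {result}")
```

Run as a script it prints the six results; the one False is the copied-certificate case from the reply. Against the thread's real files the same checks are `key_matches_cert("SRV_V1.0.key", "SRV_V1.0.crt")` and `openssl verify -CAfile rootCA_V1.0.pem SRV_V1.0.crt` (chain_ok here is bound to the scratch CA), and `eku_purposes("SRV_V1.0.crt")` shows whether the server certificate carries serverAuth at all.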