Multiple Password Prompts

ragan_davis at colstate.edu
Fri Aug 5 04:04:14 CEST 2005


As I'm troubleshooting this, I generated another question in my head.
This time I'll give some freeradius debug (see blocks between
"*********"):

Here's an excerpt from the first try (failure):

rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(cn=anonymous)'
radius_xlat:  'o=sometree'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sometree, with filter (cn=anonymous)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user anonymous authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included

*********
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
    TLS_accept: SSLv3 read client key exchange A
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 read finished A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    (other): SSL negotiation finished successfully
SSL Connection Established
  eaptls_process returned 13
**********

  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 186 to 192.168.3.2:1024


Here's an excerpt from the second attempt (success):

rlm_ldap: - authorize
rlm_ldap: performing user authorization for anonymous
radius_xlat:  '(cn=anonymous)'
radius_xlat:  'o=sometree'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=sometree, with filter (cn=anonymous)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user anonymous authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included

***********
  eaptls_verify returned 11
  eaptls_process returned 7
***********

  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
rlm_ldap: - authorize
rlm_ldap: performing user authorization for doe_john


I looked back through some of the output, and it seems that each time
it fails I get "eaptls_process returned 13", but when it succeeds I
get "eaptls_process returned 7".  Anyone know what 7 and 13 represent
(please don't say 'success' or 'failure'... I'm hoping it's more
meaningful than that)?  Also, anyone know what the rlm_eap_tls
messages mean that accompany the 'returned 13' block?

Thanks for any help!




----- Original Message -----
From: ragan_davis at colstate.edu
Date: Thursday, August 4, 2005 6:40 pm
Subject: Multiple Password Prompts

> Hi,
> 
> The Odyssey Client prompts at least twice for the password.  Once
> connected, clients can roam across different AP's within the same
> WLAN with no problems.  Has anyone else experienced this problem
> with a similar configuration?
> 
> Running Environment:
> 
> -- Freeradius Server = Gentoo Linux running FreeRADIUS v1.0.2
> -- User DB = Novell NetWare 6.5 SP3 w/ eDirectory 8.7.3.5 (LDAP)
> -- Wireless Switch = Cisco Airespace 4100 WLAN Switch with WLAN 
> configured for WPA-TKIP using dynamic key exchange
> -- Wireless AP = Cisco 1000 Series AP's (was Airespace)
> -- Wireless Client = Funk Odyssey Client v4.0.1 on Windows XP 
> configured for WPA-TKIP and EAP-TTLS
> 
> 
> We have captured debug output on the Odyssey Client, on the
> Airespace WLAN switch, and on FreeRADIUS, as well as an ethereal
> sniff on the freeradius interface on the radius server.  I can
> provide these as well as freeradius configs if needed.
> 
> Thanks!
> 
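
Added example, not part of the original post and not FreeRADIUS code: a Python sketch that splits debug output like the excerpts above into EAP-TLS rounds and reports, per round, the eaptls_verify/eaptls_process codes, the TLS records logged, and what the server did next. The sample log is constructed by abridging the two excerpts; starting a round at "rlm_eap_tls: processing TLS" and the outcome labels are assumptions of this example.

```python
import re
# Constructed sample: lines abridged from the two debug excerpts in the post.
SAMPLE = """\
  rlm_eap_tls: processing TLS
  eaptls_verify returned 11
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 4
Sending Access-Challenge of id 186 to 192.168.3.2:1024
  rlm_eap_tls: processing TLS
  eaptls_verify returned 11
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  modcall[authorize]: module "preprocess" returns ok for request 5
"""

RETURNED = re.compile(r"eaptls_(verify|process) returned (\d+)")
TLS_RECORD = re.compile(r"rlm_eap_tls: (<<<|>>>) TLS 1\.0 (\w+) \[length \w+\](?:, (\w+))?")
REQUEST = re.compile(r"for request (\d+)")
OUTCOMES = {"Sending Access-Challenge": "challenge sent", "Session established": "tunnel established"}

def summarize(log):
    """Split debug output into EAP-TLS rounds and summarize each one."""
    rounds = []
    for line in log.splitlines():
        if "rlm_eap_tls: processing TLS" in line:  # assumed start of a round
            rounds.append(dict(request=None, verify=None, process=None, records=[], outcome=None))
        if not rounds:
            continue  # lines before the first TLS round are not attributed
        cur = rounds[-1]
        if m := RETURNED.search(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := TLS_RECORD.search(line):
            cur["records"].append((m.group(1), m.group(3) or m.group(2)))
        elif cur["request"] is None and (m := REQUEST.search(line)):
            cur["request"] = int(m.group(1))  # first request id seen in the round
        for marker, label in OUTCOMES.items():
            if cur["outcome"] is None and marker in line:
                cur["outcome"] = label
    return rounds

def codes_by_handshake(rounds):
    """Map each eaptls_process code to whether TLS records were logged with it."""
    codes = {r["process"] for r in rounds}
    return {c: {bool(r["records"]) for r in rounds if r["process"] == c} for c in codes}

if __name__ == "__main__":
    print(*summarize(SAMPLE), codes_by_handshake(summarize(SAMPLE)), sep="\n")
```

Run over a full debug capture, a code that maps to both True and False would show that the return value does not track the presence of handshake records.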



More information about the Freeradius-Users mailing list