Wrong sequence of packets during re-authentication

Bilal Shahid bilal_shahid5 at hotmail.com
Fri Sep 23 13:00:05 CEST 2005


Hello all,

During my 802.1X Supplicant's re-authentication (using EAP-TTLS) with 
FreeRADIUS using DLINK switch, I face the following scenario:

Sometimes "during re-authentication", one of the FreeRADIUS's replies does 
not reach the DLINK switch. When DLINK's RADIUS timer expires, it re-starts 
the re-authentication by sending the Supplicant's identity to FreeRADIUS. At 
this time, an initial couple of packets are exchanged correctly, however 
then it seems that FreeRADIUS wants to skip some of the packets and complete 
the authentication whereas my Supplicant wants to re-do everything.

For example, during a "correct re-authentication", FreeRADIUS sends the 
following packet:

TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ca], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read client certificate A


However, during the "incorrect" re-authentication cycle, which has been 
started due to a packet loss in the middle as explained above, FreeRADIUS 
sends the following packet:

TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
    TLS_accept: SSLv3 write change cipher spec A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
    TLS_accept: SSLv3 write finished A
    TLS_accept: SSLv3 flush data
    TLS_accept:error in SSLv3 read finished A


Note that this time FreeRADIUS has sent ChangeCipherSpec and Finished 
instead of Certificate and ServerHelloDone. Is this the normal and correct 
behavior?

My Supplicant's response to this packet is then liked by the FreeRADIUS and 
it sends an alert.

Could someone please help me understand this problem?

Thanks,
Bilal
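
Added example (not part of the original post and not FreeRADIUS code): a small parser that reads rlm_eap_tls debug lines in the format shown in the two excerpts above and labels the server's first flight as a full TLS 1.0 handshake or the abbreviated one defined in RFC 2246 section 7.3, where the server resumes a cached session and sends ChangeCipherSpec and Finished directly after ServerHello. The function names are hypothetical, and the sample input is the rlm_eap_tls lines of those two excerpts.

```python
import re

# Matches e.g. "rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello"
RECORD = re.compile(r"rlm_eap_tls:\s+(<<<|>>>)\s+TLS \d\.\d\s+(\w+)\s+"
                    r"\[length [0-9a-fA-F]+\](?:,\s*(\w+))?")
START = "TLS_accept: before/accept initialization"

def parse_handshakes(log_text):
    """Split a debug log into handshakes, each a list of (direction, message)."""
    handshakes = []
    for line in log_text.splitlines():
        if START in line:
            handshakes.append([])
            continue
        m = RECORD.search(line)
        if m and handshakes:
            direction = "recv" if m.group(1) == "<<<" else "sent"
            # Handshake records name the message; other records use their type.
            handshakes[-1].append((direction, m.group(3) or m.group(2)))
    return handshakes

def classify(handshake):
    """Label the server's first flight (TLS 1.0, RFC 2246 section 7.3)."""
    sent = [msg for direction, msg in handshake if direction == "sent"]
    if sent[:1] != ["ServerHello"]:
        return "unknown"
    if sent[1:3] == ["ChangeCipherSpec", "Finished"]:
        return "abbreviated"  # server resumed a cached TLS session
    if "Certificate" in sent and sent[-1] == "ServerHelloDone":
        return "full"
    return "unknown"

# The rlm_eap_tls lines of the two excerpts in the post above.
SAMPLE = """\
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ca], Certificate
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
"""

if __name__ == "__main__":
    for i, hs in enumerate(parse_handshakes(SAMPLE), 1):
        print(i, classify(hs), [msg for _, msg in hs])
```
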

More information about the Freeradius-Users mailing list