problems with EAP-TTLS with Intermec GUN 2415

Phil Mayers p.mayers at imperial.ac.uk
Fri Feb 17 00:36:13 CET 2006


Johan Arens wrote:
> Hi
> 
> 
> I cannot authenticate with the radius, I got this error when the 
> handheld tries to auth:
> 
> Wed Feb 15 15:27:42 2006 : Info: Ready to process requests.
> Wed Feb 15 15:28:21 2006 : Error:     TLS_accept:error in SSLv3 read 
> client certificate A
> Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a significant error - it's just noise, ignore it.

> 
> However, if I enable the radius inside the access point, the handheld 
> can authenticate. This tells me that the handheld has been configured 
> properly.


> 
> What is missing in my freeradius config?

Probably nothing. The last thing the server does is:

> modcall: entering group authenticate for request 2
>   rlm_eap: Request found, released from the list
>   rlm_eap: EAP/ttls
>   rlm_eap: processing type ttls
>   rlm_eap_ttls: Authenticate
>   rlm_eap_tls: processing TLS
> rlm_eap_tls: Received EAP-TLS ACK message
>   rlm_eap_tls: ack handshake fragment handler
>   eaptls_verify returned 1
>   eaptls_process returned 13
>   modcall[authenticate]: module "eap" returns handled for request 2
> modcall: group authenticate returns handled for request 2
> Sending Access-Challenge of id 8 to 192.168.0.1:1024 
>         EAP-Message = snip
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x8c3b86d02966b223e117138d5c1d946e
> Finished request 2
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 1 ID 7 with timestamp 43f489f9
> Cleaning up request 2 ID 8 with timestamp 43f489f9
> Nothing to do.  Sleeping until we see a request.

The supplicant or the AP stops sending EAP messages. Up to that point as 
far as FreeRadius is concerned it's all fine. Consult the logs on the 
supplicant or AP to determine why.

> 
> 
> Users
> 
>     gun Auth-Type := EAP, User-Password := "gun123"
> 

Note, although it is not likely to be causing your current problems, it 
is ALMOST ALWAYS a bad idea to set Auth-Type to EAP. The default config 
is very specific on this. It will certainly fail later on when the inner 
request of the TTLS is handled and EAP gets forced for that username 
when in fact you want PAP or something.



More information about the Freeradius-Users mailing list
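
Added example, not part of the original post or of FreeRADIUS: a small Python checker for the situation described in the reply, where the server sends an Access-Challenge and the supplicant or AP never continues. It relies on the RADIUS rule that the client echoes the challenge's State attribute in its next Access-Request; the `rad_recv:` header format and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample in the style of the debug log quoted in the post. The
# "Sending Access-Challenge" and "State =" lines follow that log; the
# "rad_recv:" header for received packets is an assumed format.
SAMPLE = """\
rad_recv: Access-Request packet from host 192.168.0.1:1024, id=7, length=150
        User-Name = "gun"
Sending Access-Challenge of id 7 to 192.168.0.1:1024
        EAP-Message = snip
        State = 0x11111111111111111111111111111111
rad_recv: Access-Request packet from host 192.168.0.1:1024, id=8, length=220
        EAP-Message = snip
        State = 0x11111111111111111111111111111111
Sending Access-Challenge of id 8 to 192.168.0.1:1024
        EAP-Message = snip
        State = 0x8c3b86d02966b223e117138d5c1d946e
Finished request 2
"""

HEADER = re.compile(r"^(?:rad_recv: (?P<rx>Access-Request) packet"
                    r"|Sending (?P<tx>Access-\w+) of id (?P<id>\d+) to (?P<dst>\S+))")
STATE = re.compile(r"^\s+State = (0x[0-9a-fA-F]+)")

def unanswered_challenges(log_text):
    """Return (id, NAS, State) for each Access-Challenge whose State never came back."""
    pending = {}    # State -> (packet id, NAS address) of challenges still open
    current = None  # packet whose attribute lines are being read
    for raw in log_text.splitlines():
        line = re.sub(r"^(?:> ?)+", "", raw)  # tolerate mail-quoted logs
        m = HEADER.match(line)
        if m:
            is_challenge = m.group("tx") == "Access-Challenge"
            current = ("rx",) if m.group("rx") else (
                ("tx", int(m.group("id")), m.group("dst")) if is_challenge else None)
            continue
        s = STATE.match(line)
        if s and current:
            if current[0] == "tx":
                pending[s.group(1).lower()] = current[1:]
            else:  # the client echoed this State, so the exchange continued
                pending.pop(s.group(1).lower(), None)
        elif not line[:1].isspace():
            current = None  # attribute list ended
    return [(pid, nas, state) for state, (pid, nas) in pending.items()]

if __name__ == "__main__":
    for pid, nas, state in unanswered_challenges(SAMPLE):
        print(f"no reply to Access-Challenge id {pid} sent to {nas} (State {state})")
```

A challenge reported here means the server side completed its step, so the next place to look is the supplicant or AP log, as the reply says.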