WPA-Enterprise with TTLS fails to authenticate (from Windows ok, but Linux fails).
Janusz Syrytczyk
jsyrytczyk at uni.opole.pl
Mon Sep 24 14:11:30 CEST 2007
On Monday 24 September 2007 13:30:45 Alan DeKok wrote:
> Janusz Syrytczyk wrote:
> > Problem is that I cannot authenticate to my network with wpa_supplicant,
> > although I could, and from Windows & Secure2w TTLS wrapper - I can. I use
> > Gentoo and did some upgrades (but nothing special I guess, kernel is the
> > same, and wpa_supplicant also)
>
> ...
>
> > Ready to process requests.
>
> <deleted>
>
> > EAP-Message = 0x020200060315
>
> ...
>
> > rlm_eap: EAP-NAK asked for EAP-Type/ttls
>
> So the server starts EAP-TTLS:
> > Sending Access-Challenge of id 90 to 217.173.193.40 port 4347
> > EAP-Message = 0x010300061520
>
> The server increments the EAP id (byte 2 of the EAP-Message)
>
> > rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91,
> > length=201
>
> ...
>
> > EAP-Message = 0x020200060315
>
> And the supplicant responds with an EAP NAK, stating "No, I want
> EAP-TTLS".
>
> Either the AP is broken, or the supplicant is broken. The supplicant
> SHOULD NOT send back a NAK for something it just asked for. It should
> also increment the EAP id field (byte 2). Instead, it re-uses the EAP Id.
>
> If the AP is broken, then it's the one that decides to NOT send the
> EAP-TTLS start to the supplicant. Instead, it just echoes back the NAK
> that the supplicant previously sent.
>
> Check the supplicant logs. If it's really sending the NAK twice, then
> it is broken. If it's sending the NAK once, then the AP is broken.
>
> Alan DeKok.
OK,
I need to check my logs, but at once I tried changing AP... and it worked. So
I assume you're right, and now I will try to debug my supplicant and if it
goes right - change AP config (which is Cisco AP1242).
Partly solved, I'll post more comments later.
--
Syrytczyk Janusz - Server administrator
Centrum Informatyczne Uniwersytetu Opolskiego
Phone: +48 77 452-70-91
E-mail: jsyrytczyk at uni.opole.pl
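The diagnosis above rests on reading the raw EAP-Message bytes: code (byte 1), id (byte 2), length (bytes 3-4), type (byte 5), then type data, where a NAK carries the desired type and a TTLS request carries the flags byte with the Start bit (0x20). The following decoder and log audit is an added example, not code from the thread, from FreeRADIUS or from wpa_supplicant; it replays the three EAP-Message values quoted in the debug output and reports the two symptoms Alan describes (a Response that re-uses an EAP id, and a NAK asking for a type the server already offered), so an operator can apply the same check to their own log rather than counting bytes by hand. The EAP type table is a small subset of registered values, and the message sequence is reconstructed from the quoted log.

```python
"""Decode RADIUS EAP-Message attributes (RFC 3748 framing) and audit an
exchange for the id-reuse / repeated-NAK behaviour discussed in the thread."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Subset of IANA EAP method types that matters for this log.
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_LIKE_TYPES = {13, 21, 25}   # methods whose first data byte is a flags octet
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20


def decode_eap(hexstr):
    """Parse one EAP-Message value as printed by FreeRADIUS ('0x...')."""
    if hexstr.lower().startswith("0x"):
        hexstr = hexstr[2:]
    data = bytes.fromhex(hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": code, "code_name": EAP_CODES.get(code, "?"),
           "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        msg["type"] = eap_type
        msg["type_name"] = EAP_TYPES.get(eap_type, str(eap_type))
        payload = data[5:]
        if eap_type == 3:
            # A NAK lists the method type(s) the peer is willing to use.
            msg["nak_desired_types"] = list(payload)
        elif eap_type in TLS_LIKE_TYPES:
            flags = payload[0] if payload else 0
            msg["tls_flags"] = {
                "length_included": bool(flags & FLAG_LENGTH_INCLUDED),
                "more_fragments": bool(flags & FLAG_MORE_FRAGMENTS),
                "start": bool(flags & FLAG_START),
            }
    return msg


def audit_exchange(messages):
    """Replay EAP-Message values in log order and return a list of findings.

    Flags: a Response whose id was already used by an earlier Response; a
    Response whose id differs from the most recent Request; and a NAK that
    asks for a method the server has already started (the thread's symptom)."""
    findings = []
    last_request_id = None
    seen_response_ids = set()
    offered_types = set()
    for index, hexstr in enumerate(messages):
        m = decode_eap(hexstr)
        if m["code"] == 1:                       # Request from the server
            last_request_id = m["id"]
            if m.get("type") not in (None, 1, 3):
                offered_types.add(m["type"])
        elif m["code"] == 2:                     # Response from the supplicant
            if m["id"] in seen_response_ids:
                findings.append(f"msg {index}: Response re-uses EAP id {m['id']}")
            seen_response_ids.add(m["id"])
            if last_request_id is not None and m["id"] != last_request_id:
                findings.append(f"msg {index}: Response id {m['id']} does not "
                                f"match last Request id {last_request_id}")
            if m.get("type") == 3:
                wanted = set(m["nak_desired_types"]) & offered_types
                if wanted:
                    names = sorted(EAP_TYPES.get(t, str(t)) for t in wanted)
                    findings.append(f"msg {index}: NAK asks for {names}, "
                                    f"which the server already offered")
    return findings


# Sequence reconstructed from the quoted debug log: NAK for TTLS, server's
# TTLS Start with id 3, then the same NAK (id 2) arriving again.
THREAD_LOG = ["0x020200060315", "0x010300061520", "0x020200060315"]

if __name__ == "__main__":
    for hexstr in THREAD_LOG:
        print(hexstr, decode_eap(hexstr))
    for finding in audit_exchange(THREAD_LOG):
        print(finding)
```

Run against the quoted log it reports all three findings; whether the blame lies with the AP or the supplicant is then decided, as Alan says, by checking the supplicant's own log to see whether it emitted the NAK once or twice.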