Problem with SMC Access Point in Client Mode using EAP-TLS and Freeradius-2.1.1

Alan DeKok aland at deployingradius.com
Sun Nov 30 18:54:35 CET 2008


Harald Schreiber wrote:
> I'm running a Freeradius-Server 2.1.1 on my SuSE Linux 11.0 Box to
> control the access to my WLAN using EAP-TLS. This works fine with my
> notebook. But now I have bought a SMC EZ Connect N Pro Access Point
> which I have configured as a WLAN client using EAP-TLS too. When this
> WLAN client tries to authenticate itself at the Freeradius Server the
> authentication fails and I get the message

  Because the AP delays packets for quite a while:

...
> Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
>         EAP-Message = 0xb59a09ae8a1fe82961d44d33dc1d90652f489da18184a48181307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574820900dfcd0dfb0e951628300c0603551d13040530030101ff300d06092a864886f70d0101040500038181000b7e2f9395ee1fee0e969c5d0982887d5832a4acaa7961228c0a5a654d7122070c751c00b23ca4f31b7487ac91235e462c15ca909fc0ab
>         EAP-Message = 0xd786ca2d48078d6c34c45666ae966c4b8d52806adc07f6a25cf7e72f6a953f1e40046d8934b0b2a074f158d9c85f0025c21fac551f8659ec8d254744d5927662dec81eb10d102f0c0a16030100910d0000890301024000830081307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e65740e000000
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x7139c4e5733ac9bf5d9926d441f8680e
> Finished request 8.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 8 ID 1 with timestamp +1123
> Ready to process requests.
> rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200

  i.e. at LEAST 5 seconds after the previous packet in the EAP-TLS session.

>         State = 0x7139c4e5733ac9bf5d9926d441f8680e

  Which is correct... but too late.

> rlm_eap: No EAP session matching the State variable.
> [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

  Because it arrived more than 5 seconds after the previous packet.

  The simplest way to solve the problem is to throw away the AP, and buy
one that works.

  Or, call SMC, and ask them for technical support.  The odds of them
being able (or willing) to help you are pretty slim.

  Alan DeKok.
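
The reading of the debug output given in the reply above, as an added example that is not part of the original message or of FreeRADIUS: a Python script that scans debug output of this shape and, for each "No EAP session matching the State variable" error, reports whether that State had been sent in an Access-Challenge whose request was already cleaned up. The function name, verdict labels and sample log are constructed for illustration.

```python
import re

# Constructed sample shaped like the debug output quoted in the post (hex omitted).
SAMPLE_LOG = """\
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
        State = 0x7139c4e5733ac9bf5d9926d441f8680e
Finished request 8.
Waking up in 4.9 seconds.
Cleaning up request 8 ID 1 with timestamp +1123
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
        State = 0x7139c4e5733ac9bf5d9926d441f8680e
rlm_eap: No EAP session matching the State variable.
"""

STATE = re.compile(r"State = (0x[0-9a-fA-F]+)")
FINISHED = re.compile(r"Finished request (\d+)\.")
CLEANUP = re.compile(r"Cleaning up request (\d+) ")

def classify_state_failures(log_text):
    """Return [(state, verdict)] for each 'No EAP session matching' error."""
    issued = {}       # State sent in a challenge -> number of the request that sent it
    cleaned = set()   # request numbers the server has already cleaned up
    direction = sent = received = None
    results = []
    for raw in log_text.splitlines():
        line = raw.lstrip("> \t")  # tolerate mail-quoted, indented log lines
        if line.startswith("Sending Access-Challenge"):
            direction, sent = "out", None
        elif line.startswith("rad_recv: Access-Request"):
            direction, received = "in", None
        elif m := STATE.match(line):
            if direction == "out":
                sent = m.group(1)
                issued[sent] = None
            elif direction == "in":
                received = m.group(1)
        elif (m := FINISHED.match(line)) and sent is not None:
            issued[sent], sent = int(m.group(1)), None
        elif m := CLEANUP.match(line):
            cleaned.add(int(m.group(1)))
        elif "No EAP session matching the State variable" in line:
            if received not in issued:
                verdict = "state-never-issued"
            elif issued[received] in cleaned:
                verdict = "reply-after-cleanup"  # the case diagnosed in the reply
            else:
                verdict = "issued-not-yet-cleaned"
            results.append((received, verdict))
    return results
```

A `reply-after-cleanup` verdict points at a slow supplicant or access point; `state-never-issued` points instead at a State value the server did not send in the captured output.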


