freeradius EAP TLS / Windows 8 Client

kai.zemke at hauni.com kai.zemke at hauni.com
Thu Apr 3 12:04:01 CEST 2014


Hi everyone,

We have a strange problem going on here. We have a Windows 8 client that tries to join our WLAN using EAP TLS Auth.

The server writes to its logfiles that everything seems to be OK and that it is willing to give this system an ACCESS-ACCEPT:

Thu Apr  3 06:05:55 2014 : Auth: Login OK: [host/KP4101] (from client kc1034 port 807 cli 5C-51-4F-D9-5E-6D)

In a traffic dump I can see the following packets towards the end of the conversation:

PacketNo  Length  Info
17        825     Access-Request
18        1132    Access-Challenge  <<<< In this packet an EAP-TLS length of 1626 is mentioned, but its size is only 1024. Shouldn't the server send the missing 602 bytes in response to the next request instead of the Access-Accept?
19        219     Access-Request
20        232     Access-Accept

Because on the other side, on the client, there are the following log entries:

0086 [5060] 03-11 08:41:37:364: >> Received Request (Code: 1) packet: Id: 11, Length: 1024, Type: 13, TLS blob length: 1626. Flags: LM  <<<< The client receives the 1024 bytes from packet no. 18, I assume, and it is aware of the fact that the TLS blob is 1626 bytes.
0087 [5060] 03-11 08:41:37:364: EapTlsCMakeMessage, state(3) flags (0x1400)
0090 [5060] 03-11 08:41:37:364: << Sending Response (Code: 2) packet: Id: 11, Length: 6, Type: 13, TLS blob length: 0. Flags:  <<<< The client is responding.
0093 [5060] 03-11 08:41:37:379: >> Received Success (Code: 3) packet: Id: 11, Length: 4, Type: 0, TLS blob length: 0. Flags:  <<<< The client receives a Success (Access-Accept), but aren't we expecting 602 bytes here?
0094 [5060] 03-11 08:41:37:379: EapTlsCMakeMessage, state(3) flags (0x1410)
0095 [5060] 03-11 08:41:37:379: Code 3 unexpected in state SentFinished  <<<< The client wonders about something (602 missing bytes?) and cancels the whole authentication process, to restart it again 5 seconds later.
0096 [5060] 03-11 08:41:37:379: EapTlsEnd
0097 [5060] 03-11 08:41:37:379: EapTlsEnd(host/kp5975.hauni.koerber.de)

This process loops for about 5 minutes, then the client seems to be fed up and stops its joining efforts.

In my lab I have a Cisco Access Point with a brand new IOS Version 15.2(4)JB4.

Freeradius comes in its version 2.1.1 and the client runs Windows8; we also have a Windows8.1 client, but the problem is the same.

Can anyone bring a clarification to this? The exact same setup is working with Windows7 clients without any problems.

Regards from Hamburg/Germany
Kai
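
The fragment accounting the post reasons about, as an added example that is not part of the original message and is not FreeRADIUS or Windows code: it decodes the EAP-TLS flags byte (RFC 5216: L = length included, M = more fragments) from server-to-peer EAP packets and reports any Success or Failure that arrives while a fragment with M set is still outstanding. The packets are constructed to match the sizes in the client log above; `parse_eap`, `audit` and `build` are hypothetical names.

```python
import struct

REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4   # EAP codes
EAP_TLS = 13                                       # EAP method type
FLAG_L, FLAG_M = 0x80, 0x40                        # RFC 5216: Length included, More fragments

def parse_eap(raw):
    """Decode the EAP header and, for EAP-TLS, the flags and TLS message length."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": code, "id": ident, "flags": 0, "total": None, "data_len": 0}
    if code in (REQUEST, RESPONSE) and length >= 6 and raw[4] == EAP_TLS:
        pkt["flags"], off = raw[5], 6
        if pkt["flags"] & FLAG_L:                  # 4-byte total TLS message length
            pkt["total"], off = struct.unpack("!I", raw[6:10])[0], 10
        pkt["data_len"] = length - off             # EAP Length includes the header bytes
    return pkt

def audit(server_packets):
    """Return (id, announced, received) for each Success/Failure that arrives
    while the last EAP-TLS Request still had the M flag set."""
    announced = received = 0
    more, findings = False, []
    for raw in server_packets:
        p = parse_eap(raw)
        if p["code"] == REQUEST:
            if p["total"] is not None and not more:    # first fragment of a message
                announced, received = p["total"], 0
            received += p["data_len"]
            more = bool(p["flags"] & FLAG_M)
        elif p["code"] in (SUCCESS, FAILURE) and more:
            findings.append((p["id"], announced, received))
    return findings

def build(code, ident, flags=None, total=None, data=b""):
    """Construct a sample EAP packet (hypothetical helper for the sample data)."""
    body = b""
    if flags is not None:
        body = bytes([EAP_TLS, flags])
        body += (struct.pack("!I", total) if total is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed packets mirroring the sizes in the client log (payload is zero filler).
BROKEN = [build(REQUEST, 11, FLAG_L | FLAG_M, 1626, bytes(1014)), build(SUCCESS, 11)]
# Constructed healthy exchange: the second fragment is delivered before Success.
HEALTHY = [build(REQUEST, 11, FLAG_L | FLAG_M, 1626, bytes(1014)),
           build(REQUEST, 12, 0, None, bytes(612)), build(SUCCESS, 12)]

if __name__ == "__main__":
    print(audit(BROKEN), audit(HEALTHY))
```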
