<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:12pt"><DIV></DIV>
<DIV>Hi, All!</DIV>
<DIV> I'd like to add some info about this issue. TLS/wired fails, but MD5/wired succeeds.</DIV>
<DIV> It's OK when I use an AP instead of the switch to authenticate EAP/TLS and EAP/TTLS with the same FreeRADIUS.</DIV>
<DIV> Is it a problem with the switch or a problem with RADIUS? </DIV>
<DIV> I think it's a problem with the RADIUS server, because MD5 authenticates successfully,</DIV>
<DIV> which means 802.1X works properly on the switch. So how do I configure FreeRADIUS for wired authentication?</DIV>
<DIV> I don't use SQL; I just add some items at the end of the users file, like this:</DIV>
<DIV> switch_client Cleartext-Password := "whatever"</DIV>
<DIV>####################################<BR></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV></DIV>
<DIV>Hi, All!<BR> My FreeRADIUS version is v2.0.2, and I use a Cisco 2950 switch as Authenticator; the packet sent by the server misses the EAP-TLS fragments (the server sent a packet which misses the Server Hello and cipher suite messages after receiving a Client Hello packet). I don't know what the problem is. Can anybody help me?</DIV>
<DIV>Here are the packets; the IP of the RADIUS server is 192.168.0.197 and the IP of the switch is 192.168.0.123.</DIV>
<DIV><BR>No. Time Source Destination Protocol Info<BR> 63 89.556162 192.168.0.123 192.168.0.197 RADIUS Access-Request(1) (id=3, l=116)<BR><BR>Frame 63 (158 bytes on wire, 158 bytes captured)<BR> Arrival Time: Jun 3, 2008 08:32:22.456040000<BR> [Time delta from previous captured frame: 1.228814000 seconds]<BR> [Time delta from previous displayed frame: 89.556162000 seconds]<BR> [Time since reference or first frame: 89.556162000 seconds]<BR> Frame Number: 63<BR> Frame Length: 158
bytes<BR> Capture Length: 158 bytes<BR> [Frame is marked: False]<BR> [Protocols in frame: eth:ip:udp:radius:eap]<BR> [Coloring Rule Name: UDP]<BR> [Coloring Rule String: udp]<BR>Ethernet II, Src: Cisco_44:1b:40 (00:0a:8a:44:1b:40), Dst: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> Destination: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> Address: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Source: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> Address: Cisco_44:1b:40
(00:0a:8a:44:1b:40)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Type: IP (0x0800)<BR>Internet Protocol, Src: 192.168.0.123 (192.168.0.123), Dst: 192.168.0.197 (192.168.0.197)<BR> Version: 4<BR> Header length: 20 bytes<BR> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)<BR> 0000 00.. = Differentiated Services Codepoint: Default (0x00)<BR> .... ..0. = ECN-Capable Transport (ECT): 0<BR> .... ...0 = ECN-CE: 0<BR> Total Length: 144<BR> Identification: 0x0003 (3)<BR> Flags:
0x00<BR> 0... = Reserved bit: Not set<BR> .0.. = Don't fragment: Not set<BR> ..0. = More fragments: Not set<BR> Fragment offset: 0<BR> Time to live: 255<BR> Protocol: UDP (0x11)<BR> Header checksum: 0x38c9 [correct]<BR> [Good: True]<BR> [Bad : False]<BR> Source: 192.168.0.123 (192.168.0.123)<BR> Destination: 192.168.0.197 (192.168.0.197)<BR>User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)<BR> Source port: radius (1812)<BR> Destination port: radius (1812)<BR> Length: 124<BR> Checksum: 0x12c3 [correct]<BR>
[Good Checksum: True]<BR> [Bad Checksum: False]<BR>Radius Protocol<BR> Code: Access-Request (1)<BR> Packet identifier: 0x3 (3)<BR> Length: 116<BR> Authenticator: FE6787CBF64C4301CBAD5355610B9634<BR> Attribute Value Pairs<BR> AVP: l=6 t=NAS-IP-Address(4): 192.168.0.123<BR> NAS-IP-Address: 192.168.0.123 (192.168.0.123)<BR> AVP: l=6 t=NAS-Port(5): 50003<BR> NAS-Port: 50003<BR> AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)<BR> NAS-Port-Type: Ethernet
(15)<BR> AVP: l=15 t=User-Name(1): switch_client<BR> User-Name: switch_client<BR> AVP: l=19 t=Calling-Station-Id(31): 00-C0-02-2B-D6-04<BR> Calling-Station-Id: 00-C0-02-2B-D6-04<BR> AVP: l=6 t=Service-Type(6): Framed-User(2)<BR> Service-Type: Framed-User (2)<BR> AVP: l=20 t=EAP-Message(79) Last Segment[1]<BR> EAP fragment<BR> Extensible Authentication
Protocol<BR> Code: Response (2)<BR> Id: 2<BR> Length: 18<BR> Type: Identity [RFC3748] (1)<BR> Identity (13 bytes): switch_client<BR> AVP: l=18 t=Message-Authenticator(80): 1C066799CF105346E40019AA2E291D22<BR> Message-Authenticator: 1C066799CF105346E40019AA2E291D22<BR><BR>No. Time
Source Destination Protocol Info<BR> 66 89.572574 192.168.0.197 192.168.0.123 RADIUS Access-challenge(11) (id=3, l=64)<BR><BR>Frame 66 (106 bytes on wire, 106 bytes captured)<BR> Arrival Time: Jun 3, 2008 08:32:22.472452000<BR> [Time delta from previous captured frame: 0.000009000 seconds]<BR> [Time delta from previous displayed frame: 0.016412000 seconds]<BR> [Time since reference or first frame: 89.572574000 seconds]<BR> Frame Number: 66<BR> Frame Length: 106 bytes<BR> Capture Length: 106 bytes<BR> [Frame is marked:
False]<BR> [Protocols in frame: eth:ip:udp:radius:eap]<BR> [Coloring Rule Name: Checksum Errors]<BR> [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]<BR>Ethernet II, Src: Micro-St_89:79:21 (00:19:db:89:79:21), Dst: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> Destination: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Source: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> Address: Micro-St_89:79:21
(00:19:db:89:79:21)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Type: IP (0x0800)<BR>Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.123 (192.168.0.123)<BR> Version: 4<BR> Header length: 20 bytes<BR> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)<BR> 0000 00.. = Differentiated Services Codepoint: Default (0x00)<BR> .... ..0. = ECN-Capable Transport (ECT): 0<BR> .... ...0 = ECN-CE: 0<BR> Total Length: 92<BR> Identification: 0x0000 (0)<BR> Flags: 0x04 (Don't
Fragment)<BR> 0... = Reserved bit: Not set<BR> .1.. = Don't fragment: Set<BR> ..0. = More fragments: Not set<BR> Fragment offset: 0<BR> Time to live: 64<BR> Protocol: UDP (0x11)<BR> Header checksum: 0xb800 [correct]<BR> [Good: True]<BR> [Bad : False]<BR> Source: 192.168.0.197 (192.168.0.197)<BR> Destination: 192.168.0.123 (192.168.0.123)<BR>User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)<BR> Source port: radius (1812)<BR> Destination port: radius (1812)<BR> Length: 72<BR> Checksum: 0x82ea [incorrect, should be 0xa1e2 (maybe caused by "UDP
checksum offload"?)]<BR> [Good Checksum: False]<BR> [Bad Checksum: True]<BR>Radius Protocol<BR> Code: Access-challenge (11)<BR> Packet identifier: 0x3 (3)<BR> Length: 64<BR> Authenticator: D2EF3D5B79C3B1A4742E4A8C5FB00BD0<BR> Attribute Value Pairs<BR> AVP: l=8 t=EAP-Message(79) Last Segment[1]<BR> EAP fragment<BR> Extensible Authentication Protocol<BR> Code: Request (1)<BR> Id:
3<BR> Length: 6<BR> Type: EAP-TLS [RFC2716] [Aboba] (13)<BR> Flags(0x20): Start <BR> AVP: l=18 t=Message-Authenticator(80): A58A6FE1C598F8E9A979BABECD78BF65<BR> Message-Authenticator: A58A6FE1C598F8E9A979BABECD78BF65<BR> AVP: l=18 t=State(24): 6B1410EF6B171D4FB7BBF03DE9D33AFE<BR> State: 6B1410EF6B171D4FB7BBF03DE9D33AFE<BR><BR>No. Time
Source Destination Protocol Info<BR> 67 89.681078 192.168.0.123 192.168.0.197 RADIUS Access-Request(1) (id=4, l=224)<BR><BR>Frame 67 (266 bytes on wire, 266 bytes captured)<BR> Arrival Time: Jun 3, 2008 08:32:22.580956000<BR> [Time delta from previous captured frame: 0.108504000 seconds]<BR> [Time delta from previous displayed frame: 0.108504000 seconds]<BR> [Time since reference or first frame: 89.681078000 seconds]<BR> Frame Number: 67<BR> Frame Length: 266 bytes<BR> Capture Length: 266 bytes<BR> [Frame is marked:
False]<BR> [Protocols in frame: eth:ip:udp:radius:eap:ssl]<BR> [Coloring Rule Name: UDP]<BR> [Coloring Rule String: udp]<BR>Ethernet II, Src: Cisco_44:1b:40 (00:0a:8a:44:1b:40), Dst: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> Destination: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> Address: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Source: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> .... ...0 .... .... .... .... = IG bit: Individual address
(unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Type: IP (0x0800)<BR>Internet Protocol, Src: 192.168.0.123 (192.168.0.123), Dst: 192.168.0.197 (192.168.0.197)<BR> Version: 4<BR> Header length: 20 bytes<BR> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)<BR> 0000 00.. = Differentiated Services Codepoint: Default (0x00)<BR> .... ..0. = ECN-Capable Transport (ECT): 0<BR> .... ...0 = ECN-CE: 0<BR> Total Length: 252<BR> Identification: 0x0004 (4)<BR> Flags: 0x00<BR> 0... = Reserved bit: Not set<BR> .0.. = Don't
fragment: Not set<BR> ..0. = More fragments: Not set<BR> Fragment offset: 0<BR> Time to live: 255<BR> Protocol: UDP (0x11)<BR> Header checksum: 0x385c [correct]<BR> [Good: True]<BR> [Bad : False]<BR> Source: 192.168.0.123 (192.168.0.123)<BR> Destination: 192.168.0.197 (192.168.0.197)<BR>User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)<BR> Source port: radius (1812)<BR> Destination port: radius (1812)<BR> Length: 232<BR> Checksum: 0x6329 [correct]<BR> [Good Checksum: True]<BR> [Bad Checksum: False]<BR>Radius Protocol<BR> Code:
Access-Request (1)<BR> Packet identifier: 0x4 (4)<BR> Length: 224<BR> Authenticator: E1D8149F5F84CF6AB2EF07BC7AB683F2<BR> Attribute Value Pairs<BR> AVP: l=6 t=NAS-IP-Address(4): 192.168.0.123<BR> NAS-IP-Address: 192.168.0.123 (192.168.0.123)<BR> AVP: l=6 t=NAS-Port(5): 50003<BR> NAS-Port: 50003<BR> AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)<BR> NAS-Port-Type: Ethernet (15)<BR> AVP: l=15 t=User-Name(1): switch_client<BR> User-Name:
switch_client<BR> AVP: l=19 t=Calling-Station-Id(31): 00-C0-02-2B-D6-04<BR> Calling-Station-Id: 00-C0-02-2B-D6-04<BR> AVP: l=6 t=Service-Type(6): Framed-User(2)<BR> Service-Type: Framed-User (2)<BR> AVP: l=18 t=State(24): 6B1410EF6B171D4FB7BBF03DE9D33AFE<BR> State: 6B1410EF6B171D4FB7BBF03DE9D33AFE<BR> AVP: l=110 t=EAP-Message(79) Last Segment[1]<BR> EAP fragment<BR> Extensible Authentication
Protocol<BR> Code: Response (2)<BR> Id: 3<BR> Length: 108<BR> Type: EAP-TLS [RFC2716] [Aboba] (13)<BR> Flags(0x0): <BR> Secure Socket Layer<BR> SSL Record Layer: Handshake Protocol: Client
Hello<BR> Content Type: Handshake (22)<BR> Version: TLS 1.0 (0x0301)<BR> Length: 97<BR> Handshake Protocol: Client Hello<BR> Handshake Type: Client Hello
(1)<BR> Length: 93<BR> Version: TLS 1.0 (0x0301)<BR> Random<BR> gmt_unix_time: Jun 3, 2008
00:35:22.000000000<BR> random_bytes: 38DD0828D867BEEFB4B298B72518C35459979BC7ED92A0D7...<BR> Session ID Length: 0<BR> Cipher Suites Length: 54<BR> Cipher Suites (27
suites)<BR> Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)<BR> Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)<BR> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)<BR> Cipher Suite:
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)<BR> Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)<BR> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)<BR> Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(0x0033)<BR> Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)<BR> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)<BR> Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)<BR> Cipher Suite:
TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)<BR> Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)<BR> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)<BR> Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)<BR> Cipher
Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)<BR> Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 (0x0061)<BR> Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)<BR> Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA
(0x0012)<BR> Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)<BR> Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065)<BR> Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)<BR> Cipher Suite:
TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)<BR> Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)<BR> Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)<BR> Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
(0x0008)<BR> Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)<BR> Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)<BR> Compression Methods Length: 1<BR> Compression Methods (1
method)<BR> Compression Method: null (0)<BR> AVP: l=18 t=Message-Authenticator(80): 4A1E0B1F9718533C8A225B0FC8EBB617<BR> Message-Authenticator: 4A1E0B1F9718533C8A225B0FC8EBB617<BR><BR>No. Time Source Destination Protocol Info<BR> 68 89.725405 192.168.0.197 192.168.0.123 RADIUS Access-challenge(11) (id=4,
l=1090)<BR><BR>Frame 68 (1132 bytes on wire, 1132 bytes captured)<BR> Arrival Time: Jun 3, 2008 08:32:22.625283000<BR> [Time delta from previous captured frame: 0.044327000 seconds]<BR> [Time delta from previous displayed frame: 0.044327000 seconds]<BR> [Time since reference or first frame: 89.725405000 seconds]<BR> Frame Number: 68<BR> Frame Length: 1132 bytes<BR> Capture Length: 1132 bytes<BR> [Frame is marked: False]<BR> [Protocols in frame: eth:ip:udp:radius:eap]<BR> [Coloring Rule Name: Checksum Errors]<BR> [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]<BR>Ethernet II, Src: Micro-St_89:79:21 (00:19:db:89:79:21), Dst: Cisco_44:1b:40
(00:0a:8a:44:1b:40)<BR> Destination: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Source: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> Address: Micro-St_89:79:21 (00:19:db:89:79:21)<BR> .... ...0 .... .... .... .... = IG bit: Individual address (unicast)<BR> .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)<BR> Type: IP (0x0800)<BR>Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.123
(192.168.0.123)<BR> Version: 4<BR> Header length: 20 bytes<BR> Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)<BR> 0000 00.. = Differentiated Services Codepoint: Default (0x00)<BR> .... ..0. = ECN-Capable Transport (ECT): 0<BR> .... ...0 = ECN-CE: 0<BR> Total Length: 1118<BR> Identification: 0x0000 (0)<BR> Flags: 0x04 (Don't Fragment)<BR> 0... = Reserved bit: Not set<BR> .1.. = Don't fragment: Set<BR> ..0. = More fragments: Not set<BR> Fragment offset: 0<BR> Time to live: 64<BR> Protocol: UDP (0x11)<BR> Header
checksum: 0xb3fe [correct]<BR> [Good: True]<BR> [Bad : False]<BR> Source: 192.168.0.197 (192.168.0.197)<BR> Destination: 192.168.0.123 (192.168.0.123)<BR>User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)<BR> Source port: radius (1812)<BR> Destination port: radius (1812)<BR> Length: 1098<BR> Checksum: 0x86ec [incorrect, should be 0x7116 (maybe caused by "UDP checksum offload"?)]<BR> [Good Checksum: False]<BR> [Bad Checksum: True]<BR>Radius Protocol<BR> Code: Access-challenge (11)<BR> Packet identifier: 0x4 (4)<BR> Length: 1090<BR> Authenticator:
BFFB901870A6B7784BF8FC427088FD1F<BR> Attribute Value Pairs<BR> AVP: l=255 t=EAP-Message(79) Segment[1]<BR> EAP fragment<BR> AVP: l=255 t=EAP-Message(79) Segment[2]<BR> EAP fragment<BR> AVP: l=255 t=EAP-Message(79) Segment[3]<BR> EAP fragment<BR> AVP: l=255 t=EAP-Message(79) Segment[4]<BR> EAP fragment<BR> AVP: l=14 t=EAP-Message(79) Last Segment[5]<BR> EAP
fragment<BR> Extensible Authentication Protocol<BR> Code: Request (1)<BR> Id: 4<BR> Length: 1024<BR> Type: EAP-TLS [RFC2716] [Aboba] (13)<BR> Flags(0xC0): Length More <BR> Length: 2669<BR> AVP: l=18 t=Message-Authenticator(80):
F7F26F81A3C0666CA9725E9E0C46907C<BR> Message-Authenticator: F7F26F81A3C0666CA9725E9E0C46907C<BR> AVP: l=18 t=State(24): 6B1410EF6A101D4FB7BBF03DE9D33AFE<BR> State: 6B1410EF6A101D4FB7BBF03DE9D33AFE<BR><BR>back at one....</DIV>
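<DIV>What frame 68 of the capture above actually carries is worth decoding byte by byte: the Access-Challenge (RADIUS length 1090) holds five EAP-Message AVPs (4 x 255 bytes and one of 14) that concatenate to a single 1024-byte EAP Request, whose EAP-TLS flags 0xC0 mean Length and More, with a total TLS length of 2669. That is the first fragment of the server's Hello flight; under RFC 2716 the remaining fragments are sent only after the authenticator answers this one with an empty EAP-TLS response, and Wireshark lists eap but not ssl for the frame because a partial record cannot be dissected. The script below is an added example, not code from the post or from FreeRADIUS. It rebuilds a packet with the same layout as frame 68 from constructed data (the shared secret, the Request Authenticator and the 2669 TLS bytes are stand-ins, since none of them are on the page), reassembles the EAP-Message AVPs, decodes the EAP-TLS flags, and checks both the Response Authenticator and the Message-Authenticator that RFC 3579 requires on every RADIUS packet that carries EAP. The function and constant names are my own.</DIV>

```python
"""Decode a RADIUS Access-Challenge that carries a fragmented EAP-TLS request.

Added example (not code from the post or from FreeRADIUS). It reassembles the
EAP-Message AVPs, decodes the EAP-TLS flags and checks the Message-Authenticator
that RFC 3579 requires on every RADIUS packet carrying EAP. The shared secret,
the Request Authenticator and the TLS bytes below are constructed stand-ins.
"""
import hashlib
import hmac
import struct

RADIUS_ACCESS_CHALLENGE = 11
AVP_STATE, AVP_EAP_MESSAGE, AVP_MESSAGE_AUTHENTICATOR = 24, 79, 80
EAP_REQUEST, EAP_TYPE_TLS = 1, 13
TLS_FLAG_LENGTH, TLS_FLAG_MORE, TLS_FLAG_START = 0x80, 0x40, 0x20  # RFC 2716 flag bits

SECRET = b"constructed-shared-secret"   # constructed; the real secret is not on the page
REQUEST_AUTH = bytes(range(16))          # constructed stand-in for the Access-Request Authenticator


def parse_avps(body):
    """Return the (type, value) pairs of a RADIUS attribute section, in wire order."""
    avps, off = [], 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated AVP header at offset %d" % off)
        atype, alen = body[off], body[off + 1]
        if alen < 2 or off + alen > len(body):
            raise ValueError("malformed AVP at offset %d" % off)
        avps.append((atype, body[off + 2:off + alen]))
        off += alen
    return avps


def encode_avps(avps):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)


def _zero_ma(avps):
    return [(t, bytes(16) if t == AVP_MESSAGE_AUTHENTICATOR else v) for t, v in avps]


def build_reply(code, ident, request_auth, avps, secret):
    """Build a RADIUS reply with a valid Message-Authenticator and Response Authenticator."""
    body = encode_avps(_zero_ma(avps))
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # RFC 3579 3.2: for a reply the HMAC-MD5 is computed with the *Request* Authenticator
    # in the header and the Message-Authenticator value itself zeroed.
    mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
    body = encode_avps([(t, mac if t == AVP_MESSAGE_AUTHENTICATOR else v) for t, v in avps])
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    response_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + response_auth + body


def verify_reply(packet, request_auth, secret):
    """True only if both authenticators of a reply to request_auth check out."""
    if len(packet) < 20:
        return False
    header, response_auth, body = packet[:4], packet[4:20], packet[20:]
    if struct.unpack("!H", header[2:4])[0] != len(packet):
        return False
    expected_ra = hashlib.md5(header + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected_ra, response_auth):
        return False
    avps = parse_avps(body)
    mas = [v for t, v in avps if t == AVP_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0]) != 16:
        return False  # an EAP-carrying packet must have exactly one Message-Authenticator
    expected_ma = hmac.new(secret, header + request_auth + encode_avps(_zero_ma(avps)), hashlib.md5).digest()
    return hmac.compare_digest(expected_ma, mas[0])


def eap_from_radius(packet):
    """Concatenate all EAP-Message AVPs in wire order (RFC 3579 3.1): one EAP packet per RADIUS packet."""
    return b"".join(v for t, v in parse_avps(packet[20:]) if t == AVP_EAP_MESSAGE)


def parse_eap_tls(eap):
    """Decode an EAP-TLS header: the L (length), M (more) and S (start) flags of RFC 2716."""
    if len(eap) < 6:
        raise ValueError("EAP-TLS packet needs at least 6 bytes")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap) or eap[4] != EAP_TYPE_TLS:
        raise ValueError("not a well-formed EAP-TLS packet")
    flags, off, total = eap[5], 6, None
    if flags & TLS_FLAG_LENGTH:  # only the first fragment of a flight carries the total TLS length
        total = struct.unpack("!I", eap[6:10])[0]
        off = 10
    return {"code": code, "id": ident, "length": length,
            "length_included": bool(flags & TLS_FLAG_LENGTH),
            "more_fragments": bool(flags & TLS_FLAG_MORE),
            "start": bool(flags & TLS_FLAG_START),
            "tls_total_length": total, "tls_data": eap[off:]}


def first_server_fragment(tls_flight, eap_id, fragment_size=1024):
    """First EAP-TLS Request of a flight that does not fit one EAP packet: L and M flags set."""
    chunk = tls_flight[:fragment_size - 10]  # 4-byte EAP header + type + flags + 4-byte length
    body = bytes([EAP_TYPE_TLS, TLS_FLAG_LENGTH | TLS_FLAG_MORE]) + struct.pack("!I", len(tls_flight)) + chunk
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body


def split_eap_message(eap, max_value=253):
    """Split one EAP packet over EAP-Message AVPs (253 bytes of value per 255-byte AVP)."""
    return [(AVP_EAP_MESSAGE, eap[i:i + max_value]) for i in range(0, len(eap), max_value)]


def build_frame68_like():
    """Rebuild an Access-Challenge with the same layout as frame 68 in the capture."""
    tls_flight = b"\x16\x03\x01" + bytes(2666)  # constructed 2669-byte stand-in for the server flight
    eap = first_server_fragment(tls_flight, eap_id=4)
    avps = split_eap_message(eap) + [(AVP_MESSAGE_AUTHENTICATOR, bytes(16)), (AVP_STATE, bytes(16))]
    return build_reply(RADIUS_ACCESS_CHALLENGE, 4, REQUEST_AUTH, avps, SECRET)


if __name__ == "__main__":
    pkt = build_frame68_like()
    print("RADIUS length", len(pkt), "authenticators ok:", verify_reply(pkt, REQUEST_AUTH, SECRET))
    info = parse_eap_tls(eap_from_radius(pkt))
    info["tls_data"] = "%d bytes" % len(info["tls_data"])
    print(info)
```

Run stand-alone, the script reports a 1090-byte packet whose authenticators verify and an EAP-TLS request of length 1024 with the Length and More flags set and a total TLS length of 2669, the same numbers the capture shows. The 1024-byte EAP packet is the server's EAP-TLS fragment size; FreeRADIUS 2.x sets it with <code>fragment_size</code> in the <code>tls</code> section of <code>eap.conf</code>. A verifier like <code>verify_reply</code> is also the check to run on a suspect capture before trusting its contents: an Access-Challenge whose Message-Authenticator does not verify under the shared secret was not produced by the server.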
<DIV></DIV></DIV><BR>
<HR SIZE=1>
<A href="http://cn.mail.yahoo.com/" target=_blank rel=nofollow>Yahoo Mail, your lifelong mailbox!</A></DIV></DIV></div><br>
</body></html>