<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<title>No client cert request when configured EAP-TLS-Require-Client-Cert </title>
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:595.3pt 841.9pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1 dir=RTL>
<p class=MsoNormal dir=LTR><font size=3 color=navy face="Times New Roman"><span
style='font-size:12.0pt;color:navy'>Forgot to add the sniffing results earlier</span></font><o:p></o:p></p>
<p class=MsoNormal dir=LTR><font size=2 color=navy face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>Hi,</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>I have strange behavior on my freeradius.</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>I am trying to make it ask for a client certificate as part
of</span></font> <font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>EAP-TTLS authentication.</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>I added the configuration</span></font> <font
size=2 face="Courier New"><span style='font-size:10.0pt;font-family:"Courier New"'>EAP-TLS-Require-Client-Cert
= Yes</span></font> <font size=2 face="Courier New"><span style='font-size:
10.0pt;font-family:"Courier New"'>to the users configuration file as a control for my
username.</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>And got the following log:</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'> TLS_accept: SSLv3 write server done A</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>[ttls] TLS_accept: SSLv3
flush data</span></font><o:p></o:p></p>
<p dir=LTR><b><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New";font-weight:bold'>[ttls]
TLS_accept: Need to read more data: SSLv3 read client certificate</span></font></b><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>However,</span></font> <font size=2
face="Courier New"><span style='font-size:10.0pt;font-family:"Courier New"'>the
sniffing shows no client certificate being sent, and there is no cert request sent
by the server.</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>You can see it below</span></font><o:p></o:p></p>
<p dir=LTR><font size=2 face="Courier New"><span style='font-size:10.0pt;
font-family:"Courier New"'>Thanks for your help.</span></font><o:p></o:p></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>Radius
Protocol<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Code: Access-challenge (11)<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Packet identifier: 0x2 (2)<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Length: 1090<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Authenticator: 30C0590D2DA3E4BBA06A60E9956D6441<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Attribute Value Pairs<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=255 t=EAP-Message(79) Segment[1]<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=255 t=EAP-Message(79) Segment[2]<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=255 t=EAP-Message(79) Segment[3]<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=255 t=EAP-Message(79) Segment[4]<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=14 t=EAP-Message(79) Last Segment[5]<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
EAP fragment<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Extensible Authentication Protocol<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Code: Request (1)<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Id: 3<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Length: 1024<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Type: EAP-TTLS [RFC5281] (21)<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Flags(0xC0): Length More <o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
TTLS version 0<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Length: 3578<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
[EAP-TLS Fragments (3578 bytes): #14(1014), #16(1014), #18(1014), #20(536)]<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
Secure Socket Layer<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
TLSv1 Record Layer: Handshake Protocol: Server Hello<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
TLSv1 Record Layer: Handshake Protocol: Certificate<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
TLSv1 Record Layer: Handshake Protocol: Server Key Exchange<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
TLSv1 Record Layer: Handshake Protocol: Server Hello Done<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=18 t=Message-Authenticator(80): 3B8DD2F0E3AE6A6C08BA6B8CC5A12D8B<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
AVP: l=18 t=State(24): A97FDCBBAB7CC99E1A7630EF1EB500F8<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-bottom:12.0pt'><font size=3
color=navy face="Times New Roman"><span style='font-size:12.0pt;color:navy'>
State: A97FDCBBAB7CC99E1A7630EF1EB500F8</span></font><br>
<br>
<br>
<o:p></o:p></p>
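<p dir=LTR>Added example, not part of the original post and not FreeRADIUS code: a TLS server only asks for a client certificate by sending a CertificateRequest handshake message before Server Hello Done, so a capture like the one above can be checked mechanically by reassembling the EAP-TTLS fragments and listing the handshake messages. It assumes a cleartext TLS 1.0-1.2 server flight; the helper names and the sample packets (placeholder message bodies) are constructed for illustration.</p>

<pre dir=LTR>
```python
import struct
# Handshake message types (TLS 1.0-1.2 numbering).
HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
            13: "CertificateRequest", 14: "ServerHelloDone"}
EAP_TTLS, FLAG_LENGTH, FLAG_MORE = 21, 0x80, 0x40

def reassemble(eap_packets):
    """Concatenate the TLS data carried by a run of EAP-TTLS fragments."""
    tls = b""
    for pkt in eap_packets:
        _code, _id, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
        if eap_type != EAP_TTLS:
            raise ValueError("not an EAP-TTLS packet")
        start = 10 if flags & FLAG_LENGTH else 6   # skip 4-byte total length
        tls += pkt[start:length]
    return tls

def handshake_types(tls):
    """Name the handshake messages in a cleartext TLS flight."""
    body, pos = b"", 0
    while len(tls) - pos >= 5:                    # 5-byte record header
        ctype, _ver, rlen = struct.unpack("!BHH", tls[pos:pos + 5])
        if ctype == 22:                            # handshake record
            body += tls[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    names, pos = [], 0
    while len(body) - pos >= 4:                   # type (1) + length (3)
        names.append(HS_NAMES.get(body[pos], "type %d" % body[pos]))
        pos += 4 + int.from_bytes(body[pos + 1:pos + 4], "big")
    return names

def requests_client_cert(eap_packets):
    return "CertificateRequest" in handshake_types(reassemble(eap_packets))

# --- constructed sample data (placeholder bodies, not the poster's capture) ---
def _hs(msg_type, body=b"\x00" * 8):
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, 0x0301, len(msg)) + msg

def _fragment(tls, size=20, ident=3):
    out, last = [], (len(tls) - 1) // size
    for n in range(last + 1):
        flags = (FLAG_LENGTH if n == 0 else 0) | (FLAG_MORE if n != last else 0)
        hdr = struct.pack("!I", len(tls)) if n == 0 else b""
        data = bytes([EAP_TTLS, flags]) + hdr + tls[n * size:(n + 1) * size]
        out.append(struct.pack("!BBH", 1, ident + n, 4 + len(data)) + data)
    return out

AS_CAPTURED = _fragment(_hs(2) + _hs(11) + _hs(12) + _hs(14))
WITH_REQUEST = _fragment(_hs(2) + _hs(11) + _hs(12) + _hs(13) + _hs(14))
```
</pre>

<p dir=LTR>AS_CAPTURED mirrors the message sequence listed in the dissection above; WITH_REQUEST is the sequence a server produces when it does ask for a client certificate.</p>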
</div>
</body>
</html>