On 8/22/06, sheng <wushengws1001@gmail.com> wrote:
There's a strange problem: each time the client send a request, the server tries to read the client certificate on the supplicant. I think it's very strange considering that no client certificate is needed for peap/mschapv2. This event is recorded in the handshake phase on the radius logfile(I've listed it in the below). It seems the handshake phase fails because the server cann't read the client certificate. [...] TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED
Hi, if you are referring to the quoted part, that' not a problem. Roughly put: openssl just mentiones that it wasn't able to check the client cert (which is possible, but unneeded for eap-peap).
Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 19 with timestamp 44e9e42f Cleaning up request 3 ID 138 with timestamp 44e9e42f Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 172.24.26.144:1025, id=137, length=249 Acct-Session-Id = "67671438" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Name = "alcatel" Calling-Station-Id = "00-0E-35-89-71-E0" Called-Station-Id = "00-03-52-01-84-7D" EAP-Message = 0x0280005019800000004616030100410100003d030144e9e54ee8bf5c390cecf9fa8b659b32ac0a7eb623919876fa26dd9dc220d75800001600040005000a000900640062000300060013001200630100 State = 0x091ad12235d4b0c91ca834c803d04ee0 [...] modcall: entering group authenticate for request 4 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler
Which of the two cases mentioned in the debug output to your further requests might be happening I'm not sure of. There seems to elapse quite some time, before they come in after the challenge was sent out. That looks curious. As your included data got truncated on the list you might consider resending it as attachment or use a pastebot and provide the link. Maybe you could provide some sniffing on the wireless part (via wireshark et al). That might be instructive in sorting out when who did send what. regards K. Hoercher (Hopefully gmail really could not send this out, as it keept telling me. Otherwise this must be the 5th reply, if so please excuse me.)