Hello My server is now accepting the eap authentication, but is sending after this accept an access challenge to the client. It seems that the client "ignores" the access challenge sent by the server !! Any idea ?? Fabien rad_recv: Access-Request packet from host 10.166.42.30:1024, id=3, length=159 User-Name = "sierre08015" NAS-IP-Address = 10.166.42.30 NAS-Port = 1 Called-Station-Id = "00-14-C2-BB-FF-70:test" Calling-Station-Id = "00-1F-3C-13-1A-1F" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x02070010017369657272653038303135 Message-Authenticator = 0x44d8e63aaf78d1dd710924a013bfe7ba Processing the authorize section of radiusd.conf modcall: entering group authorize for request 3 modcall[authorize]: module "preprocess" returns ok for request 3 rlm_eap: EAP packet type response id 7 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 3 users: Matched entry sierre08015 at line 97 modcall[authorize]: module "files" returns ok for request 3 modcall: leaving group authorize (returns updated) for request 3 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 3 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Requiring client certificate rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 3 modcall: leaving group authenticate (returns handled) for request 3 Sending Access-Challenge of id 3 to 10.166.42.30 port 1024 EAP-Message = 0x010800060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x70d9ca888398794265f013f1ea86a3b8 Finished request 3 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.166.42.30:1024, id=4, length=241 User-Name = "sierre08015" NAS-IP-Address = 10.166.42.30 NAS-Port = 1 Called-Station-Id = "00-14-C2-BB-FF-70:test" Calling-Station-Id = "00-1F-3C-13-1A-1F" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020800500d800000004616030100410100003d030149ae3f67c2530394de05ba7fb9c39413db6dd4d884994527880e0543a428dee400001600040005000a000900640062000300060013001200630100 State = 0x70d9ca888398794265f013f1ea86a3b8 Message-Authenticator = 0x56372f6bfce57e79360ae0c757da625b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 rlm_eap: EAP packet type response id 8 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry sierre08015 at line 97 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 02ad], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 00a3], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 4 to 10.166.42.30 port 1024 EAP-Message = 0x010903b30d80000003a9160301004a02000046030149ae3f6712908d3b767909434474e04763782e4799f5ba8fa55677e4cc5ebb69201f975e44af3ffdd4256b3608b4501983469357e875c2d3df0e562e297d56618300040016030102ad0b0002a90002a60002a33082029f30820208020900d79b076a9c2a726f300d06092a864886f70d0101050500308193310b3009060355040613024348311430120603550408130b537769747a65726c616e64310f300d06035504071306536965727265311d301b060355040a13144e6f76656c697320506c616e7420536965727265311630140603550403130d526164697573205365727665723126302406 EAP-Message = 0x092a864886f70d01090116177369657272657261643130406e6f76656c69732e636f6d301e170d3039303131323139323733375a170d3039303231313139323733375a308193310b3009060355040613024348311430120603550408130b537769747a65726c616e64310f300d06035504071306536965727265311d301b060355040a13144e6f76656c697320506c616e7420536965727265311630140603550403130d526164697573205365727665723126302406092a864886f70d01090116177369657272657261643130406e6f76656c69732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ec5d7c0b616c84 EAP-Message = 0x9cb4d290cf1ba7432d4581ef7602de5309e60866c877dd2772a62df72614f0988998a7c5feffd6c2454656c0376e3e0f9fd0586bed25ffa89e6f416b92b352fd6090d3b9cf3f0bcb182a2e68ca58848f7cca593c62726f96421e1726757ffc143bf16dd9b132909199d1292ba067160afff70e612f56bfcc550203010001300d06092a864886f70d0101050500038181008f10a3348b6a8192ab370370cf5bc572fe2228a782b7fa97828e798716d26508dfe471fa5352f4ea71a8e5eb12b71413733f07e0d6222a9dec199b76b4434aba154bb64d6e77cd3e5471003e2fceb03bfa6d69340a1b4802edc3959f0de8a52d1ae0cc88217a2db731513ad9 EAP-Message = 0xc8ad4170e9d80b47b6e9ae2a82cc577076dec8b316030100a30d00009b0301020500950093308190310b3009060355040613024348311430120603550408130b537769747a65726c616e64310f300d0603550407130653696572726531163014060355040a130d4e6f76656c697320506c616e74311730150603550403130e46616269656e204372657474617a3129302706092a864886f70d010901161a66616269656e2e6372657474617a406e6f76656c69732e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcad27a06a3667c11a3c87b3e41faa858 Finished request 4 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 10.166.42.30:1024, id=5, length=167 User-Name = "sierre08015" NAS-IP-Address = 10.166.42.30 NAS-Port = 1 Called-Station-Id = "00-14-C2-BB-FF-70:test" Calling-Station-Id = "00-1F-3C-13-1A-1F" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 0Mbps 802.11g" EAP-Message = 0x020900060d00 State = 0xcad27a06a3667c11a3c87b3e41faa858 Message-Authenticator = 0x57367206865668163c2155289735fb84 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 modcall[authorize]: module "preprocess" returns ok for request 5 rlm_eap: EAP packet type response id 9 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry sierre08015 at line 97 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 5 to 10.166.42.30 port 1024 EAP-Message = 0x010a000a0d8000000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x850de87f7a3c97df745f110aed8ce38e Finished request 5 Going to the next request Waking up in 6 seconds... NOVELIS Fabien Crettaz IT System and Infrastructure Novelis Automotive, Painted & Specialities Novelis Switzerland SA CH - 3960 Sierre, Switzerland phone: +41 (0)27 457 7164 fax: +41 (0)27 457 7105 e-mail: fabien.crettaz@novelis.com http://www.novelis.ch P Please consider the environment before printing this email. <tnt@kalik.net> Sent by: freeradius-users-bounces+fabien.crettaz=novelis.com@lists.freeradius.org 03.03.2009 16:50 Please respond to FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> cc Subject Re: eap-tls configuration not running...
Thanks for you response, what should I set as Auth-Type, as 'Auth-Type := eap' is not recommended (cf. coment in eap.conf) ?
You don't set anything. Server will set what it needs. It "just works". Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html