Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
please, help me to be sure I understand `radiusd -X' output right way ... I agree, it does look like an MTU issue. But that's v2 output, which we no longer support. Upgrade to v3.0.x preferably v3.0.x HEAD as I just added a bunch of useful debug output, and provide debug output from that.
I have upgraded to freeradius3-3.0.8 (not head since I install it from ports and it the last one available) and result looks the same ... PKI used is the one, created during the installation bellow is the output: in `radiusd -X' I see this ---[ quotation start ]------------------------------------------- ... (141) files: Processing radiusGroupName value "ethernet" as a group name rlm_ldap (ldap): Released connection (24) (141) files: User is not a member of "bootp" (141) files: users: Matched entry DEFAULT at line 288 (141) files: EXPAND %{User-Name}, you have came from %{NAS-IP-Address} copper port %{NAS-Port}. (141) files: --> jdoe-eap, you have came from 192.168.0.1 copper port 14. (141) [files] = ok rlm_ldap (ldap): Reserved connection (24) (141) ldap: EXPAND (&(cn=%{%{Stripped-User-Name}:-%{User-Name}})(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) (141) ldap: --> (&(cn=jdoe-eap)(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz))) (141) ldap: Performing search in "ou=People,dc=xyz" with filter "(&(cn=jdoe-eap)(|(authorizedService=802.1x-mac@xyz)(authorizedService=802.1x-eap@xyz)(authorizedService=802.1x@xyz)))", scope "sub" (141) ldap: Waiting for search result... (141) ldap: User object found at DN "uid=jdoe-eap,authorizedService=802.1x-eap@xyz,uid=it-jdoe,ou=People,dc=xyz" (141) ldap: Processing user attributes (141) ldap: control:Password-With-Header += 'jdoe-eap' (141) ldap: reply:Tunnel-Type := VLAN (141) ldap: reply:Tunnel-Medium-Type := IEEE-802 (141) ldap: reply:Tunnel-Private-Group-ID := '3495' rlm_ldap (ldap): Released connection (24) (141) [ldap] = updated (141) [expiration] = noop (141) [logintime] = noop (141) pap: No {...} in Password-With-Header, re-writing to Cleartext-Password (141) pap: Removing &control:Password-With-Header (141) pap: WARNING: Auth-Type already set. Not setting to PAP (141) [pap] = noop (141) if (notfound){ (141) if (notfound) -> FALSE (141) if (reject){ (141) if (reject) -> FALSE (141) } # authorize = updated (141) Found Auth-Type = EAP (141) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (141) authenticate { (141) eap: Expiring EAP session with state 0x6aedf5cd69e3f8dd (141) eap: Finished EAP session with state 0x6aedf5cd69e3f8dd (141) eap: Previous EAP request found for state 0x6aedf5cd69e3f8dd, released from the list (141) eap: Peer sent method TLS (13) (141) eap: EAP TLS (13) (141) eap: Calling eap_tls to process EAP data (141) eap_tls: Authenticate (141) eap_tls: processing EAP-TLS (141) eap_tls: Received TLS ACK (141) eap_tls: Received TLS ACK (141) eap_tls: ACK handshake fragment handler (141) eap_tls: eaptls_verify returned 1 (141) eap_tls: eaptls_process returned 13 (141) eap: EAP session adding &reply:State = 0x6aedf5cd6ee2f8dd (141) [eap] = handled (141) } # authenticate = handled (141) Using Post-Auth-Type Challenge (141) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (141) Sent Access-Challenge Id 0 from 192.168.0.254:1812 to 192.168.0.1:49205 length 1032 (141) Reply-Message = 'jdoe-eap, you have came from 192.168.0.1 copper port 14.' (141) Tunnel-Type := VLAN (141) Tunnel-Medium-Type := IEEE-802 (141) Tunnel-Private-Group-Id := '3495' (141) EAP-Message = 0x010f03790d8000000b33696361746520417574686f7269747982 ... (141) Message-Authenticator = 0x00000000000000000000000000000000 (141) State = 0x6aedf5cd6ee2f8dd653acce97afb91c3 (141) Finished request Waking up in 0.3 seconds. Waking up in 4.6 seconds. (141) <done>: Cleaning up request packet ID 0 with timestamp +1513 Ready to process requests ... ---[ quotation end ]------------------------------------------- wpa_supplicant debug shows this: ---[ quotation start ]------------------------------------------- ... 1435088855.951675: EAPOL: Received EAP-Packet frame 1435088855.951676: EAPOL: SUPP_BE entering state REQUEST 1435088855.951677: EAPOL: getSuppRsp 1435088855.951678: EAP: EAP entering state RECEIVED 1435088855.951683: EAP: Received EAP-Request id=106 method=13 vendor=0 vendorMethod=0 1435088855.951685: EAP: EAP entering state METHOD 1435088855.951687: SSL: Received packet(len=889) - Flags 0x80 1435088855.951688: SSL: TLS Message Length: 2867 1435088855.951706: SSL: (where=0x1001 ret=0x1) 1435088855.951708: SSL: SSL_connect:SSLv3 read server hello A 1435088855.951922: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=1 buf='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority' 1435088855.951932: igb0: CTRL-EVENT-EAP-PEER-CERT depth=1 subject='/C=FR/ST=Radius/L=Somewhere/O=Example Inc./emailAddress=admin@example.com/CN=Example Certificate Authority' 1435088855.951934: EAP: Status notification: remote certificate verification (param=success) 1435088855.952016: TLS: tls_verify_cb - preverify_ok=1 err=0 (ok) ca_cert_verify=1 depth=0 buf='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com' 1435088855.952020: igb0: CTRL-EVENT-EAP-PEER-CERT depth=0 subject='/C=FR/ST=Radius/O=Example Inc./CN=Example Server Certificate/emailAddress=admin@example.com' 1435088855.952302: EAP: Status notification: remote certificate verification (param=success) 1435088855.952308: SSL: (where=0x1001 ret=0x1) 1435088855.952310: SSL: SSL_connect:SSLv3 read server certificate A 1435088855.952395: SSL: (where=0x1001 ret=0x1) 1435088855.952397: SSL: SSL_connect:SSLv3 read server key exchange A 1435088855.952416: SSL: (where=0x1001 ret=0x1) 1435088855.952417: SSL: SSL_connect:SSLv3 read server certificate request A 1435088855.952419: SSL: (where=0x1001 ret=0x1) 1435088855.952420: SSL: SSL_connect:SSLv3 read server done A 1435088855.952506: SSL: (where=0x1001 ret=0x1) 1435088855.952509: SSL: SSL_connect:SSLv3 write client certificate A 1435088855.953325: SSL: (where=0x1001 ret=0x1) 1435088855.953328: SSL: SSL_connect:SSLv3 write client key exchange A 1435088855.955164: SSL: (where=0x1001 ret=0x1) 1435088855.955167: SSL: SSL_connect:SSLv3 write certificate verify A 1435088855.955232: SSL: (where=0x1001 ret=0x1) 1435088855.955234: SSL: SSL_connect:SSLv3 write change cipher spec A 1435088855.955251: SSL: (where=0x1001 ret=0x1) 1435088855.955252: SSL: SSL_connect:SSLv3 write finished A 1435088855.955256: SSL: (where=0x1001 ret=0x1) 1435088855.955257: SSL: SSL_connect:SSLv3 flush data 1435088855.955259: SSL: (where=0x1002 ret=0xffffffff) 1435088855.955260: SSL: SSL_connect:error in SSLv3 read finished A 1435088855.955262: SSL: SSL_connect - want more data 1435088855.955263: SSL: 2651 bytes pending from ssl_out 1435088855.955266: SSL: 2651 bytes left to be sent out (of total 2651 bytes) 1435088855.955267: SSL: sending 1398 bytes, more fragments will follow 1435088855.955269: EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL 1435088855.955271: EAP: EAP entering state SEND_RESPONSE 1435088855.955273: EAP: EAP entering state IDLE 1435088855.955274: EAPOL: SUPP_BE entering state RESPONSE 1435088855.955275: EAPOL: txSuppRsp 1435088855.955277: TX EAPOL: dst=01:80:c2:00:00:03 1435088855.955279: TX EAPOL - hexdump(len=1412): 01 00 05 80 ... 1435088885.940665: EAPOL: Received EAP-Packet frame 1435088885.940667: EAPOL: SUPP_BE entering state REQUEST 1435088885.940668: EAPOL: getSuppRsp 1435088885.940669: EAP: EAP entering state RECEIVED 1435088885.940676: EAP: Received EAP-Request id=106 method=13 vendor=0 vendorMethod=0 1435088885.940678: EAP: EAP entering state RETRANSMIT 1435088885.940680: EAP: EAP entering state SEND_RESPONSE 1435088885.940681: EAP: EAP entering state IDLE 1435088885.940682: EAPOL: SUPP_BE entering state RESPONSE 1435088885.940683: EAPOL: txSuppRsp 1435088885.940685: TX EAPOL: dst=01:80:c2:00:00:03 1435088885.940687: TX EAPOL - hexdump(len=1412): 01 ... ... ---[ quotation end ]------------------------------------------- MTU tried (inteface is ethernet, not tun) are 1500 and 1250 what am I missing? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)