excelsio@gmx.net wrote:
Freeradius is 2.x on a Debian 5.0. My first attempt was with MD5, which works without any problem. Next step is TLS, which works at 50%. Well, the client authentication of TLS works, but when I configure to do a server authentication within the IP phone´s setup, it fails. ... ============================================================================================================================= As soon as I enable "Server Authentication" wthin the IP phone, it fails: =============================================================================================================================
Going to the next request Ready to process requests. rad_recv: Access-Request packet from host 192.168.10.130 port 1812, id=146, length=336
EAP Identity...
Sending Access-Challenge of id 146 to 192.168.10.130 port 1812 Framed-Protocol = PPP Framed-Compression = Van-Jacobson-TCP-IP EAP-Message = 0x011800060d20
Starting EAP-TLS...
rad_recv: Access-Request packet from host 192.168.10.130 port 1812, id=147, length=343 ... EAP-Message = 0x02180006030d
Ugh.
[eap] ERROR! Our request for tls was NAK'd with a request for tls. Skipping the requested type.
Yup.
Well, what´s going wrong?
The client is badly written. It shouldn't NAK tls with a request for TLS. The likely cause is that the client (for some unknown reason) doesn't like the server certificate. I would suggest trying with different certificates, and possibly different EAP types. Alan DeKok.