Hi Hoercher, Thank you very much for your advice. Using ethereal sniffing, I've captured the *packets in the wireless supplicant interface and the related records are as follows:* No. Time Source Destination Protocol Info 65 40.298751 Colubris_f3:dc:20 192.168.1.3 EAP Request, Identity [RFC3748] Frame 65 (27 bytes on wire, 27 bytes captured) Ethernet II, Src: Colubris_f3:dc:20 (00:03:52:f3:dc:20), Dst: 192.168.1.3(00:0e:35:89:71:e0) 802.1X Authentication No. Time Source Destination Protocol Info 66 40.299193 192.168.1.3 Colubris_f3:dc:20 EAP Response, Identity [RFC3748] Frame 66 (30 bytes on wire, 30 bytes captured) Ethernet II, Src: 192.168.1.3 (00:0e:35:89:71:e0), Dst: Colubris_f3:dc:20 (00:03:52:f3:dc:20) 802.1X Authentication No. Time Source Destination Protocol Info 69 50.331149 Colubris_f3:dc:20 192.168.1.3 EAP Request, PEAP [Palekar] Frame 69 (24 bytes on wire, 24 bytes captured) Ethernet II, Src: Colubris_f3:dc:20 (00:03:52:f3:dc:20), Dst: 192.168.1.3(00:0e:35:89:71:e0) 802.1X Authentication No. Time Source Destination Protocol Info 70 50.332306 192.168.1.3 Colubris_f3:dc:20 TLSv1 Client Hello Frame 70 (98 bytes on wire, 98 bytes captured) Ethernet II, Src: 192.168.1.3 (00:0e:35:89:71:e0), Dst: Colubris_f3:dc:20 (00:03:52:f3:dc:20) 802.1X Authentication No. Time Source Destination Protocol Info 71 50.355419 Colubris_f3:dc:20 192.168.1.3 TLSv1 Server Hello, Certificate, Server Hello Done Frame 71 (696 bytes on wire, 696 bytes captured) Ethernet II, Src: Colubris_f3:dc:20 (00:03:52:f3:dc:20), Dst: 192.168.1.3(00:0e:35:89:71:e0) 802.1X Authentication No. Time Source Destination Protocol Info 72 50.371799 192.168.1.3 Colubris_f3:dc:20 EAP Response, PEAP [Palekar] Frame 72 (24 bytes on wire, 24 bytes captured) Ethernet II, Src: 192.168.1.3 (00:0e:35:89:71:e0), Dst: Colubris_f3:dc:20 (00:03:52:f3:dc:20) 802.1X Authentication No. Time Source Destination Protocol Info 73 50.392452 Colubris_f3:dc:20 192.168.1.3 EAP Request, PEAP [Palekar] Frame 73 (24 bytes on wire, 24 bytes captured) Ethernet II, Src: Colubris_f3:dc:20 (00:03:52:f3:dc:20), Dst: 192.168.1.3(00:0e:35:89:71:e0) 802.1X Authentication No. Time Source Destination Protocol Info 76 60.383628 Colubris_f3:dc:20 192.168.1.3 EAP Request, PEAP [Palekar] Frame 76 (24 bytes on wire, 24 bytes captured) Ethernet II, Src: Colubris_f3:dc:20 (00:03:52:f3:dc:20), Dst: 192.168.1.3(00:0e:35:89:71:e0) 802.1X Authentication No. Time Source Destination Protocol Info 79 70.376465 Colubris_f3:dc:20 192.168.1.3 EAP Failure Besides, * the related radius log is as follows:* rad_recv: Access-Request packet from host 172.24.26.144:1025, id=186, length=249 Acct-Session-Id = "2e578294" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Name = "alcatel" Calling-Station-Id = "00-0E-35-89-71-E0" Called-Station-Id = "00-03-52-01-84-7D" EAP-Message = 0x02f3005019800000004616030100410100003d030144ed53ef07a048b6fc29ca4e446ccb5d3fbfca4977bba0fee1d0212aacab134400001600040005000a000900640062000300060013001200630100 State = 0xd5fc64a31e807c1466886de9976ddb63 NAS-Identifier = "R014-00755" NAS-IP-Address = 172.24.26.144 Framed-MTU = 1496 Connect-Info = "IEEE802.1X" Service-Type = Framed-User Message-Authenticator = 0xad27137f763a888a127758b4802d60bd Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 modcall[authorize]: module "preprocess" returns ok for request 6 radius_xlat: '/usr/local/var/log/radius/radacct/172.24.26.144/auth-detail-20060824' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.24.26.144/auth-detail-20060824 modcall[authorize]: module "auth_log" returns ok for request 6 modcall[authorize]: module "mschap" returns noop for request 6 rlm_realm: No '@' in User-Name = "alcatel", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 6 rlm_eap: EAP packet type response id 243 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0243], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 186 to 172.24.26.144 port 1025 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x01f402a61900160301004a02000046030144ed52c7791dfb4db0d0bacf1f84744c2e7aa61d8990d0711343cfd7428edc4320d9fdf4f079954337b4c264c8a33c0b2ccca925f5119a4c314a5d25e612fca3aa00040016030102430b00023f00023c000239308202353082019ea003020102020101300d06092a864886f70d01010405003054310b3009060355040613024652310e300c060355040813055061726973310f300d0603550407130656656c697a793110300e060355040a1307416c636174656c31123010060355040313096c6f63616c686f7374301e170d3036303831373131343230355a170d3037303831373131343230355a3054310b EAP-Message = 0x3009060355040613024652310e300c060355040813055061726973310f300d0603550407130656656c697a793110300e060355040a1307416c636174656c31123010060355040313096c6f63616c686f737430819f300d06092a864886f70d010101050003818d0030818902818100c0b68a2064159d8dc8b4067746ee82384bc71ac4efbf1132ffe1afabf49a207e3e3d553a6e27b1a7c3875c8892c8ebd91a09fd7709e354168e9a4a71e38a936c82e2b857eb5176eae445966adf28ce8f3a31c987aced4d774a9957de5b26bdc300fcee71c0f7139845ebd253c6f27945bbe70fd3501563e231ba1d52419508ed0203010001a31730153013060355 EAP-Message = 0x1d25040c300a06082b06010505070301300d06092a864886f70d0101040500038181001a8366350e04eb86535cbf2b3c4a13c32f5c4455310aad4e23480d695cab9ea9dbdeed10885c1c483beb583e19adaf4e663bc41fe81c3a00a83dbcb86dbae0dd25653c2f2eea11f510cbc359e83589e6236a8456ae91bb0631c30c87172933e625ff3e2571d8781b5a3351179d0ebcd2955b235513684fcdcd288386eb612a8316030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xac69d287747a66f880697ba51187da63 Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 172.24.26.144:1025, id=144, length=175 Acct-Session-Id = "2e578294" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Name = "alcatel" Calling-Station-Id = "00-0E-35-89-71-E0" Called-Station-Id = "00-03-52-01-84-7D" EAP-Message = 0x02f400061900 State = 0xac69d287747a66f880697ba51187da63 NAS-Identifier = "R014-00755" NAS-IP-Address = 172.24.26.144 Framed-MTU = 1496 Connect-Info = "IEEE802.1X" Service-Type = Framed-User Message-Authenticator = 0x96da8d8ab41d8a0d4d4fe964298b1d0f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 modcall[authorize]: module "preprocess" returns ok for request 7 radius_xlat: '/usr/local/var/log/radius/radacct/172.24.26.144/auth-detail-20060824' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/172.24.26.144/auth-detail-20060824 modcall[authorize]: module "auth_log" returns ok for request 7 modcall[authorize]: module "mschap" returns noop for request 7 rlm_realm: No '@' in User-Name = "alcatel", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 7 rlm_eap: EAP packet type response id 244 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry DEFAULT at line 152 users: Matched entry DEFAULT at line 171 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Received EAP-TLS ACK message rlm_eap_tls: ack handshake fragment handler eaptls_verify returned 1 eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED modcall[authenticate]: module "eap" returns handled for request 7 modcall: leaving group authenticate (returns handled) for request 7 Sending Access-Challenge of id 144 to 172.24.26.144 port 1025 Framed-IP-Address = 255.255.255.254 Framed-MTU = 576 Service-Type = Framed-User EAP-Message = 0x01f500061900 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb2fb4146c8792b2e32313e63983fdbdd Finished request 7 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 5 ID 108 with timestamp 44ed52c7 Cleaning up request 7 ID 144 with timestamp 44ed52c7 Cleaning up request 6 ID 186 with timestamp 44ed52c7 Nothing to do. Sleeping until we see a request. Anyone has some good suggestions? Thanks in advance. 2006/8/23, K. Hoercher <wbhoer@gmail.com>:
On 8/22/06, sheng <wushengws1001@gmail.com> wrote:
There's a strange problem: each time the client send a request, the server tries to read the client certificate on the supplicant. I think it's very strange considering that no client certificate is needed for peap/mschapv2. This event is recorded in the handshake phase on the radius logfile(I've listed it in the below). It seems the handshake phase fails because the server cann't read the client certificate. [...] TLS_accept:error in SSLv3 read client certificate A rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 rlm_eap_peap: EAPTLS_HANDLED
Hi,
if you are referring to the quoted part, that' not a problem. Roughly put: openssl just mentiones that it wasn't able to check the client cert (which is possible, but unneeded for eap-peap).
Finished request 3 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 2 ID 19 with timestamp 44e9e42f Cleaning up request 3 ID 138 with timestamp 44e9e42f Nothing to do. Sleeping until we see a request. rad_recv: Access-Request packet from host 172.24.26.144:1025, id=137, length=249 Acct-Session-Id = "67671438" NAS-Port = 1 NAS-Port-Type = Wireless-802.11 User-Name = "alcatel" Calling-Station-Id = "00-0E-35-89-71-E0" Called-Station-Id = "00-03-52-01-84-7D" EAP-Message = 0x0280005019800000004616030100410100003d030144e9e54ee8bf5c390cecf9fa8b659b32ac0a7eb623919876fa26dd9dc220d75800001600040005000a000900640062000300060013001200630100 State = 0x091ad12235d4b0c91ca834c803d04ee0 [...] modcall: entering group authenticate for request 4 rlm_eap: Request not found in the list rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request rlm_eap: Failed in handler
Which of the two cases mentioned in the debug output to your further requests might be happening I'm not sure of. There seems to elapse quite some time, before they come in after the challenge was sent out. That looks curious.
As your included data got truncated on the list you might consider resending it as attachment or use a pastebot and provide the link.
Maybe you could provide some sniffing on the wireless part (via wireshark et al). That might be instructive in sorting out when who did send what.
regards K. Hoercher (Hopefully gmail really could not send this out, as it keept telling me. Otherwise this must be the 5th reply, if so please excuse me.) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Best Wishes, Sheng Wu