hi All ! i have one problem for wireless connection after authentication procedure using EAP-TLS authentication method through a radius server . i have not solved this problem for about two week .. :-) wondering is that after xsupplicant print out "AUTHENTICATED" message , my wireless card even can't connect to AP or other links i cant get a any ping reply from other host ! but during athentication prcedure, radius server sent "Access-Accept " message with MS-MPPE-Recv-Key and MS-MPPE-Send-Key to AP, then xsupplicant display authentication success message like below ->[ALL] Got EAP-Success! ->Authenticated! [ testbed ] WN(192.168.1.2) < -- wireless network -- > AP (192.168.1.1) <----- LAN -----> Authentication Server (192.168.1.3) - WN [hardware] : thinkpad R52 [OS]: debian3.1, kernel 2.6.11.11 [software] : xsupplicant 1.2pre and 1.2.1 configuration file -> openssl 0.9.7a ieee802 v1.0.3 ipw2200 v1.0.6 ( intel pro/wireless 2915ABG ) xsupplication configuration : http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant-tls.conf - AP [hardware] : ASUS wl500g, firmware v 1.9.4 configuration info : http://jhpark.guideline.co.kr/project/mds/AP/ap_config_info.txt - Authentication Server [hardware] : toshiba tecra m3 [OS]: debian3.1, kernel 2.6.13 [software]: freeradius v1.0.4, openssl v0.9.7e ( /usr/lib is base install path ) freeradius configuration : radiud.conf -> http://jhpark.guideline.co.kr/project/mds/freeradius/radiusd.conf eap.conf -> http://jhpark.guideline.co.kr/project/mds/freeradius/eap.conf other config -> http://jhpark.guideline.co.kr/project/mds/freeradius/ 1. association command with iwconfig root@debian#iwconfig eth1 essid asus key [xxxxx: 26 hex key which was setup in AP wep key] open 2. xsupplicant exec command root@debian#/usr/local/sbin/xsupplicant -i eth1 -d 7 -f -c /root/xsupplicant-tls.conf 3. interface up root@debian#ifconfig eth1 92.168.1.3 netmask 255.255.255.0 up and as a result, i got this xsupplicant result message ---------------------snip ------------------------ Stats for Interface eth1 : EAPOL Frames RX : 8 EAPOL Frames TX : 8 EAPOL Starts TX : 1 EAPOL Logoff TX : 0 EAPOL Resp. ID TX : 1 EAPOL Resp. TX : 6 EAPOL Req. ID RX : 1 EAPOL Req. RX : 6 EAPOL Invalid Frame: 0 EAP Length Error : 0 Last EAPOL Version : 1 Last EAPOL Src. :00 11 D8 24 69 AA EAPOL Success : 1 EAPOL Failure : 0 [STATE] Backend State : RECEIVE -> SUCCESS [STATE] Backend State : SUCCESS -> IDLE [ALL] Got Frame : -------------------- snip --------------------------------- Processing EAPoL-Key! [INT] Key Descriptor = 1 [INT] Key Length = 13 [INT] Replay Counter = 83 AA 80 92 94 9F 62 2A [INT] Key IV = B9 11 F5 37 D3 57 75 DB C4 F7 F1 47 98 BB 55 58 [INT] Key Index (RAW) = 83 [INT] Key Signature = C2 76 90 CD 97 20 AA CF 8A EB 12 C8 DD 45 BC B9 [INT] EAPoL Key Processed: unicast [4] 13 bytes. [INT] Using peer key! *WARNING* This AP uses the key generated during the authentication process. If reauthentication doesn't happen frequently enough your connection may not be very secure! [INT] Successfully set WEP key [4] [INT] Successfully set the WEP transmit key [4] [INT] Got an RTM_NEWLINK! [INT] Wireless event: cmd=0x8b2a len=12 [INT] Encryption key set [STATE] AUTHENTICATING -> AUTHENTICATED [ALL] Canceled timer for 'authentication timer'! [INT] Got an RTM_NEWLINK! [INT] Wireless event: cmd=0x8b2a len=12 [INT] Encryption key set ------------------------------------------------------------------ Full xsupplicant message is this ( http://jhpark.guideline.co.kr/project/mds/xsupplicant/xsupplicant.result ) above all, i can't sure AP and WN (client) have successed in making a right pairwise transient key. if pairwise transient key was made perfectly, why Wn node can't connect other network links ? here is radiusd message during processing above client request. root@debian#radiusd -X Starting - reading configuration files ... reread_config: reading radiusd.conf Config: including file: /usr/local/etc/raddb/proxy.conf Config: including file: /usr/local/etc/raddb/clients.conf Config: including file: /usr/local/etc/raddb/snmp.conf Config: including file: /usr/local/etc/raddb/eap.conf Config: including file: /usr/local/etc/raddb/sql.conf main: prefix = "/usr/local" main: localstatedir = "/usr/local/var" main: logdir = "/usr/local/var/log/radius" main: libdir = "/usr/local/lib" main: radacctdir = "/usr/local/var/log/radius/radacct" main: hostname_lookups = no main: max_request_time = 30 main: cleanup_delay = 5 main: max_requests = 1024 main: delete_blocked_requests = 0 main: port = 0 main: allow_core_dumps = no main: log_stripped_names = no main: log_file = "/usr/local/var/log/radius/radius.log" main: log_auth = yes main: log_auth_badpass = yes main: log_auth_goodpass = yes main: pidfile = "/usr/local/var/run/radiusd/radiusd.pid" main: user = "root" main: group = "root" main: usercollide = no main: lower_user = "no" main: lower_pass = "no" main: nospace_user = "no" main: nospace_pass = "no" main: checkrad = "/usr/local/sbin/checkrad" main: proxy_requests = yes proxy: retry_delay = 5 proxy: retry_count = 3 proxy: synchronous = no proxy: default_fallback = yes proxy: dead_time = 120 proxy: post_proxy_authorize = yes proxy: wake_all_if_all_dead = no security: max_attributes = 200 security: reject_delay = 1 security: status_server = no main: debug_level = 0 read_config_files: reading dictionary read_config_files: reading naslist Using deprecated naslist file. Support for this will go away soon. read_config_files: reading clients read_config_files: reading realms radiusd: entering modules setup Module: Library search path is /usr/local/lib Module: Loaded MS-CHAP mschap: use_mppe = yes mschap: require_encryption = yes mschap: require_strong = yes mschap: with_ntdomain_hack = no mschap: passwd = "(null)" mschap: authtype = "MS-CHAPv2" mschap: ntlm_auth = "(null)" Module: Instantiated mschap (mschap) Module: Loaded eap eap: default_eap_type = "tls" eap: timer_expire = 60 eap: ignore_unknown_eap_types = no eap: cisco_accounting_username_bug = no tls: rsa_key_exchange = no tls: dh_key_exchange = yes tls: rsa_key_length = 512 tls: dh_key_length = 512 tls: verify_depth = 0 tls: CA_path = "(null)" tls: pem_file_type = yes tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem" tls: CA_file = "/usr/local/etc/raddb/certs/root.pem" tls: private_key_password = "whatever" tls: dh_file = "/usr/local/etc/raddb/certs/dh" tls: random_file = "/usr/local/etc/raddb/certs/random" tls: fragment_size = 1024 tls: include_length = yes tls: check_crl = no tls: check_cert_cn = "(null)" rlm_eap: Loaded and initialized type tls mschapv2: with_ntdomain_hack = no rlm_eap: Loaded and initialized type mschapv2 Module: Instantiated eap (eap) Module: Loaded preprocess preprocess: huntgroups = "/usr/local/etc/raddb/huntgroups" preprocess: hints = "/usr/local/etc/raddb/hints" preprocess: with_ascend_hack = no preprocess: ascend_channels_per_line = 23 preprocess: with_ntdomain_hack = no preprocess: with_specialix_jetstream_hack = no preprocess: with_cisco_vsa_hack = no Module: Instantiated preprocess (preprocess) Module: Loaded detail detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (auth_log) Module: Loaded realm realm: format = "suffix" realm: delimiter = "@" realm: ignore_default = yes realm: ignore_null = no Module: Instantiated realm (suffix) Module: Loaded files files: usersfile = "/usr/local/etc/raddb/users" files: acctusersfile = "/usr/local/etc/raddb/acct_users" files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" files: compat = "no" Module: Instantiated files (files) Module: Loaded Acct-Unique-Session-Id acct_unique: key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" Module: Instantiated acct_unique (acct_unique) detail: detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (detail) Module: Loaded System unix: cache = no unix: passwd = "/etc/passwd" unix: shadow = "/etc/shadow" unix: group = "/etc/group" unix: radwtmp = "/usr/local/var/log/radius/radwtmp" unix: usegroup = no unix: cache_reload = 600 Module: Instantiated unix (unix) Module: Loaded radutmp radutmp: filename = "/usr/local/var/log/radius/radutmp" radutmp: username = "%{User-Name}" radutmp: case_sensitive = yes radutmp: check_with_nas = yes radutmp: perm = 384 radutmp: callerid = yes Module: Instantiated radutmp (radutmp) detail: detailfile = "%A/%{Client-IP-Address}/detail" detail: detailperm = 384 detail: dirperm = 493 detail: locking = no Module: Instantiated detail (reply_log) Listening on authentication *:1812 Listening on accounting *:1813 Listening on proxy *:1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.1:2048, id=0, length=129 User-Name = "testUser" NAS-IP-Address = 192.168.1.1 Called-Station-Id = "0011d82469aa" Calling-Station-Id = "0012f0947701" NAS-Identifier = "0011d82469aa" NAS-Port = 34 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000d017465737455736572 Message-Authenticator = 0x0a886b447e7581235a7974ecabcc0d92 ------------------ snip ---------------------------------------------------- modcall: group post-auth returns ok for request 6 Sending Access-Accept of id 0 to 192.168.1.1:2048 Session-Timeout := 900 MS-MPPE-Recv-Key = 0xb6eed12463e0d9089d372359a2ee586ef35c93293d0579ab053fe2fd617b8353 MS-MPPE-Send-Key = 0x79ae9d4df30ea49dbc6fe5884a20da515fd6b23b2cc9f0cfd44503e0fc2e6c9b EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testUser" Finished request 6 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 6 ID 0 with timestamp 43323914 Nothing to do. Sleeping until we see a request. ---------------------------------------------------------------------------------- Full radiusd result message is this ( http://jhpark.guideline.co.kr/project/mds/freeradius/radiusd.result Why i can't connect any other host after finishing EAP-TLS authenticaiton procedure ? and someone please explain to me why xsupplicant prints driver warning message previously Thanks ! --- http://jhpark.guideline.co.kr private mail : linuxpark@kernelproject.org