hi everybody, i'm using debian sarge kernel 2.6.13, openssl 0.9.8a, hostapd 0.5.1, freeradius 1.0.5, madwifi-ng-r1406, i want to use eap-tls in my wlan and over my own ap over linux. so i can install and configure all programs (except hostapd, so instead compile myself i installed it from .deb format), now i have my certificates and programs running but when try to connect a windows client it always stops in this state: "Trying to authenticate", and any more happen. i generate certificates using winxp extensions and try to export and install them in winxp but always same behavior. clients cann't get ip direction, but before implementing this they could. here you have an extract from freeradius messages: --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 192.168.50.1:32771, id=14, length=250 User-Name = "Administrador" NAS-IP-Address = 192.168.50.1 NAS-Port = 0 Called-Station-Id = "00-0F-66-11-C1-97:WLAN1" Calling-Station-Id = "00-12-F0-BC-C1-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x021400500d800000004616030100410100003d03014403d116c1beab0d54a 903ac411f6de1bd9eaf339bf5ac89f9e0ff0a7410c68800001600040005000a0009006400620003000600 13001200630100 State = 0x6780e9b9e7fd2c531421b8437d11c9db Message-Authenticator = 0x11d975fb9373293a13b5a0b3ad2f6f1f Processing the authorize section of radiusd.conf modcall: entering group authorize for request 19 modcall[authorize]: module "preprocess" returns ok for request 19 modcall[authorize]: module "chap" returns noop for request 19 modcall[authorize]: module "mschap" returns noop for request 19 rlm_realm: No '@' in User-Name = "Administrador", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 19 rlm_eap: EAP packet type response id 20 length 80 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 19 users: Matched entry Administrador at line 97 modcall[authorize]: module "files" returns ok for request 19 modcall: group authorize returns updated for request 19 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 19 rlm_eap: Request found, released from the list rlm_eap: EAP/tls rlm_eap: processing type tls rlm_eap_tls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0041], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 025c], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0070], CertificateRequest TLS_accept: SSLv3 write certificate request A TLS_accept: SSLv3 flush data TLS_accept:error in SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 19 modcall: group authenticate returns handled for request 19 Sending Access-Challenge of id 14 to 192.168.50.1:32771 EAP-Message = 0x0115032f0d8000000325160301004a02000046030144038ac7e0a94b5017e c7050d18c3b7c7de8ae1b639249257f1753c48bc3ddee2014ad227cbde60e2c63a6cf9f2a85ae8ff8ba6a d0b3bca15b0ad6cc8e5e90703d000400160301025c0b0002580002550002523082024e308201b7a003020 102020428022006300d06092a864886f70d0101050500305f310b30090603550406130245433113301106 03550408130a4368696d626f72617a6f3111300f0603550407130852696f62616d6261310f300d0603550 40a13064553504f4348311730150603550403130e7777772e61706d6167612e636f6d301e170d30363032 32373135303735335a17 EAP-Message = 0x0d3037303232373135303735335a305f310b3009060355040613024543311 330110603550408130a4368696d626f72617a6f3111300f0603550407130852696f62616d6261310f300d 060355040a13064553504f4348311730150603550403130e7777772e61706d6167612e636f6d30819f300 d06092a864886f70d010101050003818d0030818902818100b94ddf014e77cbcc5b23133a98b77090353f 7b9fba6db33b2cd1510e8f8c8f533bcec923900dad61e3a0c02e04700c9c95856bdf7d559147a4afc8cb5 c38d410178d9552d322aedcce46483f7dd761e7583b1e6d075cd10727c0941416b9accb097baaec90b46c 04aef567ffd08c4acff6 EAP-Message = 0x88252d81a766ce4e63d9a21c774d970203010001a317301530130603551d2 5040c300a06082b06010505070301300d06092a864886f70d0101050500038181007f41e4ef50c1c77d45 0dee7b0b4372c3cb68163fec851512100ac72fc77d70a83fe87d93d1447842eb919bac6a0ad112b687550 ad520f50e4651cfde1246343e6f458a1501de2e4018dbfbb5658b9da522e6283e3d0ab083e8e344befc06 28d3ec0245dc672333ace70c8d44d0f1cfce9571c74a4ead43597c4567322e09954e16030100700d00006 802010200630061305f310b3009060355040613024543311330110603550408130a4368696d626f72617a 6f3111300f0603550407 EAP-Message = 0x130852696f62616d6261310f300d060355040a13064553504f43483117301 50603550403130e7777772e61706d6167612e636f6d0e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa544f4d0d0e97f26a36b397073d84dfc Finished request 19 and here is hostapd output: IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE ath0: RADIUS Received 68 bytes from RADIUS server ath0: RADIUS Received RADIUS message RADIUS message: code=11 (Access-Challenge) identifier=12 length=68 Attribute 79 (EAP-Message) length=12 Value: 01 12 00 0a 0d 80 00 00 00 00 Attribute 80 (Message-Authenticator) length=18 Value: 27 c2 5d 33 9e 5a 62 db bc 26 d5 c6 5c 7f 62 4c Attribute 24 (State) length=18 Value: 39 24 c3 3e ed 0b 61 bd c2 95 36 bc 86 1e 47 bc ath0: STA 00:12:f0:bc:c1:68 RADIUS: Received RADIUS packet matched with a pendin g request, round trip time 0.00 sec RADIUS packet matching with station 00:12:f0:bc:c1:68 ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: using EAP timeout of 30 seconds ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: decapsulated EAP packet (code=1 id=18 l en=10) from RADIUS server: EAP-Request-TLS (13) IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state REQUEST IEEE 802.1X: Sending EAP Packet to 00:12:f0:bc:c1:68 (identifier 18) TX EAPOL - hexdump(len=28): 00 12 f0 bc c1 68 00 0f 66 11 c1 97 88 8e 02 00 00 0 a 01 12 00 0a 0d 80 00 00 00 00 IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE ath0: RADIUS Next RADIUS client retransmit in 75 seconds IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 - aWhile --> 0 IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: EAP timeout IEEE 802.1X: 5 bytes from 00:12:f0:bc:c1:68 IEEE 802.1X: version=1 type=1 length=0 ignoring 1 extra octets after IEEE 802.1X packet ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: received EAPOL-Start from STA ath0: STA 00:12:f0:bc:c1:68 WPA: event 5 notification WPA: 00:12:f0:bc:c1:68 WPA_PTK entering state AUTHENTICATION2 IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state ABORTING IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state INITIALIZE ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: aborting authentication IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state RESTART IEEE 802.1X: station 00:12:f0:bc:c1:68 - new auth session, clearing State IEEE 802.1X: Generated EAP Request-Identity for 00:12:f0:bc:c1:68 (identifier 19 , timeout 30) IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state IDLE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state CONNECTING IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 AUTH_PAE entering state AUTHENTICATING IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state REQUEST IEEE 802.1X: Sending EAP Packet to 00:12:f0:bc:c1:68 (identifier 19) TX EAPOL - hexdump(len=36): 00 12 f0 bc c1 68 00 0f 66 11 c1 97 88 8e 02 00 00 1 2 01 13 00 12 01 68 65 6c 6c 6f 5f 63 6c 69 65 6e 74 73 IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 00:12:f0:bc:c1:68 REAUTH_TIMER entering state INITIALIZE IEEE 802.1X: 22 bytes from 00:12:f0:bc:c1:68 IEEE 802.1X: version=1 type=0 length=18 EAP: code=2 identifier=19 length=18 (response) ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: received EAP packet (code=2 id=19 len=1 8) from STA: EAP Response-Identity (1) ath0: STA 00:12:f0:bc:c1:68 IEEE 802.1X: STA identity 'Administrador' IEEE 802.1X: 00:12:f0:bc:c1:68 BE_AUTH entering state RESPONSE Encapsulating EAP message into a RADIUS packet ath0: RADIUS Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=13 length=170 Attribute 1 (User-Name) length=15 Value: 'Administrador' Attribute 4 (NAS-IP-Address) length=6 Value: 192.168.50.1 Attribute 5 (NAS-Port) length=6 Value: 0 Attribute 30 (Called-Station-Id) length=30 Value: '00-0F-66-11-C1-97:WLANESPOCH' Attribute 31 (Calling-Station-Id) length=19 Value: '00-12-F0-BC-C1-68' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=20 Value: 02 13 00 12 01 41 64 6d 69 6e 69 73 74 72 61 64 6f 72 Attribute 80 (Message-Authenticator) length=18 Value: 41 7b 75 d3 c0 21 4b 3e 18 3e 40 10 62 37 3c 9a ath0: RADIUS Next RADIUS client retransmit in 3 seconds so my questions are: 1) why client cann't authenticate to freeradius? maybe i'm missing any configuration or freeradius and hostapd aren't working well together? 2) as you can see in freeradius and hostapd output, they say: "CONNECT 11Mbps 802.11b", but my ap and clients are configured to work with 802.11g, why freeradius and hostapd detects 11b? 3) what does this mean: "TLS_accept:error in SSLv3 read client certificate A"? 4) is there any way i can test my certificates from freeradius?? any command? or may be install wpa-supplicant over my debian and test from there (authenticator and supplicant in same machine??). could any body try to help? i know these are many questions but i'm lost and don't know what to do. thanks in advance for your help and time. _________________________________________________________________ Charla con tus amigos en lĂnea mediante MSN Messenger: http://messenger.latam.msn.com/