The EAP-TLS packet will contain more data than we can process
Hi, I'm setting up a Mikrotik wireless AP with a freeradius server behind it and EAP-TLS, client connects "fine" (those errors are meaningless, right? can I get rid of them?): Tue May 29 11:47:56 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Tue May 29 11:47:56 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 11:47:59 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 11:48:00 2007 : Auth: Login OK: [Jan Schermer/<no User-Password attribute>] (from client internal-rec port 0) but after a while, the connection is renegotiated (maybe because of weak signal), but then it starts failing: Tue May 29 12:01:12 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Tue May 29 12:01:12 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 12:01:16 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 12:01:16 2007 : Auth: Login OK: [Jan Schermer/<no User-Password attribute>] (from client internal-rec port 0) Tue May 29 12:01:41 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Tue May 29 12:01:41 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 12:02:42 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Tue May 29 12:02:42 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 12:02:44 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process. Tue May 29 12:02:44 2007 : Auth: Login incorrect: [Jan Schermer/<no User-Password attribute>] (from client internal-rec port 0) Tue May 29 12:02:53 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Tue May 29 12:02:53 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 12:02:55 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process. Tue May 29 12:02:55 2007 : Auth: Login incorrect: [Jan Schermer/<no User-Password attribute>] (from client internal-rec port 0) Tue May 29 12:03:08 2007 : Error: TLS_accept:error in SSLv3 read client certificate A Tue May 29 12:03:08 2007 : Error: rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0) Tue May 29 12:03:09 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process. Tue May 29 12:03:09 2007 : Auth: Login incorrect: [Jan Schermer/<no User-Password attribute>] (from client internal-rec port 0) What might be the cause of this? I suspect that Mikrotik corrupts the packets somehow... I'm using freeradius 1.1.3-3 (debian etch version with EAP-TLS enabled) Thanks -- Jan Schermer Linux Administrator ET NETERA | smart e-business solutions jan.schermer@etnetera.cz +420 608022225 ~ [ www.ahold.cz | www.annonce.cz | www.datart.cz ] [ www.knizniweb.cz | www.siemens.cz | www.cz.o2.com ] Created by ET NETERA | Powered by jNetPublish
Jan Schermer / ET NETERA wrote:
I'm setting up a Mikrotik wireless AP with a freeradius server behind it and EAP-TLS, client connects "fine" (those errors are meaningless, right? can I get rid of them?):
Upgrade to 1.1.6.
but after a while, the connection is renegotiated (maybe because of weak signal), but then it starts failing: ... Tue May 29 12:02:44 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
The supplicant is tunnelling additional data inside of EAP-TLS. FreeRADIUS doesn't support that. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
Hi, I'll give 2.0-pre1 a try, to see if it works. I will revert to 1.1.6 if needed.
The supplicant is tunnelling additional data inside of EAP-TLS. FreeRADIUS doesn't support that
Supplicant - do you mean Mikrotik AP or wpa_supplicant on the client? I'm not sure what exactly Mikrotik does with EAP-TLS (and there are several options - EAP-TLS or passthrough, and verify cert. x don't verify cert x no certificate) - I thought the AP doesn't care about certificates, only forwards it to the RADIUS service (I already set this up once on a different AP and it had no such options) Thanks Jan Alan Dekok wrote:
Jan Schermer / ET NETERA wrote:
I'm setting up a Mikrotik wireless AP with a freeradius server behind it and EAP-TLS, client connects "fine" (those errors are meaningless, right? can I get rid of them?):
Upgrade to 1.1.6.
but after a while, the connection is renegotiated (maybe because of weak signal), but then it starts failing: ... Tue May 29 12:02:44 2007 : Error: rlm_eap_tls: The EAP-TLS packet will contain more data than we can process.
The supplicant is tunnelling additional data inside of EAP-TLS. FreeRADIUS doesn't support that.
Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jan Schermer / ET NETERA wrote:
Supplicant - do you mean Mikrotik AP or wpa_supplicant on the client?
wpa_supplicant.
I'm not sure what exactly Mikrotik does with EAP-TLS (and there are several options - EAP-TLS or passthrough, and verify cert. x don't verify cert x no certificate)
AP's just pass EAP packets back and forth. They don't do much more.
- I thought the AP doesn't care about certificates, only forwards it to the RADIUS service (I already set this up once on a different AP and it had no such options)
Yes. The problem is on the supplicant side, not on the AP. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog
participants (2)
-
Alan Dekok -
Jan Schermer / ET NETERA