Problem with SMC Access Point in Client Mode using EAP-TLS and Freeradius-2.1.1
Hello, I'm running a Freeradius-Server 2.1.1 on my SuSE Linux 11.0 Box to control the access to my WLAN using EAP-TLS. This works fine with my notebook. But now I have bought a SMC EZ Connect N Pro Access Point which I have configured as a WLAN client using EAP-TLS too. When this WLAN client tries to authenticate itself at the Freeradius Server the authentication fails and I get the message rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request in the Freeradius log file. Can someone please tell me what's going wrong there? Any help is appreciated. Here is the output of radiusd -X when an authentication request of the SMC access point comes in: rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=125 User-Name = "harald" NAS-IP-Address = 192.168.254.1 Called-Station-Id = "0014bf3bcd8a" Calling-Station-Id = "0013f7ca60de" NAS-Identifier = "0014bf3bcd8a" NAS-Port = 52 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0200000b01686172616c64 Message-Authenticator = 0x543152e558b443afb9430d9fd02aa75f +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "harald", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 11 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry harald at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.254.1 port 1024 EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7139c4e57138c9bf5d9926d441f8680e Finished request 6. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200 Cleaning up request 6 ID 1 with timestamp +1123 User-Name = "harald" NAS-IP-Address = 192.168.254.1 Called-Station-Id = "0014bf3bcd8a" Calling-Station-Id = "0013f7ca60de" NAS-Identifier = "0014bf3bcd8a" NAS-Port = 52 Framed-MTU = 1400 State = 0x7139c4e57138c9bf5d9926d441f8680e NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020100440d800000003a160301003501000031030163c2a49b798675d7c211a92ace77bde2102205aefca9044d7fc1ab18323a627d00000a0035002f000a000400050100 Message-Authenticator = 0x2f0e13f531634f6696098de4ecf6dfca +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "harald", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry harald at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 58 [tls] Length Included [tls] eaptls_verify returned 11 [tls] (other): before/accept initialization [tls] TLS_accept: before/accept initialization [tls] <<< TLS 1.0 Handshake [length 0035], ClientHello [tls] TLS_accept: SSLv3 read client hello A [tls] >>> TLS 1.0 Handshake [length 002a], ServerHello [tls] TLS_accept: SSLv3 write server hello A [tls] >>> TLS 1.0 Handshake [length 05fb], Certificate [tls] TLS_accept: SSLv3 write certificate A [tls] >>> TLS 1.0 Handshake [length 0091], CertificateRequest [tls] TLS_accept: SSLv3 write certificate request A [tls] TLS_accept: SSLv3 flush data [tls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.254.1 port 1024 EAP-Message = 0x010204000dc0000006c5160301002a020000260301492dce64477d25af22eea4fd4d959b5969a18f53653bebd1acb9136964e5a0bc0000350016030105fb0b0005f70005f400028730820283308201eca003020102020108300d06092a864886f70d0101050500307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574301e170d3037313232313233333730385a170d3039 EAP-Message = 0x313232303233333730385a3077310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733111300f06035504031308626c697a7a6172643119301706092a864886f70d010901160a684072616c642e6e657430819f300d06092a864886f70d010101050003818d0030818902818100a4c3faac47f1cebf599f6433f5e6c1e3bcaae35f0f331376a4dd97f5127dfeb6a49b58ebd7ce517ec260fa6d3e6774e11a02a9a2dee2f82f4eefca6dc4f72e2945667a4f1ea3842ac99edd33bf4be8d5fe8f54ef901c397844b57f8d EAP-Message = 0xa9ddfe26d6b22420136a7daa27b3ba904b4c27ff1164155068385e76e09319fcea07c24f0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d010105050003818100591a7cda98a98824bba908f67ecba91fa8c5b108effe7368313a5b7f89ba4246bebd69e51249844ebe9b9dc16f22c3a4bef4441465a7e4b800adf3318ee23ed6cf924388f6a78675eaf3f92a899aedfa43b186630e4155758559562a52141587d709e71333a8b4be631a35b0d498afcda15c4213454ce3688fbbc46378bd404000036730820363308202cca003020102020900dfcd0dfb0e951628300d06092a864886f70d010104 EAP-Message = 0x0500307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574301e170d3035313231373139333235365a170d3135313231353139333235365a307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b73311930170603550403131048617261 EAP-Message = 0x6c6420536368726569626572 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7139c4e5703bc9bf5d9926d441f8680e Finished request 7. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=138 Cleaning up request 7 ID 1 with timestamp +1123 User-Name = "harald" NAS-IP-Address = 192.168.254.1 Called-Station-Id = "0014bf3bcd8a" Calling-Station-Id = "0013f7ca60de" NAS-Identifier = "0014bf3bcd8a" NAS-Port = 52 Framed-MTU = 1400 State = 0x7139c4e5703bc9bf5d9926d441f8680e NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200060d00 Message-Authenticator = 0x45eb23701fb6bcbe430512689ce99aa1 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "harald", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry harald at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake fragment handler [tls] eaptls_verify returned 1 [tls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.254.1 port 1024 EAP-Message = 0x010302d90d80000006c53119301706092a864886f70d010901160a684072616c642e6e657430819f300d06092a864886f70d010101050003818d0030818902818100c230fad1501053fa9d4e7af119979d2dabfca054a985830d0da415d7001fd0af897687fad6adcb26fb06a2137c24dcb52a27df6ffc9281aa40d7f525d8669d51794486ff24b46565428842de83512f0a4005bf707854d5a1df8b7dd901bbb4ef7997927cbe5a797da4c670e8ebd4162699c5b83dfd45a4fcc00c7aea5bb0eb710203010001a381e63081e3301d0603551d0e041604142eb59a09ae8a1fe82961d44d33dc1d90652f489d3081b30603551d230481ab3081a880142e EAP-Message = 0xb59a09ae8a1fe82961d44d33dc1d90652f489da18184a48181307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574820900dfcd0dfb0e951628300c0603551d13040530030101ff300d06092a864886f70d0101040500038181000b7e2f9395ee1fee0e969c5d0982887d5832a4acaa7961228c0a5a654d7122070c751c00b23ca4f31b7487ac91235e462c15ca909fc0ab EAP-Message = 0xd786ca2d48078d6c34c45666ae966c4b8d52806adc07f6a25cf7e72f6a953f1e40046d8934b0b2a074f158d9c85f0025c21fac551f8659ec8d254744d5927662dec81eb10d102f0c0a16030100910d0000890301024000830081307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e65740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7139c4e5733ac9bf5d9926d441f8680e Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 8 ID 1 with timestamp +1123 Ready to process requests. rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200 User-Name = "harald" NAS-IP-Address = 192.168.254.1 Called-Station-Id = "0014bf3bcd8a" Calling-Station-Id = "0013f7ca60de" NAS-Identifier = "0014bf3bcd8a" NAS-Port = 52 Framed-MTU = 1400 State = 0x7139c4e5733ac9bf5d9926d441f8680e NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200440d800000003a160301003501000031030163c2a49b798675d7c211a92ace77bde2102205aefca9044d7fc1ab18323a627d00000a0035002f000a000400050100 Message-Authenticator = 0x25fd4ab36c6ba9a789644e5a77225539 +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = "harald", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 68 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound [files] users: Matched entry harald at line 2 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP +- entering group authenticate {...} rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request [eap] Failed in handler ++[eap] returns invalid Failed to authenticate the user. Login incorrect: [harald/<via Auth-Type = EAP>] (from client blizzard port 52 cli 0013f7ca60de) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> harald attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 9 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 9 Sending Access-Reject of id 1 to 192.168.254.1 port 1024 Waking up in 4.9 seconds. Cleaning up request 9 ID 1 with timestamp +1131 Ready to process requests.
Harald Schreiber wrote:
I'm running a Freeradius-Server 2.1.1 on my SuSE Linux 11.0 Box to control the access to my WLAN using EAP-TLS. This works fine with my notebook. But now I have bought a SMC EZ Connect N Pro Access Point which I have configured as a WLAN client using EAP-TLS too. When this WLAN client tries to authenticate itself at the Freeradius Server the authentication fails and I get the message
Because the AP delays packets for quite a while: ...
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024 EAP-Message = 0x010302d90d80000006c53119301706092a864886f70d010901160a684072616c642e6e657430819f300d06092a864886f70d010101050003818d0030818902818100c230fad1501053fa9d4e7af119979d2dabfca054a985830d0da415d7001fd0af897687fad6adcb26fb06a2137c24dcb52a27df6ffc9281aa40d7f525d8669d51794486ff24b46565428842de83512f0a4005bf707854d5a1df8b7dd901bbb4ef7997927cbe5a797da4c670e8ebd4162699c5b83dfd45a4fcc00c7aea5bb0eb710203010001a381e63081e3301d0603551d0e041604142eb59a09ae8a1fe82961d44d33dc1d90652f489d3081b30603551d230481ab3081a880142e EAP-Message = 0xb59a09ae8a1fe82961d44d33dc1d90652f489da18184a48181307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574820900dfcd0dfb0e951628300c0603551d13040530030101ff300d06092a864886f70d0101040500038181000b7e2f9395ee1fee0e969c5d0982887d5832a4acaa7961228c0a5a654d7122070c751c00b23ca4f31b7487ac91235e462c15ca909fc0ab EAP-Message = 0xd786ca2d48078d6c34c45666ae966c4b8d52806adc07f6a25cf7e72f6a953f1e40046d8934b0b2a074f158d9c85f0025c21fac551f8659ec8d254744d5927662dec81eb10d102f0c0a16030100910d0000890301024000830081307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e65740e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7139c4e5733ac9bf5d9926d441f8680e Finished request 8. Going to the next request Waking up in 4.9 seconds. Cleaning up request 8 ID 1 with timestamp +1123 Ready to process requests. rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
i.e. at LEAST 5 seconds after the previous packet in the EAP-TLS session.
State = 0x7139c4e5733ac9bf5d9926d441f8680e
Which is correct... but too late.
rlm_eap: No EAP session matching the State variable. [eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Because it arrived more than 5 seconds after the previous packet. The simplest way to solve the problem is to throw away the AP, and buy one that works. Or, call SMC, and ask then for technical support. The odds of them being able (or willing) to help you are pretty slim. Alan DeKok.
participants (2)
-
Alan DeKok -
Harald Schreiber