PEAP/MSCHAPv2 authentication problems

K. Hoercher wbhoer at
Wed Aug 23 12:59:01 CEST 2006

On 8/22/06, sheng <wushengws1001 at> wrote:

> There's a strange problem: each time the client send a request, the server
> tries to read the client certificate on the supplicant. I think it's very
> strange considering that no client certificate is needed for peap/mschapv2.
> This event is recorded in the handshake phase on the radius logfile(I've
> listed it in the below). It seems the handshake phase fails because the
> server cann't read the client certificate.
>     TLS_accept:error in SSLv3 read client certificate A
> rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
> In SSL Handshake Phase
> In SSL Accept mode
>   eaptls_process returned 13
>   rlm_eap_peap: EAPTLS_HANDLED


if you are referring to the quoted part, that' not a problem. Roughly
put: openssl just mentiones that it wasn't able to check the client
cert (which is possible, but unneeded for eap-peap).

> Finished request 3
> Going to the next request
> Waking up in 6 seconds...
> --- Walking the entire request list ---
> Cleaning up request 2 ID 19 with timestamp 44e9e42f
> Cleaning up request 3 ID 138 with timestamp 44e9e42f
> Nothing to do.  Sleeping until we see a request.
> rad_recv: Access-Request packet from host, id=137,
> length=249
>  Acct-Session-Id = "67671438"
>  NAS-Port = 1
>  NAS-Port-Type = Wireless-802.11
>  User-Name = "alcatel"
>  Calling-Station-Id = "00-0E-35-89-71-E0"
>  Called-Station-Id = "00-03-52-01-84-7D"
>  EAP-Message = 0x0280005019800000004616030100410100003d030144e9e54ee8bf5c390cecf9fa8b659b32ac0a7eb623919876fa26dd9dc220d75800001600040005000a000900640062000300060013001200630100
>  State = 0x091ad12235d4b0c91ca834c803d04ee0
> modcall: entering group authenticate for request 4
> rlm_eap: Request not found in the list
> rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
> EAP-request
> rlm_eap: Failed in handler

Which of the two cases mentioned in the debug output to your further
requests might be happening I'm not sure of. There seems to elapse
quite some time, before they come in after the challenge was sent out.
That looks curious.

As your included data got truncated on the list you might consider
resending it as attachment or use a pastebot and provide the link.

Maybe you could provide some sniffing on the wireless part (via
wireshark et al). That might be instructive in sorting out when who
did send what.

K. Hoercher
(Hopefully gmail really could not send this out, as it keept telling
me. Otherwise this must be the 5th reply, if so please excuse me.)

More information about the Freeradius-Users mailing list