Problem connecting Client to dot1x-Network over Cisco AP
Habegger Lukas, ERZ-AZD-AIL
lukas.habegger at erz.be.ch
Wed Nov 1 17:22:16 CET 2006
Hi,
I try to connect a wireless client (WinXP) to my dot1x-Network over a
Cisco AP 1242AG.
On my FreeRADIUS I get the following error:
-------------------------------------------------------------
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authorize]: calling eap
(rlm_eap) for request 5
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: EAP packet type response id
3 length 13
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: No EAP Start, assuming it's
an on-going EAP conversation
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authorize]: returned from
eap (rlm_eap) for request 5
Wed Nov 1 14:59:08 2006 : Debug: modcall[authorize]: module "eap"
returns updated for request 5
Wed Nov 1 14:59:08 2006 : Debug: modcall: leaving group authorize
(returns updated) for request 5
Wed Nov 1 14:59:08 2006 : Debug: rad_check_password: Found Auth-Type
EAP
Wed Nov 1 14:59:08 2006 : Debug: auth: type "EAP"
Wed Nov 1 14:59:08 2006 : Debug: Processing the authenticate section
of radiusd.conf
Wed Nov 1 14:59:08 2006 : Debug: modcall: entering group authenticate
for request 5
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authenticate]: calling eap
(rlm_eap) for request 5
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: Request found, released
from the list
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: EAP/peap
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: processing type peap
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_peap: Authenticate
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_tls: processing TLS
Wed Nov 1 14:59:08 2006 : Debug: eaptls_verify returned 7
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_tls: Done initial handshake
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal bad_certificate
Wed Nov 1 14:59:08 2006 : Error: TLS Alert read:fatal:bad certificate
Wed Nov 1 14:59:08 2006 : Error: TLS_accept:failed in SSLv3 read
client certificate A
Wed Nov 1 14:59:08 2006 : Error: rlm_eap: SSL error error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Wed Nov 1 14:59:08 2006 : Error: rlm_eap_tls: SSL_read failed inside of
TLS (-1), TLS session fails.
Wed Nov 1 14:59:08 2006 : Debug: In SSL Handshake Phase
Wed Nov 1 14:59:08 2006 : Debug: In SSL Accept mode
Wed Nov 1 14:59:08 2006 : Error: rlm_eap: SSL error error:140940E5:SSL
routines:SSL3_READ_BYTES:ssl handshake failure
Wed Nov 1 14:59:08 2006 : Error: rlm_eap_tls: BIO_read failed in a
system call (-1), TLS session fails.
Wed Nov 1 14:59:08 2006 : Debug: eaptls_process returned 13
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_peap: EAPTLS_HANDLED
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: Freeing handler
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authenticate]: returned
from eap (rlm_eap) for request 5
....
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authorize]: calling eap
(rlm_eap) for request 5
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: EAP packet type response id
3 length 13
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: No EAP Start, assuming it's
an on-going EAP conversation
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authorize]: returned from
eap (rlm_eap) for request 5
Wed Nov 1 14:59:08 2006 : Debug: modcall[authorize]: module "eap"
returns updated for request 5
Wed Nov 1 14:59:08 2006 : Debug: modcall: leaving group authorize
(returns updated) for request 5
Wed Nov 1 14:59:08 2006 : Debug: rad_check_password: Found Auth-Type
EAP
Wed Nov 1 14:59:08 2006 : Debug: auth: type "EAP"
Wed Nov 1 14:59:08 2006 : Debug: Processing the authenticate section
of radiusd.conf
Wed Nov 1 14:59:08 2006 : Debug: modcall: entering group authenticate
for request 5
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authenticate]: calling eap
(rlm_eap) for request 5
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: Request not found in the
list
Wed Nov 1 14:59:08 2006 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: Failed in handler
Wed Nov 1 14:59:08 2006 : Debug: modsingle[authenticate]: returned
from eap (rlm_eap) for request 5
-------------------------------------------------------------
The AP configuration looks like this:
-------------------------------------------------------------
aaa group server radius rad_eap
 server 10.0.0.10 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius enable
aaa authentication login eap_methods group rad_eap
aaa session-id common
dot11 ssid LAN
 vlan 102
 authentication open eap eap_methods
 authentication network-eap eap_methods
 authentication key-management wpa
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 102 mode ciphers tkip
 !
 broadcast-key vlan 102 change 3600
 !
 ssid LAN-Teacher
-------------------------------------------------------------
I use FreeRADIUS 1.1.2.
With my wired clients I don't have any problems, and the same setup
runs with a Cisco ACS.
Does anyone have any suggestions?
Lukas
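
Added example (not part of the original post and not FreeRADIUS code): a small Python triage of the debug output above. It re-joins the mail-wrapped log lines and reports which side sent each TLS alert; in this log format "<<<" marks a TLS record the server read from the peer, so the fatal bad_certificate alert in this trace came from the supplicant. The function names and the excerpt used as input are constructed for illustration.

```python
import re

# Constructed sample: lines copied from the debug output in the post above,
# still hard-wrapped the way the mail client wrapped them.
SAMPLE = """\
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_tls: Done initial handshake
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap_tls: <<< TLS 1.0 Alert
[length 0002], fatal bad_certificate
Wed Nov 1 14:59:08 2006 : Error: TLS Alert read:fatal:bad certificate
Wed Nov 1 14:59:08 2006 : Error: rlm_eap: SSL error error:14094412:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: Freeing handler
Wed Nov 1 14:59:08 2006 : Debug: rlm_eap: Request not found in the
list
Wed Nov 1 14:59:08 2006 : Error: rlm_eap: Either EAP-request timed out
OR EAP-response to an unknown EAP-request
"""

STAMP = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} : (Debug|Error|Info): ")
ALERT = re.compile(r"(<<<|>>>) TLS [\d.]+ Alert \[length \w+\], (\w+) (\w+)")

def unwrap(text):
    """Re-join continuation lines: a record starts only at a timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Return findings as (kind, detail) tuples, in log order."""
    findings = []
    for rec in unwrap(text):
        m = ALERT.search(rec)
        if m:
            arrow, level, desc = m.groups()
            # "<<<" = record read from the peer, ">>>" = record written by the server
            sender = "supplicant" if arrow == "<<<" else "server"
            findings.append(("tls_alert", f"{level} {desc} sent by {sender}"))
        elif "Request not found in the list" in rec:
            findings.append(("orphan_eap_response", "no matching EAP session"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind}: {detail}")
```

The second finding corresponds to the later "Request not found in the list" entry: an EAP response that arrived after the handler for the failed TLS session had been freed.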