RE: TLS/wired fail
娟 严
iamyanjuan at yahoo.com.cn
Wed Jun 4 05:06:16 CEST 2008
Hi, all!
I'd like to add some info about this issue. TLS/wired fails, but MD5/wired succeeds.
It's OK when I use an AP instead of the switch to authenticate EAP/TLS and EAP/TTLS with the same FreeRADIUS.
Is it a problem with the switch or a problem with RADIUS?
I think it's a problem with the RADIUS server, because MD5 can authenticate successfully,
which means 802.1X works properly on the switch. So how do I configure FreeRADIUS for wired authentication?
I don't use SQL; I just add some items at the end of the users file, like this:
switch_client Cleartext-Password := "whatever"
####################################
Hi, all!
My FreeRADIUS version is v2.0.2, and I use a Cisco 2950 switch as the Authenticator; the packet sent by the server misses the EAP-TLS fragments (the server sent a packet which misses the Server Hello and cipher suite messages after receiving a Client Hello packet). I don't know what the problem is. Can anybody help me?
Here are the packets; the IP of the RADIUS server is 192.168.0.197, and the IP of the switch is 192.168.0.123.
No. Time Source Destination Protocol Info
63 89.556162 192.168.0.123 192.168.0.197 RADIUS Access-Request(1) (id=3, l=116)
Frame 63 (158 bytes on wire, 158 bytes captured)
Arrival Time: Jun 3, 2008 08:32:22.456040000
[Time delta from previous captured frame: 1.228814000 seconds]
[Time delta from previous displayed frame: 89.556162000 seconds]
[Time since reference or first frame: 89.556162000 seconds]
Frame Number: 63
Frame Length: 158 bytes
Capture Length: 158 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius:eap]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Cisco_44:1b:40 (00:0a:8a:44:1b:40), Dst: Micro-St_89:79:21 (00:19:db:89:79:21)
Destination: Micro-St_89:79:21 (00:19:db:89:79:21)
Address: Micro-St_89:79:21 (00:19:db:89:79:21)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.123 (192.168.0.123), Dst: 192.168.0.197 (192.168.0.197)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 144
Identification: 0x0003 (3)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (0x11)
Header checksum: 0x38c9 [correct]
[Good: True]
[Bad : False]
Source: 192.168.0.123 (192.168.0.123)
Destination: 192.168.0.197 (192.168.0.197)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
Source port: radius (1812)
Destination port: radius (1812)
Length: 124
Checksum: 0x12c3 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x3 (3)
Length: 116
Authenticator: FE6787CBF64C4301CBAD5355610B9634
Attribute Value Pairs
AVP: l=6 t=NAS-IP-Address(4): 192.168.0.123
NAS-IP-Address: 192.168.0.123 (192.168.0.123)
AVP: l=6 t=NAS-Port(5): 50003
NAS-Port: 50003
AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
NAS-Port-Type: Ethernet (15)
AVP: l=15 t=User-Name(1): switch_client
User-Name: switch_client
AVP: l=19 t=Calling-Station-Id(31): 00-C0-02-2B-D6-04
Calling-Station-Id: 00-C0-02-2B-D6-04
AVP: l=6 t=Service-Type(6): Framed-User(2)
Service-Type: Framed-User (2)
AVP: l=20 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 18
Type: Identity [RFC3748] (1)
Identity (13 bytes): switch_client
AVP: l=18 t=Message-Authenticator(80): 1C066799CF105346E40019AA2E291D22
Message-Authenticator: 1C066799CF105346E40019AA2E291D22
No. Time Source Destination Protocol Info
66 89.572574 192.168.0.197 192.168.0.123 RADIUS Access-challenge(11) (id=3, l=64)
Frame 66 (106 bytes on wire, 106 bytes captured)
Arrival Time: Jun 3, 2008 08:32:22.472452000
[Time delta from previous captured frame: 0.000009000 seconds]
[Time delta from previous displayed frame: 0.016412000 seconds]
[Time since reference or first frame: 89.572574000 seconds]
Frame Number: 66
Frame Length: 106 bytes
Capture Length: 106 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius:eap]
[Coloring Rule Name: Checksum Errors]
[Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
Ethernet II, Src: Micro-St_89:79:21 (00:19:db:89:79:21), Dst: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
Destination: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Micro-St_89:79:21 (00:19:db:89:79:21)
Address: Micro-St_89:79:21 (00:19:db:89:79:21)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.123 (192.168.0.123)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 92
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xb800 [correct]
[Good: True]
[Bad : False]
Source: 192.168.0.197 (192.168.0.197)
Destination: 192.168.0.123 (192.168.0.123)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
Source port: radius (1812)
Destination port: radius (1812)
Length: 72
Checksum: 0x82ea [incorrect, should be 0xa1e2 (maybe caused by "UDP checksum offload"?)]
[Good Checksum: False]
[Bad Checksum: True]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x3 (3)
Length: 64
Authenticator: D2EF3D5B79C3B1A4742E4A8C5FB00BD0
Attribute Value Pairs
AVP: l=8 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 3
Length: 6
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x20): Start
AVP: l=18 t=Message-Authenticator(80): A58A6FE1C598F8E9A979BABECD78BF65
Message-Authenticator: A58A6FE1C598F8E9A979BABECD78BF65
AVP: l=18 t=State(24): 6B1410EF6B171D4FB7BBF03DE9D33AFE
State: 6B1410EF6B171D4FB7BBF03DE9D33AFE
No. Time Source Destination Protocol Info
67 89.681078 192.168.0.123 192.168.0.197 RADIUS Access-Request(1) (id=4, l=224)
Frame 67 (266 bytes on wire, 266 bytes captured)
Arrival Time: Jun 3, 2008 08:32:22.580956000
[Time delta from previous captured frame: 0.108504000 seconds]
[Time delta from previous displayed frame: 0.108504000 seconds]
[Time since reference or first frame: 89.681078000 seconds]
Frame Number: 67
Frame Length: 266 bytes
Capture Length: 266 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius:eap:ssl]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: Cisco_44:1b:40 (00:0a:8a:44:1b:40), Dst: Micro-St_89:79:21 (00:19:db:89:79:21)
Destination: Micro-St_89:79:21 (00:19:db:89:79:21)
Address: Micro-St_89:79:21 (00:19:db:89:79:21)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.123 (192.168.0.123), Dst: 192.168.0.197 (192.168.0.197)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 252
Identification: 0x0004 (4)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: UDP (0x11)
Header checksum: 0x385c [correct]
[Good: True]
[Bad : False]
Source: 192.168.0.123 (192.168.0.123)
Destination: 192.168.0.197 (192.168.0.197)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
Source port: radius (1812)
Destination port: radius (1812)
Length: 232
Checksum: 0x6329 [correct]
[Good Checksum: True]
[Bad Checksum: False]
Radius Protocol
Code: Access-Request (1)
Packet identifier: 0x4 (4)
Length: 224
Authenticator: E1D8149F5F84CF6AB2EF07BC7AB683F2
Attribute Value Pairs
AVP: l=6 t=NAS-IP-Address(4): 192.168.0.123
NAS-IP-Address: 192.168.0.123 (192.168.0.123)
AVP: l=6 t=NAS-Port(5): 50003
NAS-Port: 50003
AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
NAS-Port-Type: Ethernet (15)
AVP: l=15 t=User-Name(1): switch_client
User-Name: switch_client
AVP: l=19 t=Calling-Station-Id(31): 00-C0-02-2B-D6-04
Calling-Station-Id: 00-C0-02-2B-D6-04
AVP: l=6 t=Service-Type(6): Framed-User(2)
Service-Type: Framed-User (2)
AVP: l=18 t=State(24): 6B1410EF6B171D4FB7BBF03DE9D33AFE
State: 6B1410EF6B171D4FB7BBF03DE9D33AFE
AVP: l=110 t=EAP-Message(79) Last Segment[1]
EAP fragment
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 108
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x0):
Secure Socket Layer
SSL Record Layer: Handshake Protocol: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 97
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 93
Version: TLS 1.0 (0x0301)
Random
gmt_unix_time: Jun 3, 2008 00:35:22.000000000
random_bytes: 38DD0828D867BEEFB4B298B72518C35459979BC7ED92A0D7...
Session ID Length: 0
Cipher Suites Length: 54
Cipher Suites (27 suites)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 (0x0061)
Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)
Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
AVP: l=18 t=Message-Authenticator(80): 4A1E0B1F9718533C8A225B0FC8EBB617
Message-Authenticator: 4A1E0B1F9718533C8A225B0FC8EBB617
No. Time Source Destination Protocol Info
68 89.725405 192.168.0.197 192.168.0.123 RADIUS Access-challenge(11) (id=4, l=1090)
Frame 68 (1132 bytes on wire, 1132 bytes captured)
Arrival Time: Jun 3, 2008 08:32:22.625283000
[Time delta from previous captured frame: 0.044327000 seconds]
[Time delta from previous displayed frame: 0.044327000 seconds]
[Time since reference or first frame: 89.725405000 seconds]
Frame Number: 68
Frame Length: 1132 bytes
Capture Length: 1132 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:radius:eap]
[Coloring Rule Name: Checksum Errors]
[Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
Ethernet II, Src: Micro-St_89:79:21 (00:19:db:89:79:21), Dst: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
Destination: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Micro-St_89:79:21 (00:19:db:89:79:21)
Address: Micro-St_89:79:21 (00:19:db:89:79:21)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.123 (192.168.0.123)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1118
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xb3fe [correct]
[Good: True]
[Bad : False]
Source: 192.168.0.197 (192.168.0.197)
Destination: 192.168.0.123 (192.168.0.123)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
Source port: radius (1812)
Destination port: radius (1812)
Length: 1098
Checksum: 0x86ec [incorrect, should be 0x7116 (maybe caused by "UDP checksum offload"?)]
[Good Checksum: False]
[Bad Checksum: True]
Radius Protocol
Code: Access-challenge (11)
Packet identifier: 0x4 (4)
Length: 1090
Authenticator: BFFB901870A6B7784BF8FC427088FD1F
Attribute Value Pairs
AVP: l=255 t=EAP-Message(79) Segment[1]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[2]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[3]
EAP fragment
AVP: l=255 t=EAP-Message(79) Segment[4]
EAP fragment
AVP: l=14 t=EAP-Message(79) Last Segment[5]
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1024
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0xC0): Length More
Length: 2669
AVP: l=18 t=Message-Authenticator(80): F7F26F81A3C0666CA9725E9E0C46907C
Message-Authenticator: F7F26F81A3C0666CA9725E9E0C46907C
AVP: l=18 t=State(24): 6B1410EF6A101D4FB7BBF03DE9D33AFE
State: 6B1410EF6A101D4FB7BBF03DE9D33AFE
back at one....
________________________________
Yahoo Mail, your lifelong mailbox!
http://cn.mail.yahoo.com/
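The Access-Challenge in frame 68 above is worth reading byte by byte: Wireshark shows an EAP-TLS Request with Flags 0xC0 (Length and More), a TLS Message Length of 2669, an EAP Length of 1024, and the packet spread over five EAP-Message AVPs (four of l=255 and one of l=14). That is the RFC 2716/5216 fragmentation scheme, and Wireshark labels each piece "EAP fragment" until the last fragment (M flag clear) has arrived, so the TLS handshake inside cannot be dissected from a single fragment. The following is an added example, not code from the original post or from FreeRADIUS, that builds, fragments, carries and reassembles such a message so the header values in the capture can be checked. The 1024-byte EAP packet size, the filling of later fragments to the same size, and the 2669-byte payload (a constructed byte pattern standing in for the real server flight) are assumptions modelled on this capture; the 253-byte AVP payload limit comes from the RADIUS attribute format (RFC 2865/3579).

```python
"""Added example (not from the original post or FreeRADIUS): EAP-TLS fragmentation
and reassembly per RFC 2716/5216, carried in RADIUS EAP-Message AVPs (RFC 3579)."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included, More fragments, Start
RADIUS_ATTR_EAP_MESSAGE = 79
AVP_MAX_PAYLOAD = 253                        # AVP length byte <= 255, minus 2-byte header


def eap_tls_start(eap_id: int) -> bytes:
    """The 6-byte EAP-TLS Start request (Flags 0x20) seen in frame 66."""
    return struct.pack("!BBH", EAP_REQUEST, eap_id, 6) + bytes([EAP_TYPE_TLS, FLAG_S])


def eap_tls_ack(eap_id: int) -> bytes:
    """The empty EAP-TLS Response a supplicant sends to request the next fragment."""
    return struct.pack("!BBH", EAP_RESPONSE, eap_id, 6) + bytes([EAP_TYPE_TLS, 0x00])


def build_eap_tls_fragments(tls_message: bytes, first_id: int, max_eap_len: int = 1024):
    """Split one TLS flight into EAP-TLS Request packets of at most max_eap_len bytes.
    Assumption: every fragment is filled to max_eap_len (as the 1024-byte frame 68 suggests).
    Only the first fragment carries the 4-byte TLS Message Length (L flag);
    every fragment except the last sets the M flag."""
    packets, offset, eap_id = [], 0, first_id
    while True:
        first = offset == 0
        header_len = 6 + (4 if first else 0)          # code,id,len,type,flags[,tls_len]
        chunk = tls_message[offset:offset + max_eap_len - header_len]
        offset += len(chunk)
        flags = (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_message) else 0)
        body = bytes([EAP_TYPE_TLS, flags])
        if first:
            body += struct.pack("!I", len(tls_message))
        body += chunk
        packets.append(struct.pack("!BBH", EAP_REQUEST, eap_id, 4 + len(body)) + body)
        eap_id = (eap_id + 1) & 0xFF
        if offset >= len(tls_message):
            return packets


def parse_eap_tls(packet: bytes) -> dict:
    """Decode the fields Wireshark prints as Code/Id/Length/Type/Flags/Length."""
    code, eap_id, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"EAP length field {length} != packet size {len(packet)}")
    eap_type, flags = packet[4], packet[5]
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (type {eap_type})")
    info = {"code": code, "id": eap_id, "length": length, "flags": flags,
            "L": bool(flags & FLAG_L), "M": bool(flags & FLAG_M), "S": bool(flags & FLAG_S)}
    pos = 6
    if info["L"]:
        info["tls_length"] = struct.unpack("!I", packet[6:10])[0]
        pos = 10
    info["data"] = packet[pos:]
    return info


class EapTlsReassembler:
    """Accumulates fragments; returns the whole TLS flight once a fragment without M arrives."""
    def __init__(self):
        self.expected, self.buf = None, bytearray()

    def feed(self, packet: bytes):
        info = parse_eap_tls(packet)
        if info["L"]:
            if self.buf:
                raise ValueError("L flag on a non-first fragment")
            self.expected = info["tls_length"]
        self.buf += info["data"]
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("fragments exceed the announced TLS length")
        if info["M"]:
            return None                      # caller answers with eap_tls_ack()
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("last fragment received but total length mismatches")
        out, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return out


def to_eap_message_avps(eap_packet: bytes) -> list:
    """Carry one EAP packet in as many RADIUS EAP-Message AVPs as needed."""
    return [bytes([RADIUS_ATTR_EAP_MESSAGE, 2 + len(eap_packet[i:i + AVP_MAX_PAYLOAD])])
            + eap_packet[i:i + AVP_MAX_PAYLOAD]
            for i in range(0, len(eap_packet), AVP_MAX_PAYLOAD)]


def from_eap_message_avps(avps: list) -> bytes:
    """Concatenate EAP-Message AVPs (in order) back into one EAP packet."""
    out = bytearray()
    for avp in avps:
        if avp[0] != RADIUS_ATTR_EAP_MESSAGE or avp[1] != len(avp):
            raise ValueError("malformed EAP-Message AVP")
        out += avp[2:]
    return bytes(out)


# Constructed stand-in for the server's first flight: 2669 bytes, the TLS length in frame 68.
SAMPLE_TLS_FLIGHT = bytes(range(256)) * 10 + bytes(109)


def demo() -> dict:
    """Fragment the sample flight, carry each fragment via AVPs, and reassemble it."""
    frags = build_eap_tls_fragments(SAMPLE_TLS_FLIGHT, first_id=4)
    reassembler, result = EapTlsReassembler(), None
    for frag in frags:
        result = reassembler.feed(from_eap_message_avps(to_eap_message_avps(frag)))
    return {"fragments": len(frags), "first": parse_eap_tls(frags[0]),
            "avp_lengths": [a[1] for a in to_eap_message_avps(frags[0])],
            "reassembled_ok": result == SAMPLE_TLS_FLIGHT}


if __name__ == "__main__":
    d = demo()
    print(d["fragments"], hex(d["first"]["flags"]), d["first"]["tls_length"], d["avp_lengths"])
```

Running `demo()` reproduces the numbers in frame 68: the first fragment is 1024 bytes with Flags 0xC0 and TLS Message Length 2669, and it is carried in AVPs of length 255, 255, 255, 255 and 14. With a 2669-byte flight that makes three EAP Requests, each of which the supplicant must acknowledge with an empty EAP-TLS Response before the next one is sent, which is why a capture that stops after the first Access-Challenge never shows a decoded Server Hello.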