RE: TLS/wired fail

娟 严 iamyanjuan at yahoo.com.cn
Wed Jun 4 05:06:16 CEST 2008


Hi, all!
    I'd like to add some info about this issue. TLS/wired fails, but MD5/wired succeeds.
    It's OK when I use an AP instead of the switch, authenticating EAP/TLS and EAP/TTLS with the same FreeRADIUS.
    Is it the problem of the switch or the problem of RADIUS?
    I think it's the problem of the RADIUS server, because MD5 can authenticate successfully,
    which means 802.1X works properly on the switch. So how do I configure FreeRADIUS for wired authentication?
    I don't use SQL; I just add some items at the end of the users file, like this:
   switch_client Cleartext-Password :="whatever"
####################################

Hi, all!
    My FreeRADIUS version is v2.0.2, and I use a Cisco 2950 switch as the authenticator. The packet sent by the server misses the EAP-TLS fragments (the server sent a packet which misses the Server Hello and cipher suite messages after it received a Client Hello packet). I don't know what the problem is. Can anybody help me?
Here are the packets. The IP of the RADIUS server is 192.168.0.197; the IP of the switch is 192.168.0.123.

No.     Time        Source                Destination           Protocol Info
     63 89.556162   192.168.0.123         192.168.0.197         RADIUS   Access-Request(1) (id=3, l=116)

Frame 63 (158 bytes on wire, 158 bytes captured)
    Arrival Time: Jun  3, 2008 08:32:22.456040000
    [Time delta from previous captured frame: 1.228814000 seconds]
    [Time delta from previous displayed frame: 89.556162000 seconds]
    [Time since reference or first frame: 89.556162000 seconds]
    Frame Number: 63
    Frame Length: 158 bytes
    Capture Length: 158 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:radius:eap]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_44:1b:40 (00:0a:8a:44:1b:40), Dst: Micro-St_89:79:21 (00:19:db:89:79:21)
    Destination: Micro-St_89:79:21 (00:19:db:89:79:21)
        Address: Micro-St_89:79:21 (00:19:db:89:79:21)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.123 (192.168.0.123), Dst: 192.168.0.197 (192.168.0.197)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 144
    Identification: 0x0003 (3)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x38c9 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.0.123 (192.168.0.123)
    Destination: 192.168.0.197 (192.168.0.197)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
    Source port: radius (1812)
    Destination port: radius (1812)
    Length: 124
    Checksum: 0x12c3 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x3 (3)
    Length: 116
    Authenticator: FE6787CBF64C4301CBAD5355610B9634
    Attribute Value Pairs
        AVP: l=6  t=NAS-IP-Address(4): 192.168.0.123
            NAS-IP-Address: 192.168.0.123 (192.168.0.123)
        AVP: l=6  t=NAS-Port(5): 50003
            NAS-Port: 50003
        AVP: l=6  t=NAS-Port-Type(61): Ethernet(15)
            NAS-Port-Type: Ethernet (15)
        AVP: l=15  t=User-Name(1): switch_client
            User-Name: switch_client
        AVP: l=19  t=Calling-Station-Id(31): 00-C0-02-2B-D6-04
            Calling-Station-Id: 00-C0-02-2B-D6-04
        AVP: l=6  t=Service-Type(6): Framed-User(2)
            Service-Type: Framed-User (2)
        AVP: l=20  t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 2
                Length: 18
                Type: Identity [RFC3748] (1)
                Identity (13 bytes): switch_client
        AVP: l=18  t=Message-Authenticator(80): 1C066799CF105346E40019AA2E291D22
            Message-Authenticator: 1C066799CF105346E40019AA2E291D22

No.     Time        Source                Destination           Protocol Info
     66 89.572574   192.168.0.197         192.168.0.123         RADIUS   Access-challenge(11) (id=3, l=64)

Frame 66 (106 bytes on wire, 106 bytes captured)
    Arrival Time: Jun  3, 2008 08:32:22.472452000
    [Time delta from previous captured frame: 0.000009000 seconds]
    [Time delta from previous displayed frame: 0.016412000 seconds]
    [Time since reference or first frame: 89.572574000 seconds]
    Frame Number: 66
    Frame Length: 106 bytes
    Capture Length: 106 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:radius:eap]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
Ethernet II, Src: Micro-St_89:79:21 (00:19:db:89:79:21), Dst: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
    Destination: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Micro-St_89:79:21 (00:19:db:89:79:21)
        Address: Micro-St_89:79:21 (00:19:db:89:79:21)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.123 (192.168.0.123)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 92
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xb800 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.0.197 (192.168.0.197)
    Destination: 192.168.0.123 (192.168.0.123)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
    Source port: radius (1812)
    Destination port: radius (1812)
    Length: 72
    Checksum: 0x82ea [incorrect, should be 0xa1e2 (maybe caused by "UDP checksum offload"?)]
        [Good Checksum: False]
        [Bad Checksum: True]
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x3 (3)
    Length: 64
    Authenticator: D2EF3D5B79C3B1A4742E4A8C5FB00BD0
    Attribute Value Pairs
        AVP: l=8  t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 3
                Length: 6
                Type: EAP-TLS [RFC2716] [Aboba] (13)
                Flags(0x20): Start 
        AVP: l=18  t=Message-Authenticator(80): A58A6FE1C598F8E9A979BABECD78BF65
            Message-Authenticator: A58A6FE1C598F8E9A979BABECD78BF65
        AVP: l=18  t=State(24): 6B1410EF6B171D4FB7BBF03DE9D33AFE
            State: 6B1410EF6B171D4FB7BBF03DE9D33AFE

No.     Time        Source                Destination           Protocol Info
     67 89.681078   192.168.0.123         192.168.0.197         RADIUS   Access-Request(1) (id=4, l=224)

Frame 67 (266 bytes on wire, 266 bytes captured)
    Arrival Time: Jun  3, 2008 08:32:22.580956000
    [Time delta from previous captured frame: 0.108504000 seconds]
    [Time delta from previous displayed frame: 0.108504000 seconds]
    [Time since reference or first frame: 89.681078000 seconds]
    Frame Number: 67
    Frame Length: 266 bytes
    Capture Length: 266 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:radius:eap:ssl]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Cisco_44:1b:40 (00:0a:8a:44:1b:40), Dst: Micro-St_89:79:21 (00:19:db:89:79:21)
    Destination: Micro-St_89:79:21 (00:19:db:89:79:21)
        Address: Micro-St_89:79:21 (00:19:db:89:79:21)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.123 (192.168.0.123), Dst: 192.168.0.197 (192.168.0.197)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 252
    Identification: 0x0004 (4)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0x385c [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.0.123 (192.168.0.123)
    Destination: 192.168.0.197 (192.168.0.197)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
    Source port: radius (1812)
    Destination port: radius (1812)
    Length: 232
    Checksum: 0x6329 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Radius Protocol
    Code: Access-Request (1)
    Packet identifier: 0x4 (4)
    Length: 224
    Authenticator: E1D8149F5F84CF6AB2EF07BC7AB683F2
    Attribute Value Pairs
        AVP: l=6  t=NAS-IP-Address(4): 192.168.0.123
            NAS-IP-Address: 192.168.0.123 (192.168.0.123)
        AVP: l=6  t=NAS-Port(5): 50003
            NAS-Port: 50003
        AVP: l=6  t=NAS-Port-Type(61): Ethernet(15)
            NAS-Port-Type: Ethernet (15)
        AVP: l=15  t=User-Name(1): switch_client
            User-Name: switch_client
        AVP: l=19  t=Calling-Station-Id(31): 00-C0-02-2B-D6-04
            Calling-Station-Id: 00-C0-02-2B-D6-04
        AVP: l=6  t=Service-Type(6): Framed-User(2)
            Service-Type: Framed-User (2)
        AVP: l=18  t=State(24): 6B1410EF6B171D4FB7BBF03DE9D33AFE
            State: 6B1410EF6B171D4FB7BBF03DE9D33AFE
        AVP: l=110  t=EAP-Message(79) Last Segment[1]
            EAP fragment
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 3
                Length: 108
                Type: EAP-TLS [RFC2716] [Aboba] (13)
                Flags(0x0): 
                Secure Socket Layer
                    SSL Record Layer: Handshake Protocol: Client Hello
                        Content Type: Handshake (22)
                        Version: TLS 1.0 (0x0301)
                        Length: 97
                        Handshake Protocol: Client Hello
                            Handshake Type: Client Hello (1)
                            Length: 93
                            Version: TLS 1.0 (0x0301)
                            Random
                                gmt_unix_time: Jun  3, 2008 00:35:22.000000000
                                random_bytes: 38DD0828D867BEEFB4B298B72518C35459979BC7ED92A0D7...
                            Session ID Length: 0
                            Cipher Suites Length: 54
                            Cipher Suites (27 suites)
                                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
                                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                                Cipher Suite: TLS_RSA_WITH_IDEA_CBC_SHA (0x0007)
                                Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
                                Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                                Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                                Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
                                Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
                                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5 (0x0061)
                                Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
                                Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
                                Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
                                Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065)
                                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
                                Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_MD5 (0x0060)
                                Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
                                Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
                                Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
                                Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
                                Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
                            Compression Methods Length: 1
                            Compression Methods (1 method)
                                Compression Method: null (0)
        AVP: l=18  t=Message-Authenticator(80): 4A1E0B1F9718533C8A225B0FC8EBB617
            Message-Authenticator: 4A1E0B1F9718533C8A225B0FC8EBB617

No.     Time        Source                Destination           Protocol Info
     68 89.725405   192.168.0.197         192.168.0.123         RADIUS   Access-challenge(11) (id=4, l=1090)

Frame 68 (1132 bytes on wire, 1132 bytes captured)
    Arrival Time: Jun  3, 2008 08:32:22.625283000
    [Time delta from previous captured frame: 0.044327000 seconds]
    [Time delta from previous displayed frame: 0.044327000 seconds]
    [Time since reference or first frame: 89.725405000 seconds]
    Frame Number: 68
    Frame Length: 1132 bytes
    Capture Length: 1132 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:radius:eap]
    [Coloring Rule Name: Checksum Errors]
    [Coloring Rule String: cdp.checksum_bad==1 || edp.checksum_bad==1 || ip.checksum_bad==1 || tcp.checksum_bad==1 || udp.checksum_bad==1]
Ethernet II, Src: Micro-St_89:79:21 (00:19:db:89:79:21), Dst: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
    Destination: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        Address: Cisco_44:1b:40 (00:0a:8a:44:1b:40)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Micro-St_89:79:21 (00:19:db:89:79:21)
        Address: Micro-St_89:79:21 (00:19:db:89:79:21)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.0.197 (192.168.0.197), Dst: 192.168.0.123 (192.168.0.123)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 1118
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (0x11)
    Header checksum: 0xb3fe [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.0.197 (192.168.0.197)
    Destination: 192.168.0.123 (192.168.0.123)
User Datagram Protocol, Src Port: radius (1812), Dst Port: radius (1812)
    Source port: radius (1812)
    Destination port: radius (1812)
    Length: 1098
    Checksum: 0x86ec [incorrect, should be 0x7116 (maybe caused by "UDP checksum offload"?)]
        [Good Checksum: False]
        [Bad Checksum: True]
Radius Protocol
    Code: Access-challenge (11)
    Packet identifier: 0x4 (4)
    Length: 1090
    Authenticator: BFFB901870A6B7784BF8FC427088FD1F
    Attribute Value Pairs
        AVP: l=255  t=EAP-Message(79) Segment[1]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[2]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[3]
            EAP fragment
        AVP: l=255  t=EAP-Message(79) Segment[4]
            EAP fragment
        AVP: l=14  t=EAP-Message(79) Last Segment[5]
            EAP fragment
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 4
                Length: 1024
                Type: EAP-TLS [RFC2716] [Aboba] (13)
                Flags(0xC0): Length More 
                Length: 2669
        AVP: l=18  t=Message-Authenticator(80): F7F26F81A3C0666CA9725E9E0C46907C
            Message-Authenticator: F7F26F81A3C0666CA9725E9E0C46907C
        AVP: l=18  t=State(24): 6B1410EF6A101D4FB7BBF03DE9D33AFE
            State: 6B1410EF6A101D4FB7BBF03DE9D33AFE

back at one....
________________________________
Yahoo Mail, your lifelong mailbox!
http://cn.mail.yahoo.com/