Problem with SMC Access Point in Client Mode using EAP-TLS and Freeradius-2.1.1

Harald Schreiber h at rald.net
Sun Nov 30 18:22:50 CET 2008


Hello,

I'm running a Freeradius-Server 2.1.1 on my SuSE Linux 11.0 Box to
control the access to my WLAN using EAP-TLS. This works fine with my
notebook. But now I have bought a SMC EZ Connect N Pro Access Point
which I have configured as a WLAN client using EAP-TLS too. When this
WLAN client tries to authenticate itself with the Freeradius Server, the
authentication fails and I get the message

rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

in the Freeradius log file. 

Can someone please tell me what's going wrong there?
Any help is appreciated.

Here is the output of radiusd -X when an authentication request of
the SMC access point comes in:

rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=125
        User-Name = "harald"
        NAS-IP-Address = 192.168.254.1
        Called-Station-Id = "0014bf3bcd8a"
        Calling-Station-Id = "0013f7ca60de"
        NAS-Identifier = "0014bf3bcd8a"
        NAS-Port = 52
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x0200000b01686172616c64
        Message-Authenticator = 0x543152e558b443afb9430d9fd02aa75f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7139c4e57138c9bf5d9926d441f8680e
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
Cleaning up request 6 ID 1 with timestamp +1123
        User-Name = "harald"
        NAS-IP-Address = 192.168.254.1
        Called-Station-Id = "0014bf3bcd8a"
        Calling-Station-Id = "0013f7ca60de"
        NAS-Identifier = "0014bf3bcd8a"
        NAS-Port = 52
        Framed-MTU = 1400
        State = 0x7139c4e57138c9bf5d9926d441f8680e
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020100440d800000003a160301003501000031030163c2a49b798675d7c211a92ace77bde2102205aefca9044d7fc1ab18323a627d00000a0035002f000a000400050100
        Message-Authenticator = 0x2f0e13f531634f6696098de4ecf6dfca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 58
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0035], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 05fb], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0091], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
        EAP-Message = 0x0500307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574301e170d3035313231373139333235365a170d3135313231353139333235365a307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b73311930170603550403131048617261
        EAP-Message = 0x6c6420536368726569626572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7139c4e5703bc9bf5d9926d441f8680e
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=138
Cleaning up request 7 ID 1 with timestamp +1123
        User-Name = "harald"
        NAS-IP-Address = 192.168.254.1
        Called-Station-Id = "0014bf3bcd8a"
        Calling-Station-Id = "0013f7ca60de"
        NAS-Identifier = "0014bf3bcd8a"
        NAS-Port = 52
        Framed-MTU = 1400
        State = 0x7139c4e5703bc9bf5d9926d441f8680e
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060d00
        Message-Authenticator = 0x45eb23701fb6bcbe430512689ce99aa1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
        EAP-Message = 0xb59a09ae8a1fe82961d44d33dc1d90652f489da18184a48181307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574820900dfcd0dfb0e951628300c0603551d13040530030101ff300d06092a864886f70d0101040500038181000b7e2f9395ee1fee0e969c5d0982887d5832a4acaa7961228c0a5a654d7122070c751c00b23ca4f31b7487ac91235e462c15ca909fc0ab
        EAP-Message = 0xd786ca2d48078d6c34c45666ae966c4b8d52806adc07f6a25cf7e72f6a953f1e40046d8934b0b2a074f158d9c85f0025c21fac551f8659ec8d254744d5927662dec81eb10d102f0c0a16030100910d0000890301024000830081307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e65740e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x7139c4e5733ac9bf5d9926d441f8680e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 8 ID 1 with timestamp +1123
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
        User-Name = "harald"
        NAS-IP-Address = 192.168.254.1
        Called-Station-Id = "0014bf3bcd8a"
        Calling-Station-Id = "0013f7ca60de"
        NAS-Identifier = "0014bf3bcd8a"
        NAS-Port = 52
        Framed-MTU = 1400
        State = 0x7139c4e5733ac9bf5d9926d441f8680e
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200440d800000003a160301003501000031030163c2a49b798675d7c211a92ace77bde2102205aefca9044d7fc1ab18323a627d00000a0035002f000a000400050100
        Message-Authenticator = 0x25fd4ab36c6ba9a789644e5a77225539
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [harald/<via Auth-Type = EAP>] (from client blizzard port 52 cli 0013f7ca60de)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> harald
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 1 to 192.168.254.1 port 1024
Waking up in 4.9 seconds.
Cleaning up request 9 ID 1 with timestamp +1131
Ready to process requests.
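Added here as a diagnostic aid (example code, not part of the original post or of FreeRADIUS): FreeRADIUS looks up the EAP session for an incoming response by the State attribute together with the EAP identifier, so a response that echoes the right State but a stale identifier is exactly what produces "No EAP session matching the State variable". This Python checker walks an abbreviated copy of the radiusd -X output above and flags a response whose identifier does not advance past the previous one (assuming, as the identity round in the log shows, that each new request is numbered one above the response it answers) and a response that repeats EAP-TLS data the client already sent, which is how the final request (the ClientHello again, still with id 2) shows up.

```python
import re
# Abbreviated radiusd -X excerpt from the post (identity round dropped, long fragments truncated)
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
        State = 0x7139c4e57138c9bf5d9926d441f8680e
        EAP-Message = 0x020100440d800000003a160301003501000031030163c2a49b
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
        State = 0x7139c4e5703bc9bf5d9926d441f8680e
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=138
        State = 0x7139c4e5703bc9bf5d9926d441f8680e
        EAP-Message = 0x020200060d00
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
        State = 0x7139c4e5733ac9bf5d9926d441f8680e
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
        State = 0x7139c4e5733ac9bf5d9926d441f8680e
        EAP-Message = 0x020200440d800000003a160301003501000031030163c2a49b
"""

def parse_packets(log):
    """One dict per RADIUS packet: direction, State, and all EAP-Message fragments joined."""
    packets = []
    for line in log.splitlines():
        if line.startswith(("rad_recv: Access-Request", "Sending Access-Challenge")):
            packets.append({"dir": line.split()[0], "state": "", "eap": ""})
        elif m := re.match(r"\s+(State|EAP-Message) = 0x([0-9a-f]+)$", line):
            packets[-1]["state" if m[1] == "State" else "eap"] += m[2]
    return packets

def eap_header(hexdata):
    """(code, id, type) from the EAP header: code 1 = Request, 2 = Response; type 13 = EAP-TLS."""
    b = bytes.fromhex(hexdata[:10])
    return b[0], b[1], b[4] if len(b) > 4 else None

def audit(log):
    findings, chal, last_id, seen_tls = [], None, None, {}
    for n, p in enumerate(parse_packets(log), 1):
        if p["dir"] == "Sending":            # Access-Challenge: the client must echo its State
            chal = p
            continue
        _, eid, etype = eap_header(p["eap"])
        if chal is not None and p["state"] != chal["state"]:
            findings.append(f"packet {n}: State does not match the last Access-Challenge")
        if last_id is not None and eid != (last_id + 1) % 256:   # next request id = last response + 1
            findings.append(f"packet {n}: response id {eid}, server expects {(last_id + 1) % 256}")
        if etype == 13 and (tls := p["eap"][12:]):   # data after the 6-byte EAP-TLS header
            if tls in seen_tls:
                findings.append(f"packet {n}: repeats the EAP-TLS data of packet {seen_tls[tls]}")
            seen_tls.setdefault(tls, n)
        last_id = eid
    return findings
```

Running `audit(SAMPLE_LOG)` reports the last request twice: its identifier is 2 where the server expects 3, and its EAP-TLS data is a byte-for-byte repeat of the first ClientHello, i.e. the client restarted the handshake instead of answering the CertificateRequest.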