Certificate Compatibility - Successful Network Entry

Ben Wiechman wiechman.lists at gmail.com
Thu Mar 31 19:00:23 CEST 2011


While testing authentication with a Motorola Canopy AP I noticed that
I was getting a Certificate Compatibility warning. I understand why
this typically happens.

What struck me as odd is that network entry still succeeds.

Just to verify nothing really out of the ordinary was happening, I
verified the CA certificate that the server was using and re-imported
this certificate onto the device, but I still receive the same
notification and still the same successful network entry.

Does FR only use the State attribute to determine if the previous
session didn't complete? The reason I ask is that the State attributes
sent by FR in the Access-Challenge, and then echoed in the following
Access-Request, are the same, but the warning appears to truncate the
value.

Sending Access-Challenge of id 0 to 10.0.12.129 port 1273
       User-Name = "anonymous"
       EAP-Message = 0x0107005f15800000005517030100508d4766c847a9447872b323a9bd33e47f6b3fc9a3be04184631d16bb14289d9d3f2387d214da2b3103eb90e7f9934044382fbe188be4b0a54956e6059b864b36088912d8de6da414965ea8577aca8bf87
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xc2539648c75483204cf5c8028cb0d506
Finished request 9.
Going to the next request
Waking up in 2.9 seconds.
rad_recv: Access-Request packet from host 10.0.12.129 port 1273, id=0, length=99
Cleaning up request 9 ID 0 with timestamp +54
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xc2539648c7548320 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
       User-Name = "anonymous"
       State = 0xc2539648c75483204cf5c8028cb0d506
       NAS-IP-Address = 10.0.12.129
       NAS-Port = 5
       NAS-Port-Type = Wireless-802.11
       Framed-MTU = 1020
       EAP-Message = 0x020700061500
       Message-Authenticator = 0x333490df7d6b149bd645a83de291660e


This appears to be a client side issue, but I would like to confirm
that this is the case. I'm a little confused as to what is really
happening here.

Ben
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debug.zip
Type: application/zip
Size: 13106 bytes
Desc: not available
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20110331/646eb1fa/attachment.zip>
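
The State comparison described in the message can be checked mechanically. The following is an added example, not part of the original post and not FreeRADIUS code: it parses debug output in the format quoted above and reports whether the state printed in the warning is a prefix of the full State attribute and whether the NAS echoed that State unchanged. The function name, regular expressions and result keys are assumptions made for this example, and the sample input is constructed from the lines quoted in the message.

```python
import re

# Constructed sample: the relevant lines from the debug output quoted in the post.
SAMPLE_LOG = """\
Sending Access-Challenge of id 0 to 10.0.12.129 port 1273
       User-Name = "anonymous"
       State = 0xc2539648c75483204cf5c8028cb0d506
Finished request 9.
rad_recv: Access-Request packet from host 10.0.12.129 port 1273, id=0, length=99
WARNING: !! EAP session for state 0xc2539648c7548320 did not finish!
       User-Name = "anonymous"
       State = 0xc2539648c75483204cf5c8028cb0d506
"""

# Hypothetical patterns written for this example, matching the quoted log format.
PACKET_RE = re.compile(r"^(Sending|rad_recv:) (Access-[A-Za-z]+)")
STATE_RE = re.compile(r"^\s+State = 0x([0-9a-fA-F]+)\s*$")
WARN_RE = re.compile(r"EAP session for state 0x([0-9a-fA-F]+) did not finish")


def correlate_states(log_text):
    """Pair each 'did not finish' warning with the State attributes in the log."""
    packets = []   # [direction, packet type, State hex or None]
    warnings = []  # state values as printed by the warning
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            direction = "sent" if m.group(1) == "Sending" else "recv"
            packets.append([direction, m.group(2), None])
            continue
        m = WARN_RE.search(line)
        if m:
            warnings.append(m.group(1).lower())
            continue
        m = STATE_RE.match(line)
        if m and packets and packets[-1][2] is None:
            packets[-1][2] = m.group(1).lower()  # attribute belongs to last packet seen
    findings = []
    for w in warnings:
        sent = [s for d, t, s in packets
                if d == "sent" and t == "Access-Challenge" and s and s.startswith(w)]
        echoed = [s for d, t, s in packets
                  if d == "recv" and t == "Access-Request" and s and s.startswith(w)]
        findings.append({"warning_state": w,
                         "full_state": sent[0] if sent else None,
                         "warning_is_prefix": bool(sent) and len(w) < len(sent[0]),
                         "echoed_unchanged": bool(sent) and sent[0] in echoed})
    return findings
```

On the quoted log this reports that the warning shows only the first 8 bytes of the 16-byte State and that the Access-Request carries the full value unchanged.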

