help seeing more debugging EAP-TTLS handshake

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Sep 23 20:17:06 CEST 2015


> On 23 Sep 2015, at 14:04, Rohan Mahy <rohan.mahy at gmail.com> wrote:
> 
> Hi,
> I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS 2.2.4
> with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5.  The Macs are using
> WPA2 Enterprise / 802.1x through a Meraki MR34 Access Point. This
> configuration works fine with Windows 8 and Android 4.4.1.
> 
> My questions for the FreeRADIUS folks:
> 
> a) Is there a way that I can view the decoded TLS attributes from the TLS
> handshake? (I'm already running with the -X option).  For example, I'd like
> to see what ciphersuites are being proposed and any additional attributes
> in the ClientHello.

Maybe more -x arguments, but I don't think so.  If you feel like running a v3.1.x version, I'd be happy to work with you to add additional debugging.

> b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2.
> Does the text "TLS 1.0 Handshake" in the log really mean that it is only
> using TLS 1.0 instead of TLS 1.2?

For 2.2.4, yes.

> c) There is a message in the log "TLS_accept: failed in SSLv3 read client
> certificate A". Does this mean that there was a client certificate
> presented by the client? (there shouldn't be a client cert at all)

In this case it looks like the client sent a TLS notice saying it was closing the TLS session (instead of a certificate).

The error message is misleading.

> d) Does anyone have any other suggestions to make this work? I already
> tried setting the cipher_list to well used ciphers that the Macs generally
> like ('AES+aRSA') and got the same result. (The trace below is with the
> default cipher_list).

Debugging logs on the supplicant are your best bet.  This isn't an MTU issue or a misconfiguration of the NAS/FreeRADIUS AFAICT.  The supplicant is likely rejecting the server certificate for some reason.  Double check you provided the complete certificate chain, that the Root CA is trusted, that the CN in the server certificate is correct for the wireless profile.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
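Added example (not part of the thread above, and not FreeRADIUS or OpenSSL code): a small pure-Python decoder for the TLS records carried inside EAP-TTLS, covering points (a), (b) and (c) of the exchange. It assumes you have already extracted the raw TLS bytes from the EAP-TTLS data (for instance from a packet capture of the RADIUS traffic); the sample bytes are constructed inline, not captured from a Mac. It lists the cipher suites and extensions offered in the ClientHello, shows that the record-layer version and the ClientHello's own client_version are separate fields (a ClientHello offering TLS 1.2 is routinely wrapped in a "TLS 1.0" record), and distinguishes an Alert record such as close_notify from a Certificate handshake message. The cipher-suite, extension and alert tables are abbreviated to the values the sample uses.

```python
import struct

# TLS record content types and the handshake type we care about (RFC 5246).
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1

# Abbreviated IANA lookup tables; only the entries needed by the constructed sample.
CIPHER_SUITES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
EXTENSIONS = {0x0000: "server_name", 0x000A: "supported_groups",
              0x000B: "ec_point_formats", 0x000D: "signature_algorithms"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca"}


def version_name(major, minor):
    """Map a (major, minor) version pair to the usual protocol name."""
    names = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
    return names.get((major, minor), "unknown %d.%d" % (major, minor))


def parse_client_hello(body):
    """Decode a ClientHello body (the bytes after the 4-byte handshake header)."""
    client_version = version_name(body[0], body[1])
    pos = 2 + 32                                   # skip the 32-byte random
    pos += 1 + body[pos]                           # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    extensions = []
    if pos + 2 <= len(body):                       # the extensions block is optional
        (ext_total,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4 + elen
            extensions.append(EXTENSIONS.get(etype, "ext_0x%04x" % etype))
    return {"client_version": client_version,
            "cipher_suites": [CIPHER_SUITES.get(s, "0x%04x" % s) for s in suites],
            "extensions": extensions}


def parse_records(data):
    """Split raw bytes into TLS records; decode ClientHello and Alert payloads."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        pos += 5 + length
        rec = {"type": ctype, "record_version": version_name(major, minor)}
        if ctype == CONTENT_HANDSHAKE and payload and payload[0] == HANDSHAKE_CLIENT_HELLO:
            hs_len = int.from_bytes(payload[1:4], "big")
            rec["client_hello"] = parse_client_hello(payload[4:4 + hs_len])
        elif ctype == CONTENT_ALERT and len(payload) >= 2:
            rec["alert"] = {"level": "fatal" if payload[0] == 2 else "warning",
                            "description": ALERTS.get(payload[1], "alert_%d" % payload[1])}
        records.append(rec)
    return records


def build_sample():
    """Constructed sample (not captured traffic): a ClientHello offering TLS 1.2
    inside a TLS 1.0 record, followed by a warning-level close_notify alert."""
    suites = (0xC02F, 0xC030, 0x002F)
    body = b"\x03\x03" + bytes(32) + b"\x00"           # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    sig_algs = struct.pack("!HH", 0x000D, 4) + struct.pack("!H", 2) + b"\x04\x01"  # sha256/rsa
    body += struct.pack("!H", len(sig_algs)) + sig_algs
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    client_hello = b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
    alert = b"\x15\x03\x01\x00\x02\x01\x00"             # level=warning(1), close_notify(0)
    return client_hello + alert


if __name__ == "__main__":
    for rec in parse_records(build_sample()):
        print(rec)
```

Running it on the sample prints two records: the first is content type 22 with record_version "TLS 1.0" but client_version "TLS 1.2" and the three offered suites; the second is content type 21, a warning close_notify, which is the "TLS notice" shape referred to in answer (c) rather than a Certificate message. Feed real extracted bytes to `parse_records` and the same two fields tell you what the supplicant actually offered and whether it closed the session instead of continuing the handshake.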
