help seeing more debugging EAP-TTLS handshake

Jonathan huffelduffel at gmail.com
Fri Sep 25 23:35:38 CEST 2015


PS, 2.2.9 is not released yet; it was supposed to be released at the
beginning of September but got jumped AFAIK due to time constraints or
still some bugs open.

On Thu, Sep 24, 2015 at 7:15 PM, Rohan Mahy <rohan.mahy at gmail.com> wrote:
> Hi Alan,
>
> Thanks for the advice. Arran's intuition was correct (as I also suspected).
> As soon as I found out how to turn on debugging on the supplicant I saw
> that it did not like the server certificate. I am now looking for some kind
> of guide about what format the CN/SubjectAltName etc. need to be in certs
> for 802.1x for Apple to be happy with them.
>>Sep 23 12:00:24.045540 Spare-MacBook-Air.local eapolclient[540]: Receive
> Size 472 Type 0x888e From 2:18:5a:1d:ae:3
>>Sep 23 12:00:24.045726 Spare-MacBook-Air.local eapolclient[540]: EAP
> Request: EAP type 21
>>Sep 23 12:00:24.071564 Spare-MacBook-Air.local eapolclient[540]:
> [eapttls_plugin.c:969] eapttls_verify_server(): server certificate not
> trusted status 6 0
>>Sep 23 12:00:24.071763 Spare-MacBook-Air.local eapolclient[540]: Transmit
> Size 21 Type 0x888e To 2:18:5a:1d:ae:3
>>Sep 23 12:00:24.071908 Spare-MacBook-Air.local eapolclient[540]: en0
> EAP-TTLS: authentication failed with status 6
>>Sep 23 12:00:24.072062 Spare-MacBook-Air.local eapolclient[540]: set_msk 0
>
>
> On Wed, Sep 23, 2015 at 11:44 AM, <A.L.M.Buxey at lboro.ac.uk> wrote:
>
>> Hi,
>>
>> > I am trying to debug an EAP-TTLS handshake problem between FreeRADIUS
>> 2.2.4
>> > with OpenSSL 1.0.1f and Mac OS X 10.10.5 and 10.9.5.  The Macs are using
>>
>> old. upgrade your FR
>>
>> > b) FreeRADIUS/OpenSSL and these versions of Mac OS X can all do TLS 1.2.
>> > Does the text "TLS 1.0 Handshake" in the log really mean that it is only
>> > using TLS 1.0 instead of TLS 1.2?
>>
>> yes. FR 2.2.4 doesn't do TLS 1.2 - 2.2.9 does
>
>
> ok. I will probably upgrade to 3.0.9 in a week or two.
>
>
>> > c) There is a message in the log "TLS_accept: failed in SSLv3 read client
>> > certificate A". Does this mean that there was a client certificate
>> > presented by the client? (there shouldn't be a client cert at all)
>>
>> how is the OSX device configured?
>
>
>
> I'm attaching the .mobileconfig file. OSX is configured to use EAP-TTLS +
> PAP, the server cert CN is wifi.remind.com and is signed by our self-signed
> CA cert.  Both of these are in the mobileconfig file and WiFi profile says
> to expect wifi.remind.com. as a Trusted Name for 802.1x from this WiFi
> network.  :-\
>
>
>>
>> > d) Does anyone have any other suggestions to make this work? I already
>> > tried setting the cipher_list to well used ciphers that the Macs
>> generally
>> > like ('AES+aRSA') and got the same result. (The trace below is with the
>> > default cipher_list).
>>
>> works with DEFAULT. unless you want to start playing client compatibility
>> issue
>> and need to remove eg DH methods or DES methods from the list I wouldn't
>> touch it
>> (that particular combo only allows TLS1.2 and a few SSLv3 methods)
>>
>> >                         dh_file = ${certdir}/dh
>>
>> how big is that dh key? must be 1024 or bigger
>>
>
> 1024
>
>
>>
>> openssl dhparam -in dh -text -noout
>>
>> >                 ttls {
>> >                         default_eap_type = md5
>>
>> md5? really?  I'm sure you want that to be mschapv2 for your systems.
>> don't think OSX
>> will renegotiate.
>>
>
> I need PAP inside the EAP-TTLS, because I need to proxy the PAP request to
> a PAP-only RADIUS server. EAP-MD5 is actually disabled, but I found I still
> need a non-TLS default_eap_type inside the ttls block. As we are not
> getting far enough to worry about that (and it works on Windows and
> Android), I am not too worried about that.
>
> Thanks,
> -rohan
>
> alan
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
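An added example, not from the thread, FreeRADIUS or Apple, that checks from the server side the three things this exchange turns on: whether the server certificate chains to the CA carried in the supplicant profile (the "server certificate not trusted" failure above), whether the expected name is present in the cert's CN and SAN, and how many bits the dh_file has. It assumes the openssl CLI is installed and builds its own throwaway CA, server certificate and hostname (wifi.example.test) rather than touching real keys.

```shell
# Constructed example; not from the thread, FreeRADIUS or Apple. Needs the openssl CLI.
set -e

# chain_ok CA_PEM SERVER_PEM: "trusted" when SERVER_PEM verifies against CA_PEM.
# This is the check eapolclient reported as "server certificate not trusted".
chain_ok() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# cert_name_location SERVER_PEM NAME: where NAME appears in the server cert:
# "both", "san", "cn" or "none". RFC 6125 clients match SAN dNSName; CN is legacy.
cert_name_location() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  san=$(openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 || true)
  in_cn=no; in_san=no
  case "$subj" in *"CN = $2"*|*"CN=$2"*) in_cn=yes;; esac   # 1.1.1+/3.x and 1.0.x subject formats
  case "$san" in *"DNS:$2"*) in_san=yes;; esac
  if [ $in_cn = yes ] && [ $in_san = yes ]; then echo both
  elif [ $in_san = yes ]; then echo san
  elif [ $in_cn = yes ]; then echo cn
  else echo none; fi
}

# dh_bits DH_FILE: prime length of the file named by dh_file; the thread's rule is >= 1024.
dh_bits() {
  openssl dhparam -in "$1" -text -noout | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# make_fixtures DIR HOST: throwaway CA, server cert for HOST (CN and SAN) and a
# 1024-bit dh file, so the checks can be exercised without real keys.
# -dsaparam only makes generation fast here; generate production dh files without it.
make_fixtures() {
  d=$1; h=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$h" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$h" > "$d/ext.cnf"
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 2 -extfile "$d/ext.cnf" -out "$d/server.pem" 2>/dev/null
  openssl dhparam -dsaparam -out "$d/dh" 1024 2>/dev/null
}

# Demo on constructed material; point the functions at your real certdir files instead.
WORK=$(mktemp -d)
make_fixtures "$WORK" wifi.example.test
echo "chain: $(chain_ok "$WORK/ca.pem" "$WORK/server.pem")"
echo "name:  $(cert_name_location "$WORK/server.pem" wifi.example.test)"
echo "dh:    $(dh_bits "$WORK/dh") bits"
```

A server cert that reports "untrusted" against the CA bundled in the .mobileconfig, or "none" for the configured Trusted Name, is the server-side counterpart of the status 6 failure in the eapolclient log.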

