EAP-TTLS+PAP vs. Ubuntu 15 / Windows 10

Bogdan Rudas brudas at exadel.com
Tue Sep 6 15:58:44 CEST 2016


I've used Wireshark to get traffic between the Radius server and the Cisco WLC.
It looks like the Access-Challenges were lost somewhere in transit and the WLC
re-sent the Access-Request with the same Packet identifier. Sadly there was
nothing in the logs about duplicated access requests with the same ID.
Disabling "Radius Server Overwrite interface" in WLC settings resolved this
issue. I'm still unsure why my WLC is doing so, but now login works well
for Windows 10 (no configuration required, just confirmation, user name and
password), Ubuntu (configuration required), Android (configuration
required) and OS X (profile generation required).

Thank you.

On Tue, Sep 6, 2016 at 1:55 PM, Matthew Newton <mcn4 at leicester.ac.uk> wrote:

> On Tue, Sep 06, 2016 at 01:14:04PM +0300, Bogdan Rudas via
> Freeradius-Users wrote:
> > Here is more complete output for Ubuntu 15.10 client:
>
> That's more useful, thanks.
>
> ...
> > (0) Sent Access-Challenge Id 172 from 1.2.3.4:1812 to 1.2.3.2:32768 length 0
> > (0)   EAP-Message = 0x010200061520
> > (0)   Message-Authenticator = 0x00000000000000000000000000000000
> > (0)   State = 0xaa5a11c1aa5804cd3319b975cc2ec9dd
> > (0) Finished request
> > Waking up in 4.9 seconds.
> > Waking up in 7.8 seconds.
> > Waking up in 15.7 seconds.
> > Waking up in 33.6 seconds.
>
>
> ...
> > (0) Sent Access-Challenge Id 173 from 1.2.3.4:1812 to 1.2.3.2:32768 length 0
> > (0)   EAP-Message = 0x010300061520
> > (0)   Message-Authenticator = 0x00000000000000000000000000000000
> > (0)   State = 0x8d5396258d5083331fb57364af922639
> > (0) Finished request
> > Waking up in 4.9 seconds.
> > Waking up in 7.8 seconds.
> > Waking up in 15.7 seconds.
> > Waking up in 33.6 seconds.
> > Waking up in 71.5 seconds.
>
> I would check firewalls to make sure the RADIUS packets are
> actually getting back to the NAS (or that the NAS is sending the
> EAP challenge back to the clients).
>
> Nothing has happened this early in the process, so it's not
> something like the client is rejecting the server certificate.
>
> Rather than eapol_test, you could run wpasupplicant directly on
> the linux box and watch its debug output. See if it gets a
> response - if not, then work out why. Possibly check the NAS logs.
>
> Matthew
>
>
> --
> Matthew Newton, Ph.D. <mcn4 at leicester.ac.uk>
>
> Systems Specialist, Infrastructure Services,
> I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
>
> For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
>



-- 
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas
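
The symptom described in this message (the server has sent an Access-Challenge, yet the NAS sends the Access-Request again with the same Identifier) can be picked out of a capture mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it decodes the 20-byte RADIUS header and treats a request as a retransmission when both Identifier and Request Authenticator match; the function names and the sample capture are constructed for illustration, using the addresses from the quoted debug output.

```python
import struct
from collections import namedtuple

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
Pkt = namedtuple("Pkt", "ts src dst code ident auth")

def parse_header(ts, src, dst, payload):
    """Decode the fixed 20-byte RADIUS header: Code, Identifier, Length, Authenticator."""
    if len(payload) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("bad RADIUS Length field")
    return Pkt(ts, src, dst, code, ident, payload[4:20])

def find_answered_retransmits(packets):
    """Flag Access-Requests re-sent with the same Identifier and Request
    Authenticator after the server already replied (the reply was likely lost)."""
    last_req, replied, findings = {}, {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.code == 1:
            key = (p.src, p.dst, p.ident)
            if last_req.get(key) == p.auth:
                if key in replied:
                    findings.append((p.ts, p.src, p.ident, CODES.get(replied[key], "other")))
            else:
                replied.pop(key, None)  # Identifier reused for a new request
            last_req[key] = p.auth
        elif (p.dst, p.src, p.ident) in last_req:
            replied[(p.dst, p.src, p.ident)] = p.code
    return findings

def mk(code, ident, auth):
    """Build a header-only packet for the constructed sample below."""
    return struct.pack("!BBH", code, ident, 20) + auth

# Constructed sample capture; addresses are the ones in the quoted debug output.
NAS, SRV = "1.2.3.2:32768", "1.2.3.4:1812"
A1, A2 = b"\x11" * 16, b"\x22" * 16
SAMPLE = [
    (0.00, NAS, SRV, mk(1, 172, A1)),
    (0.01, SRV, NAS, mk(11, 172, b"\xaa" * 16)),
    (5.00, NAS, SRV, mk(1, 172, A1)),   # same Id, same authenticator: retransmit
    (35.00, NAS, SRV, mk(1, 173, A2)),
    (35.01, SRV, NAS, mk(11, 173, b"\xbb" * 16)),
]

def analyze(capture):
    return find_answered_retransmits([parse_header(*rec) for rec in capture])

if __name__ == "__main__":
    for ts, nas, ident, reply in analyze(SAMPLE):
        print(f"t={ts:.2f} {nas} re-sent Id {ident} although {reply} was already sent")
```

A hit on a capture taken at the server's interface means the reply left the server but did not reach the NAS, which points at the return path rather than at the EAP configuration.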
