TLS communication, EAP does not work

Edelberto Franco esilva at midiacom.uff.br
Sat Jul 15 19:42:49 CEST 2017 

Updating this thread*

Em 15-Jul-17 11:02 AM, Edelberto Franco escreveu:
> Updating this threat to our colleagues...
>
> Changing the parameter "fragment_size" in tls block on 
> "sites-enable/tls" file, packets were sent and received by FR3 servers 
> (using 756 - less than 1024).
> But it is not an absolute truth, sometimes packets are lost and authA 
> not happens.
>
> *needing more investigation.
>
> --E
>
> Em 14-Jul-17 10:29 AM, Alan DeKok escreveu:
>> On Jul 13, 2017, at 4:50 PM, Edelberto Franco 
>> <esilva at midiacom.uff.br> wrote:
>>> Hi
>>>
>>> I'm working with Luciano on eduroam BR and trying to solve this.
>>> I attached our debug files.
>>> 4 files:
>>> 1) debug-eapol-from-ujfteste-to-rnpteste - the client eapol running 
>>> an auth test
>>> 2) debug-ufjfteste-FR3 - FreeRadius @ inst1/ufjfteste.br
>>> 3) debug-rnpteste-FR3 - FreeRadius @ inst1/rnpteste.br
>>> 4) debug-radsecproxy-FLR - radsecproxy @ federation level
>>    You don't say which server is doing what, or why. Is (1) sending 
>> to (2) which is proxying to (3) and then (4)?
>>
>>    Describing the system would be helpful.
>>
>>> What caught my attention was this "error" on the local (institution) 
>>> FreeRadius
>>> rlm_eap (EAP): No EAP session matching state 0xc6ab1049c7a90598
>>    There's some telling logs in mpteste:
>>
>> (1) # Executing group from file /etc/freeradius/sites-enabled/default
>> (1) Sent Access-Challenge Id 1 from 0.0.0.0:2083 to 
>> 200.130.15.23:33001 length 0
>> (1)   EAP-Message = 0x010200061520
>> (1)   Message-Authenticator = 0x00000000000000000000000000000000
>> (1)   State = 0x161759b417154cb0f3b4952e04b41a4d
>> (1)   Proxy-State = 0x31
>> ...
>> (2) Received Access-Request Id 2 from 200.130.15.23:33001 to 
>> 0.0.0.0:2083 length 464
>> (2)   User-Name = "eduroam at rnpteste.br"
>> ...
>> (2)   EAP-Message = 
>> 0x0202013315001603010128010001240303d2f5eea4fdbe3d97827f69579ce66256228d2985dafcc71333fe57a0d62fe0610000aac030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc0
>> (2)   State = 0x161759b417154cb0f3b4952e04b41a4d
>> ...
>> (3) Received Access-Request Id 3 from 200.130.15.23:33001 to 
>> 0.0.0.0:2083 length 464
>> (3)   User-Name = "eduroam at rnpteste.br"
>> (3)   NAS-IP-Address = 127.0.0.1
>> (3)   Calling-Station-Id = "02-00-00-00-00-01"
>> (3)   Framed-MTU = 1400
>> (3)   NAS-Port-Type = Wireless-802.11
>> (3)   Service-Type = Framed-User
>> (3)   Connect-Info = "CONNECT 11Mbps 802.11b"
>> (3)   EAP-Message = 
>> 0x0202013315001603010128010001240303d2f5eea4fdbe3d97827f69579ce66256228d2985dafcc71333fe57a0d62fe0610000aac030c02cc028c024c014c00a00a500a300a1009f006b006a0069006800390038003700360088008700860085c032c02ec02ac026c00fc005009d003d00350084c02fc0
>> (3)   State = 0x161759b417154cb0f3b4952e04b41a4d
>> (3)   Message-Authenticator = 0x384c2741f7321ca2d8e8f78b9c0864b3
>>
>>
>>    The server is sending a reply to packet 2, and then packet 3 is a 
>> retransmit of packet 2.  That's wrong.  The client should go on to 
>> the next packet.
>>
>>    This is confirmed from the eapol_test packet:
>>
>>     Attribute 24 (State) length=18
>>        Value: 161759b417154cb0f3b4952e04b41a4d
>>     Attribute 80 (Message-Authenticator) length=18
>>        Value: 67ecbe0e885a25686f87da3397222a19
>> Next RADIUS client retransmit in 3 seconds
>> EAPOL: SUPP_BE entering state RECEIVE
>> EAPOL: startWhen --> 0
>> STA 02:00:00:00:00:01: Resending RADIUS message (id=2)
>>
>>
>>   Packets are being lost somewhere.  I have no idea where.
>>
>>    I suggest setting up a test system.  And don't use radsecproxy.  
>> The debug output is entirely useless.  It doesn't show the packets 
>> going back and forth, so it is of *zero* help for debugging.
>>
>>    Test the systems, and watch the packets going back and forth.  
>> Then READ THE DEBUG OUTPUT.  If it's complaining that there's no EAP 
>> session for the State attribute... go back in the debug log looking 
>> for other references to that State.  See if the packets are being 
>> retransmitted.  See if the reply sent by the proxy is making it to 
>> the client.
>>
>>    i.e. debug it.  Trace the packets step by step through the 
>> system.  It isn't hard.  It just takes some effort to read the debug 
>> output.
>>
>>    Alan DeKok.
>>
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list