EAP-TLS eapol_test on a remote server
Emile Swarts
emile.swarts123 at gmail.com
Thu Apr 22 18:42:24 CEST 2021
Thanks for the quick reply Alan. Really helps narrow it down.
I forgot to mention, I am seeing "Fragmented IP protocol" packets in the
capture, which seems to correspond to each of the Access-Requests.
Could this have something to do with MTU configuration of Freeradius?
1 0.000000000 10.5.0.5 18.168.48.94 RADIUS 203 Access-Request id=0
2 0.015807600 18.168.48.94 10.5.0.5 RADIUS 108 Access-Challenge id=0
3 0.025829000 10.5.0.5 18.168.48.94 RADIUS 396 Access-Request id=1
4 0.040322200 18.168.48.94 10.5.0.5 RADIUS 1112 Access-Challenge id=1
5 0.042580700 10.5.0.5 18.168.48.94 RADIUS 206 Access-Request id=2
6 0.056210200 18.168.48.94 10.5.0.5 RADIUS 1112 Access-Challenge id=2
7 0.064416100 10.5.0.5 18.168.48.94 RADIUS 206 Access-Request id=3
8 0.076431300 18.168.48.94 10.5.0.5 RADIUS 1070 Access-Challenge id=3
9 0.119411100 10.5.0.5 18.168.48.94 IPv4 1516 Fragmented IP protocol
(proto=UDP 17, off=0, ID=6f5e) [Reassembled in #10]
10 0.119491200 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4
11 3.121173000 10.5.0.5 18.168.48.94 IPv4 1516 Fragmented IP protocol
(proto=UDP 17, off=0, ID=78ae) [Reassembled in #12]
12 3.121220200 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
Duplicate Request
13 9.122227800 10.5.0.5 18.168.48.94 IPv4 1516 Fragmented IP protocol
(proto=UDP 17, off=0, ID=84ec) [Reassembled in #18]
14 9.122298400 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
Duplicate Request
15 21.090812700 10.5.0.5 18.168.48.94 IPv4 1516 Fragmented IP protocol
(proto=UDP 17, off=0, ID=8a74) [Reassembled in #20]
16 21.090888500 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
Duplicate Request
Kind Regards,
Emile
On Thu, Apr 22, 2021 at 4:03 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Apr 22, 2021, at 10:58 AM, Emile Swarts <emile.swarts123 at gmail.com>
> wrote:
> > Pointing this to a Freeradius server running on AWS with exactly the same
> > configuration and certificates, I get the following:
> >
> > 1 0.000000000 10.5.0.5 18.168.48.94 RADIUS 203 Access-Request id=0
> > 2 0.015807600 18.168.48.94 10.5.0.5 RADIUS 108 Access-Challenge id=0
> > 3 0.025829000 10.5.0.5 18.168.48.94 RADIUS 396 Access-Request id=1
> > 4 0.040322200 18.168.48.94 10.5.0.5 RADIUS 1112 Access-Challenge id=1
> > 5 0.042580700 10.5.0.5 18.168.48.94 RADIUS 206 Access-Request id=2
> > 6 0.056210200 18.168.48.94 10.5.0.5 RADIUS 1112 Access-Challenge id=2
> > 7 0.064416100 10.5.0.5 18.168.48.94 RADIUS 206 Access-Request id=3
> > 8 0.076431300 18.168.48.94 10.5.0.5 RADIUS 1070 Access-Challenge id=3
> > 10 0.119491200 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4
> > 12 3.121220200 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
> > Duplicate Request
> > 18 9.122298400 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
> > Duplicate Request
> > 20 21.090888500 10.5.0.5 18.168.48.94 RADIUS 138 Access-Request id=4,
> > Duplicate Request
>
> The server isn't replying to the client. This is likely due to a
> network issue.
> > ...
> > EAPOL: startWhen --> 0
> > STA 00:11:22:33:44:55: Resending RADIUS message (id=4)
> >
> > Next RADIUS client retransmit in 6 seconds
> > STA 00:11:22:33:44:55: Resending RADIUS message (id=4)
> >
> > Next RADIUS client retransmit in 12 seconds
> > STA 00:11:22:33:44:55: Resending RADIUS message (id=4)
> >
> > Next RADIUS client retransmit in 24 seconds
> > EAPOL test timed out
>
> Yup.
>
> > If anyone has any ideas how to debug this further, please do let me
> know. I
> > regenerated the self signed certificates but that didn't fix the issue,
> > currently suspecting either latency or miss-configured client.
>
> It's a networking issue.
>
> Why can some packets get through and others can't? I don't know.
>
> If both wpa_supplicant && FreeRADIUS work in one network, but they don't
> work in another network... then the issue is a networking problem.
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
More information about the Freeradius-Users
mailing list