Help! Problems when eap=ttls.
娟 严
iamyanjuan at yahoo.com.cn
Tue May 13 06:36:38 EDT 2008
Hi!
I'd like to describe the problem in detail. My RADIUS server is freeradius.net, which is a Windows version of freeradius.
According to draft-ietf-pppext-eap-ttls-05, a successful authentication via tunneled EAP/MD5-Challenge
should look like this:
client          access point        TTLS server          AAA/H
------          ------------        -----------          -----

                EAP-Request/Identity
          <--------------------

EAP-Response/Identity
          -------------------->

                                    RADIUS Access-Request:
                                    EAP-Response passthrough
                                -------------------->

                                    RADIUS Access-Challenge:
                                    EAP-Request/TTLS-Start
                                <--------------------

                EAP-Request passthrough
          <--------------------

EAP-Response/TTLS:
ClientHello
          -------------------->

                                    RADIUS Access-Request:
                                    EAP-Response passthrough
                                -------------------->
#######################################################
The right packet should be:

                                    RADIUS Access-Challenge:
                                    EAP-Request/TTLS:
                                    ServerHello
                                    Certificate
                                    ServerKeyExchange
                                    ServerHelloDone
                                <--------------------

But my freeradius sends the packet as:

                                    RADIUS Access-Challenge:
                                    Success/Generic Token Card
                                <--------------------
########################################################
Then the following process will not happen...
And my eap.conf is:

eap {
        default_eap_type = ttls
        timer_expire = 60
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = demo
                private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
                certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
                CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
                dh_file = ${certsdir}/dh
                random_file = ${certsdir}/random
                check_cert_cn = %{User-Name}
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}
##########################
And my user.conf is:

test    Auth-Type := EAP, User-Password == "test"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "1",
>I use wireshark to sniff traffic on a Linux PC which also runs wpa_supplicant.
>1. The first packet is EAPOL Start;
>2. Then the switch sends a Request Identity packet;
>3. Then wpa_supplicant sends a Response, Identity packet;
>4. Then the switch sends a Request, EAP-TTLS[Funk] packet;
>5. Then wpa_supplicant sends a Client Hello packet;
>6. Then the switch sends 2 EAP Success packets; // Why does the switch send success packets?
>7. Then the switch sends 2 Failure packets;
>8. Then the switch sends a Request Identity packet, and it starts back at 1.
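As an added example (not code from the original message, nor from FreeRADIUS or wpa_supplicant), the draft's start sequence encoded as a small checker in Python: it decodes raw EAP headers (RFC 3748 layout plus the EAP-TTLS flags byte) and walks a constructed trace that mirrors the sniffed steps above, so the bare EAP-Success arriving right after the ClientHello is reported as the deviation. The trace bytes, the identity "test" and the truncated TLS record are constructed for the example; EAPOL-Start is not an EAP packet and is left out, so the failing step is numbered 5 here.

```python
import struct
# EAP codes (RFC 3748) and the EAP types seen in this exchange
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
IDENTITY, TTLS = 1, 21
TTLS_START = 0x20  # S flag in the EAP-TTLS flags byte

def parse_eap(pkt):
    """Decode one EAP packet into (code, type, ttls_flags); Success/Failure carry no type."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field %d != %d bytes on the wire" % (length, len(pkt)))
    if code in (SUCCESS, FAILURE):
        return code, None, None
    flags = pkt[5] if pkt[4] == TTLS and len(pkt) > 5 else 0
    return code, pkt[4], flags

# The draft's start sequence as predicates over (code, type, flags). After the ClientHello
# the server must answer with EAP-Request/TTLS carrying ServerHello (S flag clear), not EAP-Success.
EXPECTED = [
    (lambda c, t, f: c == REQUEST and t == IDENTITY, "Request/Identity"),
    (lambda c, t, f: c == RESPONSE and t == IDENTITY, "Response/Identity"),
    (lambda c, t, f: c == REQUEST and t == TTLS and f & TTLS_START, "Request/TTLS-Start"),
    (lambda c, t, f: c == RESPONSE and t == TTLS, "Response/TTLS ClientHello"),
    (lambda c, t, f: c == REQUEST and t == TTLS and not f & TTLS_START, "Request/TTLS ServerHello"),
]

def check_ttls_start(trace):
    """Walk an EAP trace against EXPECTED; return the first deviation as text, or None."""
    for i, (pkt, (ok, name)) in enumerate(zip(trace, EXPECTED)):
        code, eap_type, flags = parse_eap(pkt)
        if not ok(code, eap_type, flags):
            return "step %d: expected %s, got code=%d type=%s" % (i + 1, name, code, eap_type)
    return None

def eap(code, ident, body=b""):
    # Build a raw EAP packet with a correct length field
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

# Constructed trace mirroring the wireshark steps quoted above (EAPOL-Start omitted, TLS payload
# cut to a record header): the switch answers the ClientHello with a bare EAP-Success.
OBSERVED = [
    eap(REQUEST, 1, bytes([IDENTITY])),
    eap(RESPONSE, 1, bytes([IDENTITY]) + b"test"),
    eap(REQUEST, 2, bytes([TTLS, TTLS_START])),
    eap(RESPONSE, 2, bytes([TTLS, 0x00]) + b"\x16\x03\x01"),
    eap(SUCCESS, 2),
]
# The same trace with the reply the draft calls for at step 5
CONFORMING = OBSERVED[:4] + [eap(REQUEST, 3, bytes([TTLS, 0x00]) + b"\x16\x03\x01")]
```

Running `check_ttls_start(OBSERVED)` names the step where the exchange leaves the draft's sequence, while the conforming trace returns None.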