Help! Problems when eap=ttls.

娟 严 iamyanjuan at yahoo.com.cn
Tue May 13 06:36:38 EDT 2008


Hi!
   I'd like to describe the problem in detail. My RADIUS server is FreeRADIUS.net, which is a Windows version of FreeRADIUS.
According to draft-ietf-pppext-eap-ttls-05, a successful authentication via tunneled EAP/MD5-Challenge
should look like this --->>
 
 client          access point           TTLS server             AAA/H
   ------          ------------           -----------             -----

     EAP-Request/Identity
     <--------------------

     EAP-Response/Identity
     -------------------->

                           RADIUS Access-Request:
                             EAP-Response passthrough
                           -------------------->

                           RADIUS Access-Challenge:
                             EAP-Request/TTLS-Start
                           <--------------------

     EAP-Request passthrough
     <--------------------

     EAP-Response/TTLS:
       ClientHello
     -------------------->

                           RADIUS Access-Request:
                             EAP-Response passthrough
                           -------------------->

#######################################################
The right packet should be:
                           RADIUS Access-Challenge:
                             EAP-Request/TTLS:
                               ServerHello
                               Certificate
                               ServerKeyExchange
                               ServerHelloDone
                           <--------------------
But my FreeRADIUS sends the packet as:
                           RADIUS Access-Challenge:
                           Success/Generic Token Card
                           <--------------------
########################################################
Then the rest of the exchange does not happen.

And my eap.conf is:
 eap {
   default_eap_type = ttls         # outer method offered to the supplicant first
   timer_expire = 60
   cisco_accounting_username_bug = no

   md5 {
   }

   leap {
   }

   gtc {
     auth_type = PAP
   }

   tls {
     private_key_password = demo
     private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
     certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
     CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
     dh_file = ${certsdir}/dh
     random_file = ${certsdir}/random
     check_cert_cn = %{User-Name}
   }

   ttls {
     default_eap_type = md5         # inner method run inside the TLS tunnel
     copy_request_to_tunnel = no
     use_tunneled_reply = no
   }

   peap {
     default_eap_type = mschapv2
   }

   mschapv2 {
   }
 }
##########################
And my user.conf is:

# reply items are comma-separated; the last one must not end with a comma
test Auth-Type := EAP, User-Password == "test"
  Tunnel-Type = "VLAN",
  Tunnel-Medium-Type = "IEEE-802",
  Tunnel-Private-Group-Id = "1"
 
 
>I use Wireshark to sniff traffic on a Linux PC which also runs wpa_supplicant.
>1. The first packet is EAPOL Start;
>2. Then the switch sends a Request Identity packet;
>3. Then wpa_supplicant sends a Response, Identity packet;
>4. Then the switch sends a Request, EAP-TTLS [Funk] packet;
>5. Then wpa_supplicant sends a Client Hello packet;
>6. Then the switch sends 2 EAP Success packets; //Why does the switch send success packets?
>7. Then the switch sends 2 Failure packets;
>8. Then the switch sends a Request Identity packet, and it starts back at 1.


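As an added illustration, not code from the original post nor from FreeRADIUS or wpa_supplicant, the Python below decodes the EAP header, the EAP-TTLS flags byte and the TLS handshake messages of the packet the server returns after the supplicant's ClientHello, and reports whether it is the expected EAP-Request/TTLS carrying ServerHello ... ServerHelloDone or, as in the capture described above, an EAP-Success or an EAP-Request/GTC. Code and type numbers follow RFC 3748 (EAP) and RFC 5281 (EAP-TTLS); the sample packets are constructed here, not taken from the poster's capture, and all function names are my own.

```python
import struct

# RFC 3748 codes and method types; RFC 5281 assigns EAP-TTLS type 21.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 6: "GTC", 21: "TTLS", 25: "PEAP"}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone"}
TLS_HANDSHAKE = 22


def tls_handshake_messages(buf: bytes) -> list:
    """Walk TLS records (type, version, length) and list the handshake messages inside."""
    names = []
    while len(buf) >= 5:
        ctype, _version, rlen = struct.unpack("!BHH", buf[:5])
        body, buf = buf[5:5 + rlen], buf[5 + rlen:]
        if len(body) != rlen:
            raise ValueError("truncated TLS record")
        if ctype != TLS_HANDSHAKE:
            names.append(f"record-{ctype}")
            continue
        while len(body) >= 4:                      # handshake header: type(1) length(3)
            htype, hlen = body[0], int.from_bytes(body[1:4], "big")
            names.append(HANDSHAKE_TYPES.get(htype, f"handshake-{htype}"))
            body = body[4 + hlen:]
    return names


def parse_eap(pkt: bytes) -> dict:
    """Decode an EAP packet; for EAP-TTLS also decode the flags byte and TLS payload."""
    if len(pkt) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    info = {"code": EAP_CODES[code], "id": ident, "length": length}
    if code in (1, 2):                             # only Request/Response carry a Type
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        eap_type = pkt[4]
        info["type"] = EAP_TYPES.get(eap_type, f"type-{eap_type}")
        data = pkt[5:]
        if eap_type == 21 and data:
            flags = data[0]                        # L M S R R V V V
            ttls = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                    "S": bool(flags & 0x20), "version": flags & 0x07}
            body = data[1:]
            if ttls["L"]:                          # L flag: 4-byte total TLS message length follows
                if len(body) < 4:
                    raise ValueError("L flag set but no TLS message length")
                ttls["tls_message_length"] = struct.unpack("!I", body[:4])[0]
                body = body[4:]
            ttls["handshake"] = tls_handshake_messages(body)
            info["ttls"] = ttls
    return info


def check_reply_to_client_hello(pkt: bytes) -> tuple:
    """Return (ok, reason) for the server packet that follows the ClientHello."""
    info = parse_eap(pkt)
    if info["code"] != "Request":
        return False, f"expected EAP-Request, got EAP-{info['code']}"
    if info.get("type") != "TTLS":
        return False, f"expected EAP-TTLS, got {info.get('type')}"
    msgs = info["ttls"]["handshake"]
    if "ServerHello" not in msgs:
        return False, f"TTLS request without ServerHello (start flag S={info['ttls']['S']})"
    return True, "server continued the TLS handshake: " + ", ".join(msgs)


def build_eap_ttls_request(ident: int, tls_records: bytes, first_fragment: bool = True) -> bytes:
    """Build EAP-Request/TTLS around tls_records (L flag and length on the first fragment)."""
    payload = bytes([21, 0x80 if first_fragment else 0x00])
    if first_fragment:
        payload += struct.pack("!I", len(tls_records))
    payload += tls_records
    return struct.pack("!BBH", 1, ident, 4 + len(payload)) + payload


def handshake_record(*messages) -> bytes:
    """Wrap (handshake_type, body) pairs in one TLS 1.0 handshake record."""
    body = b"".join(bytes([t]) + len(m).to_bytes(3, "big") + m for t, m in messages)
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(body)) + body


# Constructed sample packets (assumed shapes, not bytes from the original capture).
SERVER_FLIGHT = handshake_record((2, b"\x03\x01" + b"\x00" * 34), (11, b"\x00\x00\x00"),
                                 (12, b"\x00" * 8), (14, b""))
GOOD_REPLY = build_eap_ttls_request(3, SERVER_FLIGHT)      # what the draft's diagram expects
EAP_SUCCESS = bytes([3, 4, 0, 4])                           # bare EAP-Success, id 4
GTC_REQUEST = bytes([1, 5, 0, 10, 6]) + b"hello"            # EAP-Request/GTC with a 5-byte prompt

if __name__ == "__main__":
    for name, pkt in (("good", GOOD_REPLY), ("success", EAP_SUCCESS), ("gtc", GTC_REQUEST)):
        print(name, check_reply_to_client_hello(pkt))
```

Feeding the decoder the EAP payload extracted from a capture (the EAP-Message attributes of the Access-Challenge, or the EAP frame inside EAPOL) distinguishes the three outcomes in the post: a TTLS request that continues the handshake, a Success that ends the conversation early, and a GTC request that means the server never entered the TTLS method at all.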