Help! Problems when eap=ttls.
j at w1.fi
Tue May 13 09:04:43 EDT 2008
On Tue, May 13, 2008 at 11:04:50AM +0800, 娟 严 wrote:
> When I set eap type to ttls, wpa_supplicant will fail to authenticate with FreeRadius.net.
> 1) I copied the cacert.pem from the FreeRADIUS.net/etc/raddb/certs/demoCA to /etc/cert/cacert.pem
> I have a question: is it a must to set the value of ca_cert in wpa_supplicant.conf? As I know,
> ttls only requires the certificate of the server.
In order to achieve secure authentication, yes, ca_cert has to be
configured to make the supplicant authenticate the server. Sure, the
connection would "work" if ca_cert is not set, but that would mean that
only the client is authenticated and there is no protection against
> EAP: Ignored truncated EAP-Packet (len=22 plen=2091)
This looks quite odd.. I don't know what exactly is being received here.
> The logs of freeRadius are as follows:
> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> TLS_accept: SSLv3 write server done A
> Sending Access-Challenge of id 251 to 192.168.1.10 port 1812
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = "1"
> EAP-Message = 0x0306082b0601050507030406082b0601050507030806
This EAP message looks truncated.. It looks like something odd happened
> I used Wireshark to sniff traffic on the Linux PC which also runs wpa_supplicant.
> 1. And the first packet is EAPOL Start;
> 2. Then the switch sends a Request Identity packet;
> 3. Then wpa_supplicant sends a Response, Identity packet;
> 4. Then the switch sends a Request, EAP-TTLS [Funk] packet;
> 5. Then wpa_supplicant sends a Client Hello packet;
This seemed to match with the debug logs from the client and server.
> 6. Then the switch sends 2 EAP Success packets; // Why does the switch send success packets?
This is odd and looks like a server issue.
Jouni Malinen PGP id EFC895FA
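An added check, not code from the thread or from the hostap project, that audits wpa_supplicant.conf network blocks for the misconfiguration Jouni describes above: a TLS-based EAP method such as TTLS with no ca_cert, so the supplicant never verifies the server certificate. The sample configurations below are constructed; the ca_cert path is the one from the original question.

```python
"""Audit wpa_supplicant.conf network={...} blocks for tunnelled EAP
methods that do not pin a CA certificate with ca_cert."""

# EAP methods that run a TLS handshake to the server; without ca_cert the
# supplicant accepts any server certificate (only the client is authenticated).
TLS_BASED = {"TTLS", "PEAP", "TLS", "FAST"}


def parse_networks(conf_text):
    """Return one dict per network={...} block (keys/values as strings).

    Lines starting with '#' are ignored; surrounding quotes are removed, so
    ssid="corp" becomes {'ssid': 'corp'}. Settings outside a block are skipped.
    """
    networks, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit(conf_text):
    """Return (ssid, finding) pairs for blocks that skip server validation."""
    findings = []
    for net in parse_networks(conf_text):
        methods = set(net.get("eap", "").upper().split())
        if methods & TLS_BASED and not net.get("ca_cert"):
            findings.append((net.get("ssid", "?"),
                             "eap=%s without ca_cert: server certificate is not verified"
                             % net["eap"]))
    return findings


# Constructed sample: the weak block has no ca_cert at all.
WEAK_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user"
    password="secret"
    phase2="auth=MSCHAPV2"
}
"""
# Corrected block: same network with the CA certificate pinned.
FIXED_CONF = WEAK_CONF.replace('    phase2="auth=MSCHAPV2"\n',
                               '    phase2="auth=MSCHAPV2"\n'
                               '    ca_cert="/etc/cert/cacert.pem"\n')

if __name__ == "__main__":
    for ssid, finding in audit(WEAK_CONF):
        print("%s: %s" % (ssid, finding))
```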