<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:18pt"><DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Hi!</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> I'd like to describe the problem in detail. My RADIUS server is freeradius.net, which is a Windows version of FreeRADIUS. </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">According to draft-ietf-pppext-eap-ttls-05, a <STRONG>successful authentication via tunneled EAP/MD5-Challenge</STRONG></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><STRONG>should look like this:</STRONG></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><STRONG></STRONG> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><PRE>
 client        access point        TTLS server        AAA/H
 ------        ------------        -----------        -----

               EAP-Request/Identity
        &lt;--------------------

               EAP-Response/Identity
        --------------------&gt;

                              RADIUS Access-Request:
                              EAP-Response passthrough
                                  --------------------&gt;

                              RADIUS Access-Challenge:
                              EAP-Request/TTLS-Start
                                  &lt;--------------------

               EAP-Request passthrough
        &lt;--------------------

               EAP-Response/TTLS:
               ClientHello
        --------------------&gt;

                              RADIUS Access-Request:
                              EAP-Response passthrough
                                  --------------------&gt;
</PRE></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">#######################################################</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">The right packet should be:<PRE>
 RADIUS Access-Challenge:
 EAP-Request/TTLS:
 ServerHello
 Certificate
 ServerKeyExchange
 ServerHelloDone
 &lt;--------------------
</PRE></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">But my freeradius sends the packet as:</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><PRE>
 RADIUS Access-Challenge:
 Success/Generic Token Card
 &lt;--------------------
</PRE></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">########################################################<BR>Then the rest of the exchange does not happen.</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR>And my eap.conf is:<BR><PRE>
eap {
        default_eap_type = ttls
        timer_expire = 60
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                private_key_password = demo
                private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
                certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
                CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
                dh_file = ${certsdir}/dh
                random_file = ${certsdir}/random
                check_cert_cn = %{User-Name}
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
        peap {
                default_eap_type = mschapv2
        }
        mschapv2 {
        }
}
</PRE></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">##########################</DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">And my user.conf is:<BR><PRE>
test    Auth-Type := EAP, User-Password == "test"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "1",
</PRE></DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> <BR><STRONG>>I use Wireshark to sniff traffic on a Linux PC which also runs wpa_supplicant.</STRONG></DIV>
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV>
<DIV>
<DIV>>1. The first packet is EAPOL Start;</DIV>
<DIV>>2. Then the switch sends a Request Identity packet;</DIV>
<DIV>>3. Then wpa_supplicant sends a Response/Identity packet;</DIV>
<DIV>>4. Then the switch sends a Request, EAP-TTLS [Funk] packet;</DIV>
<DIV>>5. Then wpa_supplicant sends a Client Hello packet;</DIV>
<DIV>>6. Then the switch sends 2 EAP Success packets;<STRONG> // Why does the switch send success packets?</STRONG> </DIV>
<DIV>>7. Then the switch sends 2 Failure packets;</DIV>
<DIV>>8. Then the switch sends a Request Identity packet, and it starts back at 1.</DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></div><br>
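<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Reading a capture like the one above means decoding the EAP message that the RADIUS server returns inside its EAP-Message attributes. The following Python is an added example, not code from this post or from FreeRADIUS: it concatenates those attributes and labels the result so that an Access-Challenge carrying TTLS-Start, a TTLS ServerHello flight or a bare EAP-Success can be told apart; the packets it is fed are constructed by hand, not taken from the poster's trace.</DIV>

```python
"""Label the EAP message inside a RADIUS packet the way the trace in the post does
("RADIUS Access-Challenge: EAP-Request/TTLS-Start"). Added example, not code from the post."""
import struct
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_GTC, EAP_TYPE_TTLS = 6, 21                 # RFC 3748 Type numbers
TTLS_FLAG_LENGTH, TTLS_FLAG_START = 0x80, 0x20      # L and S bits of the TTLS flags byte (RFC 5281)

def eap_from_radius(radius: bytes) -> bytes:
    """Concatenate all EAP-Message AVPs (type 79): a TLS flight over 253 bytes spans several."""
    length = struct.unpack("!H", radius[2:4])[0]
    if length != len(radius):
        raise ValueError("RADIUS length field does not match packet size")
    pos, eap = 20, b""                              # 4-byte header + 16-byte Authenticator
    while pos + 2 <= length:
        atype, alen = radius[pos], radius[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        if atype == 79:
            eap += radius[pos + 2:pos + alen]
        pos += alen
    return eap

def describe_eap(eap: bytes) -> str:
    code, _ident, length = struct.unpack("!BBH", eap[:4])
    if length != len(eap):
        raise ValueError("EAP length field does not match payload size")
    name = EAP_CODES.get(code, "Code%d" % code)
    if code in (3, 4):                              # Success/Failure carry no Type field
        return name
    etype = eap[4]
    if etype != EAP_TYPE_TTLS:
        return name + ("/GTC" if etype == EAP_TYPE_GTC else "/Type%d" % etype)
    flags = eap[5]
    if flags & TTLS_FLAG_START:
        return name + "/TTLS-Start"
    tls = eap[10:] if flags & TTLS_FLAG_LENGTH else eap[6:]   # L bit adds a 4-byte TLS Message Length
    if len(tls) >= 6 and tls[0] == 0x16:            # TLS Handshake record; byte 5 is the handshake type
        return "%s/TTLS %s" % (name, {1: "ClientHello", 2: "ServerHello"}.get(tls[5], "Handshake"))
    return name + "/TTLS"

def describe_radius(radius: bytes) -> str:
    rname = RADIUS_CODES.get(radius[0], "Code%d" % radius[0])
    return "RADIUS %s: EAP-%s" % (rname, describe_eap(eap_from_radius(radius)))

def build_radius(code: int, ident: int, eap: bytes) -> bytes:
    """Constructed RADIUS packet (zero Authenticator) carrying eap in 253-byte EAP-Message AVPs."""
    chunks = (eap[i:i + 253] for i in range(0, len(eap), 253))
    attrs = b"".join(bytes([79, 2 + len(c)]) + c for c in chunks)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + bytes(16) + attrs
```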
</body></html>