<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:times new roman, new york, times, serif;font-size:18pt"><DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 18pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV>Hi, all!</DIV>
<DIV> When I set the EAP type to TTLS, wpa_supplicant fails to authenticate with FreeRADIUS.net.</DIV>
<DIV><STRONG>1) I copied cacert.pem from FreeRADIUS.net/etc/raddb/certs/demoCA to /etc/cert/cacert.pem</STRONG></DIV>
<DIV>I have a question: is it mandatory to set the value of ca_cert in wpa_supplicant.conf? As far as I know,</DIV>
<DIV>TTLS only requires the server's certificate.</DIV>
<DIV><STRONG>2) Then I configured wpa_supplicant.conf as follows:</STRONG></DIV>
<DIV>###############################################</DIV>
<DIV>
<DIV>ctrl_interface=/var/run/wpa_supplicant<BR>ctrl_interface_group=wheel<BR>ap_scan=0<BR>network={<BR> key_mgmt=IEEE8021X<BR> eap=TTLS</DIV>
<DIV> identity="test"<BR> password="test"</DIV>
<DIV> ca_cert="/etc/cert/cacert.pem"<BR> eapol_flags=0<BR>}</DIV>
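<DIV>The ca_cert question raised above is the security-relevant point of this configuration. As an added example that is not the poster's file, here is the same network block with the options wpa_supplicant provides for validating the server before the inner credentials are released. The option names are wpa_supplicant's own; the CN in subject_match is a placeholder.</DIV>

```conf
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0

network={
    key_mgmt=IEEE8021X
    eap=TTLS
    # Outer identity travels in the clear; the real username goes inside the TLS tunnel.
    anonymous_identity="anonymous"
    identity="test"
    password="test"
    # TTLS needs only a server certificate, but the client still needs the CA to
    # check that certificate against. With ca_cert unset, wpa_supplicant does not
    # verify the server certificate at all, so any device answering the EAP-Start
    # can complete the tunnel and receive the inner password.
    ca_cert="/etc/cert/cacert.pem"
    # Accept only a certificate whose subject contains this string (placeholder CN).
    subject_match="/CN=radius.example.org"
    # Inner method: auth=PAP would send the password itself through the tunnel;
    # MSCHAPv2 sends a challenge/response instead.
    phase2="auth=MSCHAPV2"
    eapol_flags=0
}
```

<DIV>One caveat on the CA itself: if the demoCA directory the certificate was copied from was shipped pre-generated with the package rather than created on that server, its private key is in every copy of the package, and anyone holding it can issue a server certificate the block above would accept. In that case the ca_cert check only becomes meaningful once the deployment issues its own CA and server certificate.</DIV>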
<DIV><STRONG>3) Run wpa_supplicant:</STRONG></DIV>
<DIV>#wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -D wired -d</DIV>
<DIV> </DIV>
<DIV>
<DIV><STRONG>The logs of wpa_supplicant are as follows:</STRONG></DIV>
<DIV>#########################################################################################<BR>Initializing interface 'eth0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'<BR>Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'<BR>Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'<BR>ctrl_interface='/var/run/wpa_supplicant'<BR>eapol_version=1<BR>ap_scan=0<BR>Priority group 0<BR> id=0 ssid=''<BR>Initializing interface (2) 'eth0'<BR>wpa_driver_wired_init: Added multicast membership with packet socket<BR>Own MAC address: 00:19:db:89:79:21<BR>RSN: flushing PMKID list in the driver<BR>Setting scan request: 0 sec 100000 usec<BR>EAPOL: SUPP_PAE entering state DISCONNECTED<BR>EAPOL: KEY_RX entering state NO_KEY_RECEIVE<BR>EAPOL: SUPP_BE entering state INITIALIZE<BR>EAP: EAP entering state DISABLED<BR>Added interface
eth0<BR>EAPOL: External notification - portControl=Auto<BR>Already associated with a configured network - generating associated event<BR>Association info event<BR>State: DISCONNECTED -> ASSOCIATED<BR>Associated to a new BSS: BSSID=01:80:c2:00:00:03<BR>No keys have been configured - skip key clearing<BR>Select network based on association information<BR>Network configuration found for the current AP<BR>WPA: clearing AP WPA IE<BR>WPA: clearing AP RSN IE<BR>WPA: clearing own WPA/RSN IE<BR>EAPOL: External notification - portControl=Auto<BR>Associated with 01:80:c2:00:00:03<BR>WPA: Association event - clear replay counter<BR>EAPOL: External notification - portEnabled=0<BR>EAPOL: External notification - portValid=0<BR>EAPOL: External notification - portEnabled=1<BR>EAPOL: SUPP_PAE entering state CONNECTING<BR>EAPOL: SUPP_BE entering state IDLE<BR>EAP: EAP entering state INITIALIZE<BR>EAP: EAP entering state IDLE<BR>Cancelling scan request<BR>EAPOL:
startWhen --> 0<BR>EAPOL: SUPP_PAE entering state CONNECTING<BR>EAPOL: txStart<BR>TX EAPOL: dst=01:80:c2:00:00:03<BR>RX EAPOL from 00:0a:8a:44:1b:43<BR>EAPOL: Received EAP-Packet frame<BR>EAPOL: SUPP_PAE entering state RESTART<BR>EAP: EAP entering state INITIALIZE<BR>EAP: EAP entering state IDLE<BR>EAPOL: SUPP_PAE entering state AUTHENTICATING<BR>EAPOL: SUPP_BE entering state REQUEST<BR>EAPOL: getSuppRsp<BR>EAP: EAP entering state RECEIVED<BR>EAP: Received EAP-Request id=7 method=1 vendor=0 vendorMethod=0<BR>EAP: EAP entering state IDENTITY<BR>CTRL-EVENT-EAP-STARTED EAP authentication started<BR>EAP: EAP-Request Identity data - hexdump_ascii(len=0):<BR>EAP: using real identity - hexdump_ascii(len=4):<BR> 74 65 73
74 test <BR>EAP: EAP entering state SEND_RESPONSE<BR>EAP: EAP entering state IDLE<BR>EAPOL: SUPP_BE entering state RESPONSE<BR>EAPOL: txSuppRsp<BR>TX EAPOL: dst=01:80:c2:00:00:03<BR>EAPOL: SUPP_BE entering state RECEIVE<BR>RX EAPOL from 00:0a:8a:44:1b:43<BR>EAPOL: Received EAP-Packet frame<BR>EAPOL: SUPP_BE entering state REQUEST<BR>EAPOL: getSuppRsp<BR>EAP: EAP entering state RECEIVED<BR>EAP: Received EAP-Request id=8 method=21 vendor=0 vendorMethod=0<BR>EAP: EAP entering state GET_METHOD<BR>EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)<BR>EAP-TTLS: Phase2 type: EAP<BR>TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a
00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00<BR>CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected<BR>EAP: EAP entering state METHOD<BR>SSL: Received packet(len=6) - Flags 0x20<BR>EAP-TTLS: Start (server ver=0, own ver=0)<BR>TLS: Trusted root certificate(s) loaded<BR>EAP-TTLS: Start<BR>SSL: (where=0x10 ret=0x1)<BR>SSL: (where=0x1001 ret=0x1)<BR>SSL: SSL_connect:before/connect initialization<BR>SSL: (where=0x1001 ret=0x1)<BR>SSL: SSL_connect:SSLv3 write client hello A<BR>SSL: (where=0x1002 ret=0xffffffff)<BR><STRONG><FONT size=5>SSL: SSL_connect:error in SSLv3 read server hello A<BR></FONT></STRONG>SSL: SSL_connect - want more data<BR>SSL: 101 bytes pending from ssl_out<BR>SSL: 101 bytes left to be sent out (of total 101 bytes)<BR>EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL<BR>EAP: EAP entering state SEND_RESPONSE<BR>EAP: EAP entering state IDLE<BR>EAPOL: SUPP_BE entering state
RESPONSE<BR>EAPOL: txSuppRsp<BR>TX EAPOL: dst=01:80:c2:00:00:03<BR>EAPOL: SUPP_BE entering state RECEIVE<BR>RX EAPOL from 00:0a:8a:44:1b:43<BR>EAPOL: Received EAP-Packet frame<BR>EAPOL: SUPP_BE entering state REQUEST<BR>EAPOL: getSuppRsp<BR>EAP: EAP entering state RECEIVED<BR>EAP: Ignored truncated EAP-Packet (len=22 plen=2091)<BR>EAP: EAP entering state DISCARD<BR>EAP: EAP entering state IDLE<BR>EAPOL: SUPP_BE entering state RECEIVE</DIV>
<DIV> </DIV>
<DIV><STRONG>The logs of FreeRADIUS are as follows:</STRONG></DIV>
<DIV>############################################################################################</DIV>
<DIV>...... </DIV>
<DIV>rlm_eap: Request found, released from the list<BR> rlm_eap: EAP/ttls<BR> rlm_eap: processing type ttls<BR> rlm_eap_ttls: Authenticate<BR> rlm_eap_tls: processing TLS<BR> eaptls_verify returned 7<BR> rlm_eap_tls: Done initial handshake<BR> (other): before/accept initialization<BR> TLS_accept: before/accept initialization<BR> rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello<BR> TLS_accept: SSLv3 read client hello A<BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello<BR> TLS_accept: SSLv3 write server hello A<BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 09cd], Certificate<BR> TLS_accept: SSLv3 write certificate A<BR> rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone<BR> TLS_accept: SSLv3 write server done
A<BR> TLS_accept: SSLv3 flush data<BR> TLS_accept: Need to read more data: SSLv3 read client certificate A<BR>In SSL Handshake Phase<BR>In SSL Accept mode<BR> eaptls_process returned 13<BR> modcall[authenticate]: module "eap" returns handled for request 11<BR>modcall: leaving group authenticate (returns handled) for request 11<BR>Sending Access-Challenge of id 251 to 192.168.1.10 port 1812<BR> Tunnel-Type:0 = VLAN<BR> Tunnel-Medium-Type:0 = IEEE-802<BR> Tunnel-Private-Group-Id:0 = "1"<BR> ......</DIV>
<DIV> EAP-Message = 0x0306082b0601050507030406082b0601050507030806<BR> Message-Authenticator = 0x00000000000000000000000000000000<BR> State = 0xcca1b62278d13b94358cd7d6397845c2<BR>Finished request 11<BR>.......</DIV>
<DIV> </DIV>
<DIV><STRONG>I used Wireshark to sniff traffic on the Linux PC which also runs wpa_supplicant.</STRONG></DIV>
<DIV>1. The first packet is EAPOL-Start;</DIV>
<DIV>2. Then the switch sends a Request, Identity packet;</DIV>
<DIV>3. Then wpa_supplicant sends a Response, Identity packet;</DIV>
<DIV>4. Then the switch sends a Request, EAP-TTLS [Funk] packet;</DIV>
<DIV>5. Then wpa_supplicant sends a Client Hello packet;</DIV>
<DIV>6. Then the switch sends 2 EAP Success packets<STRONG>; // Why does the switch send Success packets?</STRONG> </DIV>
<DIV>7. Then the switch sends 2 Failure packets;</DIV>
<DIV>8. Then the switch sends a Request, Identity packet, and it starts back at 1.</DIV>
<DIV> </DIV>
<DIV><BR><BR> </DIV></DIV></DIV></DIV><BR>
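<DIV>The wpa_supplicant log above ends with the switch's EAP-TTLS request being discarded as truncated (len=22 plen=2091), and the capture list shows the exchange restarting from Identity. As an added example that is not part of the original post, the Python below parses EAP headers and EAP-TTLS fragments the way a supplicant must (RFC 3748 and RFC 5281): it reassembles a fragmented server flight, builds the empty acknowledgement the peer sends after each fragment, and applies the Length check that rejects a packet whose header claims more bytes than were delivered. Every packet here is constructed; only the 22/2091 figures are taken from the log, and the 2049-byte TLS length inside the truncated sample is an assumption.</DIV>

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# EAP codes and types (RFC 3748); EAP-TTLS is type 21 (RFC 5281).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_TTLS = 1, 21
# EAP-TTLS Flags byte: L = TLS Message Length present, M = more fragments, S = start.
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20


class TruncatedEap(ValueError):
    """The EAP Length field promises more bytes than were delivered."""


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    type: Optional[int]  # None for Success/Failure, which carry no Type byte
    data: bytes          # type-data following the Type byte


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting truncated or malformed headers."""
    if len(buf) < 4:
        raise TruncatedEap(f"need 4 header bytes, got {len(buf)}")
    code, ident, plen = struct.unpack("!BBH", buf[:4])
    if plen < 4:
        raise ValueError(f"EAP Length {plen} is smaller than the header")
    if plen > len(buf):
        # The check behind wpa_supplicant's "Ignored truncated EAP-Packet" line.
        raise TruncatedEap(f"Ignored truncated EAP-Packet (len={len(buf)} plen={plen})")
    body = buf[4:plen]  # bytes past Length are link-layer padding
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type byte")
        return EapPacket(code, ident, plen, body[0], body[1:])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, plen, None, body)
    raise ValueError(f"unknown EAP code {code}")


@dataclass
class TtlsFragment:
    flags: int
    total_len: Optional[int]  # present only when the L bit is set
    payload: bytes            # raw TLS record bytes

    @property
    def start(self) -> bool:
        return bool(self.flags & FLAG_S)

    @property
    def more(self) -> bool:
        return bool(self.flags & FLAG_M)


def parse_ttls(pkt: EapPacket) -> TtlsFragment:
    """Split EAP-TTLS type-data into Flags, optional TLS Message Length, TLS bytes."""
    if pkt.type != EAP_TYPE_TTLS:
        raise ValueError(f"expected EAP type {EAP_TYPE_TTLS}, got {pkt.type}")
    if not pkt.data:
        raise TruncatedEap("EAP-TTLS packet has no Flags byte")
    flags, rest = pkt.data[0], pkt.data[1:]
    total = None
    if flags & FLAG_L:
        if len(rest) < 4:
            raise TruncatedEap("L bit set but TLS Message Length is missing")
        total, rest = struct.unpack("!I", rest[:4])[0], rest[4:]
    return TtlsFragment(flags, total, rest)


class TtlsReassembler:
    """Collects the fragments of one TLS flight until a fragment without M arrives."""

    def __init__(self) -> None:
        self.buf = bytearray()
        self.expected: Optional[int] = None

    def feed(self, frag: TtlsFragment) -> Optional[bytes]:
        if frag.total_len is not None:
            self.expected = frag.total_len
        self.buf += frag.payload
        if frag.more:
            return None  # caller answers with ttls_ack() and waits for the next fragment
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError(f"reassembled {len(self.buf)} bytes, expected {self.expected}")
        flight, self.buf, self.expected = bytes(self.buf), bytearray(), None
        return flight


def build_eap(code: int, ident: int, type_: Optional[int], data: bytes = b"") -> bytes:
    body = (bytes([type_]) if type_ is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def build_ttls_fragments(ident: int, tls: bytes, mtu: int) -> List[bytes]:
    """Fragment a TLS flight as the server side does: L|M first, M in the middle, none last."""
    chunks = [tls[i:i + mtu] for i in range(0, len(tls), mtu)] or [b""]
    frames = []
    for i, chunk in enumerate(chunks):
        flags, hdr = (FLAG_M if i < len(chunks) - 1 else 0), b""
        if i == 0 and len(chunks) > 1:
            flags, hdr = flags | FLAG_L, struct.pack("!I", len(tls))
        frames.append(build_eap(EAP_REQUEST, ident + i, EAP_TYPE_TTLS, bytes([flags]) + hdr + chunk))
    return frames


def ttls_ack(ident: int) -> bytes:
    """Empty EAP-Response/TTLS (Flags 0) that acknowledges a fragment."""
    return build_eap(EAP_RESPONSE, ident, EAP_TYPE_TTLS, b"\x00")


def reassemble(frames: List[bytes]) -> Optional[bytes]:
    """Run a list of EAP-Request/TTLS frames through the reassembler."""
    r, flight = TtlsReassembler(), None
    for f in frames:
        flight = r.feed(parse_ttls(parse_eap(f)))
    return flight


# Constructed sample packets (not captured from the original post).
START_PKT = bytes.fromhex("01080006" "15" "20")  # Request id=8, TTLS, S bit: the 6-byte Start
FAKE_FLIGHT = bytes(range(40))                     # stand-in for ServerHello..ServerHelloDone
# Header says Length 2091 with L|M flags and an assumed TLS length of 2049, but only 22 bytes arrived.
TRUNCATED_PKT = bytes.fromhex("0109082b" "15" "c0" "00000801") + b"\x16\x03\x01" * 4
```

<DIV>Flags 0x20 on a six-byte packet is the EAP-TTLS Start the log reports, and a first fragment of the server's Certificate flight normally carries L|M (0xC0) plus the total TLS length. OpenSSL reporting "want more data" after the ClientHello is therefore the supplicant waiting for the remaining fragments rather than a TLS failure; the parser can show that the fragment it did receive was cut short, but which device shortened it is something only the capture can show.</DIV>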
<HR SIZE=1>
<A href="http://cn.mail.yahoo.com/" target=_blank rel=nofollow>Yahoo Mail, your lifelong mailbox!</A></DIV></DIV></DIV><BR>
</DIV></DIV></div>
</body></html>