<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace"><div class="gmail_default" style="font-family:courier new,monospace">Hi,<br><br>I'm using FreeBSD 11.0-CURRENT r277315 and have met a problem with my FreeBSD Access Point on an EAP-TLS setup.<br></div><div class="gmail_default" style="font-family:courier new,monospace">I've tested with hostapd 2.0 (included with FreeBSD) and hostapd 2.3 (from the port) but I have the same problem:<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">During EAP-TLS authentication, the Authenticator (hostapd) correctly sends an EAP fragmented "Server Hello, Certificate, Certificate Request" message to the supplicant.<br>The supplicant (MS Windows native client) correctly ACKs each of these fragmented EAP packets with an empty EAP-TLS packet.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">Once the supplicant re-assembles the full EAP Certificate Request from the Authenticator, it sends a response (EAP fragmented too).<br></div><div class="gmail_default" style="font-family:courier new,monospace">But hostapd never ACKs this first fragmented packet received from the supplicant<br>=> Then the authentication phase times out.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">I've tried with 3 different wireless cards:<br></div><div class="gmail_default" style="font-family:courier new,monospace">- Atheros 9280 (ath driver)<br></div><div class="gmail_default" style="font-family:courier new,monospace">- Atheros AR2425 (ath driver)<br>- Ralink RT2573 (rum driver)<br></div>And all of these have the same problem (not a chipset or driver problem).<br><br>Here is a tcpdump text export of an exchange (done on the hostapd):<br>- D-Link_58:79:3e is the AP (authenticator)<br>- GemtekTe_35:8c:70 is the wireless client (supplicant)<br><br><br>No. Time Source Destination Protocol Length Info<br> 21 21.497272 D-Link_58:79:3e GemtekTe_35:8c:70 EAP 23 Request, Identity<br> 22 21.541316 GemtekTe_35:8c:70 D-Link_58:79:3e EAPOL 19 Start<br> 23 21.542460 D-Link_58:79:3e GemtekTe_35:8c:70 EAP 23 Request, Identity<br> 24 21.544299 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 60 Response, Identity<br> 25 21.547151 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 60 Response, Identity<br> 26 21.615532 D-Link_58:79:3e GemtekTe_35:8c:70 EAP 24 Request, TLS EAP (EAP-TLS)<br> 27 21.622288 GemtekTe_35:8c:70 D-Link_58:79:3e SSL 125 Client Hello<br> 28 21.691433 D-Link_58:79:3e GemtekTe_35:8c:70 TLSv1 1314 Server Hello, Certificate, Certificate Request, Server Hello Done<br> 29 21.694861 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 24 Response, TLS EAP (EAP-TLS)<br> 30 23.594184 D-Link_58:79:3e GemtekTe_35:8c:70 TLSv1 1314 Server Hello, Certificate, Certificate Request, Server Hello Done<br> 31 23.596294 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 24 Response, TLS EAP (EAP-TLS)<br> 32 23.664337 D-Link_58:79:3e GemtekTe_35:8c:70 TLSv1 1314 Server Hello, Certificate, Certificate Request, Server Hello Done<br> 33 23.668877 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 24 Response, TLS EAP (EAP-TLS)<br> 34 23.732970 D-Link_58:79:3e GemtekTe_35:8c:70 TLSv1 272 Server Hello, Certificate, Certificate Request, Server Hello Done<br> 35 23.743648 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 1510 Response, TLS EAP (EAP-TLS)<br><br><br></div><div class="gmail_default" style="font-family:courier new,monospace">And here is the detail of this last frame 35:<br><br>No. Time Source Destination Protocol Length Info<br> 35 23.743648 GemtekTe_35:8c:70 D-Link_58:79:3e EAP 1510 Response, TLS EAP (EAP-TLS)<br><br>Frame 35: 1510 bytes on wire (12080 bits), 1510 bytes captured (12080 bits)<br>Ethernet II, Src: GemtekTe_35:8c:70 (20:10:7a:35:8c:70), Dst: D-Link_58:79:3e (00:21:91:58:79:3e)<br> Destination: D-Link_58:79:3e (00:21:91:58:79:3e)<br> Source: GemtekTe_35:8c:70 (20:10:7a:35:8c:70)<br> Type: 802.1X Authentication (0x888e)<br>802.1X Authentication<br> Version: 802.1X-2001 (1)<br> Type: EAP Packet (0)<br> Length: 1492<br> Extensible Authentication Protocol<br> Code: Response (2)<br> Id: 9<br> Length: 1492<br> Type: TLS EAP (EAP-TLS) (13)<br> EAP-TLS Flags: 0xc0<br> 1... .... = Length Included: True<br> .1.. .... = More Fragments: True<br> ..0. .... = Start: False<br> EAP-TLS Length: 3524<br><br><br></div><div class="gmail_default" style="font-family:courier new,monospace">=> it's a fragmented EAP-TLS packet (Length: 3524, More Fragments set).<br></div><div class="gmail_default" style="font-family:courier new,monospace">Then once this first fragment is received, hostapd should ACK this fragment with an empty EAP-TLS frame… but it didn't send it.<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">I've checked the eap_server/eap_server_tls common.c file and see lots of wpa_printf() calls regarding EAP-TLS and SSL that could help me to debug it. But I didn't manage to enable this debug mode (even by starting hostapd with -dd).<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">How do I display these EAP-TLS/SSL debug messages?<br><br></div><div class="gmail_default" style="font-family:courier new,monospace">Thanks,<br></div></div>
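The fragmentation exchange described in the post (a supplicant fragment with the L and M flags set, the authenticator's empty EAP-TLS ACK, and reassembly against the announced TLS Message Length) as an added worked example in Python. This is not code from the post or from hostapd; it follows the EAP-TLS fragment format of RFC 5216. The header values of the constructed first fragment (Response, Id 9, Length 1492, flags 0xc0, EAP-TLS Length 3524) are taken from the frame 35 decode above, while the payload bytes are zero filler since the capture's TLS data is not on the page; the second fragment, the function names and the identifier handling are assumptions made for the example.

```python
"""EAP-TLS fragment parsing, fragment ACK, and reassembly (RFC 5216 s2.1.5).
Added example, not hostapd code. Sample header values come from the frame 35
decode in the post; payload bytes are constructed filler."""
import struct
from dataclasses import dataclass
from typing import List, Optional

EAP_CODE_REQUEST = 1
EAP_CODE_RESPONSE = 2
EAP_TYPE_TLS = 13
# EAP-TLS flags byte: L = Length Included, M = More Fragments, S = Start
FLAG_L = 0x80
FLAG_M = 0x40
FLAG_S = 0x20


@dataclass
class EapTlsPacket:
    code: int
    identifier: int
    length: int                        # EAP Length field (whole EAP packet)
    flags: int
    tls_message_length: Optional[int]  # present only when the L flag is set
    data: bytes                        # TLS bytes carried by this fragment

    @property
    def length_included(self) -> bool:
        return bool(self.flags & FLAG_L)

    @property
    def more_fragments(self) -> bool:
        return bool(self.flags & FLAG_M)

    @property
    def start(self) -> bool:
        return bool(self.flags & FLAG_S)

    def is_ack(self) -> bool:
        # No flags and no data: the "empty EAP-TLS packet" used as a fragment ACK
        return self.flags & (FLAG_L | FLAG_M | FLAG_S) == 0 and not self.data


def parse_eap_tls(pkt: bytes) -> EapTlsPacket:
    """Parse one EAP packet (the EAPOL body) of type EAP-TLS."""
    if len(pkt) < 6:
        raise ValueError("too short for an EAP-TLS header")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", pkt[:6])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} != packet size {len(pkt)}")
    if eap_type != EAP_TYPE_TLS:
        raise ValueError(f"not EAP-TLS (type {eap_type})")
    offset, tls_len = 6, None
    if flags & FLAG_L:
        if len(pkt) < 10:
            raise ValueError("L flag set but no TLS Message Length field")
        (tls_len,) = struct.unpack("!I", pkt[6:10])
        offset = 10
    return EapTlsPacket(code, ident, length, flags, tls_len, pkt[offset:])


def build_fragment_ack(received: EapTlsPacket) -> bytes:
    """The authenticator's reply to a supplicant fragment with M set: an EAP
    Request of type EAP-TLS, flags 0, no data, identifier one above the
    fragment it acknowledges (identifier choice is this example's assumption)."""
    if not received.more_fragments:
        raise ValueError("last fragment: the next packet carries TLS data, not an ACK")
    ident = (received.identifier + 1) & 0xFF
    return struct.pack("!BBHBB", EAP_CODE_REQUEST, ident, 6, EAP_TYPE_TLS, 0)


def reassemble(fragments: List[bytes]) -> bytes:
    """Concatenate fragment data and check it against the announced length."""
    pkts = [parse_eap_tls(f) for f in fragments]
    if not pkts[0].length_included:
        raise ValueError("first fragment must carry the TLS Message Length (L flag)")
    buf = bytearray()
    for i, p in enumerate(pkts):
        if not p.more_fragments and i != len(pkts) - 1:
            raise ValueError("fragment without M flag followed by another fragment")
        buf += p.data
    if pkts[-1].more_fragments:
        raise ValueError("incomplete: last fragment still has M set")
    if len(buf) != pkts[0].tls_message_length:
        raise ValueError(f"reassembled {len(buf)} bytes, announced {pkts[0].tls_message_length}")
    return bytes(buf)


def sample_fragments() -> List[bytes]:
    """Constructed two-fragment sequence. Fragment 1 reuses the frame 35 header
    values (Response, Id 9, Length 1492, flags 0xc0, TLS length 3524) over
    1482 bytes of zero filler; fragment 2 carries the remaining 2042 bytes."""
    first = struct.pack("!BBHBBI", EAP_CODE_RESPONSE, 9, 1492,
                        EAP_TYPE_TLS, FLAG_L | FLAG_M, 3524) + bytes(1482)
    rest = 3524 - 1482
    second = struct.pack("!BBHBB", EAP_CODE_RESPONSE, 10, 6 + rest,
                         EAP_TYPE_TLS, 0) + bytes(rest)
    return [first, second]


if __name__ == "__main__":
    frag1 = parse_eap_tls(sample_fragments()[0])
    print(f"Id {frag1.identifier} flags 0x{frag1.flags:02x} L={frag1.length_included} "
          f"M={frag1.more_fragments} S={frag1.start} TLS length {frag1.tls_message_length}")
    print("expected ACK from the authenticator:", build_fragment_ack(frag1).hex())
    print("reassembled:", len(reassemble(sample_fragments())), "bytes")
```

Running it prints the decode of the first fragment, the six-byte ACK (`010a00060d00`) the authenticator is expected to send back before the supplicant transmits the second fragment, and the reassembled size; feeding only the first fragment to `reassemble()` raises, which is the state the post describes when no ACK ever arrives.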