Help! Problems when eap=ttls.

娟 严 iamyanjuan
Mon May 12 20:04:50 PDT 2008


Hi, All!
When I set the eap type to ttls, wpa_supplicant fails to authenticate with FreeRadius.net.
1) I copied cacert.pem from FreeRADIUS.net/etc/raddb/certs/demoCA to /etc/cert/cacert.pem.
I have a question: is it a must to set the value of ca_cert in wpa_supplicant.conf? As far as I know,
TTLS only requires the certificate of the server.
2) Then I configured wpa_supplicant.conf as follows:
###############################################
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel
ap_scan=0
network={
  key_mgmt=IEEE8021X
  eap=TTLS
  identity="test"
  password="test"
  ca_cert="/etc/cert/cacert.pem"
  eapol_flags=0
}
3) Run wpa_supplicant:
#wpa_supplicant -ieth0 -c/etc/wpa_supplicant/wpa_supplicant.conf -D wired -d

The logs of wpa_supplicant are as follows:
#########################################################################################
Initializing interface 'eth0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'wired' ctrl_interface 'N/A' bridge 'N/A'
Configuration file '/etc/wpa_supplicant/wpa_supplicant.conf' -> '/etc/wpa_supplicant/wpa_supplicant.conf'
Reading configuration file '/etc/wpa_supplicant/wpa_supplicant.conf'
ctrl_interface='/var/run/wpa_supplicant'
eapol_version=1
ap_scan=0
Priority group 0
   id=0 ssid=''
Initializing interface (2) 'eth0'
wpa_driver_wired_init: Added multicast membership with packet socket
Own MAC address: 00:19:db:89:79:21
RSN: flushing PMKID list in the driver
Setting scan request: 0 sec 100000 usec
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
Added interface eth0
EAPOL: External notification - portControl=Auto
Already associated with a configured network - generating associated event
Association info event
State: DISCONNECTED -> ASSOCIATED
Associated to a new BSS: BSSID=01:80:c2:00:00:03
No keys have been configured - skip key clearing
Select network based on association information
Network configuration found for the current AP
WPA: clearing AP WPA IE
WPA: clearing AP RSN IE
WPA: clearing own WPA/RSN IE
EAPOL: External notification - portControl=Auto
Associated with 01:80:c2:00:00:03
WPA: Association event - clear replay counter
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Cancelling scan request
EAPOL: startWhen --> 0
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: txStart
TX EAPOL: dst=01:80:c2:00:00:03
RX EAPOL from 00:0a:8a:44:1b:43
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=7 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using real identity - hexdump_ascii(len=4):
     74 65 73 74                                       test
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0a:8a:44:1b:43
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=8 method=21 vendor=0 vendorMethod=0
EAP: EAP entering state GET_METHOD
EAP: Initialize selected EAP method: vendor 0 method 21 (TTLS)
EAP-TTLS: Phase2 type: EAP
TLS: Phase2 EAP types - hexdump(len=40): 00 00 00 00 04 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 11 00 00 00
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 21 (TTLS) selected
EAP: EAP entering state METHOD
SSL: Received packet(len=6) - Flags 0x20
EAP-TTLS: Start (server ver=0, own ver=0)
TLS: Trusted root certificate(s) loaded
EAP-TTLS: Start
SSL: (where=0x10 ret=0x1)
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:before/connect initialization
SSL: (where=0x1001 ret=0x1)
SSL: SSL_connect:SSLv3 write client hello A
SSL: (where=0x1002 ret=0xffffffff)
SSL: SSL_connect:error in SSLv3 read server hello A
SSL: SSL_connect - want more data
SSL: 101 bytes pending from ssl_out
SSL: 101 bytes left to be sent out (of total 101 bytes)
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
TX EAPOL: dst=01:80:c2:00:00:03
EAPOL: SUPP_BE entering state RECEIVE
RX EAPOL from 00:0a:8a:44:1b:43
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Ignored truncated EAP-Packet (len=22 plen=2091)
EAP: EAP entering state DISCARD
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RECEIVE

The logs of FreeRADIUS are as follows:
############################################################################################
......
rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
    (other): before/accept initialization
    TLS_accept: before/accept initialization
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0060], ClientHello
    TLS_accept: SSLv3 read client hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
    TLS_accept: SSLv3 write server hello A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 09cd], Certificate
    TLS_accept: SSLv3 write certificate A
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
    TLS_accept: SSLv3 write server done A
    TLS_accept: SSLv3 flush data
    TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 11
modcall: leaving group authenticate (returns handled) for request 11
Sending Access-Challenge of id 251 to 192.168.1.10 port 1812
        Tunnel-Type:0 = VLAN
        Tunnel-Medium-Type:0 = IEEE-802
        Tunnel-Private-Group-Id:0 = "1"
        ......
        EAP-Message = 0x0306082b0601050507030406082b0601050507030806
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcca1b62278d13b94358cd7d6397845c2
Finished request 11
.......

I used Wireshark to sniff traffic on the Linux PC which also runs wpa_supplicant.
1. The first packet is EAPOL Start;
2. Then the switch sends a Request Identity packet;
3. Then wpa_supplicant sends a Response, Identity packet;
4. Then the switch sends a Request, EAP-TTLS [Funk] packet;
5. Then wpa_supplicant sends a Client Hello packet;
6. Then the switch sends 2 EAP Success packets; // Why does the switch send success packets?
7. Then the switch sends 2 Failure packets;
8. Then the switch sends a Request Identity packet, and it starts back at 1.
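As an added example (not part of the original message), the following Python decodes the EAP-Message attribute value printed in the FreeRADIUS log above as if it were a stand-alone EAP packet and compares it with the "Ignored truncated EAP-Packet" line in the wpa_supplicant log. The numbers line up (code 3 = Success, declared length 0x082b = 2091, 22 bytes actually present), which is consistent with the switch relaying one EAP-Message fragment as its own EAPOL frame; the hex values and the log line are copied from this message, and that reading of them is a hypothesis the logs support, not a confirmed diagnosis.

```python
import re
import struct

# Values copied from the logs in this message: the EAP-Message attribute as
# printed by FreeRADIUS and the discard line from the wpa_supplicant -d output.
EAP_MESSAGE_HEX = "0306082b0601050507030406082b0601050507030806"
WPA_DISCARD_LINE = "EAP: Ignored truncated EAP-Packet (len=22 plen=2091)"

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap_header(data: bytes) -> dict:
    """Decode the 4-byte EAP header (RFC 3748): Code, Identifier, Length."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes for an EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    return {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
            "id": ident, "declared_len": length, "actual_len": len(data)}


def parse_discard_line(line: str) -> tuple:
    """Extract (bytes received, length declared in header) from the supplicant's discard message."""
    m = re.search(r"Ignored truncated EAP-Packet \(len=(\d+) plen=(\d+)\)", line)
    if not m:
        raise ValueError("not a truncated-EAP-Packet line")
    return int(m.group(1)), int(m.group(2))


def correlate(eap_hex: str, discard_line: str) -> dict:
    """Report whether the frame the supplicant discarded is exactly this attribute
    value taken on its own as an EAP packet (same byte count, same declared length)."""
    hdr = parse_eap_header(bytes.fromhex(eap_hex))
    received, declared = parse_discard_line(discard_line)
    return {
        "header": hdr,
        "fragment_forwarded_as_packet": hdr["actual_len"] == received
        and hdr["declared_len"] == declared,
        # What a packet capture would label this frame when it parses only the header.
        "capture_would_show": hdr["code_name"],
    }


if __name__ == "__main__":
    print(correlate(EAP_MESSAGE_HEX, WPA_DISCARD_LINE))
```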