Help! Problems when eap=ttls.

娟 严 iamyanjuan
Tue May 13 03:36:38 PDT 2008


Hi!
I'd like to describe the problem in detail. My RADIUS server is freeradius.net, which is a Windows version of freeradius.
According to draft-ietf-pppext-eap-ttls-05, a successful authentication via tunneled EAP/MD5-Challenge
should look like this --->>

   client          access point          TTLS server            AAA/H
   ------          ------------          -----------            -----

        EAP-Request/Identity
        <--------------------

        EAP-Response/Identity
        -------------------->

                              RADIUS Access-Request:
                                EAP-Response passthrough
                              -------------------->

                              RADIUS Access-Challenge:
                                EAP-Request/TTLS-Start
                              <--------------------

        EAP-Request passthrough
        <--------------------

        EAP-Response/TTLS:
          ClientHello
        -------------------->

                              RADIUS Access-Request:
                                EAP-Response passthrough
                              -------------------->

#######################################################
The right packet should be:
                              RADIUS Access-Challenge:
                                EAP-Request/TTLS:
                                  ServerHello
                                  Certificate
                                  ServerKeyExchange
                                  ServerHelloDone
                              <--------------------
But my freeradius sends the packet as:
                              RADIUS Access-Challenge:
                                Success/Generic Token Card
                              <--------------------
########################################################
Then the following process will not happen.....

And my eap.conf is:
 eap {

   # outer EAP method offered to the supplicant
   default_eap_type = ttls
   timer_expire     = 60
   cisco_accounting_username_bug = no
   md5 {
   }

   leap {
   }

   gtc {
     auth_type = PAP
   }
   tls {
     private_key_password = demo
     private_key_file = ${certsdir}/FreeRADIUS.net-Server.pem
     certificate_file = ${certsdir}/FreeRADIUS.net-Server.crt
     CA_file = ${certsdir}/FreeRADIUS.net-CA.crt
     dh_file = ${certsdir}/dh
     random_file = ${certsdir}/random
     check_cert_cn = %{User-Name}
   }
   ttls {
     # inner EAP method run inside the TLS tunnel
     default_eap_type = md5
     copy_request_to_tunnel = no
     use_tunneled_reply = no
   }
   peap {
     default_eap_type = mschapv2
   }
   mschapv2 {
   }
 }
##########################
And my user.conf is:

test    Auth-Type := EAP, User-Password == "test"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "1"

>I use wireshark to sniff traffic on a Linux PC which also runs wpa_supplicant.
>1. And the first packet is EAPOL Start;
>2. Then the switch sends a Request Identity packet;
>3. Then wpa_supplicant sends a Response, Identity packet;
>4. Then the switch sends a Request, EAP-TTLS [Funk] packet;
>5. Then wpa_supplicant sends a Client Hello packet;
>6. Then the switch sends 2 EAP Success packets; // Why does the switch send success packets?
>7. Then the switch sends 2 Failure packets;
>8. Then the switch sends a Request Identity packet, and it starts back at 1.


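The post compares the frames wpa_supplicant sees against the ladder diagram in draft-ietf-pppext-eap-ttls-05. The script below is an added example, not code from the post, hostap, or FreeRADIUS: it decodes EAP packets per RFC 3748 (Code, Identifier, Length, Type) and the EAP-TTLS flags byte (L, M, S bits plus version), names each frame the way the draft does, and reports the first point where a capture departs from the expected start of the exchange. The sample frames are constructed inline, and their TLS records are minimal stand-ins with a valid record and handshake header rather than real hello messages; all function and constant names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 6: "GTC", 21: "TTLS", 25: "PEAP"}
TLS_HANDSHAKE = 0x16                       # TLS record content type for handshake messages
HANDSHAKE_NAMES = {1: "ClientHello", 2: "ServerHello"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type field
    data: bytes               # Type-Data (empty for Success/Failure)


def build_eap(code: int, identifier: int, body: bytes = b"") -> bytes:
    """Encode an EAP packet: Code, Identifier, Length (header included), then body."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(raw: bytes) -> EapPacket:
    """Decode the RFC 3748 header; the Length field bounds the packet, trailing bytes are pad."""
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(raw):
        raise ValueError(f"EAP length {length} does not fit in {len(raw)} bytes")
    body = raw[4:length]
    if code in (1, 2):
        if not body:
            raise ValueError("Request/Response must carry a Type byte")
        return EapPacket(code, ident, body[0], body[1:])
    return EapPacket(code, ident, None, body)


def ttls_flags(data: bytes) -> Dict[str, int]:
    """EAP-TTLS flags byte: L (0x80) length present, M (0x40) more fragments, S (0x20) start, low 3 bits version."""
    f = data[0]
    return {"L": f & 0x80, "M": f & 0x40, "S": f & 0x20, "version": f & 0x07}


def describe(pkt: EapPacket) -> str:
    """Name a packet the way the draft's ladder diagram does, e.g. 'Request/TTLS-Start'."""
    name = EAP_CODES[pkt.code]
    if pkt.eap_type is None:
        return name
    if pkt.eap_type != 21:
        return f"{name}/{EAP_TYPES.get(pkt.eap_type, 'Type-%d' % pkt.eap_type)}"
    flags = ttls_flags(pkt.data)
    if flags["S"]:
        return f"{name}/TTLS-Start"
    tls = pkt.data[5:] if flags["L"] else pkt.data[1:]   # skip the 4-byte TLS Message Length when L is set
    if len(tls) >= 6 and tls[0] == TLS_HANDSHAKE:        # 5-byte record header, then the handshake type
        return f"{name}/TTLS:{HANDSHAKE_NAMES.get(tls[5], 'Handshake-%d' % tls[5])}"
    return f"{name}/TTLS"


# First steps of the draft's diagram as seen on the EAP leg between supplicant and server.
EXPECTED_START = [
    "Request/Identity",
    "Response/Identity",
    "Request/TTLS-Start",
    "Response/TTLS:ClientHello",
    "Request/TTLS:ServerHello",   # ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
]


def check_sequence(frames: List[bytes]) -> Optional[str]:
    """Return None if the capture follows EXPECTED_START, else a description of the first deviation."""
    seen = [describe(parse_eap(f)) for f in frames]
    if not seen:
        return "empty capture"
    for i, expected in enumerate(EXPECTED_START):
        if i >= len(seen):
            return f"capture ends after '{seen[-1]}'; expected '{expected}' next"
        if seen[i] != expected:
            return f"step {i + 1}: expected '{expected}', got '{seen[i]}'"
    return None


# Constructed sample frames (hypothetical, not taken from the post's capture).  The TLS records
# are minimal stand-ins with a valid record and handshake header, not real hello messages.
def tls_handshake(msg_type: int) -> bytes:
    body = bytes([msg_type, 0, 0, 2, 3, 1])               # handshake type, 3-byte length, 2-byte version
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(body)) + body


def ttls_record(tls: bytes) -> bytes:
    return bytes([21, 0x80]) + struct.pack("!I", len(tls)) + tls   # Type=TTLS, L flag, TLS Message Length


COMMON = [
    build_eap(1, 1, b"\x01"),                          # Request/Identity
    build_eap(2, 1, b"\x01test"),                      # Response/Identity "test"
    build_eap(1, 2, b"\x15\x20"),                      # Request/TTLS-Start (S flag set)
    build_eap(2, 2, ttls_record(tls_handshake(1))),    # Response/TTLS: ClientHello
]
GOOD_CAPTURE = COMMON + [build_eap(1, 3, ttls_record(tls_handshake(2)))]   # Request/TTLS: ServerHello ...
BROKEN_CAPTURE = COMMON + [build_eap(3, 3), build_eap(3, 3), build_eap(4, 4), build_eap(4, 4)]
```

Running `check_sequence(BROKEN_CAPTURE)` reproduces the symptom from the post: the fifth frame is an EAP Success where the server's TLS ServerHello should be, so the TLS handshake never completes and the inner method never starts. Fed with frames extracted from a real capture (the EAP payload of each EAPOL frame), the same check points at the step where the server left the expected exchange.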



More information about the Hostap mailing list