Help!Problems when eap=ttls.

[Jouni Malinen]

On Tue, May 13, 2008 at 11:04:50AM +0800, ? ? wrote:

> ??? When I set eap type to ttls,wpa_supplicant?will fail to authenticate with?FreeRadius.net.
> 1)I copy the cacert.pem from the FreeRADIUS.net/etc/raddb/certs/demoCA to /etc/cert/cacert.pem
> I have a question,is it a must to?set the value of?ca_cert in wpa_supplicant.conf,as I know,
> ttls only require the certificate of server.

In order to achieve secure authentication, yes, ca_cert has to be
configured to make the supplicant authenticate the server. Sure, the
connection would "work" if ca_cert is not set, but that would mean that
only the client is authenticated and there is no protection against
man-in-the-middle attacks.

> EAP: Ignored truncated EAP-Packet (len=22 plen=2091)

This looks quite odd.. I don't know what exactly is being received here.

> The logs of freeRadius are as follows:

> ? rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
> ??? TLS_accept: SSLv3 write server done A

> Sending Access-Challenge of id 251 to 192.168.1.10 port 1812
> ??????? Tunnel-Type:0 = VLAN
> ??????? Tunnel-Medium-Type:0 = IEEE-802
> ??????? Tunnel-Private-Group-Id:0 = "1"
> ??????? ......
> ??????? EAP-Message = 0x0306082b0601050507030406082b0601050507030806

This EAP message looks truncated.. It looks like something odd happened
in FreeRADIUS..

> I?use the wireshark to?sniff traffic?on linux PC which also runs wpa_supplicant.
> 1.And the first packet is EAPOL Start;
> 2.Then switch send a Request Identity packet;
> 3.Then wpa_supplicant send a Response,Identitiy packet;
> 4.Then swith send a Request,EAP-TTLS[Funk] packet;
> 5.Then wpa_supplicant sent a Client Hello packet;

This seemed to match with the debug logs from the client and server.

> 6.Then switch send?2 EAP Success packets;//Why does the switch send success packets? 

This is odd and looks like a server issue.

-- 
Jouni Malinen                                            PGP id EFC895FA