Dear all,

I am working on an EAP/TLS authentication with FreeRADIUS and the Odyssey client. After a client hello message with a bunch of cipher suites, the Odyssey client receives a server hello message with one cipher suite. It responds with a TLS Alert message that tells the server the cipher suite selection has been fatal!
At the end I attached the complete protocol as well for further studies. How does FreeRADIUS choose the cipher suite?

Kind regards,
Markus

------------------------------------------------------------------------------------

In Frame 3 you see the TLS client hello message [...]

t:EAP Message(79) l:100
  Extensible Authentication Protocol
    Code: Response (2)
    Id: 1
    Length: 98
    Type: EAP-TLS [RFC2716] [Aboba] (13)
    Flags(0x80): Length
    Length: 88
    Secure Socket Layer
      TLS Record Layer: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 83
        Handshake Protocol: Client Hello
          Handshake Type: Client Hello (1)
          Length: 79
          Version: TLS 1.0 (0x0301)
          Random.gmt_unix_time: Dec 10, 2003 07:34:00.000000000
          Random.bytes
          Session ID Length: 0
          Cipher Suites Length: 40
          Cipher Suites (20 suites)
            Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
            Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
            Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
            Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
            Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
            Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
            Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
            Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
            Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
            Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065)
            Cipher Suite: Unknown (0x0060)
            Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
            Cipher Suite: Unknown (0x0061)
            Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
            Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
            Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
            Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
            Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
            Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
          Compression Methods Length: 1
          Compression Methods (1 method)
            Compression Method: null (0)
t:State(24) l:18, Value:EC4C30D787C1E6E5707DCD67163D55AD
t:Message Authenticator(80) l:18, Value:02BD363DEBC6CBD6D79384C72CA6A89D

In Frame 4 you see the server hello [...]

Extensible Authentication Protocol
  Code: Request (1)
  Id: 2
  Length: 1034
  Type: EAP-TLS [RFC2716] [Aboba] (13)
  Flags(0xC0): Length More
  Length: 1497
  EAP-TLS Fragments
    Frame:4 payload:0-1023
    Frame:6 payload:1024-1496
  Secure Socket Layer
    TLS Record Layer: Server Hello
      Content Type: Handshake (22)
      Version: TLS 1.0 (0x0301)
      Length: 74
      Handshake Protocol: Server Hello
        Handshake Type: Server Hello (2)
        Length: 70
        Version: TLS 1.0 (0x0301)
        Random.gmt_unix_time: Dec 10, 2003 07:30:44.000000000
        Random.bytes
        Session ID Length: 32
        Session ID (32 bytes)
        Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)   <============ Cipher suite
        Compression Method: null (0)
    TLS Record Layer: Certificate
      Content Type: Handshake (22)
      Version: TLS 1.0 (0x0301)
      Length: 1307
      Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 1303
        Certificates Length: 1300
        Certificates (1300 bytes)
          Certificate Length: 573
          Certificate (573 bytes)
          Certificate Length: 721
          Certificate (721 bytes)
    TLS Record Layer: Multiple Handshake Messages
      Content Type: Handshake (22)
      Version: TLS 1.0 (0x0301)
      Length: 101
      Handshake Protocol: Certificate Request
        Handshake Type: Certificate Request (13)
        Length: 93
        Certificate types count: 2
        Certificate types (2 types)
          Certificate type: RSA Sign (1)
          Certificate type: DSS Sign (2)
        Distinguished Names Length: 88
        Distinguished Names (88 bytes)
          Distinguished Name Length: 86
          Distinguished Name (86 bytes)
      Handshake Protocol: Server Hello Done
        Handshake Type: Server Hello Done (14)
        Length: 0
t:Message Authenticator(80) l:18, Value:EEE427708D3FF4AB6AD7921AA3E0FC92
t:State(24) l:18, Value:378E7C2A2E06280A7986381040618B5D

In Frame 9 you see the TLS Alert message as fatal error [...]
Extensible Authentication Protocol
  Code: Response (2)
  Id: 4
  Length: 74
  Type: EAP-TLS [RFC2716] [Aboba] (13)
  Flags(0x0):
  EAP-TLS Fragments
    Frame:7 payload:0-1389
    Frame:9 payload:1390-1457
  Secure Socket Layer
    TLS Record Layer: Certificate
      Content Type: Handshake (22)
      Version: TLS 1.0 (0x0301)
      Length: 1307
      Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 1303
        Certificates Length: 1300
        Certificates (1300 bytes)
          Certificate Length: 573
          Certificate (573 bytes)
          Certificate Length: 721
          Certificate (721 bytes)
    TLS Record Layer: Client Key Exchange
      Content Type: Handshake (22)
      Version: TLS 1.0 (0x0301)
      Length: 134
      Handshake Protocol: Client Key Exchange
        Handshake Type: Client Key Exchange (16)
        Length: 130
    TLS Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
      Content Type: Alert (21)
      Version: TLS 1.0 (0x0301)
      Length: 2
      Alert Message
        Level: Fatal (2)
        Description: Handshake Failure (40)   <==================== Fatal error
t:State(24) l:18, Value:7717B50DC9F3D796E9FC814587C2B057
t:Message Authenticator(80) l:18, Value:99F362B8E864AEF78B30FDBF764AA3B3

------------------------------------------------------------------------------------
COMPLETE PROTOCOL
------------------------------------------------------------------------------------

Frame 1 (200 bytes on wire, 200 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:44.455371000  Time delta from previous packet: 0.000000000 seconds  Time relative to first packet: 0.000000000 seconds  Frame Number: 1  Packet Length: 200 bytes  Capture Length: 200 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 186  Identification: 0x0047  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3bea (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: 1028 (1028), Dst Port: radius (1812)  Source port: 1028 (1028)  Destination port: radius (1812)  Length: 166  Checksum: 0x9d9a (correct)
  Radius Protocol  Code: Access Request (1)  Packet identifier: 0x0 (0)  Length: 158  Authenticator
    Attribute value pairs
      t:User Name(1) l:10, Value:"obermeim"
      t:NAS IP Address(4) l:6, Value:127.0.0.1
      t:NAS Port(5) l:6, Value:1
      t:Called Station Id(30) l:28, Value:"00-09-5B-3E-AD-8C:Germania"
      t:Calling Station Id(31) l:19, Value:"00-30-AB-12-78-42"
      t:Framed MTU(12) l:6, Value:1400
      t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
      t:Connect Info(77) l:24, Value:"CONNECT 11Mbps 802.11b"
      t:EAP Message(79) l:15
        Extensible Authentication Protocol  Code: Response (2)  Id: 0  Length: 13  Type: Identity [RFC2284] (1)  Identity (8 bytes): obermeim
      t:Message Authenticator(80) l:18, Value:FABE7FD695CBFDCC2FA072EC9C032EE0

Frame 2 (106 bytes on wire, 106 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:44.569854000  Time delta from previous packet: 0.114483000 seconds  Time relative to first packet: 0.114483000 seconds  Frame Number: 2  Packet Length: 106 bytes  Capture Length: 106 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 92  Identification: 0x0048  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3c47 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: radius (1812), Dst Port: 1028 (1028)  Source port: radius (1812)  Destination port: 1028 (1028)  Length: 72  Checksum: 0x22d3 (correct)
  Radius Protocol  Code: Access challenge (11)  Packet identifier: 0x0 (0)  Length: 64  Authenticator
    Attribute value pairs
      t:EAP Message(79) l:8
        Extensible Authentication Protocol  Code: Request (1)  Id: 1  Length: 6  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0x20): Start
      t:Message Authenticator(80) l:18, Value:C992DDE8026D2E3615D24D85680D820D
      t:State(24) l:18, Value:EC4C30D787C1E6E5707DCD67163D55AD

Frame 3 (303 bytes on wire, 303 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:44.595602000  Time delta from previous packet: 0.025748000 seconds  Time relative to first packet: 0.140231000 seconds  Frame Number: 3  Packet Length: 303 bytes  Capture Length: 303 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 289  Identification: 0x0049  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3b81 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: 1028 (1028), Dst Port: radius (1812)  Source port: 1028 (1028)  Destination port: radius (1812)  Length: 269  Checksum: 0xad84 (correct)
  Radius Protocol  Code: Access Request (1)  Packet identifier: 0x1 (1)  Length: 261  Authenticator
    Attribute value pairs
      t:User Name(1) l:10, Value:"obermeim"
      t:NAS IP Address(4) l:6, Value:127.0.0.1
      t:NAS Port(5) l:6, Value:1
      t:Called Station Id(30) l:28, Value:"00-09-5B-3E-AD-8C:Germania"
      t:Calling Station Id(31) l:19, Value:"00-30-AB-12-78-42"
      t:Framed MTU(12) l:6, Value:1400
      t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
      t:Connect Info(77) l:24, Value:"CONNECT 11Mbps 802.11b"
      t:EAP Message(79) l:100
        Extensible Authentication Protocol  Code: Response (2)  Id: 1  Length: 98  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0x80): Length  Length: 88
        Secure Socket Layer
          TLS Record Layer: Client Hello  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 83
            Handshake Protocol: Client Hello  Handshake Type: Client Hello (1)  Length: 79  Version: TLS 1.0 (0x0301)  Random.gmt_unix_time: Dec 10, 2003 07:34:00.000000000  Random.bytes  Session ID Length: 0  Cipher Suites Length: 40
            Cipher Suites (20 suites)
              Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
              Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
              Cipher Suite: TLS_DHE_DSS_WITH_RC4_128_SHA (0x0066)
              Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
              Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
              Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
              Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
              Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
              Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
              Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x0063)
              Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA (0x0065)
              Cipher Suite: Unknown (0x0060)
              Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x0062)
              Cipher Suite: Unknown (0x0061)
              Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA (0x0064)
              Cipher Suite: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0014)
              Cipher Suite: TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA (0x0011)
              Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
              Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x0006)
              Cipher Suite: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA (0x0008)
            Compression Methods Length: 1  Compression Methods (1 method)  Compression Method: null (0)
      t:State(24) l:18, Value:EC4C30D787C1E6E5707DCD67163D55AD
      t:Message Authenticator(80) l:18, Value:02BD363DEBC6CBD6D79384C72CA6A89D

Frame 4 (1142 bytes on wire, 1142 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:44.681160000  Time delta from previous packet: 0.085558000 seconds  Time relative to first packet: 0.225789000 seconds  Frame Number: 4  Packet Length: 1142 bytes  Capture Length: 1142 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 1128  Identification: 0x004a  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3839 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: radius (1812), Dst Port: 1028 (1028)  Source port: radius (1812)  Destination port: 1028 (1028)  Length: 1108  Checksum: 0x10dd (correct)
  Radius Protocol  Code: Access challenge (11)  Packet identifier: 0x1 (1)  Length: 1100  Authenticator
    Attribute value pairs
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:24 EAP fragment
        Extensible Authentication Protocol  Code: Request (1)  Id: 2  Length: 1034  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0xC0): Length More  Length: 1497
        EAP-TLS Fragments  Frame:4 payload:0-1023  Frame:6 payload:1024-1496
        Secure Socket Layer
          TLS Record Layer: Server Hello  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 74
            Handshake Protocol: Server Hello  Handshake Type: Server Hello (2)  Length: 70  Version: TLS 1.0 (0x0301)  Random.gmt_unix_time: Dec 10, 2003 07:30:44.000000000  Random.bytes  Session ID Length: 32  Session ID (32 bytes)  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)  Compression Method: null (0)
          TLS Record Layer: Certificate  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 1307
            Handshake Protocol: Certificate  Handshake Type: Certificate (11)  Length: 1303  Certificates Length: 1300  Certificates (1300 bytes)  Certificate Length: 573  Certificate (573 bytes)  Certificate Length: 721  Certificate (721 bytes)
          TLS Record Layer: Multiple Handshake Messages  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 101
            Handshake Protocol: Certificate Request  Handshake Type: Certificate Request (13)  Length: 93  Certificate types count: 2  Certificate types (2 types)  Certificate type: RSA Sign (1)  Certificate type: DSS Sign (2)  Distinguished Names Length: 88  Distinguished Names (88 bytes)  Distinguished Name Length: 86  Distinguished Name (86 bytes)
            Handshake Protocol: Server Hello Done  Handshake Type: Server Hello Done (14)  Length: 0
      t:Message Authenticator(80) l:18, Value:EEE427708D3FF4AB6AD7921AA3E0FC92
      t:State(24) l:18, Value:378E7C2A2E06280A7986381040618B5D

Frame 5 (211 bytes on wire, 211 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:44.706789000  Time delta from previous packet: 0.025629000 seconds  Time relative to first packet: 0.251418000 seconds  Frame Number: 5  Packet Length: 211 bytes  Capture Length: 211 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 197  Identification: 0x004b  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3bdb (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: 1028 (1028), Dst Port: radius (1812)  Source port: 1028 (1028)  Destination port: radius (1812)  Length: 177  Checksum: 0x5bac (correct)
  Radius Protocol  Code: Access Request (1)  Packet identifier: 0x2 (2)  Length: 169  Authenticator
    Attribute value pairs
      t:User Name(1) l:10, Value:"obermeim"
      t:NAS IP Address(4) l:6, Value:127.0.0.1
      t:NAS Port(5) l:6, Value:1
      t:Called Station Id(30) l:28, Value:"00-09-5B-3E-AD-8C:Germania"
      t:Calling Station Id(31) l:19, Value:"00-30-AB-12-78-42"
      t:Framed MTU(12) l:6, Value:1400
      t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
      t:Connect Info(77) l:24, Value:"CONNECT 11Mbps 802.11b"
      t:EAP Message(79) l:8
        Extensible Authentication Protocol  Code: Response (2)  Id: 2  Length: 6  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0x0):
      t:State(24) l:18, Value:378E7C2A2E06280A7986381040618B5D
      t:Message Authenticator(80) l:18, Value:3A4AAB76000111F70BADFFDD4F304A08

Frame 6 (581 bytes on wire, 581 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:44.710602000  Time delta from previous packet: 0.003813000 seconds  Time relative to first packet: 0.255231000 seconds  Frame Number: 6  Packet Length: 581 bytes  Capture Length: 581 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 567  Identification: 0x004c  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3a68 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: radius (1812), Dst Port: 1028 (1028)  Source port: radius (1812)  Destination port: 1028 (1028)  Length: 547  Checksum: 0x1843 (correct)
  Radius Protocol  Code: Access challenge (11)  Packet identifier: 0x2 (2)  Length: 539  Authenticator
    Attribute value pairs
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:228 EAP fragment
        Extensible Authentication Protocol  Code: Request (1)  Id: 3  Length: 479  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0x0):
        EAP-TLS Fragments  Frame:4 payload:0-1023  Frame:6 payload:1024-1496
        Secure Socket Layer
          TLS Record Layer: Server Hello  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 74
            Handshake Protocol: Server Hello  Handshake Type: Server Hello (2)  Length: 70  Version: TLS 1.0 (0x0301)  Random.gmt_unix_time: Dec 10, 2003 07:30:44.000000000  Random.bytes  Session ID Length: 32  Session ID (32 bytes)  Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)  Compression Method: null (0)
          TLS Record Layer: Certificate  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 1307
            Handshake Protocol: Certificate  Handshake Type: Certificate (11)  Length: 1303  Certificates Length: 1300  Certificates (1300 bytes)  Certificate Length: 573  Certificate (573 bytes)  Certificate Length: 721  Certificate (721 bytes)
          TLS Record Layer: Multiple Handshake Messages  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 101
            Handshake Protocol: Certificate Request  Handshake Type: Certificate Request (13)  Length: 93  Certificate types count: 2  Certificate types (2 types)  Certificate type: RSA Sign (1)  Certificate type: DSS Sign (2)  Distinguished Names Length: 88  Distinguished Names (88 bytes)  Distinguished Name Length: 86  Distinguished Name (86 bytes)
            Handshake Protocol: Server Hello Done  Handshake Type: Server Hello Done (14)  Length: 0
      t:Message Authenticator(80) l:18, Value:635333F6C059893DF8915D99975BEE7F
      t:State(24) l:18, Value:90876CA593B38C034637D2D96C2E91F8

Frame 7 (1615 bytes on wire, 1615 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:45.913213000  Time delta from previous packet: 1.202611000 seconds  Time relative to first packet: 1.457842000 seconds  Frame Number: 7  Packet Length: 1615 bytes  Capture Length: 1615 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 1601  Identification: 0x004d  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x365d (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: 1028 (1028), Dst Port: radius (1812)  Source port: 1028 (1028)  Destination port: radius (1812)  Length: 1581  Checksum: 0x8f66 (correct)
  Radius Protocol  Code: Access Request (1)  Packet identifier: 0x3 (3)  Length: 1573  Authenticator
    Attribute value pairs
      t:User Name(1) l:10, Value:"obermeim"
      t:NAS IP Address(4) l:6, Value:127.0.0.1
      t:NAS Port(5) l:6, Value:1
      t:Called Station Id(30) l:28, Value:"00-09-5B-3E-AD-8C:Germania"
      t:Calling Station Id(31) l:19, Value:"00-30-AB-12-78-42"
      t:Framed MTU(12) l:6, Value:1400
      t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
      t:Connect Info(77) l:24, Value:"CONNECT 11Mbps 802.11b"
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:255 EAP fragment
      t:EAP Message(79) l:137 EAP fragment
        Extensible Authentication Protocol  Code: Response (2)  Id: 3  Length: 1400  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0xC0): Length More  Length: 1458
        EAP-TLS Fragments  Frame:7 payload:0-1389  Frame:9 payload:1390-1457
        Secure Socket Layer
          TLS Record Layer: Certificate  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 1307
            Handshake Protocol: Certificate  Handshake Type: Certificate (11)  Length: 1303  Certificates Length: 1300  Certificates (1300 bytes)  Certificate Length: 573  Certificate (573 bytes)  Certificate Length: 721  Certificate (721 bytes)
          TLS Record Layer: Client Key Exchange  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 134
            Handshake Protocol: Client Key Exchange  Handshake Type: Client Key Exchange (16)  Length: 130
          TLS Record Layer: Alert (Level: Fatal, Description: Handshake Failure)  Content Type: Alert (21)  Version: TLS 1.0 (0x0301)  Length: 2
            Alert Message  Level: Fatal (2)  Description: Handshake Failure (40)
      t:State(24) l:18, Value:90876CA593B38C034637D2D96C2E91F8
      t:Message Authenticator(80) l:18, Value:0AAD5865A0B160EB6361290E32C9CF3A

Frame 8 (106 bytes on wire, 106 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:45.945853000  Time delta from previous packet: 0.032640000 seconds  Time relative to first packet: 1.490482000 seconds  Frame Number: 8  Packet Length: 106 bytes  Capture Length: 106 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 92  Identification: 0x004e  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3c41 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: radius (1812), Dst Port: 1028 (1028)  Source port: radius (1812)  Destination port: 1028 (1028)  Length: 72  Checksum: 0x819f (correct)
  Radius Protocol  Code: Access challenge (11)  Packet identifier: 0x3 (3)  Length: 64  Authenticator
    Attribute value pairs
      t:EAP Message(79) l:8
        Extensible Authentication Protocol  Code: Request (1)  Id: 4  Length: 6  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0x0):
      t:Message Authenticator(80) l:18, Value:B0BBCFFA2BAFC58BCB979FA3BB8572E1
      t:State(24) l:18, Value:7717B50DC9F3D796E9FC814587C2B057

Frame 9 (279 bytes on wire, 279 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:45.954269000  Time delta from previous packet: 0.008416000 seconds  Time relative to first packet: 1.498898000 seconds  Frame Number: 9  Packet Length: 279 bytes  Capture Length: 279 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 265  Identification: 0x004f  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3b93 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: 1028 (1028), Dst Port: radius (1812)  Source port: 1028 (1028)  Destination port: radius (1812)  Length: 245  Checksum: 0xf191 (correct)
  Radius Protocol  Code: Access Request (1)  Packet identifier: 0x4 (4)  Length: 237  Authenticator
    Attribute value pairs
      t:User Name(1) l:10, Value:"obermeim"
      t:NAS IP Address(4) l:6, Value:127.0.0.1
      t:NAS Port(5) l:6, Value:1
      t:Called Station Id(30) l:28, Value:"00-09-5B-3E-AD-8C:Germania"
      t:Calling Station Id(31) l:19, Value:"00-30-AB-12-78-42"
      t:Framed MTU(12) l:6, Value:1400
      t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
      t:Connect Info(77) l:24, Value:"CONNECT 11Mbps 802.11b"
      t:EAP Message(79) l:76
        Extensible Authentication Protocol  Code: Response (2)  Id: 4  Length: 74  Type: EAP-TLS [RFC2716] [Aboba] (13)  Flags(0x0):
        EAP-TLS Fragments  Frame:7 payload:0-1389  Frame:9 payload:1390-1457
        Secure Socket Layer
          TLS Record Layer: Certificate  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 1307
            Handshake Protocol: Certificate  Handshake Type: Certificate (11)  Length: 1303  Certificates Length: 1300  Certificates (1300 bytes)  Certificate Length: 573  Certificate (573 bytes)  Certificate Length: 721  Certificate (721 bytes)
          TLS Record Layer: Client Key Exchange  Content Type: Handshake (22)  Version: TLS 1.0 (0x0301)  Length: 134
            Handshake Protocol: Client Key Exchange  Handshake Type: Client Key Exchange (16)  Length: 130
          TLS Record Layer: Alert (Level: Fatal, Description: Handshake Failure)  Content Type: Alert (21)  Version: TLS 1.0 (0x0301)  Length: 2
            Alert Message  Level: Fatal (2)  Description: Handshake Failure (40)
      t:State(24) l:18, Value:7717B50DC9F3D796E9FC814587C2B057
      t:Message Authenticator(80) l:18, Value:99F362B8E864AEF78B30FDBF764AA3B3

Frame 10 (86 bytes on wire, 86 bytes captured)
  Arrival Time: Dec 10, 2003 07:30:46.063764000  Time delta from previous packet: 0.109495000 seconds  Time relative to first packet: 1.608393000 seconds  Frame Number: 10  Packet Length: 86 bytes  Capture Length: 86 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 72  Identification: 0x0050  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3c53 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: radius (1812), Dst Port: 1028 (1028)  Source port: radius (1812)  Destination port: 1028 (1028)  Length: 52  Checksum: 0x7d30 (correct)
  Radius Protocol  Code: Access Reject (3)  Packet identifier: 0x4 (4)  Length: 44  Authenticator
    Attribute value pairs
      t:EAP Message(79) l:6
        Extensible Authentication Protocol  Code: Failure (4)  Id: 4  Length: 4
      t:Message Authenticator(80) l:18, Value:824D2A1B4085F02EEBD22FE600ED80D9

Frame 11 (228 bytes on wire, 228 bytes captured)
  Arrival Time: Dec 10, 2003 07:31:13.365139000  Time delta from previous packet: 27.301375000 seconds  Time relative to first packet: 28.909768000 seconds  Frame Number: 11  Packet Length: 228 bytes  Capture Length: 228 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 214  Identification: 0x0051  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3bc4 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: 1029 (1029), Dst Port: radius-acct (1813)  Source port: 1029 (1029)  Destination port: radius-acct (1813)  Length: 194  Checksum: 0xe9fc (correct)
  Radius Protocol  Code: Accounting Request (4)  Packet identifier: 0x5 (5)  Length: 186  Authenticator
    Attribute value pairs
      t:Acct Session Id(44) l:19, Value:"3FD6BD68-00000000"
      t:Acct Status Type(40) l:6, Value:Stop(2)
      t:Acct Authentic(45) l:6, Value:Radius(1)
      t:User Name(1) l:10, Value:"obermeim"
      t:NAS IP Address(4) l:6, Value:127.0.0.1
      t:NAS Port(5) l:6, Value:1
      t:Called Station Id(30) l:28, Value:"00-09-5B-3E-AD-8C:Germania"
      t:Calling Station Id(31) l:19, Value:"00-30-AB-12-78-42"
      t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19)
      t:Connect Info(77) l:24, Value:"CONNECT 11Mbps 802.11b"
      t:Acct Session Time(46) l:6, Value:1071037873
      t:Acct Input Packets(47) l:6, Value:6
      t:Acct Output Packets(48) l:6, Value:6
      t:Acct Input Octets(42) l:6, Value:1808
      t:Acct Output Octets(43) l:6, Value:1827
      t:Acct Terminate Cause(49) l:6, Value:Admin Reboot(7)

Frame 12 (62 bytes on wire, 62 bytes captured)
  Arrival Time: Dec 10, 2003 07:31:13.798325000  Time delta from previous packet: 0.433186000 seconds  Time relative to first packet: 29.342954000 seconds  Frame Number: 12  Packet Length: 62 bytes  Capture Length: 62 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 48  Identification: 0x0052  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3c69 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  User Datagram Protocol, Src Port: radius-acct (1813), Dst Port: 1029 (1029)  Source port: radius-acct (1813)  Destination port: 1029 (1029)  Length: 28  Checksum: 0x7aee (correct)
  Radius Protocol  Code: Accounting Response (5)  Packet identifier: 0x5 (5)  Length: 20  Authenticator

Frame 13 (90 bytes on wire, 90 bytes captured)
  Arrival Time: Dec 10, 2003 07:31:13.798364000  Time delta from previous packet: 0.000039000 seconds  Time relative to first packet: 29.342993000 seconds  Frame Number: 13  Packet Length: 90 bytes  Capture Length: 90 bytes
  Ethernet II, Src: 00:00:00:00:00:00, Dst: 00:00:00:00:00:00  Destination: 00:00:00:00:00:00 (00:00:00_00:00:00)  Source: 00:00:00:00:00:00 (00:00:00_00:00:00)  Type: IP (0x0800)
  Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; ECN: 0x00)  1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 76  Identification: 0x0053  Flags: 0x00  .0.. = Don't fragment: Not set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: ICMP (0x01)  Header checksum: 0x7b9c (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
  Internet Control Message Protocol  Type: 3 (Destination unreachable)  Code: 3 (Port unreachable)  Checksum: 0xfb2c (correct)
    Internet Protocol, Src Addr: 127.0.0.1 (127.0.0.1), Dst Addr: 127.0.0.1 (127.0.0.1)  Version: 4  Header length: 20 bytes  Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)  0000 00.. = Differentiated Services Codepoint: Default (0x00)  .... ..0. = ECN-Capable Transport (ECT): 0  .... ...0 = ECN-CE: 0  Total Length: 48  Identification: 0x0052  Flags: 0x04  .1.. = Don't fragment: Set  ..0. = More fragments: Not set  Fragment offset: 0  Time to live: 64  Protocol: UDP (0x11)  Header checksum: 0x3c69 (correct)  Source: 127.0.0.1 (127.0.0.1)  Destination: 127.0.0.1 (127.0.0.1)
    User Datagram Protocol, Src Port: radius-acct (1813), Dst Port: 1029 (1029)  Source port: radius-acct (1813)  Destination port: 1029 (1029)  Length: 28  Checksum: 0x7aee (correct)
    Radius Protocol  Code: Accounting Response (5)  Packet identifier: 0x5 (5)  Length: 20  Authenticator

Markus Obermeier
System Architect HW Connectivity
Siemens AG ICM MP P S 2
Tel. +49-89-722-32549
Mob. +49-160-7481061
Fax. +49-89-722-913490
EMail: [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
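The following is an added example of mine, not code from Markus's post or from FreeRADIUS, that reconstructs the cipher suite negotiation visible in the capture above. FreeRADIUS hands the TLS handshake to OpenSSL, and OpenSSL's default rule (client preference) is to walk the client's offer in the order it was sent and pick the first suite the server can actually use with its own credentials; only with SSL_OP_CIPHER_SERVER_PREFERENCE does it walk the server's own list instead. What the server "can use" is the intersection of its configured cipher string (the cipher_list setting in the tls section of eap.conf, as I know it) and the key material it loaded, so an RSA-only server without DH parameters cannot offer any DHE_RSA or DSS suite. The code builds ClientHello and ServerHello records with the same sizes as Frames 3 and 4 (88/83/79 and 79/74/70 bytes), runs the selection rule over the offer copied from Frame 3, and checks whether the server's choice was inside the offer, which is the first thing to verify when a client answers with a fatal handshake_failure. CLIENT_OFFER is copied from Frame 3; SERVER_RSA_ONLY is a constructed assumption about the server, chosen because it reproduces the capture's choice of 0x000a; all function names are mine.

```python
import os
import struct

TLS10 = 0x0301
HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO = 1, 2

# Cipher suites the client offered in Frame 3 of the capture, in the order sent.
CLIENT_OFFER = [
    0x0016, 0x0013, 0x0066, 0x0015, 0x0012, 0x000A, 0x0005, 0x0004, 0x0009, 0x0063,
    0x0065, 0x0060, 0x0062, 0x0061, 0x0064, 0x0014, 0x0011, 0x0003, 0x0006, 0x0008,
]

# Constructed assumption for this example (not taken from the post): a server with
# only an RSA certificate, no DH parameters and no DSS certificate can complete none
# of the DHE_* or *_DSS_* suites, leaving the plain RSA key-exchange suites above.
SERVER_RSA_ONLY = [0x000A, 0x0005, 0x0004, 0x0009, 0x0062, 0x0064, 0x0003, 0x0006, 0x0008]


def select_suite(client_offer, server_supported, server_preference=False):
    """Negotiated suite, or None when the two lists share nothing.

    Client preference (OpenSSL's default) walks the client's list in the order sent and
    takes the first suite the server can use; server preference walks the server's list.
    """
    if server_preference:
        first, allowed = server_supported, set(client_offer)
    else:
        first, allowed = client_offer, set(server_supported)
    return next((s for s in first if s in allowed), None)


def _record(content_type, body):
    # TLS record header: content type (1), version (2), length (2)
    return struct.pack("!BHH", content_type, TLS10, len(body)) + body


def _handshake(msg_type, body):
    # Handshake header: message type (1), 24-bit length (3)
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites, random_bytes=None):
    """TLS 1.0 ClientHello record: empty session id, null compression only."""
    rnd = random_bytes or os.urandom(32)
    blob = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", TLS10) + rnd + b"\x00"
            + struct.pack("!H", len(blob)) + blob + b"\x01\x00")
    return _record(HANDSHAKE, _handshake(CLIENT_HELLO, body))


def build_server_hello(suite, session_id=None, random_bytes=None):
    """TLS 1.0 ServerHello record with a 32-byte session id and null compression."""
    rnd = random_bytes or os.urandom(32)
    sid = session_id or os.urandom(32)
    body = (struct.pack("!H", TLS10) + rnd + bytes([len(sid)]) + sid
            + struct.pack("!H", suite) + b"\x00")
    return _record(HANDSHAKE, _handshake(SERVER_HELLO, body))


def build_alert(level, description):
    """TLS Alert record; build_alert(2, 40) is the fatal handshake_failure of Frame 9."""
    return _record(ALERT, bytes([level, description]))


def parse_record(data):
    """Parse one TLS record holding a ClientHello, a ServerHello or an Alert."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    if ctype == ALERT:
        return {"type": "alert", "level": body[0], "description": body[1]}
    if ctype != HANDSHAKE:
        raise ValueError("unexpected content type %d" % ctype)
    msg_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    pos = 35 + hs[34]          # skip version (2), random (32), session id length + id
    if msg_type == CLIENT_HELLO:
        n = struct.unpack("!H", hs[pos:pos + 2])[0]
        suites = [struct.unpack("!H", hs[i:i + 2])[0]
                  for i in range(pos + 2, pos + 2 + n, 2)]
        return {"type": "client_hello", "version": version,
                "cipher_suites": suites, "handshake_length": hs_len}
    if msg_type == SERVER_HELLO:
        suite = struct.unpack("!H", hs[pos:pos + 2])[0]
        return {"type": "server_hello", "version": version,
                "cipher_suite": suite, "handshake_length": hs_len}
    raise ValueError("unsupported handshake type %d" % msg_type)


def check_negotiation(client_hello, server_hello):
    """(chosen suite, was it offered): a choice outside the offer is a server-side
    bug; a choice inside it means a later handshake_failure lies beyond suite selection."""
    offer = parse_record(client_hello)["cipher_suites"]
    chosen = parse_record(server_hello)["cipher_suite"]
    return chosen, chosen in offer


if __name__ == "__main__":
    hello = build_client_hello(CLIENT_OFFER)
    chosen = select_suite(CLIENT_OFFER, SERVER_RSA_ONLY)
    print("negotiated 0x%04x, offered by client: %s"
          % check_negotiation(hello, build_server_hello(chosen)))
    alert = parse_record(build_alert(2, 40))
    print("alert level=%d description=%d" % (alert["level"], alert["description"]))
```

Run against the offer from Frame 3, client-preference selection with the assumed RSA-only server lands on 0x000a, the sixth suite the client listed and the first that needs neither DHE nor a DSS certificate, which is exactly what Frame 4 shows; the choice is inside the offer, so the fatal alert in Frame 9 (sent after the client's own Certificate and Client Key Exchange) is worth investigating at a later step of the handshake rather than at suite selection.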