After checking the ethereal log and the eap_tls.c code, I really don't get how
rlm_eap_tls can respond with both
"Received EAP-TLS ACK message" and "Invalid ACK received"!?
Problem:
"rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: Invalid ACK received
modcall[authenticate]: module "eap" returns invalid"
code excerpt from eap_tls.c:
/* A Response that is exactly header + type + flags, with no flags set,
 * is an ACK candidate; it is only accepted if its id matches the last request. */
if ((eap_ds->response->length == EAP_HEADER_LEN + 2/*EAPtype+flags*/) &&
    ((eaptls_packet != NULL) && (eaptls_packet->flags == 0x00))) {
        if (prev_eap_ds->request->id == eap_ds->response->id) {
                radlog(L_INFO, "rlm_eap_tls: Received EAP-TLS ACK message");
                return EAPTLS_ACK;
        } else {
                radlog(L_ERR, "rlm_eap_tls: Received Invalid EAP-TLS ACK message");
                return EAPTLS_INVALID;
        }
}
ethereal capture of the EAP-TLS ACK message (you may see the context in the previous
email):
t:EAP-Message(79) l:8
Extensible Authentication Protocol
Code: Response (2)
Id: 4
Length: 6
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x0):
Length no problem, flag correct, id same as the previous packet from the server, and
eap_tls.c responds "Received EAP-TLS
ACK message" correctly, but then why does the "Invalid ACK received" follow? Any advice?
Thank you very much for your help.
-Paul
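An added example (not code from this post or from FreeRADIUS) that re-implements the ACK test from the eap_tls.c excerpt above over the bytes of the frame 21 EAP-Message, and goes one step beyond the excerpt by applying the RFC 2716 rule that an empty EAP-TLS response only answers a fragment with the M bit set or the server's final handshake message. The prev_request struct, the result names other than EAPTLS_ACK/EAPTLS_INVALID, and the sample byte arrays are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define EAP_HEADER_LEN     4      /* code, identifier, length (2 bytes) */
#define EAP_CODE_RESPONSE  2
#define EAP_TYPE_TLS       13
#define EAPTLS_FLAG_LENGTH 0x80   /* L bit: TLS message length field present */
#define EAPTLS_FLAG_MORE   0x40   /* M bit: more fragments follow */
#define EAPTLS_FLAG_START  0x20   /* S bit: EAP-TLS Start */

/* Hypothetical result codes; EAPTLS_ACK and EAPTLS_INVALID mirror the excerpt. */
enum eaptls_status { EAPTLS_INVALID, EAPTLS_ACK, EAPTLS_ACK_UNEXPECTED, EAPTLS_OK };

/* What the server last sent (hypothetical struct): needed to judge an empty response. */
struct prev_request { uint8_t id; uint8_t flags; bool carried_finished; };

/* Classify a client EAP-TLS response. The length/flags/id checks are the
 * excerpt's ACK test; the final two checks apply RFC 2716: an empty response
 * only answers a fragment (M bit set) or the server's Finished message. */
enum eaptls_status eaptls_classify(const uint8_t *pkt, size_t pktlen,
                                   const struct prev_request *prev)
{
    if (pktlen < EAP_HEADER_LEN + 1) return EAPTLS_INVALID;       /* no type byte */
    uint16_t len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (len != pktlen || pkt[0] != EAP_CODE_RESPONSE || pkt[4] != EAP_TYPE_TLS)
        return EAPTLS_INVALID;
    if (len != EAP_HEADER_LEN + 2) return EAPTLS_OK;              /* carries TLS data */
    if (pkt[5] != 0x00) return EAPTLS_INVALID;                    /* flags must be clear */
    if (pkt[1] != prev->id) return EAPTLS_INVALID;                /* id mismatch: invalid ACK */
    /* The excerpt stops here and reports an ACK; now decide whether it is usable. */
    if (prev->flags & EAPTLS_FLAG_MORE) return EAPTLS_ACK;        /* fragment ACK */
    if (prev->carried_finished) return EAPTLS_ACK;                /* completion ACK */
    return EAPTLS_ACK_UNEXPECTED;                                 /* nothing to acknowledge */
}

/* Constructed from the capture's frame 21: Code 2, Id 4, Length 6, Type 13, Flags 0x00. */
static const uint8_t FRAME21_ACK[] = { 0x02, 0x04, 0x00, 0x06, 0x0d, 0x00 };
/* Frame 18 as the client saw it: Id 4, Flags 0x80 (L only, no M), no Finished inside. */
static const struct prev_request FRAME18_REQ = { 4, EAPTLS_FLAG_LENGTH, false };
/* Constructed response carrying two bytes of TLS data, for contrast. */
static const uint8_t DATA_RSP[] = { 0x02, 0x03, 0x00, 0x08, 0x0d, 0x00, 0x16, 0x03 };
```

Run against the capture's own values, the frame 21 ACK passes the excerpt's test but has no fragment or Finished to acknowledge, which is the distinction the two log lines in the question are drawing.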
-----Original Message-----
From: Ynjiun P. Wang [mailto:ypw@;eSignX.com]
Sent: Friday, November 15, 2002 2:43 PM
To: [EMAIL PROTECTED]
Subject: EAP/TLS
Now I have full captured logs (ethereal (0.9.3), freeradius (snapshot10282002) and
AP350 (v.12T)) regarding the problem
of:
"rlm_eap_tls: Received EAP-TLS ACK message
rlm_eap_tls: Invalid ACK received
modcall[authenticate]: module "eap" returns invalid"
Could you please take a look to see if there is any obvious blunder? Thanks.
/****************Ethereal (0.9.3) capture: *******************************/
Frame 14 (191 on wire, 191 captured)
Arrival Time: Nov 15, 2002 13:44:03.415674000
Time delta from previous packet: 1.267728000 seconds
Time relative to first packet: 19.405991000 seconds
Frame Number: 14
Packet Length: 191 bytes
Capture Length: 191 bytes
Ethernet II
Destination: 00:c0:9f:05:12:a6 (curve.esignx.com)
Source: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Type: IP (0x0800)
Internet Protocol, Src Addr: ip204.aec-1.sfo.interquest.net (66.135.138.204), Dst
Addr: curve.esignx.com
(66.135.138.207)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 177
Identification: 0x3981
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: UDP (0x11)
Header checksum: 0xa711 (correct)
Source: ip204.aec-1.sfo.interquest.net (66.135.138.204)
Destination: curve.esignx.com (66.135.138.207)
User Datagram Protocol, Src Port: 22563 (22563), Dst Port: radius (1812)
Source port: 22563 (22563)
Destination port: radius (1812)
Length: 157
Checksum: 0x50c2 (correct)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x4d (77)
Length: 149
Authenticator
Attribute value pairs
t:User Name(1) l:7, Value:"kevin"
t:Vendor Specific(26) l:20, Vendor:Cisco, Type:Cisco AV Pair, Len:12
Value:"ssid=tsunami"
t:NAS IP Address(4) l:6, Value:192.168.0.8
t:Called Station Id(30) l:14, Value:"004096495de0"
t:Calling Station Id(31) l:14, Value:"0006250baad2"
t:NAS identifier(32) l:14, Value:"AP350-495de0"
t:NAS Port(5) l:6, Value:37
t:Framed MTU(12) l:6, Value:1400
t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11
t:Service Type(6) l:6, Value:Login
t:EAP-Message(79) l:12
Extensible Authentication Protocol
Code: Response (2)
Id: 2
Length: 10
Type: Identity [RFC2284] (1)
Identity (5 bytes): kevin
t:Message Authenticator(80) l:18, Value:"�N�k~\147����,c\144��\025"
Frame 15 (126 on wire, 126 captured)
Arrival Time: Nov 15, 2002 13:44:03.417986000
Time delta from previous packet: 0.002312000 seconds
Time relative to first packet: 19.408303000 seconds
Frame Number: 15
Packet Length: 126 bytes
Capture Length: 126 bytes
Ethernet II
Destination: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Source: 00:c0:9f:05:12:a6 (curve.esignx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: curve.esignx.com (66.135.138.207), Dst Addr:
ip204.aec-1.sfo.interquest.net
(66.135.138.204)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 112
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x9fd3 (correct)
Source: curve.esignx.com (66.135.138.207)
Destination: ip204.aec-1.sfo.interquest.net (66.135.138.204)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 22563 (22563)
Source port: radius (1812)
Destination port: 22563 (22563)
Length: 92
Checksum: 0x0f31 (correct)
Radius Protocol
Code: Access challenge (11)
Packet identifier: 0x4d (77)
Length: 84
Authenticator
Attribute value pairs
t:EAP-Message(79) l:8
Extensible Authentication Protocol
Code: Request (1)
Id: 3
Length: 6
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x20): Start
t:Message Authenticator(80) l:18, Value:"��t\001�\143�G��\148\128�J/?"
t:State(24) l:38,
Value:"\005\023\017b\019\013jy\145\153�x1P'£j�=�Z^#\013��M��kFF\007R�"
Frame 17 (299 on wire, 299 captured)
Arrival Time: Nov 15, 2002 13:44:03.789273000
Time delta from previous packet: 0.106425000 seconds
Time relative to first packet: 19.779590000 seconds
Frame Number: 17
Packet Length: 299 bytes
Capture Length: 299 bytes
Ethernet II
Destination: 00:c0:9f:05:12:a6 (curve.esignx.com)
Source: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Type: IP (0x0800)
Internet Protocol, Src Addr: ip204.aec-1.sfo.interquest.net (66.135.138.204), Dst
Addr: curve.esignx.com
(66.135.138.207)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 285
Identification: 0x3984
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: UDP (0x11)
Header checksum: 0xa6a2 (correct)
Source: ip204.aec-1.sfo.interquest.net (66.135.138.204)
Destination: curve.esignx.com (66.135.138.207)
User Datagram Protocol, Src Port: 22564 (22564), Dst Port: radius (1812)
Source port: 22564 (22564)
Destination port: radius (1812)
Length: 265
Checksum: 0xa839 (correct)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x4e (78)
Length: 257
Authenticator
Attribute value pairs
t:User Name(1) l:7, Value:"kevin"
t:Vendor Specific(26) l:20, Vendor:Cisco, Type:Cisco AV Pair, Len:12
Value:"ssid=tsunami"
t:NAS IP Address(4) l:6, Value:192.168.0.8
t:Called Station Id(30) l:14, Value:"004096495de0"
t:Calling Station Id(31) l:14, Value:"0006250baad2"
t:NAS identifier(32) l:14, Value:"AP350-495de0"
t:NAS Port(5) l:6, Value:37
t:Framed MTU(12) l:6, Value:1400
t:State(24) l:38,
Value:"\005\023\017b\019\013jy\145\153�x1P'£j�=�Z^#\013��M��kFF\007R�"
t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11
t:Service Type(6) l:6, Value:Login
t:EAP-Message(79) l:82
Extensible Authentication Protocol
Code: Response (2)
Id: 3
Length: 80
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x80): Length
Length: 70
Secure Socket Layer
TLS Record Layer: Client Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 65
Handshake Protocol: Client Hello
Handshake Type: Client Hello (1)
Length: 61
Version: TLS 1.0 (0x0301)
Random.gmt_unix_time: Nov 15, 2002 13:45:56.000000000
Random.bytes
Session ID Length: 0
Cipher Suites Length: 22
Cipher Suites (11 suites)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_RSA_WITH_DES_CBC_SHA (0x0009)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
(0x0064)
Cipher Suite: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
(0x0062)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x0003)
Cipher Suite: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
(0x0006)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
(0x0013)
Cipher Suite: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x0012)
Cipher Suite: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
(0x0063)
Compression Methods Length: 1
Compression Methods (1 method)
Compression Method: null (0)
t:Message Authenticator(80) l:18, Value:"�\131\021�|\030\144�̷�\020L�k\022"
Frame 18 (1145 on wire, 1145 captured)
Arrival Time: Nov 15, 2002 13:44:03.792712000
Time delta from previous packet: 0.003439000 seconds
Time relative to first packet: 19.783029000 seconds
Frame Number: 18
Packet Length: 1145 bytes
Capture Length: 1145 bytes
Ethernet II
Destination: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Source: 00:c0:9f:05:12:a6 (curve.esignx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: curve.esignx.com (66.135.138.207), Dst Addr:
ip204.aec-1.sfo.interquest.net
(66.135.138.204)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 1131
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x9bd8 (correct)
Source: curve.esignx.com (66.135.138.207)
Destination: ip204.aec-1.sfo.interquest.net (66.135.138.204)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 22564 (22564)
Source port: radius (1812)
Destination port: 22564 (22564)
Length: 1111
Checksum: 0xdec5 (correct)
Radius Protocol
Code: Access challenge (11)
Packet identifier: 0x4e (78)
Length: 1103
Authenticator
Attribute value pairs
t:EAP-Message(79) l:254
EAP fragment
t:EAP-Message(79) l:254
EAP fragment
t:EAP-Message(79) l:254
EAP fragment
t:EAP-Message(79) l:254
EAP fragment
t:EAP-Message(79) l:11
EAP fragment
Extensible Authentication Protocol
Code: Request (1)
Id: 4
Length: 1017
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x80): Length
Length: 1007
Secure Socket Layer
TLS Record Layer: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 74
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 70
Version: TLS 1.0 (0x0301)
Random.gmt_unix_time: Nov 15, 2002 13:44:03.000000000
Random.bytes
Session ID Length: 32
Session ID (32 bytes)
Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
Compression Method: null (0)
TLS Record Layer: Certificate
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 737
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Length: 733
Certificates Length: 730
Certificates (730 bytes)
Certificate Length: 727
Certificate (727 bytes)
TLS Record Layer: Multiple Handshake Messages
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 181
Handshake Protocol: Certificate Request
Handshake Type: Certificate Request (13)
Length: 173
Certificate types count: 3
Certificate types (3 types)
Certificate type: RSA Sign (1)
Certificate type: DSS Sign (2)
Certificate type: Unknown (5)
Distinguished Names Length: 167
Distinguished Names (167 bytes)
Distinguished Name Length: 165
Distinguished Name (165 bytes)
Handshake Protocol: Server Hello Done
Handshake Type: Server Hello Done (14)
Length: 0
t:Message Authenticator(80) l:18, Value:"$\155\004��\013f\001�\025�P\136��="
t:State(24) l:38,
Value:"���y��\141�\148O2b�j�=S�\127,\138�:�\026\026�\01253\136\017"
Frame 21 (225 on wire, 225 captured)
Arrival Time: Nov 15, 2002 13:44:05.004527000
Time delta from previous packet: 0.715416000 seconds
Time relative to first packet: 20.994844000 seconds
Frame Number: 21
Packet Length: 225 bytes
Capture Length: 225 bytes
Ethernet II
Destination: 00:c0:9f:05:12:a6 (curve.esignx.com)
Source: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Type: IP (0x0800)
Internet Protocol, Src Addr: ip204.aec-1.sfo.interquest.net (66.135.138.204), Dst
Addr: curve.esignx.com
(66.135.138.207)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 211
Identification: 0x398d
Flags: 0x00
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: UDP (0x11)
Header checksum: 0xa6e3 (correct)
Source: ip204.aec-1.sfo.interquest.net (66.135.138.204)
Destination: curve.esignx.com (66.135.138.207)
User Datagram Protocol, Src Port: 22565 (22565), Dst Port: radius (1812)
Source port: 22565 (22565)
Destination port: radius (1812)
Length: 191
Checksum: 0xa27e (correct)
Radius Protocol
Code: Access Request (1)
Packet identifier: 0x4f (79)
Length: 183
Authenticator
Attribute value pairs
t:User Name(1) l:7, Value:"kevin"
t:Vendor Specific(26) l:20, Vendor:Cisco, Type:Cisco AV Pair, Len:12
Value:"ssid=tsunami"
t:NAS IP Address(4) l:6, Value:192.168.0.8
t:Called Station Id(30) l:14, Value:"004096495de0"
t:Calling Station Id(31) l:14, Value:"0006250baad2"
t:NAS identifier(32) l:14, Value:"AP350-495de0"
t:NAS Port(5) l:6, Value:37
t:Framed MTU(12) l:6, Value:1400
t:State(24) l:38,
Value:"���y��\141�\148O2b�j�=S�\127,\138�:�\026\026�\01253\136\017"
t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11
t:Service Type(6) l:6, Value:Login
t:EAP-Message(79) l:8
Extensible Authentication Protocol
Code: Response (2)
Id: 4
Length: 6
Type: EAP-TLS [RFC2716] [Aboba] (13)
Flags(0x0):
t:Message Authenticator(80) l:18, Value:"K\148����v�\134�\152\023'\006\154�"
Frame 23 (86 on wire, 86 captured)
Arrival Time: Nov 15, 2002 13:44:07.003563000
Time delta from previous packet: 0.968648000 seconds
Time relative to first packet: 22.993880000 seconds
Frame Number: 23
Packet Length: 86 bytes
Capture Length: 86 bytes
Ethernet II
Destination: 00:08:a1:1d:e7:30 (ip204.aec-1.sfo.interquest.net)
Source: 00:c0:9f:05:12:a6 (curve.esignx.com)
Type: IP (0x0800)
Internet Protocol, Src Addr: curve.esignx.com (66.135.138.207), Dst Addr:
ip204.aec-1.sfo.interquest.net
(66.135.138.204)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 72
Identification: 0x0000
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0x9ffb (correct)
Source: curve.esignx.com (66.135.138.207)
Destination: ip204.aec-1.sfo.interquest.net (66.135.138.204)
User Datagram Protocol, Src Port: radius (1812), Dst Port: 22565 (22565)
Source port: radius (1812)
Destination port: 22565 (22565)
Length: 52
Checksum: 0x220e (correct)
Radius Protocol
Code: Access Reject (3)
Packet identifier: 0x4f (79)
Length: 44
Authenticator
Attribute value pairs
t:EAP-Message(79) l:6
Extensible Authentication Protocol
Code: Failure (4)
Id: 4
Length: 4
t:Message Authenticator(80) l:18, Value:"8\129�d�b�����\138��\1495"
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html