Fabrice Beauvir <[EMAIL PROTECTED]> wrote:
>  I think I have some misconfiguration but, to my point of view it comes 
> from FreeRADIUS configuration.

  I doubt that very much.

>  FreeRADIUS :
>    1.  AP -> freeradius ACCESS REQUEST (1)  : EAP message type identity
>    2.  freeradius -> AP ACCESS CHALLENGE (11) : EAP request type EAP-TLS 
> (flag start)
>    3.  AP -> freeradius ACCESS CHALLENGE (11) : EAP request type EAP-TLS 
> (flag start)

  There is NOTHING you can do to the RADIUS server to make the AP send
an Access-Challenge back to the RADIUS server.

  The AP is broken.

  The AP MUST NOT send an Access-Challenge to the RADIUS server.  Any
AP which DOES send an Access-Challenge is stupid and wrong.

> I don't understand why the AP sent an ACCESS CHALLENGE instead of an ACCESS 
> REQUEST containing an SSL handshake.

  Because the AP is broken.  Rather than giving an error message
saying what it doesn't like, it does something incredibly stupid.  So
you blame FreeRADIUS, rather than the AP.  Nice.

> But I had observed something a little bit ....ahum ... interesting :
>  When radius servers reply to the AP the first time they send the same EAP 
> request but EAP message authenticator & EAP States are inverted at the 
> end of the frame.
> So, another idea, is when the AP (in my case an INTEL PRO 5000) receives 
> such a frame, it cannot interpret it because it is malformed and sends it 
> back to the Radius server.

  No.  The RFCs allow the RADIUS attributes to be in any order.  If
the AP wants them in a certain order, it's broken.

  It looks like the AP does NOT like the order of the attributes sent
by FreeRADIUS.  But rather than doing anything intelligent, it does
the stupidest thing imaginable.

  I would suggest calling the company who sold you the AP, and
complaining that it's broken.  Tell them you want a firmware upgrade
so that the AP actually handles the RADIUS protocol.

> I am not an EAP expert but I can understand that if a frame is malformed 
> the negotiation can begin...

  The packet is not malformed.  It's fine.

> What happened with other APs like Aironet ??? Someone  ???

  They work.  They don't go out of their way to do stupid things.

  I'm willing to change the code in FreeRADIUS, but I would rather
not.  The AP should be thrown in the garbage, (or upgraded) instead.

  Alan DeKok.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
