On Mon, 10 Nov 2003, Kostas Kalevras wrote:

> Hello, we are facing a problem when trying to test EAP-TTLS with the
> Meetinghouse AEGIS Client
>
> We are using a Cisco 2950 as an AP (EAPOL authentication) with recent IOS.
>
> freeradius latest cvs (two or three days old)
> Aegis 2.1.0
> OpenSSL 0.9.7c
>
> Unfortunately we haven't been able to find a sniffer capable of reporting the
> TLS traffic within an EAP-TTLS (or EAP-TLS for that matter) conversation.
> So I am mostly speculating what the problem is.
>
> As can be seen from the radiusd -X -xxx output, after sending a TLS Hello with
> the server certificate, the client returns with a TLS ACK. I am guessing that one
> TLS fragment got to the client and it is ACKing for another. Though the eap_tls
> module seems not to accept that ACK.
> From what I've found, the eaptls_ack_handler() never seems to be called. Whether it
> is an OpenSSL or rlm_eap_tls module problem I don't know. From the documentation
> on openssl.org it seems that the handler will only be called if the received
> packet is OK, so it can just be that the packet is malformed somehow.
> In any case I don't really know where to go from here. One thing that would help
> would be if someone confirmed that eap-ttls works with such a configuration.

OK, that one was a typo. I was actually referring to the cbtls_msg() function in cb.c,
which is never called. And now that I think of it (and read the EAP-TLS RFC):

        EAP-Message = 0x021100061500

So we do get an EAP-TLS Fragment ACK. But the callback function will *never* get
called for a packet like this (it isn't an actual TLS segment in any case). As a
result I don't think that the checks run in the eaptls_ack_handler() function
can actually work. I've removed them and now the TTLS session works much better
(I do get a core dump just before sending back the Access-Accept, but I'll
probably figure that one out).

>
>                 tls {
>                         private_key_password = ""
>                         private_key_file = /etc/1x/private.pem
>                         certificate_file = /etc/1x/cert.pem
>                         CA_file = /etc/1x/CA.pem
>                         dh_file = /etc/1x/DH
>                         random_file = /etc/1x/random
>                         fragment_size = 1024
>                 #               include_length = no
>                 }
>
> --
> Kostas Kalevras               Network Operations Center
> [EMAIL PROTECTED]     National Technical University of Athens, Greece
> Work Phone:           +30 210 7721861
> 'Go back to the shadow'       Gandalf

--
Kostas Kalevras         Network Operations Center
[EMAIL PROTECTED]       National Technical University of Athens, Greece
Work Phone:             +30 210 7721861
'Go back to the shadow' Gandalf

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
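As an added illustration of the point made in the message (not code from the thread or from FreeRADIUS): the EAP-Message quoted above, 0x021100061500, is an EAP-TLS/TTLS fragment ACK that carries no TLS record at all, so it has to be recognised from the EAP header and flags byte rather than by OpenSSL. The parser below decodes that ACK and a constructed first fragment (the 2048-byte flight, identifier 0x12 and TLS bytes are made up); field layout follows RFC 3748 and RFC 2716.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# EAP header (RFC 3748) plus the flags byte shared by EAP-TLS (type 13, RFC 2716)
# and EAP-TTLS (type 21). The low 3 flag bits carry the EAP-TTLS version.
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS, EAP_TYPE_TTLS = 13, 21
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20   # Length included / More fragments / Start

@dataclass
class EapTlsMessage:
    code: str
    identifier: int
    eap_type: int
    flags: int
    tls_total_len: Optional[int]   # present only when the L flag is set
    tls_data: bytes

    @property
    def is_fragment_ack(self) -> bool:
        # A fragment ACK is a Response with the flags byte and nothing after it: no TLS
        # data and no L/M/S bits. No TLS record means OpenSSL's callback never sees it.
        return (self.code == "Response" and not self.tls_data
                and not self.flags & (FLAG_L | FLAG_M | FLAG_S))

def parse_eap_message(raw: bytes) -> EapTlsMessage:
    """Decode one EAP-Message attribute value carrying EAP-TLS or EAP-TTLS."""
    if len(raw) < 6:
        raise ValueError("too short for EAP header + type + flags")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", raw[:6])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != actual {len(raw)}")
    if eap_type not in (EAP_TYPE_TLS, EAP_TYPE_TTLS):
        raise ValueError(f"not EAP-TLS/TTLS (type {eap_type})")
    body, total = raw[6:], None
    if flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        total, body = struct.unpack("!I", body[:4])[0], body[4:]
    return EapTlsMessage(EAP_CODE.get(code, f"code {code}"), ident, eap_type, flags, total, body)

def build_eap_tls(code: int, ident: int, eap_type: int, flags: int,
                  data: bytes = b"", total_len: int = 0) -> bytes:
    """Encode an EAP-TLS/TTLS packet; total_len is written only when L is set."""
    body = (struct.pack("!I", total_len) if flags & FLAG_L else b"") + data
    return struct.pack("!BBHBB", code, ident, 6 + len(body), eap_type, flags) + body

# The ACK quoted in the mail: Response, id 0x11, length 6, type 0x15 (TTLS), flags 0.
ACK_FROM_MAIL = bytes.fromhex("021100061500")
# Constructed first fragment of a 2048-byte server flight (L|M set, then 4-byte total length).
FIRST_FRAGMENT = build_eap_tls(1, 0x12, EAP_TYPE_TTLS, FLAG_L | FLAG_M, bytes.fromhex("16030107fb02"), 2048)
```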
