hi
alan, please see the remark in text.
[EMAIL PROTECTED] wrote:
> I am testing EAP-TLS with Windows XP (EAP-TLS supplicant), Freeradius (running on Redhat 9) and Cisco Aironet 1100 series Access Point. I have done all the required setup and EAP-TLS authentication has been successful with that setup. But the problem is within the EAP-TLS packet sequence. From the ethereal capture (from WinXP) it is shown that after "Server hello/Certificate/Certificate Request/Server hello done" packet transmission freeradius is sending "EAP-Success" message followed by "EAPOL-Key" messages (radius log also displays
freeradius NEVER sends the EAPOL Key message. also the sending of an encapsulated EAP-Success is without any interest. The AP only wants to see the Access-Accept and that is what freeradius is responsible for.
> the same sequence). There is no evidence of transmitting "Client certificate/Client Key exchange" message from XP supplicant. But according to the RFC Client MUST provide certificate whenever server requests for a client certificate. So in turn there does not occur any client side authentication, only server side authentication has been done. I am testing against XP's "Administrator" login.
why did you set the User-Password? you do not need any user password. just comment out both lines and try again.
(also why did you explicitly set the Auth-Type? the eap.conf *shouts* that you should not do that.)
> I am not sure whether it's the right behaviour from XP/Freeradius or I have to change setup to make the thing working correctly. So please can anyone help on this matter?
actually, IMHO, it's not. even provided with a user-password the TLS module should not just accept the user.
alan, what do you think, is it a bug? even if i configure a user with a user-password, the TLS module should not just accept him without Client Certificate request, should it?
ciao artur
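As an added illustration of what the reply above asks for (not from the thread or from the freeradius project): a hypothetical freeradius 1.x "users" file entry for the XP login in the shape the poster seems to have, beside the same entry with both lines taken out. The username, password and exact file syntax are assumptions.

```conf
# Hypothetical freeradius 1.x "users" entry (assumed, not from the thread).
# Form the reply objects to: Auth-Type is forced by hand (eap.conf warns
# against this) and a User-Password check item is supplied, which is what
# the reply suspects lets the user through on the password alone instead
# of on a client certificate.
"Administrator"   Auth-Type := EAP, User-Password == "secret"

# Form the reply asks for: no Auth-Type and no User-Password. The eap
# module sets Auth-Type itself when it sees an EAP-Message, and rlm_eap_tls
# then decides the Access-Accept on the TLS handshake (including the client
# certificate the server requested). For EAP-TLS the entry can also be
# omitted altogether, since the identity comes from the certificate.
"Administrator"
```

Verify the fix from the server side rather than the supplicant: after the change, the radius debug output should show the TLS client certificate being presented and checked before the Access-Accept, and an XP client without a valid certificate should get an Access-Reject.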
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

