On 8/22/06, sheng <[EMAIL PROTECTED]> wrote:

There's a strange problem: each time the client sends a request, the server
tries to read the client certificate on the supplicant. I think it's very
strange considering that no client certificate is needed for peap/mschapv2.
This event is recorded in the handshake phase on the radius logfile (I've
listed it below). It seems the handshake phase fails because the
server can't read the client certificate.
[...]
    TLS_accept:error in SSLv3 read client certificate A
rlm_eap: SSL error error:00000000:lib(0):func(0):reason(0)
In SSL Handshake Phase
In SSL Accept mode
  eaptls_process returned 13
  rlm_eap_peap: EAPTLS_HANDLED

Hi,

if you are referring to the quoted part, that's not a problem. Roughly
put: openssl just mentions that it wasn't able to check the client
cert (which is possible, but unneeded for eap-peap).

Finished request 3
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 2 ID 19 with timestamp 44e9e42f
Cleaning up request 3 ID 138 with timestamp 44e9e42f
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host 172.24.26.144:1025, id=137, length=249
 Acct-Session-Id = "67671438"
 NAS-Port = 1
 NAS-Port-Type = Wireless-802.11
 User-Name = "alcatel"
 Calling-Station-Id = "00-0E-35-89-71-E0"
 Called-Station-Id = "00-03-52-01-84-7D"
 EAP-Message = 0x0280005019800000004616030100410100003d030144e9e54ee8bf5c390cecf9fa8b659b32ac0a7eb623919876fa26dd9dc220d75800001600040005000a000900640062000300060013001200630100
 State = 0x091ad12235d4b0c91ca834c803d04ee0
[...]
modcall: entering group authenticate for request 4
rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
rlm_eap: Failed in handler

Which of the two cases mentioned in the debug output to your further
requests might be happening I'm not sure of. There seems to elapse
quite some time, before they come in after the challenge was sent out.
That looks curious.

As your included data got truncated on the list you might consider
resending it as an attachment or using a pastebot and providing the link.

Maybe you could provide some sniffing on the wireless part (via
wireshark et al). That might be instructive in sorting out when who
did send what.

regards
K. Hoercher
(Hopefully gmail really could not send this out, as it kept telling
me. Otherwise this must be the 5th reply, if so please excuse me.)
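
An added example, not part of the original message or of FreeRADIUS: short of a wireless capture, the EAP-Message value in the Access-Request quoted above can be decoded by hand to see what the supplicant sent at that point. The function name `decode_eap_peap` is hypothetical, and the code assumes one unfragmented EAP-Message attribute whose TLS record starts at the beginning of the data.

```python
import struct

# EAP-Message value copied from the Access-Request in the debug output above.
EAP_MESSAGE = (
    "0x02800050198000000046"
    "16030100410100003d0301"
    "44e9e54ee8bf5c390cecf9fa8b659b32ac0a7eb623919876fa26dd9dc220d758"
    "00001600040005000a000900640062000300060013001200630100"
)

def decode_eap_peap(value):
    """Decode a single, unfragmented EAP-Message carrying EAP-TLS style data."""
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) < 6:
        raise ValueError("too short for an EAP-TLS style packet")
    code, ident, length, eap_type, flags = struct.unpack("!BBHBB", raw[:6])
    if length != len(raw):
        raise ValueError("EAP length field does not match the attribute size")
    out = {"code": code, "id": ident, "eap_type": eap_type,
           "length_included": bool(flags & 0x80),   # L flag
           "more_fragments": bool(flags & 0x40),    # M flag
           "start": bool(flags & 0x20)}             # S flag
    body = raw[6:]
    if flags & 0x80:                    # L set: 4-byte TLS message length follows
        out["tls_message_length"] = struct.unpack("!I", body[:4])[0]
        body = body[4:]
    if len(body) < 9 or body[0] != 22:  # 22 = TLS handshake record
        return out
    out["record_version"] = body[1:3].hex()
    out["handshake_type"] = body[5]
    if body[5] != 1:                    # 1 = ClientHello
        return out
    pos = 9                             # record header (5) + handshake header (4)
    out["client_version"] = body[pos:pos + 2].hex()
    out["client_gmt_unix_time"] = struct.unpack("!I", body[pos + 2:pos + 6])[0]
    pos += 2 + 32                       # version + 32-byte random
    sid_len = body[pos]
    out["session_id_length"] = sid_len
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    out["cipher_suites"] = [body[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
    return out

if __name__ == "__main__":
    for key, val in decode_eap_peap(EAP_MESSAGE).items():
        print(f"{key:22} {val}")
```

For this packet the decode gives an EAP-Response (code 2) of type 25 (PEAP) carrying a TLS 1.0 ClientHello with an empty session ID, so the supplicant was opening a TLS handshake in this Access-Request.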