Monday 24 September 2007 13:30:45 Alan DeKok napisał(a): > Janusz Syrytczyk wrote: > > Problem is that I cannot authenticate to my network with wpa_supplicant, > > although I could, and from Windows & Secure2w TTLS wrapper - I can. I use > > Gentoo and did some upgrades (but nothing special I guess, kernel is the > > same, and wpa_supplicant also) > > ... > > > Ready to process requests. > > < deleted> > > > EAP-Message = 0x020200060315 > > ... > > > rlm_eap: EAP-NAK asked for EAP-Type/ttls > > So the server starts EAP-TTLS: > > Sending Access-Challenge of id 90 to 217.173.193.40 port 4347 > > EAP-Message = 0x010300061520 > > The server increments the EAP id (byte 2 of the EAP-Message) > > > rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, > > length=201 > > ... > > > EAP-Message = 0x020200060315 > > And the supplicant responds with an EAP NAK, sating "No, I want > EAP-TTLS". > > Either the AP is broken, or the supplicant is broken. The supplicant > SHOULD NOT send back a NAK for something it just asked for. It should > also increment the EAP id field (byte 2). Instead, it re-uses the EAP Id. > > If the AP is broken, then it's the one that decides to NOT send the > EAP-TTLS start to the supplicant. Instead, it just echoes back the NAK > that the supplicant previously sent. > > Check the supplicant logs. If it's really sending the NAK twice, then > it is broken. If it's sending the NAK once, then the AP is broken. > > Alan DeKok. > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html
OK, I need to check my logs, but at once I tried changing AP... and it worked. So I assume you're right, and now I will try to debug my supplicant and if it goes right - change AP config (which is Cisco AP1242). Partly solved, I'll post more comments later. -- Syrytczyk Janusz - Administrator serwerów Centrum Informatyczne Uniwersytetu Opolskiego Nr telefonu: +48 77 452-70-91 E-mail: [EMAIL PROTECTED] - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
