Hi! We are using EAP/TLS for wired authentication on our networks. At one of our sites the SSL negotiation fails when the client is connected behind a Cisco 7962 IP phone. We have this same setup working on other sites. The phone model varies between the sites, but I cannot find any information about incompatibilities for this particular phone model that would indicate it is the phone causing the problem.
I figured that the problem was caused by fragmentation, but after adjusting the fragment_size parameter in eap.conf according to the comments:

# This can never exceed the size of a RADIUS
# packet (4096 bytes), and is preferably half
# that, to accommodate other attributes in
# RADIUS packet. On most APs the MAX packet
# length is configured between 1500 - 1600
# In these cases, fragment size should be
# 1024 or less.

...without any result, I am not sure anymore. When I connect the client directly to a switch port, without the IP phone in between, everything works perfectly.

Here is the relevant part of the RADIUS debug output. First session - without IP phone, directly connected to the switch [ client -> switch ]:

------------------------------------------------------------------------------
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Root CA
[tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Sub CA
[tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = US-LAPJAMIESON.us.xxxx.yyy
[tls] --> subject = /CN=US-LAPJAMIESON.us.xxxx.yyy
[tls] --> issuer = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> verify return:1
[tls] TLS_accept: SSLv3 read client certificate A
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] TLS_accept: SSLv3 read client key exchange A
[tls] <<< TLS 1.0 Handshake [length 0106], CertificateVerify
[tls] TLS_accept: SSLv3 read certificate verify A
[tls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 read finished A
[tls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[tls] TLS_accept: SSLv3 write change cipher spec A
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
[tls] TLS_accept: SSLv3 write finished A
[tls] TLS_accept: SSLv3 flush data
[tls] (other): SSL negotiation finished successfully
SSL Connection Established
------------------------------------------------------------------------------

------------------------------------------------------------------------------
Second session - with IP phone in between [ client -> ipphone -> switch ]:
------------------------------------------------------------------------------
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] eaptls_verify returned 7
[tls] Done initial handshake
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Root CA
[tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] error=0
[tls] --> User-Name = host/US-LAPJAMIESON.us.xxxx.yyy
[tls] --> BUF-Name = Xxxx Sub CA
[tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> issuer = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
TLS Alert write:fatal:decrypt error
TLS_accept: error in SSLv3 read client certificate B
rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
TLS receive handshake failed during operation
[tls] eaptls_process returned 4
[eap] Handler failed in EAP/tls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> host/US-LAPJAMIESON.us.xxxx.yyy
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 11 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 11
Sending Access-Reject of id 50 to 192.168.207.202 port 1812
EAP-Message = 0x040c0004
Message-Authenticator = 0x00000000000000000000000000000000
------------------------------------------------------------------------------
------------------------------------------------------------------------------

I am stuck, any suggestions would be much appreciated.

Brgds,
//Dan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
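A small triage script for debug output like the two sessions above, added here as an example; it is not Dan's code and not part of FreeRADIUS. It reads the `[tls]` lines, records which chain depth verified and which failed, the TLS alert the server sent, the OpenSSL error string, and how many EAP fragments the Certificate handshake message needs at a given fragment_size (a lower-bound estimate, since the [length] value is the handshake body only). The sample lines are constructed from the failing session in the post, with the depth-0 block filled in because the paste is cut off there.

```python
import math
import re

# Constructed sample, modelled on the failing session in the post. The depth-0
# block is filled in for illustration (the original paste is truncated there).
SAMPLE_FAILING = """\
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] --> subject = /C=SE/O=Xxxx Communications AB/OU=IT-group/CN=Xxxx Root CA
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] --> subject = /DC=com/DC=xxxx/CN=Xxxx Sub CA
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] --> subject = /CN=US-LAPJAMIESON.us.xxxx.yyy
--> verify error:num=7:certificate signature failure
[tls] >>> TLS 1.0 Alert [length 0002], fatal decrypt_error
rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01
"""

# Constructed sample for the working session: all three depths verify.
SAMPLE_OK = """\
[tls] <<< TLS 1.0 Handshake [length 0b2e], Certificate
[tls] chain-depth=2,
[tls] --> verify return:1
[tls] chain-depth=1,
[tls] --> verify return:1
[tls] chain-depth=0,
[tls] --> verify return:1
[tls] (other): SSL negotiation finished successfully
"""

HANDSHAKE_RE = re.compile(r"<<< TLS 1\.0 Handshake \[length ([0-9a-f]+)\], (\w+)")
DEPTH_RE = re.compile(r"chain-depth=(\d+)")
SUBJECT_RE = re.compile(r"--> subject = (.+)")
VERIFY_OK_RE = re.compile(r"--> verify return:1")
VERIFY_ERR_RE = re.compile(r"--> verify error:num=(\d+):(.+)")
ALERT_RE = re.compile(r">>> TLS 1\.0 Alert \[length [0-9a-f]+\], fatal (\w+)")
SSL_ERR_RE = re.compile(r"SSL error error:([0-9A-Fa-f]+):(.+)")


def analyze_eap_tls_debug(text, fragment_size=1024):
    """Parse FreeRADIUS [tls] debug lines into a per-depth verification report."""
    report = {"handshake_messages": [], "chain": {}, "alert": None, "ssl_error": None}
    depth = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HANDSHAKE_RE.search(line)
        if m:  # (message name, body length in bytes) as received by the server
            report["handshake_messages"].append((m.group(2), int(m.group(1), 16)))
            continue
        m = DEPTH_RE.search(line)
        if m:  # a new certificate in the chain; depth 0 is the client's own cert
            depth = int(m.group(1))
            report["chain"][depth] = {"subject": None, "verified": None, "error": None}
            continue
        if depth is not None:
            m = SUBJECT_RE.search(line)
            if m:
                report["chain"][depth]["subject"] = m.group(1).strip()
                continue
            if VERIFY_OK_RE.search(line):
                report["chain"][depth]["verified"] = True
                continue
            m = VERIFY_ERR_RE.search(line)
            if m:
                report["chain"][depth]["verified"] = False
                report["chain"][depth]["error"] = f"{m.group(1)}:{m.group(2).strip()}"
                continue
        m = ALERT_RE.search(line)
        if m:
            report["alert"] = m.group(1)
            continue
        m = SSL_ERR_RE.search(line)
        if m:
            report["ssl_error"] = m.group(2).strip()
    cert_len = next((n for name, n in report["handshake_messages"] if name == "Certificate"), 0)
    report["certificate_bytes"] = cert_len
    # Lower bound: the Certificate body alone needs this many EAP-TLS fragments.
    report["min_eap_fragments"] = math.ceil(cert_len / fragment_size) if cert_len else 0
    report["failed_depth"] = next(
        (d for d, c in report["chain"].items() if c["verified"] is False), None)
    return report


def diagnose(report):
    """Turn the report into findings a network engineer can act on."""
    findings = []
    if report["min_eap_fragments"] > 1:
        findings.append(f"Certificate message is {report['certificate_bytes']} bytes and spans at "
                        f"least {report['min_eap_fragments']} EAP fragments; every device on the "
                        "client-to-NAS path must forward each fragment unchanged.")
    fd = report["failed_depth"]
    if fd is not None:
        higher_ok = all(c["verified"] for d, c in report["chain"].items() if d > fd)
        if fd == 0 and higher_ok and "RSA_padding_check" in (report["ssl_error"] or ""):
            findings.append("CA chain verified but the client certificate's signature did not "
                            "decrypt to valid PKCS#1 padding: the bytes the server reassembled "
                            "differ from what the client sent (corruption in transit or in "
                            "fragment reassembly), not a trust or CA configuration problem.")
        else:
            findings.append(f"Verification failed at chain depth {fd}: {report['chain'][fd]['error']}")
    return findings


if __name__ == "__main__":
    for label, sample in (("failing", SAMPLE_FAILING), ("working", SAMPLE_OK)):
        print(label, diagnose(analyze_eap_tls_debug(sample)))
```

Run it against a full `radiusd -X` capture by reading the file into `analyze_eap_tls_debug`; the distinction it draws (depth 2 and 1 verified, depth 0 failed with an RSA padding error) is what separates a damaged-in-transit certificate from a genuine trust failure, where the error would appear at the CA depth instead.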