fragmented ipv4[udp] ignored by server.
Hi. I've successfully configured EAP-TLS with FreeRADIUS. However, with the default value for fragment_size in wpa_supplicant.conf, which is 1398, packets get fragmented and seem to be ignored by the server. Both systems are OpenBSD 7.2. Here is the output from tshark:

--target radius--
9 124.886123 10.10.2.10 → 10.10.2.1 RADIUS 188 Access-Request id=0
10 124.894967 10.10.2.1 → 10.10.2.10 RADIUS 106 Access-Challenge id=0
11 124.914163 10.10.2.10 → 10.10.2.1 RADIUS 373 Access-Request id=1
12 125.010446 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=1
13 125.014979 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=2
14 125.032537 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=2
15 125.034214 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=3
16 125.045650 10.10.2.1 → 10.10.2.10 RADIUS 300 Access-Challenge id=3

--source eapol_test with wpa_supplicant.conf---
1 0.00 10.10.2.10 → 10.10.2.1 RADIUS 188 Access-Request id=0
2 0.011025 10.10.2.1 → 10.10.2.10 RADIUS 106 Access-Challenge id=0
3 0.027023 10.10.2.10 → 10.10.2.1 RADIUS 373 Access-Request id=1
4 0.126651 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=1
5 0.127440 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=2
6 0.148742 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=2
7 0.149411 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=3
8 0.161846 10.10.2.1 → 10.10.2.10 RADIUS 300 Access-Challenge id=3
9 0.179447 10.10.2.10 → 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b444)
10 3.193244 10.10.2.10 → 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=b576)
11 9.213196 10.10.2.10 → 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=ef21)
12 21.233280 10.10.2.10 → 10.10.2.1 IPv4 1514 Fragmented IP protocol (proto=UDP 17, off=0, ID=00d0)

eapol_test fails. With fragment_size = 1212 set in wpa_supplicant.conf it succeeds. Output from tshark:

--target radius--
1 0.00 10.10.2.10 → 10.10.2.1 RADIUS 188 Access-Request id=0
2 0.006613 10.10.2.1 → 10.10.2.10 RADIUS 106 Access-Challenge id=0
3 0.024538 10.10.2.10 → 10.10.2.1 RADIUS 373 Access-Request id=1
4 0.104617 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=1
5 0.106355 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=2
6 0.114877 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=2
7 0.118679 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=3
8 0.128309 10.10.2.1 → 10.10.2.10 RADIUS 300 Access-Challenge id=3
9 0.145442 10.10.2.10 → 10.10.2.1 RADIUS 1415 Access-Request id=4
10 0.160230 10.10.2.1 → 10.10.2.10 RADIUS 106 Access-Challenge id=4
11 0.161621 10.10.2.10 → 10.10.2.1 RADIUS 1372 Access-Request id=5
12 0.262102 10.10.2.1 → 10.10.2.10 RADIUS 161 Access-Challenge id=5
13 0.263753 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=6
14 0.281330 10.10.2.1 → 10.10.2.10 RADIUS 226 Access-Accept id=6

--source eapol_test with wpa_supplicant.conf---
1 0.00 10.10.2.10 → 10.10.2.1 RADIUS 188 Access-Request id=0
2 0.010060 10.10.2.1 → 10.10.2.10 RADIUS 106 Access-Challenge id=0
3 0.023662 10.10.2.10 → 10.10.2.1 RADIUS 373 Access-Request id=1
4 0.108072 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=1
5 0.108734 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=2
6 0.118632 10.10.2.1 → 10.10.2.10 RADIUS 1320 Access-Challenge id=2
7 0.119341 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=3
8 0.132026 10.10.2.1 → 10.10.2.10 RADIUS 300 Access-Challenge id=3
9 0.147236 10.10.2.10 → 10.10.2.1 RADIUS 1415 Access-Request id=4
10 0.163300 10.10.2.1 → 10.10.2.10 RADIUS 106 Access-Challenge id=4
11 0.164158 10.10.2.10 → 10.10.2.1 RADIUS 1372 Access-Request id=5
12 0.265514 10.10.2.1 → 10.10.2.10 RADIUS 161 Access-Challenge id=5
13 0.266328 10.10.2.10 → 10.10.2.1 RADIUS 191 Access-Request id=6
14 0.284607 10.10.2.1 → 10.10.2.10 RADIUS 226 Access-Accept id=6

Question: How to avoid altering fragment_size to get this working? Some clients, like phones, cannot be configured so easily. Thank you. Mikhael.
Re: freeradius denies to authenticate with eap-tls
Hello and good day. Finally found the actual reason. The outer client fails EAP-TLS because of packet fragmentation. On the interface the MTU is set to 1500, and the packet is 1514. From tshark:

RADIUS 1514 Access-Request id=4[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]

If fragment_size in wpa_supplicant.conf is set to a slightly lower value, it helps and EAP-TLS is successful. That is fine for a configurable client, but what about phones, where all parameters are default?

# fragment_size: Maximum EAP fragment size in bytes (default 1398).
# This value limits the fragment size for EAP methods that support
# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
# small enough to make the EAP messages fit in MTU of the network
# interface used for EAPOL. The default value is suitable for most
# cases.

Any idea why this happens? Thank you.

On 2/27/23 13:56, Stuart Henderson wrote:
> (moving to ports#, reply-to is set, although this is unlikely to be OpenBSD-specific)
>
> On 2023/02/25 02:18, Mikhael Lialin wrote:
>> Trying to set up wifi with RADIUS EAP-TLS authentication, and getting a timeout while authenticating. Tried with a custom setup, and with the default setup using the certificates generated within the installation. In a ktrace of radiusd something is waiting:
>>
>> 28664 radiusd RET wait4 -1 errno 10 No child processes
>>
>> All configuration of FreeRADIUS is default after installation; nothing was modified. Please help. Debug and ktrace session attached.
>
> ktrace is too low-level to be useful here. freeradius won't work directly with the default setup; you at least need to configure shared secrets between the APs and freeradius (in clients.conf and on the AP), and tell freeradius how to decide whether a user is allowed to authenticate.
>
> You say EAP-TLS; this uses certificates for authentication on both the server *and* the client, so for that you'll also need to figure out how to get client certificates signed, etc. I strongly recommend ignoring this until you have the basics working with password-based auth. Follow https://wiki.freeradius.org/guide/Basic-configuration-HOWTO first and make sure it works with radtest on the local machine. (Note: if running it manually in debug mode as suggested in that guide, you will need the full path /usr/local/sbin/radiusd; there is a minimal radius daemon from the base OS in /usr/sbin/radiusd which does not support EAP/PEAP.) If that fails, it needs fixing first before moving on to one of the EAP methods that you need for WPA-Enterprise (either on an AP directly, or you can try eapol_test running on the freeradius server as shown in http://deployingradius.com/scripts/eapol_test/ - skip the "building eapol_test" section and pkg_add wpa_supplicant instead).
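The two captures in this thread (the 1514-byte fragmented frames with the default fragment_size, and the 1415-byte Access-Request that fits with fragment_size = 1212) follow from the RADIUS/UDP/IPv4 layering, since each EAP fragment is split into EAP-Message attributes of at most 253 bytes. The following is an added example, not code from the thread, from wpa_supplicant or from FreeRADIUS; it assumes an options-free IPv4 header, treats fragment_size as the EAP bytes carried per Access-Request, and calibrates the size of the non-EAP attributes from the observed 1415-byte frame.

```python
from math import ceil

# Constructed constants for the layering seen in the captures above.
ETH_HDR = 14       # Ethernet header; tshark's frame length includes it
IP_HDR = 20        # IPv4 header without options
UDP_HDR = 8
RADIUS_HDR = 20    # code, identifier, length, authenticator
EAP_MSG_MAX = 253  # payload per EAP-Message attribute (RFC 2869)
AVP_HDR = 2        # attribute type + length

def eap_message_overhead(eap_len: int) -> int:
    """Attribute-header bytes needed to carry eap_len bytes of EAP data."""
    return ceil(eap_len / EAP_MSG_MAX) * AVP_HDR

def calibrate_other_attrs(frame_len: int, fragment_size: int) -> int:
    """Back out the non-EAP attribute bytes (User-Name, State, ...) from an
    observed unfragmented Access-Request frame carrying one full fragment."""
    return (frame_len - ETH_HDR - IP_HDR - UDP_HDR - RADIUS_HDR
            - fragment_size - eap_message_overhead(fragment_size))

def ip_packet_size(fragment_size: int, other_attrs: int) -> int:
    """IPv4 datagram length of the Access-Request carrying one EAP fragment."""
    radius_len = (RADIUS_HDR + other_attrs + fragment_size
                  + eap_message_overhead(fragment_size))
    return IP_HDR + UDP_HDR + radius_len

def wire_frames(fragment_size: int, other_attrs: int, mtu: int = 1500) -> list:
    """Ethernet frame lengths the datagram produces on a link with this MTU."""
    total = ip_packet_size(fragment_size, other_attrs)
    if total <= mtu:
        return [ETH_HDR + total]
    per_frag = (mtu - IP_HDR) // 8 * 8   # fragment offsets are 8-byte units
    payload, frames = total - IP_HDR, []
    while payload > 0:
        chunk = min(per_frag, payload)
        frames.append(ETH_HDR + IP_HDR + chunk)
        payload -= chunk
    return frames

def max_fragment_size(other_attrs: int, mtu: int = 1500) -> int:
    """Largest fragment_size whose Access-Request still fits in one datagram."""
    size = mtu
    while ip_packet_size(size, other_attrs) > mtu:
        size -= 1
    return size

if __name__ == "__main__":
    other = calibrate_other_attrs(1415, 1212)  # from the working capture
    print("non-EAP attribute bytes:", other)                        # 131
    print("frames at default 1398:", wire_frames(1398, other))      # [1514, 123]
    print("largest safe fragment_size:", max_fragment_size(other))  # 1309
```

The 131 bytes of non-EAP attributes are specific to this capture's client; a NAS that adds more attributes (Called-Station-Id, vendor attributes) shrinks the largest safe fragment_size further, so the figure should be recalibrated from a capture of the actual authenticator rather than reused.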
[vmd] vmctl console hung
Hi, I'm running 6.2-current on a Lenovo TP x240 and installed Alpine Linux 3.6.2-virt as a vmm guest. I faced an issue where sometimes the vmctl console connection hangs, and reconnecting just points me to the thread that outputs what I'm typing, without interaction. However, while this happens I can connect to this vmm guest through ssh and everything works.