(RADIATOR) Intel Proset 9.0 weirdness with EAP-TTLS

Mike McCauley mikem at open.com.au
Tue Jan 25 16:10:41 CST 2005


Hello Jeff,

The alert says it all:

> Tue Jan 25 11:23:57 2005: DEBUG: EAP result: 1, EAP TLS Handshake
> unsuccessful:  380: 1 - error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca

This means that the client gave up on the TLS handshake because it had not 
heard of the CA that signed the radius server's certificate. If your Radius 
server is using private CA certificate files (e.g. the sample ones we provide 
in /certificates), then you will also need to install the CA's root certificate 
(e.g. certificates/root.der) on the client, so it believes the radius server's 
certificate.

Hope that helps.

Cheers.

On Wednesday 26 January 2005 04:38, Jeff Wolfe wrote:
> Jeff Wolfe wrote:
> > Has anyone seen problems with users using the new 9.0 version of Intel's
> > Proset wireless drivers and centrino cards? I have a laptop here with
> > the 2200BG chipset and the 9.0 drivers and for reasons I can't explain,
> > it's adding a leading "\" to the User-Name inside the TTLS tunnel:
> >
> > Code:       Access-Request
> > Identifier: 120
> > Authentic:
> > Attributes:
> >         User-Name = "\jtw106"
> >         Framed-MTU = 1400
> >         Called-Station-Id = "00-0F-23-94-44-7E"
> >         Calling-Station-Id = "00-0E-35-1E-3D-8A"
> >         cisco-avpair = "ssid=ems-wpa"
> >         Service-Type = Login-User
> >         Message-Authenticator =
> >      EAP-Message =
> >         NAS-Port-Type = Wireless-IEEE-802-11
> >         Cisco-NAS-Port = "601"
> >         NAS-Port = 601
> >         NAS-IP-Address = 172.16.4.5
> >         NAS-Identifier = "rscap-3"
> >
> >
> > Actually, it stinks of some sort of Windows Domain logins and Bad
> > Code(tm)..
> >
> > anyway,
> >
> > What's the best way to sanitize the user-name before processing it?
>
> After testing this some more, I've found that 9.0 will properly go
> through the TTLS authentication process the first time, but on
> subsequent attempts, this shows up in the radiator logs:
>
>
> Tue Jan 25 11:23:57 2005: DEBUG: Handling request with Handler
> 'Client-Identifier=wpa'
> Tue Jan 25 11:23:57 2005: DEBUG: Rewrote user name to jtw106
> Tue Jan 25 11:23:57 2005: DEBUG:  Deleting session for \jtw106,
> 172.16.4.5, 610
> Tue Jan 25 11:23:57 2005: DEBUG: do query is: 'delete from RADONLINE
> where NASIDENTIFIER='172.16.4.5' and NASPORT=0610':
>
>
> Tue Jan 25 11:23:57 2005: DEBUG: Handling with Radius::AuthSQL
> Tue Jan 25 11:23:57 2005: DEBUG: Handling with Radius::AuthFILE:
> Tue Jan 25 11:23:57 2005: DEBUG: Handling with EAP: code 2, 5, 17
> Tue Jan 25 11:23:57 2005: DEBUG: Response type 21
> Tue Jan 25 11:23:57 2005: DEBUG: EAP TLS SSL_accept result: 0, 1, 8576
> Tue Jan 25 11:23:57 2005: DEBUG: EAP result: 1, EAP TLS Handshake
> unsuccessful:  380: 1 - error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
>
> Tue Jan 25 11:23:57 2005: INFO: Access rejected for jtw106: EAP TLS
> Handshake unsuccessful:  380: 1 - error:14094418:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
>
>
>
>
> Any ideas? I presume this is a broken supplicant. Oh well..
>
> -JEff
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS etc.
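
Added example, not part of the original message or of Radiator: decoding the OpenSSL error code from the log line quoted above shows that the failure is a certificate-trust alert received from the peer, which matches the diagnosis in the reply. It assumes the packed error layout used by OpenSSL releases before 3.0 (library in the top byte, function in the next 12 bits, reason in the low 12 bits); the function names are hypothetical.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) that concern certificate trust.
TLS_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

ERR_LIB_SSL = 20            # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000  # OpenSSL's SSL_AD_REASON_OFFSET
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into lib, func and reason."""
    code = int(code_hex, 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    # libssl reasons above the offset mean "the peer sent alert N".
    if lib == ERR_LIB_SSL and reason > ALERT_REASON_OFFSET:
        alert = reason - ALERT_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason,
            "alert": alert, "alert_name": TLS_ALERTS.get(alert)}


def peer_trust_alerts(log_text):
    """Return decoded errors where the peer sent a certificate-trust alert."""
    hits = [decode_openssl_error(m.group(1)) for m in ERR_RE.finditer(log_text)]
    return [h for h in hits if h["alert_name"]]


# Constructed sample: the debug line quoted in this thread, wrapped as in the mail.
SAMPLE = """Tue Jan 25 11:23:57 2005: DEBUG: EAP result: 1, EAP TLS Handshake
unsuccessful:  380: 1 - error:14094418:SSL
routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
"""

if __name__ == "__main__":
    for hit in peer_trust_alerts(SAMPLE):
        print(hit)
```
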
