Hi Alan,

This is the duplicate EAP-Message:
This is the Freeradius output before the encode:

Mon Mar 8 08:51:30 2004 : Debug: TTLS::process_reply
Mon Mar 8 08:51:30 2004 : Debug: TTLS: Got tunneled Access-Challenge
TTLS tunnel data out 0000: 00 00 00 4f 40 00 00 3b 01 02 00 33 1a 03 01 00
TTLS tunnel data out 0010: 2e 53 3d 42 46 33 41 43 35 43 33 45 33 34 36 36
TTLS tunnel data out 0020: 46 44 43 42 42 37 42 34 39 41 37 44 30 33 37 44
TTLS tunnel data out 0030: 37 41 33 43 38 33 34 41 41 38 36 00 00 00
Mon Mar 8 08:51:30 2004 : Debug: TTLS: handled Access-Challenge

Put it together into a 4 byte sequence and you can see the incorrect padding. It should be 1:

00 00 00 4f 40 00 00 3b 01 02 00 33 1a 03 01 00 2e 53 3d 42 46 33 41 43 35 43 33 45 33 34 36 36 46 44 43 42 42 37 42 34 39 41 37 44 30 33 37 44 37 41 33 43 38 33 34 41 41 38 36 00 <- this is correct
00 00 <- these are incorrect

The TLS decoded blob of data received by SecureW2 is:

8:51:30:871::TLSDecBlock::pbDecBlock(136):
0000004F400000340101002C1A0101002710CA9F5BCBDDA23929D85DBEC28414E859746F6D2E7269786F6D40746573742E636F6D0000004F4000003B010200331A0301002E533D424633414335433345333436364644434242374234394137443033374437413343383334414138360000005BE6A6D35924F1B695ED7D04A33B3472FB2D820A0101

You can see the two EAP-messages, the MAC and the padding.

EAP-Message1: 0000004F400000340101002C1A0101002710CA9F5BCBDDA23929D85DBEC28414E859746F6D2E7269786F6D40746573742E636F6D
EAP-Message2: 0000004F4000003B010200331A0301002E533D42463341433543334533343636464443424237423439413744303337443741334338333441413836
MAC: 0000005BE6A6D35924F1B695ED7D04A33B3472FB2D820A
Padding: 0101

This means the extra EAP-Message is either added or not flushed before encryption takes place. And I checked, the extra EAP-Message is the message previously sent by FreeRadius. The extra message looks like the response to an EAP-Identity message as it has the name of our TTLS server.

Thanks,

Tom.
> -----Original Message-----
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 09, 2004 5:11 PM
> To: [EMAIL PROTECTED]
> Subject: Re: EAP-TTLS-EAP-*
>
>
> "Tom Rixom" <[EMAIL PROTECTED]> wrote:
> > I am using a debugged version of our SecureW2 Client v2.0.0 and I am
> > seeing the double EAP-Message just after decryption so that means it
> > must have been sent by the FreeRadius server. Even the MAC checks
> > out.
>
> Ok. Is the first EAP-Message a duplicate of a previous one? If so,
> we know at that point, the "tunnel data" buffer isn't being flushed.
>
> > You are saying the Aegis Client did not pick this up?
>
> <g> It looks that way. Maybe the Aegis client didn't even get the
> duplicate EAP-Messages, because its interaction with the server is
> different.
>
> > I can get the SecureW2 v2.0.0 client to work but then I need to ignore
> > the incorrect padding...
>
> That should be easy to fix. The "vp2diameter" code prints the "TTLS
> tunnel data out", so you should see if the extra data is there, or is
> added elsewhere.
>
> > I want to do the same with freeradius as this is another radius server
> > frequently used by our customers.
>
> I agree. I'd like to see it fixed, too.
>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
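A small decoder for the AVP framing carried inside the TTLS tunnel, added here as an illustration and not code from the list post, from FreeRADIUS or from SecureW2. It walks the hex dumps quoted in the message above and reports the two symptoms described there: the surplus zero bytes after the 59-byte EAP-Message AVP and the earlier EAP-Message that reappears in the same record. The AVP layout (4-byte code, 1-byte flags, 3-byte length including the header, zero padding to a 4-byte boundary) is the EAP-TTLS one; the EAP-identifier comparison in `stale_eap_ids` is an assumed heuristic, not something the post states.

```python
import struct

EAP_MESSAGE = 79  # RADIUS attribute 79, carried as a Diameter AVP inside the TTLS tunnel

def encode_avp(code: int, data: bytes, flags: int = 0x40) -> bytes:
    """AVP = code(4) flags(1) length(3, header included) data, zero-padded to a 4-byte boundary."""
    length = 8 + len(data)
    header = struct.pack(">IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * ((-length) % 4)

def decode_avps(blob: bytes):
    """Walk tunnel data. Returns ([(code, flags, data)], leftover): leftover is a tail too
    short to be an AVP header, e.g. surplus padding the sender should not have emitted."""
    avps, off = [], 0
    while len(blob) - off >= 8:
        code, flags = struct.unpack_from(">IB", blob, off)
        length = int.from_bytes(blob[off + 5:off + 8], "big")
        if length < 8 or off + length > len(blob):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        pad = (-length) % 4
        if any(blob[off + length:off + length + pad]):
            raise ValueError(f"non-zero padding after AVP at offset {off}")
        avps.append((code, flags, blob[off + 8:off + length]))
        off += length + pad
    return avps, blob[off:]

def stale_eap_ids(avps):
    """Assumed heuristic: EAP identifiers differing from the last EAP-Message's. A server sends
    one EAP packet per round (fragments share the identifier), so any other id is a leftover."""
    ids = [d[1] for code, _, d in avps if code == EAP_MESSAGE and len(d) >= 4]
    return [i for i in ids if i != ids[-1]] if ids else []

def audit(blob: bytes) -> dict:
    avps, leftover = decode_avps(blob)
    return {"avps": len(avps), "leftover": leftover, "stale_eap_ids": stale_eap_ids(avps)}

# Hex copied from the post: the 62-byte Access-Challenge dump (three trailing zeros where the
# 59-byte AVP needs one) and the 52-byte earlier EAP-Message that reappeared in the record.
CHALLENGE_DUMP = bytes.fromhex(
    "0000004f4000003b010200331a0301002e533d42463341433543334533343636"
    "464443424237423439413744303337443741334338333441413836000000")
PREVIOUS_EAP = bytes.fromhex(
    "0000004f400000340101002c1a0101002710ca9f5bcbdda23929d85dbec28414"
    "e859746f6d2e7269786f6d40746573742e636f6d")

if __name__ == "__main__":
    print(audit(CHALLENGE_DUMP))                 # one AVP, leftover b'\x00\x00'
    print(audit(PREVIOUS_EAP + CHALLENGE_DUMP))  # two AVPs, stale EAP id 1
    print(len(encode_avp(EAP_MESSAGE, CHALLENGE_DUMP[8:59])))  # 60, not 62
```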