When using PEAP, it's normal to see that.

You really need to post your entire debug output somewhere if you want
help figuring out what the problem is.  Pieces here and there are quite
frustrating and like playing 20 questions.

--Mike


On Fri, 2004-04-23 at 18:10, Clayton Dukes wrote:
> Here's my latest error...
> TLS_accept:error in SSLv3 read client certificate A
> 
> Did I screw up the certificates?
> 
> 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bob
> McCormick
> Sent: Friday, April 23, 2004 5:40 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP) 
> 
> If it's working you should get something like this at the end of the
> debugs:
> 
> modcall: group authenticate returns ok for request 8
> Sending Access-Accept of id 47 to 10.140.24.12:21666
>          Session-Timeout := 300
>          MS-MPPE-Recv-Key = 0xa11d483cf9aba48bfab9540fd61d804c7237c5eda0b4dc05c54135d87943895f
>          MS-MPPE-Send-Key = 0xe5318527f167aed0bc874c07f301c966c58b3e93747df14a44b5f67477caaf35
>          EAP-Message = 0x03090004
>          Message-Authenticator = 0x00000000000000000000000000000000
>          User-Name = "bobm"
> Finished request 8
> Going to the next request
> 
> 
> I'm not seeing that in *your* debugs, so unless you left it out, it ain't
> working.
> Can you post the contents of your users file?
> 
> On Apr 23, 2004, at 4:28 PM, Clayton Dukes wrote:
> 
> > That's what I would have thought -- but the debugs seem to indicate 
> > that the laptop is connecting.
> > Any ideas for a next step?
> >
> > Here's my AP debug:
> >
> > Apr 23 18:25:05 EST: RADIUS(0000028A): Using existing nas_port 384
> > Apr 23 18:25:05 EST: RADIUS: Pick NAS IP for uid=650 tableid=0 cfg_addr=10.100.10.10 best_addr=0.0.0.0
> > Apr 23 18:25:05 EST: RADIUS: Pick NAS IP for uid=650 tableid=0 cfg_addr=10.100.10.10 best_addr=0.0.0.0
> > Apr 23 18:25:05 EST: RADIUS(0000028A): Send Access-Request to 16.19.20.133:1812 id 21647/105, len 147
> > Apr 23 18:25:05 EST: RADIUS: Received from id 21647/105 16.19.20.133:1812, Access-Challenge, len 82
> > Apr 23 18:25:05 EST: RADIUS/DECODE: EAP-Message fragments, 6, total 6 bytes
> >
> >
> > And here's the associated radius debug:
> >
> > Cleaning up request 53 ID 105 with timestamp 408997c2
> > Nothing to do.  Sleeping until we see a request.
> > rad_recv: Access-Request packet from host 16.19.20.5:59475, id=106, length=147
> >         User-Name = "cdukes"
> >         Framed-MTU = 1400
> >         Called-Station-Id = "000f.8f76.2e20"
> >         Calling-Station-Id = "0006.25a9.8594"
> >         Message-Authenticator = 0x9b684a21fff2d3e1a47467fd3f363ee2
> >         EAP-Message = 0x0211000b016364756b6573
> >         NAS-Port-Type = Wireless-802.11
> >         NAS-Port = 384
> >         State = 0x7ef8020751e4e748b152c0a9060b4c2d
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 10.100.10.10
> >         NAS-Identifier = "ap-noc"
> >   Processing the authorize section of radiusd.conf
> > modcall: entering group authorize for request 54
> >   modcall[authorize]: module "preprocess" returns ok for request 54
> >   modcall[authorize]: module "chap" returns noop for request 54
> >   modcall[authorize]: module "mschap" returns noop for request 54
> >     rlm_realm: No '@' in User-Name = "cdukes", looking up realm NULL
> >     rlm_realm: No such realm "NULL"
> >   modcall[authorize]: module "suffix" returns noop for request 54
> >   rlm_eap: EAP packet type response id 17 length 11
> >   rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> >   modcall[authorize]: module "eap" returns updated for request 54
> >     users: Matched DEFAULT at 152
> >     users: Matched DEFAULT at 171
> >     users: Matched cdukes at 215
> >   modcall[authorize]: module "files" returns ok for request 54
> > modcall: group authorize returns updated for request 54
> >   rad_check_password:  Found Auth-Type EAP
> > auth: type "EAP"
> >   Processing the authenticate section of radiusd.conf
> > modcall: entering group authenticate for request 54
> >   rlm_eap: EAP Identity
> >   rlm_eap: processing type tls
> >  rlm_eap_tls: Requiring client certificate
> >   rlm_eap_tls: Initiate
> >   rlm_eap_tls: Start returned 1
> >   modcall[authenticate]: module "eap" returns handled for request 54
> > modcall: group authenticate returns handled for request 54
> > Sending Access-Challenge of id 106 to 26.19.20.5:59475
> >         Framed-IP-Address = 255.255.255.254
> >         Framed-MTU = 576
> >         Service-Type = Framed-User
> >         EAP-Message = 0x011200060d20
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         State = 0xa934524327fc14393c93048971b9574c
> > Finished request 54
> > Going to the next request
> > --- Walking the entire request list ---
> > Waking up in 6 seconds...
> > --- Walking the entire request list ---
> > Cleaning up request 54 ID 106 with timestamp 408997e0
> > Nothing to do.  Sleeping until we see a request.
> >
> > #######END
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Alan 
> > DeKok
> > Sent: Friday, April 23, 2004 5:21 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: Cisco 1100 AP and XP Client using tls (PEAP)
> >
> > "Clayton Dukes" <[EMAIL PROTECTED]> wrote:
> >> Well, I have it working, at least it appears to be, but I am still
> >> not getting an ip on the laptop -- do I need to pass the dhcp server
> >> somewhere?
> >
> >   No.  The client should send a broadcast DHCP request, and the dhcp 
> > server should pick that up.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html


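Added example, not part of the original thread: a small Python decoder for the EAP-Message values that appear in radiusd debug output like the one quoted above. It reports, per RADIUS packet, the EAP code, identifier, method type and (for TLS-based methods) the flags octet. The function names, the short type table and the trimmed SAMPLE are constructed for illustration.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}

def decode_eap(hex_value):
    """Decode the EAP header (RFC 3748) from a hex string, with or without 0x."""
    raw = bytes.fromhex(hex_value.removeprefix("0x"))
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    out = {"code": EAP_CODES.get(raw[0], raw[0]), "id": raw[1],
           "length": length, "complete": length == len(raw)}
    if raw[0] in (1, 2) and len(raw) > 4:       # only Request/Response carry a Type
        eap_type, body = raw[4], raw[5:length]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            out["identity"] = body.decode("utf-8", "replace")
        elif eap_type in TLS_BASED and body:
            # Flags octet: 0x80 length included, 0x40 more fragments, 0x20 start
            bits = ((0x80, "L"), (0x40, "M"), (0x20, "S"))
            out["flags"] = [name for bit, name in bits if body[0] & bit]
    return out

PACKET = re.compile(r"(?:rad_recv: |Sending )(Access-[A-Za-z]+)")
EAP_ATTR = re.compile(r"EAP-Message = 0x([0-9a-fA-F]+)")

def trace(debug_text):
    """Return [(RADIUS packet type, decoded EAP)] in the order seen in the log."""
    packets = []                                # [packet type, joined EAP hex]
    for line in debug_text.splitlines():
        line = line.lstrip("> \t")              # tolerate mail quoting
        if (m := PACKET.search(line)):
            packets.append([m.group(1), ""])
        elif (m := EAP_ATTR.search(line)) and packets:
            packets[-1][1] += m.group(1)        # long EAP packets span several attributes
    return [(kind, decode_eap(hexstr)) for kind, hexstr in packets if hexstr]

# Constructed sample: lines trimmed from the debug output quoted in this thread.
SAMPLE = """\
rad_recv: Access-Request packet from host 16.19.20.5:59475, id=106,
        EAP-Message = 0x0211000b016364756b6573
Sending Access-Challenge of id 106 to 26.19.20.5:59475
        EAP-Message = 0x011200060d20
Sending Access-Accept of id 47 to 10.140.24.12:21666
        EAP-Message = 0x03090004
"""

if __name__ == "__main__":
    for packet, eap in trace(SAMPLE):
        print(packet, eap)
```

On the values from the thread this gives a Response/Identity for "cdukes" (id 17, length 11, matching the rlm_eap line), a Request of type EAP-TLS with the Start flag, and a Success packet.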