Johan Arens wrote:
Hi


I cannot authenticate with the radius, I got this error when the handheld tries to auth:

Wed Feb 15 15:27:42 2006 : Info: Ready to process requests.
Wed Feb 15 15:28:21 2006 : Error: TLS_accept:error in SSLv3 read client certificate A
Wed Feb 15 15:28:21 2006 : Info: rlm_eap_tls: Received EAP-TLS ACK message

That is not a significant error - it's just noise, ignore it.


However, if I enable the radius inside the access point, the handheld can authenticate. This tells me that the handheld has been configured properly.



What is missing in my freeradius config?

Probably nothing. The last thing the server does is:

modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1
  eaptls_process returned 13
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 8 to 192.168.0.1:1024
        EAP-Message = snip
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x8c3b86d02966b223e117138d5c1d946e
Finished request 2
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 7 with timestamp 43f489f9
Cleaning up request 2 ID 8 with timestamp 43f489f9
Nothing to do.  Sleeping until we see a request.

The supplicant or the AP stops sending EAP messages. Up to that point as far as FreeRadius is concerned it's all fine. Consult the logs on the supplicant or AP to determine why.



Users

    gun Auth-Type := EAP, User-Password := "gun123"


Note, although it is not likely to be causing your current problems, it is ALMOST ALWAYS a bad idea to set Auth-Type to EAP. The default config is very specific on this. It will certainly fail later on when the inner request of the TTLS is handled and EAP gets forced for that username when in fact you want PAP or something.
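An added example, not part of the original thread or of FreeRADIUS itself: a small check that scans a `users` file for entries that force Auth-Type to EAP, the setting the reply above warns about. The function name `find_forced_eap`, the sample entries other than `gun`, and the assumed layout (entry line in column 0 with its check items on that line, reply items indented) are assumptions made for this illustration.

```python
import re

# Constructed sample in "users" file syntax; the "gun" entry is the one from the thread.
SAMPLE_USERS = """\
# constructed sample
gun Auth-Type := EAP, User-Password := "gun123"

alice User-Password := "constructed-pw"
        Reply-Message = "Hello"

bob Auth-Type == EAP, User-Password := "constructed-pw"

DEFAULT Auth-Type := Reject
"""

# ':=' and '=' assign the value; '==' only compares, so it is not a forced setting.
FORCED_EAP = re.compile(r'\bAuth-Type\s*(?::=|=(?!=))\s*"?EAP"?(?![\w-])', re.IGNORECASE)


def find_forced_eap(users_text):
    """Return (line_number, username) for entries whose check items force Auth-Type to EAP."""
    hits = []
    for number, line in enumerate(users_text.splitlines(), 1):
        # Assumption: entry lines start in column 0; indented lines hold reply
        # items and lines starting with '#' are comments.
        if not line or line[0] in " \t#":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and FORCED_EAP.search(parts[1]):
            hits.append((number, parts[0]))
    return hits


if __name__ == "__main__":
    for number, user in find_forced_eap(SAMPLE_USERS):
        print(f"line {number}: user {user!r} forces Auth-Type to EAP")
```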