Alan,
We have tried with patch provided. Here is the Debug log form old (master 2.2.0) and new (latest 2.x.x branch 18/2/2013) Old one: Here the tls state machine goes from Access-Request to Access-Challenge and then to Access-Accepted And New one: Here the tls state machine goes from Access-Request to Access-Rejected and then ends with segmentation fault Note: configuration of Client and Switch remains the same in both cases. What could have gone wrong?? /////////////////////////////// Old one: rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=3, length=1020 Sat Aug 18 03:04:46 2012 : Info: Found Auth-Type = EAP Sat Aug 18 03:04:46 2012 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 03:04:46 2012 : Info: +- entering group authenticate {...} Sat Aug 18 03:04:46 2012 : Info: [eap] Request found, released from the list Sat Aug 18 03:04:46 2012 : Info: [eap] EAP/tls Sat Aug 18 03:04:46 2012 : Info: [eap] processing type tls Sat Aug 18 03:04:46 2012 : Info: [tls] Authenticate Sat Aug 18 03:04:46 2012 : Info: [tls] processing EAP-TLS Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_verify returned 7 Sat Aug 18 03:04:46 2012 : Info: [tls] Done initial handshake Sat Aug 18 03:04:46 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 05f6], Certificate Sat Aug 18 03:04:46 2012 : Info: [tls] chain-depth=1, Sat Aug 18 03:04:46 2012 : Info: [tls] error=0 Sat Aug 18 03:04:46 2012 : Info: [tls] --> User-Name = testuse...@vitesse.com Sat Aug 18 03:04:46 2012 : Info: [tls] --> BUF-Name = MACsec Test CA Sat Aug 18 03:04:46 2012 : Info: [tls] --> subject = /C=FI/O=SafeNet, Inc./CN=MACsec Test CA Sat Aug 18 03:04:46 2012 : Info: [tls] --> issuer = /C=FI/O=SafeNet, Inc./CN=MACsec Test CA Sat Aug 18 03:04:46 2012 : Info: [tls] --> verify return:1 Sat Aug 18 03:04:46 2012 : Info: [tls] chain-depth=0, Sat Aug 18 03:04:46 2012 : Info: [tls] error=0 Sat Aug 18 03:04:46 2012 : Info: [tls] --> User-Name = testuse...@vitesse.com Sat Aug 18 03:04:46 2012 : Info: [tls] --> BUF-Name = test user 2 Sat Aug 18 03:04:46 2012 : Info: [tls] --> verify return:1 Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read client certificate A Sat Aug 18 03:04:46 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read client key exchange A Sat Aug 18 03:04:46 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read certificate verify A Sat Aug 18 03:04:46 2012 : Info: [tls] <<< TLS 1.0 ChangeCipherSpec [length 0001] Sat Aug 18 03:04:46 2012 : Info: [tls] <<< TLS 1.0 Handshake [length 0010], Finished Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 read finished A Sat Aug 18 03:04:46 2012 : Info: [tls] >>> TLS 1.0 ChangeCipherSpec [length 0001] Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 write change cipher spec A Sat Aug 18 03:04:46 2012 : Info: [tls] >>> TLS 1.0 Handshake [length 0010], Finished Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 write finished A Sat Aug 18 03:04:46 2012 : Info: [tls] TLS_accept: SSLv3 flush data Sat Aug 18 03:04:46 2012 : Info: [tls] (other): SSL negotiation finished successfully Sat Aug 18 03:04:46 2012 : Debug: SSL Connection Established Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_process returned 13 Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns handled Sending Access-Challenge of id 3 to 10.0.1.10 port 1645 EAP-Message = 0x010c00350d800000002b1403010001011603010020f2847b79b15d316feb376cd0294bffca228fb31bcdfd4e3ac450b4b3148c0eda Message-Authenticator = 0x00000000000000000000000000000000 State = 0x1bc2fd5d1fcef0fc7198dd89ed915160 Sat Aug 18 03:04:46 2012 : Info: Finished request 4. Sat Aug 18 03:04:46 2012 : Debug: Going to the next request Sat Aug 18 03:04:46 2012 : Debug: Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=4, length=191 Sat Aug 18 03:04:46 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 03:04:46 2012 : Info: +- entering group authorize {...} Sat Aug 18 03:04:46 2012 : Info: ++[preprocess] returns ok Sat Aug 18 03:04:46 2012 : Info: ++[chap] returns noop Sat Aug 18 03:04:46 2012 : Info: ++[mschap] returns noop Sat Aug 18 03:04:46 2012 : Info: ++[digest] returns noop Sat Aug 18 03:04:46 2012 : Info: [suffix] Looking up realm "vitesse.com" for User-Name = "testuse...@vitesse.com" Sat Aug 18 03:04:46 2012 : Info: [suffix] No such realm "vitesse.com" Sat Aug 18 03:04:46 2012 : Info: ++[suffix] returns noop Sat Aug 18 03:04:46 2012 : Info: [eap] EAP packet type response id 12 length 6 Sat Aug 18 03:04:46 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns updated Sat Aug 18 03:04:46 2012 : Info: ++[files] returns noop Sat Aug 18 03:04:46 2012 : Info: ++[expiration] returns noop Sat Aug 18 03:04:46 2012 : Info: ++[logintime] returns noop Sat Aug 18 03:04:46 2012 : Info: ++[pap] returns noop Sat Aug 18 03:04:46 2012 : Info: Found Auth-Type = EAP Sat Aug 18 03:04:46 2012 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 03:04:46 2012 : Info: +- entering group authenticate {...} Sat Aug 18 03:04:46 2012 : Info: [eap] Request found, released from the list Sat Aug 18 03:04:46 2012 : Info: [eap] EAP/tls Sat Aug 18 03:04:46 2012 : Info: [eap] processing type tls Sat Aug 18 03:04:46 2012 : Info: [tls] Authenticate Sat Aug 18 03:04:46 2012 : Info: [tls] processing EAP-TLS Sat Aug 18 03:04:46 2012 : Info: [tls] Received TLS ACK Sat Aug 18 03:04:46 2012 : Info: [tls] ACK handshake is finished Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_verify returned 3 Sat Aug 18 03:04:46 2012 : Info: [tls] eaptls_process returned 3 Sat Aug 18 03:04:46 2012 : Info: [tls] Adding user data to cached session Sat Aug 18 03:04:46 2012 : Info: [eap] Freeing handler Sat Aug 18 03:04:46 2012 : Info: ++[eap] returns ok Sat Aug 18 03:04:46 2012 : Info: # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 03:04:46 2012 : Info: +- entering group post-auth {...} Sat Aug 18 03:04:46 2012 : Info: ++[exec] returns noop Sat Aug 18 03:04:46 2012 : Info: expand: %{reply:EAP-Session-Id} -> Sat Aug 18 03:04:46 2012 : Info: ++[reply] returns noop Sending Access-Accept of id 4 to 10.0.1.10 port 1645 MS-MPPE-Recv-Key = 0xabfde3ba0cc6ec4bf616ec5c094607c9ba1c4b9936ff5145b50f35e19f15423f MS-MPPE-Send-Key = 0x1855579adb2ba678eef70b24a449df8f8a8d9ac120b2a82fbe44371aa6f976e6 EAP-Message = 0x030c0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "testuse...@vitesse.com" Sat Aug 18 03:04:46 2012 : Info: Finished request 5. Sat Aug 18 03:04:46 2012 : Debug: Going to the next request Sat Aug 18 03:04:46 2012 : Debug: Waking up in 4.8 seconds /////////////////////////////// And New one: Here the tls state machine goes from Access-Request to Access-Rejected and then segmentation fault rad_recv: Access-Request packet from host 10.0.1.10 port 1645, id=147, length=205 Sat Aug 18 02:44:32 2012 : Info: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 02:44:32 2012 : Info: +- entering group authorize {...} Sat Aug 18 02:44:32 2012 : Info: ++[preprocess] returns ok Sat Aug 18 02:44:32 2012 : Info: ++[chap] returns noop Sat Aug 18 02:44:32 2012 : Info: ++[mschap] returns noop Sat Aug 18 02:44:32 2012 : Info: ++[digest] returns noop Sat Aug 18 02:44:32 2012 : Info: [suffix] Looking up realm "vitesse.com" for User-Name = "testuse...@vitesse.com" Sat Aug 18 02:44:32 2012 : Info: [suffix] No such realm "vitesse.com" Sat Aug 18 02:44:32 2012 : Info: ++[suffix] returns noop Sat Aug 18 02:44:32 2012 : Info: [eap] EAP packet type response id 1 length 38 Sat Aug 18 02:44:32 2012 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation Sat Aug 18 02:44:32 2012 : Info: ++[eap] returns updated Sat Aug 18 02:44:32 2012 : Info: ++[files] returns noop Sat Aug 18 02:44:32 2012 : Info: ++[expiration] returns noop Sat Aug 18 02:44:32 2012 : Info: ++[logintime] returns noop Sat Aug 18 02:44:32 2012 : Info: [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. Sat Aug 18 02:44:32 2012 : Info: ++[pap] returns noop Sat Aug 18 02:44:32 2012 : Info: Found Auth-Type = EAP Sat Aug 18 02:44:32 2012 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 02:44:32 2012 : Info: +- entering group authenticate {...} Sat Aug 18 02:44:32 2012 : Info: [eap] EAP Identity Sat Aug 18 02:44:32 2012 : Info: [eap] processing type tls Sat Aug 18 02:44:32 2012 : Info: [tls] Requiring client certificate Sat Aug 18 02:44:32 2012 : Info: [tls] Initiate Sat Aug 18 02:44:32 2012 : Info: [tls] Start returned 1 Sat Aug 18 02:44:32 2012 : Info: ++[eap] returns handled Sat Aug 18 02:44:32 2012 : Info: Failed to authenticate the user. Sat Aug 18 02:44:32 2012 : Info: Using Post-Auth-Type REJECT Sat Aug 18 02:44:32 2012 : Info: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Sat Aug 18 02:44:32 2012 : Info: +- entering group REJECT {...} Sat Aug 18 02:44:32 2012 : Info: [attr_filter.access_reject] expand: %{User-Name} -> testuse...@vitesse.com Sat Aug 18 02:44:32 2012 : Debug: attr_filter: Matched entry DEFAULT at line 11 Sat Aug 18 02:44:32 2012 : Info: ++[attr_filter.access_reject] returns updated Sat Aug 18 02:44:32 2012 : Info: Delaying reject of request 0 for 1 seconds Sat Aug 18 02:44:32 2012 : Debug: Going to the next request Sat Aug 18 02:44:32 2012 : Debug: Waking up in 0.9 seconds. Sat Aug 18 02:44:33 2012 : Info: Sending delayed reject for request 0 Sending Access-Reject of id 147 to 10.0.1.10 port 1645 Sat Aug 18 02:44:33 2012 : Debug: Waking up in 0.3 seconds. Sat Aug 18 02:44:33 2012 : Info: Sending delayed reject for request 1 Sending Access-Reject of id 148 to 10.0.1.10 port 1645 Thanks, Srinivas B CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html