RE: Wrong sequence of packets during re-authentication

2005-09-25 Thread Bilal Shahid

Hello again,

Can someone please help me with this? I am clueless as to how to solve this problem.

Thanks,
Bilal

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bilal Shahid
Sent: Friday, September 23, 2005 4:00 PM
To: freeradius-users@lists.freeradius.org
Subject: Wrong sequence of packets during re-authentication

Hello all,

During my 802.1X Supplicant's re-authentication (using EAP-TTLS) with
FreeRADIUS using DLINK switch, I face the following scenario:

Sometimes "during re-authentication", one of the FreeRADIUS's replies does
not reach the DLINK switch. When DLINK's RADIUS timer expires, it re-starts
the re-authentication by sending the Supplicant's identity to FreeRADIUS. At
this time, an initial couple of packets are exchanged correctly, however
then it seems that FreeRADIUS wants to skip some of the packets and complete
the authentication whereas my Supplicant wants to re-do everything.

For example, during a "correct re-authentication", FreeRADIUS sends the
following packet:

TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ca], Certificate
   TLS_accept: SSLv3 write certificate A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
   TLS_accept: SSLv3 write server done A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read client certificate A


However, during the "incorrect" re-authentication cycle, which has been
started due to a packet loss in the middle as explained above, FreeRADIUS
sends the following packet:

TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
   TLS_accept: SSLv3 read client hello A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
   TLS_accept: SSLv3 write server hello A
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
   TLS_accept: SSLv3 write change cipher spec A
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
   TLS_accept: SSLv3 write finished A
   TLS_accept: SSLv3 flush data
   TLS_accept:error in SSLv3 read finished A


Note that this time FreeRADIUS has sent ChangeCipherSpec and Finished
instead of Certificate and ServerHelloDone. Is this the normal and correct
behavior?

My Supplicant's response to this packet is then liked by the FreeRADIUS and
it sends an alert.

Could someone please help me understand this problem?

Thanks,
Bilal


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Wrong sequence of packets during re-authentication

2005-09-26 Thread Alan DeKok
"Bilal Shahid" <[EMAIL PROTECTED]> wrote:
> Can someone please help me with this? I am clueless as to how to solve this problem.

  As always, the RADIUS conversations are driven by the client.  Given
the same input packets, the server behaves the same.

  So if the server is doing two different things, it's because the
client is asking for two different things.

 Alan DeKok.
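
Added example, not part of the original thread and not FreeRADIUS code: a ServerHello followed directly by ChangeCipherSpec and Finished is the TLS 1.0 abbreviated handshake, which a server sends only when the ClientHello carries a session ID it still has cached. The Python below tells the two cases apart in rlm_eap_tls debug output; the function name, the dict keys and the trimmed sample log are assumptions made for this example.

```python
import re

# Constructed sample: the two debug excerpts from the thread, state lines trimmed.
SAMPLE_LOG = """\
TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 05ca], Certificate
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
   TLS_accept:error in SSLv3 read client certificate A
TLS_accept: before/accept initialization
 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0067], ClientHello
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
 rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
 rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
   TLS_accept:error in SSLv3 read finished A
"""

# Direction, record type, length, and (for Handshake records) the message name.
RECORD = re.compile(
    r"rlm_eap_tls: (<<<|>>>) TLS 1\.0 (\w+) \[length ([0-9a-f]{4})\](?:, (\w+))?")
# State named on the "error in" line that ends each excerpt.
ERROR_STATE = re.compile(r"TLS_accept:\s*error in SSLv3 (.+)")

def classify_handshakes(log):
    """Return one dict per TLS_accept attempt found in the debug log."""
    results = []
    for chunk in log.split("TLS_accept: before/accept initialization")[1:]:
        # Messages the server wrote (">>>"); ChangeCipherSpec has no message name.
        sent = [msg or rtype
                for direction, rtype, _length, msg in RECORD.findall(chunk)
                if direction == ">>>"]
        if "Certificate" in sent and "ServerHelloDone" in sent:
            kind = "full"            # server authenticates with its certificate
        elif sent[:3] == ["ServerHello", "ChangeCipherSpec", "Finished"]:
            kind = "abbreviated"     # server resumed a cached session
        else:
            kind = "unknown"
        err = ERROR_STATE.search(chunk)
        results.append({"kind": kind, "server_sent": sent,
                        "error_state": err.group(1).strip() if err else None})
    return results

if __name__ == "__main__":
    for n, hs in enumerate(classify_handshakes(SAMPLE_LOG), 1):
        print(n, hs["kind"], hs["server_sent"], "| error in:", hs["error_state"])
```

Full debug output works as input too, since the interleaved `TLS_accept: SSLv3 ...` state lines are ignored by the record pattern.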
