Hello, I'm running a FreeRADIUS server 2.1.1 on my SuSE Linux 11.0 box to control access to my WLAN using EAP-TLS. This works fine with my notebook. But now I have bought an SMC EZ Connect N Pro access point which I have configured as a WLAN client using EAP-TLS too. When this WLAN client tries to authenticate itself at the FreeRADIUS server, the authentication fails and I get the message

rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request

in the FreeRADIUS log file. Can someone please tell me what's going wrong there? Any help is appreciated. Here is the output of radiusd -X when an authentication request of the SMC access point comes in:

rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=125
	User-Name = "harald"
	NAS-IP-Address = 192.168.254.1
	Called-Station-Id = "0014bf3bcd8a"
	Calling-Station-Id = "0013f7ca60de"
	NAS-Identifier = "0014bf3bcd8a"
	NAS-Port = 52
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x0200000b01686172616c64
	Message-Authenticator = 0x543152e558b443afb9430d9fd02aa75f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
	EAP-Message = 0x010100060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7139c4e57138c9bf5d9926d441f8680e
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
Cleaning up request 6 ID 1 with timestamp +1123
	User-Name = "harald"
	NAS-IP-Address = 192.168.254.1
	Called-Station-Id = "0014bf3bcd8a"
	Calling-Station-Id = "0013f7ca60de"
	NAS-Identifier = "0014bf3bcd8a"
	NAS-Port = 52
	Framed-MTU = 1400
	State = 0x7139c4e57138c9bf5d9926d441f8680e
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020100440d800000003a160301003501000031030163c2a49b798675d7c211a92ace77bde2102205aefca9044d7fc1ab18323a627d00000a0035002f000a000400050100
	Message-Authenticator = 0x2f0e13f531634f6696098de4ecf6dfca
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 58
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0035], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 05fb], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 0091], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
	EAP-Message = 0x313232303233333730385a3077310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733111300f06035504031308626c697a7a6172643119301706092a864886f70d010901160a684072616c642e6e657430819f300d06092a864886f70d010101050003818d0030818902818100a4c3faac47f1cebf599f6433f5e6c1e3bcaae35f0f331376a4dd97f5127dfeb6a49b58ebd7ce517ec260fa6d3e6774e11a02a9a2dee2f82f4eefca6dc4f72e2945667a4f1ea3842ac99edd33bf4be8d5fe8f54ef901c397844b57f8d
	EAP-Message = 0x0500307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e6574301e170d3035313231373139333235365a170d3135313231353139333235365a307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b73311930170603550403131048617261
	EAP-Message = 0x6c6420536368726569626572
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7139c4e5703bc9bf5d9926d441f8680e
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=138
Cleaning up request 7 ID 1 with timestamp +1123
	User-Name = "harald"
	NAS-IP-Address = 192.168.254.1
	Called-Station-Id = "0014bf3bcd8a"
	Calling-Station-Id = "0013f7ca60de"
	NAS-Identifier = "0014bf3bcd8a"
	NAS-Port = 52
	Framed-MTU = 1400
	State = 0x7139c4e5703bc9bf5d9926d441f8680e
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020200060d00
	Message-Authenticator = 0x45eb23701fb6bcbe430512689ce99aa1
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake fragment handler
[tls] eaptls_verify returned 1
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
	EAP-Message = 0xd786ca2d48078d6c34c45666ae966c4b8d52806adc07f6a25cf7e72f6a953f1e40046d8934b0b2a074f158d9c85f0025c21fac551f8659ec8d254744d5927662dec81eb10d102f0c0a16030100910d0000890301024000830081307f310b3009060355040613024445310c300a060355040813034e5257310f300d0603550407130641616368656e311b3019060355040a1312486172616c64734379626572467265616b733119301706035504031310486172616c64205363687265696265723119301706092a864886f70d010901160a684072616c642e6e65740e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x7139c4e5733ac9bf5d9926d441f8680e
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 8 ID 1 with timestamp +1123
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
	User-Name = "harald"
	NAS-IP-Address = 192.168.254.1
	Called-Station-Id = "0014bf3bcd8a"
	Calling-Station-Id = "0013f7ca60de"
	NAS-Identifier = "0014bf3bcd8a"
	NAS-Port = 52
	Framed-MTU = 1400
	State = 0x7139c4e5733ac9bf5d9926d441f8680e
	NAS-Port-Type = Wireless-802.11
	EAP-Message = 0x020200440d800000003a160301003501000031030163c2a49b798675d7c211a92ace77bde2102205aefca9044d7fc1ab18323a627d00000a0035002f000a000400050100
	Message-Authenticator = 0x25fd4ab36c6ba9a789644e5a77225539
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "harald", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 68
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry harald at line 2
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
rlm_eap: No EAP session matching the State variable.
[eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [harald/<via Auth-Type = EAP>] (from client blizzard port 52 cli 0013f7ca60de)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> harald
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 9 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 9
Sending Access-Reject of id 1 to 192.168.254.1 port 1024
Waking up in 4.9 seconds.
Cleaning up request 9 ID 1 with timestamp +1131
Ready to process requests.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
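Added example (editor's code, not the poster's or the FreeRADIUS project's): a small Python check that walks radiusd -X output, remembers the State and EAP identifier of each Access-Challenge, and flags a following response that does not echo both, or a ClientHello that reappears after TLS handshake data has already been exchanged. The sample lines are constructed to mirror the trace above, where the client's last response carries the newest State but EAP id 2 and the same ClientHello it sent earlier; that the server needs both State and the outstanding request's EAP id to find the session is assumed here.

```python
import re
# Constructed radiusd -X excerpt modelled on the thread's log (not the poster's exact lines):
# the last response echoes the newest State but reuses EAP id 2 and resends its ClientHello.
SAMPLE_LOG = """\
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
	EAP-Message = 0x0102040a0dc0000005fb160301002a0200
	State = 0x7139c4e5703bc9bf5d9926d441f8680e
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=138
	State = 0x7139c4e5703bc9bf5d9926d441f8680e
	EAP-Message = 0x020200060d00
Sending Access-Challenge of id 1 to 192.168.254.1 port 1024
	EAP-Message = 0x010301fe0d00d786ca2d48
	State = 0x7139c4e5733ac9bf5d9926d441f8680e
rad_recv: Access-Request packet from host 192.168.254.1 port 1024, id=1, length=200
	State = 0x7139c4e5733ac9bf5d9926d441f8680e
	EAP-Message = 0x020200440d800000003a160301003501000031
"""
ATTR = re.compile(r"^\s*(State|EAP-Message)\s*=\s*0x([0-9a-fA-F]+)\s*$")

def parse_packets(text):
    """Split radiusd -X output into (direction, {attr: hex}) per RADIUS packet."""
    packets = []
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            packets.append(("request", {}))
        elif line.startswith("Sending Access-Challenge"):
            packets.append(("challenge", {}))
        elif packets and (m := ATTR.match(line)):
            packets[-1][1].setdefault(m.group(1), m.group(2))  # keep first fragment only
    return packets

def eap_tls(hexstr):  # -> (eap_id, tls_bytes) from the first EAP-Message fragment
    b = bytes.fromhex(hexstr)
    if len(b) < 6 or b[4] != 13:                   # EAP type 13 = EAP-TLS
        return b[1], b""
    return b[1], b[10:] if b[5] & 0x80 else b[6:]  # L flag: 4-byte TLS length comes first

def check_conversation(text):
    """Flag responses that do not continue the last challenge, and a ClientHello
    arriving after TLS handshake data has already been exchanged."""
    findings, last, started = [], None, False
    for n, (direction, attrs) in enumerate(parse_packets(text), 1):
        eid, tls = eap_tls(attrs["EAP-Message"])
        if direction == "challenge":
            last = (attrs.get("State"), eid)
        else:
            if last and attrs.get("State") != last[0]:
                findings.append((n, "State does not echo the last challenge"))
            if last and eid != last[1]:
                findings.append((n, "EAP id %d does not answer request id %d" % (eid, last[1])))
            if started and tls[:1] == b"\x16" and tls[5:6] == b"\x01":  # Handshake, ClientHello
                findings.append((n, "ClientHello resent: client restarted TLS mid-handshake"))
        started = started or bool(tls)
    return findings
```

Run it over a real trace with `check_conversation(open("radiusd.log").read())`; a client that answers the wrong EAP id or restarts TLS shows up as a finding on the packet right before the "No EAP session matching the State variable" line.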