On 12/16/2011 04:13 AM, Indrajaya Pitra Perdana wrote:
> Thanks, I gave it a try; I already enabled TLS trace on my Win XP, and I
> don't see a certificate exchange :-)
What client are you using? I noticed the log shows it sends EAP TLS (type 13)
responses while also logging about detecting PEAP authentication.

> [1448] 11:49:36:218: PeapReadConnectionData
> [1448] 11:49:36:218: PeapReadUserData
> [1448] 11:49:36:218: RasEapGetInfo
> [2884] 11:49:52:515: EapPeapBegin
> [2884] 11:49:52:515: PeapReadConnectionData
> [2884] 11:49:52:515: PeapReadUserData
> [2884] 11:49:52:515:
> [2884] 11:49:52:515: EapTlsBegin(test)
> [2884] 11:49:52:515: State change to Initial
> [2884] 11:49:52:515: EapTlsBegin: Detected 8021X authentication
> [2884] 11:49:52:515: EapTlsBegin: Detected PEAP authentication
> [2884] 11:49:52:515: MaxTLSMessageLength is now 16384
> [2884] 11:49:52:515: EapPeapBegin done
> [2884] 11:49:52:515: EapPeapMakeMessage
> [2884] 11:49:52:515: EapPeapCMakeMessage
> [2884] 11:49:52:515: PEAP:PEAP_STATE_INITIAL
> [2884] 11:49:52:515: EapTlsCMakeMessage
> [2884] 11:49:52:515: EapTlsReset
> [2884] 11:49:52:515: State change to Initial
> [2884] 11:49:52:515: GetCredentials
> [2884] 11:49:52:515: Flag is Client and Store is Current User
> [2884] 11:49:52:515: GetCachedCredentials
> [2884] 11:49:52:515: FreeCachedCredentials
> [2884] 11:49:52:515: No Cert Store. Guest Access requested
> [2884] 11:49:52:515: No Cert Name. Guest access requested
> [2884] 11:49:52:515: Will validate server cert
> [2884] 11:49:52:515: MakeReplyMessage
> [2884] 11:49:52:515: SecurityContextFunction
> [2884] 11:49:52:515: InitializeSecurityContext returned 0x90312
> [2884] 11:49:52:515: State change to SentHello
> [2884] 11:49:52:515: BuildPacket
> [2884] 11:49:52:515: << Sending Response (Code: 2) packet: Id: 2,
> Length: 80, Type: 13, TLS blob length: 70. Flags: L
> [2884] 11:49:52:515: EapPeapCMakeMessage done
> [2884] 11:49:52:515: EapPeapMakeMessage done
> [1352] 11:50:22:531: EapPeapEnd
> [1352] 11:50:22:531: EapTlsEnd
> [1352] 11:50:22:531: EapTlsEnd(test)
> [1352] 11:50:22:531: EapPeapEnd done
> [1352] 11:50:22:562: EapPeapBegin
> [1352] 11:50:22:562: PeapReadConnectionData
> [1352] 11:50:22:562: PeapReadUserData
> [1352] 11:50:22:562:
> [1352] 11:50:22:562: EapTlsBegin(test)
> [1352] 11:50:22:562: State change to Initial
> [1352] 11:50:22:562: EapTlsBegin: Detected 8021X authentication
> [1352] 11:50:22:562: EapTlsBegin: Detected PEAP authentication
> [1352] 11:50:22:562: MaxTLSMessageLength is now 16384
> [1352] 11:50:22:562: EapPeapBegin done
> [1352] 11:50:22:562: EapPeapMakeMessage
> [1352] 11:50:22:562: EapPeapCMakeMessage
> [1352] 11:50:22:562: PEAP:PEAP_STATE_INITIAL
> [1352] 11:50:22:562: EapTlsCMakeMessage
> [1352] 11:50:22:562: EapTlsReset
> [1352] 11:50:22:562: State change to Initial
> [1352] 11:50:22:562: GetCredentials
> [1352] 11:50:22:562: Flag is Client and Store is Current User
> [1352] 11:50:22:562: GetCachedCredentials
> [1352] 11:50:22:562: FreeCachedCredentials
> [1352] 11:50:22:562: No Cert Store. Guest Access requested
> [1352] 11:50:22:562: No Cert Name. Guest access requested
> [1352] 11:50:22:562: Will validate server cert
> [1352] 11:50:22:562: MakeReplyMessage
> [1352] 11:50:22:562: SecurityContextFunction
> [1352] 11:50:22:562: InitializeSecurityContext returned 0x90312
> [1352] 11:50:22:562: State change to SentHello
> [1352] 11:50:22:562: BuildPacket
> [1352] 11:50:22:562: << Sending Response (Code: 2) packet: Id: 37,
> Length: 80, Type: 13, TLS blob length: 70. Flags: L
> [1352] 11:50:22:562: EapPeapCMakeMessage done
> [1352] 11:50:22:562: EapPeapMakeMessage done
> [1448] 11:50:52:578: EapPeapEnd
> [1448] 11:50:52:578: EapTlsEnd
> [1448] 11:50:52:578: EapTlsEnd(test)
> [1448] 11:50:52:578: EapPeapEnd done
> [1448] 11:51:52:593: PeapReadConnectionData
> [1448] 11:51:52:593: PeapReadUserData
> [1448] 11:51:52:593: RasEapGetInfo
> [1352] 12:02:42:625: PeapReadConnectionData
> [1352] 12:02:42:640: PeapReadUserData
> [1352] 12:02:42:640: RasEapGetInfo
> [1352] 12:02:42:640: PeapReDoUserData
> [1352] 12:02:42:640: EapTlsInvokeIdentityUI
> [1352] 12:02:42:640: GetCertInfo
> [1352] 12:03:42:640: PeapReadConnectionData
> [1352] 12:03:42:640: PeapReadUserData
> [1352] 12:03:42:640: RasEapGetInfo
> [1352] 12:03:42:671: EapPeapBegin
> [1352] 12:03:42:671: PeapReadConnectionData
> [1352] 12:03:42:671: PeapReadUserData
> [1352] 12:03:42:671:
> [1352] 12:03:42:671: EapTlsBegin(GHOST\indrajaya)
> [1352] 12:03:42:671: State change to Initial
> [1352] 12:03:42:671: EapTlsBegin: Detected 8021X authentication
> [1352] 12:03:42:671: EapTlsBegin: Detected PEAP authentication
> [1352] 12:03:42:671: MaxTLSMessageLength is now 16384
> [1352] 12:03:42:671: EapPeapBegin done
> [1352] 12:03:42:671: EapPeapMakeMessage
> [1352] 12:03:42:671: EapPeapCMakeMessage
> [1352] 12:03:42:671: PEAP:PEAP_STATE_INITIAL
> [1352] 12:03:42:671: EapTlsCMakeMessage
> [1352] 12:03:42:671: EapTlsReset
> [1352] 12:03:42:671: State change to Initial
> [1352] 12:03:42:671: GetCredentials
> [1352] 12:03:42:671: Flag is Client and Store is Current User
> [1352] 12:03:42:671: GetCachedCredentials
> [1352] 12:03:42:671: FreeCachedCredentials
> [1352] 12:03:42:671: No Cert Store. Guest Access requested
> [1352] 12:03:42:671: No Cert Name. Guest access requested
> [1352] 12:03:42:671: Will validate server cert
> [1352] 12:03:42:671: MakeReplyMessage
> [1352] 12:03:42:671: SecurityContextFunction
> [1352] 12:03:42:671: InitializeSecurityContext returned 0x90312
> [1352] 12:03:42:671: State change to SentHello
> [1352] 12:03:42:671: BuildPacket
> [1352] 12:03:42:671: << Sending Response (Code: 2) packet: Id: 3,
> Length: 80, Type: 13, TLS blob length: 70. Flags: L
> [1352] 12:03:42:671: EapPeapCMakeMessage done
> [1352] 12:03:42:671: EapPeapMakeMessage done
> [2004] 12:04:12:687: EapPeapEnd
> [2004] 12:04:12:687: EapTlsEnd
> [2004] 12:04:12:687: EapTlsEnd(ghost\indrajaya)
> [2004] 12:04:12:687: EapPeapEnd done
> [2004] 12:04:42:734: EapPeapBegin
> [2004] 12:04:42:734: PeapReadConnectionData
> [2004] 12:04:42:734: PeapReadUserData
>
> /Regards,
> Indrajaya Pitra Perdana/
>
> On 12/15/2011 6:04 PM, Heikki Vatiainen wrote:
>> On 12/15/2011 06:18 AM, Indrajaya Pitra Perdana wrote:
>>
>>> The problem still persists even though I created my own certificate using the
>>> steps in the mkcertificate.sh goodies; my Windows didn't respond to the EAP
>>> challenge sent by Radiator. Do you have any clue on this? Or perhaps the
>>> problem is within my 2950 Catalyst? Thanks :-)
>> You could try enabling debug for EAP authentication on the switch to see
>> how it reacts to EAP messages.
>>
>> Meanwhile you could also try running Wireshark on Windows to see if the
>> challenge with the certificate is sent by the switch to the XP box.
>>
>> One thing you could try first is to use an even lower value for
>> EAPTLS_MaxFragmentSize
>>
>> The messages before the certificate are much smaller and so this challenge
>> would be the first that can reach the maximum size.
>>
>> Thanks!

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus,
Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP,
TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
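The two points raised in the thread, the "Type: 13 ... Length: 80 ... TLS blob length: 70. Flags: L" response in the XP trace and the suggestion to lower EAPTLS_MaxFragmentSize so that the server certificate message is split into smaller EAP packets, both come down to the EAP-TLS/PEAP packet layout (RFC 3748 header plus the type, flags and optional TLS message length from RFC 5216). The following is an added, self-contained Python example written for this page; it is not code from Radiator, Microsoft or the list authors. It parses packets with that layout, shows why the traced ClientHello is 80 bytes, and fragments a constructed TLS message under a per-packet payload cap. The assumption that EAPTLS_MaxFragmentSize acts as a cap on the TLS bytes carried in each EAP packet is the example's own reading of the thread, and the 1536-byte "certificate" message is constructed, not captured.

```python
"""Added example (not from the Radiator list thread): parse, fragment and
reassemble EAP-TLS / PEAP packets as described in RFC 3748 and RFC 5216."""
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_TLS = 13    # what the XP trace above reports as "Type: 13"
EAP_TYPE_PEAP = 25   # PEAP uses the same flags/length layout (plus version bits)
FLAG_L = 0x80        # TLS message length field is present
FLAG_M = 0x40        # more fragments follow
FLAG_S = 0x20        # EAP-TLS start (server -> client)


def flag_string(flags):
    """Render the flag bits the way the Windows EAP trace prints them ("L", "LM", "S")."""
    return "".join(name for bit, name in ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S"))
                   if flags & bit)


def build_packet(code, identifier, eap_type, flags, tls_data, tls_msg_len=None):
    """Serialise one EAP-TLS/PEAP packet: Code, Id, Length, Type, Flags,
    [TLS message length if L is set], TLS data."""
    body = bytes([eap_type, flags])
    if flags & FLAG_L:
        body += struct.pack("!I", len(tls_data) if tls_msg_len is None else tls_msg_len)
    body += tls_data
    length = 4 + len(body)
    if length > 0xFFFF:
        raise ValueError("EAP Length is a 16-bit field; fragment the TLS message instead")
    return struct.pack("!BBH", code, identifier, length) + body


def parse_packet(pkt):
    """Decode one packet into the fields the XP trace logs; reject inconsistent lengths."""
    if len(pkt) < 6:
        raise ValueError("truncated EAP-TLS packet")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError(f"EAP Length {length} does not match {len(pkt)} bytes on the wire")
    eap_type, flags = pkt[4], pkt[5]
    offset, tls_msg_len = 6, None
    if flags & FLAG_L:
        if len(pkt) < 10:
            raise ValueError("L flag set but no TLS message length field")
        tls_msg_len = struct.unpack("!I", pkt[6:10])[0]
        offset = 10
    data = pkt[offset:]
    return {"code": code, "id": identifier, "length": length, "type": eap_type,
            "flags": flag_string(flags), "tls_msg_len": tls_msg_len,
            "tls_blob_len": len(data), "tls_data": data}


def fragment_tls_message(tls_msg, max_fragment, code, first_id, eap_type):
    """Split a TLS message into EAP packets carrying at most max_fragment TLS bytes
    each (assumed here to be the role EAPTLS_MaxFragmentSize plays). The first
    fragment of a split message carries L and the total length; all but the last
    carry M; EAP identifiers increase per packet."""
    if max_fragment < 1:
        raise ValueError("max_fragment must be positive")
    packets, pos, identifier = [], 0, first_id
    while pos < len(tls_msg):
        chunk = tls_msg[pos:pos + max_fragment]
        flags = 0
        if pos == 0 and len(chunk) < len(tls_msg):
            flags |= FLAG_L
        if pos + len(chunk) < len(tls_msg):
            flags |= FLAG_M
        packets.append(build_packet(code, identifier, eap_type, flags, chunk, len(tls_msg)))
        pos += len(chunk)
        identifier = (identifier + 1) & 0xFF
    return packets


def reassemble(packets):
    """Concatenate fragments and check them against the advertised total length."""
    parsed = [parse_packet(p) for p in packets]
    buf = b"".join(p["tls_data"] for p in parsed)
    expected = parsed[0]["tls_msg_len"]
    if expected is not None and len(buf) != expected:
        raise ValueError(f"got {len(buf)} TLS bytes, first fragment announced {expected}")
    if "M" in parsed[-1]["flags"]:
        raise ValueError("last fragment still has M set; message incomplete")
    return buf


if __name__ == "__main__":
    # The ClientHello-sized response from the trace: 70 TLS bytes with L set -> Length 80.
    hello = build_packet(EAP_RESPONSE, 2, EAP_TYPE_TLS, FLAG_L, b"\x16" * 70)
    print(parse_packet(hello) | {"tls_data": "..."})
    # Constructed 1536-byte stand-in for a server Certificate message.
    cert_msg = bytes(range(256)) * 6
    for cap in (1024, 500):
        frags = fragment_tls_message(cert_msg, cap, EAP_REQUEST, 5, EAP_TYPE_TLS)
        print(f"cap {cap}: {len(frags)} EAP packets, first flags "
              f"{parse_packet(frags[0])['flags']!r}, reassembles: {reassemble(frags) == cert_msg}")
```

Run stand-alone, the script first decodes a packet shaped like the traced response (4-byte EAP header, type, flags, 4-byte TLS length, 70 data bytes gives the logged Length 80), then shows how the same certificate-sized message needs more and smaller EAP packets as the cap drops, which is what lowering EAPTLS_MaxFragmentSize buys when an intermediate device mishandles large EAP frames.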