Hello and good day.
Finally found the actual reason.
The outer client fails EAP-TLS because of packet fragmentation. On the
interface the MTU is set to 1500, and the packet is 1514.
From tshark:
RADIUS 1514 Access-Request id=4[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
RADIUS 1514 Access-Request id=4, Duplicate Request[BoundErrorUnreassembled Packet]
If fragment_size in wpa_supplicant.conf is set to a slightly lower value, it
helps and EAP-TLS is successful.
That's fine for a configurable client, but what about phones where all
parameters are at their defaults?
# fragment_size: Maximum EAP fragment size in bytes (default 1398).
# This value limits the fragment size for EAP methods that support
# fragmentation (e.g., EAP-TLS and EAP-PEAP). This value should be set
# small enough to make the EAP messages fit in MTU of the network
# interface used for EAPOL. The default value is suitable for most
# cases.
Any idea why this happens?
Thank you.
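The tshark lines above show each Access-Request arriving as the first 1514-byte frame of an IP datagram that was larger than the 1500-byte MTU, i.e. the AP's RADIUS packet was IP-fragmented and the rest never got reassembled. The following Python, added here as an illustration and not code from the thread, estimates how large the Access-Request built from one EAP-TLS fragment becomes once the AP wraps it in EAP-Message attributes, using header sizes from RFC 2865/2869 and RFC 3748. Two assumptions: fragment_size bounds the whole EAP packet the supplicant emits, and the AP adds about 120 bytes of other attributes (User-Name, NAS-Identifier, Station-Ids, State, Framed-MTU and so on), a constructed estimate.

```python
import math

# Header sizes from RFC 2865/2869 (RADIUS) and RFC 3748 (EAP)
IP_HDR = 20                 # IPv4 header without options
UDP_HDR = 8
RADIUS_HDR = 20             # Code, Identifier, Length, Authenticator
ATTR_HDR = 2                # Type + Length on every RADIUS attribute
EAP_MESSAGE_MAX = 253       # max payload of one EAP-Message attribute (255 - 2)
MESSAGE_AUTHENTICATOR = 18  # Type, Length, 16-byte HMAC-MD5
ETHERNET_MTU = 1500

# Assumed (constructed estimate): bytes the AP spends on the other attributes
# it puts in every Access-Request (User-Name, NAS-Identifier, State, ...).
OTHER_ATTRS_DEFAULT = 120


def eap_message_bytes(eap_len):
    """Bytes needed to carry an EAP packet of eap_len bytes as EAP-Message
    attributes: the payload plus one 2-byte attribute header per 253 bytes."""
    n_attrs = math.ceil(eap_len / EAP_MESSAGE_MAX)
    return eap_len + n_attrs * ATTR_HDR


def access_request_datagram(eap_len, other_attrs=OTHER_ATTRS_DEFAULT):
    """Size of the IPv4 datagram carrying one Access-Request whose EAP
    payload is a single supplicant fragment of eap_len bytes."""
    return (IP_HDR + UDP_HDR + RADIUS_HDR + eap_message_bytes(eap_len)
            + MESSAGE_AUTHENTICATOR + other_attrs)


def will_fragment(eap_len, mtu=ETHERNET_MTU, other_attrs=OTHER_ATTRS_DEFAULT):
    """True when the Access-Request exceeds the MTU and must be IP-fragmented."""
    return access_request_datagram(eap_len, other_attrs) > mtu


def max_fragment_size(mtu=ETHERNET_MTU, other_attrs=OTHER_ATTRS_DEFAULT):
    """Largest wpa_supplicant fragment_size whose Access-Request still fits
    in one datagram on a link with the given MTU."""
    size = mtu
    while size > 0 and will_fragment(size, mtu, other_attrs):
        size -= 1
    return size


if __name__ == "__main__":
    for fs in (1398, 1302, 1000):
        print(f"fragment_size={fs}: datagram={access_request_datagram(fs)} "
              f"fragments={will_fragment(fs)}")
    print("largest fragment_size that avoids IP fragmentation:",
          max_fragment_size())
```

With the default 1398-byte fragment the estimated datagram is 1596 bytes, so it is split into two IP fragments, and any firewall that drops non-initial fragments leaves the server with only the 1514-byte first frame seen above; under the same assumptions a fragment_size around 1300 keeps every Access-Request in one datagram.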
On 2/27/23 13:56, Stuart Henderson wrote:
(moving to ports#, reply-to is set, although this is unlikely to be
OpenBSD-specific)
On 2023/02/25 02:18, Mikhael Lialin wrote:
Trying to set up wifi with RADIUS EAP-TLS authentication.
And getting a timeout while authenticating.
Tried with a custom setup, and the default setup with certificates
generated during installation.
In a ktrace of radiusd something is waiting:
28664 radiusd RET wait4 -1 errno 10 No child processes
All freeradius configuration is default after
installation; nothing was modified.
Please help.
Debug and ktrace session attached.
ktrace is too low-level to be useful here.
freeradius won't work directly with default setup, you at least need to
configure shared secrets between the APs and freeradius (in clients.conf
and on the AP), and tell freeradius how to decide whether a user is
allowed to authenticate.
You say EAP-TLS, this uses certificates for authentication on both the
server *and* the client, so for that you'll also need to figure out how
to get client certificates signed, etc. I strongly recommend ignoring
this until you have the basics working with password based auth.
Follow https://wiki.freeradius.org/guide/Basic-configuration-HOWTO
first and make sure it works with radtest on the local machine.
(Note if running it manually in debug mode as suggested in that guide,
you will need the full path /usr/local/sbin/radiusd, there is a minimal
radius daemon from the base OS in /usr/sbin/radiusd which does not
support EAP/PEAP).
If that fails, it needs fixing first before moving onto one of the
EAP methods that you need for WPA-Enterprise (either on an AP directly
or you can try eapol_test running on the freeradius server as shown in
http://deployingradius.com/scripts/eapol_test/ - skip the "building
eapol_test" section and pkg_add wpa_supplicant instead).