EAP-TTLS problem at phase 1

Rafiqul Ahsan rafiqul.ahsan at gmail.com
Sat Oct 21 19:56:16 CEST 2006


Hello Hoercher,

Please see below answers/questions (in red):

ok, I played around a bit and found EAP-TTLS working with no
particular problems.

On 10/21/06, Rafiqul Ahsan <rafiqul.ahsan at gmail.com> wrote:
> "testuser" User-Password := "testuser"
looks ok, but I'm not absolutely sure about the quotation marks for
the username, they are not needed in any case.

testuser User-Password :="testuser"
I will try with only above entry in users file



> > the error was about no matching "anonymous_identity", and that's why I had to
> > have a DEFAULT entry after this with Auth-Type :=EAP.
>
> As you didn't show that error one cannot check for its real cause.
> Everything else correctly configured you don't need that setting (and
> it might be actually wrong depending on circumstances).


OK, I found some postings about disabling username_identity_check for user
"anonymous". Here it is:

Quote
I guess since somebody implemented this check, there must be some broken
NASes out there... and
the attached patch fixes this situation. If user sets
"username_identity_check = no" in
eap section it will disable this check. The default for this setting is
"yes".
Unquote

So, now I have added this patch to files eap.c, rlm_eap.h, and rlm_eap.c, and
compiled. I will test this on Monday. I am expecting this patch will lead
to passing this anonymous user check phase in the radius server. I will post you the
result on that. Please let me know if you are aware of this.


> > Do you suggest any particular format of my users file ? Please note, the
> > phase 1 user identity is "anonymous_identity", and phase 2 user/passwd is
> > "testuser/testuser".
>
> I did take note. So, take an unaltered users file and just add your
> line as mentioned above.
> Something I found in your previous post led to a failure here. Use
> phase2="autheap=MSCHAPV2"
> instead of
> phase2="auth=MSCHAPV2"


Not sure where we configure this phase2="autheap=MSCHAPV2"? Are we at phase
2 yet? I thought we have not passed phase 1. Can you pls clarify?

> > modcall: entering group authenticate for request 1
> > rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
> > EAP-request
>
> That does look strange (and might indicate your real problem), if it
> still persists with the suggested changes it might be useful to dig
> further into that. Perhaps you could add another -x to the freeradius
> invocation to get timestamps on the logfile.



I will test with the above patch and see if we can get past the anonymous
identity check problem. If it persists, I will recompile with the original files
mentioned above, and test again to give you the full debug logs.

Thanks
Rafi

> regards
> K. Hoercher