Authentication seems to work, only it doesn't actually (EAP-TTLS)

Pat Riehecky prieheck at iwu.edu
Thu Aug 14 15:39:14 CEST 2008


My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP

That being said, I have taken one of my existing access points, which works
with FreeRadius 1.1.5, and pointed it at my test radius server.

When I try to connect, the agent sends dozens of requests that the debug
log seems very happy with: "Login OK: [prieheck] (from client...."
However, that seems to be the extent of it.  The logins are approved,
but it doesn't seem like anyone is getting informed.

A radeapclient test:

+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "prieheck"
Message-Authenticator = 0x00
NAS-Port = 0
<+++ EAP decoded packet:
EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
State = 0x5d58d3605d8bd76df879afd5c99b16ef
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4

+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port = 0
EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
State = 0x5d58d3605d8bd76df879afd5c99b16ef
<+++ EAP decoded packet:
EAP-Message = 0x03d30004
Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
User-Name = "prieheck"
EAP-Id = 211
EAP-Code = Success

   Total approved auths:  1
     Total denied auths:  1

So it looks to me like the eap bit is all going good, but I am at a loss
(especially concerning the denied auth there...).

EAP/PEAP is working just fine so I think it may be my eap.conf file
related to ttls:

#### eap.conf
eap {
        default_eap_type = md5
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_file = ${certdir}/radius.key
                certificate_file = ${certdir}/radius.crt
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
        md5 {
        }
}

This is a bit of the debug output from FreeRadius:
<snip>
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
  TTLS: Got tunneled reply RADIUS code 2
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
        MS-MPPE-Recv-Key = 0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
        MS-MPPE-Send-Key = 0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "prieheck"
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142
        User-Name = "prieheck"
        Framed-MTU = 1400
        Called-Station-Id = "000f.f7d4.d460"
        Calling-Station-Id = "0106.cfa9.d2eb"
        Service-Type = Login-User
</snip>

Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me.

I would happily share any of my other config lines, but don't know what
you would want to see and don't want to flood you with too much data....

Pat
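Added example (editor's code, not from the post or the FreeRADIUS project): a small Python decoder for the EAP packets shown in the radeapclient trace above. It parses the EAP header and the MD5-Challenge Type-Data as RFC 3748 defines them, then recomputes the MD5-Challenge response value (MD5 of Identifier, password and challenge, per RFC 3748 section 5.4 / RFC 1994) from the Cleartext-Password in the trace and reports whether the response radeapclient sent is consistent with it. The hex values are copied from the trace; the TRACE_* names and the helper functions are assumptions of this example. Decoding the trace makes one thing visible that the counters do not: the request the server issued was EAP type 4 (MD5-Challenge), the outer default_eap_type, so this radeapclient run never touched the ttls section or the inner-tunnel virtual server.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type octet
    type_data: bytes


def parse_eap(raw: bytes) -> EapPacket:
    """Parse one EAP packet (RFC 3748 section 4): Code, Identifier, Length, Type, Type-Data."""
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, identifier = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes of data")
    if code in (3, 4):
        # Success and Failure are exactly the 4-byte header.
        if length != 4:
            raise ValueError("Success/Failure packets are exactly 4 bytes")
        return EapPacket(code, identifier, length, None, b"")
    if length < 5:
        raise ValueError("Request/Response needs a Type octet")
    return EapPacket(code, identifier, length, raw[4], raw[5:])


def parse_md5_challenge(type_data: bytes) -> Tuple[bytes, bytes]:
    """Split MD5-Challenge Type-Data (RFC 3748 section 5.4) into (Value, Name)."""
    if not type_data:
        raise ValueError("empty MD5-Challenge data")
    size = type_data[0]
    if len(type_data) < 1 + size:
        raise ValueError("Value-Size exceeds the data actually present")
    return type_data[1:1 + size], type_data[1 + size:]


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Response Value per RFC 3748 / RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


# Values copied from the radeapclient trace in the post (hypothetical TRACE_* names).
TRACE_REQUEST = bytes.fromhex("01d300160410e04884bebefb1c9c1940272ac62346e4")   # EAP-Message
TRACE_RESPONSE_TYPE_DATA = bytes.fromhex("105df5963fda67a6941067d7019e8bbe14")  # EAP-Type-MD5
TRACE_SUCCESS = bytes.fromhex("03d30004")                                         # EAP-Message
TRACE_PASSWORD = b"please"                                                        # Cleartext-Password


def check_trace(password: bytes = TRACE_PASSWORD) -> dict:
    """Decode the three packets from the trace and check the MD5 response against the password."""
    req = parse_eap(TRACE_REQUEST)
    challenge, _name = parse_md5_challenge(req.type_data)
    observed, _ = parse_md5_challenge(TRACE_RESPONSE_TYPE_DATA)
    expected = md5_challenge_response(req.identifier, password, challenge)
    success = parse_eap(TRACE_SUCCESS)
    return {
        "request_code": EAP_CODES[req.code],
        "request_type": EAP_TYPES.get(req.eap_type, req.eap_type),
        "identifier": req.identifier,
        "challenge": challenge.hex(),
        "response_matches_password": observed == expected,
        "success_code": EAP_CODES[success.code],
        "success_id": success.identifier,
    }


if __name__ == "__main__":
    for key, value in check_trace().items():
        print(f"{key}: {value}")
```

The same decoder can be pointed at the EAP-Message attributes in the server debug output (the final 0x03060004 there is a Success with identifier 6); what it cannot tell you is why the second radeapclient counter shows a denied auth, since no Failure packet appears in the trace.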
