Re: EAP-TTLS/PAP tunneling issue
Hi Alan,
This is the debug trace:
rad_recv: Access-Request packet from host 127.0.0.1:49483, id=24, length=69
User-Name = "edwinvanzyl"
EAP-Message = 0x0200001001656477696e76616e7a796c
Message-Authenticator = 0xed79f4cc7febfa2e6a5b68d140ee542b
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
rlm_eap: EAP packet type response id 0 length 16
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry edwinvanzyl at line 80
modcall[authorize]: module "files" returns ok for request 4
modcall: leaving group authorize (returns updated) for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
modcall[authenticate]: module "eap" returns handled for request 4
modcall: leaving group authenticate (returns handled) for request 4
Sending Access-Challenge of id 24 to 127.0.0.1 port 49483
EAP-Message = 0x010100061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x59994c8086dcf4cfeabfc31438dbba9d
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:49483, id=25, length=135
User-Name = "edwinvanzyl"
State = 0x59994c8086dcf4cfeabfc31438dbba9d
EAP-Message = 0x0201004015800000003a16030100310100002d030147b19e11c55051203e70a3b34b02f2af7f42fa8345639d44c65c8f5773ba94aa000006002f003300320100
Message-Authenticator = 0x073d25f7a7bfc79e5cfe9044951bf879
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
rlm_eap: EAP packet type response id 1 length 64
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry edwinvanzyl at line 80
modcall[authorize]: module "files" returns ok for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
(other): before/accept initialization
TLS_accept: before/accept initialization
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0031], ClientHello
TLS_accept: SSLv3 read client hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello
TLS_accept: SSLv3 write server hello A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 024f], Certificate
TLS_accept: SSLv3 write certificate A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
TLS_accept: SSLv3 write server done A
TLS_accept: SSLv3 flush data
TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 25 to 127.0.0.1 port 49483
EAP-Message = 0x010202b21500160301004a02000046030147b19e119f75aea0f1e09e68fba01f980f72263176ebf126951ca3453fd32e9f207f7fffa1bc92784cdb75d44eeec70d263fbc8e6578b680cff8e74e7d9f58737c002f00160301024f0b00024b00024800024530820241308201aa0203100001300d06092a864886f70d0101040500307431173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158310c300a06035504071303465344310f300d0603550408130670756e6a6162310b300906035504061302706b311d301b060355040313146161617365727665722e616c636174656c2e706b301e170d303730
EAP-Message =
EAP-Message = 0x7a05a85edf77fc408350e82f41536fb4584afe6671fd5f0203010001300d06092a864886f70d01010405000381810065c020869992c43b685a15a53ffee8ea31743ac9fe71a741b5265dbc1caa2d01e614820b4d05d2f5bd5bf04804259abfdad4d492877574946c10afba0c07a04304876701ac9e29a8297b2a9f1d6bb5e080d2fc5b633d63433f63e4be896dc4bd9db1606e80af636c2a1eabba9e0c3d73059bfc66efc9d06b8af35a8d2862971416030100040e000000
Message-Authenticator = 0x00000000000000000000000000000000
State = 0xdb9212a8b9011cdfcdf439d379d5f3fd
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:49483, id=26, length=279
User-Name = "edwinvanzyl"
State = 0xdb9212a8b9011cdfcdf439d379d5f3fd
EAP-Message = 0x020200d01580000000ca1603010086100000820080851b83bc1ef0bf9191a86fbaea6ccfc1125f3bb6a921e98c9e4d88a1027f97b7becbfcf93b4680ce3c633d59accde21e782450f8ddc0643fe4940ca0f69bc5685c7c4ad87f6dd48d9071c298444a2aa4c7e00974111f73bed623482b62cafcdd64f80a86c04764eb60cf915817bbfeeeea66c383283f80e9af8f65cba652ea0f1403010001011603010030cbd3122559d1fc2a6ff191e8bdea363db4e5759dcd863977b38556689a77b9711f38db5cace0453b0e1275bb1e6ccd73
Message-Authenticator = 0x6be9cce642516930e4ff0790e2040d11
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
rlm_eap: EAP packet type response id 2 length 208
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 6
users: Matched entry edwinvanzyl at line 80
modcall[authorize]: module "files" returns ok for request 6
modcall: leaving group authorize (returns updated) for request 6
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
TLS_accept: SSLv3 read client key exchange A
rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]
rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 read finished A
rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]
TLS_accept: SSLv3 write change cipher spec A
rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 6
modcall: leaving group authenticate (returns handled) for request 6
Sending Access-Challenge of id 26 to 127.0.0.1 port 49483
EAP-Message = 0x01030041150014030100010116030100303e4590682263ecfae1df520a9e735fc24dc0b9dadc289c73d44c68e892db13489f2a9d4413f92d0ae4225bdea6d680cd
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x57145bf98bdf07a373ce7da47d5414ff
Finished request 6
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:49483, id=27, length=134
User-Name = "edwinvanzyl"
State = 0x57145bf98bdf07a373ce7da47d5414ff
EAP-Message = 0x0203003f1580000000391703010030d6fe3b607f24657f497e2f40481ba0002aaab90f6a005f62004eb7f6a1ccdbf1a8c3a93780e2e9402f537bd7b080a283
Message-Authenticator = 0x49352d2e77eb31e74b65c2cdc1059f73
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 7
rlm_eap: EAP packet type response id 3 length 63
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 7
users: Matched entry edwinvanzyl at line 80
modcall[authorize]: module "files" returns ok for request 7
modcall: leaving group authorize (returns updated) for request 7
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.
Delaying request 7 for 1 seconds
Finished request 7
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 24 with timestamp 47b19e11
Cleaning up request 5 ID 25 with timestamp 47b19e11
Cleaning up request 6 ID 26 with timestamp 47b19e11
Sending Access-Reject of id 27 to 127.0.0.1 port 49483
EAP-Message = 0x04030004
Message-Authenticator = 0x00000000000000000000000000000000
Cleaning up request 7 ID 27 with timestamp 47b19e11
Nothing to do. Sleeping until we see a request.
Thx
Edwin
On 12 Feb 2008, at 2:47 PM, Alan DeKok wrote:
Edwin van Zyl wrote:
I'm looking for some help with regards to setting up EAP-TTLS. I've managed to make some progress, but can't get past the following problem, which gets printed in the debug logs:
"rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported"
The message gets generated when attribute length > 255, but none of the attributes I send through are that large.
Then (a) the code in FreeRADIUS is buggy, or (b) the code in jradius is buggy, or (c) you actually are sending attributes that are that large.
I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and am sending through the following when receiving the message.
Is jradius sending this? Because that message *only* gets printed out for data inside of the TTLS tunnel. And the sample packet you show does not contain enough data to form anything inside of the TTLS tunnel.
And... most importantly... if the server was built with debugging symbols (like it usually is), then running in debugging mode would show you the raw data inside of the TLS tunnel, which would give you (and me) enough information to decide definitively what's going on.
Can anyone please assist?
Can you post the debug log, as suggested in the FAQ, README, INSTALL, and daily on this list?
Honestly... I'm still amazed at the number of people who carefully post what the client is sending... and then ask "Why does the server not do what I expect?" If your car is broken, it is totally pointless to go examine the road.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
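The error quoted in this thread concerns the AVP stream carried inside the TLS tunnel (RFC 5281 framing), which the server has to turn into RADIUS attributes before it can authenticate the inner PAP request. As an added illustration that is not part of this thread or of FreeRADIUS's own code, the following Python builds and decodes such a stream and flags AVPs whose data cannot fit a RADIUS attribute; the 253-octet threshold is this model's assumption (the thread cites 255 as the trigger), and the sample payloads are constructed, since the trace's tunnel data is encrypted.

```python
import struct

# RFC 5281 AVP header flags (Diameter-style framing used inside the TTLS tunnel).
AVP_FLAG_VENDOR, AVP_FLAG_MANDATORY = 0x80, 0x40
# A RADIUS attribute's one-octet Length covers Type+Length+Value (RFC 2865), so an
# inner AVP with more than 253 octets of data cannot become a RADIUS attribute.
RADIUS_MAX_VALUE = 253   # assumed threshold for this model, not FreeRADIUS's exact test
USER_NAME, USER_PASSWORD = 1, 2   # RADIUS attribute numbers reused as AVP codes


def build_avp(code, data, vendor_id=None):
    """Encode one AVP: code(4) flags(1) length(3) [vendor(4)] data, padded to 4 octets."""
    flags, vendor = AVP_FLAG_MANDATORY, b""
    if vendor_id is not None:
        flags, vendor = flags | AVP_FLAG_VENDOR, struct.pack("!I", vendor_id)
    length = 8 + len(vendor) + len(data)                 # length excludes padding
    avp = struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + vendor + data
    return avp + b"\x00" * (-len(data) % 4)


def parse_avps(buf):
    """Decode a tunneled AVP stream into (code, vendor_id, data, problem) tuples;
    problem is None when the AVP would fit in a RADIUS attribute."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header at offset %d" % off)
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        vendor_id = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        data = buf[off + hdr:off + length]
        problem = None
        if len(data) > RADIUS_MAX_VALUE:
            problem = "%d octets of data exceed the RADIUS attribute limit" % len(data)
        out.append((code, vendor_id, data, problem))
        off += length + (-length % 4)                    # step over the 4-octet padding
    return out


def tunnel_problems(buf):
    """List the AVPs a RADIUS server could not convert (empty means the payload decodes)."""
    return [(code, problem) for code, _, _, problem in parse_avps(buf) if problem]


# Constructed sample inner payloads: a normal TTLS/PAP request and one with an oversized AVP.
SAMPLE_PAP = build_avp(USER_NAME, b"edwinvanzyl") + build_avp(USER_PASSWORD, b"secret")
SAMPLE_OVERSIZED = build_avp(USER_NAME, b"a" * 300) + build_avp(USER_PASSWORD, b"secret")
```

Running `tunnel_problems` over a client's decrypted inner payload is the quick way to confirm whether any AVP actually exceeds the limit before suspecting the server.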