EAP-TTLS client ignoring user attributes when moving from 1.0 to 2.1

Phil Mayers p.mayers at imperial.ac.uk
Sat Jan 22 18:30:59 CET 2011


On 01/22/2011 03:50 PM, David Coulson wrote:
> I am trying to move my RADIUS environment from RHEL4 to RHEL6. All it
> does is support WPA2-Enterprise authentication with access points.
>
> RHEL4:
> freeradius-1.0.1-3.RHEL4.5
>
> RHEL6:
> freeradius-2.1.9-3.el6.x86_64
>
> My Netgear APs are setup pointing to my RHEL4 systems right now and it
> works fine with this user config:
>
> testuser        User-Password := "temp1234"
>                           Tunnel-Type = 13,
>                           Tunnel-Medium-Type = 6,
>                           Tunnel-Private-Group-ID = 100

This should really be:

testuser	Cleartext-Password := "temp1234"
		... reply attributes ...

...under 2.x

>
> When I duplicate this user config on RHEL6 the AP behaves like it does
> not receive any attributes and the user is dropped on the default VLAN.

As always, the FAQ entry for "it doesn't work" is instructive. 
Specifically, examine the debug output of "radiusd -X" to see what's 
going on. You can paste it here:

http://networkradius.com/freeradius.html

...or post it to the list if you can't figure it out.

>
> Is there a specific process for migrating from 1.x to 2.x? I really did
> not have a very elaborate configuration, so I was trying to just rebuild
> it from scratch.

In all probability the issue is the new "inner-tunnel" virtual servers 
that appeared in 2.x. In 2.x, the "inner" portion of the EAP tunnel goes 
through a separate authentication pass from the outer one, and the replies 
from the inner are not, by default, copied back to the final outer reply 
(which the AP sees).

Ensure that you have:

/etc/raddb/sites-enabled/inner-tunnel:

authorize {
   ...
   files
   ...
}

/etc/raddb/eap.conf:

eap {
   ...
   peap {
     ...
     use_tunneled_reply = yes
     ...
   }
   ...
}
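
An added example, not part of the original post or of the stock FreeRADIUS files: the complete set of 2.x fragments the reply above is describing, written out for EAP-TTLS (the subject of the thread) as well as PEAP, since both tunnelled methods have their own use_tunneled_reply switch in eap.conf. It assumes the stock 2.1.x layout under /etc/raddb. The user entry and VLAN values are the ones from the quoted question, with the numeric Tunnel-Type and Tunnel-Medium-Type replaced by the dictionary names for 13 and 6 (VLAN and IEEE-802); the inner-tunnel section is trimmed to what matters here and the tls { } section of eap.conf, which carries the certificate paths, is left as shipped.

```conf
# /etc/raddb/users  (read by rlm_files, listed as "files" in authorize)
#
# 2.x wants the known-good password as a Cleartext-Password check item,
# not User-Password.  The indented lines are reply items: every reply
# line except the last one ends in a comma.
testuser    Cleartext-Password := "temp1234"
            Tunnel-Type = VLAN,
            Tunnel-Medium-Type = IEEE-802,
            Tunnel-Private-Group-ID = 100

# /etc/raddb/sites-enabled/inner-tunnel
#
# The identity inside the TLS tunnel is authenticated by this virtual
# server, so "files" has to run in THIS authorize section; the outer
# server never sees the inner username and cannot look the entry up.
server inner-tunnel {
    authorize {
        chap
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap
        files
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type CHAP {
            chap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}

# /etc/raddb/eap.conf
#
# With use_tunneled_reply = no (the shipped default) the Tunnel-* items
# from the inner Access-Accept stay inside the tunnel and the AP only
# ever receives the outer reply, so the client lands on the default VLAN.
eap {
    default_eap_type = ttls

    # tls { ... } unchanged from the shipped file (certificate paths etc.)

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
}
```

After changing these, running "radiusd -X" and authenticating once shows the check directly: the Tunnel-* attributes first appear in the Access-Accept that the inner-tunnel server builds, and only with use_tunneled_reply = yes do they show up again in the final Access-Accept sent to the AP. If they are in the inner reply but not the outer one, the eap.conf flag is the problem; if they are in neither, the entry in users is not being matched inside the tunnel.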



More information about the Freeradius-Users mailing list