Freeradius reply attribute problem when using PEAP

Dale Blount freeradius-users at dale.us
Wed Aug 13 16:54:36 CEST 2014


On Tue, 2014-08-12 at 18:36 +0200, Alan DeKok wrote:

> > Does PEAP require a different inner-tunnel than TTLS does?  At the
> > moment they are both using the same default inner-tunnel.
> 
>   They're using the same inner tunnel.
> 
>   There's no magic here.  Everything is in the debug log.  If the
> replies are different, it's because the server does *different* things
> in the inner-tunnel.  And if you read it, it does.
> 
>   Stop trying to debug the entire EAP thing.  It's a waste of your time.
>  Debug the inner-tunnel, as I said.  See the comments at the top of the
> inner-tunnel file (in recent versions)

I've already debugged the inner-tunnel using the radtest commands in the
top of the inner-tunnel file.  They both work and pass the Ruckus-Role
just fine:

$ radtest rickjames XXXX 127.0.0.1:18120 0 ZZZZ 
SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp
Sending Access-Request Id 141 from 0.0.0.0:33424 to 127.0.0.1:18120
	User-Name = 'rickjames'
	User-Password = 'test1234'
	NAS-IP-Address = 192.168.211.189
	NAS-Port = 0
	Message-Authenticator = 0x00
	Framed-Protocol = PPP
Received Access-Accept Id 141 from 127.0.0.1:18120 to 127.0.0.1:33424
length 42
	Ruckus-Role = 'TestSite-Premium'
$ radtest -t mschap rickjames XXXX 127.0.0.1:18120 0 ZZZZ
SOFT ASSERT FAILED src/lib/valuepair.c[235]: vp
Sending Access-Request Id 2 from 0.0.0.0:58096 to 127.0.0.1:18120
	User-Name = 'rickjames'
	NAS-IP-Address = 192.168.211.189
	NAS-Port = 0
	Message-Authenticator = 0x00
	Framed-Protocol = PPP
	MS-CHAP-Challenge = 0x1a0e8931efa7d3bf
	MS-CHAP-Response =
0x00010000000000000000000000000000000000000000000000000cbf65ea5964d246e0d583e86aadcb125ab474f95c97d27d
Received Access-Accept Id 2 from 127.0.0.1:18120 to 127.0.0.1:58096
length 106
	Ruckus-Role = 'TestSite-Premium'
	MS-CHAP-MPPE-Keys = 0x624aac413795cdc1ae33a32dca8c9821844f740d5b3f4d6c
	MS-MPPE-Encryption-Policy = Encryption-Allowed
	MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed



I did find something odd, though.  I upgraded to 3.0.4rc1 based on a few
bug reports I had found earlier to see if it would provide additional
debug.  Now EAP-PEAP connects the first time radiusd is started, and
fails subsequent times.  If I switch the client
(NetworkManager/wpa_supplicant) from PEAP to TTLS it connects, and if I
switch it back to PEAP it'll connect again as long as I keep switching
the type.  I then disabled cache in mods-enabled/eap and it'll work
repeatedly using PEAP on every client device I can find.

Logs:
http://dale.us/temp/fr-304rc1-1.log
and broken out into the separate attempts:
http://dale.us/temp/fr-304rc1-1-works.log
http://dale.us/temp/fr-304rc1-1-broken.log



Any hints?

Dale





More information about the Freeradius-Users mailing list