Not able to receive inner identity in Access-Accept in EAP-TTLS.

Stefan Paetow Stefan.Paetow at ja.net
Fri Aug 29 11:48:10 CEST 2014


> My log excerpts provided examples of the problem I was facing with 
> both TTLS-MSCHAPv2 and PEAP-MSCHAPv2; I also tried TTLS-PAP, with 
> the same negative result.

I haven't seen any full debug logs (i.e. running radiusd -X and sending the list the complete output) from you... only snippets, which are not helpful without any context.

> To be sure, do you mean you really manage to retrieve the inner identity 
> with the help of an "update outer.reply" only?

Yes. In the 'eap' module I have:

eap: default_eap_type = ttls

eap, ttls: default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = no

eap, peap: identical to eap, ttls.

In inner-tunnel, post-auth:

if (... comparison here irrelevant ...) {
    update outer.reply {
        User-Name := "%{Stripped-User-Name}"
    }
} 
else {
    cui-inner
}

Works fine here... 

One thing I did find when I used eapol_test (or more specifically, rad_eap_test, which calls eapol_test) was that I had to make sure I specified EAPMSCHAPv2 as the inner auth method. Just specifying MSCHAPv2 does not make it EAP-MSCHAPv2.

Stefan

Janet(UK) is a trading name of Jisc Collections and Janet Limited, a 
not-for-profit company which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG. VAT No. 614944238


