EAP-TTLS/PAP with realm - <no User-Password attribute>

Stefan Paetow Stefan.Paetow at jisc.ac.uk
Sun Mar 13 21:32:06 CET 2016 

Rob, 

Can you show us the full debug log of the home server (I'm assuming you
are running that in debug mode)?

Thanks!

Stefan Paetow
Moonshot Industry & Research Liaison Coordinator

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp at jabber.dev.ja.net
skype: stefan.paetow.janet

jisc.ac.uk

Networkshop44, University of Manchester. Save the date: 22-24 March, 2016.
#NWS44

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. JiscĀ¹s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a
company limited by guarantee which is registered in England under Company
No. number 2881024, VAT No. GB 197 0632 86. The registered office is:
Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T
01235 822200.



On 13/03/2016 19:38, "Freeradius-Users on behalf of Rob Gorrell"
<freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on
behalf of rwgorrel at uncg.edu> wrote:

>I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6
>on
>top of CentOS6.
>For simplicity, I would like to use PAP and statically define
>Cleartext-Password for users in the users file.
>But I also would like to be able to authenticate using full realm since I
>plan on using realm for testing some routing.
>I currently have this working for basic radius by stripping the realm and
>then using  Cleartext-Password from the users file ... however, when I
>went
>to put the same setup through EAP TTLS, I'm now having problems and
>getting
>a no User-Password attribute dispite supplying one the same one from
>radtest but using rad_eap_test.
>
>Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type =
>EAP>] (from client localhost port 58 cli fcdbb33f581d)
>Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [
>bob at rgorrell.net/<no User-Password attribute>] (from client raddev port 58
>cli fcdbb33f581d)
>
>While researching, I came across a theory that sounds fitting to my
>situation... upon receiving a username qualified by a realm, FreeRadius
>will strip the realm off before matching the username. This results in the
>User-Name being modified to be different to the EAP Identity field before
>being sent for actual authenticating.  This results in FreeRadius issueing
>a rejection due to the mismatch between the two fields.
>
>Does that sound right? If so, I'm not sure what I can do about it... I
>can't nostrip the username as then I won't be able to authenticate via
>PAP.
>but I can't login identically matching my users file (ie no realm),
>because
>I need the realm for routing.
>
>Suggestions? Thanks,
>-Rob
>-
>List info/subscribe/unsubscribe? See
>http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list