EAP-TTLS+PAP vs. Ubuntu 15 / Windows 10

Bogdan Rudas brudas at exadel.com
Tue Sep 6 09:52:02 CEST 2016


Hi,

I'm trying to connect my Ubuntu 15.10 laptop to a WLAN with a Cisco Aironet
WLC and FreeRADIUS 3.0.11.

First of all, I checked that my RADIUS server works with the *eapol_test*
utility from the wpa_supplicant 2.5 suite and a modified eap-ttls-pap.conf
configuration file.

Then I go to the Ubuntu laptop and create a custom configuration using Network
Manager:

[wifi-security]
group=
key-mgmt=wpa-eap
pairwise=
proto=

[802-1x]
altsubject-matches=
anonymous-identity=anonymous
eap=ttls;
identity=ttest
password-flags=2
phase2-altsubject-matches=
phase2-auth=pap

Here is server debug output:

(0) Received Access-Request Id 153 from 1.2.3.2:32768 to 1.2.3.4:1812
length 264
(0)   User-Name = "anonymous"
(0)   Chargeable-User-Identity = 0x00
(0)   Location-Capable = Civix-Location
(0)   Calling-Station-Id = "c4-8e-8f-f5-eb-4f"
(0)   Called-Station-Id = "54-7c-69-f2-1c-a0:New"
(0)   NAS-Port = 1
(0)   Cisco-AVPair = "audit-session-id=c0a819020000044557ce6e9b"
(0)   Acct-Session-Id = "57ce6e9b/c4:8e:8f:f5:eb:4f/2735"
(0)   NAS-IP-Address = 1.2.3.2
(0)   NAS-Identifier = "backup"
(0)   Airespace-Wlan-Id = 6
(0)   Service-Type = Framed-User
(0)   Framed-MTU = 1300
(0)   NAS-Port-Type = Wireless-802.11
(0)   Tunnel-Type:0 = VLAN
(0)   Tunnel-Medium-Type:0 = IEEE-802
(0)   Tunnel-Private-Group-Id:0 = "15"
(0)   EAP-Message = 0x0201000e01616e6f6e796d6f7573
(0)   Message-Authenticator = 0xcf196523d6fc7d6179e7b3252525b1ed
(0) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   ->
FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 1 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   authenticate {
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_ttls to process data
(0) eap_ttls: Initiating new EAP-TLS session
(0) eap_ttls: Flushing SSL sessions (of #0)
(0) eap_ttls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 2 length 6
(0) eap: EAP session adding &reply:State = 0x53397887533b6d8a
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0) Sent Access-Challenge Id 153 from 1.2.3.4:1812 to 1.2.3.2:32768 length 0
(0)   EAP-Message = 0x010200061520
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0x53397887533b6d8a7ce5420be31fd0c8
(0) Finished request

There is very similar output for Windows 10 with a custom-made connection.
I expected many Access-Requests, as in the case of the *eapol_test*
authentication attempt.

Please help me distinguish: is it a WiFi client, WLC or FreeRADIUS
configuration issue?

Thank you.
-- 
Bogdan Rudas
Head of Minsk IT Support Department
Exadel Inc.
http://www.exadel.com/
E-mail: brudas at exadel.com
Skype ID: bogdan.rudas
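The trace above contains exactly one round trip: the peer's EAP-Identity response and the server's EAP-TTLS Start. The following decoder, added here as an example and not part of the original post or of FreeRADIUS, parses the two EAP-Message hex values as they appear in the debug output (EAP header per RFC 3748, EAP-TTLS flags byte per RFC 5281). The function and field names are the editor's own; the sample hex strings are copied from the trace.

```python
# Added example (not from the original post): decode the EAP-Message
# attribute bytes that FreeRADIUS prints, to read the state of an
# EAP-TTLS conversation directly off the wire format.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method types seen in wireless deployments (IANA EAP registry numbers).
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "TLS",
             21: "TTLS", 25: "PEAP"}


def decode_eap(hexstr):
    """Parse one EAP packet given as FreeRADIUS prints it (0x-prefixed hex).

    Header: Code(1) Identifier(1) Length(2); Request/Response add Type(1).
    EAP-TTLS (type 21) type-data starts with a flags byte:
    L=0x80 (TLS length present), M=0x40 (more fragments), S=0x20 (Start),
    low 3 bits = TTLS version.
    """
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError(f"Length field {length} != {len(data)} bytes on the wire")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):  # only Request and Response carry a Type byte
        if len(data) < 5:
            raise ValueError("Request/Response without Type byte")
        eap_type = data[4]
        body = data[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:
            # Identity payload is the NAI (outer identity for tunnelled methods).
            pkt["identity"] = body.decode("utf-8", "replace")
        elif eap_type == 21:
            flags = body[0]
            pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                            "S": bool(flags & 0x20), "version": flags & 0x07}
            # With L set, a 4-byte TLS Message Length precedes the TLS data.
            pkt["tls_data"] = body[5:] if flags & 0x80 else body[1:]
    return pkt


def summarize(pkt):
    """One-line human reading of a decoded packet."""
    if pkt.get("type") == "Identity":
        return (f"EAP-{pkt['code']}/Identity id={pkt['id']} "
                f"identity={pkt.get('identity')!r}")
    if pkt.get("type") == "TTLS":
        f = pkt["flags"]
        stage = ("Start: server invites the TLS handshake" if f["S"]
                 else f"{len(pkt['tls_data'])} bytes of TLS data")
        return f"EAP-{pkt['code']}/TTLS id={pkt['id']} v{f['version']} {stage}"
    return f"EAP-{pkt['code']} id={pkt['id']}"


def ttls_conversation_state(hex_messages):
    """Given the EAP-Message values in order, say what the last one was and
    what a continuing EAP-TTLS exchange would carry next."""
    pkts = [decode_eap(h) for h in hex_messages]
    last = pkts[-1]
    if last.get("type") == "TTLS" and last["flags"]["S"]:
        return ("ttls-start-sent",
                "next Access-Request should carry an EAP-TTLS Response "
                "with the client's TLS ClientHello")
    if last.get("type") == "TTLS":
        return ("tls-in-progress", "further TLS records expected")
    if last.get("type") == "Identity":
        return ("identity-only", "server should answer with a method request")
    return ("other", summarize(last))


# Sample input copied from the debug trace in the post above.
TRACE_EAP_MESSAGES = [
    "0x0201000e01616e6f6e796d6f7573",  # request 0: peer -> server
    "0x010200061520",                  # challenge 0: server -> peer
]

if __name__ == "__main__":
    for h in TRACE_EAP_MESSAGES:
        print(summarize(decode_eap(h)))
    print(ttls_conversation_state(TRACE_EAP_MESSAGES))
```

Read this way, the trace shows the server answering the outer identity "anonymous" with an EAP-TTLS Start (flags 0x20, TTLS version 0) and nothing after it. In a working EAP-TTLS exchange the next Access-Request forwarded by the WLC carries the supplicant's TLS ClientHello inside another EAP-TTLS Response, so the last EAP-Message the server logged marks the point where the conversation stopped; the same decoder applied to a full eapol_test run shows the complete TLS handshake fragments for comparison.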


More information about the Freeradius-Users mailing list