TLS communication, EAP does not work

Alan Buxey alan.buxey at gmail.com
Thu Jul 13 21:59:26 CEST 2017


not sure what you've done - I've used FreeRADIUS with native radsec
connectivity to proxy EAP to remote servers (RADIATOR and radsecproxy)
and to receive
EAP from the same remote proxies. Would suggest, as Alan had said, to
grab debug and check what the server is doing. its all quite clear
what its
doing (dont be overwhelmed by all the output, just read it step by
step...) - there will be some very ovbious difference between the EAP
and your radtest - likely
to be related to action of server when packet has gone into
inner-tunnel (which, I'm guessing it shouldnt be doing as its supposed
to be proxied
to remote site......)

alan

On 13 July 2017 at 15:23, Alan DeKok <aland at deployingradius.com> wrote:
> On Jul 13, 2017, at 9:46 AM, Luciano Fernandes da Rocha <luciano.rocha at rnp.br> wrote:
>>
>>
>> Briefly, our scenario has 3 servers with FreeRadius 3.0.14. 2 institutions (ufjfteste.br and rnpteste.br) and 1 FLR (.br). On the institution level we run RadSec (embedded TCP/TLS in FreeRadius3) to communicate with our FLR, a radsecproxy. So, using this TLS communication, EAP does not work, but turning off it and doing the communication between all servers using only UDP (disabling RadSec at institutions and radsecproxy at FLR), all EAP methods works.
>
>   Please be clearer about "it doesn't work".  What happens?  What does the debug say?
>
>> To confirm it, if we turn on the TLS communication, we could only authenticate using 'radtest' (as we know, a simple authentication without EAP).
>>
>> We suspect that EAP messages are lost during the exchanging when TLS communication are enable.
>
>   The server doesn't lose EAP messages.
>
>> Do you have any ideia about it to help us?
>
>   Read the debug output.  Or, post it to the list.  Nothing else will help.
>
>   if it's too large to send on the list (~500K), send it to me off-list.  Preferably gzip'd.
>
>   Set up a proxy which uses RadSec to talk to a home server.  Set up the home server with test certs and a test user.  Use wpa_supplicant to send packets to the proxy.
>
>   Then send ALL the debug output over.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list