TTLS + GTC Configuration -> No Error in log but cleint stuck on "connecting"
mclarke4 at gmail.com
Fri Sep 15 17:11:54 CEST 2017
Thanks for the quick feedback. It is really appreciated. I will read
through the site referenced this evening. If the MS_MPPE_Recv-Key are the
result of a successful authenticate then does that mean I have been
authenticated successfully? Could be there is something else that is going
wrong like not getting a dhcp address?
Below is a copy of the message I refer to.
(14) Sent Access-Accept Id 210 from 192.168.10.73:1812 to
192.168.10.103:12115 length 0
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) User-Name = "mark"
(14) MS-MPPE-Recv-Key =
(14) MS-MPPE-Send-Key =
(14) EAP-Message = 0x03430004
(14) Finished request
On 15 September 2017 at 16:50, Alan DeKok <aland at deployingradius.com> wrote:
> On Sep 15, 2017, at 10:44 AM, Mark <mclarke4 at gmail.com> wrote:
> > Ok so I have gone through the configuration and verified that the ssl
> > and passwords are correct but the authentication still fails.
> The debug log will show why.
> a) something happened in the server, and it will tell you why the user was
> b) something happened in TLS, and the client will just drop the
> authentication attempt.
> > I tried
> > setting the Auth-Type to local
> Don't do that. It's been deprecated for about 8 years.
> > Maybe I need to force set
> > it to the provided clear-text password before the inner tunnel is set up?
> > (I am fully aware I could be talking complete nonsense at this point as
> > brain is swimming in a rough see of concepts and, what seems like
> > convoluted labyrinthine mess of configuration options - kind of like
> > a Kafka novel :( )
> It's simple. Follow the guide on my site:
> While there are a lot of configuration options, most of them can be
> ignored. Follow the guide, and it should work.
> The point is to test each thing in isolation. Test one thing, get it to
> work, and only then test another thing.
> There's also the "inner-tunnel" virtual server. Read the comments at
> the start. You can test EAP-GTC authentication *just* for the
> inner-tunnel, *without* using TTLS. The eapol_test program can be used to
> test this.
> So follow the guide, and use eapol_test to test EAP-GTC in isolation.
> If nothing else, it will get you MUCH smaller debug output. That makes
> it easier to see what's going on.
> > It tried changing the setting to ldap but still cannot login. A bit lost
> > really :( I see some time "MS-MPPE-Recv-Key" messages but not sure how
> > got in there as I don't request any MSCHAP authentication?
> Those are put in the Access-Accept when the user successfully
> authenticates. They're the dynamic WiFi encryption keys.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
More information about the Freeradius-Users