RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

Alan DeKok aland at deployingradius.com
Tue Nov 6 13:45:55 CET 2018

On Nov 6, 2018, at 4:24 AM, Joe Garcia <joe27256 at gmail.com> wrote:
> I'm working with an embedded device that needs to authenticate to a
> FreeRADIUS server using EAP-TLS or EAP-TTLS.  I don't control the
> FreeRADIUS server (this means I can't provide debug output, sorry), I
> just need to authenticate to it from the device, with the server
> configured to talk EAP-TLS/EAP-TTLS.  The device runs custom software
> that talks RADIUS, EAP, and TLS, but no matter what I try, I can't
> find the right combination of messages to get the server to negotiate
> one of the two TLS protocols.

  The server needs to be configured to *accept* and *negotiate* EAP-TLS.

  If you don't control the server and can't get its debug output, then you should configure your *own* FreeRADIUS server.  Which you can then control and get debug output for.

> I've tried the obvious option of sending a RADIUS Access-Request
> containing an EAP-Message TLV with code EAP-Request, type EAP-TLS or
> EAP-TTLS, but get no response from the server.

  That's not how EAP works.  The client has to start with an EAP-Identity.

  Maybe the admin configured the server to ignore packets that contain EAP.  The default configuration does *not* do this.  The default configuration enables nearly all EAP methods.  And the default configuration will send an Access-Reject for broken EAP negotiations.

  Complain to the admin that they've broken their RADIUS server.  And after you've installed FreeRADIUS yourself on a test system, you can instruct him on how to create a working configuration.

  And, run "eapol_test" yourself to see how EAP is supposed to work.  All the information you need is public.  There isn't really any need to read the RFCs.

  For running eapol_test, see my web site: http://deployingradius.com/  There is detailed documentation.

>  It replies to other
> random requests with the expected Access-Reject, so it's responding to
> requests, just not the TLS ones.  All the example message flows I can
> find, e.g. in RFC 3579, have three parties involved, the client, a
> NAS, and the RADIUS server, so the client ends up sending an
> EAP-Response to the NAS rather than anything to the RADIUS server.

  That's how EAP works, yes.

> Does anyone know what I need to send from the client directly to the
> FreeRADIUS server to trigger the EAP-TLS/TTLS process?  I'm looking
> for something like RADIUS code, EAP code, and EAP type, along with any
> other RADIUS and EAP TLVs that may be required.

  Send an EAP-Message containing an EAP-Identity.  That starts EAP.  The server SHOULD respond with an Access-Challenge containing an EAP-Message.  That EAP-Message essentially says "Hi!  Let's do TTLS!"

  And the process continues from there.

  Alan DeKok.
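The first exchange described in the reply above (client sends Access-Request carrying EAP-Response/Identity, server answers with Access-Challenge carrying EAP-Request/TTLS), as an added worked example that is not part of the thread and not FreeRADIUS or eapol_test code. It assumes a shared secret of "testing123", an identity "user@example.com", and a locally constructed Access-Challenge standing in for what the server would send; it encodes the packets per RFC 2865 and RFC 3579 (Message-Authenticator is mandatory whenever EAP-Message is present), and the client-side check validates both authenticators on the reply before trusting the EAP type it offers.

```python
"""Minimal RADIUS/EAP first-round encoder and checker (constructed example)."""
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865 / RFC 3579)
ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
# EAP codes and method types (RFC 3748, RFC 5216, RFC 5281)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TYPE_TTLS = 1, 13, 21
EAP_TYPE_NAMES = {EAP_TYPE_TLS: "EAP-TLS", EAP_TYPE_TTLS: "EAP-TTLS"}


def eap_packet(code, identifier, eap_type, payload=b""):
    """Encode one EAP packet: Code, Identifier, Length (incl. header), Type, data."""
    body = bytes([eap_type]) + payload
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def radius_attr(attr_type, value):
    """Encode one RADIUS TLV: type, total length, value (value <= 253 bytes)."""
    assert len(value) <= 253
    return bytes([attr_type, 2 + len(value)]) + value


def eap_message_attrs(eap):
    """Split an EAP packet across as many EAP-Message attributes as needed."""
    return b"".join(radius_attr(ATTR_EAP_MESSAGE, eap[i:i + 253]) for i in range(0, len(eap), 253))


def message_authenticator(code, identifier, request_auth, attrs, secret):
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 3579 3.2).
    The MA attribute is assumed to be appended last; request_auth is the Request
    Authenticator for both the request and any reply to it."""
    zero = radius_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs) + len(zero)) + request_auth
    return hmac.new(secret, header + attrs + zero, hashlib.md5).digest()


def build_access_request(identity, secret, radius_id=0, eap_id=0, request_auth=None):
    """Access-Request: User-Name + EAP-Message(EAP-Response/Identity) + Message-Authenticator."""
    auth = os.urandom(16) if request_auth is None else request_auth
    eap = eap_packet(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity.encode())
    attrs = radius_attr(ATTR_USER_NAME, identity.encode()) + eap_message_attrs(eap)
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR,
                         message_authenticator(ACCESS_REQUEST, radius_id, auth, attrs, secret))
    return struct.pack("!BBH", ACCESS_REQUEST, radius_id, 20 + len(attrs)) + auth + attrs


def build_sample_challenge(request, secret, method=EAP_TYPE_TTLS, eap_id=1):
    """Constructed stand-in for the server's reply: EAP-Request/<method> with the Start flag.
    Not FreeRADIUS code; it only follows the RFC 2865/3579 encoding rules."""
    rid, req_auth = request[1], request[4:20]
    attrs = eap_message_attrs(eap_packet(EAP_REQUEST, eap_id, method, b"\x20"))  # 0x20 = S bit
    attrs += radius_attr(ATTR_MESSAGE_AUTHENTICATOR,
                         message_authenticator(ACCESS_CHALLENGE, rid, req_auth, attrs, secret))
    header = struct.pack("!BBH", ACCESS_CHALLENGE, rid, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()  # RFC 2865 3
    return header + resp_auth + attrs


def parse_attrs(data):
    """Decode the attribute area into an ordered list of (type, value)."""
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def check_challenge(reply, request, secret):
    """Validate an Access-Challenge against the request it answers and return the
    (EAP type, name) the server offers; raises ValueError on any check failure."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if code != ACCESS_CHALLENGE:
        raise ValueError(f"expected Access-Challenge, got code {code}")
    if length != len(reply) or rid != request[1]:
        raise ValueError("length or identifier mismatch")
    req_auth, attrs_raw = request[4:20], reply[20:]
    attrs = parse_attrs(attrs_raw)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + req_auth + attrs_raw + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator")
    mas = [v for t, v in attrs if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1:
        raise ValueError("Message-Authenticator missing (required with EAP-Message)")
    zeroed = b"".join(radius_attr(t, b"\x00" * 16 if t == ATTR_MESSAGE_AUTHENTICATOR else v)
                      for t, v in attrs)
    mac = hmac.new(secret, reply[:4] + req_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, mas[0]):
        raise ValueError("bad Message-Authenticator")
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        raise ValueError("no EAP-Message in reply")
    ecode, _eid, elen = struct.unpack("!BBH", eap[:4])
    if ecode != EAP_REQUEST or elen != len(eap):
        raise ValueError("reply does not carry a well-formed EAP-Request")
    return eap[4], EAP_TYPE_NAMES.get(eap[4], f"type {eap[4]}")


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret
    req = build_access_request("user@example.com", secret, radius_id=7)
    print("offered:", check_challenge(build_sample_challenge(req, secret), req, secret))
```

In real use the Access-Request goes out over UDP/1812 and the reply is what the server returns; the only thing the client then has to do is continue the TLS handshake inside EAP-Message attributes, echoing the State attribute the server includes. The two authenticator checks are the part worth keeping: without them a device will happily act on an Access-Challenge that anyone on the path could have forged.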
