RADIUS message format needed to trigger EAP-TLS/EAP-TTLS negotiation

Joe Garcia joe27256 at gmail.com
Wed Nov 7 07:54:26 CET 2018


Alan DeKok <aland at deployingradius.com> wrote:

> If you don't control the server and can't get its debug output, then you
> should configure your *own* FreeRADIUS server.  Which you can then control
> and get debug output for.

It's a bit more complex than that, the embedded device(s) and server
are on an isolated network and talk DNP3 (a SCADA protocol), so they
can't easily be redirected to a standard FreeRADIUS server we set up.
Without getting into too many boring details, I'm trying to resolve a
case of two parties pointing fingers at the other side for doing
things wrong, while operating mostly blindfolded...

> Send an EAP-Message containing an EAP-Identity.  That starts EAP.  The
> server SHOULD respond with an Access-Challenge containing an EAP-Message.
> That EAP-Message essentially says "Hi!  Let's do TTLS!"

Ah, thanks, that gives me something to start with.

JG.

On Wed, 7 Nov 2018 at 01:49, Alan DeKok <aland at deployingradius.com> wrote:
>
> On Nov 6, 2018, at 4:24 AM, Joe Garcia <joe27256 at gmail.com> wrote:
> >
> > I'm working with an embedded device that needs to authenticate to a
> > FreeRADIUS server using EAP-TLS or EAP-TTLS.  I don't control the
> > FreeRADIUS server (this means I can't provide debug output, sorry), I
> > just need to authenticate to it from the device, with the server
> > configured to talk EAP-TLS/EAP-TTLS.  The device runs custom software
> > that talks RADIUS, EAP, and TLS, but no matter what I try, I can't
> > find the right combination of messages to get the server to negotiate
> > one of the two TLS protocols.
>
>   The server needs to be configured to *accept* and *negotiate* EAP-TLS.
>
>   If you don't control the server and can't get its debug output, then you should configure your *own* FreeRADIUS server.  Which you can then control and get debug output for.
>
> > I've tried the obvious option of sending a RADIUS Access-Request
> > containing an EAP-Message TLV with code EAP-Request, type EAP-TLS or
> > EAP-TTLS, but get no response from the server.
>
>   That's not how EAP works.  The client has to start with an EAP-Identity.
>
>   Maybe the admin configured the server to ignore packets that contain EAP.  The default configuration does *not* do this.  The default configuration enables nearly all EAP methods.  And the default configuration will send an Access-Reject for broken EAP negotiations.
>
>   Complain to the admin that they've broken their RADIUS server.  And after you've installed FreeRADIUS yourself on a test system, you can instruct him on how to create a working configuration:
>
>   And, run "eapol_test" yourself to see how EAP is supposed to work.  All the information you need is public.  There isn't really any need to read the RFCs.
>
>   For running eapol_test, see my web site: http://deployingradius.com/  There is detailed documentation.
>
> >  It replies to other
> > random requests with the expected Access-Reject, so it's responding to
> > requests, just not the TLS ones.  All the example message flows I can
> > find, e.g. in RFC 3579, have three parties involved, the client, a
> > NAS, and the RADIUS server, so the client ends up sending an
> > EAP-Response to the NAS rather than anything to the RADIUS server.
>
>   That's how EAP works, yes.
>
> > Does anyone know what I need to send from the client directly to the
> > FreeRADIUS server to trigger the EAP-TLS/TTLS process?  I'm looking
> > for something like RADIUS code, EAP code, and EAP type, along with any
> > other RADIUS and EAP TLVs that may be required.
>
>   Send an EAP-Message containing an EAP-Identity.  That starts EAP.  The server SHOULD respond with an Access-Challenge containing an EAP-Message.  That EAP-Message essentially says "Hi!  Let's do TTLS!"
>
>   And the process continues from there.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
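The exchange Alan describes (client sends an Access-Request whose EAP-Message carries an EAP-Response/Identity; server answers with an Access-Challenge whose EAP-Message is an EAP-Request for EAP-TLS or EAP-TTLS), as an added example that is not part of this thread and is not FreeRADIUS code. Attribute numbers and EAP codes/types come from RFC 2865, RFC 3579 and RFC 3748 (EAP-TLS type 13, EAP-TTLS type 21); the shared secret, the identity `device01` and the sample Access-Challenge are constructed here so the parser can be exercised offline. It also shows the two checks a client should make on the reply: the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579), both computed over the packet with the original Request Authenticator in the header.

```python
"""Start EAP over RADIUS: build the Access-Request with EAP-Response/Identity
(plus the Message-Authenticator RFC 3579 requires alongside EAP-Message) and
validate/parse the Access-Challenge that proposes EAP-TLS or EAP-TTLS.
Constants are from RFC 2865 / 3579 / 3748; all sample values are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11                 # RADIUS codes
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80
EAP_REQUEST, EAP_RESPONSE = 1, 2                         # EAP codes
EAP_TYPE_IDENTITY, EAP_TYPE_TLS, EAP_TYPE_TTLS = 1, 13, 21
EAP_TYPE_NAMES = {EAP_TYPE_TLS: "EAP-TLS", EAP_TYPE_TTLS: "EAP-TTLS"}


def eap_packet(code, ident, eap_type, payload=b""):
    """EAP header: Code(1) Identifier(1) Length(2) Type(1) followed by Type-Data."""
    return struct.pack("!BBHB", code, ident, 5 + len(payload), eap_type) + payload


def avp(attr_type, value):
    """RADIUS attribute: Type(1) Length(1) Value, value at most 253 bytes."""
    assert len(value) <= 253
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def sign_message_authenticator(code, ident, authenticator, attrs, secret):
    """Append Message-Authenticator = HMAC-MD5(secret, packet with that attribute zeroed)."""
    unsigned = radius_packet(code, ident, authenticator, attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return radius_packet(code, ident, authenticator, attrs + avp(ATTR_MESSAGE_AUTHENTICATOR, mac))


def build_eap_start(identity, secret, radius_id=0, eap_id=0, request_authenticator=None):
    """Access-Request carrying EAP-Response/Identity: the message that starts EAP.
    Returns (packet, request_authenticator); keep the latter to check the reply."""
    request_authenticator = request_authenticator or os.urandom(16)
    eap = eap_packet(EAP_RESPONSE, eap_id, EAP_TYPE_IDENTITY, identity.encode())
    attrs = avp(ATTR_USER_NAME, identity.encode()) + avp(ATTR_EAP_MESSAGE, eap)
    return sign_message_authenticator(ACCESS_REQUEST, radius_id, request_authenticator, attrs, secret), request_authenticator


def build_challenge(secret, request_authenticator, radius_id, eap_id, eap_type):
    """Constructed Access-Challenge in the shape a server sends: EAP-Request of the
    chosen TLS method with only the Start flag (0x20) set, then the MACs."""
    attrs = avp(ATTR_EAP_MESSAGE, eap_packet(EAP_REQUEST, eap_id, eap_type, b"\x20"))
    signed = sign_message_authenticator(ACCESS_CHALLENGE, radius_id, request_authenticator, attrs, secret)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 s.3
    response_auth = hashlib.md5(signed[:4] + request_authenticator + signed[20:] + secret).digest()
    return signed[:4] + response_auth + signed[20:]


def parse_attrs(body):
    """Split the attribute area into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs


def parse_challenge(packet, secret, request_authenticator):
    """Validate an Access-Challenge against our request and report the proposed EAP method.
    Raises ValueError on a malformed packet or a failed authenticator check."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != ACCESS_CHALLENGE:
        raise ValueError(f"expected a well-formed Access-Challenge, got code {code}")
    attrs = parse_attrs(packet[20:])
    expected_ra = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected_ra, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (wrong shared secret or forged reply)")
    mac, rebuilt = None, b""      # rebuild attributes with Message-Authenticator zeroed
    for atype, value in attrs:
        if atype == ATTR_MESSAGE_AUTHENTICATOR:
            mac, value = value, b"\x00" * 16
        rebuilt += avp(atype, value)
    if mac is None:
        raise ValueError("Message-Authenticator missing; required with EAP-Message")
    expected_ma = hmac.new(secret, packet[:4] + request_authenticator + rebuilt, hashlib.md5).digest()
    if not hmac.compare_digest(expected_ma, mac):
        raise ValueError("Message-Authenticator mismatch")
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)   # fragments concatenate
    if len(eap) < 5:
        raise ValueError("no usable EAP-Message")
    eap_code, eap_id, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
    if eap_code != EAP_REQUEST or eap_len != len(eap):
        raise ValueError("EAP-Message is not a well-formed EAP-Request")
    return {"eap_id": eap_id, "eap_type": eap_type,
            "method": EAP_TYPE_NAMES.get(eap_type, f"type {eap_type}"),
            "tls_start": eap_type in EAP_TYPE_NAMES and len(eap) >= 6 and bool(eap[5] & 0x20)}


if __name__ == "__main__":
    secret = b"testing123"                      # constructed shared secret
    req, req_auth = build_eap_start("device01", secret, radius_id=7)
    print(f"Access-Request ({len(req)} bytes): {req.hex()}")
    reply = build_challenge(secret, req_auth, 7, eap_id=1, eap_type=EAP_TYPE_TTLS)
    print(parse_challenge(reply, secret, req_auth))
```

Two points worth keeping in mind when comparing against a real server: FreeRADIUS silently drops an Access-Request that carries EAP-Message without a valid Message-Authenticator, which looks exactly like "no response" on the wire, and a reply that fails either authenticator check should be discarded rather than acted on, since a spoofed Access-Challenge would otherwise steer the device's method choice.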
