Hi,<br>
<br>
I am trying to set up my FreeRadius 1.0.4 to do wireless
EAP-TTLS. I got it working for EAP-TLS and EAP-PEAP, so I know my
config is basically correct. The problem I am having is that I
would like to use the same userid for the "outer" and "inner" EAP
identity string. So in my users file, I have a line that looks
like:<br>
<br>
"qa" Auth-Type := EAP, User-Password == "qa"<br>
<br>
Now when my client tries to authenticate, the TLS tunnel is set up OK,
but when we get to the inner MSCHAP protocol, FreeRadius still thinks
we are doing EAP and rejects the authentication attempt. Here is
a snippet from the output of radiusd -A -X<br>
<br>
(other): SSL negotiation finished successfully <--- (so far so good)<br>
SSL Connection Established<br>
eaptls_process returned 13<br>
modcall[authenticate]: module "eap" returns handled for request 3<br>
modcall: group authenticate returns handled for request 3<br>
Sending Access-Challenge of id 3 to 10.222.0.18:1025<br>
<div id="mb_0">EAP-Message = 0x0104004515800000003b14030100010116030100303e6bb07c9ba8bcdd94b7f0ee66d43b439d87b89b99025c1310aa4dc9bf7491555d4d0888ef91a0c7f628b79868ced090<br>
Message-Authenticator = 0x00000000000000000000000000000000<br>
State = 0x3d987f832d6f6ed2f7e42b0fe6b2d77b<br>
Finished request 3<br>
Going to the next request<br>
Waking up in 2 seconds...<br>
rad_recv: Access-Request packet from host 10.222.0.18:1025, id=4, length=353<br>
Message-Authenticator = 0x1d82927ff8e036beeb0aca3ee45c1608<br>
Service-Type = Framed-User<br>
User-Name = "qa"<br>
Framed-MTU = 1488<br>
State = 0x3d987f832d6f6ed2f7e42b0fe6b2d77b<br>
Called-Station-Id = "00-03-7F-04-03-F6:TomAP48"<br>
Calling-Station-Id = "00-03-7D-00-06-32"<br>
NAS-Port-Type = Wireless-802.11<br>
Connect-Info = "CONNECT 11Mbps 802.11b"<br>
EAP-Message = 0x020400b015001703010020fb074fcc5e5f2df2d24fcee30e4d18a4638a526f045e84651467daae520e2f4417030100809d045521172337970b871775afd53193cae98494128c873dd3786f75c340f7c4992c0f7aa2c4fdecdf595ec0ec65a9692e448c5f7df7b9bff4d975bd7fb112a1cec89c01ea8aba0c328d087ffee23a6637970e1dab1fc959838cbf8e42dae0832c35f409b77a61229991f6ee238292239bec74fc6d5f09a16979aa6f5af4a3c9<br>
NAS-IP-Address = 10.222.0.18<br>
NAS-Port = 1<br>
NAS-Port-Id = "STA port # 1"<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 4<br>
modcall[authorize]: module "preprocess" returns ok for request 4<br>
modcall[authorize]: module "chap" returns noop for request 4<br>
modcall[authorize]: module "mschap" returns noop for request 4<br>
rlm_realm: No '@' in User-Name = "qa", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 4<br>
rlm_eap: EAP packet type response id 4 length 176<br>
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation<br>
modcall[authorize]: module "eap" returns updated for request 4<br>
users: Matched entry qa at line 104<br>
modcall[authorize]: module "files" returns ok for request 4<br>
modcall: group authorize returns updated for request 4<br>
rad_check_password: Found Auth-Type EAP<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 4<br>
rlm_eap: Request found, released from the list<br>
rlm_eap: EAP/ttls<br>
rlm_eap: processing type ttls<br>
rlm_eap_ttls: Authenticate<br>
rlm_eap_tls: processing TLS<br>
eaptls_verify returned 7<br>
rlm_eap_tls: Done initial handshake<br>
eaptls_process returned 7<br>
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.<br>
Processing the authorize section of radiusd.conf<br>
modcall: entering group authorize for request 4<br>
modcall[authorize]: module "preprocess" returns ok for request 4<br>
modcall[authorize]: module "chap" returns noop for request 4<br>
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' <--- (At this point, freeradius correctly sets auth-type MSCHAP)<br>
modcall[authorize]: module "mschap" returns ok for request 4<br>
rlm_realm: No '@' in User-Name = "qa", looking up realm NULL<br>
rlm_realm: No such realm "NULL"<br>
modcall[authorize]: module "suffix" returns noop for request 4<br>
rlm_eap: No EAP-Message, not doing EAP<br>
modcall[authorize]: module "eap" returns noop for request 4<br>
users: Matched entry qa at line 104 <---- (Uh, oh, we matched that qa line again, and now.....)<br>
modcall[authorize]: module "files" returns ok for request 4<br>
modcall: group authorize returns ok for request 4<br>
rad_check_password: Found Auth-Type EAP <----- (auth-type is set to EAP again, which is not what I want.)<br>
auth: type "EAP"<br>
Processing the authenticate section of radiusd.conf<br>
modcall: entering group authenticate for request 4<br>
rlm_eap: EAP-Message not found<br>
rlm_eap: Malformed EAP Message<br>
modcall[authenticate]: module "eap" returns fail for request 4<br>
modcall: group authenticate returns fail for request 4<br>
auth: Failed to validate the user.<br>
TTLS: Got tunneled Access-Reject<br>
rlm_eap: Handler failed in EAP/ttls<br>
rlm_eap: Failed in EAP select<br>
<br>
<br>
I can get around the problem by putting two lines in my users file:<br>
<br>
"outerqa" Auth-Type := EAP, User-Password == "qa"<br>
"innerqa" Auth-Type := MS-CHAP, User-Password == "qa"<br>
<br>
But I would like to avoid the complexity of setting up two user
identities, one for the outer and one for the inner. Is there
any way to configure FreeRadius so that a single EAP identity can be
used for EAP-TTLS?<br>
<br>
Thanks in advance for any help you can give.<br>
<br>
Michael</div>
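The log above shows the mechanism: the tunneled (inner) authorize pass reaches rlm_mschap first, which sets Auth-Type = MS-CHAP, and then rlm_files matches the same "qa" entry and its `Auth-Type := EAP` replaces that value, because `:=` in a users-file check item always matches and overrides whatever was already set. The following Python model, written for this thread and not taken from the message or from FreeRADIUS itself, reproduces the two authorize passes in the module order the debug output shows (mschap, eap, files) and contrasts the poster's entry with one that omits the Auth-Type override. The second entry is my assumption about a fix, based on the log line `module "eap" returns updated`, which shows rlm_eap setting Auth-Type on its own when an EAP-Message is present; treating `User-Password == "..."` as a deferred check that never fails the match is a deliberate simplification.

```python
import re

# Constructed model of how FreeRADIUS users-file operators combine with the
# Auth-Type set by earlier authorize modules (illustration for this thread,
# not rlm_files source). Operator semantics modelled:
#   :=  always matches and sets the attribute, replacing any existing value
#   =   sets the attribute only if the request does not already carry it
#   ==  check item: the request must carry the attribute with exactly this value
# Simplification (assumption): User-Password == "..." is treated as a deferred
# password check and never fails the match here.

ENTRY_RE = re.compile(r'^"?(?P<name>[^"\s]+)"?\s+(?P<items>.+)$')
ITEM_RE = re.compile(r'^(?P<attr>[A-Za-z0-9-]+)\s*(?P<op>:=|==|=)\s*"?(?P<val>[^"]*)"?$')


def parse_users(text):
    """Parse users-file lines of the form: "name" Attr op value, Attr op value."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsable users entry: %r" % line)
        items = []
        for item in m.group("items").split(","):
            im = ITEM_RE.match(item.strip())
            if not im:
                raise ValueError("unparsable check item: %r" % item)
            items.append((im.group("attr"), im.group("op"), im.group("val")))
        entries.append((m.group("name"), items))
    return entries


def rlm_files(entries, request):
    """Apply the first matching users entry to the request; True if one matched."""
    for name, items in entries:
        if name not in (request.get("User-Name"), "DEFAULT"):
            continue
        updates = {}
        matched = True
        for attr, op, val in items:
            if op == "==":
                if attr == "User-Password":
                    continue  # deferred password check (simplification)
                if request.get(attr) != val:
                    matched = False
                    break
            elif op == ":=":
                updates[attr] = val          # unconditional override
            elif op == "=" and attr not in request:
                updates[attr] = val          # set only if absent
        if matched:
            request.update(updates)
            return True
    return False


def authorize(entries, request):
    """Run the authorize modules in the order the poster's log shows: mschap, eap, files."""
    req = dict(request)
    if "MS-CHAP-Response" in req and "Auth-Type" not in req:
        req["Auth-Type"] = "MS-CHAP"         # rlm_mschap: Found MS-CHAP attributes
    if "EAP-Message" in req and "Auth-Type" not in req:
        req["Auth-Type"] = "EAP"             # rlm_eap: EAP packet ... returns updated
    rlm_files(entries, req)                  # rlm_files runs last; ":=" wins
    return req.get("Auth-Type")


def ttls_auth_types(users_text):
    """Return (outer Auth-Type, inner Auth-Type) for an EAP-TTLS login with tunneled MSCHAP."""
    entries = parse_users(users_text)
    # Constructed requests: attribute values are placeholders, only presence matters here.
    outer = {"User-Name": "qa", "EAP-Message": "<eap-ttls-fragment>"}
    inner = {"User-Name": "qa", "MS-CHAP-Challenge": "<challenge>",
             "MS-CHAP-Response": "<response>"}
    return authorize(entries, outer), authorize(entries, inner)


POSTERS_ENTRY = '"qa" Auth-Type := EAP, User-Password == "qa"\n'
NO_OVERRIDE_ENTRY = '"qa" User-Password == "qa"\n'   # assumed fix: let rlm_eap/rlm_mschap choose

if __name__ == "__main__":
    print(ttls_auth_types(POSTERS_ENTRY))      # ('EAP', 'EAP')
    print(ttls_auth_types(NO_OVERRIDE_ENTRY))  # ('EAP', 'MS-CHAP')
```

With the poster's entry the model yields Auth-Type EAP on both passes, matching the `rlm_eap: EAP-Message not found` failure in the log; with the override removed, the outer pass still gets EAP from rlm_eap and the inner pass keeps the MS-CHAP that rlm_mschap set, so one identity serves both legs. The same override behaviour applies to any `:=` item in an entry that both the outer and the tunneled request will match, so it is worth checking every attribute in such an entry, not only Auth-Type.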