Hi Alan, I am able to authenticate both the certificates in the inner tunnel. I have hard coded to request the client first User and Machine authentication. I am receiving those certificates as expected , validate those certificates and server sends the EAP-Success in plain text without encryption for some reason the client doesn't respond anything and just says *Can't Connect to this Network* For reference *(51) Login OK: [anonymous/<via Auth-Type = eap_S_94de66e8-556a-4d56-8780-a114620a5c42>] (from client localhost port 0 cli BC-6E-E2-F2-22-CC)* *(51) Sent Access-Accept Id 36 from 0.0.0.0:3000 <http://0.0.0.0:3000> to 100.96.1.28:35488 <http://100.96.1.28:35488> length 183* *(51) MS-MPPE-Recv-Key = 0x456ec819f468acc0c54be0be0b7e5fe301a6842101f2ade041e2da5643acbc54* *(51) MS-MPPE-Send-Key = 0x1a2c3e892943e6955152ce9912c118e070681098a18c9ee4f7e18fbfd52def91* *(51) EAP-Message = 0x03a00004* *(51) Message-Authenticator = 0x00000000000000000000000000000000* *(51) User-Name = "anonymous"* *(51) Framed-MTU = 994* *(51) Acct-Interim-Interval = 7200* *(51) Finished request* I verified all the communication between client and server which is in the exact sequence described in Appendix C.6. Sequence of EAP Methods I checked the Event Viewer from the client and the information is not that clear. It complains* "A fatal error occured while creating a TLS credential. The internal error state is 10013."* Do we have a better way to debug this issue? Thank you so much for your help Regards, Suriya On Mon, Aug 21, 2023 at 5:34 PM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 21, 2023, at 8:14 PM, Suriya Shankar <suriya.dshankar@gmail.com> wrote:
Thank you. I am able to bring up the eap_teap module from 3.2.x and the client is happy until the first inner TLS. Intermediate Result Success is being shared with each other.
That's good.
But with the vp = fr_pair_find_by_num(request->state,
PW_EAP_TEAP_TLV_IDENTITY, VENDORPEC_FREERADIUS, TAG_ANY);
is being returned null and before the second certificate exchange, server is sending success and so client rejects the authentication saying Unexpected TLV.
You have to configure the Identity-Type correctly. It's all a bit magical.
Where do we set the request->state with the Attr pair to avoid this?
We're working on documentation for TEAP. For now, it's still largely experimental.
For the same reason EAP_TEAP_TLV_IDENTITY is not being sent even for the first Inner tunnel authentication. As per the documentation the TLV is the hint for the client and I believe it may not essential for the connection to establish.
Is 3.2.x the right version for eap_teap?
All of the code is public. If I say TEAP is in v3.2.x, then I'm not trying to mislead you. There is no secret repository of TEAP that you only get access to by asking nicely.
Since all of the code is public, you can also walk through the way rlm_eap_teap works, to see what it's doing. Then, configure the server the way the module expects.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/devel.html