On Mon, Dec 12, 2011 at 6:30 PM, Ryan Garland <sheffy@gmail.com> wrote:
Thanks for the response, Alan.
It turns out part of my issue was certificate related. This has been resolved, but eapol_test continues to fail for a different reason. However, I am having trouble determining a fix.
Attached is the eapol_test configuration, debug output, FreeRADIUS configuration & debug output.
It appears that the relevant portion of the FreeRADIUS debug output is:
Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/md5 [eap] processing type md5 rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication [eap] Handler failed in EAP/md5 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls rlm_eap_ttls: Freeing handler for user ryan [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user.
I am having an even more difficult time deciphering the eapol_test debug output - I just see the EAP failure from the radius server.
I have also tried commenting out 'virtual_server = "inner-tunnel"' in the ttls section of eap.conf to force it to use default (as the documentation inside the "default" virtual server would seem to imply I should do) and I get the same result. I may be mis-reading it, however.
Do you see something glaringly wrong? I appreciate any insight you can provide.
Sorry, I should have been more clear. I'm not sure what my options are with regards to Cleartext-Password and using EAP-MD5, if that is indeed what is causing the failure. I am attempting to get eapol_test to work since it sounds like this should be my first priority. The OS X supplicant continues not to respond to the Access-Challenge even though its profile is set up with the corrected ca.der - but, one step at a time. -RG