Hello all,

I have been struggling to get the EAP-TTLS to work.

I have been following this guide:
http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html

And i think the setup of all things has gone fine (biggest problem i had was creating the certifcates).

I have tested the connection with "raddtest" and the tool "NTRadPing" and everything seems ok.

However when i try to connect from my Linux machine using WPA supplicant, the following errors appear in the Radius server console:

...................................................................................
Going to the next request
Waking up in 4.9 seconds.
        User-Name = "johan@mediavisiongroup.se"
        NAS-IP-Address = 192.168.1.144
        Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal"
        Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal"
        NAS-Identifier = "MVG-1"
        State = 0xdea187e5dea3836d25979821eb25f055
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message = 0x020200060315
        Message-Authenticator = 0x80154e870b93b69627ead5a0eee17643
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
    rlm_realm: Looking up realm "mediavisiongroup.se" for User-Name = "johan@med                                                              iavisiongroup.se"
    rlm_realm: No such realm "mediavisiongroup.se"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[eap] returns handled
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xdea187e5dfa2926d25979821eb25f055
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 48 with timestamp +3
Cleaning up request 1 ID 49 with timestamp +3
Ready to process requests.

...................................................................................


The connection conf from the Linux box is (/etc/wpa_supplicant.conf):

network={
ssid="MVG-Personal"
scan_ssid=1
key_mgmt=WPA-EAP
eap=TTLS
identity="johan@mediavisiongroup.se"
anonymous_identity="anonymous@example.com"
password="foobar"
ca_cert="/etc/cert/ca.pem"
phase2="auth=MD5"
}


- I am guessing that the /etc/cert/ca.pem is the "client certification" i created from the freeradius.

- User and password above (in the file /etc/wpa_supplicant.conf) do exist and is correct. They match the user and password in the file on the freeradius "/usr/local/etc/raddb/users".

...................................................................................


Also so i understand this, three certficates are needed for EAP-TTLS ?

CA= root certifcate stored on the freeradius machine

Server = certifcate also stored on the freeradius machine

Client = certifcate copied to the client trying to connect

And on the client the path in the "wpa_supplicant.conf" to the client certificate is correct.

 

In short: the client seem to connect to the freeradius, but i am getting no IP to the client.

 

 

...................................................................................


Thanks very much for help!

Best regards,
Johan