Date: Thu, 17 Jun 2010 22:14:45 +0100 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: eduroam PEAP + TTLS
Hi,
Hi thank you very much for you quick answer !
I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP, giving users a full support of eduroam. There are proxy radius maintained by our national "provider", and they test authentication every 15 minutes.
When they only test EAP-TTLS authentication, it works, and this is a part of the output of freeradius -X.
can I ask a quick question. do you need/want your own users to use PEAP....whether you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users....a visitor to your site should be able to use PEAP if their home site supports it as your FreeRADIUS boxes will just proxy the request to the national proxies.
I'm not sure why the central test should be forcing you to support all types of EAP - it should only check that you are working for the EAP methods that you, as an IdP support.
I need my own users to use PEAP because on Windows client, there is no support of EAP-TTLS without installing a soft to implement it. And I want to use Active Directory because I can't use actual password field in OpenLDAP with PEAP. Otherwise you're right, this is how eduroam works.
} # server inner-tunnel [ttls] Got tunneled reply code 2 ^^^^^^
eh? I thought you said this second test was a PEAP test. are you sure it is as this looks very much like an EAP-TTLS/MSCHAPv2 test
That's right, whereas before, I've got this line : Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel) Which occurs after these lines : Found Auth-Type = MSCHAP +- entering group MS-CHAP {...} [mschap] Told to do MS-CHAPv2 for user@realm with NT-Password [mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user [mschap] mschap2: d6 [mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29 [mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46 Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F Exec-Program: returned: 0 ++[mschap] returns ok So, I suppose that it's really a PEAP-MSCHAPV2 test. Maybe I've made something wrong in the order of Auth-Type in my conf files ?
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055 User-Name = "user@realm" EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcda13382c4ab2647095b27820a4b1850
theres plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge' - usually down to certs.
I've already added my certs in the Active Directory, as it's said in eap.conf and that solved the problem for PEAP-MSCHAPV2. So now, I can use default PEAP options in the native wpa supplicant on Windows and that works. I'm gonna look for more about this.
alan
J-P. _________________________________________________________________ Vous voulez regarder la TV directement depuis votre PC ? C'est très simple avec Windows 7 http://clk.atdmt.com/FRM/go/229960614/direct/01/