On Tue, Aug 25, 2015 at 03:03:41PM +0100, Stefan Paetow wrote:
One of our sites has run into an issue where they are trying to connect to their server with EAP-TTLS. They've used rad_eap_test on the same machine just to test the connection locally and this is the output log. I'm stumped... I've never seen this error before. Any suggestions will be most appreciated! :-)
(5) eap: Peer sent method TTLS (21) (5) eap: EAP TTLS (21) (5) eap: Calling eap_ttls to process EAP data (5) eap_ttls: Authenticate (5) eap_ttls: processing EAP-TLS (5) eap_ttls: eaptls_verify returned 7 (5) eap_ttls: Done initial handshake (5) eap_ttls: eaptls_process returned 7 (5) eap_ttls: Session established. Proceeding to decode tunneled attributes (5) eap_ttls: Tunneled challenge is incorrect SSL: Removing session 33a218d505462c178a405e16e5bed8f0817d9f80e78b6093836ce2edb7050e38 from the cache (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed (5) eap: Failed in EAP select
https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/src/modules/rlm_... With some notes I wrote on the subject a few years ago when I couldn't work it out http://notes.asd.me.uk/2012/04/20/where-is-the-challenge-in-eap-ttls-ms-chap... So my uneducated guess is that rad_eap_test is sending an incorrect challenge. Are you setting chap-challenge or ms-chap-challenge manually, which for EAP-TTLS should be generated from the SSL keying data. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>