On 07/02/2024 14:06, Cezary via Freeradius-Users wrote:
(6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: Peer indicated complete TLS record size will be 85 bytes (6) eap_ttls: Got complete TLS record (85 bytes) (6) eap_ttls: [eaptls verify] = length included (6) eap_ttls: [eaptls process] = ok (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "cza" (6) eap_ttls: User-Password = "Password123$" (6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_ttls: Sending tunneled request (6) Virtual server inner-tunnel received request (6) User-Name = "cza" (6) User-Password = "Password123$" (6) FreeRADIUS-Proxied-To = 127.0.0.1
Client is sending EAP-TTLS/PAP
(6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 45 bytes (6) eap_ttls: (TLS) EAP Got all data (45 bytes) (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: EAP-Message = 0x0200000801637a61 (6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_ttls: Got tunneled identity of cza (6) eap_ttls: Setting default EAP type for tunneled EAP session
Client is sending EAP-TTLS and trying to negotiate EAP inside the tunnel.
(6) eap: Peer sent packet with method EAP Identity (1) (6) eap: Calling submodule eap_md5 to process data (6) eap_md5: Issuing MD5 Challenge
Falls to default, MD5
(7) eap: Peer sent packet with method EAP TTLS (21) (7) eap: Calling submodule eap_ttls to process data (7) eap_ttls: Authenticate (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 65 bytes (7) eap_ttls: (TLS) EAP Got all data (65 bytes) (7) eap_ttls: Session established. Proceeding to decode tunneled attributes (7) eap_ttls: Got tunneled request (7) eap_ttls: EAP-Message = 0x020100190410c5b623d691d9aa887263aa412269fbb3637a61 (7) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (7) eap_ttls: Sending tunneled request (7) Virtual server inner-tunnel received request (7) EAP-Message = 0x02010019 04 .... Client sends EAP-TTLS/MD5 (ugh, what?)
(7) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password (7) pap: Removing &control:Password-With-Header (7) pap: Normalizing SSHA1-Password from base64 encoding, 44 bytes -> 32 bytes
Gets SSHA1-Password from LDAP...
(7) eap: Peer sent packet with method EAP MD5 (4) (7) eap: Calling submodule eap_md5 to process data (7) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication
...which isn't compatible with MD5 Fix the config on the client so it sends EAP-TTLS/PAP again. This is not a FreeRADIUS issue. -- Matthew