Thanks for the quick feedback. It is really appreciated. I will read through the site referenced this evening. If the MS_MPPE_Recv-Key are the result of a successful authenticate then does that mean I have been authenticated successfully? Could be there is something else that is going wrong like not getting a dhcp address? Below is a copy of the message I refer to. (14) Sent Access-Accept Id 210 from 192.168.10.73:1812 to 192.168.10.103:12115 length 0 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) User-Name = "mark" (14) MS-MPPE-Recv-Key = 0xe462a28f0853e9589ad7fa9e50fe3737fe8ff8072e48d081b2dad99ed14ece0a (14) MS-MPPE-Send-Key = 0x7f285fae0d10c7111dea2a615626306418f5593198de5d1163dc1da1ff6bf54e (14) EAP-Message = 0x03430004 (14) Finished request On 15 September 2017 at 16:50, Alan DeKok <aland@deployingradius.com> wrote:
On Sep 15, 2017, at 10:44 AM, Mark <mclarke4@gmail.com> wrote:
Ok so I have gone through the configuration and verified that the ssl
paths
and passwords are correct but the authentication still fails.
The debug log will show why.
a) something happened in the server, and it will tell you why the user was rejected
b) something happened in TLS, and the client will just drop the authentication attempt.
I tried setting the Auth-Type to local
Don't do that. It's been deprecated for about 8 years.
Maybe I need to force set it to the provided clear-text password before the inner tunnel is set up?
No.
(I am fully aware I could be talking complete nonsense at this point as my brain is swimming in a rough see of concepts and, what seems like convoluted labyrinthine mess of configuration options - kind of like living a Kafka novel :( )
It's simple. Follow the guide on my site:
While there are a lot of configuration options, most of them can be ignored. Follow the guide, and it should work.
The point is to test each thing in isolation. Test one thing, get it to work, and only then test another thing.
There's also the "inner-tunnel" virtual server. Read the comments at the start. You can test EAP-GTC authentication *just* for the inner-tunnel, *without* using TTLS. The eapol_test program can be used to test this.
So follow the guide, and use eapol_test to test EAP-GTC in isolation.
If nothing else, it will get you MUCH smaller debug output. That makes it easier to see what's going on.
It tried changing the setting to ldap but still cannot login. A bit lost really :( I see some time "MS-MPPE-Recv-Key" messages but not sure how this got in there as I don't request any MSCHAP authentication?
Those are put in the Access-Accept when the user successfully authenticates. They're the dynamic WiFi encryption keys.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html