Hi Alan, This is the debug trace rad_recv: Access-Request packet from host 127.0.0.1:49483, id=24, length=69 User-Name = "edwinvanzyl" EAP-Message = 0x0200001001656477696e76616e7a796c Message-Authenticator = 0xed79f4cc7febfa2e6a5b68d140ee542b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 rlm_eap: EAP packet type response id 0 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 24 to 127.0.0.1 port 49483 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x59994c8086dcf4cfeabfc31438dbba9d Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:49483, id=25, length=135 User-Name = "edwinvanzyl" State = 0x59994c8086dcf4cfeabfc31438dbba9d EAP-Message = 0x0201004015800000003a16030100310100002d030147b19e11c55051203e70a3b34b02f2af7f42fa8345639d44c65c8f5773ba94aa000006002f003300320100 Message-Authenticator = 0x073d25f7a7bfc79e5cfe9044951bf879 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 1 length 64 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0031], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 024f], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 25 to 127.0.0.1 port 49483 EAP-Message = 0x010202b21500160301004a02000046030147b19e119f75aea0f1e09e68fba01f980f72263176ebf126951ca3453fd32e9f207f7fffa1bc92784cdb75d44eeec70d263fbc8e6578b680cff8e74e7d9f58737c002f00160301024f0b00024b00024800024530820241308201aa0203100001300d06092a864886f70d0101040500307431173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158310c300a06035504071303465344310f300d0603550408130670756e6a6162310b300906035504061302706b311d301b060355040313146161617365727665722e616c636174656c2e706b301e170d303730 EAP-Message = 0x3531343131353334365a170d3038303531333131353334365a305c310b300906035504061302706b310f300d0603550408130670756e6a616231173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158311330110603550403130a7a7978656c2e7573657230819f300d06092a864886f70d010101050003818d0030818902818100baaf122e60946da7ee1dc1101854e1836e848c0f3d5372be31e29eef2566a673f138809b9a118846e6846280408d822960c6345a6ce922155463fe3a267bc8d047aa8a435f506d9df7670e9d5dcc381f48d99662943546c4acca0db93665023181924fa574b52fb8ec EAP-Message = 0x7a05a85edf77fc408350e82f41536fb4584afe6671fd5f0203010001300d06092a864886f70d01010405000381810065c020869992c43b685a15a53ffee8ea31743ac9fe71a741b5265dbc1caa2d01e614820b4d05d2f5bd5bf04804259abfdad4d492877574946c10afba0c07a04304876701ac9e29a8297b2a9f1d6bb5e080d2fc5b633d63433f63e4be896dc4bd9db1606e80af636c2a1eabba9e0c3d73059bfc66efc9d06b8af35a8d2862971416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb9212a8b9011cdfcdf439d379d5f3fd Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:49483, id=26, length=279 User-Name = "edwinvanzyl" State = 0xdb9212a8b9011cdfcdf439d379d5f3fd EAP-Message = 0x020200d01580000000ca1603010086100000820080851b83bc1ef0bf9191a86fbaea6ccfc1125f3bb6a921e98c9e4d88a1027f97b7becbfcf93b4680ce3c633d59accde21e782450f8ddc0643fe4940ca0f69bc5685c7c4ad87f6dd48d9071c298444a2aa4c7e00974111f73bed623482b62cafcdd64f80a86c04764eb60cf915817bbfeeeea66c383283f80e9af8f65cba652ea0f1403010001011603010030cbd3122559d1fc2a6ff191e8bdea363db4e5759dcd863977b38556689a77b9711f38db5cace0453b0e1275bb1e6ccd73 Message-Authenticator = 0x6be9cce642516930e4ff0790e2040d11 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 2 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 26 to 127.0.0.1 port 49483 EAP-Message = 0x01030041150014030100010116030100303e4590682263ecfae1df520a9e735fc24dc0b9dadc289c73d44c68e892db13489f2a9d4413f92d0ae4225bdea6d680cd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x57145bf98bdf07a373ce7da47d5414ff Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:49483, id=27, length=134 User-Name = "edwinvanzyl" State = 0x57145bf98bdf07a373ce7da47d5414ff EAP-Message = 0x0203003f1580000000391703010030d6fe3b607f24657f497e2f40481ba0002aaab90f6a005f62004eb7f6a1ccdbf1a8c3a93780e2e9402f537bd7b080a283 Message-Authenticator = 0x49352d2e77eb31e74b65c2cdc1059f73 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 3 length 63 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 24 with timestamp 47b19e11 Cleaning up request 5 ID 25 with timestamp 47b19e11 Cleaning up request 6 ID 26 with timestamp 47b19e11 Sending Access-Reject of id 27 to 127.0.0.1 port 49483 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 7 ID 27 with timestamp 47b19e11 Nothing to do. Sleeping until we see a request. Thx Edwin On 12 Feb 2008, at 2:47 PM, Alan DeKok wrote:
Edwin van Zyl wrote:
I'm looking for some help with regards to setting up EAP-TTLS. I've managed to make some progress, but can't get past the following problem which gets printed in the debug logs:
"rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported"
The message gets generated when attribute length > 255, but none of the attributes I send through are that large.
Then (a) the code in FreeRADIUS is buggy, or (b) the code in jradius is buggy, or (c) you actually are sending attributes that are that large.
I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and are sending through the following when receiving the message.
Is jradius sending this? Because that message *only* gets printed out for data inside of the TTLS tunnel. And the sample packet you show does not contain enough data to form anything inside of the TTLS tunnel.
And... most importantly... if the server was built with debugging symbols (like it usually is), then running in debugging mode would show you the raw data inside of the TLS tunnel, which would give you (and me) enough information to decide definitively what's going on.
Can anyone please assist?
Can you post the debug log, as suggested in the FAQ, README, INSTALL, and daily on this list?
Honestly... I'm still amazed at the number of people who careful post what the client is sending... and then ask "Why does the server not do what I expect?" If your car is broken, it is totally pointless to go examine the road.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html