Hi, I am trying to set up my FreeRadius 1.0.4 to do wireless EAP-TTLS. I got it working for EAP-TLS and EAP-PEAP, so I know my config is basically correct. The problem I am having is that I would like to use the same userid for the "outer" and "inner" EAP identity string. So in my user's file, I have a line that looks like: "qa" Auth-Type := EAP, User-Password == "qa" Now when my client tries to authenticate, the TLS tunnel is set up OK, but when we get to the inner MSCHAP protocol, FreeRadius still thinks we are doing EAP and rejects the authentication attempt. Here is a snippet from the output of radiusd -A -X (other): SSL negotiation finished successfully <--- (so far so good) SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 3 modcall: group authenticate returns handled for request 3 Sending Access-Challenge of id 3 to 10.222.0.18:1025<http://10.222.0.18:1025/> EAP-Message = 0x0104004515800000003b140301000 10116030100303e6bb07c9ba8bcdd94b7f0ee66d43b439d87b89b99025c1310aa4dc9bf7491555d4d0888ef91a0c7f628b79868ced090 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x3d987f832d6f6ed2f7e42b0fe6b2d77b Finished request 3 Going to the next request Waking up in 2 seconds... rad_recv: Access-Request packet from host 10.222.0.18:1025<http://10.222.0.18:1025/>, id=4, length=353 Message-Authenticator = 0x1d82927ff8e036beeb0aca3ee45c1608 Service-Type = Framed-User User-Name = "qa" Framed-MTU = 1488 State = 0x3d987f832d6f6ed2f7e42b0fe6b2d77b Called-Station-Id = "00-03-7F-04-03-F6:TomAP48" Calling-Station-Id = "00-03-7D-00-06-32" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020400b015001703010020fb074fcc5e5f2df2d24fcee30e4d18a4638a526f045e84651467daae520e2f4417030100809d045521172337970b871775afd53193cae98494128c873dd3786f75c340f7c4992c0f7aa2c4fdecdf595ec0ec65a9692e448c5f7df7b9bff4d975bd7fb112a1cec89c01ea8aba0c328d087ffee23a6637970e1dab1fc959838cbf8e42dae0832c35f409b77a61229991f6ee238292239bec74fc6d5f09a16979aa6f5af4a3c9 NAS-IP-Address = 10.222.0.18 <http://10.222.0.18/> NAS-Port = 1 NAS-Port-Id = "STA port # 1" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 modcall[authorize]: module "mschap" returns noop for request 4 rlm_realm: No '@' in User-Name = "qa", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: EAP packet type response id 4 length 176 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry qa at line 104 modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns updated for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 modcall[authorize]: module "preprocess" returns ok for request 4 modcall[authorize]: module "chap" returns noop for request 4 rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' <--- (At this point, freeradius correctly sets auth-type MSCHAP) modcall[authorize]: module "mschap" returns ok for request 4 rlm_realm: No '@' in User-Name = "qa", looking up realm NULL rlm_realm: No such realm "NULL" modcall[authorize]: module "suffix" returns noop for request 4 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 4 users: Matched entry qa at line 104 <---- (Uh, oh, we matched that qa line again, and now.....) modcall[authorize]: module "files" returns ok for request 4 modcall: group authorize returns ok for request 4 rad_check_password: Found Auth-Type EAP <----- (auth-type is set to EAP again, which is not what I want.) auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP-Message not found rlm_eap: Malformed EAP Message modcall[authenticate]: module "eap" returns fail for request 4 modcall: group authenticate returns fail for request 4 auth: Failed to validate the user. TTLS: Got tunneled Access-Reject rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select I can get around the problem by putting two lines in my users file: "outerqa" Auth-Type := EAP, User-Password == "qa" "innerqa" Auth-Type := MS-CHAP, User-Password == "qa" But I would like to avoid the complexity of setting up two user identities, one for the outter and one for the inner. Is there any way to configure FreeRadius so that a single EAP identity can be used for EAP-TTLS? Thanks in advance for any help you can give. Michael
Michael Wang <mwang25@gmail.com> wrote:
"qa" Auth-Type := EAP, User-Password == "qa"
Don't set "Auth-Type := EAP". See the long explanation why at the top of the "eap.conf" file. Also, use ":=" for the User-Password. See the "man users" page for details. If there's no User-Password in the packet, then '==' can't compare "qa" to anything in the password, and that entry will never match. Alan DeKok.
participants (2)
-
Alan DeKok -
Michael Wang