Hi all, i'm a FreeRadius (and related auth protocols) newbie, my final goal is to join EDUROAM (!). I'm playing starting with a stock Ubuntu 14.04 + FR 2.1.12. Following http://deployingradius.com/ i succesfully tested EAP as explained here http://deployingradius.com/scripts/eapol_test/. Then i applied some changes to configs in order to forward requests for a specific REALM (generated by eapol_test using ttls-pap), to another FR (2.0 pre cooked using ZeroShell); it didn't work! Looking at the output of freeradius -X (attached), it seems that the problem comes from the "User-Name" field that contains the value assigned by eapol_test to the "anonymous_identity" field rather than that assigned to the "identity" field; then FR isn't able to select the right destination REALM because it doesn't known anything about the effective REALM. Things work if i put the destination FR IP Address in the DEFAULT REALM, but this configuration is not acceptable for me. I known that the EAP protocol uses a fake/anonymous identity during phase 1, but until now i'm not able to understand more than this :-( Any help and suggestion will be appreciated. Attaches: - conf file used by eapol_test - Debug Output - radiusd.conf (comments and blank lines stripped out) - proxy.conf (stripped) - eap.conf (stripped) - sites-enabled/default (stripped) - sites-enabled/inner-tunnel (stripped) ====== conf file used by eapol_test network={ ssid="example" key_mgmt=WPA-EAP eap=TTLS identity="prova2@euclidebari.it" anonymous_identity="mickymouse" password="prova2a" phase2="auth=PAP" } ====== Debug Output FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Feb 24 2014 at 14:57:57 Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License v2. Starting - reading configuration files ... including configuration file /etc/freeradius/radiusd.conf including configuration file /etc/freeradius/proxy.conf including configuration file /etc/freeradius/clients.conf including files in directory /etc/freeradius/modules/ including configuration file /etc/freeradius/modules/unix including configuration file /etc/freeradius/modules/wimax including configuration file /etc/freeradius/modules/counter including configuration file /etc/freeradius/modules/cui including configuration file /etc/freeradius/modules/redis including configuration file /etc/freeradius/modules/attr_rewrite including configuration file /etc/freeradius/modules/files including configuration file /etc/freeradius/modules/mac2vlan including configuration file /etc/freeradius/modules/pam including configuration file /etc/freeradius/modules/smsotp including configuration file /etc/freeradius/modules/logintime including configuration file /etc/freeradius/modules/policy including configuration file /etc/freeradius/modules/preprocess including configuration file /etc/freeradius/modules/replicate including configuration file /etc/freeradius/modules/detail.example.com including configuration file /etc/freeradius/modules/checkval including configuration file /etc/freeradius/modules/radutmp including configuration file /etc/freeradius/modules/ntlm_auth including configuration file /etc/freeradius/modules/dynamic_clients including configuration file /etc/freeradius/modules/opendirectory including configuration file /etc/freeradius/modules/chap including configuration file /etc/freeradius/modules/echo including configuration file /etc/freeradius/modules/acct_unique including configuration file /etc/freeradius/modules/soh including configuration file /etc/freeradius/modules/etc_group including configuration file /etc/freeradius/modules/otp including configuration file /etc/freeradius/modules/sradutmp including configuration file /etc/freeradius/modules/always including configuration file /etc/freeradius/modules/digest including configuration file /etc/freeradius/modules/krb5 including configuration file /etc/freeradius/modules/rediswho including configuration file /etc/freeradius/modules/mac2ip including configuration file /etc/freeradius/modules/inner-eap including configuration file /etc/freeradius/modules/passwd including configuration file /etc/freeradius/modules/mschap including configuration file /etc/freeradius/modules/detail.log including configuration file /etc/freeradius/modules/pap including configuration file /etc/freeradius/modules/expiration including configuration file /etc/freeradius/modules/smbpasswd including configuration file /etc/freeradius/modules/exec including configuration file /etc/freeradius/modules/detail including configuration file /etc/freeradius/modules/perl including configuration file /etc/freeradius/modules/realm including configuration file /etc/freeradius/modules/attr_filter including configuration file /etc/freeradius/modules/linelog including configuration file /etc/freeradius/modules/ippool including configuration file /etc/freeradius/modules/expr including configuration file /etc/freeradius/modules/sql_log including configuration file /etc/freeradius/modules/ldap including configuration file /etc/freeradius/modules/sqlcounter_expire_on_login including configuration file /etc/freeradius/eap.conf including configuration file /etc/freeradius/policy.conf including files in directory /etc/freeradius/sites-enabled/ including configuration file /etc/freeradius/sites-enabled/inner-tunnel including configuration file /etc/freeradius/sites-enabled/default main { user = "freerad" group = "freerad" allow_core_dumps = no } including dictionary file /etc/freeradius/dictionary main { name = "freeradius" prefix = "/usr" localstatedir = "/var" sbindir = "/usr/sbin" logdir = "/var/log/freeradius" run_dir = "/var/run/freeradius" libdir = "/usr/lib/freeradius" radacctdir = "/var/log/freeradius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 pidfile = "/var/run/freeradius/freeradius.pid" checkrad = "/usr/sbin/checkrad" debug_level = 0 proxy_requests = yes log { stripped_names = no auth = no auth_badpass = no auth_goodpass = no } security { max_attributes = 200 reject_delay = 1 status_server = yes } } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server server_euclide_it { ipaddr = 192.168.2.252 port = 1812 type = "auth+acct" secret = "testing123" response_window = 30 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 300 status_check_timeout = 4 } home_server_pool pool_euclide_it { type = fail-over home_server = server_euclide_it } realm EUCLIDEBARI.IT { pool = pool_euclide_it nostrip } radiusd: #### Loading Clients #### client localhost { ipaddr = 127.0.0.1 require_message_authenticator = no secret = "testing123" nastype = "other" } client 192.168.0.0/16 { ipaddr = 192.168.0.0 netmask = 16 require_message_authenticator = no secret = "testing123" shortname = "private-network-2" } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating module "exec" from file /etc/freeradius/modules/exec exec { wait = no input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating module "expr" from file /etc/freeradius/modules/expr Module: Linked to module rlm_expiration Module: Instantiating module "expiration" from file /etc/freeradius/modules/expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating module "logintime" from file /etc/freeradius/modules/logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server { # from file /etc/freeradius/radiusd.conf modules { Module: Creating Auth-Type = digest Module: Creating Post-Auth-Type = REJECT Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating module "pap" from file /etc/freeradius/modules/pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating module "chap" from file /etc/freeradius/modules/chap Module: Linked to module rlm_mschap Module: Instantiating module "mschap" from file /etc/freeradius/modules/mschap mschap { use_mppe = yes require_encryption = no require_strong = no with_ntdomain_hack = no allow_retry = yes } Module: Linked to module rlm_digest Module: Instantiating module "digest" from file /etc/freeradius/modules/digest Module: Linked to module rlm_unix Module: Instantiating module "unix" from file /etc/freeradius/modules/unix unix { radwtmp = "/var/log/freeradius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating module "eap" from file /etc/freeradius/eap.conf eap { default_eap_type = "ttls" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 CA_path = "/etc/freeradius/certs" pem_file_type = yes private_key_file = "/etc/freeradius/certs/server.key" certificate_file = "/etc/freeradius/certs/server.pem" CA_file = "/etc/freeradius/certs/ca.pem" private_key_password = "whatever" dh_file = "/etc/freeradius/certs/dh" random_file = "/dev/urandom" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/etc/freeradius/certs/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" include_length = yes } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = yes use_tunneled_reply = yes proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" soh = no } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no send_error = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating module "preprocess" from file /etc/freeradius/modules/preprocess preprocess { huntgroups = "/etc/freeradius/huntgroups" hints = "/etc/freeradius/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Linked to module rlm_realm Module: Instantiating module "suffix" from file /etc/freeradius/modules/realm realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating module "files" from file /etc/freeradius/modules/files files { usersfile = "/etc/freeradius/users" acctusersfile = "/etc/freeradius/acct_users" preproxy_usersfile = "/etc/freeradius/preproxy_users" compat = "no" } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating module "acct_unique" from file /etc/freeradius/modules/acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating module "detail" from file /etc/freeradius/modules/detail detail { detailfile = "/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Linked to module rlm_radutmp Module: Instantiating module "radutmp" from file /etc/freeradius/modules/radutmp radutmp { filename = "/var/log/freeradius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Linked to module rlm_attr_filter Module: Instantiating module "attr_filter.accounting_response" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.accounting_response { attrsfile = "/etc/freeradius/attrs.accounting_response" key = "%{User-Name}" relaxed = no } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Instantiating module "attr_filter.access_reject" from file /etc/freeradius/modules/attr_filter attr_filter attr_filter.access_reject { attrsfile = "/etc/freeradius/attrs.access_reject" key = "%{User-Name}" relaxed = no } } # modules } # server server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } # modules } # server radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = * port = 0 } listen { type = "acct" ipaddr = * port = 0 } listen { type = "auth" ipaddr = 127.0.0.1 port = 18120 } ... adding new socket proxy address * port 52539 ... adding new socket proxy address * port 36512 Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.227 port 55621, id=0, length=128 User-Name = "mickymouse" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200000f016d69636b796d6f757365 Message-Authenticator = 0x8f0e1b2cab6c45f749603dfb9fe3121e # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mickymouse", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 15 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.2.227 port 55621 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c24a7dd7c25b2c4284649365cf62b2b Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.227 port 55621, id=1, length=424 User-Name = "mickymouse" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0201012315001603010118010001140303500895fdbcbed3481e543f4718b61dca402a276ee1c5c7b47dbaf08103eb136d000082c030c02cc028c024c014c00a00a3009f006b006a0039003800880087c032c02ec02ac026c00fc005009d003d00350084c012c00800160013c00dc003000ac02fc02bc027c023c013c00900a2009e0067004000330032009a009900450044c031c02dc029c025c00ec004009c003c002f00960041c011c007c00cc0020005000400ff01000069000b000403000102000a00340032000e000d0019000b000c00180009000a00160017000800060007001400150004000500120013000100020003000f00100011000d00 EAP-Message = 0x20001e060106020603050105020503040104020403030103020303020102020203000f000101 State = 0x7c24a7dd7c25b2c4284649365cf62b2b Message-Authenticator = 0x7618307c23dc64560c4545f5568f56d9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mickymouse", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 253 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] (other): before/accept initialization [ttls] TLS_accept: before/accept initialization [ttls] <<< TLS 1.0 Handshake [length 0118], ClientHello [ttls] TLS_accept: SSLv3 read client hello A [ttls] >>> TLS 1.0 Handshake [length 003e], ServerHello [ttls] TLS_accept: SSLv3 write server hello A [ttls] >>> TLS 1.0 Handshake [length 02c8], Certificate [ttls] TLS_accept: SSLv3 write certificate A [ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange [ttls] TLS_accept: SSLv3 write key exchange A [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone [ttls] TLS_accept: SSLv3 write server done A [ttls] TLS_accept: SSLv3 flush data [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 1 to 192.168.2.227 port 55621 EAP-Message = 0x0102040015c000000469160301003e0200003a0301d72aa49a84707fec19955a71c223b0ddb8809fd6cce5122a2f9675df50fe62bf00c014000012ff01000100000b000403000102000f00010116030102c80b0002c40002c10002be308202ba308201a2a0030201020209008fc4031006f00775300d06092a864886f70d01010b05003015311330110603550403130a65647572756231343034301e170d3135303930353039303235345a170d3235303930323039303235345a3015311330110603550403130a6564757275623134303430820122300d06092a864886f70d01010105000382010f003082010a0282010100f2c1009b1a7294e79f5ca7 EAP-Message = 0x7cc01128a62585c8bb5c11a673bb63b34e427cf0d300a4b69d0fb69c39a017e84527deeb3b850e8c46d294db5d13843dfea0444ad7f9d0c7d499627de1c30fa4faec7ba7b91a6a12db36f3ced751b3655b75ef2e454b01d8b70c1785e9592bcee88c0bfed39e5ed7a8a75fdef14974b62775f4be2c6e67fa9e07a41e93d830ca5201238f80838f3019937e059c55dcc586aec288ee221be019d31a2f3ff403544dce69655b51dc0d994d3d96831f244bcda1b0fa746f27141dd2f79ce2f4d7a68608a5549825313a4adc48627468d6b59f9af22cb981f62bc9968198b92bfcbe05b33487e3233a854be4c26c3642f22f06d91dafbd0203010001a30d30 EAP-Message = 0x0b30090603551d1304023000300d06092a864886f70d01010b0500038201010023a54f9b6a0637be98f3187eac6b4aa0010c79692d5c0615c8a2e31554afe55124a09553666c4897a22bacd781b490899bc5a1726ab7fafa9d55db9341e77dadd93e6811940afba2787129264ea7337d4388977a88d6c07b427296ab7483d6f396c1c507955bf342fea6958dbb70a2865c210f08de87bc8739fe5158368c20fe5d161c46a3034ce26f3c762516d2e86870760cd90ebe6492112a7aa29574423f981764c535f09b635eefb66dbe2d6ad98000163edb33b91fbcd5aca82bad41127caaec3ec09e6bcdfcb21ac66c6cefe2ed559ad949c3d83fc983be17a4 EAP-Message = 0x0ea5a2f786af1fd45fd9aeca267187654809653a46ffb971a42600bcb402d95538c1f3160301014b0c0001470300174104c8a3ba662bc9069d8dadead4549b0422463d4d3492941dd4e2ccf38a9aa6431716beaa6dcf19ccb428ccf2c506b82461f83b3f0e8912a71818bc3437b423ce580100a8556000f3c354ef3feb2753922652e81cbcf594bbe8313e36ace607acb184f17f5dedf36919f3458ca6a583b2c9e474e0401eea28d50bb2239596c9a4d20ab9d44cf59d9b3ad2adbf04f2411cdeda46762f9fe8fdaa6cd91434255937f50366768f72a9bf75f6d79b68278be773be6bb6dd01c65d46a3485ffa1a7437bae0a137016da314f52d50667d EAP-Message = 0x57c13c77e0a793bcdc3bc219 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c24a7dd7d26b2c4284649365cf62b2b Finished request 1. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.227 port 55621, id=2, length=137 User-Name = "mickymouse" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020200061500 State = 0x7c24a7dd7d26b2c4284649365cf62b2b Message-Authenticator = 0xf74709dd977c95c2b2640c86b1739969 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mickymouse", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 2 length 6 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] Received TLS ACK [ttls] ACK handshake fragment handler [ttls] eaptls_verify returned 1 [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 2 to 192.168.2.227 port 55621 EAP-Message = 0x0103007d15800000046969e584db8b5a1f010df7edbcea505a2c90151217ad9eb037080b6fcf41e4f7b24c8fec0b256bdb4ec5db293ace737a2a222a4eed091a0a6734445285374f64d8ada192c2493acd9a1e4fcc92afaaa48a79219e902ac442e08a6cf4456b26e5fb52c1fb70a1018175c7d916030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c24a7dd7e27b2c4284649365cf62b2b Finished request 2. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.227 port 55621, id=3, length=271 User-Name = "mickymouse" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0203008c15001603010046100000424104222a353de69eeb9551f4f95c5490822c143d3d58b226f8862fbcb47d87be003124b0e5cd1cd558606740eb9c62a874a38335d43ca5d73bc239e25674f2356ca214030100010116030100307341e04e67aa3d57f7faa35ef13eb27d25564e6b398438b99058508ff8fa5fb772e5fc8292ca0d5c1be44f09249c569e State = 0x7c24a7dd7e27b2c4284649365cf62b2b Message-Authenticator = 0x6ac83dfd3eda6275d10752c19c3e0360 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mickymouse", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 3 length 140 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange [ttls] TLS_accept: SSLv3 read client key exchange A [ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001] [ttls] <<< TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 read finished A [ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001] [ttls] TLS_accept: SSLv3 write change cipher spec A [ttls] >>> TLS 1.0 Handshake [length 0010], Finished [ttls] TLS_accept: SSLv3 write finished A [ttls] TLS_accept: SSLv3 flush data [ttls] (other): SSL negotiation finished successfully SSL Connection Established [ttls] eaptls_process returned 13 ++[eap] returns handled Sending Access-Challenge of id 3 to 192.168.2.227 port 55621 EAP-Message = 0x0104004515800000003b14030100010116030100308c5e8e1e455e6c47ddc6b0809952b277649c52cf89acf888bbd75965ebce92e51c0b641dca8cc5b5f316018adccb425c Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7c24a7dd7f20b2c4284649365cf62b2b Finished request 3. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.2.227 port 55621, id=4, length=259 User-Name = "mickymouse" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x02040080150017030100208fae9376270446a8e7c337264836d70b0afd3cf2aa06df21f18d2367e850caa71703010050e335abefb024141930ef3a96365da9cf12d8dc57a6d04176119feb77ace448fef427911d840a4bf2bfcff577eb7ca2d97a5db81b5d2a3335d2fcee0eee096671fbd5eb1648fc92c98ec9c5a8f621f48c State = 0x7c24a7dd7f20b2c4284649365cf62b2b Message-Authenticator = 0x0ca4e41ee6414ebbd652b69cdeb714b1 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "mickymouse", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 4 length 128 [eap] Continuing tunnel setup. ++[eap] returns ok Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/ttls [eap] processing type ttls [ttls] Authenticate [ttls] processing EAP-TLS [ttls] eaptls_verify returned 7 [ttls] Done initial handshake [ttls] eaptls_process returned 7 [ttls] Session established. Proceeding to decode tunneled attributes. [ttls] Got tunneled request User-Name = "prova2@euclidebari.it" User-Password = "prova2a" FreeRADIUS-Proxied-To = 127.0.0.1 [ttls] Sending tunneled request User-Name = "prova2@euclidebari.it" User-Password = "prova2a" FreeRADIUS-Proxied-To = 127.0.0.1 NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" server inner-tunnel { # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authorize {...} ++[chap] returns noop ++[mschap] returns noop [suffix] Looking up realm "euclidebari.it" for User-Name = " prova2@euclidebari.it" [suffix] Found realm "EUCLIDEBARI.IT" [suffix] Adding Realm = "EUCLIDEBARI.IT" [suffix] Proxying request from user prova2 to realm EUCLIDEBARI.IT [suffix] Preparing to proxy authentication request to realm "EUCLIDEBARI.IT " ++[suffix] returns updated ++[control] returns updated [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Failed to authenticate the user. } # server inner-tunnel [ttls] Got tunneled reply code 3 [ttls] Got tunneled Access-Reject [eap] Handler failed in EAP/ttls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type Reject # Executing group from file /etc/freeradius/sites-enabled/default +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> mickymouse attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 4 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 4 Sending Access-Reject of id 4 to 192.168.2.227 port 55621 EAP-Message = 0x04040004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +37 Cleaning up request 1 ID 1 with timestamp +37 Cleaning up request 2 ID 2 with timestamp +37 Cleaning up request 3 ID 3 with timestamp +37 Waking up in 0.5 seconds. Cleaning up request 4 ID 4 with timestamp +37 Ready to process requests. ====== radiusd.conf prefix = /usr exec_prefix = /usr sysconfdir = /etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/freeradius raddbdir = /etc/freeradius radacctdir = ${logdir}/radacct name = freeradius confdir = ${raddbdir} run_dir = ${localstatedir}/run/${name} db_dir = ${raddbdir} libdir = /usr/lib/freeradius pidfile = ${run_dir}/${name}.pid user = freerad group = freerad max_request_time = 30 cleanup_delay = 5 max_requests = 1024 listen { type = auth ipaddr = * port = 0 } listen { ipaddr = * port = 0 type = acct } hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log { destination = files file = ${logdir}/radius.log syslog_facility = daemon stripped_names = no auth = no auth_badpass = no auth_goodpass = no } checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = yes } proxy_requests = yes $INCLUDE proxy.conf $INCLUDE clients.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { $INCLUDE ${confdir}/modules/ $INCLUDE eap.conf } instantiate { exec expr expiration logintime } $INCLUDE policy.conf $INCLUDE sites-enabled/ ====== proxy.conf proxy server { default_fallback = no } home_server server_euclide_it { type = auth+acct ipaddr = 192.168.2.252 port = 1812 secret = testing123 status_check = status-server } home_server_pool pool_euclide_it { type = fail-over home_server = server_euclide_it } realm EUCLIDEBARI.IT { pool = pool_euclide_it nostrip } ===== eap.conf eap { default_eap_type = ttls timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no max_sessions = 4096 md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_password = whatever private_key_file = ${certdir}/server.key certificate_file = ${certdir}/server.pem CA_file = ${cadir}/ca.pem dh_file = ${certdir}/dh random_file = /dev/urandom CA_path = ${cadir} cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" ecdh_curve = "prime256v1" cache { enable = no lifetime = 24 # hours max_entries = 255 } verify { } ocsp { enable = no override_cert_url = yes url = "http://127.0.0.1/ocsp/" } } ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = yes use_tunneled_reply = yes virtual_server = "inner-tunnel" } mschapv2 { } } ====== sites-enabled/default authorize { preprocess chap mschap digest suffix eap { ok = return } files expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } digest unix eap } preacct { preprocess acct_unique suffix files } accounting { detail unix radutmp exec attr_filter.accounting_response } session { radutmp } post-auth { exec Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } ===== sites-enabled/inner-tunnel server inner-tunnel { listen { ipaddr = 127.0.0.1 port = 18120 type = auth } authorize { chap mschap suffix update control { Proxy-To-Realm := LOCAL } eap { ok = return } files expiration logintime pap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } unix eap } session { radutmp } post-auth { Post-Auth-Type REJECT { attr_filter.access_reject } } pre-proxy { } post-proxy { eap } } # inner-tunnel server block -- Vito A. Smaldino
Hi,
====== conf file used by eapol_test network={ ssid="example" key_mgmt=WPA-EAP eap=TTLS identity="prova2@euclidebari.it" anonymous_identity="mickymouse" password="prova2a" phase2="auth=PAP" }
theres your problem - anonymous_identity="mickymouse" - theres no realm! that should be either anonymous_identity="mickymouse@euclidebari.it" or anonymous_identity="@euclidebari.it" the anonymous identity will still have the correct realm in it or nothing would work. in most OS's, the anonymous identity automatically inherits the inner id realm... however, the inner ID can be realm-less with only the outer ID containing the realm eg network={ ssid="eduroam" key_mgmt=WPA-EAP eap=TTLS identity="prova2" anonymous_identity="mickymouse@euclidebari.it" password="prova2a" phase2="auth=PAP" } now try..... PS if starting a new install, dont even bother with 2.x - go straight to 3.x and start with that - otherwise you'll have to be migrating 2.x to 3.x within the year anyway.... alan
HI,
theres your problem - anonymous_identity="mickymouse" - theres no realm!
that should be either
anonymous_identity="mickymouse@euclidebari.it" or anonymous_identity="@euclidebari.it"
the anonymous identity will still have the correct realm in it or nothing would work. in most OS's, the anonymous identity automatically inherits the inner id realm... however, the inner ID can be realm-less with only the outer ID containing the realm eg
network={ ssid="eduroam" key_mgmt=WPA-EAP eap=TTLS identity="prova2" anonymous_identity="mickymouse@euclidebari.it" password="prova2a" phase2="auth=PAP" }
Great explain!
now try.....
I'll test it ASAP
PS if starting a new install, dont even bother with 2.x - go straight to 3.x and start with that - otherwise you'll have to be migrating 2.x to 3.x within the year anyway....
Good suggestion, after the test, i'll restart using FR 3.x
Many thanks VS <http://www.freeradius.org/list/users.html>
Hi, i just tested it, it works as expected! Note: eapol_test fills correctly the field anonymous_identity if left unspecified in the config file. network={ ssid="example" key_mgmt=WPA-EAP eap=TTLS identity="prova2@euclidebari.it" ####### anonymous_identity="anonymous@euclidebari.it" password="prova2a" phase2="auth=CHAP" # # Uncomment the following to perform server certificate validation. # ca_cert="/etc/raddb/certs/ca.der" }
PS if starting a new install, dont even bother with 2.x - go straight to 3.x and start with that - otherwise you'll have to be migrating 2.x to 3.x within the year anyway....
I installed FR 3 on Ubuntu 14.04 getting it from this ppa https://launchpad.net/~freeradius/+archive/ubuntu/stable-3.0; it as a lot of inconsistencies between config files (/etc/freeradius), run time files (/var/run/...) and control script (/etc/init.d/freeradius) that require several manual adjustments. V -- Vito A. Smaldino
participants (2)
-
A.L.M.Buxey@lboro.ac.uk -
Vito A. Smaldino