Authentication seems to work, only it doesn't actually (EAP-TTLS)
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP That being said I have taken one of my existing, working with FreeRadius 1.1.5, access points and pointed it at my test radius server. When I try and connect the agent sends dozens of requests that the debug log seems very happy with "Login OK: [prieheck] (from client...." However, that seems to be the extent of it. The login's are approved, but it doesn't seem like anyone is getting informed. A radeapclient test: +++> About to send encoded packet: User-Name = "prieheck" Cleartext-Password = "please" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Id = 210 EAP-Type-Identity = "prieheck" Message-Authenticator = 0x00 NAS-Port = 0 <+++ EAP decoded packet: EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4 Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17 State = 0x5d58d3605d8bd76df879afd5c99b16ef EAP-Id = 211 EAP-Code = Request EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4 +++> About to send encoded packet: User-Name = "prieheck" Cleartext-Password = "please" NAS-IP-Address = 127.0.0.1 EAP-Code = Response EAP-Id = 211 Message-Authenticator = 0x00000000000000000000000000000000 NAS-Port = 0 EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14 State = 0x5d58d3605d8bd76df879afd5c99b16ef <+++ EAP decoded packet: EAP-Message = 0x03d30004 Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290 User-Name = "prieheck" EAP-Id = 211 EAP-Code = Success Total approved auths: 1 Total denied auths: 1 So it looks to me like the eap bit is all going good, but I am at a loss (especially concerning the denied auth there...). EAP/PEAP is working just fine so I think it may be my eap.conf file related to ttls: #### eap.conf eap { default_eap_type = md5 timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no md5 { } leap { } gtc { auth_type = PAP } tls { certdir = ${confdir}/certs cadir = ${confdir}/certs private_key_file = ${certdir}/radius.key certificate_file = ${certdir}/radius.crt CA_file = ${cadir}/cacert.pem dh_file = ${certdir}/dh random_file = ${certdir}/random cipher_list = "DEFAULT" make_cert_command = "${certdir}/bootstrap" } ttls { default_eap_type = md5 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } peap { default_eap_type = mschapv2 copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } mschapv2 { } md5 { } } This is a bit of the debug output from free radius <snip> ++[pap] returns ok Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel) } # server inner-tunnel TTLS: Got tunneled reply RADIUS code 2 TTLS: Got tunneled Access-Accept rlm_eap: Freeing handler ++[eap] returns ok Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 222 to 10.4.6.7 port 1645 MS-MPPE-Recv-Key = 0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048 MS-MPPE-Send-Key = 0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174 EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "prieheck" Finished request 4. Going to the next request Waking up in 4.0 seconds. Cleaning up request 0 ID 218 with timestamp +19 Waking up in 0.3 seconds. Cleaning up request 1 ID 219 with timestamp +20 Cleaning up request 2 ID 220 with timestamp +20 Waking up in 0.4 seconds. rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142 User-Name = "prieheck" Framed-MTU = 1400 Called-Station-Id = "000f.f7d4.d460" Calling-Station-Id = "0106.cfa9.d2eb" Service-Type = Login-User </snip> Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me. I would happily share any of my other config lines, but don't know what you would want to see and don't want to flood you with too much data.... Pat
Pat Riehecky wrote:
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP
That should be easy enough.
That being said I have taken one of my existing, working with FreeRadius 1.1.5, access points and pointed it at my test radius server.
Why? Why not just test everything from the command-line? See my web site for examples of testing EAP (http://deployingradius.com).
When I try and connect the agent sends dozens of requests that the debug log seems very happy with "Login OK: [prieheck] (from client...." However, that seems to be the extent of it. The login's are approved, but it doesn't seem like anyone is getting informed.
I have no idea what that means. ...
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
Well, that looks like it's working.
I would happily share any of my other config lines, but don't know what you would want to see and don't want to flood you with too much data....
Perhaps you could explain what's going wrong. Saying "no one is getting informed" makes no sense. Alan DeKok.
On Thu, 2008-08-14 at 15:59 +0200, Alan DeKok wrote:
Pat Riehecky wrote:
My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP
That should be easy enough.
That being said I have taken one of my existing, working with FreeRadius 1.1.5, access points and pointed it at my test radius server.
Why? Why not just test everything from the command-line? See my web site for examples of testing EAP (http://deployingradius.com).
Found the tools needed (knowledge) to figure out my own errors there. Thanks! Pat
participants (2)
-
Alan DeKok -
Pat Riehecky