Hi, FreeRadius Version 1.1.7 I'm looking for some help with regards to setting up EAP-TTLS. I've managed to make some progress, but can't get past the following problem which gets printed in the debug logs: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. "rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported" The message gets generated when attribute length > 255, but none of the attributes I send through are that large. I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and are sending through the following when receiving the message. Sending RADIUS Packet: ---------------------------------------------------------- Class: class net.sf.jradius.packet.AccessRequest Attributes: User-Name = edwinvanzyl Tunnel-Password = edwinvzyl09 State = [Binary Data (length=16)] EAP-Message = [Binary Data (length=79)] Message-Authenticator = [Binary Data (length=16)] Can anyone please assist? Kind Regards, Edwin
Edwin van Zyl wrote:
I'm looking for some help with regards to setting up EAP-TTLS. I've managed to make some progress, but can't get past the following problem which gets printed in the debug logs:
"rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported"
The message gets generated when attribute length > 255, but none of the attributes I send through are that large.
Then (a) the code in FreeRADIUS is buggy, or (b) the code in jradius is buggy, or (c) you actually are sending attributes that are that large.
I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and are sending through the following when receiving the message.
Is jradius sending this? Because that message *only* gets printed out for data inside of the TTLS tunnel. And the sample packet you show does not contain enough data to form anything inside of the TTLS tunnel. And... most importantly... if the server was built with debugging symbols (like it usually is), then running in debugging mode would show you the raw data inside of the TLS tunnel, which would give you (and me) enough information to decide definitively what's going on.
Can anyone please assist?
Can you post the debug log, as suggested in the FAQ, README, INSTALL, and daily on this list? Honestly... I'm still amazed at the number of people who careful post what the client is sending... and then ask "Why does the server not do what I expect?" If your car is broken, it is totally pointless to go examine the road. Alan DeKok.
Hi Alan, This is the debug trace rad_recv: Access-Request packet from host 127.0.0.1:49483, id=24, length=69 User-Name = "edwinvanzyl" EAP-Message = 0x0200001001656477696e76616e7a796c Message-Authenticator = 0xed79f4cc7febfa2e6a5b68d140ee542b Processing the authorize section of radiusd.conf modcall: entering group authorize for request 4 rlm_eap: EAP packet type response id 0 length 16 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 4 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 4 modcall: leaving group authorize (returns updated) for request 4 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 4 rlm_eap: EAP Identity rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 modcall[authenticate]: module "eap" returns handled for request 4 modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 24 to 127.0.0.1 port 49483 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x59994c8086dcf4cfeabfc31438dbba9d Finished request 4 Going to the next request --- Walking the entire request list --- Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:49483, id=25, length=135 User-Name = "edwinvanzyl" State = 0x59994c8086dcf4cfeabfc31438dbba9d EAP-Message = 0x0201004015800000003a16030100310100002d030147b19e11c55051203e70a3b34b02f2af7f42fa8345639d44c65c8f5773ba94aa000006002f003300320100 Message-Authenticator = 0x073d25f7a7bfc79e5cfe9044951bf879 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 5 rlm_eap: EAP packet type response id 1 length 64 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 5 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 5 modcall: leaving group authorize (returns updated) for request 5 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 5 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 (other): before/accept initialization TLS_accept: before/accept initialization rlm_eap_tls: <<< TLS 1.0 Handshake [length 0031], ClientHello TLS_accept: SSLv3 read client hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello TLS_accept: SSLv3 write server hello A rlm_eap_tls: >>> TLS 1.0 Handshake [length 024f], Certificate TLS_accept: SSLv3 write certificate A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone TLS_accept: SSLv3 write server done A TLS_accept: SSLv3 flush data TLS_accept: Need to read more data: SSLv3 read client certificate A In SSL Handshake Phase In SSL Accept mode eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 5 modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 25 to 127.0.0.1 port 49483 EAP-Message = 0x010202b21500160301004a02000046030147b19e119f75aea0f1e09e68fba01f980f72263176ebf126951ca3453fd32e9f207f7fffa1bc92784cdb75d44eeec70d263fbc8e6578b680cff8e74e7d9f58737c002f00160301024f0b00024b00024800024530820241308201aa0203100001300d06092a864886f70d0101040500307431173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158310c300a06035504071303465344310f300d0603550408130670756e6a6162310b300906035504061302706b311d301b060355040313146161617365727665722e616c636174656c2e706b301e170d303730 EAP-Message = 0x3531343131353334365a170d3038303531333131353334365a305c310b300906035504061302706b310f300d0603550408130670756e6a616231173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158311330110603550403130a7a7978656c2e7573657230819f300d06092a864886f70d010101050003818d0030818902818100baaf122e60946da7ee1dc1101854e1836e848c0f3d5372be31e29eef2566a673f138809b9a118846e6846280408d822960c6345a6ce922155463fe3a267bc8d047aa8a435f506d9df7670e9d5dcc381f48d99662943546c4acca0db93665023181924fa574b52fb8ec EAP-Message = 0x7a05a85edf77fc408350e82f41536fb4584afe6671fd5f0203010001300d06092a864886f70d01010405000381810065c020869992c43b685a15a53ffee8ea31743ac9fe71a741b5265dbc1caa2d01e614820b4d05d2f5bd5bf04804259abfdad4d492877574946c10afba0c07a04304876701ac9e29a8297b2a9f1d6bb5e080d2fc5b633d63433f63e4be896dc4bd9db1606e80af636c2a1eabba9e0c3d73059bfc66efc9d06b8af35a8d2862971416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdb9212a8b9011cdfcdf439d379d5f3fd Finished request 5 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:49483, id=26, length=279 User-Name = "edwinvanzyl" State = 0xdb9212a8b9011cdfcdf439d379d5f3fd EAP-Message = 0x020200d01580000000ca1603010086100000820080851b83bc1ef0bf9191a86fbaea6ccfc1125f3bb6a921e98c9e4d88a1027f97b7becbfcf93b4680ce3c633d59accde21e782450f8ddc0643fe4940ca0f69bc5685c7c4ad87f6dd48d9071c298444a2aa4c7e00974111f73bed623482b62cafcdd64f80a86c04764eb60cf915817bbfeeeea66c383283f80e9af8f65cba652ea0f1403010001011603010030cbd3122559d1fc2a6ff191e8bdea363db4e5759dcd863977b38556689a77b9711f38db5cace0453b0e1275bb1e6ccd73 Message-Authenticator = 0x6be9cce642516930e4ff0790e2040d11 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 6 rlm_eap: EAP packet type response id 2 length 208 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 6 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 6 modcall: leaving group authorize (returns updated) for request 6 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 6 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange TLS_accept: SSLv3 read client key exchange A rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 read finished A rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] TLS_accept: SSLv3 write change cipher spec A rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished TLS_accept: SSLv3 write finished A TLS_accept: SSLv3 flush data (other): SSL negotiation finished successfully SSL Connection Established eaptls_process returned 13 modcall[authenticate]: module "eap" returns handled for request 6 modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 26 to 127.0.0.1 port 49483 EAP-Message = 0x01030041150014030100010116030100303e4590682263ecfae1df520a9e735fc24dc0b9dadc289c73d44c68e892db13489f2a9d4413f92d0ae4225bdea6d680cd Message-Authenticator = 0x00000000000000000000000000000000 State = 0x57145bf98bdf07a373ce7da47d5414ff Finished request 6 Going to the next request Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:49483, id=27, length=134 User-Name = "edwinvanzyl" State = 0x57145bf98bdf07a373ce7da47d5414ff EAP-Message = 0x0203003f1580000000391703010030d6fe3b607f24657f497e2f40481ba0002aaab90f6a005f62004eb7f6a1ccdbf1a8c3a93780e2e9402f537bd7b080a283 Message-Authenticator = 0x49352d2e77eb31e74b65c2cdc1059f73 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 7 rlm_eap: EAP packet type response id 3 length 63 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation modcall[authorize]: module "eap" returns updated for request 7 users: Matched entry edwinvanzyl at line 80 modcall[authorize]: module "files" returns ok for request 7 modcall: leaving group authorize (returns updated) for request 7 rad_check_password: Found Auth-Type EAP auth: type "EAP" Processing the authenticate section of radiusd.conf modcall: entering group authenticate for request 7 rlm_eap: Request found, released from the list rlm_eap: EAP/ttls rlm_eap: processing type ttls rlm_eap_ttls: Authenticate rlm_eap_tls: processing TLS rlm_eap_tls: Length Included eaptls_verify returned 11 eaptls_process returned 7 rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported rlm_eap: Handler failed in EAP/ttls rlm_eap: Failed in EAP select modcall[authenticate]: module "eap" returns invalid for request 7 modcall: leaving group authenticate (returns invalid) for request 7 auth: Failed to validate the user. Delaying request 7 for 1 seconds Finished request 7 Going to the next request Waking up in 6 seconds... --- Walking the entire request list --- Cleaning up request 4 ID 24 with timestamp 47b19e11 Cleaning up request 5 ID 25 with timestamp 47b19e11 Cleaning up request 6 ID 26 with timestamp 47b19e11 Sending Access-Reject of id 27 to 127.0.0.1 port 49483 EAP-Message = 0x04030004 Message-Authenticator = 0x00000000000000000000000000000000 Cleaning up request 7 ID 27 with timestamp 47b19e11 Nothing to do. Sleeping until we see a request. Thx Edwin On 12 Feb 2008, at 2:47 PM, Alan DeKok wrote:
Edwin van Zyl wrote:
I'm looking for some help with regards to setting up EAP-TTLS. I've managed to make some progress, but can't get past the following problem which gets printed in the debug logs:
"rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported"
The message gets generated when attribute length > 255, but none of the attributes I send through are that large.
Then (a) the code in FreeRADIUS is buggy, or (b) the code in jradius is buggy, or (c) you actually are sending attributes that are that large.
I'm using JRadius to simulate Radius traffic over EAP-TTLS/PAP and are sending through the following when receiving the message.
Is jradius sending this? Because that message *only* gets printed out for data inside of the TTLS tunnel. And the sample packet you show does not contain enough data to form anything inside of the TTLS tunnel.
And... most importantly... if the server was built with debugging symbols (like it usually is), then running in debugging mode would show you the raw data inside of the TLS tunnel, which would give you (and me) enough information to decide definitively what's going on.
Can anyone please assist?
Can you post the debug log, as suggested in the FAQ, README, INSTALL, and daily on this list?
Honestly... I'm still amazed at the number of people who careful post what the client is sending... and then ask "Why does the server not do what I expect?" If your car is broken, it is totally pointless to go examine the road.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, I've configured with the following options: ./configure --enable- debug --enable-developer and re-build, but still don't see the raw data. I've looked at the binary traces and can see that the EAP message contains encrypted application data and the size is less then 100bytes. Am I configuring with the wrong options? Thx Edwin On 12 Feb 2008, at 5:57 PM, Alan DeKok wrote:
Edwin van Zyl wrote:
Hi Alan,
This is the debug trace
It doesn't include the raw dump of the contents of the TLS session. You'll need to re-build the server from source in order to get that, unfortunately.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edwin van Zyl wrote:
I've configured with the following options: ./configure --enable-debug --enable-developer and re-build, but still don't see the raw data. I've looked at the binary traces and can see that the EAP message contains encrypted application data and the size is less then 100bytes. Am I configuring with the wrong options?
Hmm... try running with with -Xxx Alan DeKok.
That worked. thx. rad_recv: Access-Request packet from host 127.0.0.1:50067, id=101, length=79 User-Name = "edwinvanzyl" Called-Station-Id = "internet" EAP-Message = 0x0200001001656477696e76616e7a796c Message-Authenticator = 0xd649ab055e13bef1b25863bcab47f81e Wed Feb 13 11:22:56 2008 : Debug: Processing the authorize section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize for request 4 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 4 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP packet type response id 0 length 16 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 4 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 4 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 4 Wed Feb 13 11:22:56 2008 : Debug: users: Matched entry edwinvanzyl at line 80 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 4 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "files" returns ok for request 4 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize (returns updated) for request 4 Wed Feb 13 11:22:56 2008 : Debug: rad_check_password: Found Auth- Type EAP Wed Feb 13 11:22:56 2008 : Debug: auth: type "EAP" Wed Feb 13 11:22:56 2008 : Debug: Processing the authenticate section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate for request 4 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 4 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP Identity Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: processing type tls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: Initiate Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: Start returned 1 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 4 Wed Feb 13 11:22:56 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 4 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 4 Sending Access-Challenge of id 101 to 127.0.0.1 port 50067 EAP-Message = 0x010100061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xad2f0e60790267d123b90ade481ecca5 Wed Feb 13 11:22:56 2008 : Debug: Finished request 4 Wed Feb 13 11:22:56 2008 : Debug: Going to the next request Wed Feb 13 11:22:56 2008 : Debug: --- Walking the entire request list --- Wed Feb 13 11:22:56 2008 : Debug: Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:50067, id=102, length=145 User-Name = "edwinvanzyl" Called-Station-Id = "internet" State = 0xad2f0e60790267d123b90ade481ecca5 EAP-Message = 0x0201004015800000003a16030100310100002d030147b2b6f06db8377eae44af2b54c47b7c102f291a22bb62187200777ccdf66216000006002f003300320100 Message-Authenticator = 0x21c075be78867ae66bd77f002e447701 Wed Feb 13 11:22:56 2008 : Debug: Processing the authorize section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize for request 5 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 5 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP packet type response id 1 length 64 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 5 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 5 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 5 Wed Feb 13 11:22:56 2008 : Debug: users: Matched entry edwinvanzyl at line 80 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 5 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "files" returns ok for request 5 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize (returns updated) for request 5 Wed Feb 13 11:22:56 2008 : Debug: rad_check_password: Found Auth- Type EAP Wed Feb 13 11:22:56 2008 : Debug: auth: type "EAP" Wed Feb 13 11:22:56 2008 : Debug: Processing the authenticate section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate for request 5 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 5 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: Request found, released from the list Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP/ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: processing type ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Authenticate Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: processing TLS Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: Length Included Wed Feb 13 11:22:56 2008 : Debug: eaptls_verify returned 11 Wed Feb 13 11:22:56 2008 : Debug: (other): before/accept initialization Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: before/accept initialization Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0031], ClientHello Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 read client hello A Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 write server hello A Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 024f], Certificate Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 write certificate A Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 write server done A Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 flush data Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: Need to read more data: SSLv3 read client certificate A Wed Feb 13 11:22:56 2008 : Debug: In SSL Handshake Phase Wed Feb 13 11:22:56 2008 : Debug: In SSL Accept mode Wed Feb 13 11:22:56 2008 : Debug: eaptls_process returned 13 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 5 Wed Feb 13 11:22:56 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 5 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 5 Sending Access-Challenge of id 102 to 127.0.0.1 port 50067 EAP-Message = 0x010202b21500160301004a02000046030147b2b6f05cb491bf2deb1d0bb035590d20dc810639878320773425fd0c84dba4201fa66fa4064e36e8fcf4da3971bb0e26ecb0c26b42041474485586703259d4fe002f00160301024f0b00024b00024800024530820241308201aa0203100001300d06092a864886f70d0101040500307431173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158310c300a06035504071303465344310f300d0603550408130670756e6a6162310b300906035504061302706b311d301b060355040313146161617365727665722e616c636174656c2e706b301e170d303730 EAP-Message = 0x3531343131353334365a170d3038303531333131353334365a305c310b300906035504061302706b310f300d0603550408130670756e6a616231173015060355040a130e616c636174656c2d6c7563656e74310e300c060355040b130557694d4158311330110603550403130a7a7978656c2e7573657230819f300d06092a864886f70d010101050003818d0030818902818100baaf122e60946da7ee1dc1101854e1836e848c0f3d5372be31e29eef2566a673f138809b9a118846e6846280408d822960c6345a6ce922155463fe3a267bc8d047aa8a435f506d9df7670e9d5dcc381f48d99662943546c4acca0db93665023181924fa574b52fb8ec EAP-Message = 0x7a05a85edf77fc408350e82f41536fb4584afe6671fd5f0203010001300d06092a864886f70d01010405000381810065c020869992c43b685a15a53ffee8ea31743ac9fe71a741b5265dbc1caa2d01e614820b4d05d2f5bd5bf04804259abfdad4d492877574946c10afba0c07a04304876701ac9e29a8297b2a9f1d6bb5e080d2fc5b633d63433f63e4be896dc4bd9db1606e80af636c2a1eabba9e0c3d73059bfc66efc9d06b8af35a8d2862971416030100040e000000 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xa906824b1c0687f85073022f0177c03d Wed Feb 13 11:22:56 2008 : Debug: Finished request 5 Wed Feb 13 11:22:56 2008 : Debug: Going to the next request Wed Feb 13 11:22:56 2008 : Debug: Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:50067, id=103, length=289 User-Name = "edwinvanzyl" Called-Station-Id = "internet" State = 0xa906824b1c0687f85073022f0177c03d EAP-Message = 0x020200d01580000000ca1603010086100000820080a7846d9c489947c24ca5fe72f8894e2a00f06ffa6628b5f779f2fdeac11978a11438e8102bc929c7ebbc26d09514408471ee6a7ed9faba03c7986cf2a2e8a47603d15f927257e90fac15026e83aef21f1621ba13edafa3c7539647c6582f5413d9c84af5172853966b80b3e26165ce3963faecec04a6da531079c633ffc36dcc14030100010116030100308646fe17348800449f912361f8f22d58b1f0a921533e0ec562c2a034735a723074d7deb42440e08a36d06c81b4273add Message-Authenticator = 0xccf19c9005bab3b128e6dbfb8624d438 Wed Feb 13 11:22:56 2008 : Debug: Processing the authorize section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize for request 6 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 6 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP packet type response id 2 length 208 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 6 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 6 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 6 Wed Feb 13 11:22:56 2008 : Debug: users: Matched entry edwinvanzyl at line 80 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 6 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "files" returns ok for request 6 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize (returns updated) for request 6 Wed Feb 13 11:22:56 2008 : Debug: rad_check_password: Found Auth- Type EAP Wed Feb 13 11:22:56 2008 : Debug: auth: type "EAP" Wed Feb 13 11:22:56 2008 : Debug: Processing the authenticate section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate for request 6 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 6 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: Request found, released from the list Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP/ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: processing type ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Authenticate Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: processing TLS Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: Length Included Wed Feb 13 11:22:56 2008 : Debug: eaptls_verify returned 11 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 read client key exchange A Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001] Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 read finished A Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001] Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 write change cipher spec A Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 write finished A Wed Feb 13 11:22:56 2008 : Debug: TLS_accept: SSLv3 flush data Wed Feb 13 11:22:56 2008 : Debug: (other): SSL negotiation finished successfully Wed Feb 13 11:22:56 2008 : Debug: SSL Connection Established Wed Feb 13 11:22:56 2008 : Debug: eaptls_process returned 13 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 6 Wed Feb 13 11:22:56 2008 : Debug: modcall[authenticate]: module "eap" returns handled for request 6 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authenticate (returns handled) for request 6 Sending Access-Challenge of id 103 to 127.0.0.1 port 50067 EAP-Message = 0x01030041150014030100010116030100306e67219d42247698b9a3a37e6205bbf5432619a2c997a30809f82412d93286b9410636ff327ff3b62df678e540bae2bc Message-Authenticator = 0x00000000000000000000000000000000 State = 0x868bf596b4e632edce8c663e4ff20895 Wed Feb 13 11:22:56 2008 : Debug: Finished request 6 Wed Feb 13 11:22:56 2008 : Debug: Going to the next request Wed Feb 13 11:22:56 2008 : Debug: Waking up in 6 seconds... rad_recv: Access-Request packet from host 127.0.0.1:50067, id=104, length=160 User-Name = "edwinvanzyl" Called-Station-Id = "internet" State = 0x868bf596b4e632edce8c663e4ff20895 EAP-Message = 0x0203004f158000000049170301004092cf380f7dcc8e70a90786295ec7d8501d9b66debb6c833e413c3e97d1de6575a0946e29604e8e5c918a430d8abe24a8fb902e747e8564a530aa3cf4d9c45bf3 Message-Authenticator = 0x2f5fa680eb9fd89cebdbc5f34e07eaa6 Wed Feb 13 11:22:56 2008 : Debug: Processing the authorize section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authorize for request 7 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling eap (rlm_eap) for request 7 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP packet type response id 3 length 79 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from eap (rlm_eap) for request 7 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "eap" returns updated for request 7 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: calling files (rlm_files) for request 7 Wed Feb 13 11:22:56 2008 : Debug: users: Matched entry edwinvanzyl at line 80 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authorize]: returned from files (rlm_files) for request 7 Wed Feb 13 11:22:56 2008 : Debug: modcall[authorize]: module "files" returns ok for request 7 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authorize (returns updated) for request 7 Wed Feb 13 11:22:56 2008 : Debug: rad_check_password: Found Auth- Type EAP Wed Feb 13 11:22:56 2008 : Debug: auth: type "EAP" Wed Feb 13 11:22:56 2008 : Debug: Processing the authenticate section of radiusd.conf Wed Feb 13 11:22:56 2008 : Debug: modcall: entering group authenticate for request 7 Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: calling eap (rlm_eap) for request 7 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: Request found, released from the list Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: EAP/ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: processing type ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Authenticate Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: processing TLS Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_tls: Length Included Wed Feb 13 11:22:56 2008 : Debug: eaptls_verify returned 11 Wed Feb 13 11:22:56 2008 : Debug: eaptls_process returned 7 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS tunnel data in 0000: 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74 TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74 Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Non-RADIUS attribute in tunneled authentication is not supported Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: Handler failed in EAP/ttls Wed Feb 13 11:22:56 2008 : Debug: rlm_eap: Failed in EAP select Wed Feb 13 11:22:56 2008 : Debug: modsingle[authenticate]: returned from eap (rlm_eap) for request 7 Wed Feb 13 11:22:56 2008 : Debug: modcall[authenticate]: module "eap" returns invalid for request 7 Wed Feb 13 11:22:56 2008 : Debug: modcall: leaving group authenticate (returns invalid) for request 7 Wed Feb 13 11:22:56 2008 : Debug: auth: Failed to validate the user. Wed Feb 13 11:22:56 2008 : Debug: Delaying request 7 for 1 seconds Wed Feb 13 11:22:56 2008 : Debug: Finished request 7 Wed Feb 13 11:22:56 2008 : Debug: Going to the next request Wed Feb 13 11:22:56 2008 : Debug: Waking up in 6 seconds... Wed Feb 13 11:23:02 2008 : Debug: --- Walking the entire reques On 13 Feb 2008, at 11:09 AM, Alan DeKok wrote:
Edwin van Zyl wrote:
I've configured with the following options: ./configure --enable- debug --enable-developer and re-build, but still don't see the raw data. I've looked at the binary traces and can see that the EAP message contains encrypted application data and the size is less then 100bytes. Am I configuring with the wrong options?
Hmm... try running with with -Xxx
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edwin van Zyl wrote:
That worked. thx. ... Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS tunnel data in 0000: 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74 TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74
The supplicant is sending data inside the TTLS tunnel packed as *RADIUS* attributes. That's wrong. They attributes are supposed to be packed in the *Diameter* AVP format. Whatever supplicant you're using is broken, and WILL NOT work with *any* RADIUS server supporting TTLS. Alan DeKok.
I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option. Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help. On 13 Feb 2008, at 12:20 PM, Alan DeKok wrote:
Edwin van Zyl wrote:
That worked. thx. ... Wed Feb 13 11:22:56 2008 : Debug: rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes. TTLS tunnel data in 0000: 01 0d 65 64 77 69 6e 76 61 6e 7a 79 6c 02 09 74 TTLS tunnel data in 0010: 65 73 74 69 6e 67 1e 0a 69 6e 74 65 72 6e 65 74
The supplicant is sending data inside the TTLS tunnel packed as *RADIUS* attributes. That's wrong. They attributes are supposed to be packed in the *Diameter* AVP format.
Whatever supplicant you're using is broken, and WILL NOT work with *any* RADIUS server supporting TTLS.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Edwin van Zyl wrote:
I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option.
It *should* be working...
Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.
eapol_test, which is part of wpa_supplicant. Alan DeKok.
Your comment *should* focussed my attention on the JRadius simulator and I finally got it to work. Problem: Old version of JRadiusSimulator. The one I used, I've downloaded from http://sourceforge.net/projects/jradius . Rather use the java web start option at http://coova.org/wiki/index.php/JRadius/Simulator for the latest version. Thx for your assistance. Kind Regards, Edwin On 13 Feb 2008, at 4:33 PM, Alan DeKok wrote:
Edwin van Zyl wrote:
I've been simulating the traffic with JRadiusSimulator and used the EAP-TTLS/PAP option.
It *should* be working...
Is there any other simulator you know of which I can use to simulate EAP-TTLS/(PAP and MS-CHAPv1)? I appreciate your help.
eapol_test, which is part of wpa_supplicant.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Edwin van Zyl