debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails
Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established: WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x992158e5992955e0 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! and then later on rlm_eap: No EAP session matching the State variable. [inner-eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request I've read the instructions but none of that seems to apply to my situation There is TLV result - failure in the supplicant log but I don't have a clue if that is a cause or a effect of the error in freeradius. Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: received 37 bytes encrypted data for Phase 2 Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=5): 01 07 00 05 +01 Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: received Phase 2: code=1 identifier=7 length=5 Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Phase 2 Request: type=1 Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP-PEAP: Encrypting Phase 2 data - hexdump(len=18): [REMOVED] Aug 21 12:22:34 localhost wpa_supplicant[19681]: SSL: 90 bytes left to be sent out (of total 90 bytes) Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: method process -> ignore=FALSE methodState=MAY_CONT +decision=FAIL Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: EAP entering state SEND_RESPONSE Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAP: EAP entering state IDLE Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: SUPP_BE entering state RESPONSE Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: txSuppRsp Aug 21 12:22:34 localhost wpa_supplicant[19681]: TX EAPOL: dst=00:24:14:3a:95:d0 Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: SUPP_BE entering state RECEIVE Aug 21 12:22:34 localhost wpa_supplicant[19681]: EAPOL: startWhen --> 0 Aug 21 12:22:46 localhost wpa_supplicant[19681]: EAP-TLV: TLV Result - Failure Aug 21 12:22:47 localhost wpa_supplicant[19681]: wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed Thanks for any help Martin
On 21/08/2013 12:17, Martin Kraus wrote:
Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP outer and TLS inner? Because the latter is unlikely to work; it's not a supported combo per the PEAP spec.
TLS tunnel is established:
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0x992158e5992955e0 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
and then later on
rlm_eap: No EAP session matching the State variable. [inner-eap] Either EAP-request timed out OR EAP-response to an unknown EAP-request
Post a full debug, gathered with "radiusd -X", of a failing attempt.
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
On 21/08/2013 12:17, Martin Kraus wrote:
Hi. I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP outer and TLS inner?
Because the latter is unlikely to work; it's not a supported combo per the PEAP spec.
well looking at man wpa_supplicant I can see EAP-PEAP/TLS so I assumed that this is an equivalent of EAP-TTLS/TLS. also from my google searches it might be possible that windows supports PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get it to work because there is no EAP-TTLS/TLS support in windows. There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam because we don't really trust supplicants in windows, macs and various phones to do the right thing (windows phone doesn't check the radius certificate for example). I'll paste the full debug tomorrow when I'm back at the office. Martin
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.
also from my google searches it might be possible that windows supports PEAP/TLS as well as PEAP/MSCHAPV2 and that's the main reason I'm trying to get
Yes
There is a concern in our organization with security of PEAP/MSCHAPV2 over Eduroam because we don't really trust supplicants in windows, macs and various phones to do the right thing (windows phone doesn't check the radius certificate for example).
If that's all you're doing, forget about PEAP and just go for straight EAP-TLS. All PEAP really gives you on top is the SoH support, and may cause problems with other non-Windows clients. EAP-TLS should work on more devices. Some devices you'll be stuck with PEAP/MSCHAPv2 though (or TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't do EAP-TLS. You do realise that EAP-TLS is certificate based, not user/password? So you need a full certificate management system to go with it as well to issue certs to your users. You can't get user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only. My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
If that's all you're doing, forget about PEAP and just go for straight EAP-TLS. All PEAP really gives you on top is the SoH support, and may cause problems with other non-Windows clients. EAP-TLS should work on more devices.
I'm still hoping I'll be able to use the outer and inner TLS for privacy reasons and because right now the radius configuration is doing what I want and merging default and inner-tunnel servers would make the configuration even uglier then it already is:-)
Some devices you'll be stuck with PEAP/MSCHAPv2 though (or TTLS/MSCHAPv2). I'm pretty sure there are some phones that can't do EAP-TLS.
You do realise that EAP-TLS is certificate based, not user/password? So you need a full certificate management system to go with it as well to issue certs to your users. You can't get user-based auth with EAP-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only.
Yes, all our users have a certificate issued for our internal wifi so that's not a problem. I'm actually hoping to phase out passwords for network logons.
My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly.
We don't have control over the client devices. We just have to hope that the users know what to do and what their devices are doing. The main problem is that I'm currently not allowed to go on with a migration to 802.1x until the mschap problem is solved. mk
Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.
Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice to see ms honouring their own specs ;o) Or maybe they updated it since I last read it. -- Sent from my phone with, please excuse brevity and typos
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
Matthew Newton <mcn4@leicester.ac.uk> wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what it's talking about.
Huh, and I thought MS-PEAP specified only soh and mschap as valid inners. Nice to see ms honouring their own specs ;o) Or maybe they updated it since I last read it.
We've been doing it for ~18 months now. Works fine (when the fragment sizes have been set up correctly) so we get domain managed certs and soh. Just a shame you can't do user auth as well at the same time. m. -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:
On the assumption that your certificates are OK... Have you updated the fragment_size so that the outer is larger than the inner? I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC. Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer TLS tunnel is established:
On the assumption that your certificates are OK...
Have you updated the fragment_size so that the outer is larger than the inner?
I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC.
And that solved the problem:-) I had the fragment size the same in both configs, now it's working just like the EAP-TTLS/EAP-TLS. Thank you so much. Martin
participants (3)
-
Martin Kraus -
Matthew Newton -
Phil Mayers