I have been struggling to get the EAP-TTLS to work.
Hello all, I have been struggling to get the EAP-TTLS to work. I have been following this guide: <http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html> http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html And i think the setup of all things has gone fine (biggest problem i had was creating the certifcates). I have tested the connection with "raddtest" and the tool "NTRadPing" and everything seems ok. However when i try to connect from my Linux machine using WPA supplicant, the following errors appear in the Radius server console: ............................................................................ ....... Going to the next request Waking up in 4.9 seconds. User-Name = "johan@mediavisiongroup.se" NAS-IP-Address = 192.168.1.144 Called-Station-Id = "00-20-a6-64-c3-b1:MVG-Personal" Calling-Station-Id = "00-0f-cb-f9-3b-f9;MVG-Personal" NAS-Identifier = "MVG-1" State = 0xdea187e5dea3836d25979821eb25f055 Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x020200060315 Message-Authenticator = 0x80154e870b93b69627ead5a0eee17643 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: Looking up realm "mediavisiongroup.se" for User-Name = "johan@med iavisiongroup.se" rlm_realm: No such realm "mediavisiongroup.se" ++[suffix] returns noop rlm_eap: EAP packet type response id 2 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[unix] returns notfound ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/ttls rlm_eap: processing type tls rlm_eap_tls: Initiate rlm_eap_tls: Start returned 1 ++[eap] returns handled EAP-Message = 0x010300061520 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdea187e5dfa2926d25979821eb25f055 Finished request 1. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 48 with timestamp +3 Cleaning up request 1 ID 49 with timestamp +3 Ready to process requests. ............................................................................ ....... The connection conf from the Linux box is (/etc/wpa_supplicant.conf): network={ ssid="MVG-Personal" scan_ssid=1 key_mgmt=WPA-EAP eap=TTLS identity="johan@mediavisiongroup.se" anonymous_identity="anonymous@example.com" password="foobar" ca_cert="/etc/cert/ca.pem" phase2="auth=MD5" } - I am guessing that the /etc/cert/ca.pem is the "client certification" i created from the freeradius. - User and password above (in the file /etc/wpa_supplicant.conf) do exist and is correct. They match the user and password in the file on the freeradius "/usr/local/etc/raddb/users". ............................................................................ ....... Also so i understand this, three certficates are needed for EAP-TTLS ? CA= root certifcate stored on the freeradius machine Server = certifcate also stored on the freeradius machine Client = certifcate copied to the client trying to connect And on the client the path in the "wpa_supplicant.conf" to the client certificate is correct. In short: the client seem to connect to the freeradius, but i am getting no IP to the client. ............................................................................ ....... Thanks very much for help! Best regards, Johan
Also so i understand this, three certficates are needed for EAP-TTLS ?
CA= root certifcate stored on the freeradius machine
Server = certifcate also stored on the freeradius machine
Client = certifcate copied to the client trying to connect
You need to copy the CA certificate to the client. You don't need client certificate as well for TTLS, only TLS. Ivan Kalik Kalik Informatika ISP
Johan Nyman wrote:
I have been struggling to get the EAP-TTLS to work.
Why? In 2.0 you install it, add a user as suggested in the FAQ, and start it in debug mode. If the client doesn't check the server cert, TTLS will work.
I have been following this guide: http://rbirri.9online.fr/howto/Freeradius_+_TTLS.html
That's the problem. Can you explain why you're following a guide that's over FOUR YEARS out of date? Why haven't you followed the instructions and documentation that came with the server?
And i think the setup of all things has gone fine (biggest problem i had was creating the certifcates).
Uh... in 2.0, it's easy: start the server. Or, read the documentation in raddb/certs/README.
- I am guessing that the /etc/cert/ca.pem is the "client certification" i created from the freeradius.
Don't guess. Read the existing documentation. And you don't need client certs for TTLS. Alan DeKok.
participants (3)
-
Alan DeKok -
Ivan Kalik -
Johan Nyman