eap-ttls pap proxy problem

Tim Tyler tyler at beloit.edu
Wed Jul 13 21:05:33 CEST 2005


  Alan, others,

Ok, we are trying to get wireless clients configured for
802.1x authentication by using wpa configured with pap
authentication.  This works fine on the Freeradius server if
we authenticate against system.  However, when we try to
proxy to other non eap supported radius servers, it fails
and we have tried a lot of permutations.  We know that proxy
works if we simply use NTradPing test utility.  However, our
XP clients using SecureW2 or Mac OS X ver3 simply won't work.
 Below are our critical configuration lines as well as
output from Debug.  If anyone might tell us what we might be
doing wrong, we would very much appreciate it!

users:
DEFAULT Auth-Type := PAP, Proxy-To-Realm = stu
        Fall-Through = 1

proxy.conf:
realm stu {
        type            = radius
        authhost        = stu.beloit.edu:1645
        accthost        = stu.beloit.edu:1646
        secret          = testpass
}

eap.conf:
eap {
	default_eap_type = ttls
	ignore_unknown_eap_types = yes
}

tls {
	private_key_password = tempprivate
	private_key_file = ${raddbdir}/certs/server_keycert.pem

	certificate_file = ${raddbdir}/certs/server_keycert.pem

	CA_file = ${raddbdir}/certs/cacert.pem

	dh_file = ${raddbdir}/certs/dh
	random_file = ${raddbdir}/certs/random
}

ttls {
#       default_eap_type = md5
#	copy_request_to_tunnel = yes
#	use_tunneled_reply = yes
}

Debug:
rad_recv: Access-Request packet from host 144.89.40.251:1451, id=254, length=144
        NAS-IP-Address = 144.89.40.251
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2
        Framed-MTU = 1400
        User-Name = "leadacid at stu"
        Calling-Station-Id = "00119551d683"
        Called-Station-Id = "0001e6ffc493"
        NAS-Identifier = "ISR Test -don't use"
        EAP-Message = 0x020b0011016c6561646163696440737475
        Message-Authenticator = 0x3a44d6f0ad7b1f8b6b550b65142e2b60
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  modcall[authorize]: module "chap" returns noop for request 5
  modcall[authorize]: module "mschap" returns noop for request 5
    rlm_realm: Looking up realm "stu" for User-Name = "leadacid at stu"
    rlm_realm: Found realm "stu"
    rlm_realm: Adding Stripped-User-Name = "leadacid"
    rlm_realm: Proxying request from user leadacid to realm stu
    rlm_realm: Adding Realm = "stu"
    rlm_realm: Preparing to proxy authentication request to realm "stu"
  modcall[authorize]: module "suffix" returns updated for request 5
  rlm_eap: Request is supposed to be proxied to Realm stu. Not doing EAP.
  modcall[authorize]: module "eap" returns noop for request 5
  modcall[authorize]: module "files" returns notfound for request 5
modcall: group authorize returns updated for request 5
Sending Access-Request of id 0 to 144.89.40.6:1645
        NAS-IP-Address = 144.89.40.251
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 2
        Framed-MTU = 1400
        User-Name = "leadacid"
        Calling-Station-Id = "00119551d683"
        Called-Station-Id = "0001e6ffc493"
        NAS-Identifier = "ISR Test -don't use"
        EAP-Message = 0x020b0011016c6561646163696440737475
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x323534
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Reject packet from host 144.89.40.6:1645, id=0, length=25
        Proxy-State = 0x323534
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 5
  modcall[post-proxy]: module "eap" returns noop for request 5
modcall: group post-proxy returns noop for request 5
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 144.89.40.251:1451, id=254, length=144
Sending Access-Reject of id 254 to 144.89.40.251:1451

Tim Tyler
Network Engineer
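
An added example, not part of the original post: decoding the EAP-Message value from the debug output above shows which authentication method the proxied Access-Request carries. The function names are this example's own; the header layout and the code/type numbers are those of RFC 3748.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_eap(hex_value):
    """Decode one EAP packet (RFC 3748 header) from a debug-log hex string."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    # A packet split over several EAP-Message attributes must be joined first.
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident,
           "length": length, "type": None, "data": b""}
    if code in (1, 2) and length >= 5:  # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], str(raw[4]))
        pkt["data"] = raw[5:length]
    return pkt

def describe_request(attrs):
    """Name the authentication method present in an Access-Request."""
    if "EAP-Message" in attrs:
        eap = parse_eap(attrs["EAP-Message"])
        return "EAP %s/%s" % (eap["code"], eap["type"])
    if "User-Password" in attrs:
        return "PAP"
    if "CHAP-Password" in attrs:
        return "CHAP"
    return "no credentials"

# Authentication-relevant attributes of the proxied Access-Request,
# copied from the debug output above.
PROXIED = {
    "User-Name": "leadacid",
    "EAP-Message": "0x020b0011016c6561646163696440737475",
    "Proxy-State": "0x323534",
}

if __name__ == "__main__":
    print(describe_request(PROXIED))
    # The identity bytes contain "@"; the list archive renders it as " at ".
    print(parse_eap(PROXIED["EAP-Message"])["data"])
```

The packet sent to 144.89.40.6 holds an EAP-Response/Identity and no User-Password attribute. With EAP-TTLS the PAP credentials travel only inside the TLS tunnel, which has not been established at this point in the exchange.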


