TTLS and PAP
martin.p.bradley at bt.com
Wed Jul 20 10:20:37 CEST 2005
Folks,
I'm repeating this message in case people thought it was not the
original. I had the Fw: on the front of the subject.
I'm trying to get TTLS/PAP working using freeradius 1.0.4. I must have
it configured incorrectly because it's giving a Segmentation fault just
before giving the Access-Accept & EAP-Success back to the switch. I
have searched the archives for a solution but not found help to sort my
problem out.
I have played around with the configuration but don't fully understand
what I'm doing. Could someone point me to a place where I can read and
understand how the authenticate and authorize sections work? The
explanations in the radiusd.conf file don't seem to click with me.
What I don't understand is why the modcall[authorize] appears often in request
processing before modcall[authenticate]. I thought the order was to
authenticate a user and then once we are sure they are who they say they
are then we authorise them to use the network.
Thanks for any help,
Martin.
radiusd.conf ................
authenticate {
        Auth-Type PAP {
                pap
        }
        eap
}
authorize {
        preprocess
        eap
        files
}
Users file......................
"Client certificate" Auth-Type := Local, User-Password == "bradley"
        Service-Type = Framed-User,
        Framed-Compression = Van-Jacobsen-TCP-IP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 3
modcall[authorize]: module "preprocess" returns ok for request 3
users: Matched entry DEFAULT at line 162
modcall[authorize]: module "files" returns ok for request 3
rlm_eap: EAP packet type response id 34 length 200
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 3
modcall: group authorize returns updated for request 3
rad_check_password: Found Auth-Type System
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'anonymous'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 3
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
rlm_eap_tls: Length Included
eaptls_verify returned 11
TLS_accept: SSLv3 read client key exchange A
TLS_accept: SSLv3 read finished A
TLS_accept: SSLv3 write change cipher spec A
TLS_accept: SSLv3 write finished A
TLS_accept: SSLv3 flush data
(other): SSL negotiation finished successfully
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 34 to 10.230.199.248:1126
EAP-Message =
0x0123003d15800000003314030100010116030100288b7a33f454f760f4cddff2f95941
b215a6f3d73b5e422d1744b2201bee31448f10dc78f33f354476
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x49b28c5e2307f384db00487f11336474
Going to the next request
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 10.230.199.248:1126, id=35,
length=248
User-Name = "anonymous"
NAS-IP-Address = 10.230.199.248
NAS-Port = 2
State = 0x49b28c5e2307f384db00487f11336474
Calling-Station-Id = "00:06:5b:d6:ff:24"
NAS-Identifier = "radius-netgear"
NAS-Port-Type = Ethernet
EAP-Message =
0x02230078150017030100189e2c7d7fea093fe36d2ad301f92cc2ef4cba50563b00a0a8
1703010050b5955c43a5cd51375cebde00ed386a2f4273385aa3f6b0b2c6f7e15b73a75e
e8f64e15abdca0a875fd3408d3ce811a76580cee45fc540215f84bcc2f99a95cc5199a36
da952c0a76243f7f7645f4327b
Message-Authenticator = 0x3ddd5d8d65f10f4a26c7db7ab52a96db
X-Ascend-Token-Idle = 1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
users: Matched entry DEFAULT at line 162
modcall[authorize]: module "files" returns ok for request 4
rlm_eap: EAP packet type response id 35 length 120
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type System
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'anonymous'
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled
attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
users: Matched entry Client certificate at line 90
modcall[authorize]: module "files" returns ok for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
modcall: group authorize returns ok for request 4
auth: type Local
auth: user supplied User-Password matches local User-Password
TTLS: Got tunneled Access-Accept
Segmentation fault
[root at mars raddb]#
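An added example, not part of the original post and not FreeRADIUS code: a small Python parser for debug output in the format quoted above. It groups module results by request and by outer/tunneled pass, and records the duplicate Auth-Type warning and the last line logged before the crash. The sample input is an excerpt of the post's own log; the function name, the "outer"/"tunneled" labels and the event names are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the debug output quoted in the post (request 4), embedded so this runs offline.
SAMPLE = """\
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "files" returns ok for request 4
modcall[authorize]: module "eap" returns updated for request 4
rad_check_password: Found Auth-Type System
rad_check_password: Found Auth-Type EAP
Warning: Found 2 auth-types on request for user 'anonymous'
auth: type "EAP"
rlm_eap_ttls: Session established. Proceeding to decode tunneled
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "files" returns ok for request 4
modcall[authorize]: module "eap" returns noop for request 4
auth: type Local
TTLS: Got tunneled Access-Accept
Segmentation fault
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+) for request (\d+)')
MULTI = re.compile(r"Warning: Found (\d+) auth-types on request for user '([^']*)'")
AUTHTYPE = re.compile(r'auth: type "?([\w-]+)"?$')

def analyze(log_text):
    """Group module results by (request, pass) and collect notable events."""
    calls = defaultdict(list)   # (request id, "outer"/"tunneled") -> [(section, module, rcode)]
    events = []
    phase, prev = "outer", None
    for line in filter(None, map(str.strip, log_text.splitlines())):
        if line.startswith("rad_recv:"):            # new packet: back to the outer pass
            phase = "outer"
        elif "Proceeding to decode tunneled" in line:
            phase = "tunneled"                      # what follows handles the inner request
        elif m := MODCALL.search(line):
            section, module, rcode, req = m.groups()
            calls[(int(req), phase)].append((section, module, rcode))
        elif m := MULTI.search(line):
            events.append(("multiple-auth-types", int(m.group(1)), m.group(2)))
        elif m := AUTHTYPE.match(line):
            events.append(("auth-type", phase, m.group(1)))
        elif line == "Segmentation fault":
            events.append(("crash-after", prev))    # last line logged before the crash
        prev = line
    return dict(calls), events

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

On the excerpt, the authorize modules appear twice for request 4, once for the outer EAP packet and once for the tunneled request, with Auth-Type EAP selected on the first pass and Local on the second.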