TLS in place of TTLS : help for debugging

David ROUMANET david.roumanet at grenet.fr
Wed Jun 1 14:58:35 CEST 2005


Hi everybody,

As is frequent here, another EAP-TTLS problem ;)
I use WinXP + SecureW2 + Cisco AP1100 + freeRADIUS 1.0.1 & 1.0.2.
freeradius sees a TLS packet, but it's EAP-TTLS (with PAP), so authentication 
doesn't work. Of course eap is set in radiusd.conf (authentication and 
authorization sections).

My eap.conf is here:
        eap {
                default_eap_type = ttls
                timer_expire     = 60
                ignore_unknown_eap_types = no
                cisco_accounting_username_bug = no

                # Supported EAP-types
                md5 {
                }
                # EAP-TLS
                tls {
                #       default_eap_type = ttls
                        private_key_password = astronomie
                        private_key_file = ${raddbdir}/certs/vega.maquette.grenet.fr.pem
                        certificate_file = ${raddbdir}/certs/vega.maquette.grenet.fr.pem
                        CA_file = ${raddbdir}/certs/root.pem
                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
                        fragment_size = 1024
                        include_length = yes
                #       check_crl = yes
                #       check_cert_cn = %{User-Name}
                }
                ttls {
                        default_eap_type = md5
                        copy_request_to_tunnel = yes
                        use_tunneled_reply = yes
                }
                #peap {
                        #  default_eap_type = mschapv2
                #}
                #mschapv2 {
                #}
        }


When I launch radiusd -X, this is what it says:
...
Module: Loaded eap
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/etc/raddb/certs/vega.maquette.grenet.fr.pem"
 tls: certificate_file = "/etc/raddb/certs/vega.maquette.grenet.fr.pem"
 tls: CA_file = "/etc/raddb/certs/root.pem"
 tls: private_key_password = "astronomie"
 tls: dh_file = "/etc/raddb/certs/dh"
 tls: random_file = "/etc/raddb/certs/random"
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
 ttls: default_eap_type = "md5"
 ttls: copy_request_to_tunnel = yes
 ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
...

When I try to authenticate, the output is below...
rad_recv: Access-Request packet from host 10.1.1.2:21672, id=106, length=132
        User-Name = "david"
        Framed-MTU = 1400
        Called-Station-Id = "000e.8440.bbb0"
        Calling-Station-Id = "000d.54aa.a39c"
        Service-Type = Login-User
        Message-Authenticator = 0x150c704b98ad730ead5764e4be788835
        EAP-Message = 0x0202000a016461766964
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 7080
        NAS-IP-Address = 10.1.1.2
        NAS-Identifier = "ap-maquette"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
    rlm_realm: No '@' in User-Name = "david", looking up realm NULL
    rlm_realm: Found realm "NULL"
    rlm_realm: Adding Stripped-User-Name = "david"
    rlm_realm: Proxying request from user david to realm NULL
    rlm_realm: Adding Realm = "NULL"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 2
  rlm_eap: EAP packet type response id 2 length 10
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    users: Matched david at 19
  modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: EAP Identity
  rlm_eap: processing type tls               <========= why ? it should be TTLS !!!
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 106 to 10.1.1.2:21672
        Service-Type = Framed-User
        Framed-MTU = 1500
        Tunnel-Type:0 := VLAN
        Tunnel-Medium-Type:0 := IEEE-802
        Tunnel-Private-Group-Id:0 := "402"
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xdcb2b96e379c8bc2dcb4b5b405a23cab
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
...
(it falls into timeout and the process repeats again and again)

Can someone help me? How can I debug more? Thanks.
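When reading a radiusd -X trace like the one above, the EAP-Message values tell you which EAP method each side is actually using, independently of what the module log lines say. The decoder below is an added example (not part of the original post or of FreeRADIUS); it parses the RFC 3748 EAP header and, for the TLS-based methods, the flags byte, using the two EAP-Message values from this trace as embedded sample input.

```python
import struct

# EAP codes (RFC 3748) and the method types relevant to this thread
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = {13, 21, 25}  # methods whose first payload byte is a flags byte

# Sample input taken from the debug trace in this post
IDENTITY_RESPONSE = "0x0202000a016461766964"   # client -> server
SERVER_CHALLENGE = "0x010300061520"            # server -> client


def decode_eap_message(hex_value: str) -> dict:
    """Decode a RADIUS EAP-Message attribute value as printed by radiusd -X."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, f"unknown({code})"),
            "id": ident, "length": length}
    if code not in (1, 2):        # Success/Failure carry no Type byte
        return info
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type = raw[4]
    payload = raw[5:]
    info["type"] = eap_type
    info["type_name"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    if eap_type == 1:
        info["identity"] = payload.decode("utf-8", "replace")
    elif eap_type in TLS_BASED and payload:
        flags = payload[0]        # L M S R R V V V (RFC 5216 / RFC 5281)
        info["flags"] = {"length_included": bool(flags & 0x80),
                         "more_fragments": bool(flags & 0x40),
                         "start": bool(flags & 0x20)}
        if eap_type in (21, 25):  # TTLS and PEAP carry a version in the low bits
            info["version"] = flags & 0x07
    return info


if __name__ == "__main__":
    for value in (IDENTITY_RESPONSE, SERVER_CHALLENGE):
        print(value, "->", decode_eap_message(value))
```

For the trace above, the Access-Challenge carries EAP type 21 with the Start flag set, which is what to compare against the method the supplicant is configured for.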

