help for using eap and TTLS

Maurice.Bourguel bourguel at cirm.univ-mrs.fr
Wed Jun 1 17:19:52 CEST 2005


Hi,
	Thanks to David for your answer. Changing tls to ttls in the eap module
doesn't change the rlm_eap message:
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned  

 If I change tls to ttls in the tls module, Mac OS X asks to accept the
certificate and I get "client connected via TTLS" in the 802.1X logging
window. But I don't connect to my network. I don't understand what happens now.
 If I configure the en1 interface by hand (ifconfig en1 ..., route add default ...)
I can connect.
 Does anyone know of this problem?

regards 

Maurice
----------------------
The eap.conf file used:
-----------------------
        eap {
# MB tls        default_eap_type = md5
                default_eap_type = tls
                timer_expire     = 60
# MB yes        ignore_unknown_eap_types = no
                ignore_unknown_eap_types = yes
                cisco_accounting_username_bug = no
                #MD5#
                md5 {
                }
                # Cisco LEAP
                leap {
                }
                gtc {
                        auth_type = PAP
                }
                ## EAP-TLS
                # uncommented by MB
                tls {
# changing tls to ttls to get freeradius to work
                        default_eap_type = ttls
#                       CA_path = ${raddbdir}/certs
                        private_key_password = whatever
                        private_key_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
                        #  If Private key & Certificate are located in
                        #  the same file, then private_key_file &
                        #  certificate_file must contain the same file
                        #  name.
                        certificate_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
                        #  Trusted Root CA list
                        CA_file = ${raddbdir}/certs/root.pem
#                       CA_file = ${raddbdir}/certs/demoCA/cacert.pem

                        dh_file = ${raddbdir}/certs/dh
                        random_file = ${raddbdir}/certs/random
# MB 1750               fragment_size = 1024
                        fragment_size = 1750
                        include_length = yes
                        check_crl = yes
                }

                ttls {
#                       default_eap_type = md5
                        #
                        # allowed values: {no, yes}
                        copy_request_to_tunnel = yes    # MB yes
                        # allowed values: {no, yes}
                        use_tunneled_reply = yes        # MB yes
                }
        }

The radiusd debugging output
-----------------------------
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 26
  HASH:  user mbourguel found in hashtable bucket 32912
  modcall[authenticate]: module "unix" returns ok for request 26
modcall: group authenticate returns ok for request 26
Login OK: [mbourguel/XXXXX] (from client localhost port 265 cli 0011.2420.94f9)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 26
radius_xlat:  '/var/log/radius/radacct/localhost/reply-detail-20050601'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/localhost/reply-detail-20050601
  modcall[post-auth]: module "reply_log" returns ok for request 26
modcall: group post-auth returns ok for request 26
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 26
modcall: group authenticate returns ok for request 26
Login OK: [mbourguel/<no User-Password attribute>] (from client Radius port 265 cli 0011.2420.94f9)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 26
radius_xlat:  '/var/log/radius/radacct/Wf-bast5/reply-detail-20050601'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct/Wf-bast5/reply-detail-20050601
  modcall[post-auth]: module "reply_log" returns ok for request 26
modcall: group post-auth returns ok for request 26
Sending Access-Accept of id 46 to 139.124.3.235:21645
        Framed-MTU = 576
        Service-Type = Framed-User
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-MPPE-Recv-Key = 0x6eb67fa031a685d0f892bf8c7d9e03a08f177601494b571538707de605d56af4
        MS-MPPE-Send-Key = 0x8899e08fbcfb4523c7c0eb7d734df9973e032b78cb594a7c2d405d5bcba45438
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "mbourguel"
Finished request 26
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 139.124.3.235:21645, id=47, length=210
        Acct-Session-Id = "0000000C"
        Called-Station-Id = "0012.dacb.b0c0"
        Calling-Station-Id = "0011.2420.94f9"
        Cisco-AVPair = "ssid=tsunami"
        Cisco-AVPair = "nas-location=unspecified"
        Cisco-AVPair = "connect-progress=Call Up"
        Acct-Authentic = RADIUS
        User-Name = "mbourguel"
        Acct-Status-Type = Start
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "265"
        NAS-Port = 265
        Service-Type = Framed-User
        NAS-IP-Address = 139.124.3.235
        Acct-Delay-Time = 0
  Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 27
  modcall[preacct]: module "preprocess" returns noop for request 27
rlm_acct_unique: Hashing 'NAS-Port = 265,Client-IP-Address = Wf-bast5,NAS-IP-Address = 139.124.3.235,Acct-Session-Id = "0000000C",User-Name = "mbourguel"'
rlm_acct_unique: Acct-Unique-Session-ID = "5c292ba8903fd30c".
  modcall[preacct]: module "acct_unique" returns ok for request 27
    rlm_realm: No '@' in User-Name = "mbourguel", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[preacct]: module "suffix" returns noop for request 27
  modcall[preacct]: module "files" returns noop for request 27
modcall: group preacct returns ok for request 27
  Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 27
radius_xlat:  '/var/log/radius/radacct/Wf-bast5/detail-20050601'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/Wf-bast5/detail-20050601
  modcall[accounting]: module "detail" returns ok for request 27
radius_xlat:  '/var/log/radius/radutmp'
radius_xlat:  'mbourguel'
  modcall[accounting]: module "radutmp" returns ok for request 27
modcall: group accounting returns ok for request 27
Sending Accounting-Response of id 47 to 139.124.3.235:21645
Finished request 27
Going to the next request
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 22 ID 42 with timestamp 429dc9aa
Cleaning up request 23 ID 43 with timestamp 429dc9aa
Cleaning up request 24 ID 44 with timestamp 429dc9aa
Cleaning up request 25 ID 45 with timestamp 429dc9aa
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 26 ID 46 with timestamp 429dc9ae
Cleaning up request 27 ID 47 with timestamp 429dc9ae
Nothing to do.  Sleeping until we see a request.
***********************************************************
* e-mail : bourguel at cirm.univ-mrs.fr                      *
----------------------------------------------------------
* Maurice Bourguel               +                        *
* CIRM - MENRT-CNRS-SMF          +                        *
* case 916, 163 Avenue de Luminy + tel (33) 04 91 83 30 23*
* 13288 Marseille Cedex 9        + fax (33) 04 91 83 30 05*
***********************************************************
*http://www.cirm.univ-mrs.fr                              *
***********************************************************
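Editor's note: the fragment below is a reworked version of the eap.conf posted above, added here for readers and not part of Maurice's message or of the FreeRADIUS distribution. It assumes FreeRADIUS 1.x (the version whose "modcall:" debug output appears in the post), keeps the certificate paths from the post, and uses a placeholder for the private-key passphrase. The point it makes: the outer method offered after EAP-Identity is chosen by default_eap_type in the eap { } block itself, not inside tls { } (rlm_eap_tls has no such setting), while default_eap_type inside ttls { } only selects the inner EAP method.

```conf
eap {
        # Offered to the supplicant right after EAP-Identity. This is the
        # only place where "ttls" selects the outer method; the tls { }
        # sub-section does not have a default_eap_type setting.
        default_eap_type = ttls
        timer_expire     = 60
        # Reject, rather than silently accept, EAP types not configured here.
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no

        md5 {
        }
        gtc {
                auth_type = PAP
        }

        # TLS settings shared by EAP-TLS and by the TTLS outer tunnel.
        tls {
                # "whatever" is the passphrase of the demo certificates that
                # ship with the server. Set the real one for your own key.
                private_key_password = REPLACE-WITH-KEY-PASSPHRASE   # assumed placeholder
                private_key_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
                certificate_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
                # Trusted root CA list, the chain that signed the server cert.
                CA_file = ${raddbdir}/certs/root.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                # 1024 keeps each RADIUS/UDP packet below a 1500-byte Ethernet
                # MTU; 1750 forces IP fragmentation between NAS and server.
                fragment_size = 1024
                include_length = yes
                # check_crl only applies to client certificates (EAP-TLS) and
                # needs CA_path to point at a directory that holds the CRLs.
                # With TTLS the client presents no certificate, so leave it off.
                check_crl = no
        #       CA_path = ${raddbdir}/certs
        }

        ttls {
                # Inner EAP method offered when the supplicant tunnels EAP.
                # A supplicant that tunnels plain PAP (as the log above shows:
                # the inner request arrives from "localhost" with a
                # User-Password) never uses this setting.
                default_eap_type = md5
                # Copy the outer request attributes into the inner one and
                # copy the inner reply back to the outer Access-Accept, which
                # is what makes the MS-MPPE keys reach the NAS.
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}
```

After editing, restart or HUP radiusd and run it with -X: the first lines after "rlm_eap: EAP Identity" should read "rlm_eap: processing type ttls" and "rlm_eap_ttls: Initiate" rather than the "processing type tls" seen in the post, and the final Access-Accept should still carry one copy of each reply attribute plus the MS-MPPE-Recv-Key and MS-MPPE-Send-Key that the access point needs to finish the 802.1X key exchange.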