help for using eap and TTLS
Maurice.Bourguel
bourguel at cirm.univ-mrs.fr
Wed Jun 1 17:19:52 CEST 2005
Hi,
Thanks to David for your answer. Changing tls to ttls in the eap module
doesn't change the rlm_eap message:
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned
If I change tls to ttls in the tls module, Mac OS X asks me to accept the
certificate and I get "client connected via TTLS" in the 802.1X logging
window. But I don't get connected to my network. I don't understand what is happening now.
If I configure the en1 interface by hand (ifconfig en1 .., route add default .)
I can connect.
Does anyone know of this problem?
regards
Maurice
----------------------
The used eap.conf file:
-----------------------
eap {
# MB tls default_eap_type = md5
default_eap_type = tls
timer_expire = 60
# MB yes ignore_unknown_eap_types = no
ignore_unknown_eap_types = yes
cisco_accounting_username_bug = no
#MD5#
md5 {
}
# Cisco LEAP
leap {
}
gtc {
auth_type = PAP
}
## EAP-TLS
# uncommented by MB
tls {
# changed tls to ttls to get freeradius to work
default_eap_type = ttls
# CA_path=${raddbdir}/certs
private_key_password = whatever
private_key_file=${raddbdir}/certs/euler.univ-mrs.fr.pem
# If Private key & Certificate are located in
# the same file, then private_key_file &
# certificate_file must contain the same file
# name.
certificate_file=${raddbdir}/certs/euler.univ-mrs.fr.pem
# Trusted Root CA list
CA_file = ${raddbdir}/certs/root.pem
# CA_file = ${raddbdir}/certs/demoCA/cacert.pem
dh_file = ${raddbdir}/certs/dh
random_file = ${raddbdir}/certs/random
# MB 1750 fragment_size = 1024
fragment_size = 1750
include_length = yes
check_crl = yes
}
ttls {
# default_eap_type = md5
#
# allowed values: {no, yes}
copy_request_to_tunnel = yes # MB yes
# allowed values: {no, yes}
use_tunneled_reply = yes # MB yes
}
The radiusd debugging output
-----------------------------
auth: type "System"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 26
HASH: user mbourguel found in hashtable bucket 32912
modcall[authenticate]: module "unix" returns ok for request 26
modcall: group authenticate returns ok for request 26
Login OK: [mbourguel/XXXXX] (from client localhost port 265 cli 0011.2420.94f9)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 26
radius_xlat: '/var/log/radius/radacct/localhost/reply-detail-20050601'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/localhost/reply-detail-20050601
modcall[post-auth]: module "reply_log" returns ok for request 26
modcall: group post-auth returns ok for request 26
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
modcall[authenticate]: module "eap" returns ok for request 26
modcall: group authenticate returns ok for request 26
Login OK: [mbourguel/<no User-Password attribute>] (from client Radius port 265 cli 0011.2420.94f9)
Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 26
radius_xlat: '/var/log/radius/radacct/Wf-bast5/reply-detail-20050601'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
expands to /var/log/radius/radacct/Wf-bast5/reply-detail-20050601
modcall[post-auth]: module "reply_log" returns ok for request 26
modcall: group post-auth returns ok for request 26
Sending Access-Accept of id 46 to 139.124.3.235:21645
Framed-MTU = 576
Service-Type = Framed-User
Framed-MTU = 576
Service-Type = Framed-User
MS-MPPE-Recv-Key = 0x6eb67fa031a685d0f892bf8c7d9e03a08f177601494b571538707de605d56af4
MS-MPPE-Send-Key = 0x8899e08fbcfb4523c7c0eb7d734df9973e032b78cb594a7c2d405d5bcba45438
EAP-Message = 0x03050004
Message-Authenticator = 0x00000000000000000000000000000000
User-Name = "mbourguel"
Finished request 26
Going to the next request
--- Walking the entire request list ---
Waking up in 2 seconds...
rad_recv: Accounting-Request packet from host 139.124.3.235:21645, id=47, length=210
Acct-Session-Id = "0000000C"
Called-Station-Id = "0012.dacb.b0c0"
Calling-Station-Id = "0011.2420.94f9"
Cisco-AVPair = "ssid=tsunami"
Cisco-AVPair = "nas-location=unspecified"
Cisco-AVPair = "connect-progress=Call Up"
Acct-Authentic = RADIUS
User-Name = "mbourguel"
Acct-Status-Type = Start
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "265"
NAS-Port = 265
Service-Type = Framed-User
NAS-IP-Address = 139.124.3.235
Acct-Delay-Time = 0
Processing the preacct section of radiusd.conf
modcall: entering group preacct for request 27
modcall[preacct]: module "preprocess" returns noop for request 27
rlm_acct_unique: Hashing 'NAS-Port = 265,Client-IP-Address = Wf-bast5,NAS-IP-Address = 139.124.3.235,Acct-Session-Id = "0000000C",User-Name = "mbourguel"'
rlm_acct_unique: Acct-Unique-Session-ID = "5c292ba8903fd30c".
modcall[preacct]: module "acct_unique" returns ok for request 27
rlm_realm: No '@' in User-Name = "mbourguel", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[preacct]: module "suffix" returns noop for request 27
modcall[preacct]: module "files" returns noop for request 27
modcall: group preacct returns ok for request 27
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 27
radius_xlat: '/var/log/radius/radacct/Wf-bast5/detail-20050601'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/radius/radacct/Wf-bast5/detail-20050601
modcall[accounting]: module "detail" returns ok for request 27
radius_xlat: '/var/log/radius/radutmp'
radius_xlat: 'mbourguel'
modcall[accounting]: module "radutmp" returns ok for request 27
modcall: group accounting returns ok for request 27
Sending Accounting-Response of id 47 to 139.124.3.235:21645
Finished request 27
Going to the next request
Waking up in 2 seconds...
--- Walking the entire request list ---
Cleaning up request 22 ID 42 with timestamp 429dc9aa
Cleaning up request 23 ID 43 with timestamp 429dc9aa
Cleaning up request 24 ID 44 with timestamp 429dc9aa
Cleaning up request 25 ID 45 with timestamp 429dc9aa
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 26 ID 46 with timestamp 429dc9ae
Cleaning up request 27 ID 47 with timestamp 429dc9ae
Nothing to do. Sleeping until we see a request.
***********************************************************
* e-mail : bourguel at cirm.univ-mrs.fr *
----------------------------------------------------------
* Maurice Bourguel + *
* CIRM - MENRT-CNRS-SMF + *
* case 916, 163 Avenue de Luminy + tel (33) 04 91 83 30 23*
* 13288 Marseille Cedex 9 + fax (33) 04 91 83 30 05*
***********************************************************
*http://www.cirm.univ-mrs.fr *
***********************************************************
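The line "rlm_eap: processing type tls" is produced by the default_eap_type directive in the top-level eap {} section, which the posted eap.conf still has set to tls. The copy of the directive inside tls {} does not select the outer EAP type (that subsection only carries the certificate and tunnel settings), and the one inside ttls {} selects the EAP type used inside the tunnel. The following eap.conf is an added example, not the poster's file and not the one shipped with FreeRADIUS: it keeps the certificate paths quoted in the post, places default_eap_type where it selects what is offered after EAP-Identity, and uses a placeholder key password. The leap and gtc subsections are omitted because the exchange in the post does not use them.

```text
eap {
	# The type offered right after EAP-Identity. This directive, not the
	# one inside tls {}, is what the "rlm_eap: processing type ..." line reports.
	default_eap_type = ttls
	timer_expire = 60
	ignore_unknown_eap_types = no
	cisco_accounting_username_bug = no

	md5 {
	}

	# EAP-TLS settings. TTLS reuses this server certificate for its outer
	# tunnel, so the section stays configured even if no client uses bare TLS.
	tls {
		private_key_password = CHANGE-ME            # placeholder, not the post's value
		private_key_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
		certificate_file = ${raddbdir}/certs/euler.univ-mrs.fr.pem
		CA_file = ${raddbdir}/certs/root.pem
		dh_file = ${raddbdir}/certs/dh
		random_file = ${raddbdir}/certs/random
		fragment_size = 1024
		include_length = yes
		# check_crl = yes only makes sense with CA_path pointing at a directory
		# that holds the CRLs; with CA_path commented out it is left off here.
		check_crl = no
	}

	ttls {
		# EAP type requested inside the tunnel when the client does EAP there;
		# PAP/CHAP/MS-CHAP inner authentication is handled by the tunneled
		# request itself (the "from client localhost" Login OK in the log).
		default_eap_type = md5
		copy_request_to_tunnel = yes
		use_tunneled_reply = yes
	}
}
```

With the outer type selected in eap {}, a client that only speaks TTLS is offered TTLS first instead of having to NAK the initial TLS proposal.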
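The debug output for request 26 shows two "Login OK" lines: the tunneled inner request (logged from client localhost, with the password present) and the outer request from the access point (no User-Password attribute), followed by an Access-Accept that carries MS-MPPE-Recv-Key, MS-MPPE-Send-Key and EAP-Message = 0x03050004, which is an EAP Success (code 3, identifier 5, length 4). That is a complete TTLS exchange with key material delivered to the NAS, so whatever stops the client from reaching the network happens after RADIUS; the ifconfig/route workaround points at address assignment. As an added example, not part of the post, the script below extracts those facts from radiusd -X output and states what the transcript proves. The sample log lines are constructed to mirror the shape of the quoted output (the "processing type ttls" line is assumed to follow the same format as the "processing type tls" line on the page); the attribute names and EAP header layout are standard.

```python
import re

# EAP header code field (RFC 3748): the first byte of the EAP-Message attribute.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

RE_TYPE = re.compile(r"^rlm_eap: processing type (\S+)")
RE_LOGIN = re.compile(r"^Login OK: \[([^/\]]+)/([^\]]*)\] \(from client (\S+) port (\d+)")
RE_ACCEPT = re.compile(r"^Sending Access-Accept of id (\d+) to (\S+)")
RE_MPPE = re.compile(r"^MS-MPPE-(Recv|Send)-Key\s*=")
RE_EAPMSG = re.compile(r"^EAP-Message\s*=\s*0x([0-9a-fA-F]+)")
RE_TUNNEL = re.compile(r"^TTLS: Got tunneled Access-Accept")


def analyse(log_text):
    """Return what a radiusd -X transcript proves about one EAP login."""
    r = {"types_offered": [], "inner": None, "outer": None,
         "tunneled_accept": False, "access_accept": None,
         "mppe_keys": set(), "eap_codes": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_TYPE.match(line):
            r["types_offered"].append(m.group(1))
        elif m := RE_LOGIN.match(line):
            user, pw, client, port = m.groups()
            who = {"user": user, "client": client, "port": int(port)}
            # The tunneled inner request is logged with a password (masked by
            # the poster) from client "localhost"; the outer request comes from
            # the real NAS and has no User-Password attribute.
            r["outer" if pw.startswith("<no User-Password") else "inner"] = who
        elif RE_TUNNEL.match(line):
            r["tunneled_accept"] = True
        elif m := RE_ACCEPT.match(line):
            r["access_accept"] = {"id": int(m.group(1)), "to": m.group(2)}
        elif m := RE_MPPE.match(line):
            r["mppe_keys"].add(m.group(1))
        elif m := RE_EAPMSG.match(line):
            pkt = bytes.fromhex(m.group(1))
            r["eap_codes"].append(EAP_CODES.get(pkt[0], "code %d" % pkt[0]))
    r["mppe_keys"] = sorted(r["mppe_keys"])
    r["verdict"] = verdict(r)
    return r


def verdict(r):
    offered = ", ".join(r["types_offered"]) or "none"
    if r["access_accept"] is None:
        return "no Access-Accept: the EAP conversation did not finish (types offered: %s)" % offered
    if "Success" not in r["eap_codes"]:
        return "Access-Accept without an EAP Success message"
    if r["mppe_keys"] != ["Recv", "Send"]:
        return ("Access-Accept without MS-MPPE keys: the NAS receives no session key "
                "material, so an 802.1X wireless client cannot pass traffic")
    return ("RADIUS complete: EAP Success and MS-MPPE keys delivered; a client that still "
            "has no connectivity needs DHCP/VLAN/bridging checked on the NAS side, not RADIUS")


# Constructed samples shaped like the post's output (not real captures).
SAMPLE_TLS_ATTEMPT = """\
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned
"""

SAMPLE_TTLS_OK = """\
rlm_eap: EAP Identity
rlm_eap: processing type ttls
Login OK: [mbourguel/XXXXX] (from client localhost port 265 cli 0011.2420.94f9)
TTLS: Got tunneled Access-Accept
rlm_eap: Freeing handler
Login OK: [mbourguel/<no User-Password attribute>] (from client Radius port 265 cli 0011.2420.94f9)
Sending Access-Accept of id 46 to 139.124.3.235:21645
        Framed-MTU = 576
        Service-Type = Framed-User
        MS-MPPE-Recv-Key = 0x6eb67fa031a685d0f892bf8c7d9e03a08f177601494b571538707de605d56af4
        MS-MPPE-Send-Key = 0x8899e08fbcfb4523c7c0eb7d734df9973e032b78cb594a7c2d405d5bcba45438
        EAP-Message = 0x03050004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "mbourguel"
Finished request 26
"""

# Same exchange with the key attributes stripped, the classic "Accept but no network" case.
SAMPLE_NO_KEYS = "\n".join(l for l in SAMPLE_TTLS_OK.splitlines() if "MS-MPPE" not in l)

if __name__ == "__main__":
    for name, sample in [("tls attempt", SAMPLE_TLS_ATTEMPT),
                         ("ttls ok", SAMPLE_TTLS_OK), ("no keys", SAMPLE_NO_KEYS)]:
        print(name, "->", analyse(sample)["verdict"])
```

Run it against a real radiusd -X transcript by reading the file into analyse(); the inner/outer split and the presence of both MS-MPPE keys are the two checks worth doing before looking anywhere other than RADIUS.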