help for using eap and TTLS

Joe Raviele jraviele at gmail.com
Wed Jun 1 18:12:06 CEST 2005


We are doing EAP-TTLS/PAP and have seen this on two different occasions.

We were having this problem with our OSX machines that had upgraded to
Tiger. Something seems to get messed up with the certs during the
upgrade. Once we cleared the CA and server certs, everything worked
fine.

All of our windows machines running the SecureW2 client were initially
having this problem. There is a setting under the advanced config in
the client that says to renew DHCP after connecting. Once we did that
we were fine.

- Joe

On 6/1/05, Maurice.Bourguel <bourguel at cirm.univ-mrs.fr> wrote:
> Hi,
>         Thanks to David for your answer; changing tls to ttls in the eap module
> doesn't change the rlm_eap message:
>   rlm_eap: EAP Identity
>   rlm_eap: processing type tls
>   rlm_eap_tls: Initiate
>   rlm_eap_tls: Start returned
> 
>  If I change tls to ttls in the tls module, Mac OS X asks me to accept the
> certificate and I obtain: client connected via TTLS in the 802.1X logging
> window. But I don't connect to my network. I don't understand what happens now.
>  If I configure the en1 interface by hand (ifconfig en1 .., route add default .)
> I can connect.
>  Does anyone know of this problem?
> 
> regards
> 
> Maurice
> ----------------------
> The used eap.conf file:
> -----------------------
>                 eap {
> # MB tls        default_eap_type = md5
>                 default_eap_type = tls
>                 timer_expire     = 60
> # MB yes        ignore_unknown_eap_types = no
>                 ignore_unknown_eap_types = yes
>                 cisco_accounting_username_bug = no
> #MD5#
>                 md5 {
>                 }
>                 # Cisco LEAP
>                 leap {
>                 }
>                 gtc {
>                         auth_type = PAP
>                 }
>                 ## EAP-TLS
>                # uncommented MB
>                 tls {
> # changing tls to ttls to get freeradius to work
>                       default_eap_type = ttls
> #                     CA_path=${raddbdir}/certs
>                       private_key_password = whatever
>                       private_key_file=${raddbdir}/certs/euler.univ-mrs.fr.pem
>                         #  If Private key & Certificate are located in
>                         #  the same file, then private_key_file &
>                         #  certificate_file must contain the same file
>                         #  name.
>                       certificate_file=${raddbdir}/certs/euler.univ-mrs.fr.pem
>                         #  Trusted Root CA list
>                       CA_file = ${raddbdir}/certs/root.pem
> #                     CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> 
>                       dh_file = ${raddbdir}/certs/dh
>                       random_file = ${raddbdir}/certs/random
> # MB 1750             fragment_size = 1024
>                       fragment_size = 1750
>                       include_length = yes
>                       check_crl = yes
>                 }
> 
>  ttls {
> #                       default_eap_type = md5
>                         #
>                         # allowed values: {no, yes}
>                         copy_request_to_tunnel = yes    # MB yes
>                         # allowed values: {no, yes}
>                         use_tunneled_reply = yes        # MB yes
>         }
> 
> The radiusd debugging output
> -----------------------------
> auth: type "System"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 26
>   HASH:  user mbourguel found in hashtable bucket 32912
>   modcall[authenticate]: module "unix" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/XXXXX] (from client localhost port 265 cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/localhost/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/localhost/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
>   TTLS: Got tunneled Access-Accept
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/<no User-Password attribute>] (from client Radius port 265
> cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/Wf-bast5/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/Wf-bast5/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
> Sending Access-Accept of id 46 to 139.124.3.235:21645
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         Framed-MTU = 576
>         Service-Type = Framed-User
>         MS-MPPE-Recv-Key =
> 0x6eb67fa031a685d0f892bf8c7d9e03a08f177601494b571538707de605d56af4
>         MS-MPPE-Send-Key =
> 0x8899e08fbcfb4523c7c0eb7d734df9973e032b78cb594a7c2d405d5bcba45438
>         EAP-Message = 0x03050004
>         Message-Authenticator = 0x00000000000000000000000000000000
>         User-Name = "mbourguel"
> Finished request 26
> Going to the next request
> --- Walking the entire request list ---
> Waking up in 2 seconds...
> rad_recv: Accounting-Request packet from host 139.124.3.235:21645, id=47,
> length=210
>         Acct-Session-Id = "0000000C"
>         Called-Station-Id = "0012.dacb.b0c0"
>         Calling-Station-Id = "0011.2420.94f9"
>         Cisco-AVPair = "ssid=tsunami"
>         Cisco-AVPair = "nas-location=unspecified"
>         Cisco-AVPair = "connect-progress=Call Up"
>         Acct-Authentic = RADIUS
>         User-Name = "mbourguel"
>         Acct-Status-Type = Start
>         NAS-Port-Type = Wireless-802.11
>         Cisco-NAS-Port = "265"
>         NAS-Port = 265
>         Service-Type = Framed-User
>         NAS-IP-Address = 139.124.3.235
>         Acct-Delay-Time = 0
>   Processing the preacct section of radiusd.conf
> modcall: entering group preacct for request 27
>   modcall[preacct]: module "preprocess" returns noop for request 27
> rlm_acct_unique: Hashing 'NAS-Port = 265,Client-IP-Address =
> Wf-bast5,NAS-IP-Address = 139.124.3.235,Acct-Session-Id = "0000000C",User-Name =
> "mbourguel"'
> rlm_acct_unique: Acct-Unique-Session-ID = "5c292ba8903fd30c".
>   modcall[preacct]: module "acct_unique" returns ok for request 27
>     rlm_realm: No '@' in User-Name = "mbourguel", looking up realm NULL
>     rlm_realm: No such realm "NULL"
>   modcall[preacct]: module "suffix" returns noop for request 27
>   modcall[preacct]: module "files" returns noop for request 27
> modcall: group preacct returns ok for request 27
>   Processing the accounting section of radiusd.conf
> modcall: entering group accounting for request 27
> radius_xlat:  '/var/log/radius/radacct/Wf-bast5/detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
> to /var/log/radius/radacct/Wf-bast5/detail-20050601
>   modcall[accounting]: module "detail" returns ok for request 27
> radius_xlat:  '/var/log/radius/radutmp'
> radius_xlat:  'mbourguel'
>   modcall[accounting]: module "radutmp" returns ok for request 27
> modcall: group accounting returns ok for request 27
> Sending Accounting-Response of id 47 to 139.124.3.235:21645
> Finished request 27
> Going to the next request
> Waking up in 2 seconds...
> --- Walking the entire request list ---
> Cleaning up request 22 ID 42 with timestamp 429dc9aa
> Cleaning up request 23 ID 43 with timestamp 429dc9aa
> Cleaning up request 24 ID 44 with timestamp 429dc9aa
> Cleaning up request 25 ID 45 with timestamp 429dc9aa
> Waking up in 4 seconds...
> --- Walking the entire request list ---
> Cleaning up request 26 ID 46 with timestamp 429dc9ae
> Cleaning up request 27 ID 47 with timestamp 429dc9ae
> Nothing to do.  Sleeping until we see a request.
>  Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 26
>   HASH:  user mbourguel found in hashtable bucket 32912
>   modcall[authenticate]: module "unix" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/XXXXXX] (from client localhost port 265 cli 0011.2420.94f9)
>   Processing the post-auth section of radiusd.conf
> modcall: entering group post-auth for request 26
> radius_xlat:  '/var/log/radius/radacct/localhost/reply-detail-20050601'
> rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d
> expands to /var/log/radius/radacct/localhost/reply-detail-20050601
>   modcall[post-auth]: module "reply_log" returns ok for request 26
> modcall: group post-auth returns ok for request 26
>   TTLS: Got tunneled Access-Accept
>   rlm_eap: Freeing handler
>   modcall[authenticate]: module "eap" returns ok for request 26
> modcall: group authenticate returns ok for request 26
> Login OK: [mbourguel/<no User-Password attribute>] (from client Radius port 265
> cli 0011.2420.94f9)
> 
> ***********************************************************
> * e-mail : bourguel at cirm.univ-mrs.fr                      *
> ----------------------------------------------------------
> * Maurice Bourguel               +                        *
> * CIRM - MENRT-CNRS-SMF          +                        *
> * case 916, 163 Avenue de Luminy + tel (33) 04 91 83 30 23*
> * 13288 Marseille Cedex 9        + fax (33) 04 91 83 30 05*
> ***********************************************************
> *http://www.cirm.univ-mrs.fr                              *
> ***********************************************************
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
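The debug output above shows the RADIUS side finishing cleanly (tunneled Access-Accept, outer Login OK, Access-Accept carrying both MS-MPPE keys), which is what points the search toward the client (certs, DHCP) rather than the server. The following added example, not from the thread or from FreeRADIUS, is a small triage script that reads radiusd -X output and reports which of those milestones were reached; the sample lines are copied from the quoted log and the milestone strings are the ones visible in it.

```python
import re

# Constructed sample: lines copied from the radiusd debug output quoted above.
SAMPLE_LOG = """\
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  TTLS: Got tunneled Access-Accept
  modcall[authenticate]: module "eap" returns ok for request 26
Login OK: [mbourguel/<no User-Password attribute>] (from client Radius port 265
cli 0011.2420.94f9)
Sending Access-Accept of id 46 to 139.124.3.235:21645
        Framed-MTU = 576
        MS-MPPE-Recv-Key =
0x6eb67fa031a685d0f892bf8c7d9e03a08f177601494b571538707de605d56af4
        MS-MPPE-Send-Key =
0x8899e08fbcfb4523c7c0eb7d734df9973e032b78cb594a7c2d405d5bcba45438
        EAP-Message = 0x03050004
Finished request 26
"""


def triage_eap_log(text):
    """Summarise the EAP milestones found in one radiusd -X authentication."""
    summary = {"eap_types": [], "tunneled_accept": False, "login_ok": [],
               "access_accept": None, "mppe_keys": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"rlm_eap: processing type (\S+)", line)
        if m:                                   # outer EAP method negotiated
            summary["eap_types"].append(m.group(1))
            continue
        if line.startswith("TTLS: Got tunneled Access-Accept"):
            summary["tunneled_accept"] = True   # inner (PAP) auth succeeded
            continue
        m = re.match(r"Login OK: \[([^/\]]+)/", line)
        if m:                                   # appears once per inner/outer
            summary["login_ok"].append(m.group(1))
            continue
        m = re.match(r"Sending Access-Accept of id (\d+) to (\S+)", line)
        if m:
            summary["access_accept"] = {"id": int(m.group(1)), "nas": m.group(2)}
            continue
        m = re.match(r"(MS-MPPE-(?:Recv|Send)-Key) =", line)
        if m:                                   # value sits on the next line
            summary["mppe_keys"].add(m.group(1))
    return summary


def diagnose(summary):
    """Say where to look next, based only on what the server logged."""
    if summary["access_accept"] is None:
        return "authentication did not complete on the RADIUS side"
    if summary["mppe_keys"] != {"MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"}:
        return "Access-Accept sent without both MPPE keys: 802.11 keying will fail"
    return "RADIUS auth and keying succeeded; look at the client side (certs, DHCP)"
```

A missing Access-Accept means the tunnel or inner auth failed and eap.conf is the place to look; an Accept without both MPPE keys means the client will never derive WPA keys even though "Login OK" was logged.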




More information about the Freeradius-Users mailing list