help with config files for wireless EAP-TTLS

Michael Wang mwang25 at gmail.com
Mon Oct 31 20:50:44 CET 2005


Hi,

I am trying to set up my FreeRadius 1.0.4 to do wireless EAP-TTLS. I got it
working for EAP-TLS and EAP-PEAP, so I know my config is basically correct.
The problem I am having is that I would like to use the same userid for the
"outer" and "inner" EAP identity string. So in my users file, I have a line
that looks like:

"qa" Auth-Type := EAP, User-Password == "qa"

Now when my client tries to authenticate, the TLS tunnel is set up OK, but
when we get to the inner MSCHAP protocol, FreeRadius still thinks we are
doing EAP and rejects the authentication attempt. Here is a snippet from the
output of radiusd -A -X

(other): SSL negotiation finished successfully <--- (so far so good)
SSL Connection Established
eaptls_process returned 13
modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 3 to 10.222.0.18:1025
EAP-Message = 0x010400451580000000 3b14030100010116030100303e6bb07c9ba8bcdd94b7f0ee66d43b439d87b89b99025c1310aa4dc9bf7491555d4d0888ef91a0c7f628b79868ced090
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x3d987f832d6f6ed2f7e42b0fe6b2d77b
Finished request 3
Going to the next request
Waking up in 2 seconds...
rad_recv: Access-Request packet from host 10.222.0.18:1025, id=4, length=353
Message-Authenticator = 0x1d82927ff8e036beeb0aca3ee45c1608
Service-Type = Framed-User
User-Name = "qa"
Framed-MTU = 1488
State = 0x3d987f832d6f6ed2f7e42b0fe6b2d77b
Called-Station-Id = "00-03-7F-04-03-F6:TomAP48"
Calling-Station-Id = "00-03-7D-00-06-32"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 11Mbps 802.11b"
EAP-Message = 0x020400b015001703010020fb074fcc5e5f2df2d24fcee30e4d18a4638a526f045e84651467daae520e2f4417030100809d045521172337970b871775afd53193cae98494128c873dd3786f75c340f7c4992c0f7aa2c4fdecdf595ec0ec65a9692e448c5f7df7b9bff4d975bd7fb112a1cec89c01ea8aba0c328d087ffee23a6637970e1dab1fc959838cbf8e42dae0832c35f409b77a61229991f6ee238292239bec74fc6d5f09a16979aa6f5af4a3c9

NAS-IP-Address = 10.222.0.18
NAS-Port = 1
NAS-Port-Id = "STA port # 1"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
modcall[authorize]: module "mschap" returns noop for request 4
rlm_realm: No '@' in User-Name = "qa", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: EAP packet type response id 4 length 176
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 4
users: Matched entry qa at line 104
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
modcall[authorize]: module "preprocess" returns ok for request 4
modcall[authorize]: module "chap" returns noop for request 4
rlm_mschap: Found MS-CHAP attributes. Setting 'Auth-Type = MS-CHAP' <--- (At this point, FreeRadius correctly sets Auth-Type MS-CHAP)
modcall[authorize]: module "mschap" returns ok for request 4
rlm_realm: No '@' in User-Name = "qa", looking up realm NULL
rlm_realm: No such realm "NULL"
modcall[authorize]: module "suffix" returns noop for request 4
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 4
users: Matched entry qa at line 104 <---- (Uh oh, we matched that qa line again, and now.....)
modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns ok for request 4
rad_check_password: Found Auth-Type EAP <----- (Auth-Type is set to EAP again, which is not what I want.)
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_eap: EAP-Message not found
rlm_eap: Malformed EAP Message
modcall[authenticate]: module "eap" returns fail for request 4
modcall: group authenticate returns fail for request 4
auth: Failed to validate the user.
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select


I can get around the problem by putting two lines in my users file:

"outerqa" Auth-Type := EAP, User-Password == "qa"
"innerqa" Auth-Type := MS-CHAP, User-Password == "qa"

But I would like to avoid the complexity of setting up two user identities,
one for the outer and one for the inner. Is there any way to configure
FreeRadius so that a single EAP identity can be used for EAP-TTLS?

Thanks in advance for any help you can give.

Michael
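The failure the debug log above shows comes from the `users` file being consulted twice: once for the outer EAP request and again for the tunneled inner request, with the entry's `Auth-Type := EAP` check item overriding whatever rlm_mschap set on the second pass. The following toy model, added here as an illustration and not FreeRADIUS code, reproduces that mechanism with only the pieces visible in the log: the `:=` (set or override) and `==` (compare) operators, the mschap, eap and files modules in the order the log runs them, and a `User-Password ==` item treated as the known-good password rather than as a comparison (an assumption consistent with the entry matching requests that carry no `User-Password`). The user names and the two `users` file texts are the ones from the post; attribute values other than names are constructed placeholders.

```python
"""Toy model of FreeRADIUS 1.x 'users' check-item handling during EAP-TTLS.

Added illustration, not FreeRADIUS source. Models only what the posted log
exercises: ':=' set-or-override, '==' compare, and the authorize order
mschap -> eap -> files. Attribute values below are constructed placeholders.
"""
import re

# Constructed 'users' contents: the single-entry form and the two-entry workaround.
USERS_SINGLE = '"qa" Auth-Type := EAP, User-Password == "qa"\n'
USERS_DOUBLE = (
    '"outerqa" Auth-Type := EAP, User-Password == "qa"\n'
    '"innerqa" Auth-Type := MS-CHAP, User-Password == "qa"\n'
)

ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==)\s*("[^"]*"|[^,\s]+)\s*')


def parse_users(text):
    """Return [(name, [(attr, op, value), ...])]; first-line check items only."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        items = [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(rest)]
        entries.append((name.strip('"'), items))
    return entries


def files_authorize(entries, request):
    """rlm_files: first entry whose name and '==' items match wins.

    'User-Password ==' is kept as the known-good password (assumption, see
    lead-in). Every ':=' item is then applied, overriding any existing value,
    including an Auth-Type another module chose earlier in the same pass."""
    for name, items in entries:
        if name != request.get("User-Name"):
            continue
        compares = [(a, v) for a, op, v in items if op == "==" and a != "User-Password"]
        if not all(request.get(a) == v for a, v in compares):
            continue
        for a, op, v in items:
            if op == "==" and a == "User-Password":
                request["_known_password"] = v
            elif op == ":=":
                request[a] = v  # override
        return "ok"
    return "noop"


def mschap_authorize(request):
    """rlm_mschap: on MS-CHAP attributes, set Auth-Type unless already set."""
    if "MS-CHAP-Response" in request and "Auth-Type" not in request:
        request["Auth-Type"] = "MS-CHAP"
        return "ok"
    return "noop"


def eap_authorize(request):
    """rlm_eap: nothing to do without an EAP-Message."""
    return "updated" if "EAP-Message" in request else "noop"


def authorize(entries, request):
    """Module order as in the log: mschap, eap, files. Returns final Auth-Type."""
    mschap_authorize(request)
    eap_authorize(request)
    files_authorize(entries, request)
    return request.get("Auth-Type")


def authenticate(request):
    """What the chosen authenticator needs from the request to succeed."""
    auth_type = request.get("Auth-Type")
    if auth_type == "EAP":
        return "ok" if "EAP-Message" in request else "fail: EAP-Message not found"
    if auth_type == "MS-CHAP":
        ok = "MS-CHAP-Response" in request and "_known_password" in request
        return "ok" if ok else "fail: no MS-CHAP data or known password"
    return "fail: no Auth-Type"


def run_ttls(users_text, outer_name, inner_name):
    """Run the outer EAP pass, then the tunneled MS-CHAP pass.

    Returns (outer Auth-Type, inner Auth-Type, inner authenticate result)."""
    entries = parse_users(users_text)
    # Outer request: only an EAP-Message, as in request 4 before the tunnel.
    outer = {"User-Name": outer_name, "EAP-Message": "0x0204..."}
    outer_type = authorize(entries, outer)
    # Inner request: MS-CHAP attributes, no EAP-Message (placeholder values).
    inner = {"User-Name": inner_name,
             "MS-CHAP-Challenge": "0x00", "MS-CHAP-Response": "0x00"}
    inner_type = authorize(entries, inner)
    return outer_type, inner_type, authenticate(inner)


if __name__ == "__main__":
    print("single entry :", run_ttls(USERS_SINGLE, "qa", "qa"))
    print("two entries  :", run_ttls(USERS_DOUBLE, "outerqa", "innerqa"))
```

With the single entry the inner pass ends with `Auth-Type` forced back to `EAP` and the authenticator failing for lack of an `EAP-Message`, which is the "Malformed EAP Message" path in the log; with the two entries the inner identity never hits the `Auth-Type := EAP` line, so the MS-CHAP choice survives.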