Questions about debug output

Paul Long plong at ipdialog.com
Sat Jul 8 01:14:10 CEST 2006


I have a few questions about the debug output from an ultimately 
successful EAP-TTLS-CHAP authentication. Consider this snippet:
...
rad_recv: Access-Request packet from host 192.168.1.228:1045, id=210, 
length=166

        User-Name = "anonymous"
        NAS-IP-Address = 192.168.1.228
        Connect-Info = "CONNECT 802.11"
        Called-Station-Id = "000b6b8c03f9"
        Calling-Station-Id = "00146c6f2e75"
        NAS-Identifier = "00-14-6c-6f-2e-75"
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 15
        NAS-Port-Id = "15"
        Framed-MTU = 1400
        State = 0x656cef9c49bb7e305b809bc113ece6c4
        EAP-Message = 0x020700061500
        Message-Authenticator = 0xfd14176dee74fed4980d51bbf880b8a6
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
  rlm_eap: EAP packet type response id 7 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched entry DEFAULT at line 173
...

1. First, what does this mean: 'module "chap" returns noop for request 
3?' My client uses CHAP, so why doesn't "chap," here, return ok? What 
does "noop" mean?

2. I read in a comment in the out-of-the-box eap.conf file that it is 
customary to specify "anonymous" for the "name of the user 'outside' of 
the tunnel" with ttls { use_tunneled_reply = yes }. Is the User-Name 
field in the above Access-Request this outside user name?

3. Is the User-Name in the Access-Request the same as what I've seen 
called the "outer identity?"

4. Is just using "anonymous" okay? Should I include a realm, e.g., 
anonymous@example.net? Is there something I lose by not specifying a 
realm in User-Name (everything seems to work okay so far)?

5. What does "No EAP Start" mean?

6. Why does modcall[authorize] say "Matched entry DEFAULT at line 173" 
here and in the subsequent challenge response (not shown), whereas later 
in the challenge response it says "Matched entry plong at line 76" 
("plong" is the name part of the inner identity, if I'm using the 
terminology correctly)?

Paul
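
Added example, not part of the original post: a decoder for the EAP-Message value in the debug output above, showing how the hex string maps to the fields rlm_eap reports ("type response id 7 length 6"). It uses the RFC 3748 header layout and the TLS-style flags octet shared by EAP-TLS, EAP-TTLS and PEAP. The function name and the returned dictionary keys are illustrative, and it assumes the EAP packet fits in a single EAP-Message attribute.

```python
import struct

# EAP codes (RFC 3748, section 4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few EAP method types from the IANA EAP registry
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_BASED = (13, 21, 25)  # methods whose data starts with a flags octet

# EAP-Message value copied from the Access-Request in the post
SAMPLE = "0x020700061500"


def decode_eap(hex_value):
    """Decode the EAP header carried in one RADIUS EAP-Message attribute."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        # Assumption: no fragmentation across several EAP-Message attributes
        raise ValueError("EAP length field does not match the data")
    pkt = {"code": EAP_CODES.get(code, "Unknown(%d)" % code),
           "id": ident, "length": length,
           "type": None, "flags": None, "data_len": 0}
    # Only Request and Response packets carry a Type octet
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        pkt["type"] = EAP_TYPES.get(eap_type, "Unknown(%d)" % eap_type)
        body = raw[5:length]
        if eap_type in TLS_BASED and body:
            flags = body[0]
            pkt["flags"] = {
                "length_included": bool(flags & 0x80),  # L bit
                "more_fragments": bool(flags & 0x40),   # M bit
                "start": bool(flags & 0x20),            # S bit (method-level)
            }
            pkt["data_len"] = len(body) - 1
        else:
            pkt["data_len"] = len(body)
    return pkt


if __name__ == "__main__":
    print(decode_eap(SAMPLE))
```

For the sample value this yields a Response with id 7 and length 6, type EAP-TTLS, with no flags set and no TLS data after the flags octet.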



