Questions about debug output

Stefan Winter stefan.winter at restena.lu
Sat Jul 8 10:24:53 CEST 2006


> 1. First, what does this mean: 'module "chap" returns noop for request
> 3?' My client uses CHAP, so why doesn't "chap," here, return ok? What
> does "noop" mean?

This packet was the one coming from the client, and as such only contains the 
TTLS tunnel. The "inside" of the TTLS tunnel can't be seen at this stage, so 
there is no CHAP here at all. "noop" means "no operation" - the module just 
didn't do anything.

> 2. I read in a comment in the out-of-the-box eap.conf file that it is
> customary to specify "anonymous" for the "name of the user 'outside' of
> the tunnel" with ttls { use_tunneled_reply = yes }. Is the User-Name
> field in the above Access-Request this outside user name?

This has nothing to do with use_tunneled_reply. You can use anonymous also 
without this option.
But, yes, this is the outside user name.

> 3. Is the User-Name in the Access-Request the same as what I've seen
> called the "outer identity?"

Yes. In your above terminology, "outside user name" = "outer identity".

> 4. Is just using "anonymous" okay? Should I include a realm, e.g.,
> anonymous at example.net? Is there something I lose by not specifying a
> realm in User-Name (everything seems to work okay so far)?

If your real (inside) user name contains a realm, use the same realm for 
outer. The not-realm-specific part doesn't matter. If you don't use realms, 
put anything in it you like (except the realm delimiter). You lose or gain 
nothing, except that if your server is configured for multiple realms and you 
confuse it by using the wrong/no realms, things might break.

> 5. What does "No EAP Start" mean?

You picked a packet in the middle of an authentication. So it's not the start 
of the process, but an ongoing packet. There are multiple RADIUS messages 
exchanged during an EAP authentication.

> 6. Why does modcall[authorize] say "Matched entry DEFAULT at line 173"
> here and in the subsequent challenge response (not shown), whereas later
> in the challenge response it says "Matched entry plong at line 76"
> ("plong" is the name part of the inner identity, if I'm using the
> terminology correctly)?

Eventually, the tunneled data arrived and your user was authenticated with the 
entry you set in line 76. As long as only the TTLS tunnel is being looked at, 
it's obvious that the server can't use line 76 (it doesn't *know* the inner 
user name yet), so the packet fell through up to line 173. If you're curious, 
look into line 173 of the "users" file, and you will see what's in there. 
Nothing spectacular, I guess.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Research Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
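As an added illustration of the realm advice in point 4 (example code, not from the original thread or from FreeRADIUS), the check below parses an outer identity (the RADIUS User-Name) and the inner identity and reports where they disagree. It assumes "@" as the realm delimiter (NAI form user@realm) and a constructed list of realms the server is configured for; an empty list means realms are not used.

```python
# Added example, not from the original thread. Checks that an EAP-TTLS
# outer identity is consistent with the inner identity as the reply
# describes: same realm on both, or no realm on either side.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Identity:
    user: str
    realm: Optional[str]  # None when the name carries no realm


def parse_nai(name: str) -> Identity:
    """Split a User-Name on its last '@'; realms compare case-insensitively."""
    if "@" not in name:
        return Identity(name, None)
    user, _, realm = name.rpartition("@")
    return Identity(user, realm.lower() or None)


def check_identities(outer: str, inner: str, served_realms: List[str]) -> List[str]:
    """Return the problems found for one outer/inner pair (empty list = consistent).

    served_realms is the (constructed) list of realms this server handles;
    an empty list means the server does not use realms at all.
    """
    o, i = parse_nai(outer), parse_nai(inner)
    problems: List[str] = []
    # The local part of the outer identity is free (e.g. "anonymous"); only
    # the realm has to agree so the request is routed like the inner one.
    if o.realm != i.realm:
        problems.append(f"outer realm {o.realm!r} differs from inner realm {i.realm!r}")
    served = {r.lower() for r in served_realms}
    if served and i.realm is None:
        problems.append("inner identity carries no realm but the server expects one")
    elif i.realm is not None and i.realm not in served:
        problems.append(f"realm {i.realm!r} is not one this server handles")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs: the first two are fine, the last one is not.
    print(check_identities("anonymous@example.net", "plong@example.net", ["example.net"]))
    print(check_identities("anonymous", "plong", []))
    print(check_identities("anonymous", "plong@example.net", ["example.net"]))
```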
