EAP-TTLS problem at phase 1

Rafiqul Ahsan rafiqul.ahsan at gmail.com
Sat Oct 21 01:44:32 CEST 2006


Hi all,

I have been trying to figure this out for a couple of days, but have not found
any clue. My test is about authentication with EAP-TTLS/MSCHAPV2.

I am using FreeRADIUS version 1.1.3 on Solaris 10.

No matter what I do, I get "rlm_eap: Either EAP-request timed out OR
EAP-response to an unknown EAP-request" at the server.

Can anybody help me work out what went wrong? Here are my configs and logs
(truncated).

Awaiting a solution...

Rafi





Here is my eap.conf

        # rlm_eap configuration as posted: EAP-TTLS is the default outer method,
        # and MSCHAPv2 is the default inner method for both the ttls and peap
        # sub-sections below.
        eap {
                # EAP type the server starts with when the peer has not chosen one.
                default_eap_type = ttls

                # Seconds the module keeps state for an outstanding EAP-Request.
                # NOTE(review): the reported "timed out OR ... unknown EAP-request"
                # message is presumably logged when an EAP-Response cannot be matched
                # to that stored state - verify that the supplicant/NAS answers inside
                # this window and echoes the server's State attribute unchanged.
                timer_expire     = 60
                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                # NOTE(review): md5 and leap are configured here although the test
                # targets TTLS/MSCHAPv2. Both are weak against offline password
                # guessing; remove the sections if these methods are not meant to be
                # offered.
                md5 {
                }

                leap {
                }

                gtc {
                        auth_type = PAP
                }

    # TLS settings for the TLS-based methods configured below (ttls, peap).
    tls {
      rsa_key_exchange = yes
      dh_key_exchange = no
      # NOTE(review): 1024-bit RSA/DH sizes are below current minimum
      # recommendations (2048 bits or more).
      rsa_key_length = 1024
      dh_key_length = 1024
      # Maximum certificate chain depth accepted during verification.
      verify_depth = 2
      pem_file_type = yes

            # NOTE(review): the key passphrase is stored in clear text and has been
            # reproduced in a public list post. Treat this key pair as exposed, keep
            # it to lab use, and make sure this file is readable only by the radiusd
            # user.
            private_key_password = "wimax i2 test certs"
            private_key_file = /etc/freeradius/etc/certs/key2.pem
            certificate_file = /etc/freeradius/etc/certs/cert2.pem
            CA_file = /etc/freeradius/etc/certs/cacert.pem
            dh_file = /etc/freeradius/etc/certs/dh
            random_file = /etc/freeradius/etc/certs/random

      fragment_size = 1024

      include_length = yes

      # The expanded value is compared with the CN of the client certificate.
      # NOTE(review): the supplicant sends an anonymous outer identity, so
      # %{User-Name} is presumably that anonymous string rather than the
      # certificate CN - confirm this check can succeed with that identity.
      check_cert_cn = %{User-Name}
    }

                # Inner (phase 2) method offered inside the TTLS tunnel.
                ttls {
                        default_eap_type = mschapv2

                #       copy_request_to_tunnel = no

                #       use_tunneled_reply = no
                }

                 # Inner method offered inside the PEAP tunnel; not exercised by the
                 # TTLS test described in the post.
                 peap {
                        default_eap_type = mschapv2

                #       copy_request_to_tunnel = no
                #       use_tunneled_reply = no

                #       proxy_tunneled_request_as_eap = yes
                }

                mschapv2 {
                }
        }


Here is my users file :

# Per-user entry: forces Auth-Type to EAP and stores the password in clear text.
# NOTE(review): the password is identical to the user name - acceptable only on
# an isolated test bench.
"testuser" Auth-Type := EAP, User-Password := "testuser"

# Catch-all entry: every request that reaches DEFAULT is also forced to
# Auth-Type EAP (the posted log shows request 1 matching DEFAULT, not "testuser").
# NOTE(review): FreeRADIUS guidance generally advises against setting Auth-Type
# by hand; confirm that this override is needed instead of letting the eap
# module in the authorize section set it.
DEFAULT Auth-Type := EAP

Here is my supplicant config :
# cat supplicant.conf
# Supplicant configuration as posted. Several keys (eap_trace, enableWiMAXauth,
# validateFNECerts, checkCRL, ignoreTimeOfDay, data_interface, load_dynamic) do
# not look like stock wpa_supplicant options - presumably a vendor build; verify
# their meaning against that build's documentation.
# NOTE(review): the control sockets, trust anchors and client key all live under
# /var/tmp, which is normally world-writable. Other local users could read or
# replace them; move them to a root-owned directory outside a lab setup.
ctrl_interface=/var/tmp/supplicant.ctl
eap_trace=1
enableWiMAXauth=1
validateFNECerts=1
checkCRL=1
ignoreTimeOfDay=0
update_config=0
data_interface=/var/tmp/supplicant_data.ctl
ap_scan=0
fast_reauth=1
load_dynamic=/usr/lib/wpa_supplicant/eap_ttls.so
network={
eap=TTLS
eap_workaround=1
# Outer (phase 1) identity; this is what the RADIUS server sees as User-Name
# outside the tunnel.
anonymous_identity="anonymous_identity"
# Trust anchors used to validate the server certificate.
ca_path="/var/tmp/truststore"
ca_cert="/var/tmp/root.crt"
client_cert="/var/tmp/cpe.crt"
private_key="/var/tmp/key"
# NOTE(review): the key passphrase is in clear text and is the same string as the
# server's private_key_password in the posted eap.conf; use distinct secrets and
# treat this one as exposed.
private_key_passwd="wimax i2 test certs"
# Inner (phase 2) method run inside the TTLS tunnel.
phase2="auth=MSCHAPV2"
}

Here is the radius log (only shown the failed part)

rlm_fastusers:  checking defaults^M
  fastusers: Matched DEFAULT at 6^M
  modcall[authorize]: module "fastusers" returns updated for request 1^M
modcall: leaving group authorize (returns updated) for request 1^M
  rad_check_password:  Found Auth-Type EAP^M
auth: type "EAP"^M
  Processing the authenticate section of radiusd.conf^M
modcall: entering group authenticate for request 1^M
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown
EAP-request^M
  rlm_eap: Failed in handler^M
  modcall[authenticate]: module "eap" returns invalid for request 1^M
modcall: leaving group authenticate (returns invalid) for request 1^M