TTLS authentication slow
Artur Hecker
hecker at wave-storm.com
Wed Nov 14 10:52:15 CET 2007
Hello Allan
On 14 Nov 2007, at 00:15, Allan Riordan Boll wrote:
> >> Maybe I missed it, but what client do you use? Windows does not yet
> >> support TTLS natively.
>
> yes sorry, I forgot to say. I am already using SecureW2 of course.
> And it does work, it's just very slow at authenticating... Also,
> I'm using FreeRADIUS 1.1.7.
ok, that's what I thought, but there are people out there actually
using other stuff (wire1X, xsupplicant, etc).
from experience, SecureW2 TTLS works just fine with freeradius.
but just for the sake of an experiment, maybe you could also test
PEAP. that should not change anything from the freeradius user DB
perspective.
>>>> Well, the default config had the same problem. That's why I
>>>> tried writing one from scratch, to make sure there wasn't some
>>>> obscure module making the server hang. Is this an unusual
>>>> approach to write a config from scratch, or is it a good idea?
>>>> Would love to hear what's normal.
the default config should work just fine.
what I would do in your position is simplify stuff. I did not look at
your config, but:
- try PEAP with the built in windows EAP peer and then TTLS with the
SecureW2, see if something changes;
- in the standard config, both should work as soon as you add a user
with a User-Password to your users file. in the beginning and for
testing, don't use databases, maybe your server has difficulties
connecting to it, or something.
- if the server replies correctly with -X, then this is probably a
user right issue.
- to me it looks like some issue with the server certificate validity
(mutual authentication). how did you configure SecureW2? does it
verify the server certificate? does it ask the user if the
certificate is unknown? the best would be to add the signing CA to
your trusted roots at the windows pc *before* any authentication
tries. you should verify that the server certificate is correctly
verified by the windows pc (simply download the server certificate
in .der format and open it in the explorer. it should not say
"untrusted").
it would be *very* surprising if the communication were still as you
described it. what authenticator do you use?
artur
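A command-line version of the certificate check described in the reply above (download the server certificate in .der format and confirm it is not "untrusted"), added here as an example and not part of the mailing-list thread. It converts the DER server certificate to PEM and verifies it against only the CA you intend to install as a trusted root; it assumes the openssl CLI is installed, and the demo CA and server certificate it generates are constructed test material.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Assumes the openssl CLI.
# verify_server_cert <ca.pem> <server.der> prints "trusted" or "untrusted",
# i.e. whether the RADIUS server certificate chains to the given CA alone
# (the default system trust store is deliberately ignored, like a client
# that only trusts the root you installed).
verify_server_cert() {
  ca_pem=$1
  server_der=$2
  tmp_pem=$(mktemp)
  # The client sees DER; convert it to PEM so openssl verify can read it
  openssl x509 -inform der -in "$server_der" -out "$tmp_pem" \
    || { rm -f "$tmp_pem"; return 2; }
  if openssl verify -no-CAfile -no-CApath -CAfile "$ca_pem" "$tmp_pem" \
      >/dev/null 2>&1; then
    result=trusted
  else
    result=untrusted
  fi
  rm -f "$tmp_pem"
  echo "$result"
}

# Constructed test material: a throwaway CA, a server certificate it signed
# (exported as .der, as in the post), and an unrelated CA for the negative
# case. Prints the scratch directory holding the files.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo RADIUS CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/server.pem" 2>/dev/null
  openssl x509 -in "$dir/server.pem" -outform der -out "$dir/server.der"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
  echo "$dir"
}
```

With the real files, run `verify_server_cert your-ca.pem server.der`; "untrusted" here means the Windows client would also reject or prompt on the server certificate until the signing CA is installed.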