TTLS authentication slow

Artur Hecker hecker at wave-storm.com
Wed Nov 14 10:52:15 CET 2007


Hello Allan


On 14 Nov 2007, at 00:15, Allan Riordan Boll wrote:

> >> Maybe I missed it, but what client do you use? Windows does not yet
> >> support TTLS natively.
>
> yes sorry, I forgot to say. I am already using SecureW2 of course.
> And it does work, it's just very slow at authenticating... Also,  
> I'm using FreeRADIUS 1.1.7.

ok, that's what I thought, but there are people out there actually
using other stuff (wire1X, xsupplicant, etc).

from the experience, SecureW2 TTLS works just fine with freeradius.

but just for the sake of an experiment, maybe you could also test  
PEAP. that should not change anything from the freeradius user DB  
perspective.


>>>> Well, the default config had the same problem. That's why I  
>>>> tried writing one from scratch, to make sure there wasn't some  
>>>> obscure module making the server hang. Is this an unusual  
>>>> approach to write a config from scratch, or is it a good idea?  
>>>> Would love to hear what's normal.

the default config should work just fine.

what I would do in your position is simplify stuff. I did not look at  
your config, but:

- try PEAP with the built-in windows EAP peer and then TTLS with the
SecureW2, see if something changes;

- in the standard config, both should work as soon as you add a user  
with a User-Password to your users file. in the beginning and for  
testing, don't use databases, maybe your server has difficulties  
connecting to it, or something.

- if the server replies correctly with -X, then this is probably a  
user right issue.

- to me it looks like some issue with the server certificate validity  
(mutual authentication). how did you configure SecureW2? does it  
verify the server certificate? does it ask the user if the  
certificate is unknown? the best would be to add the signing CA to
your trusted roots at the windows pc *before* any authentication
tries. you should verify that the server certificate is correctly
verified by the windows pc (simply download the server certificate
in .der format and open it in the explorer. it should not say
"untrusted").

it would be *very* surprising if the communication were still as you  
described it. what authenticator do you use?


artur
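The server-certificate check suggested in the reply above, as an added example that is not part of the original message or of FreeRADIUS: it builds a throwaway CA and server certificate with openssl (constructed test data, assumed names) and runs the two checks you would run on the real server's .der export before installing the CA on the Windows client: does the certificate chain to that CA, and has it not expired.

```shell
#!/bin/sh
# Added example (not from the mailing-list reply). Requires the openssl CLI.
set -e

# check_server_cert CA.pem SERVER.der
# Returns 0 only if SERVER chains to CA and has not expired; 1 otherwise.
check_server_cert() {
    ca="$1"; der="$2"; pem="${der%.der}.pem"
    # the certificate exported from the RADIUS server is usually DER;
    # openssl verify wants PEM
    openssl x509 -inform der -in "$der" -out "$pem"
    # 1) does it chain to the CA the supplicant will be told to trust?
    openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1 || return 1
    # 2) is notAfter still in the future? (-checkend 0 = "expires in 0 s?")
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 1
    return 0
}

# make_test_pki DIR
# Constructed throwaway PKI for the demonstration: a CA, a server cert
# signed by it, and an unrelated CA to show the check failing.
make_test_pki() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
        -out "$dir/server.pem" 2>/dev/null
    # export in DER, like the file you would pull off the real server
    openssl x509 -in "$dir/server.pem" -outform der -out "$dir/server.der"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Other CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" 2>/dev/null
}
```

Run it against the real export as `check_server_cert ca.pem server.der`; a non-zero exit before any supplicant is involved means the "untrusted" prompt on the Windows side is expected, not a SecureW2 or FreeRADIUS problem.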