WPA-Enterprise with TTLS fails to authenticate (from Windows ok, but Linux fails).

Janusz Syrytczyk janusz at uni.opole.pl
Mon Sep 24 12:00:10 CEST 2007


Hello,
I'm running WPA-Enterprise with TTLS authentication and an LDAP backend. The config 
had been running fine for 1.5 years.

The problem is that I cannot authenticate to my network with wpa_supplicant, 
although I could before, and from Windows with the Secure2w TTLS wrapper I still can. 
I use Gentoo and did some upgrades (but nothing special, I guess; the kernel is the 
same, and so is wpa_supplicant).

My eap.conf:
eap {
    default_eap_type = mschapv2
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    md5 {
        }
    tls {
        private_key_file = ${raddbdir}/certs/radius1.uni.opole.pl.key
        certificate_file = ${raddbdir}/certs/radius1.uni.opole.pl.pem

        CA_path = ${raddbdir}/certs/
        CA_file = ${raddbdir}/certs/ca.uni.opole.pl.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        check_cert_cn = %{User-Name}
        #check_crl = yes
        crl_dir = /etc/raddb/certs
        proxy_tunneled_request_as_eap = yes
        }
    peap {
        default_eap_type = mschapv2
        }
    ttls {
         default_eap_type = md5
         copy_request_to_tunnel = yes
         use_tunneled_reply = yes
        }
    mschapv2 {
        }
}

My wpa_supplicant.conf:
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
fast_reauth=1
update_config=0

network={
        ssid="eduroam"
        scan_ssid=1
        proto=WPA
        key_mgmt=WPA-EAP
        pairwise=TKIP
        eap=TTLS
        identity="jsyrytczyk at uni.opole.pl"
        password="mycorrectpassword"
        ca_cert="/etc/wpa_supplicant/ca.uni.opole.pl.pem"
        phase2="auth=PAP"
}

My error:

Ready to process requests.
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=89, 
length=205
        User-Name = "jsyrytczyk at uni.opole.pl"
        Framed-MTU = 1400
        Called-Station-Id = "0019.a9b5.3a01"
        Calling-Station-Id = "0002.7258.7f14"
        Cisco-AVPair = "ssid=eduroam"
        Service-Type = Login-User
        Message-Authenticator = 0x2e72d462f1fb588c9674049e6b61e580
        EAP-Message = 
0x0201001c016a7379727974637a796b40756e692e6f706f6c652e706c
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "461"
        NAS-Port = 461
        NAS-IP-Address = 10.59.223.247
        NAS-Identifier = "AP1242_eduroam_CI"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
    rlm_realm: Looking up realm "uni.opole.pl" for User-Name 
= "jsyrytczyk at uni.opole.pl"
    rlm_realm: Found realm "uni.opole.pl"
    rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl
    rlm_realm: Adding Realm = "uni.opole.pl"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 0
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 
217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name 
= "jsyrytczyk at uni.opole.pl"'
rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee".
  modcall[authorize]: module "acct_unique" returns ok for request 0
radius_xlat:  'jsyrytczyk at uni.opole.pl'
rlm_attr_rewrite: Added attribute Stripped-User-Name with 
value 'jsyrytczyk at uni.opole.pl'
  modcall[authorize]: module "copy.user-name" returns ok for request 0
radius_xlat:  '@.*$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name 
from 'jsyrytczyk at uni.opole.pl' to 'jsyrytczyk'
  modcall[authorize]: module "strip.user-name" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsyrytczyk at uni.opole.pl
radius_xlat:  '(&(objectClass=VirtualMailAccount)
(mail=jsyrytczyk at uni.opole.pl)(accountActive=TRUE)(delete=FALSE))'
radius_xlat:  'o=hosting,dc=uo,dc=opole,dc=pl'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 217.173.193.3:389, authentication 0
rlm_ldap: bind as cn=dovecot,dc=uo,dc=opole,dc=pl/hereismyldapdatabasepass to 
217.173.193.3:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter 
(&(objectClass=VirtualMailAccount)(mail=jsyrytczyk at uni.opole.pl)
(accountActive=TRUE)(delete=FALSE))
rlm_ldap: checking if remote access for jsyrytczyk at uni.opole.pl is allowed by 
dialupAccess
rlm_ldap: Password header not found in password {CRYPT}hash for user 
jsyrytczyk at uni.opole.pl
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hash"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsyrytczyk at uni.opole.pl authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 0
  rlm_eap: EAP packet type response id 1 length 28
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 0
  modcall[authorize]: module "files" returns notfound for request 0
modcall: leaving group authorize (returns updated) for request 0
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
  modcall[authenticate]: module "eap" returns handled for request 0
modcall: leaving group authenticate (returns handled) for request 0
Sending Access-Challenge of id 89 to 217.173.193.40 port 4347
        EAP-Message = 
0x010200311a0102002c10124897b1c632a0dd9edec5d89e10c5bc6a7379727974637a796b40756e692e6f706f6c652e706c
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcdc132917ef520c9537ed9cbb1481929
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=90, 
length=201
        User-Name = "jsyrytczyk at uni.opole.pl"
        Framed-MTU = 1400
        Called-Station-Id = "0019.a9b5.3a01"
        Calling-Station-Id = "0002.7258.7f14"
        Cisco-AVPair = "ssid=eduroam"
        Service-Type = Login-User
        Message-Authenticator = 0x1290a4533963f73ed925dec295cbefdf
        EAP-Message = 0x020200060315
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "461"
        NAS-Port = 461
        State = 0xcdc132917ef520c9537ed9cbb1481929
        NAS-IP-Address = 10.59.223.247
        NAS-Identifier = "AP1242_eduroam_CI"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
    rlm_realm: Looking up realm "uni.opole.pl" for User-Name 
= "jsyrytczyk at uni.opole.pl"
    rlm_realm: Found realm "uni.opole.pl"
    rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl
    rlm_realm: Adding Realm = "uni.opole.pl"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 1
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 
217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name 
= "jsyrytczyk at uni.opole.pl"'
rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee".
  modcall[authorize]: module "acct_unique" returns ok for request 1
radius_xlat:  'jsyrytczyk at uni.opole.pl'
rlm_attr_rewrite: Added attribute Stripped-User-Name with 
value 'jsyrytczyk at uni.opole.pl'
  modcall[authorize]: module "copy.user-name" returns ok for request 1
radius_xlat:  '@.*$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name 
from 'jsyrytczyk at uni.opole.pl' to 'jsyrytczyk'
  modcall[authorize]: module "strip.user-name" returns ok for request 1
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsyrytczyk at uni.opole.pl
radius_xlat:  '(&(objectClass=VirtualMailAccount)
(mail=jsyrytczyk at uni.opole.pl)(accountActive=TRUE)(delete=FALSE))'
radius_xlat:  'o=hosting,dc=uo,dc=opole,dc=pl'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter 
(&(objectClass=VirtualMailAccount)(mail=jsyrytczyk at uni.opole.pl)
(accountActive=TRUE)(delete=FALSE))
rlm_ldap: checking if remote access for jsyrytczyk at uni.opole.pl is allowed by 
dialupAccess
rlm_ldap: Password header not found in password {CRYPT}hashed for user 
jsyrytczyk at uni.opole.pl
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsyrytczyk at uni.opole.pl authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 1
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
  modcall[authorize]: module "files" returns notfound for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
  rlm_eap: Request found, released from the list
  rlm_eap: EAP NAK
 rlm_eap: EAP-NAK asked for EAP-Type/ttls
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 90 to 217.173.193.40 port 4347
        EAP-Message = 0x010300061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc
Finished request 1
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, 
length=201
        User-Name = "jsyrytczyk at uni.opole.pl"
        Framed-MTU = 1400
        Called-Station-Id = "0019.a9b5.3a01"
        Calling-Station-Id = "0002.7258.7f14"
        Cisco-AVPair = "ssid=eduroam"
        Service-Type = Login-User
        Message-Authenticator = 0xed18d300aabdabba014117f1b2bca527
        EAP-Message = 0x020200060315
        NAS-Port-Type = Wireless-802.11
        Cisco-NAS-Port = "461"
        NAS-Port = 461
        State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc
        NAS-IP-Address = 10.59.223.247
        NAS-Identifier = "AP1242_eduroam_CI"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
    rlm_realm: Looking up realm "uni.opole.pl" for User-Name 
= "jsyrytczyk at uni.opole.pl"
    rlm_realm: Found realm "uni.opole.pl"
    rlm_realm: Proxying request from user jsyrytczyk to realm uni.opole.pl
    rlm_realm: Adding Realm = "uni.opole.pl"
    rlm_realm: Authentication realm is LOCAL.
  modcall[authorize]: module "suffix" returns noop for request 2
rlm_acct_unique: WARNING: Attribute Acct-Session-Id was not found in request, 
unique ID MAY be inconsistent
rlm_acct_unique: Hashing 'NAS-Port = 461,Client-IP-Address = 
217.173.193.40,NAS-IP-Address = 10.59.223.247,,User-Name 
= "jsyrytczyk at uni.opole.pl"'
rlm_acct_unique: Acct-Unique-Session-ID = "0e208dc42b670eee".
  modcall[authorize]: module "acct_unique" returns ok for request 2
radius_xlat:  'jsyrytczyk at uni.opole.pl'
rlm_attr_rewrite: Added attribute Stripped-User-Name with 
value 'jsyrytczyk at uni.opole.pl'
  modcall[authorize]: module "copy.user-name" returns ok for request 2
radius_xlat:  '@.*$'
rlm_attr_rewrite: Changed value for attribute Stripped-User-Name 
from 'jsyrytczyk at uni.opole.pl' to 'jsyrytczyk'
  modcall[authorize]: module "strip.user-name" returns ok for request 2
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jsyrytczyk at uni.opole.pl
radius_xlat:  '(&(objectClass=VirtualMailAccount)
(mail=jsyrytczyk at uni.opole.pl)(accountActive=TRUE)(delete=FALSE))'
radius_xlat:  'o=hosting,dc=uo,dc=opole,dc=pl'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=hosting,dc=uo,dc=opole,dc=pl, with filter 
(&(objectClass=VirtualMailAccount)(mail=jsyrytczyk at uni.opole.pl)
(accountActive=TRUE)(delete=FALSE))
rlm_ldap: checking if remote access for jsyrytczyk at uni.opole.pl is allowed by 
dialupAccess
rlm_ldap: Password header not found in password {CRYPT}hashed for user 
jsyrytczyk at uni.opole.pl
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding userPassword as User-Password == "{CRYPT}hashed"
rlm_ldap: looking for reply items in directory...
rlm_ldap: user jsyrytczyk at uni.opole.pl authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 2
  rlm_eap: EAP packet type response id 2 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
  modcall[authorize]: module "files" returns notfound for request 2
modcall: leaving group authorize (returns updated) for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
  rlm_eap: Request not found in the list
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown 
EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 2
modcall: leaving group authenticate (returns invalid) for request 2
auth: Failed to validate the user.
Login incorrect: [jsyrytczyk at uni.opole.pl] (from client UniNet port 461 cli 
0002.7258.7f14)
Delaying request 2 for 1 seconds
Finished request 2
Going to the next request
Waking up in 6 seconds...

FreeRADIUS writes that my password is incorrect, but of course it is correct. It 
also complains about a bad {crypt} header, but it works fine with that header when 
the client is Windows. Anyway, when I pass the correct header, or change it to any 
other in radiusd.conf, nothing changes.

I substituted all passwords of course.

-- 
Syrytczyk Janusz - Server administrator
Centrum Informatyczne Uniwersytetu Opolskiego
Phone: +48 77 452-70-91
E-mail: jsyrytczyk at uni.opole.pl
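The debug output in the post becomes much easier to read once the EAP-Message hex is decoded. The script below is an added example, not code from the post or from the FreeRADIUS project: it embeds a constructed, condensed copy of the five RADIUS packets shown above (EAP-Message and State lines only), decodes each EAP packet (code, identifier, type, the type requested by a Nak, the Start flag of a TLS-based method) and flags any Response whose identifier does not match the server's last Request, which is the condition rlm_eap reports as "Request not found in the list". In the post's trace the third Access-Request repeats EAP id 2 (a Nak asking for TTLS) after the server had already sent Request id 3 (TTLS Start), and that is what the check reports. All function and field names are my own.

```python
"""Decode EAP-Message attributes from FreeRADIUS debug output and check that each
EAP Response answers the Request the server most recently sent (RFC 3748 ids)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# Constructed sample: the EAP-Message / State lines condensed from the post's
# debug output (three Access-Requests and the two Access-Challenges between them).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=89, length=205
        EAP-Message = 0x0201001c016a7379727974637a796b40756e692e6f706f6c652e706c
Sending Access-Challenge of id 89 to 217.173.193.40 port 4347
        EAP-Message = 0x010200311a0102002c10124897b1c632a0dd9edec5d89e10c5bc6a7379727974637a796b40756e692e6f706f6c652e706c
        State = 0xcdc132917ef520c9537ed9cbb1481929
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=90, length=201
        EAP-Message = 0x020200060315
        State = 0xcdc132917ef520c9537ed9cbb1481929
Sending Access-Challenge of id 90 to 217.173.193.40 port 4347
        EAP-Message = 0x010300061520
        State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc
rad_recv: Access-Request packet from host 217.173.193.40:4347, id=91, length=201
        EAP-Message = 0x020200060315
        State = 0xf7496deb8d0573d9ee6c13a2b51ba8bc
"""


def decode_eap(hexstr):
    """Parse one EAP packet: the 4-byte header plus the type-specific data."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(raw) > 4:
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:                       # Identity: the outer user name
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:                     # legacy Nak: list of desired types
            pkt["nak_types"] = [EAP_TYPES.get(b, b) for b in data]
        elif eap_type in (13, 21, 25):          # TLS-based methods: flags byte, S bit
            pkt["start"] = bool(data[0] & 0x20) if data else False
    return pkt


def parse_log(text):
    """Collect (direction, RADIUS id, EAP packet, State) per packet. A wrapped
    'EAP-Message =' line whose hex continues on the next line is handled too."""
    entries, current, pending_eap = [], None, False
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"rad_recv: Access-Request .* id=(\d+)", line)
        if m:
            current = {"dir": "request", "radius_id": int(m.group(1)), "eap": None, "state": None}
            entries.append(current)
            continue
        m = re.match(r"Sending Access-(Challenge|Accept|Reject) of id (\d+)", line)
        if m:
            current = {"dir": m.group(1).lower(), "radius_id": int(m.group(2)), "eap": None, "state": None}
            entries.append(current)
            continue
        if current is None:
            continue
        if pending_eap and line.startswith("0x"):
            current["eap"], pending_eap = decode_eap(line), False
        elif line.startswith("EAP-Message ="):
            value = line.split("=", 1)[1].strip()
            if value:
                current["eap"] = decode_eap(value)
            else:
                pending_eap = True
        elif line.startswith("State ="):
            current["state"] = line.split("=", 1)[1].strip()
    return entries


def check_conversation(entries):
    """Return a message for every Response whose EAP id does not match the id of
    the last Request the server sent (rlm_eap: 'Request not found in the list')."""
    findings, last_request = [], None
    for e in entries:
        pkt = e["eap"]
        if pkt is None:
            continue
        if e["dir"] == "challenge" and pkt["code"] == "Request":
            last_request = pkt
        elif e["dir"] == "request" and pkt["code"] == "Response":
            if last_request is not None and pkt["id"] != last_request["id"]:
                start = ", Start" if last_request.get("start") else ""
                findings.append(
                    f"RADIUS id {e['radius_id']}: client answered with EAP id {pkt['id']} "
                    f"({pkt['type']}), but the server's last Request was "
                    f"id {last_request['id']} ({last_request['type']}{start})")
    return findings


if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(entry["dir"], entry["radius_id"], entry["eap"])
    for finding in check_conversation(parse_log(SAMPLE_LOG)):
        print("MISMATCH:", finding)
```

Run against a full `radiusd -X` capture, the same check pinpoints the packet where a supplicant stops answering the server's current Request; for the trace above it reports that the client never replied to the TTLS Start (id 3) and instead re-sent its id 2 Nak with the newer State, which is why the server could no longer find a matching EAP session.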