can peap and ttls live together?

Sergio Belkin sebelk at gmail.com
Tue Apr 29 15:41:08 CEST 2008


2008/4/29 Arran Cudbard-Bell <A.Cudbard-Bell at sussex.ac.uk>:
>
> Sergio Belkin wrote:
>
> > Hi,
> >
> > I had been using EAP-TTLS, but as I've commented in an earlier post, I
> > have no luck with securew2 and Vista. So I am planning to use a
> > "secondary password" for radius in clear-text. But I'd want to know if
> > TTLS and PEAP can live together; my current eap.conf is as follows:
> >
> > eap {
> >                default_eap_type = ttls
> >                timer_expire     = 60
> >                ignore_unknown_eap_types = no
> >                cisco_accounting_username_bug = no
> >                md5 {
> >                }
> >                leap {
> >                }
> >                gtc {
> >                        auth_type = PAP
> >                }
> >                tls {
> >                        private_key_file =
> > /etc/pki/tls/certs/ips-spectrum-key.pem
> >                        certificate_file =
> > /etc/pki/tls/certs/ips-spectrum-crt.pem
> >                        CA_file = /etc/pki/tls/certs/ips-ca-bundle.crt
> >                        dh_file = ${raddbdir}/certs/dh
> >                        random_file = ${raddbdir}/certs/random
> >                        cipher_list = "DEFAULT"
> >                }
> >                ttls {
> >                        default_eap_type = md5
> >                        copy_request_to_tunnel = no
> >                        use_tunneled_reply = yes
> >                }
> >                peap {
> >                        default_eap_type = mschapv2
> >                        copy_request_to_tunnel = no
> >                        use_tunneled_reply = no
> >                }
> >                mschapv2 {
> >                }
> >        }
> >
>  Yes. If the supplicant doesn't support TTLS it'll NAK the offer of EAP-TTLS
> and request PEAP. Default EAP type specifies the EAP type the server
> initially attempts to negotiate with the supplicant.
>
>  --
>  Arran Cudbard-Bell (A.Cudbard-Bell at sussex.ac.uk)
>  Authentication, Authorisation and Accounting Officer
>  Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton
>  EXT:01273 873900 | INT: 3900
>

Thanks Phil and Arran. I am testing peap and ttls and I only modified
default_eap_type to be peap. But I can't connect; this is part of the
debugging output:


  rlm_mschap: No Cleartext-Password configured.  Cannot create LM-Password.
  rlm_mschap: No Cleartext-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for pepepe with NT-Password
  rlm_mschap: FAILED: No NT/LM-Password.  Cannot perform authentication.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
  rlm_eap: Freeing handler
++[eap] returns reject
auth: Failed to validate the user.
Login incorrect: [pepepe/<via Auth-Type = EAP>] (from client
UP-PVIII-VII port 0)
  PEAP: Tunneled authentication was rejected.
  rlm_eap_peap: FAILURE
++[eap] returns handled

(pepepe is the user)

I am setting userPassword in cleartext with Luma for LDAP
(http://luma.sourceforge.net/ ). What's wrong?

Thanks in advance. Should I define 2 virtual servers as Phil suggested?
-- 
--
Open Kairos http://www.openkairos.com
Watch More TV http://sebelk.blogspot.com
Sergio Belkin -
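Why rlm_mschap complains that it cannot create an NT-Password, as an added example that is not part of the original thread or of FreeRADIUS itself: MS-CHAPv2 is verified against the NT hash (MD4 over the UTF-16LE password), which the server can derive from a cleartext userPassword but not from a one-way hash such as {SSHA}. The {clear}/{SSHA} prefix handling and the sample LDAP values are assumptions made for this illustration.

```python
import struct
from typing import Optional

def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); many OpenSSL builds disable MD4 in hashlib."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1: F, word order 0..15
                f, k, s, t = (b & c) | (~b & d), j, (3, 7, 11, 19)[j % 4], 0
            elif i < 32:  # round 2: G, word order 0,4,8,12,1,5,...
                f, k, s, t = (b & c) | (b & d) | (c & d), (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3: H, word order 0,8,4,12,2,10,...
                f, k, s, t = b ^ c ^ d, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[j], (3, 9, 11, 15)[j % 4], 0x6ED9EBA1
            a, b, c, d = d, _lrot((a + f + X[k] + t) & 0xFFFFFFFF, s), b, c
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_password(cleartext: str) -> str:
    """NT-Password as an MS-CHAPv2 server derives it: MD4 over the UTF-16LE password, hex."""
    return md4(cleartext.encode("utf-16-le")).hex().upper()

def nt_password_from_ldap(user_password: bytes) -> Optional[str]:
    """Return the NT-Password derivable from an LDAP userPassword value, or None.
    Prefix handling is a simplification assumed for this example, not rlm_ldap's code."""
    if user_password.startswith(b"{"):
        scheme, _, rest = user_password[1:].partition(b"}")
        if scheme.lower() not in (b"clear", b"cleartext"):
            return None  # one-way hash ({SSHA}, {MD5}, ...): no cleartext to hash, MS-CHAPv2 fails
        user_password = rest
    return nt_password(user_password.decode("utf-8"))

# Constructed sample entries, one per storage style.
SAMPLE_ENTRIES = {
    "pepepe-cleartext": b"password",
    "pepepe-clear-prefix": b"{clear}password",
    "pepepe-ssha": b"{SSHA}b3Nob3JmbG9hdGluZ3NhbHQ=",  # constructed, not a real digest
}

if __name__ == "__main__":
    for name, value in SAMPLE_ENTRIES.items():
        print(name, nt_password_from_ldap(value) or "cannot create NT-Password")
```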


