Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP

tnt at kalik.net tnt at kalik.net
Thu Dec 11 16:15:33 CET 2008


>We are having some issues setting up FreeRADIUS to support EAP-TLS, EAP-TTLS and EAP-PEAP.
>Our goal is to have our authentication server provide those three Auth-Types simultaneously.
>To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>We also add the radius log of an authentication attempt from a Windows XP client,
>using the Windows built-in supplicant and supplying a username and password stored in
>our /etc/passwd file. The authentication failed with this error message:
>
>rlm_eap: identity does not match User-Name, setting from EAP identity
> 
>Thu Dec 11 14:59:10 2008 : Debug: radiusd: #### Loading Realms and Home Servers ####
>Thu Dec 11 14:59:10 2008 : Debug:  proxy server {
>Thu Dec 11 14:59:10 2008 : Debug:       retry_delay = 5
>Thu Dec 11 14:59:10 2008 : Debug:       retry_count = 3
>Thu Dec 11 14:59:10 2008 : Debug:       default_fallback = no
>Thu Dec 11 14:59:10 2008 : Debug:       dead_time = 120
>Thu Dec 11 14:59:10 2008 : Debug:       wake_all_if_all_dead = no
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  home_server localhost {
>Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
>Thu Dec 11 14:59:10 2008 : Debug:       port = 1812
>Thu Dec 11 14:59:10 2008 : Debug:       type = "auth"
>Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
>Thu Dec 11 14:59:10 2008 : Debug:       response_window = 20
>Thu Dec 11 14:59:10 2008 : Debug:       max_outstanding = 65536
>Thu Dec 11 14:59:10 2008 : Debug:       zombie_period = 40
>Thu Dec 11 14:59:10 2008 : Debug:       status_check = "status-server"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_check = "none"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       check_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       num_answers_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       num_pings_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       revive_interval = 120
>Thu Dec 11 14:59:10 2008 : Debug:       status_check_timeout = 4
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  home_server_pool my_auth_failover {
>Thu Dec 11 14:59:10 2008 : Debug:       type = fail-over
>Thu Dec 11 14:59:10 2008 : Debug:       home_server = localhost
>Thu Dec 11 14:59:10 2008 : Debug:  }
>Thu Dec 11 14:59:10 2008 : Debug:  realm uac.bj {
>Thu Dec 11 14:59:10 2008 : Debug:       auth_pool = my_auth_failover
>Thu Dec 11 14:59:10 2008 : Debug:  }

You have configured the server to proxy requests to itself. Don't do
that. Configure it as a local realm (just {}).

..
>rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, length=145
>        User-Name = "toto at uac.bj"
>        NAS-IP-Address = 172.21.1.251
>        Connect-Info = "CONNECT 802.11"
>        Called-Station-Id = "0060b33573b4"
>        Calling-Station-Id = "000e35dfc4c9"
>        NAS-Identifier = "ap"
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 40
>        NAS-Port-Id = "40"
>        Framed-MTU = 1400
>        EAP-Message = 0x0269001001746f746f407561632e626a
>        Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
..
>Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 'HsrtQesmWHodM:14211::::::' to config_items

That's not going to work with PEAP.

Ivan Kalik
Kalik Informatika ISP
