Freeradius configuration to support EAP-TLS, EAP-TTLS and EAP-PEAP
tnt at kalik.net
Thu Dec 11 16:15:33 CET 2008
>We are having some issues in setting up freeradius to support EAP-TLS, EAP-TTLS and EAP-PEAP.
>Our goal is to have our authentication server providing those three Auth-Types simultaneously.
>To support EAP-TLS, we generate our CA and certificates via TinyCA.
>
>We also add the radius log after an authentication attempt from a Windows XP OS
>using the Windows built-in supplicant, supplying a username and password stored in
>our /etc/passwd file. But the authentication failed with this error message:
>
>rlm_eap: identity does not match User-Name, setting from EAP identity
>
>Thu Dec 11 14:59:10 2008 : Debug: radiusd: #### Loading Realms and Home Servers ####
>Thu Dec 11 14:59:10 2008 : Debug: proxy server {
>Thu Dec 11 14:59:10 2008 : Debug:       retry_delay = 5
>Thu Dec 11 14:59:10 2008 : Debug:       retry_count = 3
>Thu Dec 11 14:59:10 2008 : Debug:       default_fallback = no
>Thu Dec 11 14:59:10 2008 : Debug:       dead_time = 120
>Thu Dec 11 14:59:10 2008 : Debug:       wake_all_if_all_dead = no
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: home_server localhost {
>Thu Dec 11 14:59:10 2008 : Debug:       ipaddr = 127.0.0.1
>Thu Dec 11 14:59:10 2008 : Debug:       port = 1812
>Thu Dec 11 14:59:10 2008 : Debug:       type = "auth"
>Thu Dec 11 14:59:10 2008 : Debug:       secret = "testing123"
>Thu Dec 11 14:59:10 2008 : Debug:       response_window = 20
>Thu Dec 11 14:59:10 2008 : Debug:       max_outstanding = 65536
>Thu Dec 11 14:59:10 2008 : Debug:       zombie_period = 40
>Thu Dec 11 14:59:10 2008 : Debug:       status_check = "status-server"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_check = "none"
>Thu Dec 11 14:59:10 2008 : Debug:       ping_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       check_interval = 30
>Thu Dec 11 14:59:10 2008 : Debug:       num_answers_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       num_pings_to_alive = 3
>Thu Dec 11 14:59:10 2008 : Debug:       revive_interval = 120
>Thu Dec 11 14:59:10 2008 : Debug:       status_check_timeout = 4
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: home_server_pool my_auth_failover {
>Thu Dec 11 14:59:10 2008 : Debug:       type = fail-over
>Thu Dec 11 14:59:10 2008 : Debug:       home_server = localhost
>Thu Dec 11 14:59:10 2008 : Debug: }
>Thu Dec 11 14:59:10 2008 : Debug: realm uac.bj {
>Thu Dec 11 14:59:10 2008 : Debug:       auth_pool = my_auth_failover
>Thu Dec 11 14:59:10 2008 : Debug: }
You have configured the server to proxy requests to itself. Don't do
that. Configure it as a local realm (just {}).
..
>rad_recv: Access-Request packet from host 172.21.1.251 port 1035, id=233, length=145
>        User-Name = "toto at uac.bj"
>        NAS-IP-Address = 172.21.1.251
>        Connect-Info = "CONNECT 802.11"
>        Called-Station-Id = "0060b33573b4"
>        Calling-Station-Id = "000e35dfc4c9"
>        NAS-Identifier = "ap"
>        NAS-Port-Type = Wireless-802.11
>        NAS-Port = 40
>        NAS-Port-Id = "40"
>        Framed-MTU = 1400
>        EAP-Message = 0x0269001001746f746f407561632e626a
>        Message-Authenticator = 0x4047d95682a4670d24da3c2fa434814e
..
>Thu Dec 11 15:00:37 2008 : Debug: rlm_passwd: Added MD5-Password: 'HsrtQesmWHodM:14211::::::' to config_items
That's not going to work with PEAP.
Ivan Kalik
Kalik Informatika ISP
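The two points raised above, shown as configuration fragments. This is an added example, not the poster's files or part of the thread: the "before" part reconstructs the self-proxying realm the debug output shows; the local-realm block and the users entry are the assumed corrections (the password value is a placeholder).

```conf
# --- proxy.conf: what the debug output above corresponds to (do not do this) ---
# home_server localhost {
#     ipaddr = 127.0.0.1
#     port   = 1812
#     type   = auth
#     secret = testing123
# }
# home_server_pool my_auth_failover {
#     type        = fail-over
#     home_server = localhost      # points back at this same server
# }
# realm uac.bj {
#     auth_pool = my_auth_failover # every toto@uac.bj request is proxied to ourselves
# }

# --- proxy.conf: corrected. An empty body declares uac.bj as a local realm,
# so requests for toto@uac.bj are authenticated here instead of being proxied.
realm uac.bj {
}

# --- users: assumed replacement for the /etc/passwd lookup. The crypt hash that
# rlm_passwd loaded as MD5-Password cannot answer the MS-CHAPv2 challenge that
# PEAP carries, so the inner method needs a password form it can compute with.
# "example-password" is a placeholder, not a value from the thread.
toto    Cleartext-Password := "example-password"
```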