WPA and EAP-TTLS oddity
William Bulley
web at umich.edu
Thu Jan 31 21:01:06 CET 2008
I swear this has worked for me in the past! Scenario:
      +-----------------------------------+
      | ThinkPad T42 with D-Link DWL-G660 |
      |   (ath0) on FreeBSD 6.2-STABLE    |
      |   running wpa_supplicant 0.4.8    |
      +-----------------------------------+
                        ^
              802.1X    |   EAP-TTLS
                        v
    +---------------------------------------+
    | Cisco 1131AG 802.11a/b/g AP  IOS 12.4 |
    +---------------------------------------+
                        ^
             EAP-TTLS   |   RADIUS
                        v
      +-----------------------------------+
      | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |
      +-----------------------------------+
The configs are at the end of this message. It almost
works, but the behaviour changes depending on the case
(uppercase/lowercase) of the "phase2" value!
In both cases below ("auth=PAP" and "auth=pap") the EAP-TTLS session
has been established. In one case, I get an ERROR because "PAP" is
unknown. In the other case ("pap"), FreeRADIUS cannot locate the
cleartext password ("password"). What am I missing? Is this an
issue with wpa_supplicant(8) itself? Has anyone gotten EAP-TTLS
to work with simple PAP inside the tunnel? About two years ago, I
had this working (using PAP inside the tunnel) but it was an early
version of wpa_supplicant(8) and probably FreeBSD 4.x or early 5.x.
=*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

network={
    ssid="testing"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="foo"
    password="password"
    phase2="auth=PAP"
}
=*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes

    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        cipher_list = "DEFAULT"
    }

    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
=*=*=*=*=*=*=*=*= simplified radiusd.conf =*=*=*=*=*=*=*=*=*=*=
[snip] unimportant stuff omitted [/snip]

$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/eap.conf

instantiate {
}

authorize {
    preprocess
    auth_log
    eap
    files
    pap
}

authenticate {
    eap
}

preacct {
    preprocess
    acct_unique
}

accounting {
    detail
}

post-auth {
    reply_log
}
=*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=PAP" =*=*=*=*=*=*=*=*=*=
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-20080131
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched entry foo at line 217
modcall[authorize]: module "files" returns ok for request 5
modcall[authorize]: module "pap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type pap
auth: type "PAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/password]
(from client UNKNOWN-CLIENT port 260 cli 00-xx-xx-xx-xx-xx)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
=*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=pap" =*=*=*=*=*=*=*=*=*=
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled identity of foo
TTLS: Setting default EAP type for tunneled EAP session.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-20080131
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: EAP packet type response id 6 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry foo at line 217
modcall[authorize]: module "files" returns ok for request 5
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: No such EAP type md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/<no User-Password attribute>]
(from client UNKNOWN-CLIENT port 261 cli 00-xx-xx-xx-xx-xx)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
TTLS: Freeing handler for user foo
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
This one has me stumped. :-(
Regards,
web...
--
William Bulley Email: web at umich.edu
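Added example, not part of William's message and not FreeRADIUS or wpa_supplicant code: a small Python triage script run over the two debug snippets quoted above. It keys on messages FreeRADIUS 1.x prints. "ERROR: Unknown value specified for Auth-Type" is what the indexed module call emits when rad_check_password has chosen an Auth-Type for which the authenticate{} section holds no matching "Auth-Type NAME { ... }" sub-section; "rlm_eap: No such EAP type md5" is rlm_eap refusing an inner EAP type that eap.conf never defines (the posted eap.conf sets default_eap_type = md5 for ttls but has no md5 sub-section). The script also infers what the TLS tunnel actually carried: a tunneled User-Password means inner PAP, while "Setting default EAP type for tunneled EAP session" together with "<no User-Password attribute>" means the supplicant sent EAP inside TTLS, which is consistent with wpa_supplicant matching the phase2 keyword case-sensitively and falling back to inner EAP when it does not recognise the string. The sample input is trimmed from the snippets in the post; the classification logic and the wording of the findings are this example's own.

```python
"""Triage of FreeRADIUS 1.x debug output for a tunneled EAP-TTLS request.
Added example (not from the original post): records module results, the
Auth-Type the server dispatched on, what the tunnel carried, and maps the
two failure messages quoted in the post to the config gap each indicates."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MODCALL_RE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
FOUND_AUTHTYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")
AUTHTYPE_NAME_RE = re.compile(r'auth: type "([^"]+)"')
NO_EAP_TYPE_RE = re.compile(r"rlm_eap: No such EAP type (\S+)")
LOGIN_RE = re.compile(r"Login incorrect: \[([^/]+)/([^\]]*)\]")


@dataclass
class Triage:
    inner_method: str = "unknown"      # what travelled inside the TLS tunnel: PAP or EAP
    auth_type: Optional[str] = None    # Auth-Type value rad_check_password dispatched on
    rejected: bool = False             # a tunneled Access-Reject was seen
    module_results: Dict[Tuple[str, str], str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)


def triage(debug_output: str) -> Triage:
    """Walk the debug lines once and fill in a Triage record."""
    t = Triage()
    for raw in debug_output.splitlines():
        line = raw.strip()
        m = MODCALL_RE.search(line)
        if m:
            section, module, result = m.groups()
            t.module_results[(section, module)] = result
            continue
        m = FOUND_AUTHTYPE_RE.search(line) or AUTHTYPE_NAME_RE.search(line)
        if m:
            t.auth_type = m.group(1)   # the 'auth: type "X"' line carries the dictionary name
            continue
        if line.startswith("TTLS: Setting default EAP type for tunneled EAP session"):
            t.inner_method = "EAP"     # rlm_eap_ttls only says this for an inner EAP payload
            continue
        m = LOGIN_RE.search(line)
        if m:
            if m.group(2) != "<no User-Password attribute>":
                t.inner_method = "PAP"   # a tunneled User-Password means inner PAP
            elif t.inner_method == "unknown":
                t.inner_method = "EAP"
            continue
        m = NO_EAP_TYPE_RE.search(line)
        if m:
            t.findings.append(
                f"inner EAP type '{m.group(1)}' is requested (ttls default_eap_type) but "
                f"eap.conf has no '{m.group(1)} {{ }}' sub-section, so rlm_eap cannot run it")
            continue
        if "Unknown value specified for Auth-Type" in line:
            t.findings.append(
                f"Auth-Type {t.auth_type} was selected but authenticate{{}} has no "
                f"'Auth-Type {t.auth_type} {{ ... }}' sub-section to run for it")
            continue
        if line == "TTLS: Got tunneled Access-Reject":
            t.rejected = True
    return t


# Trimmed excerpts of the two debug snippets quoted in the post above.
SNIPPET_UPPER = """\
modcall[authorize]: module "eap" returns noop for request 5
modcall[authorize]: module "files" returns ok for request 5
modcall[authorize]: module "pap" returns updated for request 5
rad_check_password: Found Auth-Type pap
auth: type "PAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
Login incorrect: [foo/password]
TTLS: Got tunneled Access-Reject
"""

SNIPPET_LOWER = """\
TTLS: Setting default EAP type for tunneled EAP session.
modcall[authorize]: module "eap" returns updated for request 5
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
rlm_eap: No such EAP type md5
Login incorrect: [foo/<no User-Password attribute>]
TTLS: Got tunneled Access-Reject
"""

if __name__ == "__main__":
    for label, text in (("auth=PAP", SNIPPET_UPPER), ("auth=pap", SNIPPET_LOWER)):
        r = triage(text)
        print(f'phase2="{label}": inner={r.inner_method} Auth-Type={r.auth_type} '
              f"rejected={r.rejected}")
        for finding in r.findings:
            print("  ->", finding)
```

Run it as-is to see both snippets classified; to triage a live capture, feed the full output of `radiusd -X` to `triage()`. The point of keeping module results keyed by (section, module) is that the two runs differ exactly where the debug output says they do: `pap` returns `updated` only when a cleartext User-Password arrived through the tunnel, and `noop` when an Auth-Type was already set by `eap`.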