WPA and EAP-TTLS oddity
Thierry Chich
thierry.chich at ac-clermont.fr
Thu Jan 31 22:05:16 CET 2008
William Bulley wrote:
> I swear this has worked for me in the past! Scenario:
>
> +-----------------------------------+
> | ThinkPad T42 with D-Link DWL-G660 |
> | (ath0) on FreeBSD 6.2-STABLE |
> | running wpa_supplicant 0.4.8 |
> +-----------------------------------+
> ^
> 802.1X | EAP-TTLS
> v
> +---------------------------------------+
> | Cisco 1131AG 802.11a/b/g AP IOS 12.4 |
> +---------------------------------------+
> ^
> EAP-TTLS | RADIUS
> v
> +-----------------------------------+
> | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |
> +-----------------------------------+
>
> The configs are at the end of this message. It almost
> works, but the behaviour changes depending on the case
> (uppercase/lowercase) of the "phase2" value!
>
> In both cases below ("auth=PAP" and "auth=pap") the EAP-TTLS session
> has been established. In one case, I get an ERROR because "PAP" is
> unknown. In the other case ("pap"), FreeRADIUS cannot locate the
> cleartext password ("password"). What am I missing? Is this an
> issue with wpa_supplicant(8) itself? Has anyone gotten EAP-TTLS
> to work with simple PAP inside the tunnel? About two years ago, I
> had this working (using PAP inside the tunnel) but it was an early
> version of wpa_supplicant(8) and probably FreeBSD 4.x or early 5.x.
>
> =*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=
>
> ctrl_interface=/var/run/wpa_supplicant
> ctrl_interface_group=0
>
> network={
> ssid="testing"
> key_mgmt=WPA-EAP
> eap=TTLS
> anonymous_identity="anonymous"
> identity="foo"
> password="password"
> phase2="auth=PAP"
> }
>
> =*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=
>
> eap {
> default_eap_type = ttls
> timer_expire = 60
> ignore_unknown_eap_types = no
> cisco_accounting_username_bug = yes
> tls {
> private_key_password = whatever
> private_key_file = ${raddbdir}/certs/cert-srv.pem
> certificate_file = ${raddbdir}/certs/cert-srv.pem
> CA_file = ${raddbdir}/certs/demoCA/cacert.pem
> dh_file = ${raddbdir}/certs/dh
> random_file = ${raddbdir}/certs/random
> fragment_size = 1024
> include_length = yes
> cipher_list = "DEFAULT"
> }
>
> ttls {
> default_eap_type = md5
> copy_request_to_tunnel = yes
> use_tunneled_reply = yes
> }
> }
>
> =*=*=*=*=*=*=*=*= simplified radiusd.conf =*=*=*=*=*=*=*=*=*=*=
>
> [snip] unimportant stuff omitted [/snip]
>
> $INCLUDE ${confdir}/clients.conf
> $INCLUDE ${confdir}/eap.conf
>
> instantiate {
> }
>
> authorize {
> preprocess
> auth_log
> eap
> files
> pap
> }
>
> authenticate {
> eap
> }
>
For me, you have to specify

Auth-Type LDAP {
    ldap
}

in the authenticate section.
> preacct {
> preprocess
> acct_unique
> }
>
> accounting {
> detail
> }
>
> post-auth {
> reply_log
> }
>
> =*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=PAP" =*=*=*=*=*=*=*=*=*=
>
> rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok for request 5
> radius_xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
> rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d
> expands to /var/log/radacct/127.0.0.1/auth-20080131
> modcall[authorize]: module "auth_log" returns ok for request 5
> rlm_eap: No EAP-Message, not doing EAP
> modcall[authorize]: module "eap" returns noop for request 5
> users: Matched entry foo at line 217
> modcall[authorize]: module "files" returns ok for request 5
> modcall[authorize]: module "pap" returns updated for request 5
> modcall: leaving group authorize (returns updated) for request 5
> rad_check_password: Found Auth-Type pap
> auth: type "PAP"
> ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
> auth: Failed to validate the user.
> Trying to look up name of unknown client 127.0.0.1.
> Login incorrect: [foo/password]
> (from client UNKNOWN-CLIENT port 260 cli 00-xx-xx-xx-xx-xx)
> TTLS: Got tunneled Access-Reject
> rlm_eap: Handler failed in EAP/ttls
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: leaving group authenticate (returns invalid) for request 5
> auth: Failed to validate the user.
>
> =*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=pap" =*=*=*=*=*=*=*=*=*=
>
> rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
> TTLS: Got tunneled identity of foo
> TTLS: Setting default EAP type for tunneled EAP session.
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 5
> modcall[authorize]: module "preprocess" returns ok for request 5
> radius_xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
> rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d
> expands to /var/log/radacct/127.0.0.1/auth-20080131
> modcall[authorize]: module "auth_log" returns ok for request 5
> rlm_eap: EAP packet type response id 6 length 8
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module "eap" returns updated for request 5
> users: Matched entry foo at line 217
> modcall[authorize]: module "files" returns ok for request 5
> rlm_pap: Found existing Auth-Type, not changing it.
> modcall[authorize]: module "pap" returns noop for request 5
> modcall: leaving group authorize (returns updated) for request 5
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 5
> rlm_eap: EAP Identity
> rlm_eap: No such EAP type md5
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: leaving group authenticate (returns invalid) for request 5
> auth: Failed to validate the user.
> Trying to look up name of unknown client 127.0.0.1.
> Login incorrect: [foo/<no User-Password attribute>]
> (from client UNKNOWN-CLIENT port 261 cli 00-xx-xx-xx-xx-xx)
> TTLS: Got tunneled Access-Reject
> rlm_eap: Handler failed in EAP/ttls
> TTLS: Freeing handler for user foo
> rlm_eap: Failed in EAP select
> modcall[authenticate]: module "eap" returns invalid for request 5
> modcall: leaving group authenticate (returns invalid) for request 5
> auth: Failed to validate the user.
>
> =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
>
> This one has me stumped. :-(
>
> Regards,
>
> web...
>
> --
> William Bulley Email: web at umich.edu
>
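The two traces above differ in one tell-tale line each: the first finds Auth-Type pap and then reports "Unknown value specified for Auth-Type" (no matching block in authenticate), the second never carries a User-Password at all and falls through to tunneled EAP-MD5. The small triage script below, added here as an example and not part of the thread, turns those lines into concrete findings; the constructed authenticate snippets and trimmed trace excerpts are assumptions based on the quoted config and debug output.

```python
import re

# Constructed copies of the 'authenticate' section: as quoted in the thread
# (only 'eap'), and with an Auth-Type PAP block added (assumed fix, not from the thread).
AUTHENTICATE_AS_POSTED = "authenticate {\n    eap\n}\n"
AUTHENTICATE_WITH_PAP = "authenticate {\n    Auth-Type PAP {\n        pap\n    }\n    eap\n}\n"

# Constructed debug excerpts, trimmed from the two traces quoted above.
TRACE_UPPER = """rad_check_password: Found Auth-Type pap
auth: type "PAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Login incorrect: [foo/password]"""
TRACE_LOWER = """TTLS: Setting default EAP type for tunneled EAP session.
rad_check_password: Found Auth-Type EAP
rlm_eap: No such EAP type md5
Login incorrect: [foo/<no User-Password attribute>]"""


def auth_type_blocks(section_text):
    """Return the set of Auth-Type names (upper-cased) declared in a section."""
    return {m.group(1).upper()
            for m in re.finditer(r"Auth-Type\s+(\S+)\s*\{", section_text)}


def diagnose(trace, authenticate_text):
    """Map the tell-tale debug lines to configuration findings (empty list = nothing found)."""
    findings = []
    declared = auth_type_blocks(authenticate_text)
    found = re.search(r"rad_check_password: Found Auth-Type (\S+)", trace)
    # Auth-Type was chosen in authorize, but authenticate has no block to run it.
    if found and "Unknown value specified for Auth-Type" in trace:
        want = found.group(1).upper()
        if want not in declared:
            findings.append(f"authenticate lacks 'Auth-Type {want} {{ {want.lower()} }}'")
    # The inner request was EAP, and the default tunneled EAP type is not loaded.
    missing_eap = re.search(r"rlm_eap: No such EAP type (\S+)", trace)
    if missing_eap:
        findings.append(f"tunneled EAP fell back to '{missing_eap.group(1)}', "
                        "which is not configured in eap.conf")
    # No User-Password means the supplicant did not send PAP inside the tunnel.
    if "<no User-Password attribute>" in trace:
        findings.append("inner request carried no User-Password: the supplicant did not do PAP")
    return findings
```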