eap-ttls failing

Josh Hiner josh at remc1.org
Fri Jan 23 18:43:54 CET 2009


I have a Ruckus ZoneDirector 1025 with WAPs that I just installed. I am 
testing out the different EAP types I can use. I am using FreeRadius 2.1.3. 
I have eap-ttls and eap-peapv0 working perfectly (I am using Windows to 
control the wireless card for peap and it works great). I was going to try 
eap-tls by assigning a client certificate to the machine account so the 
computer account authenticates on the wireless and then the user can log 
into the domain. I did this and got errors. It kind of looks to me like 
the Zone Director is not sending the correct EAP message for eap-tls. 
Maybe someone could point me in the right direction. Also, something is 
putting host/ in front of the User-Name field. In the certificate, I 
have the common name as joshhiner, not host/joshhiner. I wonder if the Zone 
Director is mangling EAP? Also, the wireless card is a mini-PCI Broadcom 
in a Compaq 6710b.

Thanks -Josh

Error:

Ready to process requests.
rad_recv: Access-Request packet from host 172.17.10.108 port 1027, 
id=186, length=192
    User-Name = "host/joshhiner"
    NAS-IP-Address = 172.17.10.108
    NAS-Identifier = "00:1f:41:3a:82:f9"
    NAS-Port = 2
    Called-Station-Id = "00-1F-41-3A-82-F9:CCISD-REMC1"
    Calling-Station-Id = "00-21-00-41-AE-4F"
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    Connect-Info = "CONNECT 11Mbps 802.11b"
    EAP-Message = 0x0200001301686f73742f6a6f736868696e6572
    Message-Authenticator = 0x5a46b20a893c5d940dfacf2c35c1bd83
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "host/joshhiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[ntdomain] No '\' in User-Name = "host/joshhiner", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 226
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> host/joshhiner
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 2 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 2
Sending Access-Reject of id 186 to 172.17.10.108 port 1027
Waking up in 4.9 seconds.
Cleaning up request 2 ID 186 with timestamp +373
Ready to process requests.
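The EAP-Message attribute in the trace above can be decoded by hand to see what identity the supplicant actually sent, independent of what the NAS put in User-Name. The following is an added example (not code from the original post or from FreeRADIUS) that parses the RFC 3748 EAP header and Identity type from that hex value and checks it against the User-Name line; SAMPLE_TRACE is constructed from the two attribute lines shown in the debug output.

```python
"""Decode the EAP-Message attribute from a FreeRADIUS debug trace (RFC 3748 framing)."""
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# Constructed from the radiusd -X output above: only the two lines this example needs.
SAMPLE_TRACE = """\
    User-Name = "host/joshhiner"
    EAP-Message = 0x0200001301686f73742f6a6f736868696e6572
"""


def decode_eap_message(hexstr: str) -> dict:
    """Parse Code/Identifier/Length, then Type and Type-Data for Request/Response packets."""
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):  # a bad Length field means a truncated or corrupted attribute
        raise ValueError(f"EAP Length {length} does not match attribute size {len(data)}")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response needs a Type byte")
        out["type"] = EAP_TYPES.get(data[4], data[4])
        out["type_data"] = data[5:]
        if data[4] == 1:  # Identity: Type-Data is the NAI string the supplicant chose
            out["identity"] = data[5:].decode("utf-8", "replace")
    return out


def extract_from_trace(trace: str) -> tuple:
    """Pull User-Name and the raw EAP-Message hex out of a radiusd -X attribute dump."""
    user = re.search(r'User-Name = "([^"]*)"', trace)
    eap = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", trace)
    if not user or not eap:
        raise ValueError("trace lacks User-Name or EAP-Message")
    return user.group(1), eap.group(1)


def outer_identity_matches(trace: str) -> bool:
    """True when the RADIUS User-Name equals the EAP Identity carried inside EAP-Message,
    i.e. the NAS copied the supplicant's identity into User-Name rather than rewriting it."""
    user_name, eap_hex = extract_from_trace(trace)
    msg = decode_eap_message(eap_hex)
    return msg.get("identity") == user_name
```

Running `decode_eap_message` on the value from the trace yields a Response (id 0, length 19) of type Identity carrying "host/joshhiner", and `outer_identity_matches(SAMPLE_TRACE)` is True, so the host/ prefix is already present in the supplicant's own EAP Identity response.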



More information about the Freeradius-Users mailing list