EAP-TTLS (PAP) with Win2K3 domain not working

Petar Marinkovic highl1 at gmail.com
Fri Jun 26 15:28:28 CEST 2009

The thing is that a colleague has software, developed by his company, I cannot
disclose which one, that can test eap-gtc, and that works. And the thing is,
when he tries to connect to the freeradius server I set up, he cannot auth with
domain username and pw. He can auth with EAP-TLS, EAP-TTLS with PAP,
EAP-mschapv1 and EAP-mschapv2 and the only thing left to try is EAP-GTC. So
my question is, what needs to be done on server side to make that happen?

This is the server output:

[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> FALSE
++? if (!control:Auth-Type) -> FALSE
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "testpass"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
[eap] Handler failed in EAP/gtc
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
} # server inner-tunnel
[ttls] Got tunneled reply code 3
    EAP-Message = 0x04030004
    Message-Authenticator = 0x00000000000000000000000000000000
[ttls] Got tunneled Access-Reject
  SSL: Removing session 28767d93f75a91c5975ff5a5bb2862e3703de9c700b7e4e1a6db061068d2a37a from the cache

[eap] Handler failed in EAP/ttls
rlm_eap_ttls: Freeing handler for user test
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> Anonymous
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated

So my question is, what needs to be set up in order to make eap-gtc work with
win2k3 domain?

Thanks once again, you've been most helpful



On Fri, Jun 26, 2009 at 14:10, Ivan Kalik <tnt at kalik.net> wrote:

> > All of this is for testing purposes. So, I just need all of those methods
> > to work, if it can't work with domain, then cleartext password will be fine.
> > Can you give me some more info about setting up TTLS-GTC, testing is being
> > done on Windows XP. Also, for EAP-TTLS with chap, enabling user is enough,
> > right?
>
> Every method that works with passwords will work with Cleartext-Password
> in users file. Working with encrypted passwords is restricting choice.
> wpa_supplicant has a Windows port. It should work with all the mentioned
> protocols. For download and documentation (installation, configuration)
> look up their site. Their testing tool (eapol_test) is used extensively by
> freeradius developers for testing EAP protocols without the hardware.
>
> Ivan Kalik
> Kalik Informatika ISP
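
An added example, not part of the original thread: a small Python helper that walks FreeRADIUS debug output like the lines quoted above, reports which module failed and its last message, and redacts the password that the `[pap]` debug line prints before the log is shared. The function names `redact` and `diagnose` are hypothetical, and the sample log is a shortened copy constructed from the quoted output.

```python
import re

# Constructed sample: a shortened copy of debug lines quoted in the message above.
SAMPLE_LOG = '''\
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
[pap] login attempt with password "testpass"
[pap] No password configured for the user.  Cannot do authentication
++[pap] returns fail
[eap] Handler failed in EAP/gtc
++[eap] returns invalid
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
'''

PASSWORD_RE = re.compile(r'(login attempt with password )"[^"]*"')
FAILED_EAP_RE = re.compile(r'\[eap\] Handler failed in EAP/(\w+)')
GROUP_RE = re.compile(r'\[(\w+)\] \+- entering group (\S+)')
RETURN_RE = re.compile(r'\+\+\[(\w+)\] returns (fail|reject|invalid)')
MSG_RE = re.compile(r'\[(\w+)\] (.*)')


def redact(text):
    """Mask the cleartext password that debug mode prints for PAP."""
    return PASSWORD_RE.sub(r'\1"<redacted>"', text)


def diagnose(log):
    """Return failed EAP types, module delegations and failing modules."""
    last_msg = {}  # most recent message logged by each module
    out = {"failed_eap": [], "delegations": [], "failures": []}
    for raw in log.splitlines():
        line = redact(raw.strip())
        m = FAILED_EAP_RE.search(line)
        if m:
            out["failed_eap"].append(m.group(1))
        if (m := GROUP_RE.match(line)):
            # e.g. EAP-GTC handing the password to the PAP section
            out["delegations"].append((m.group(1), m.group(2)))
        elif (m := RETURN_RE.match(line)):
            # pair the failing return code with that module's last message
            out["failures"].append((m.group(1), m.group(2), last_msg.get(m.group(1))))
        elif (m := MSG_RE.match(line)):
            last_msg[m.group(1)] = m.group(2)
    return out


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

On the sample, the first failure reported is `pap` with "No password configured for the user", which is the condition the reply addresses with a Cleartext-Password entry in the users file.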