xsupplicant - freeradius EAP-TTLS PAP Access-Reject
Nagendra KS
ksnaggendra at gmail.com
Tue Oct 13 16:21:32 CEST 2009
Hi All,
The supplicant tries to authenticate with EAP-TTLS; the TLS tunnel is established properly, but RADIUS sends an Access-Reject.
Following are the xsupplicant.conf, eap.conf and RADIUS output. radiusd.conf is not changed.
It would be great if anyone could help in solving this issue or identify it.
Thanks,
Nagendra.
freeradius version: FreeRADIUS Version 1.0.1
xsupplicant version: 1.2.8
Following is my xsupplicant configuration:
eap-ttls {
    root_cert = /etc/raddb/certs/ca.pem
    phase2_type = pap
    pap {
        username = test123@mynet.net
        password = "test123"
    }
}
Following is my eap.conf configuration with freeradius:
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 2048
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = PAP
    }
    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = nagendra
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        include_length = yes
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
    }
}
Following is the output of FreeRADIUS.
rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
        User-Name = "test123@mynet.net"
        NAS-Port = 68
        State = 0x31f6a6d18c0edbbe0a8135be701c9eff
        EAP-Message = 0x020e00801500170301002003c6f62435902b65dc7748b238fc47a7e5af9cfdbfed7ce3763b8a3830ac25a41703010050bd010059a58d0a9db18cb4df099dca43c1cadebca1672d9fb2b08a9131aa32b657e2d497196c130405e11396402abbcc130558325bc9ef888c19692d6ce7e2d736b463e6bfa09de4cacdc2511be08c20
        Message-Authenticator = 0x9b2ba395fe336634039600437f39e5e4
        Acct-Session-Id = "8O2.1x81680002"
        NAS-Port-Id = "ge-0/0/0.0"
        Calling-Station-Id = "00-30-48-8b-7f-ff"
        Called-Station-Id = "00-1f-12-3f-89-40"
        NAS-Identifier = "bng-l24f1-dev"
        NAS-Port-Type = Virtual
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
rlm_eap: EAP packet type response id 14 length 128
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched DEFAULT at 164
users: Matched test123@mynet.net at 235
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: Request found, released from the list
rlm_eap: EAP/ttls
rlm_eap: processing type ttls
rlm_eap_ttls: Authenticate
rlm_eap_tls: processing TLS
eaptls_verify returned 7
rlm_eap_tls: Done initial handshake
eaptls_process returned 7
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled request
        User-Name = "test123@mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
TTLS: Sending tunneled request
        User-Name = "test123@mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched DEFAULT at 164
users: Matched test123@mynet.net at 235
modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns ok for request 5
rad_check_password: Found Auth-Type System
auth: type "System"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
Sending Access-Reject of id 201 to 12.12.12.2:52660
        EAP-Message = 0x040e0004
        Message-Authenticator = 0x00000000000000000000000000000000
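Added example, not code from the original post or from FreeRADIUS: a small Python triage helper that splits FreeRADIUS 1.x debug output like the above into the outer EAP pass and the tunneled inner pass, and reports per pass which Auth-Type rad_check_password selected, any ERROR lines and the final RADIUS result. The embedded log is a constructed excerpt of the lines quoted in the post.

```python
"""Added triage helper: split FreeRADIUS 1.x EAP-TTLS debug output into outer and
tunneled inner passes and report each pass's Auth-Type, errors and result."""
import re

RADIUS_CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
AUTH_TYPE_RE = re.compile(r"rad_check_password: Found Auth-Type (\S+)")

# Constructed excerpt of the debug lines quoted in the post above.
SAMPLE_LOG = """\
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
TTLS: Sending tunneled request
        User-Name = "test123@mynet.net"
        User-Password = "test123"
rad_check_password: Found Auth-Type System
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
TTLS: Got tunneled reply RADIUS code 3
rlm_eap: Handler failed in EAP/ttls
Sending Access-Reject of id 201 to 12.12.12.2:52660
"""

def analyse(log: str) -> dict:
    """Return per-pass findings: {'outer': {...}, 'inner': {...}}."""
    phases = {name: {"auth_type": None, "errors": [], "result": None}
              for name in ("outer", "inner")}
    current = "outer"
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("TTLS: Sending tunneled request"):
            current = "inner"          # lines below run on the inner (tunneled) request
        elif line.startswith("TTLS: Got tunneled reply RADIUS code"):
            phases["inner"]["result"] = RADIUS_CODES.get(int(line.split()[-1]), "unknown")
            current = "outer"          # back to the outer EAP conversation
        phase = phases[current]
        m = AUTH_TYPE_RE.match(line)
        if m:
            phase["auth_type"] = m.group(1)   # Auth-Type chosen for this pass
        elif line.startswith("ERROR:"):
            phase["errors"].append(line[len("ERROR:"):].strip())
        elif line.startswith("Sending Access-"):
            phase["result"] = line.split()[1]  # outer Access-Accept/Reject/Challenge
    return phases

def failing_pass(phases: dict):
    """Pass that failed first; an inner reject propagates to the outer one."""
    for name in ("inner", "outer"):
        if phases[name]["result"] == "Access-Reject" or phases[name]["errors"]:
            return name, phases[name]["auth_type"], phases[name]["errors"]
    return None
```

Running `failing_pass(analyse(SAMPLE_LOG))` on the constructed excerpt points at the inner pass with Auth-Type System and its "Unknown value specified for Auth-Type" error, which is the place to look before the outer EAP failure.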