xsupplicant - freeradius EAP-TTLS PAP Access-Reject

Nagendra KS ksnaggendra at gmail.com
Tue Oct 13 16:21:32 CEST 2009


Hi All,

The supplicant tries to authenticate with EAP-TTLS; the TLS tunnel is established
properly, but RADIUS sends an Access-Reject.

Following are the xsupplicant.conf, eap.conf and RADIUS debug output. radiusd.conf
is not changed.

It would be great if anyone could help in solving this issue or identify it.

Thanks,
Nagendra.

freeradius version: FreeRADIUS Version 1.0.1
xsupplicant version: 1.2.8

Following is my xsupplicant configuration:

eap-ttls {
        root_cert = /etc/raddb/certs/ca.pem
        phase2_type = pap
        pap {
                username = test123 at mynet.net
                password = "test123"
        }
}

Following is my eap.conf configuration with freeradius:

eap {
        default_eap_type = ttls

        timer_expire     = 60

        ignore_unknown_eap_types = no

        cisco_accounting_username_bug = no

        max_sessions = 2048

        md5 {
        }

        leap {
        }

        gtc {
                auth_type = PAP
        }

        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs

                private_key_password = nagendra
                private_key_file = ${certdir}/server.pem

                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
        }
}


Following is the output of FreeRADIUS.

rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
        User-Name = "test123 at mynet.net"
        NAS-Port = 68
        State = 0x31f6a6d18c0edbbe0a8135be701c9eff
        EAP-Message = 0x020e00801500170301002003c6f62435902b65dc7748b238fc47a7e5af9cfdbfed7ce3763b8a3830ac25a41703010050bd010059a58d0a9db18cb4df099dca43c1cadebca1672d9fb2b08a9131aa32b657e2d497196c130405e11396402abbcc130558325bc9ef888c19692d6ce7e2d736b463e6bfa09de4cacdc2511be08c20
        Message-Authenticator = 0x9b2ba395fe336634039600437f39e5e4
        Acct-Session-Id = "8O2.1x81680002"
        NAS-Port-Id = "ge-0/0/0.0"
        Calling-Station-Id = "00-30-48-8b-7f-ff"
        Called-Station-Id = "00-1f-12-3f-89-40"
        NAS-Identifier = "bng-l24f1-dev"
        NAS-Port-Type = Virtual
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: EAP packet type response id 14 length 128
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched DEFAULT at 164
    users: Matched test123 at mynet.net at 235
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns updated for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "test123 at mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "test123 at mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
    users: Matched DEFAULT at 164
    users: Matched test123 at mynet.net at 235
  modcall[authorize]: module "files" returns ok for request 5
modcall: group authorize returns ok for request 5
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: group authenticate returns invalid for request 5
auth: Failed to validate the user.
Delaying request 5 for 1 seconds
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
Sending Access-Reject of id 201 to 12.12.12.2:52660
        EAP-Message = 0x040e0004
        Message-Authenticator = 0x00000000000000000000000000000000
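The debug output above has two nested authentications: the outer EAP conversation (Auth-Type EAP, TLS handshake completes) and the tunneled inner request, where the users file assigns Auth-Type System and radiusd reports "Unknown value specified for Auth-Type", i.e. no module in the authenticate section handles that Auth-Type, so the inner reply is an Access-Reject (code 3) and the outer EAP session fails with it. The following triage script is an added example, not part of the post or of FreeRADIUS; it splits radiusd -X output into the outer and inner phases, redacts the tunneled User-Password, and reports which phase produced the rejection. The sample log embedded in it is a constructed excerpt modelled on the post (host, realm and id are placeholders).

```python
"""Triage helper for FreeRADIUS 1.x debug output of an EAP-TTLS/PAP exchange.

Added example, not from the original mailing-list post. It separates the
outer EAP conversation from the tunneled (inner) request and reports where
the Access-Reject originated.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt modelled on the post; host/realm/id are placeholders.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.10:52660, id=201, length=300
        User-Name = "test123@example.net"
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled request
        User-Name = "test123@example.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Sending tunneled request
        User-Name = "test123@example.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
  rlm_eap: No EAP-Message, not doing EAP
  rad_check_password:  Found Auth-Type System
auth: type "System"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
Sending Access-Reject of id 201 to 192.0.2.10:52660
"""

AUTH_TYPE_RE = re.compile(r"rad_check_password:\s+Found Auth-Type (\S+)")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
REPLY_RE = re.compile(r"TTLS: Got tunneled reply RADIUS code (\d+)")
ERROR_RE = re.compile(r"ERROR: (.+)")
SEND_RE = re.compile(r"Sending (Access-\w+) of id")


@dataclass
class TtlsTriage:
    tunnel_established: bool = False
    inner_attributes: dict = field(default_factory=dict)
    outer_auth_type: Optional[str] = None
    inner_auth_type: Optional[str] = None
    inner_error: Optional[str] = None
    inner_reply_code: Optional[int] = None   # 2 = Access-Accept, 3 = Access-Reject
    outer_result: Optional[str] = None

    def diagnosis(self) -> str:
        """One-line verdict on where the failure sits."""
        if not self.tunnel_established:
            return "outer TLS handshake did not complete; check server/CA certificates"
        if self.inner_reply_code == 3 and self.inner_error:
            return (f"inner request rejected: Auth-Type {self.inner_auth_type!r} "
                    f"has no authenticate-section handler ({self.inner_error})")
        if self.inner_reply_code == 3:
            return "inner request rejected: credentials or inner auth module"
        if self.inner_reply_code == 2:
            return "inner request accepted"
        return "no tunneled reply seen"


def triage(log: str) -> TtlsTriage:
    """Walk the debug output line by line, tracking outer vs. inner phase."""
    t = TtlsTriage()
    phase = "outer"
    capturing_attrs = False
    for line in log.splitlines():
        line = line.rstrip()
        if "Session established" in line:
            t.tunnel_established = True
        if "TTLS: Got tunneled request" in line:
            phase, capturing_attrs = "inner", True
            continue
        if capturing_attrs:
            m = ATTR_RE.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip('"')
                # Never carry the tunneled password into triage output.
                t.inner_attributes[key] = "<redacted>" if key == "User-Password" else value
                continue
            capturing_attrs = False  # first non-attribute line ends the block
        m = AUTH_TYPE_RE.search(line)
        if m:
            if phase == "inner":
                t.inner_auth_type = m.group(1)
            else:
                t.outer_auth_type = m.group(1)
        m = ERROR_RE.search(line)
        if m and phase == "inner":
            t.inner_error = m.group(1).strip()
        m = REPLY_RE.search(line)
        if m:
            t.inner_reply_code = int(m.group(1))
            phase = "outer"  # tunneled reply returns control to the outer EAP session
        m = SEND_RE.search(line)
        if m:
            t.outer_result = m.group(1)
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"outer Auth-Type: {result.outer_auth_type}, inner Auth-Type: {result.inner_auth_type}")
    print(f"inner attributes: {result.inner_attributes}")
    print(result.diagnosis())
```

Run it against a captured `radiusd -X` log instead of SAMPLE_LOG to see whether a reject comes from the TLS handshake or from the inner tunnel; for the post's log it points at the inner Auth-Type System assignment rather than at the certificates or the PAP credentials.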