eduroam PEAP + TTLS

Jean-Philippe Ghibaudo legdf at hotmail.com
Thu Jun 17 19:00:59 CEST 2010


Hi,

Before beginning, sorry for my bad English, I'm French.

I'm trying to implement PEAP-MSCHAPV2 support in an existing and working configuration with EAP-TTLS + PAP,
giving users full support of eduroam. There are proxy RADIUS servers maintained by our national "provider", and they test
authentication every 15 minutes.

When they only test EAP-TTLS authentication, it works, and this is part of the output of freeradius -X.

Login OK: [user/password] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> user at realm
[sql] sql_set_user escaped user --> 'user at realm'
[sql]   expand: %{User-Password} -> password
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'user at realm',                           'password',                           'Access-Accept', '2010-06-17 18:17:02')
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'user at realm',                           'password',                           'Access-Accept', '2010-06-17 18:17:02')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'user at realm',                           'password',                           'Access-Accept', '2010-06-17 18:17:02')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
        expand: %{request:User-Name} -> user at realm
++[outer.reply] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
        User-Name := "user at realm"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client proxyradius port 0 cli 02-00-00-00-00-01)

Then, when I specify that our FreeRADIUS server supports PEAP-MSCHAPV2, they test PEAP first and never
receive an Access-Accept or Access-Reject for the outer identity, anonymous at realm. Here is
the output:

Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> user at realm
[sql] sql_set_user escaped user --> 'user at realm'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           '%{User-Name}',                           '%{%{User-Password}:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'user at realm',                           '',                           'Access-Accept', '2010-06-17 15:32:07')
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'user at realm',                           '',                           'Access-Accept', '2010-06-17 15:32:07')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  INSERT INTO radpostauth                           (username, pass, reply, authdate)                           VALUES (                           'user at realm',                           '',                           'Access-Accept', '2010-06-17 15:32:07')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
        expand: %{request:User-Name} -> user at realm
++[outer.reply] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
        User-Name := "user at realm"
        MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
        User-Name = "user at realm"
        EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcda13382c4ab2647095b27820a4b1850
Finished request 11.
Going to the next request
Waking up in 4.7 seconds.

And then, the proxy RADIUS sends a new Access-Request and the outer identity is never accepted. But user at realm is authenticated...

I'm sorry, I know you need more information about my configs and outputs, but I don't want to make this post longer than it is... So I can
post more information...

Thank you for helping me!

J-P.
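The post-auth query visible in both debug excerpts writes whatever `%{User-Password}` (or, failing that, `%{Chap-Password}`) expands to into the `pass` column of `radpostauth`, so the EAP-TTLS/PAP run stores the user's password in clear while the MSCHAPv2 run stores an empty string. The script below is an added example (not part of the post or of FreeRADIUS): it parses `freeradius -X` output of the same shape, recovers the row that was inserted, and reports whether a cleartext credential was logged and whether the outer exchange reached an Access-Accept or is still at an Access-Challenge. The sample lines are constructed to mirror the two excerpts above.

```python
import re

# Constructed samples mirroring the two freeradius -X excerpts in the post:
# an EAP-TTLS/PAP run and an MSCHAPv2 run (values are the post's own placeholders).
SAMPLE_PAP = """\
Login OK: [user/password] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('user at realm', 'password', 'Access-Accept', '2010-06-17 18:17:02')
[ttls] Got tunneled reply code 2
Login OK: [anonymous/<via Auth-Type = EAP>] (from client proxyradius port 0 cli 02-00-00-00-00-01)
"""
SAMPLE_MSCHAP = """\
Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('user at realm', '', 'Access-Accept', '2010-06-17 15:32:07')
[ttls] Got tunneled reply code 2
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
"""

POSTAUTH_RE = re.compile(
    r"sql_postauth: query is INSERT INTO radpostauth\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)")
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")          # one single-quoted SQL literal
REPLY_CODE_RE = re.compile(r"Got tunneled reply code (\d+)")
OUTER_RE = re.compile(r"^Sending (Access-\w+) of id", re.M)
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def parse_postauth_rows(debug_text):
    """Return the radpostauth rows the debug output shows being inserted, as dicts."""
    rows = []
    for m in POSTAUTH_RE.finditer(debug_text):
        cols = [c.strip() for c in m.group(1).split(",")]
        vals = VALUE_RE.findall(m.group(2))
        if len(cols) == len(vals):               # skip rows we cannot map column-for-column
            rows.append(dict(zip(cols, vals)))
    return rows

def audit(debug_text):
    """Summarise one authentication run: inner result, outer result, credential leakage."""
    rows = parse_postauth_rows(debug_text)
    codes = [int(c) for c in REPLY_CODE_RE.findall(debug_text)]
    outer = OUTER_RE.findall(debug_text)
    if outer:
        outer_reply = outer[-1]
    elif any(l.startswith("Login OK") and "via TLS tunnel" not in l
             for l in debug_text.splitlines()):
        outer_reply = "Access-Accept"            # outer identity logged in without a Sending line
    else:
        outer_reply = None
    return {
        "inner_reply": RADIUS_CODES.get(codes[-1]) if codes else None,
        "outer_reply": outer_reply,
        "logged_users": [r.get("username") for r in rows],
        # non-empty 'pass' means the cleartext credential landed in the audit table
        "cleartext_password_logged": any(r.get("pass") for r in rows),
    }
```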

 		 	   		  
_________________________________________________________________
Installez gratuitement les nouvelles Emoch'ticones !
http://www.ilovemessenger.fr/emoticones/telecharger-emoticones-emochticones.aspx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20100617/2414fdb6/attachment.html>

