eduroam PEAP + TTLS
Jean-Philippe Ghibaudo
legdf at hotmail.com
Fri Jun 18 11:36:09 CEST 2010
Finally, you're right, there is some confusion between PEAP and TTLS... When I say our FreeRADIUS server doesn't support TTLS but only PEAP, it works...
So this is the real question: what error in my configuration can cause this?
Thank you very much!
J-P.
From: legdf at hotmail.com
To: freeradius-users at lists.freeradius.org
Subject: RE: eduroam PEAP + TTLS
Date: Fri, 18 Jun 2010 07:56:33 +0000
> Date: Thu, 17 Jun 2010 22:14:45 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> To: freeradius-users at lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
>
> Hi,
Hi, thank you very much for your quick answer!
> > I'm trying to implement PEAP-MSCHAPv2 support in an existing and working configuration with EAP-TTLS + PAP,
> > giving users full eduroam support. There are RADIUS proxies maintained by our national "provider", and they test
> > authentication every 15 minutes.
> >
> > When they only test EAP-TTLS authentication, it works, and this is part of the output of freeradius -X.
>
> Can I ask a quick question. Do you need/want your own users to use PEAP? Whether
> you choose to use EAP-TTLS/PAP or PEAP/MSCHAPv2 is up to you for your users. A visitor
> to your site should be able to use PEAP if their home site supports it, as your FreeRADIUS
> boxes will just proxy the request to the national proxies.
>
> I'm not sure why the central test should be forcing you to support all types of EAP - it
> should only check that you are working for the EAP methods that you, as an IdP support.
I need my own users to use PEAP because on Windows clients there is no support for EAP-TTLS without installing software to implement it.
And I want to use Active Directory because I can't use the actual password field in OpenLDAP with PEAP.
Otherwise you're right, this is how eduroam works.
> > } # server inner-tunnel
> > [ttls] Got tunneled reply code 2
> ^^^^^^
>
> Eh? I thought you said this second test was a PEAP test. Are you sure it is, as
> this looks very much like an EAP-TTLS/MSCHAPv2 test.
That's right, whereas before that, I've got this line:
Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius
port 0 cli 02-00-00-00-00-01 via TLS tunnel)
which occurs after these lines:
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for user at realm with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name:-None}} -> --username=user
[mschap] mschap2: d6
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=45d29cf49c25ed29
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=6c2dbac31a48ddf0cbf4a1c8e6c5c1262ec6b8f77bb9ae46
Exec-Program output: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program-Wait: plaintext: NT_KEY: 64BA19DEDFDDB5A3ABAC7FEB95BF671F
Exec-Program: returned: 0
++[mschap] returns ok
So I suppose that it's really a PEAP-MSCHAPv2 test. Maybe I've done something wrong in the order of Auth-Type in my conf files?
> > Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
> > User-Name = "user at realm"
> > EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
> > Message-Authenticator = 0x00000000000000000000000000000000
> > State = 0xcda13382c4ab2647095b27820a4b1850
>
> There's plenty in the FreeRADIUS docs about 'why do I not get anything after an Access-Challenge'
> - usually down to certs.
I've already added my certs to Active Directory, as described in eap.conf, and that solved the problem for PEAP-MSCHAPv2. So now I can use
the default PEAP options in the native WPA supplicant on Windows and that works.
I'm going to look further into this.
> alan
J-P.
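As an added example (not configuration from this thread or from the FreeRADIUS project), the following is the shape of a FreeRADIUS 2.x eap.conf, mschap module and inner-tunnel virtual server that offers both EAP-TTLS and PEAP on the same server, with both outer methods terminating in the same inner-tunnel, and with the ntlm_auth expansion written in the nested %{%{attr}:-default} form rather than the older %{attr:-default} form that produces the "Deprecated conditional expansion" warning visible in the debug output above. Certificate paths, the private key password and the --domain value are placeholders; the inner PAP path for EAP-TTLS is assumed to be whatever the existing working TTLS/PAP setup already uses (e.g. an ldap module) and is not shown.

```conf
# eap.conf (FreeRADIUS 2.x syntax) -- two outer methods, one inner-tunnel.
eap {
    # Method offered when the supplicant has not requested one. The native
    # Windows supplicant does PEAP; other clients may negotiate TTLS instead.
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    max_sessions = 4096

    tls {
        # Placeholder paths: the CA and server certificate must be the ones
        # the supplicants (and the national test client) are told to trust.
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_password = CHANGEME          # placeholder
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        fragment_size = 1024
        include_length = yes
    }

    # EAP-TTLS outer method. Inner PAP or MSCHAPv2 is handled by inner-tunnel;
    # debug lines for this path are prefixed "[ttls]".
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # PEAP outer method. Inner EAP-MSCHAPv2 is handled by the same
    # inner-tunnel; debug lines for this path are prefixed "[peap]".
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
    }

    # Inner method required by PEAP.
    mschapv2 {
    }
}

# modules/mschap -- hand the challenge/response to winbind so that Active
# Directory verifies the NT hash. This is what lets PEAP/MSCHAPv2 work
# without a cleartext or NT-hash password in LDAP.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    # Nested %{%{attr}:-default} conditional expansion (2.x form).
    # EXAMPLE is a placeholder for the AD NetBIOS domain name.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-available/inner-tunnel (excerpt) -- listing mschap in authorize is
# what sets Auth-Type = MS-CHAP when an MS-CHAP-Response is present, which
# is the "Found Auth-Type = MSCHAP" line seen in debug output.
server inner-tunnel {
    authorize {
        mschap
        eap
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

When reading freeradius -X output to tell the two outer methods apart, the module name in square brackets on the "Got tunneled reply code" line is the check: "[ttls]" means the TLS tunnel was EAP-TTLS and "[peap]" means it was PEAP, independently of which inner Auth-Type (PAP or MS-CHAP) ran inside it. Before trusting ntlm_auth from inside the server, run it by hand as the user FreeRADIUS runs as (for example with --username and --password against the same --domain) to confirm winbind membership and permissions, since a failure there shows up only as an MS-CHAP reject.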