eduroam PEAP + TTLS

Jean-Philippe Ghibaudo legdf at hotmail.com
Mon Jun 21 15:21:19 CEST 2010


Hi,

I need to have EAP-TTLS working with LDAP bind and PEAP-MSCHAPV2 with 
Samba + Winbind + Active Directory.

I've got winbind very unstable... I can successfully authenticate using eapol_test, but a few minutes later I get an MPPE keys mismatch. If I restart winbind, I can authenticate a few times and then it stops working.

I'm not really sure I understand how I have to set "Auth-Type" in inner-tunnel and/or default (sites-enabled).

I've got :

        Auth-Type MS-CHAP {
                mschap
        }

and then

        Auth-Type LDAP {
                ldap
        }

in the authenticate section. I've got mschap then ldap in the authorize section.

Is there a mistake here?

This is the end of the output of eapol_test for PEAP when it fails:

RADIUS packet matching with station
decapsulated EAP packet (code=1 id=11 len=91) from RADIUS server: EAP-Request-PEAP (25)
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=11 method=25 vendor=0 vendorMethod=0
EAP: EAP entering state METHOD
SSL: Received packet(len=91) - Flags 0x00
EAP-PEAP: received 85 bytes encrypted data for Phase 2
EAP-PEAP: Decrypted Phase 2 EAP - hexdump(len=47): 1a 03 0a 00 2e 53 3d 39 38 37 31 42 31 30 45 38 46 35 35 36 30 41 44 34 37 32 36 36 34 43 34 43 35 45 31 42 32 46 34 39 44 35 36 46 39 39 36
EAP-PEAP: received Phase 2: code=1 identifier=11 length=51
EAP-PEAP: Phase 2 Request: type=26
EAP-MSCHAPV2: RX identifier 11 mschapv2_id 10
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
Signal 2 received - terminating
EAPOL: EAP key not available
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

And then this is the end of the output when it works.

RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 82 7a 3e ac 0f 7c c7 93 ac af fb d3 02 d7 bd 84 61 44 62 82 82 8b 3d e0 f2 47 27 30 9c a6 12 cb
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c
decapsulated EAP packet (code=3 id=12 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: success=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c
EAP: deinitialize previously used EAP method (25, PEAP) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

I finally noticed that if I use eapol_test for a TTLS authentication, then PEAP immediately stops working. If I restart winbind, it works again.

I really don't understand... And because I don't know where the problem is, I have some difficulty giving you the right information.

Thank you for your help!

J-P.

From: legdf at hotmail.com
To: freeradius-users at lists.freeradius.org
Subject: RE: eduroam PEAP + TTLS
Date: Fri, 18 Jun 2010 13:18:45 +0000

Ok,

Here is my eap.conf.

    eap {
        default_eap_type = peap
        timer_expire     = 60
        ignore_unknown_eap_types = yes
        cisco_accounting_username_bug = no
        max_sessions = 4096

        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_file = ${certdir}/cert.key
            certificate_file = ${certdir}/cert-3169-cert.pem
            CA_file = ${cadir}/chain-3169-cert.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            cipher_list = "DEFAULT"
            make_cert_command = "${certdir}/bootstrap"

            cache {
                enable = no
                lifetime = 24 # hours
                max_entries = 255
            }
        }

        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            virtual_server = "inner-tunnel"
            include_length = yes
        }

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
            use_tunneled_reply = yes
            proxy_tunneled_request_as_eap = yes
            virtual_server = "inner-tunnel"
        }

        mschapv2 {
        }
    }

I'm sorry

> Date: Fri, 18 Jun 2010 13:27:28 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> To: freeradius-users at lists.freeradius.org
> Subject: Re: eduroam PEAP + TTLS
> 
> Hi,
> 
> > So this is the true question, what error in my configuration can cause this ?
> 
> I cannot read minds... and you haven't supplied e.g. eap.conf (obfuscated as is reasonable)
> 
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
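Added example, not part of the original post or of FreeRADIUS/eapol_test: a small Python triage script for eapol_test tails like the two quoted above. It extracts the final verdict, the "MPPE keys OK/mismatch" summary, any Phase 2 MSCHAPv2 error line, and checks that the supplicant's derived PMK equals the MS-MPPE-Recv-Key the RADIUS server returned (the comparison behind "MPPE keys OK"); the two embedded logs are constructed from the excerpts in this thread.

```python
import re

# Tails of two eapol_test runs, constructed from the excerpts quoted in this
# thread (one failing PEAP run, one working run); hexdumps kept verbatim.
FAIL_LOG = """\
EAP-MSCHAPV2: Received success
EAP-MSCHAPV2: Invalid authenticator response in success request
EAP: method process -> ignore=FALSE methodState=MAY_CONT decision=FAIL
MPPE keys OK: 0  mismatch: 1
FAILURE
"""
OK_LOG = """\
MS-MPPE-Send-Key (sign) - hexdump(len=32): 82 7a 3e ac 0f 7c c7 93 ac af fb d3 02 d7 bd 84 61 44 62 82 82 8b 3d e0 f2 47 27 30 9c a6 12 cb
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c
EAP: Received EAP-Success
PMK from EAPOL - hexdump(len=32): fb 0b 78 97 7c 84 13 38 ba 36 77 b8 88 2b b2 9f 3b 79 4c 87 a7 fa 68 e0 3a e6 0c 47 4d 43 34 5c
MPPE keys OK: 1  mismatch: 0
SUCCESS
"""

HEXDUMP_RE = re.compile(
    r"^(?P<name>MS-MPPE-Send-Key|MS-MPPE-Recv-Key|PMK)\b.*?hexdump\(len=(?P<n>\d+)\): "
    r"(?P<hex>[0-9a-f]{2}(?: [0-9a-f]{2})*)$", re.MULTILINE)
SUMMARY_RE = re.compile(r"^MPPE keys OK: (?P<ok>\d+)\s+mismatch: (?P<bad>\d+)$", re.MULTILINE)
PHASE2_RE = re.compile(r"^EAP-MSCHAPV2: (?P<msg>Invalid .*|Received failure.*)$", re.MULTILINE)

def triage(log: str) -> dict:
    """Summarise one eapol_test run: verdict, MPPE summary, Phase 2 MSCHAPv2 error,
    and whether the supplicant's PMK equals the server's MS-MPPE-Recv-Key."""
    keys, truncated = {}, []
    for m in HEXDUMP_RE.finditer(log):
        raw = bytes.fromhex(m["hex"].replace(" ", ""))
        keys[m["name"]] = raw
        if len(raw) != int(m["n"]):   # hexdump shorter than its own len= claim
            truncated.append(m["name"])
    summ, phase2 = SUMMARY_RE.search(log), PHASE2_RE.search(log)
    pmk_ok = None
    if "PMK" in keys and "MS-MPPE-Recv-Key" in keys:
        pmk_ok = keys["PMK"] == keys["MS-MPPE-Recv-Key"]
    return {
        "result": "SUCCESS" if re.search(r"^SUCCESS$", log, re.M) else
                  "FAILURE" if re.search(r"^FAILURE$", log, re.M) else None,
        "mppe_ok": int(summ["ok"]) if summ else None,
        "mppe_mismatch": int(summ["bad"]) if summ else None,
        "phase2_error": phase2["msg"] if phase2 else None,
        "pmk_matches_recv_key": pmk_ok,
        "truncated_hexdumps": truncated,
    }
```

Run it over a captured eapol_test log with `triage(open("run.log").read())`; a run that reports `phase2_error` set and `pmk_matches_recv_key` None failed inside the tunnel before any keys were derived, whereas a mismatch with both keys present points at the key material itself.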