EAP-TTLS with PAP inner tunnel for Cisco 1100 series AP

James Smallacombe up at 3.am
Tue Oct 26 20:29:29 CEST 2010


I actually had this working last night on a different server running an 
older (2.1.6) version of FreeRADIUS with a pretty basic (unix/pap auth) 
setup.

However, I need to get this working with a newer, more complex setup 
that's using Pam, Ldap, ippools, groups, etc.  I just installed 2.1.10 
with OpenSSL support (had to run ldconfig afterwards, though).  It's able 
to authenticate Pam and LDAP for apache and PPTP users fine.  However, I 
need to be able to auth users from a Cisco 1142N Controller-based LW AP. 
The test user (Macbook) is configured to do 802.1X TTLS auth only with PAP 
as the inner tunnel.  Worked ok with the old server, as mentioned. 
However, on the new one, this is the debugging info I get (I'll try to 
keep it to what's relevant):

This is with Auth-type set to "Pam", although I've tried "Ldap" and even 
"Pap" and "Eap" with no luck:

  Module: Linked to module rlm_eap
  Module: Instantiating module "eap" from file /usr/etc/raddb/eap.conf
   eap {
 	default_eap_type = "md5"
 	timer_expire = 60
 	ignore_unknown_eap_types = no
 	cisco_accounting_username_bug = no
 	max_sessions = 2048
   }
  Module: Linked to sub-module rlm_eap_md5
  Module: Instantiating eap-md5
  Module: Linked to sub-module rlm_eap_leap
  Module: Instantiating eap-leap
  Module: Linked to sub-module rlm_eap_gtc
  Module: Instantiating eap-gtc
    gtc {
 	challenge = "Password: "
 	auth_type = "PAP"
    }
  Module: Linked to sub-module rlm_eap_tls
  Module: Instantiating eap-tls
    tls {
 	rsa_key_exchange = no
 	dh_key_exchange = yes
 	rsa_key_length = 512
 	dh_key_length = 512
 	verify_depth = 0
 	pem_file_type = yes
 	private_key_file = "/usr/etc/raddb/certs/server.pem"
 	certificate_file = "/usr/etc/raddb/certs/server.pem"
 	CA_file = "/usr/etc/raddb/certs/ca.pem"
 	private_key_password = "whatever"
 	dh_file = "/usr/etc/raddb/certs/dh"
 	random_file = "/usr/etc/raddb/certs/random"
 	fragment_size = 1024
 	include_length = yes
 	check_crl = no
 	cipher_list = "DEFAULT"
 	make_cert_command = "/usr/etc/raddb/certs/bootstrap"
    }
  Module: Linked to sub-module rlm_eap_ttls
  Module: Instantiating eap-ttls
    ttls {
 	default_eap_type = "md5"
 	copy_request_to_tunnel = no
 	use_tunneled_reply = no
 	virtual_server = "inner-tunnel"
 	include_length = yes
    }
----
server { # from file /usr/etc/raddb/radiusd.conf
  modules {
  Module: Checking authenticate {...} for more modules to load
  Module: Linked to module rlm_pam
  Module: Instantiating module "pam" from file /usr/etc/raddb/radiusd.conf
   pam {
 	pam_auth = "radiusd-auth"
   }
  Module: Checking authorize {...} for more modules to load

<snip bunch of ippools modules stuff>

Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 32769, id=15, length=154
 	User-Name = "testuser"
 	Calling-Station-Id = "00-1e-HWADDR"
 	Called-Station-Id = "68-bd-abTEST"
 	NAS-Port = 8
 	NAS-IP-Address = 192.168.200.9
 	NAS-Identifier = "Cisco"
 	Airespace-Wlan-Id = 1
 	Service-Type = Framed-User
 	Framed-MTU = 1300
 	NAS-Port-Type = Wireless-802.11
 	EAP-Message = 0x0202000a016a616d6573
 	Message-Authenticator = 0x4903d9a30f5a20b3e3b881815af6ee13
# Executing section authorize from file /usr/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation

(Now here I see what looks like a successful ldap conversation, even 
though I do not have auth-type set to ldap)

++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 208
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> testuser
[ldap] 	expand: (uid=%{Stripped-User-Name:-%{User-Name}}) ->  (uid=testuser)
[ldap] 	expand: dc=foo,dc=com -> dc=foo,dc=com
   [ldap] ldap_get_conn: Checking Id: 0
   [ldap] ldap_get_conn: Got Id: 0
   [ldap] performing search in dc=foo,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
   [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok

++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 16 to 10.1.1.1 port 32769
 	Framed-Protocol == PPP
 	Framed-Compression = Van-Jacobson-TCP-IP
 	EAP-Message = 0x010400061520
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x0cc158170dc54d3eb30f385d7ffdd9a0
Finished request 1.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 32769, id=17, length=274
 	User-Name = "testuser"
 	Calling-Station-Id = "00-1e-cSNIP"
 	Called-Station-Id = "68-bd-abTEST"
 	NAS-Port = 8
 	NAS-IP-Address = 192.168.200.9
 	NAS-Identifier = "Cisco"
 	Airespace-Wlan-Id = 1
 	Service-Type = Framed-User
 	Framed-MTU = 1300
 	NAS-Port-Type = Wireless-802.11
 	EAP-Message = 0x0204007015800000006616030100610100005d03014cc70f09b240f6530b566e57515e4ffc48f1e899ff14d65310b81fe0060711b8000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
 	State = 0x0cc158170dc54d3eb30f385d7ffdd9a0
 	Message-Authenticator = 0x0aec0b8b08f23742d3abc4eaa3d5325f
# Executing section authorize from file /usr/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
   TLS Length 102
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0061], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 084e], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 17 to 10.1.1.1 port 32769
 	EAP-Message = 0x0105040015c00000088b160301002a0200002603014cc70f08c2957fc17d52950000314bb2b78631fa66ac72b4a6c59148dbe89e00002f00160301084e0b00084a0008470003
<snip>
 	EAP-Message = 0x973082037fa0030201020201
 	Message-Authenticator = 0x00000000000000000000000000000000
 	State = 0x0cc158170ec44d3eb30f385d7ffdd9a0
Finished request 2.
Going to the next request
Waking up in 4.3 seconds.

<you get the picture>

It goes through the cycle above a few times and then:

Failed to authenticate the user.
Login incorrect: [testuser] (from client foo port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
 	Framed-Protocol == PPP
 	Framed-Compression = Van-Jacobson-TCP-IP
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [testuser] (from client foo port 8 cli 00-1e-cSNIP)
Using Post-Auth-Type Reject
# Executing group from file /usr/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> testuser
  attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 5 seconds
Going to the next request

-----

Clues gratefully accepted!

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up at 3.am							    http://3.am
=========================================================================
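Added example (not part of James's post and not FreeRADIUS code): a small Python decoder for the EAP-Message values that radiusd -X prints in the trace above. It parses the outer EAP header (code, id, length, type per RFC 3748), the EAP-TTLS flags byte and the optional 4-byte TLS message length that follows it when the L flag is set (RFC 5281), and the first TLS record header inside, so each step of the outer conversation can be cross-checked against what the debug output claims: the Identity response, the 6-byte TTLS Start request (S flag only), the 112-byte ClientHello carrying a 102-byte TLS message (the "TLS Length 102" line), and the first server fragment, whose declared EAP length of 1024 is exactly the configured fragment_size and which has both L and M set with a total TLS length of 0x88b. The post cuts that last value off at <snip>, so the decoder reports it as truncated instead of failing. The hex strings are copied from the post; the RFC field layouts are the only assumptions. One side effect worth knowing when reading the post: the identity inside the first EAP-Message decodes to a different string than the User-Name attribute, so the hex was evidently not anonymised along with the rest of the trace.

```python
"""Decode RADIUS EAP-Message values as printed by ``radiusd -X``.

Added example: parses the outer EAP header (RFC 3748), the EAP-TTLS flags
byte plus optional 4-byte TLS message length (RFC 5281), and the leading
TLS record header, so each EAP-Message in a FreeRADIUS trace can be checked.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "PEAP",
             26: "EAP-MSCHAPv2"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 12: "ServerKeyExchange", 13: "CertificateRequest",
                 14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
TLS_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2"}

# EAP-Message values copied from the trace in the post. The last one is cut
# off at the post's <snip>, so it is shorter than its declared EAP length;
# the decoder reports that rather than failing.
SAMPLES = {
    "identity": "0x0202000a016a616d6573",
    "ttls_start": "0x010400061520",
    "client_hello": "0x0204007015800000006616030100610100005d03014cc70f09b240f653"
                    "0b566e57515e4ffc48f1e899ff14d65310b81fe0060711b8000036002f00"
                    "0500040035000a00090003000800060032003300380039001600150014"
                    "0013001200110034003a0018001b001a0017001900010100",
    "server_fragment": "0x0105040015c00000088b160301002a0200002603014cc70f08c2957f"
                       "c17d52950000314bb2b78631fa66ac72b4a6c59148dbe89e00002f0016"
                       "0301084e0b00084a0008470003",
}


def decode_eap_message(hexstr):
    """Parse one EAP-Message value ("0x..." as printed by FreeRADIUS).

    Returns a dict with the EAP header fields; for the TLS-based methods
    (EAP-TLS, EAP-TTLS, PEAP) it also decodes the flags byte, the optional
    4-byte total TLS length (L flag) and the first TLS record header.
    """
    data = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = struct.unpack("!BBH", data[:4])
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": len(data) < length}   # shorter than declared -> cut off
    if code in (3, 4) or len(data) < 5:       # Success/Failure carry no type
        return out
    eap_type = data[4]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    payload = data[5:]
    if eap_type == 1:                          # Identity: the bare NAI string
        out["identity"] = payload.decode("utf-8", errors="replace")
    elif eap_type == 3:                        # Nak: list of desired types
        out["nak_desired"] = [EAP_TYPES.get(b, b) for b in payload]
    elif eap_type in (13, 21, 25) and payload:
        flags = payload[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40),
                        "S": bool(flags & 0x20), "version": flags & 0x07}
        tls = payload[1:]
        if out["flags"]["L"] and len(tls) >= 4:
            out["tls_total_length"] = struct.unpack("!I", tls[:4])[0]
            tls = tls[4:]
        if len(tls) >= 5:                      # TLS record header: type, version, length
            ctype, major, minor, rec_len = struct.unpack("!BBBH", tls[:5])
            rec = {"content_type": TLS_CONTENT.get(ctype, ctype),
                   "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
                   "record_length": rec_len}
            if ctype == 22 and len(tls) >= 6:  # first handshake message type
                rec["handshake"] = TLS_HANDSHAKE.get(tls[5], tls[5])
            out["tls_record"] = rec
    return out


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, decode_eap_message(value))
```

Running it against the four values shows the fragment sizes lining up with the trace: the client's 112-byte EAP packet wraps a 102-byte TLS message (97-byte ClientHello record plus 5-byte header), and the server's first Access-Challenge carries a 1024-byte EAP fragment of a 2187-byte TLS flight (ServerHello, Certificate, ServerHelloDone), which is why the handshake takes several round trips before the inner-tunnel authentication even starts.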



More information about the Freeradius-Users mailing list