EAP-TTLS with PAP inner tunnel for Cisco 1100 series AP
James Smallacombe
up at 3.am
Tue Oct 26 20:29:29 CEST 2010
I actually had this working last night on a different server running an
older (2.1.6) version of FreeRADIUS with a pretty basic (unix/pap auth)
setup.
However, I need to get this working with a newer, more complex setup
that's using Pam, Ldap, ippools, groups, etc. I just installed 2.1.10
with OpenSSL support (had to run ldconfig afterwards, though). It's able
to authenticate Pam and LDAP for apache and PPTP users fine. However, I
need to be able to auth users from a Cisco 1142N Controller based LW AP.
The test user (Macbook) is configured to do 802.1X TTLS auth only with PAP
as the inner tunnel. Worked ok with the old server, as mentioned.
However, on the new one, this is the debugging info I get (I'll try to
keep it to what's relevant):
This is with Auth-type set to "Pam", although I've tried "Ldap" and even
"Pap" and "Eap" with no luck:
Module: Linked to module rlm_eap
Module: Instantiating module "eap" from file /usr/etc/raddb/eap.conf
eap {
default_eap_type = "md5"
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
}
Module: Linked to sub-module rlm_eap_md5
Module: Instantiating eap-md5
Module: Linked to sub-module rlm_eap_leap
Module: Instantiating eap-leap
Module: Linked to sub-module rlm_eap_gtc
Module: Instantiating eap-gtc
gtc {
challenge = "Password: "
auth_type = "PAP"
}
Module: Linked to sub-module rlm_eap_tls
Module: Instantiating eap-tls
tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = "/usr/etc/raddb/certs/server.pem"
certificate_file = "/usr/etc/raddb/certs/server.pem"
CA_file = "/usr/etc/raddb/certs/ca.pem"
private_key_password = "whatever"
dh_file = "/usr/etc/raddb/certs/dh"
random_file = "/usr/etc/raddb/certs/random"
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
make_cert_command = "/usr/etc/raddb/certs/bootstrap"
}
Module: Linked to sub-module rlm_eap_ttls
Module: Instantiating eap-ttls
ttls {
default_eap_type = "md5"
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = "inner-tunnel"
include_length = yes
}
----
server { # from file /usr/etc/raddb/radiusd.conf
modules {
Module: Checking authenticate {...} for more modules to load
Module: Linked to module rlm_pam
Module: Instantiating module "pam" from file /usr/etc/raddb/radiusd.conf
pam {
pam_auth = "radiusd-auth"
}
Module: Checking authorize {...} for more modules to load
<snip bunch of ippools modules stuff>
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 32769, id=15, length=154
User-Name = "testuser"
Calling-Station-Id = "00-1e-HWADDR"
Called-Station-Id = "68-bd-abTEST"
NAS-Port = 8
NAS-IP-Address = 192.168.200.9
NAS-Identifier = "Cisco"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message = 0x0202000a016a616d6573
Message-Authenticator = 0x4903d9a30f5a20b3e3b881815af6ee13
# Executing section authorize from file /usr/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
(Now here I see what looks like a successful ldap conversation, even
though I do not have auth-type set to ldap)
++[eap] returns updated
++[unix] returns updated
[files] users: Matched entry DEFAULT at line 208
++[files] returns ok
[ldap] performing user authorization for testuser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> testuser
[ldap] expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=testuser)
[ldap] expand: dc=foo,dc=com -> dc=foo,dc=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in dc=foo,dc=com, with filter (uid=testuser)
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
[ldap] user testuser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set. Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /usr/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 16 to 10.1.1.1 port 32769
Framed-Protocol == PPP
Framed-Compression = Van-Jacobson-TCP-IP
EAP-Message = 0x010400061520
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0cc158170dc54d3eb30f385d7ffdd9a0
Finished request 1.
Going to the next request
Waking up in 4.6 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 32769, id=17, length=274
User-Name = "testuser"
Calling-Station-Id = "00-1e-cSNIP"
Called-Station-Id = "68-bd-abTEST"
NAS-Port = 8
NAS-IP-Address = 192.168.200.9
NAS-Identifier = "Cisco"
Airespace-Wlan-Id = 1
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
EAP-Message =
0x0204007015800000006616030100610100005d03014cc70f09b240f6530b566e57515e4ffc48f1e899ff14d65310b81fe0060711b8000036002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100
State = 0x0cc158170dc54d3eb30f385d7ffdd9a0
Message-Authenticator = 0x0aec0b8b08f23742d3abc4eaa3d5325f
# Executing section authorize from file /usr/etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 112
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /usr/etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
TLS Length 102
[ttls] Length Included
[ttls] eaptls_verify returned 11
[ttls] (other): before/accept initialization
[ttls] TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0061], ClientHello
[ttls] TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls] TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 084e], Certificate
[ttls] TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls] TLS_accept: SSLv3 write server done A
[ttls] TLS_accept: SSLv3 flush data
[ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 17 to 10.1.1.1 port 32769
EAP-Message =
0x0105040015c00000088b160301002a0200002603014cc70f08c2957fc17d52950000314bb2
b78631fa66ac72b4a6c59148dbe89e00002f00160301084e0b00084a0008470003
<snip>
EAP-Message = 0x973082037fa0030201020201
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x0cc158170ec44d3eb30f385d7ffdd9a0
Finished request 2.
Going to the next request
Waking up in 4.3 seconds
<you get the picture>
It goes through the cycle above a few times and then:
Failed to authenticate the user.
Login incorrect: [testuser] (from client foo port 0 via TLS tunnel)
} # server inner-tunnel
[ttls] Got tunneled reply code 3
Framed-Protocol == PPP
Framed-Compression = Van-Jacobson-TCP-IP
[ttls] Got tunneled Access-Reject
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Login incorrect: [testuser] (from client foo port 8 cli 00-1e-cSNIP)
Using Post-Auth-Type Reject
# Executing group from file /usr/etc/raddb/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> testuser
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 5 seconds
Going to the next request
-----
Clues gratefully accepted!
James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
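An added example, not part of the original post or of FreeRADIUS itself: a small Python decoder for the EAP-Message values printed in the debug output above, so the hex can be checked against the "[eap] EAP packet type ..." and "[ttls] ..." lines when triaging a failing TTLS handshake. Field layout follows RFC 3748 (EAP header, Identity, Nak) and RFC 5281 (EAP-TTLS flags and length); the three sample values are taken from the debug output above, the third truncated to its first bytes.

```python
# Decode FreeRADIUS "EAP-Message = 0x..." values into their EAP / EAP-TTLS /
# TLS-record fields.  Added example; constants per RFC 3748 and RFC 5281.
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake",
               23: "ApplicationData"}
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             14: "ServerHelloDone"}

def decode_eap_message(hexstr):
    """Parse one EAP-Message attribute value ("0x...") into a dict."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", data[:4])   # EAP header
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and len(data) > 4:
        eap_type = data[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        payload = data[5:length]
        if eap_type == 1:                       # Identity: bytes are the username
            out["identity"] = payload.decode("utf-8", "replace")
        elif eap_type == 3:                     # Nak: types the peer will accept
            out["nak_types"] = [EAP_TYPES.get(t, t) for t in payload]
        elif eap_type in (13, 21, 25):          # TLS-based methods: flags byte first
            flags = payload[0]
            out["flags"] = {"length_included": bool(flags & 0x80),
                            "more_fragments": bool(flags & 0x40),
                            "start": bool(flags & 0x20)}
            pos = 1
            if flags & 0x80:                    # 4-byte total TLS length follows
                out["tls_length"] = struct.unpack("!I", payload[1:5])[0]
                pos = 5
            rec = payload[pos:pos + 6]          # first TLS record header + hs type
            if len(rec) == 6:
                ctype, major, minor, rlen = struct.unpack("!BBBH", rec[:5])
                out["tls_record"] = {"content": TLS_CONTENT.get(ctype, ctype),
                                     "version": TLS_VERSIONS.get((major, minor), f"{major}.{minor}"),
                                     "length": rlen}
                if ctype == 22:
                    out["tls_record"]["handshake"] = HANDSHAKE.get(rec[5], rec[5])
    return out

# Values from the debug output above: identity response, server TTLS Start,
# client TTLS fragment carrying the ClientHello (truncated after the header).
SAMPLES = ["0x0202000a016a616d6573", "0x010400061520",
           "0x0204007015800000006616030100610100005d03014cc70f09"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(decode_eap_message(s))
```

The third sample decodes to EAP length 112 with a TLS length of 102 and a TLS 1.0 ClientHello of length 0x61, which is exactly what the "[eap] EAP packet type response id 4 length 112", "TLS Length 102" and "ClientHello [length 0061]" lines report.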