Wired 802.1X + FreeRADIUS + LDAP issue
Ryan Garland
sheffy at gmail.com
Tue Dec 13 03:37:59 CET 2011
On Mon, Dec 12, 2011 at 6:30 PM, Ryan Garland <sheffy at gmail.com> wrote:
>
> Thanks for the response, Alan.
>
> It turns out part of my issue was certificate related. This has been
> resolved, but eapol_test continues to fail for a different reason.
> However, I am having trouble determining a fix.
>
> Attached is the eapol_test configuration, debug output, FreeRADIUS
> configuration & debug output.
>
> It appears that the relevant portion of the FreeRADIUS debug output is:
>
> Found Auth-Type = EAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/md5
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
> [eap] Handler failed in EAP/md5
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> } # server inner-tunnel
> [ttls] Got tunneled reply code 3
> EAP-Message = 0x04010004
> Message-Authenticator = 0x00000000000000000000000000000000
> [ttls] Got tunneled Access-Reject
> [eap] Handler failed in EAP/ttls
> rlm_eap_ttls: Freeing handler for user ryan
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
>
> I am having an even more difficult time deciphering the eapol_test
> debug output - I just see the EAP failure from the radius server.
>
> I have also tried commenting out 'virtual_server = "inner-tunnel"' in
> the ttls section of eap.conf to force it to use default (as the
> documentation inside the "default" virtual server would seem to imply
> I should do) and I get the same result. I may be mis-reading it,
> however.
>
> Do you see something glaringly wrong? I appreciate any insight you can provide.
Sorry, I should have been more clear.
I'm not sure what my options are with regards to Cleartext-Password
and using EAP-MD5, if that is indeed what is causing the failure.
I am attempting to get eapol_test to work since it sounds like this
should be my first priority. The OS X supplicant continues not to
respond to the Access-Challenge even though its profile is set up with
the corrected ca.der - but, one step at a time.
-RG
More information about the Freeradius-Users
mailing list