EAP processing again

Emmanuel BILLOT emmanuel.billot at ac-orleans-tours.fr
Wed Jun 13 10:35:07 CEST 2012


Hi,

OK, I read all of the debug output, and I think I can understand the 
mechanism. However, could you confirm (or not) what I understand?

In the case of an EAP/TTLS connection:

- FreeRADIUS gets a request with a particular attribute: EAP-Message
- Entering the authorize section, only the EAP one matches because of the EAP 
attribute => Auth-Type is set to EAP
- Entering the authenticate section, FreeRADIUS sends a challenge to the client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a 
new Message-Authenticator
- Entering the authorize section, EAP matches
- Entering the authenticate section. EAP matches (Auth-Type = EAP). 
FreeRADIUS sends a response to the client (negotiating?)

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new 
Message-Authenticator
- Entering the authorize section, EAP matches, tunnel setup is set
- Entering the authenticate section. EAP matches (Auth-Type = EAP). TTLS 
type found, beginning with TLS. SSL working, sending a response to the client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new 
Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section. EAP matches (Auth-Type = EAP). 
Negotiating SSL, sending a response to the client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new 
Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section. EAP matches (Auth-Type = EAP). SSL 
tunnel negotiated, sending a response to the client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new 
Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section. EAP matches (Auth-Type = EAP). SSL 
tunnel negotiated, session established, sending a response to the client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new 
Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section. EAP matches (Auth-Type = EAP). Session 
established, entering the inner-tunnel section.
At this point there are no more EAP request/send steps, only a new authorize/authenticate 
in the tunnel.
- Entering the inner-tunnel authorize section, LDAP matches
- Entering the LDAP section: bind successful, login is authenticated

- Access-Accept is sent to the client


If I'm right, I have some questions:
- In the first step of the connection, what exactly is the job of the 
authorize section? Does it only set Auth-Type when it finds some "clue" 
in the request?
- When the connection is in the tunnel step, a "reduced" request is sent 
(without EAP attributes). This request is checked by the inner-tunnel 
authorize section, which will set the Auth-Type, right? Here the 
Auth-Type found is LDAP.
If I follow the entire log, I can see
     - entering authorize
     - finding LDAP Auth
     - entering the LDAP section, and then bind...
But I can't see it entering the authenticate section as we can see in the first 
step with EAP.
It's quite hard to explain, but:
* Outside the tunnel: request -> authorize section -> found type EAP -> 
authenticate section -> EAP working
* Inside the tunnel: request -> authorize section -> found type LDAP -> 
LDAP working

Why is there an "authenticate section" for EAP and a direct use of the LDAP 
section for LDAP?


-- 
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57

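The dispatch described in the post above, laid out as an added example configuration (written here for illustration; it is not the original poster's configuration nor the FreeRADIUS project's shipped files). The module names `eap`, `ldap` and `pap` and the virtual-server names `default` and `inner-tunnel` are the stock FreeRADIUS names; the fragment shows only the sections relevant to the outer EAP exchange and the inner LDAP bind, and omits unrelated modules. The block layout follows the FreeRADIUS 2.x `sites-enabled` and `eap.conf` files.

```unlang
# --- sites-enabled/default : outer virtual server -------------------------
# Every packet of the EAP-TTLS exchange (the first Access-Request and each
# follow-up carrying EAP-Message + State) enters here.
server default {
    authorize {
        preprocess
        # rlm_eap sees EAP-Message and sets control:Auth-Type := EAP.
        # "ok = return" stops authorize right there, so ldap below is never
        # run against the outer (typically anonymous) identity.
        eap {
            ok = return
        }
        # Only reached for non-EAP requests (e.g. plain PAP over RADIUS).
        ldap
    }
    authenticate {
        # Auth-Type EAP: rlm_eap drives the TLS handshake; each step sends an
        # Access-Challenge and the client's next Access-Request brings the
        # matching State back so the session can be resumed.
        eap
        # Bind-as-user for non-EAP requests whose authorize set Auth-Type LDAP.
        # Stock files ship this block commented out; it must be enabled for an
        # LDAP bind to happen in authenticate.
        Auth-Type LDAP {
            ldap
        }
    }
}

# --- eap.conf : where the decrypted inner request goes ---------------------
eap {
    default_eap_type = ttls
    ttls {
        # Once the TLS tunnel is up, the inner (decrypted) request is handed
        # to this virtual server instead of being processed in "default".
        virtual_server = "inner-tunnel"
        copy_request_to_tunnel = no
        use_tunneled_reply = yes
    }
}

# --- sites-enabled/inner-tunnel : inner virtual server ---------------------
# The inner request is the "reduced" one from the post: for TTLS/PAP it
# carries User-Name and User-Password, no EAP-Message and no State.
server inner-tunnel {
    authorize {
        # Only matches for TTLS with an inner EAP method (e.g. EAP-MSCHAPv2).
        eap {
            ok = return
        }
        # Looks the user up; with no stored password attribute available and
        # no Auth-Type yet set, rlm_ldap sets Auth-Type := LDAP.
        ldap
        pap
    }
    authenticate {
        # The actual bind as the user, with the inner User-Password, runs here.
        Auth-Type LDAP {
            ldap
        }
        Auth-Type PAP {
            pap
        }
        eap
    }
}
```

To confirm which server handles which step, run `radiusd -X` and watch for the inner request being processed under `server inner-tunnel`: the outer server's log lines stop at `eap`, and the `ldap` lines for the real identity appear only in the inner server.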


More information about the Freeradius-Users mailing list