EAP processing again
Emmanuel BILLOT
emmanuel.billot at ac-orleans-tours.fr
Wed Jun 13 10:35:07 CEST 2012
Hi,
Ok i read all of the debug output, and i think i can understand
mechanism. However could you confirm (or not) what i understand ?
In case of an EAP/TTLS connexion :
- Freeradius get a request, with a particular attribut : EAP-Message
- Entering authorize section, only EAP one matches because of EAP
attribut => Auth-Type is set to EAP
- Entering authenticate section, Freeradius sent a challenge to client
- Client answer
- Freeradius get a new request with attribut EAP-Message, State and a
new Message-Authenticator
- Entering authorize section, EAP matches
- Entering authenticate section. EAP matches (Auth-Type = EAP).
Freeradius sent response to client (negociating ?)
- Client answer
- Freeradius get a new request with attribut EAP-Message, State and new
Message-Authenticator
- Entering authorize section, EAP matches, tunnel setup is set
- Entering authenticate section. EAP matches (Auth-Type = EAP). TTLS
type found, beginning with TLS. SSL working, sending response to client
- Client answer
- Freeradius get a new request with attribut EAP-Message, State and new
Message-Authenticator
- Entering authorize section, EAP matches, tunnel continues
- Entering authenticate section. EAP matches (Auth-Type = EAP).
Negociating SSL, sending response to client
- Client answer
- Freeradius get a new request with attribut EAP-Message, State and new
Message-Authenticator
- Entering authorize section, EAP matches, tunnel continues
- Entering authenticate section. EAP matches (Auth-Type = EAP). SSL
tunnel negociated, sending response to client
- Client answer
- Freeradius get a new request with attribut EAP-Message, State and new
Message-Authenticator
- Entering authorize section, EAP matches, tunnel continues
- Entering authenticate section. EAP matches (Auth-Type = EAP). SSL
tunnel negociated, session establisshed, sending response to client
- Client answer
- Freeradius get a new request with attribut EAP-Message, State and new
Message-Authenticator
- Entering authorize section, EAP matches, tunnel continues
- Entering authenticate section. EAP matches (Auth-Type = EAP). Session
establisshed, entering inner-tunnel section.
A this time, no more EAP request/send, only new authorise/authenticate
in the tunnel.
- Entering inner-tunnel authorize section, LDAP matches
- Entering LDAP section : bind successful, login is authenticated
- Access-Accept is send to client
If i'm right, i'm asking some questions :
- in the first step of the connexion, what is exactly the job of
authorize section ? Does it only set auth-type when finding any "clue"
in the request ?
- when connexion is in the tunnel step, a "reduced" request is sent (
without EAP attributes). This request is checked by the inner-tunnel
authorize section which will set the auth-type, right ? Here the
auth-type found is LDAP.
If i follow the entire log, i can see
- entering authorize
- finding Ldap Auth
- entering LDAP section, and then bind...
But i can't see entering authenticate section as we can see in the firt
step with EAP
It's quite hard to explain, but
* Outside tunnel : request -> authorize section -> Foudn type EAP ->
authenticate section -> EAP working
* Inside tunnel : request -> authorize section -> Foudn type LDAP ->
LDAP working
Why is there an "authenticate section" for EAP and a direct use of LDAP
section for LDAP ?
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
More information about the Freeradius-Users
mailing list