EAP/TTLS Auth problem
Phil Mayers
p.mayers at imperial.ac.uk
Mon May 14 17:22:18 CEST 2012
On 14/05/12 15:58, Steve Hopps wrote:
> I'll post the full log. It should be pulling from OpenLDAP. I had to
It's not. You haven't configured it to do that.
> Module: Instantiating module "ldap" from file /etc/freeradius/radiusd.conf
> ldap {
> server = "localhost"
> port = 389
Ok, you have LDAP configured.
> rad_recv: Access-Request packet from host 6.6.6.6 port 37880, id=0, length=119
> User-Name = "test"
> NAS-IP-Address = 127.0.0.1
> Calling-Station-Id = "70-6F-6C-69-73-68"
> Framed-MTU = 1400
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "rad_eap_test + eapol_test"
> EAP-Message = 0x020000090174657374
> Message-Authenticator = 0xcfdd7846ad5afe2989a9f95268623b3a
> # Executing section authorize from file /etc/freeradius/sites-enabled/default
> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> [eap] EAP packet type response id 0 length 9
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] returns updated
> ++[unix] returns updated
> ++[files] returns noop
> [ldap] performing user authorization for test
"ldap" is running in the "outer" tunnel; that's probably not where you
want it. You need to put it in the "inner" tunnel.
Compare and contrast sites-enabled/default and sites-enabled/inner-tunnel.
> /etc/freeradius/sites-enabled/inner-tunnel
Note above, once the EAP outer tunnel has succeeded, further processing
happens in the "sites-enabled/inner-tunnel" virtual server.
> +- entering group authorize {...}
> ++[chap] returns noop
> ++[control] returns noop
> ++[mschap] returns noop
> ++[unix] returns updated
^^^ this is the problem; the "unix" module is running inside the tunnel
and extracting the password for the user "test" from the local
/etc/passwd file.
Comment this line out. Then replace it with "ldap".
> [suffix] No '@' in User-Name = "test", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[control] returns noop
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns updated
> WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
> Cancelling invalid proxy request.
> Found Auth-Type = PAP
> # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
> +- entering group PAP {...}
> [pap] login attempt with password "test123"
> [pap] Using CRYPT password "*"
> [pap] Passwords don't match
> ++[pap] returns reject
...and it fails.
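As an added example (not code from the post or from FreeRADIUS), the script below reads radiusd -X debug output in the format quoted above and reports which virtual server and section each module ran in, flagging exactly the misplacement Phil describes: "ldap" only in the outer sites-enabled/default server and "unix" inside inner-tunnel authorize. The inner-tunnel "Executing section" line and the "++[ldap] returns ok" line in the sample are assumed, since the quoted log omits them.

```python
"""Map each module call in radiusd -X output to the virtual server it ran in.
Added example (not from the original post): it flags the misplacement Phil
describes, ldap in the outer server and unix in inner-tunnel authorize."""
import re

SECTION_RE = re.compile(r"^# Executing (?:section (\w+)|group) from file \S*/sites-enabled/(\S+)$")
GROUP_RE = re.compile(r"^\+- entering group (\S+) \{\.\.\.\}$")
MODULE_RE = re.compile(r"^\++\[(\w+)\] returns \w+$")

# Constructed sample, abridged from the thread; the inner-tunnel "Executing
# section" line and the ldap result line are assumed (the quoted log omits them).
SAMPLE_LOG = """\
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[ldap] returns ok
# Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group authorize {...}
++[unix] returns updated
++[pap] returns updated
# Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
+- entering group PAP {...}
++[pap] returns reject
""".splitlines()


def modules_by_server(log_lines):
    """Return {server: {section: [module, ...]}} in log order."""
    result, server, section = {}, None, None
    for raw in log_lines:
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section, server = m.group(1), m.group(2)  # section is None for a bare group
            result.setdefault(server, {})
        elif (m := GROUP_RE.match(line)) and server and section is None:
            section = m.group(1)  # e.g. "PAP" after "# Executing group from file ..."
        elif (m := MODULE_RE.match(line)) and server and section:
            result[server].setdefault(section, []).append(m.group(1))
    return result


def tunnel_findings(log_lines):
    """Checks for a TTLS setup whose inner PAP should be verified against LDAP."""
    placed = modules_by_server(log_lines)
    outer = placed.get("default", {}).get("authorize", [])
    inner = placed.get("inner-tunnel", {}).get("authorize", [])
    findings = []
    if "ldap" in outer and "ldap" not in inner:
        findings.append("ldap only in outer authorize: move it into inner-tunnel")
    if "unix" in inner:
        findings.append("unix in inner-tunnel authorize: comment it out")
    return findings
```

Pipe a full `radiusd -X` capture into `tunnel_findings(sys.stdin)` to check a live server the same way; an empty list means both modules are where the inner PAP authentication needs them.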