Authentication using LDAP for 802.1x

Marco Streich marco.streich at kshp.ch
Wed Jun 19 14:11:55 CEST 2013


Hi all

We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the Connect Network Account Server functionality provided by OS X.

I have seen this question asked a lot but still wasn't able to fill the gap in my understanding of the whole process.

We're now using FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu

As a start, I'm now trying to get a simple user authentication working. What I have done so far is define ldap {} in the ldap module and add ldap to the authorize {} section.

I also uncommented Auth-Type LDAP { ldap } in the authenticate {} section. <= Bad?!

The same for the virtual inner-tunnel.


When I run radtest from my laptop, the authentication is successful:

$ radtest a4 whatever 192.168.1.231 18120 secret

Sending Access-Request of id 18 to 192.168.1.231 port 1812
	User-Name = "a4"
	User-Password = "whatever"
	NAS-IP-Address = 192.168.17.1
	NAS-Port = 18120
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 192.168.1.231 port 1812, id=18, length=20

When I try to authorize a supplicant connected to our switch, which is configured as the authenticator, the debug shows me the following:

...
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=73, length=217
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x020b0007016134
	Message-Authenticator = 0xa3eaf856385eef096a4a8da0a9b938c3
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 11 length 7
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for a4
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> a4
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
[ldap] 	expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.hopro.edu:389, authentication 0
  [ldap] bind as / to ldap.hopro.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user a4 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 73 to 192.168.99.99 port 1645
	EAP-Message = 0x010c00160410f7b955ffcad777bb64a0c2591f2a1852
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xab1bf9b7ab17fdd1d339d19378335aaa
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=74, length=234
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x020c00060315
	Message-Authenticator = 0x265e5392ae96ffd2f0c96666a02c9035
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	State = 0xab1bf9b7ab17fdd1d339d19378335aaa
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 12 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for a4
[ldap] 	expand: %{Stripped-User-Name} -> 
[ldap] 	... expanding second conditional
[ldap] 	expand: %{User-Name} -> a4
[ldap] 	expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=a4)
[ldap] 	expand: dc=ldap,dc=hopro,dc=edu -> dc=ldap,dc=hopro,dc=edu
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in dc=ldap,dc=hopro,dc=edu, with filter (uid=a4)
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user a4 authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/ttls
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 74 to 192.168.99.99 port 1645
	EAP-Message = 0x010d00061520
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xab1bf9b7aa16ecd1d339d19378335aaa
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=75, length=356
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x020d008015800000007616030100710100006d030151c19a457c2d148d872abd670c09fe7719d9b316318eb0134b0db1b5ce12e57700003200ffc00ac009c007c008c014c013c011c012c004c005c002c003c00ec00fc00cc00d002f000500040035000a00330039001601000012000a00080006001700180019000b00020100
	Message-Authenticator = 0x474af0e5e41006c5947328ada905bf63
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	State = 0xab1bf9b7aa16ecd1d339d19378335aaa
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 13 length 128
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 118
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 0071], ClientHello  
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 0039], ServerHello  
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 084f], Certificate  
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange  
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase 
In SSL Accept mode  
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 75 to 192.168.99.99 port 1645
	EAP-Message = 0x7e66cbccd3f279171bb3e77936b8e6a92cbb0e17eb0abbcdac9945db8c11af0074d9480d263664e17d021663e0694dbfe839def4202ddede6958974bc82e8023c68adc741ab7c9e64027171b32d0d04c3e93cf1bd49947e3e462ed368fb71e8ce9fcff7414fe921494836b128635e0004e8ce29dc26a919f58d7c91f7181dcb1a71e404960f04ba20c51d42ff3872c3335cbb612ac48c6234a326c9d83f6416e32a070f6307496ca83066f071d92b29732c4045105a726e359388542437214e6480df09c8e4ce4149f53da2b449d0203010001a317301530130603551d25040c300a06082b06010505070301300d06092a864886f70d01010505000382
	EAP-Message = 0x324bf7e31c3b00049f308204
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xab1bf9b7a915ecd1d339d19378335aaa
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=76, length=234
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x020e00061500
	Message-Authenticator = 0x37d15b32cc7d6ece0c91b13551cd0b93
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	State = 0xab1bf9b7a915ecd1d339d19378335aaa
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 14 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 76 to 192.168.99.99 port 1645
	EAP-Message = 0x310b3009060355040813025a483110300e060355040713075a75657269636831253023060355040a131c4b616e746f6e73736368756c6520486f68652050726f6d656e616465311f301d06092a864886f70d010901161069637461646d696e406b7368702e636831193017060355040313107261646975732e686f70726f2e656475820900b75f4cb4031a50e3300c0603551d13040530030101ff300d06092a864886f70d010105050003820101000b570cdc802ec347643ce7e5a81cd487273f8eb79f7580d9423e0ac121c39d23b8d7e606fa291515bfa8e232e845b04788cb14bbac1e67cdeded46cdead9957a88eb3c04075cbb2f9d66c81451f7
	EAP-Message = 0xc982a3f0ae66f5d41f3c2ff9
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xab1bf9b7a814ecd1d339d19378335aaa
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=77, length=234
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x020f00061500
	Message-Authenticator = 0x49c786eea0efa3a358db3c5c61d82830
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	State = 0xab1bf9b7a814ecd1d339d19378335aaa
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 15 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 77 to 192.168.99.99 port 1645
	EAP-Message = 0x05b6bbbc248c16030100040e000000
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xab1bf9b7af0becd1d339d19378335aaa
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=78, length=372
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x021000901580000000861603010046100000424104ee7b81c5eb47db38fd9999628065d8bc69504fd008ffcce581bf49a5dc349fac012b27f4d21db7352c31e8be8bc097f9fd3414f7160990963cd9ad8e53166e951403010001011603010030ed341f879e3591dedc6633d8a0376280178fe300950d293b30747d15b35f4867c69765e98c2f0a15bcb95a992cbc77a4
	Message-Authenticator = 0xe7c4329c24d68ad3919250d82c96961a
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	State = 0xab1bf9b7af0becd1d339d19378335aaa
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 16 length 144
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 134
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Handshake [length 0046], ClientKeyExchange  
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]  
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished  
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established 
[ttls] eaptls_process returned 13 
++[eap] returns handled
Sending Access-Challenge of id 78 to 192.168.99.99 port 1645
	EAP-Message = 0x0111004515800000003b1403010001011603010030b0518066786178044d44483eb37026fdd8406df7f6eaae28282bc696f782e64198a16f06ecde63a263375845bf3304f7
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0xab1bf9b7ae0aecd1d339d19378335aaa
Finished request 5.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.168.99.99 port 1645, id=79, length=275
	User-Name = "a4"
	Service-Type = Framed-User
	Cisco-AVPair = "service-type=Framed"
	Framed-MTU = 9000
	Called-Station-Id = "AC-A0-16-58-EB-07"
	Calling-Station-Id = "00-23-32-CF-1D-A2"
	EAP-Message = 0x0211002f1580000000251503010020f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3
	Message-Authenticator = 0x69b565f9da2f3112f04fc8a2197444a4
	Cisco-AVPair = "audit-session-id=C0A863630000062C77AFDED6"
	NAS-Port-Type = Ethernet
	NAS-Port = 50007
	NAS-Port-Id = "GigabitEthernet0/7"
	State = 0xab1bf9b7ae0aecd1d339d19378335aaa
	NAS-IP-Address = 192.168.99.99
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "a4", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 17 length 47
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
  TLS Length 37
[ttls] Length Included
[ttls] eaptls_verify returned 11 
[ttls] <<< TLS 1.0 Alert [length 0002], warning close_notify  
TLS Alert read:warning:close notify
[ttls] WARNING: No data inside of the tunnel.
[ttls] eaptls_process returned 7 
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] SSL_read Error
[eap] Handler failed in EAP/ttls
[eap] Failed in EAP select
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] 	expand: %{User-Name} -> a4
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 6 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 6
Sending Access-Reject of id 79 to 192.168.99.99 port 1645
	EAP-Message = 0x04110004
	Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.7 seconds.
...

>[ttls] WARNING: No data inside of the tunnel.

At this moment, I cannot wrap my mind around what is going on here.

I understand that ldap tries to authenticate the user by itself, instead of handing it to the LDAP server. But what is different when I run radtest?

Debug from radtest:
...
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group LDAP {...}
[ldap] login attempt by "a4" with password "whatever"
[ldap] user DN: uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu
  [ldap] (re)connect to ldap.hopro.edu:389, authentication 1
  [ldap] bind as uid=a4,cn=users,dc=ldap,dc=hopro,dc=edu/whatever to ldap.hopro.edu:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
[ldap] user a4 authenticated successfully
++[ldap] returns ok
...


Would one of you guys guide me in the right direction?

Thank you in advance

Marco
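As an added example (not part of Marco's post or of FreeRADIUS), here is a small Python decoder for the EAP-Message values in the debug output above. It unpacks the outer EAP header (RFC 3748) and the EAP-TTLS fragment framing (RFC 5281: L/M/S flags, optional TLS total length, TLS record header), so each step of the exchange can be checked by hand: the Identity response, the Nak asking for TTLS, the TTLS Start, and the final client fragment that carries only a TLS Alert record (the close_notify the server logs just before "No data inside of the tunnel"). The sample messages are copied from the log above.

```python
"""Decode EAP-Message attributes as printed by FreeRADIUS debug output."""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

# Values taken from the debug log in the post above (not constructed).
LOG_MESSAGES = [
    "0x020b0007016134",                      # Identity response, id 11
    "0x020c00060315",                        # Nak: supplicant wants TTLS
    "0x010d00061520",                        # TTLS Start from the server
    "0x0211002f1580000000251503010020"       # last client fragment: a TLS Alert record
    "f0c878ea3889abbd6850566e4a4b6b5e5777dc3f5e0f11789e9a9430219cc5b3",
    "0x04110004",                            # EAP-Failure, id 17
]


def decode_eap_message(hexstr):
    """Return a dict describing one EAP packet; raises ValueError on bad framing."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} does not match {len(raw)} bytes")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4):                       # Success/Failure carry no type byte
        return out
    etype = raw[4]
    out["type"] = EAP_TYPES.get(etype, etype)
    payload = raw[5:]
    if etype == 1:                           # Identity: payload is the user name
        out["identity"] = payload.decode("ascii", "replace")
    elif etype == 3:                         # Nak: list of acceptable EAP types
        out["desired_types"] = [EAP_TYPES.get(b, b) for b in payload]
    elif etype in (13, 21, 25):              # EAP-TLS style framing
        flags = payload[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        rest = payload[1:]
        if flags & 0x80:                     # L bit: 4-byte total TLS message length follows
            out["tls_length"] = int.from_bytes(rest[:4], "big")
            rest = rest[4:]
        if len(rest) >= 5:                   # TLS record header: type, version, length
            out["tls_record"] = {
                "content_type": TLS_CONTENT.get(rest[0], rest[0]),
                "version": f"{rest[1]}.{rest[2]}",
                "length": int.from_bytes(rest[3:5], "big"),
            }
    return out


def decode_all(messages=LOG_MESSAGES):
    return [decode_eap_message(m) for m in messages]


if __name__ == "__main__":
    for entry in decode_all():
        print(entry)
```

Decoding the last client message shows a 37-byte TLS payload whose only record is an encrypted Alert (32 bytes), i.e. the supplicant closed the tunnel without sending any inner authentication.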


