Freeradius reply attribute problem when using PEAP
freeradius-users at dale.us
Tue Aug 12 17:41:19 CEST 2014
I'm helping Terry out with this issue. Apologies if this doesn't thread
correctly as I wasn't subscribed to the list during the original email
thread and Terry is not available.
On Tue, 2014-08-12 at 10:56 -0400, Alan DeKok wrote:
> Terry Kantorowski wrote:
> > Per your request. I have included the debug output from freeradius.
> > You will see that my test user "rickjames" authenticates just fine.
> > The problem I am having is that the attribute value pairs for his
> > group are not passed and so he never actually "connects" to the
> > wireless network. The AVPs are missing when I try to connect with a
> > device using PEAP, but present when I force connect with TTLS. I did
> > not see this until I ran tcpdump.
> Which is why all of the documentation tells you to run the server in
> debugging mode, and to read the output.
I've gone through the logs but cannot find the issue that is causing the
attributes not to pass. The Ruckus-Role attribute is found throughout
the whole log up until line ~1432 of ttls6.log and ~1761 of peap6.log.
Also of note are lines 1508-1509 of ttls6.log:
    (9) eap_ttls : Using saved attributes from the original Access-Accept
        Ruckus-Role = 'TestSite-Premium'
And 1849-1850 of peap6.log:
    (12) eap_peap : Using saved attributes from the original Access-Accept
        User-Name = 'rickjames'
Both logs are available here:
> It should be pretty clear from the output. There's a lot of it, but
> reading it is simple.
> > (11) eap_peap : Got tunneled reply code 2
> > MS-MPPE-Encryption-Policy = Encryption-Allowed
> > MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> > MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2
> > MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3
> > EAP-Message = 0x030b0004
> > Message-Authenticator = 0x00000000000000000000000000000000
> > User-Name = 'rickjames'
> So... no authorization attributes are in the tunnel.
> Fix that.
Agreed. I am seeing this on the new debug files as well.
Does PEAP require a different inner-tunnel than TTLS does? At the
moment they are both using the same default inner-tunnel.
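
The check discussed in this message (whether an authorization attribute such as Ruckus-Role appears in the tunneled reply and in the saved attributes) can be run over a whole debug log. This is an added example, not part of the original post or of FreeRADIUS: the function names and the sample log are constructed here, modelled on the lines quoted above.

```python
import re

# Constructed sample in the debug-output format quoted in this thread.
SAMPLE_LOG = """\
(9) eap_ttls : Using saved attributes from the original Access-Accept
    Ruckus-Role = 'TestSite-Premium'
(11) eap_peap : Got tunneled reply code 2
    MS-MPPE-Encryption-Policy = Encryption-Allowed
    EAP-Message = 0x030b0004
    User-Name = 'rickjames'
(12) eap_peap : Using saved attributes from the original Access-Accept
    User-Name = 'rickjames'
"""

# Block headers as they appear in the quoted output (assumed stable format).
HEADER = re.compile(r"^\((\d+)\)\s+(eap_\w+)\s*:\s*"
                    r"(Got tunneled reply code \d+|Using saved attributes .*)$")
ATTR = re.compile(r"^([\w-]+)\s*=\s*(.+)$")

def parse_blocks(log_text):
    """Return one dict per tunneled-reply / saved-attributes block."""
    blocks, current = [], None
    for raw in log_text.splitlines():
        # Tolerate mail quoting ("> > ") so pasted list posts parse too.
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        header = HEADER.match(line)
        if header:
            current = {"request": int(header.group(1)),
                       "module": header.group(2),
                       "kind": header.group(3), "attrs": {}}
            blocks.append(current)
            continue
        attr = ATTR.match(line)
        if attr and current is not None:
            current["attrs"][attr.group(1)] = attr.group(2).strip("'")
        else:
            current = None  # any other line ends the attribute block
    return blocks

def blocks_missing(log_text, attribute):
    """List (request, module, kind) for blocks that lack `attribute`."""
    return [(b["request"], b["module"], b["kind"])
            for b in parse_blocks(log_text) if attribute not in b["attrs"]]

if __name__ == "__main__":
    for hit in blocks_missing(SAMPLE_LOG, "Ruckus-Role"):
        print("missing Ruckus-Role:", hit)
```
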