Freeradius reply attribute problem when using PEAP

Dale Blount freeradius-users at dale.us
Tue Aug 12 17:41:19 CEST 2014


Hello,

I'm helping Terry out with this issue.  Apologies if this doesn't thread
correctly as I wasn't subscribed to the list during the original email
thread and Terry is not available.


On Tue, 2014-08-12 at 10:56 -0400, Alan DeKok wrote:
> Terry Kantorowski wrote:
> > Per your request. I have included the debug output from freeradius.
> > You will see that my test user "rickjames" authenticates just fine.
> > The problem I am having is that the attribute value pairs for his
> > group are not passed and so he never actually "connects" to the
> > wireless network. The AVPs are missing when I try to connect with a
> > device using PEAP, but present when I force connect with TTLS. I did
> > not see this until I ran tcpdump.
> 
>   Which is why all of the documentation tells you to run the server in
> debugging mode, and to read the output.
> 

I've gone through the logs but cannot find the issue that is causing the
attributes not to pass.  The Ruckus-Role attribute is found throughout
the whole log up until line ~1432 of ttls6.log and ~1761 of peap6.log.

Also of note are lines 1508-1509 of ttls6.log:
(9) eap_ttls : Using saved attributes from the original Access-Accept
	Ruckus-Role = 'TestSite-Premium'

And 1849-1850 of peap6.log:
(12) eap_peap : Using saved attributes from the original Access-Accept
	User-Name = 'rickjames'


Both logs are available here:
http://dale.us/temp/peap6.log
http://dale.us/temp/ttls6.log



>   It should be pretty clear from the output.  There's a lot of it, but
> reading it is simple.
> 
> > (11)  eap_peap : Got tunneled reply code 2
> >         MS-MPPE-Encryption-Policy = Encryption-Allowed
> >         MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
> >         MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2
> >         MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3
> >         EAP-Message = 0x030b0004
> >         Message-Authenticator = 0x00000000000000000000000000000000
> >         User-Name = 'rickjames'
> 
>   So... no authorization attributes are in the tunnel.
> 
>   Fix that.

Agreed.  I am seeing this on the new debug files as well.


Does PEAP require a different inner-tunnel than TTLS does?  At the
moment they are both using the same default inner-tunnel.

Thanks,

Dale
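As an added diagnostic, not code from this thread or from the FreeRADIUS project: the Python script below parses FreeRADIUS debug output of the kind quoted above, collects the attributes listed under each "Got tunneled reply code 2" (Access-Accept) block, and reports which sessions carry no authorization attribute beyond what the EAP layer itself produces (the MS-MPPE keys, EAP-Message, Message-Authenticator and User-Name). It also picks up the "Using saved attributes from the original Access-Accept" blocks so both can be compared per session. The sample log is constructed: the PEAP block reproduces the lines quoted in the thread, while the TTLS block and the "Tunneled authentication was successful." line are made up for contrast. Treating Ruckus-Role as the required authorization attribute, and the set of attributes classed as transport-only, are assumptions of this example.

```python
import re

# Constructed sample debug output. The eap_peap block copies the lines quoted in
# the thread; the eap_ttls block and the "successful" line are made up for contrast.
SAMPLE_DEBUG = """\
(11)  eap_peap : Got tunneled reply code 2
        MS-MPPE-Encryption-Policy = Encryption-Allowed
        MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed
        MS-MPPE-Send-Key = 0x179df4ed5c7771b6728858f3b86294c2
        MS-MPPE-Recv-Key = 0xb9fea9733904585d418bc4af62e467f3
        EAP-Message = 0x030b0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = 'rickjames'
(11)  eap_peap : Tunneled authentication was successful.
(9) eap_ttls : Got tunneled reply code 2
        Ruckus-Role = 'TestSite-Premium'
        User-Name = 'rickjames'
(9) eap_ttls : Using saved attributes from the original Access-Accept
\tRuckus-Role = 'TestSite-Premium'
"""

# Header lines that open an attribute list in the debug output.
HEADER_RE = re.compile(
    r"^\((?P<session>\d+)\)\s+(?P<method>eap_peap|eap_ttls)\s*:\s*"
    r"(?:Got tunneled reply code (?P<code>\d+)"
    r"|(?P<saved>Using saved attributes from the original Access-Accept))"
)
# Indented "Name = value" lines (spaces or tabs) that follow a header.
ATTR_RE = re.compile(r"^\s+(?P<name>[A-Za-z0-9-]+)\s*=\s*(?P<value>.*?)\s*$")

# Attributes produced by the EAP/MSCHAP machinery itself; their presence says
# nothing about whether the inner tunnel returned an authorization decision.
# (Assumed classification for this example.)
TRANSPORT_ATTRS = frozenset({
    "MS-MPPE-Encryption-Policy", "MS-MPPE-Encryption-Types",
    "MS-MPPE-Send-Key", "MS-MPPE-Recv-Key",
    "EAP-Message", "Message-Authenticator", "User-Name",
})


def parse_tunneled_replies(debug_text):
    """Return one dict per header block: session, method, event, code, attrs."""
    blocks = []
    current = None
    for line in debug_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            is_reply = header.group("code") is not None
            current = {
                "session": int(header.group("session")),
                "method": header.group("method"),
                "event": "tunneled-reply" if is_reply else "saved-attributes",
                "code": int(header.group("code")) if is_reply else None,
                "attrs": {},
            }
            blocks.append(current)
            continue
        attr = ATTR_RE.match(line)
        if attr and current is not None:
            # Strip the single quotes FreeRADIUS puts around string values.
            current["attrs"][attr.group("name")] = attr.group("value").strip("'")
            continue
        current = None  # any other line closes the attribute list
    return blocks


def missing_authorization(blocks, required=("Ruckus-Role",)):
    """For each tunneled Access-Accept (code 2), list the authorization
    attributes present and the required ones that are absent."""
    findings = []
    for block in blocks:
        if block["event"] != "tunneled-reply" or block["code"] != 2:
            continue
        present = sorted(set(block["attrs"]) - TRANSPORT_ATTRS)
        absent = [name for name in required if name not in block["attrs"]]
        findings.append({
            "session": block["session"],
            "method": block["method"],
            "authorization_attrs": present,
            "missing": absent,
        })
    return findings


def saved_attributes(blocks, session):
    """Attributes the outer EAP layer reported as saved for a session."""
    for block in blocks:
        if block["event"] == "saved-attributes" and block["session"] == session:
            return dict(block["attrs"])
    return None


if __name__ == "__main__":
    parsed = parse_tunneled_replies(SAMPLE_DEBUG)
    for finding in missing_authorization(parsed):
        status = "OK" if not finding["missing"] else "MISSING " + ", ".join(finding["missing"])
        print(f"({finding['session']}) {finding['method']}: "
              f"authorization attrs {finding['authorization_attrs']} -> {status}")
```

Run it against a real `radiusd -X` capture by replacing `SAMPLE_DEBUG` with the file contents. A session whose tunneled Access-Accept carries no authorization attribute will show `MISSING Ruckus-Role`, and the same session's "Using saved attributes" block will list nothing but User-Name, which is the pattern the thread reports for peap6.log versus ttls6.log.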


