EAP-TLS and EAP-TTLS/MSCHAPv2 in parallel...possible?
Ben
ben+freeradius at list-subs.com
Fri Feb 28 22:31:01 CET 2014
> Well.. they shouldn't. And what's with not posting the debug log? Do
> you want to fix the problem or not?
This is what it looks like with ldap uncommented, i.e. EAP-TLS "broken".
In comparison, lower down you can see that with LDAP commented again,
it just gets on with the job of processing EAP-TLS.
*** LDAP UNCOMMENTED*****
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=251, length=188
User-Name = "xyz_laptop_wifi"
NAS-IP-Address = 172.16.100.254
NAS-Identifier = "hello"
NAS-Port = 0
Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXXXXXXX"
Calling-Station-Id = "60-03-FF-FF-FF-FF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0xXXXXXXXXX
Message-Authenticator = 0xXXXXXXXXX
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xyz_laptop_wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for xyz_laptop_wifi
[ldap] expand: %{Stripped-User-Name} ->
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> xyz_laptop_wifi
[ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=xyz_laptop_wifi)
[ldap] expand: ou=dot1x,dc=mydomain,dc=eu -> ou=dot1x,dc=mydomain,dc=eu
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to localhost:389, authentication 0
[ldap] bind as cn=admin,dc=mydomain,dc=eu/XXXXXXXXXXXXXX to localhost:389
[ldap] waiting for bind result ...
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
[ldap] (re)connection attempt failed
[ldap] search failed
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns fail
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> xyz_laptop_wifi
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=251, length=188
Waiting to send Access-Reject to client wifi2 port 32771 - ID: 251
Sending delayed reject for request 0
Sending Access-Reject of id 251 to 172.16.100.254 port 32771
Waking up in 4.9 seconds.
Cleaning up request 0 ID 251 with timestamp +7
Ready to process requests.
***** LDAP COMMENTED****
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=252, length=188
User-Name = "xyzlaptop_wifi"
NAS-IP-Address = 172.16.100.254
NAS-Identifier = "hello"
NAS-Port = 0
Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXX"
Calling-Station-Id = "60-03-FF-FF-FF-FF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0xXXXX
Message-Authenticator = 0xXXXX
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xyzlaptop_wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 19
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 252 to 172.16.100.254 port 32771
EAP-Message = 0x010100060d20
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7940879679418a6863a4c65145317568
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 172.16.100.254 port 32771, id=253, length=339
User-Name = "xyzlaptop_wifi"
NAS-IP-Address = 172.16.100.254
NAS-Identifier = "hello"
NAS-Port = 0
Called-Station-Id = "84-1B-FF-FF-FF-FF:XXXXXXXX"
Calling-Station-Id = "60-03-FF-FF-FF-FF"
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 0xXXXXXX
State = 0x7940879679418a6863a4c65145317568
Message-Authenticator = 0x827b75775f481e9f2b14b64f56443006
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "xyzlaptop_wifi", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 152
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 142
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 0089], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0d03], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 00ec], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 253 to 172.16.100.254 port 32771
etc. etc. etc.
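The two debug runs above differ in one line that decides the outcome: with the ldap module in authorize and its bind failing, "++[ldap] returns fail" ends the request with an Access-Reject before the authenticate section (and so the EAP-TLS handshake) is ever reached. The following script is an added example, not code from the post or from FreeRADIUS: a small parser for "radiusd -X" output that records each module's return code per section and reports the first failing module together with that module's own diagnostic lines. It assumes only the line formats visible in the logs above ("+- entering group", "++[module] returns rcode", "[module] ..." and "Sending Access-... of id"), and it masks the field after the slash in the "[ldap] bind as DN/credential to host:port" line, which the poster blanked out by hand. The function names and the two abridged sample runs are constructed for this example.

```python
"""Added example (not from the post or from FreeRADIUS): parse radiusd -X
output, find the first failing module per section, and redact the LDAP
bind credential before a log is shared.  Line formats are assumed from
the logs in the post; samples below are abridged from those logs."""
import re

SECTION_RE = re.compile(r"^\+- entering group (\w+) \{")
RETURN_RE = re.compile(r"^\+\+\[([\w.]+)\] returns (\w+)$")
DIAG_RE = re.compile(r"^\[([\w.]+)\] (.*)$")
EAP_TYPE_RE = re.compile(r"^\[eap\] processing type (\w+)$")
OUTCOME_RE = re.compile(r"^Sending (Access-\w+) of id")
# Assumption: after "bind as DN/" comes the bind credential (masked as
# XXXX by the poster), so mask that field before handing the log around.
BIND_RE = re.compile(r"^(\[ldap\] bind as [^/]+)/\S+( to .*)$")

FAILING = {"fail", "reject", "invalid", "userlock"}


def redact(line):
    """Mask the LDAP bind credential; any other line passes through unchanged."""
    return BIND_RE.sub(r"\1/<redacted>\2", line)


def parse_sections(lines):
    """Return ({section: [(module, rcode), ...]}, {module: [diag lines]})."""
    sections, diags, current = {}, {}, None
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:                      # "+- entering group authorize {...}"
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = RETURN_RE.match(line)
        if m and current:          # "++[ldap] returns fail"
            sections[current].append((m.group(1), m.group(2)))
            continue
        m = DIAG_RE.match(line)
        if m:                      # "[ldap] LDAP login failed: ..."
            diags.setdefault(m.group(1), []).append(redact(line))
    return sections, diags


def first_failure(lines):
    """(section, module, rcode, diag_lines) of the first failing module, else None."""
    sections, diags = parse_sections(lines)
    for section, results in sections.items():
        for module, rcode in results:
            if rcode in FAILING:
                return section, module, rcode, diags.get(module, [])
    return None


def eap_type(lines):
    """EAP method the server began processing in authenticate, or None."""
    for line in lines:
        m = EAP_TYPE_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def outcome(lines):
    """Last RADIUS reply type sent (Access-Reject/Challenge/Accept), or None."""
    found = None
    for line in lines:
        m = OUTCOME_RE.match(line.strip())
        if m:
            found = m.group(1)
    return found


# Constructed sample: abridged from the "LDAP UNCOMMENTED" run in the post.
RUN_WITH_LDAP = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[suffix] returns noop
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for xyz_laptop_wifi
[ldap] bind as cn=admin,dc=mydomain,dc=eu/XXXXXXXXXXXXXX to localhost:389
[ldap] LDAP login failed: check identity, password settings in ldap section of radiusd.conf
++[ldap] returns fail
Using Post-Auth-Type Reject
+- entering group REJECT {...}
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 251 to 172.16.100.254 port 32771
""".splitlines()

# Constructed sample: abridged from the "LDAP COMMENTED" run in the post.
RUN_WITHOUT_LDAP = """\
+- entering group authorize {...}
++[preprocess] returns ok
++[eap] returns updated
++[files] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] processing type tls
[tls] Requiring client certificate
++[eap] returns handled
Sending Access-Challenge of id 252 to 172.16.100.254 port 32771
""".splitlines()

if __name__ == "__main__":
    for name, run in (("ldap uncommented", RUN_WITH_LDAP), ("ldap commented", RUN_WITHOUT_LDAP)):
        print(name, "->", outcome(run), "| eap:", eap_type(run), "| first failure:", first_failure(run))
```

On a real capture, call `first_failure(open("debug.log").read().splitlines())`; the module it names is where to look, and the diagnostic lines it returns are the ones worth pasting in a reply, with the bind credential already masked. For the run above it points at ldap in authorize with "LDAP login failed: check identity, password settings in ldap section of radiusd.conf", which is the server's own pointer to the admin DN and password in the ldap section rather than to anything in the EAP configuration.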