Calling eap_md5 to process EAP data in inner-tunnel

Oleksandr Yermolenko aae at sumix.com
Wed Oct 8 10:08:37 CEST 2014


Hello, everyone,

Environment: freeradius 3.0.4, strongswan 5.2.0.

Could someone give me advice or info on why this happened?
What are the stages of how eap-md5 should work in the inner-tunnel?
I saw http://wiki.freeradius.org/guide/EAPMD5-HOWTO but it's not enough in my scenario.

..... begin cut ....
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)   authenticate {
(5)  eap : Expiring EAP session with state 0xea78d7a3ea79d3c6
(5)  eap : Finished EAP session with state 0x9da50fdc99a01a4f
(5)  eap : Previous EAP request found for state 0x9da50fdc99a01a4f, 
released from the list
(5)  eap : Peer sent method TTLS (21)
(5)  eap : EAP TTLS (21)
(5)  eap : Calling eap_ttls to process EAP data
(5)  eap_ttls : Authenticate
(5)  eap_ttls : processing EAP-TLS
   TLS Length 69
(5)  eap_ttls : Length Included
(5)  eap_ttls : eaptls_verify returned 11
(5)  eap_ttls : eaptls_process returned 7
(5)  eap_ttls : Session established.  Proceeding to decode tunneled 
attributes
(5)  eap_ttls : Got tunneled request
     EAP-Message = 0x020100160410521e6638c06be72697c7697d1a2289b9
(5)  eap_ttls : Sending tunneled request
(5)  server inner-tunnel {
(5)    Request:
     EAP-Message = 0x020100160410521e6638c06be72697c7697d1a2289b9
     User-Name = 'stu at sumix.com'
     State = 0xea78d7a3ea79d3c6e940fe67ef2f7464
(5)  # Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel
(5)    authorize {
(5)    [preprocess] = ok
(5)    [files] = noop
(5)   eap : Peer sent code Response (2) ID 1 length 22
(5)   eap : No EAP Start, assuming it's an on-going EAP conversation
(5)    [eap] = updated
(5)   } #  authorize = updated
(5)  Found Auth-Type = EAP
(5)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5)    authenticate {
(5)   eap : Expiring EAP session with state 0xea78d7a3ea79d3c6
(5)   eap : Finished EAP session with state 0xea78d7a3ea79d3c6
(5)   eap : Previous EAP request found for state 0xea78d7a3ea79d3c6, 
released from the list
(5)   eap : Peer sent method MD5 (4)
(5)   eap : EAP MD5 (4)
(5)   eap : Calling eap_md5 to process EAP data
(5)   eap_md5 : Cleartext-Password is required for EAP-MD5 authentication
(5)   ERROR: eap : Failed continuing EAP MD5 (4) session. EAP sub-module 
failed
(5)   eap : Failed in EAP select
(5)    [eap] = invalid
(5)   } #  authenticate = invalid
(5)  Failed to authenticate the user
(5)  Login incorrect (eap: Failed continuing EAP MD5 (4) session. EAP 
sub-module failed): [stu at sumix.com/<via Auth-Type = EAP>] (from client 
aae-vm port 0 via TLS tunnel)
(5)  Using Post-Auth-Type Reject
(5)  # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
(5)   Post-Auth-Type REJECT {
(5)   attr_filter.access_reject : EXPAND %{User-Name}
(5)   attr_filter.access_reject :    --> stu at sumix.com
(5)   attr_filter.access_reject : Matched entry DEFAULT at line 11
(5)    [attr_filter.access_reject] = updated
(5)   } # Post-Auth-Type REJECT = updated
(5)    Reply:
     EAP-Message = 0x04010004
     Message-Authenticator = 0x00000000000000000000000000000000
(5)  } # server inner-tunnel
(5)  eap_ttls : Got tunneled Access-Reject
   SSL: Removing session 
adf6f0ff78ebe6faaa6f3949f499535dc8a21dfc72a066a288b3e0e0bfbc9339 from 
the cache
(5)  ERROR: eap : Failed continuing EAP TTLS (21) session. EAP 
sub-module failed
(5)  eap : Failed in EAP select
(5)   [eap] = invalid
(5)  } #  authenticate = invalid
(5) Failed to authenticate the user
(5) Login incorrect (eap: Failed continuing EAP TTLS (21) session. EAP 
sub-module failed): [stu at sumix.com/<via Auth-Type = EAP>] (from client 
aae-vm port 68 cli 10.20.9.8[4500])
(5) Using Post-Auth-Type Reject
(5) # Executing group from file /etc/raddb/sites-enabled/default
(5)  Post-Auth-Type REJECT {
(5)  attr_filter.access_reject : EXPAND %{User-Name}
(5)  attr_filter.access_reject :    --> stu at sumix.com
(5)  attr_filter.access_reject : Matched entry DEFAULT at line 11
(5)   [attr_filter.access_reject] = updated
(5)  eap : Reply already contained an EAP-Message, not inserting EAP-Failure
(5)   [eap] = noop
(5)   remove_reply_message_if_eap remove_reply_message_if_eap {
(5)     if (&reply:EAP-Message && &reply:Reply-Message)
(5)     if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(5)    else else {
(5)     [noop] = noop
(5)    } # else else = noop
(5)   } # remove_reply_message_if_eap remove_reply_message_if_eap = noop
(5)  } # Post-Auth-Type REJECT = updated
(5) Delaying response for 1 seconds

.....
users file

stu    Cleartext-Password := "x3DdEhgN"
stu at sumix.com    Cleartext-Password := "x3DdEhgN"


Big thanks for your help and advice.

Oleksandr
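
The EAP-Message values in the debug output above can be decoded by hand, which shows what the inner eap_md5 step receives. The following Python is an added example, not part of the original post and not FreeRADIUS code; the function names are hypothetical, and the challenge and password in the demo are constructed. It parses the tunneled EAP packets and shows the CHAP-style check from RFC 1994 that EAP-MD5 relies on, which is why the server needs the cleartext password.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5 = 4  # EAP method number shown in the log as "MD5 (4)"

def parse_eap(hex_str):
    """Decode an EAP packet from a debug-log hex string such as 0x0201..."""
    raw = bytes.fromhex(hex_str[2:] if hex_str.startswith("0x") else hex_str)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    pkt = {"code": EAP_CODES.get(code, str(code)), "id": ident, "length": length}
    if code in (1, 2) and length > 4:      # only Request/Response carry a type
        pkt["type"] = raw[4]
        if raw[4] == EAP_TYPE_MD5:
            if length < 6 or 6 + raw[5] > length:
                raise ValueError("truncated MD5 value")
            pkt["value"] = raw[6:6 + raw[5]]  # Value-Size byte, then Value
    return pkt

def expected_md5_value(ident, password, challenge):
    """CHAP-style digest: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def verify_md5_response(pkt, password, challenge):
    """Server-side check; it cannot be done from a password hash alone."""
    want = expected_md5_value(pkt["id"], password, challenge)
    return hmac.compare_digest(pkt.get("value", b""), want)

if __name__ == "__main__":
    # The two EAP-Message values from the inner-tunnel part of the log.
    print(parse_eap("0x020100160410521e6638c06be72697c7697d1a2289b9"))
    print(parse_eap("0x04010004"))
    # Constructed challenge and password, not values from the post.
    chal, pw = bytes(range(16)), b"constructed-secret"
    resp = bytes([2, 7, 0, 22, 4, 16]) + expected_md5_value(7, pw, chal)
    print(verify_md5_response(parse_eap(resp.hex()), pw, chal))
```

The first packet decodes to a Response with ID 1, length 22 and type 4, matching the "Peer sent code Response (2) ID 1 length 22" line, and the reply `0x04010004` is an EAP Failure for the same ID.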


