Odd issue with EAP-TTLS... Tunneled challenge invalid?

Matthew Newton mcn4 at leicester.ac.uk
Tue Aug 25 16:27:06 CEST 2015


On Tue, Aug 25, 2015 at 03:03:41PM +0100, Stefan Paetow wrote:
> One of our sites has run into an issue where they are trying to
> connect to their server with EAP-TTLS. They've used rad_eap_test
> on the same machine just to test the connection locally and this
> is the output log. I'm stumped... I've never seen this error
> before. Any suggestions will be most appreciated! :-)

> (5) eap: Peer sent method TTLS (21)
> (5) eap: EAP TTLS (21)
> (5) eap: Calling eap_ttls to process EAP data
> (5) eap_ttls: Authenticate
> (5) eap_ttls: processing EAP-TLS
> (5) eap_ttls: eaptls_verify returned 7
> (5) eap_ttls: Done initial handshake
> (5) eap_ttls: eaptls_process returned 7
> (5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
> (5) eap_ttls: Tunneled challenge is incorrect
>   SSL: Removing session 33a218d505462c178a405e16e5bed8f0817d9f80e78b6093836ce2edb7050e38 from the cache
> (5) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
> (5) eap: Failed in EAP select

https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c#L366-L390

With some notes I wrote on the subject a few years ago when I
couldn't work it out:

http://notes.asd.me.uk/2012/04/20/where-is-the-challenge-in-eap-ttls-ms-chapv2/

So my uneducated guess is that rad_eap_test is sending an
incorrect challenge. Are you setting chap-challenge or
ms-chap-challenge manually? For EAP-TTLS these should be generated
from the SSL keying data.

Matthew



-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
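For anyone who hits the same "Tunneled challenge is incorrect" line, the check behind it is that the CHAP / MS-CHAP challenge carried inside the TTLS tunnel must equal the implicit challenge both ends derive from the TLS session (RFC 5281 section 11.1: the TLS PRF keyed with the master secret, label "ttls challenge", seed client_random + server_random, which is what an RFC 5705 exporter with no context computes). The script below is an added example written for this thread, not code from FreeRADIUS or rad_eap_test. It assumes a TLS 1.2 session whose cipher suite uses the SHA-256 PRF (TLS 1.0/1.1 and TLS 1.3 derive exporter output differently) and uses constructed master-secret and random values; the function names, the challenge lengths (16 bytes plus one ident byte for CHAP and MS-CHAPv2, 8 plus one for MS-CHAP v1, per RFC 5281 section 11.2) and the two-sided "supplicant vs. server" check are my own framing of the rule, not FreeRADIUS's internal API.

```python
"""Derive the EAP-TTLS implicit challenge from TLS keying material and check a
tunneled CHAP / MS-CHAP challenge against it (example, not FreeRADIUS code)."""
import hashlib
import hmac

# Assumption: the TLS 1.2 PRF with P_SHA256 (RFC 5246 section 5). A TLS 1.0/1.1
# session would use the MD5/SHA-1 split PRF and TLS 1.3 an HKDF-based exporter.
def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    full_seed = label + seed
    a = full_seed                                                    # A(0) = seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + full_seed, hashlib.sha256).digest()
    return out[:length]

# Challenge length per inner method (RFC 5281 section 11.2); the PRF output is
# the challenge followed by one identifier byte.
CHALLENGE_LEN = {"CHAP": 16, "MS-CHAP": 8, "MS-CHAPv2": 16}

def ttls_implicit_challenge(master_secret: bytes, client_random: bytes,
                            server_random: bytes, method: str):
    """RFC 5281 section 11.1: PRF(master_secret, "ttls challenge",
    client_random + server_random), split into (challenge, ident)."""
    n = CHALLENGE_LEN[method]
    keying = tls12_prf(master_secret, b"ttls challenge",
                       client_random + server_random, n + 1)
    return keying[:n], keying[n]

def check_tunneled_challenge(master_secret: bytes, client_random: bytes,
                             server_random: bytes, method: str,
                             sent_challenge: bytes, sent_ident: int):
    """Server-side check: the challenge the peer put in the tunnel must match
    the one derived from this very TLS session, and the ident byte the peer
    used (CHAP-Ident / first byte of MS-CHAP2-Response) must match too."""
    expected, ident = ttls_implicit_challenge(master_secret, client_random,
                                              server_random, method)
    if len(sent_challenge) != len(expected) or \
            not hmac.compare_digest(expected, sent_challenge):
        return False, "Tunneled challenge is incorrect"
    if sent_ident != ident:
        return False, "Tunneled challenge ident is incorrect"
    return True, "ok"

# Constructed TLS session values (not real keying material).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0x11]) * 32
SERVER_RANDOM = bytes([0x22]) * 32

def supplicant_correct():
    """A conforming peer derives the challenge from the same TLS session."""
    return ttls_implicit_challenge(MASTER_SECRET, CLIENT_RANDOM,
                                   SERVER_RANDOM, "MS-CHAPv2")

def supplicant_manual():
    """A peer that sets MS-CHAP-Challenge by hand instead of deriving it."""
    return bytes(16), 1

def demo():
    results = {}
    for name, peer in (("derived", supplicant_correct),
                       ("manual", supplicant_manual)):
        chal, ident = peer()
        results[name] = check_tunneled_challenge(
            MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, "MS-CHAPv2", chal, ident)
    return results

if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:8s} challenge: {'accepted' if ok else 'rejected'} ({reason})")
```

The "manual" case is the situation the reply above suspects: a challenge that is random or configured by hand can never match the server's derivation, however correct the MS-CHAPv2 response computed over it is, because the server recomputes the challenge from the TLS keys rather than trusting the tunneled attribute.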

