EAP-TTLS with PAP and Mac Authentication is not working together

Sunil Kulkarni -X (sunikulk - PERSISTENT SYSTEMS INC at Cisco) sunikulk at cisco.com
Wed Jun 10 23:15:11 CEST 2015


Hello All,

I am using FreeRadius version 3.0.8.
I am able to configure EAP-TTLS with PAP on FreeRadius. I have to handle the following scenarios when a request comes from one of the client IPs. I have followed http://wiki.freeradius.org/guide/Mac-Auth to achieve this.

1. MAC Authentication
2. EAP-TTLS with PAP

Following are my files:
Client.conf
client <client_ip_address> {
        ipaddr          = <client_ip_address>
        secret          = <secret_key>
        shortname       = <client_ip_address>
        virtual_server  = client-listener
}

Client-listener
server client-listener {

        authorize {
                if (EAP-Message) {
                        eap
                }
                else {
                        preprocess

                        files

                        if (ok) {
                                update control {
                                        Auth-Type := Accept
                                }
                        }
                        else {
                                # reject
                                update control {
                                        Auth-Type := Reject
                                }
                        }
                }
        }
}

When I remove virtual_server  = client-listener from the client.conf file, EAP-TTLS with PAP works correctly. However, when I test with virtual_server  = client-listener, FreeRadius is not able to identify the EAP auth type. Below are a few lines from the log file:

............
............
(0)   NAS-Port-Type = Wireless-802.11
(0)   EAP-Message = 0x0201001a016f73752d64303a61363a33373a62373a33363a6539
(0)   Message-Authenticator = 0x917afa7c89cd3ab4ec557774b058f177
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/client- listener
(0)   authorize {
(0)     if (EAP-Message) {
(0)     if (EAP-Message)  -> TRUE
(0)     if (EAP-Message)  {
(0) eap: Peer sent code Response (2) ID 1 length 26
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)       [eap] = ok
(0)     } # if (EAP-Message)  = ok
(0)     ... skipping else for request 0: Preceding "if" was taken
(0)   } # authorize = ok
(0) Found Auth-Type = EAP
(0) Auth-Type sub-section not found.  Ignoring.
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
(0) Delaying response for 1.000000 seconds
.......
.......


Am I missing any configuration?


---
Thanks,
Sunil Kulkarni
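
Added example (not part of the original post and not FreeRADIUS code): a small Python parser for this kind of debug output that pairs each "sub-section not found" line with the Auth-Type the server had selected and the virtual-server file in use. In FreeRADIUS 3 that line means the virtual server being executed has no matching entry in its authenticate (or post-auth) section. The sample input is an excerpt of the log quoted above; the function and variable names are this example's own.

```python
import re

# Excerpt of the debug output quoted in the post above.
SAMPLE_LOG = """\
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/client- listener
(0)   authorize {
(0)       [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = EAP
(0) Auth-Type sub-section not found.  Ignoring.
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject
(0) Post-Auth-Type sub-section not found.  Ignoring.
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")          # "(request id) message"
EXEC = re.compile(r"# Executing section (\S+) from file (.+)$")
FOUND = re.compile(r"Found Auth-Type = (\S+)")
USING = re.compile(r"Using Post-Auth-Type (\S+)")
MISSING = re.compile(r"^(Auth-Type|Post-Auth-Type) sub-section not found")


def find_missing_sections(log_text):
    """Return one dict per 'sub-section not found' line, tied to its request."""
    state = {}      # request id -> last seen file / Auth-Type / Post-Auth-Type
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue            # elision dots, attribute dumps without an id, etc.
        req, msg = int(m.group(1)), m.group(2)
        st = state.setdefault(req, {})
        if (e := EXEC.search(msg)):
            st["file"] = e.group(2)
        elif (f := FOUND.search(msg)):
            st["Auth-Type"] = f.group(1)
        elif (u := USING.search(msg)):
            st["Post-Auth-Type"] = u.group(1)
        elif (x := MISSING.match(msg)):
            kind = x.group(1)
            section = "authenticate" if kind == "Auth-Type" else "post-auth"
            findings.append({"request": req, "section": section,
                             "value": st.get(kind), "file": st.get("file")})
    return findings


if __name__ == "__main__":
    for f in find_missing_sections(SAMPLE_LOG):
        print("request {request}: no {section} handler for {value} in {file}".format(**f))
```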


