EAP-TTLS/PAP with realm - <no User-Password attribute>

Rob Gorrell rwgorrel at uncg.edu
Sun Mar 13 20:38:55 CET 2016


I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on
top of CentOS6.
For simplicity, I would like to use PAP and statically define
Cleartext-Password for users in the users file.
But I also would like to be able to authenticate using full realm since I
plan on using realm for testing some routing.
I currently have this working for basic radius by stripping the realm and
then using Cleartext-Password from the users file ... however, when I went
to put the same setup through EAP TTLS, I'm now having problems and getting
a no User-Password attribute despite supplying the same one from
radtest but using rad_eap_test.

Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d)
Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d)

While researching, I came across a theory that sounds fitting to my
situation... upon receiving a username qualified by a realm, FreeRadius
will strip the realm off before matching the username. This results in the
User-Name being modified to be different to the EAP Identity field before
being sent for actual authenticating.  This results in FreeRadius issuing
a rejection due to the mismatch between the two fields.

Does that sound right? If so, I'm not sure what I can do about it... I
can't nostrip the username as then I won't be able to authenticate via PAP.
But I can't log in identically matching my users file (i.e. no realm), because
I need the realm for routing.

Suggestions? Thanks,
-Rob

