EAP-TTLS not working

Stefan Winter stefan.winter at restena.lu
Thu Nov 3 08:40:28 CET 2016


Hi,

> As far as I understand MacOS tries to use MS-CHAPv2 and this does not
> seem to work. 

IIRC, Apple changed the TTLS default inner method away from PAP to
EAP-MSCHAPv2 (not just MSCHAPv2) a few releases back.

If you want an inner of (non-EAP) PAP then you have to tell the Mac and
iOS devices with a .mobileconfig configuration file.

Or you re-configure your FreeRADIUS to support MSCHAPv2 instead, if you
have NT-Hashes or cleartext of the passwords of your users.

If you want to generate .mobileconfig files and also config files for
lots of other platforms all in one go, try https://802.1x-config.org

Greetings,

Stefan Winter

> It seems my perl auth script does not get a password through while using
> mschapv2. 
> 
> On 2016-10-17 17:29, A.L.M.Buxey at lboro.ac.uk wrote: 
> 
>>> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
>>> [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
>>> ++[auth_log] = ok
>>> [suffix] Looking up realm "ash-berlin.eu" for User-Name =
>>> "anonymous at ash-berlin.eu"
>>> [suffix] No such realm "ash-berlin.eu"
>>
>> so, a realm you are trying to auth isn't defined in the proxy.conf as one of your own, e.g.
>>
>> realm ash-berlin.eu {
>> }
> 
> Did that :) 
> 
>> [files] users: Matched entry DEFAULT at line 1
>> what is on line 1 of your users file? (I shudder to think....)
>>
>> Found Auth-Type = Perl
>> Found Auth-Type = EAP
>> Warning: Found 2 auth-types on request for user
>> yes....see that warning. you are forcing the server to do something - eg Auth-Type
>> is being manually set. you shouldn't need to do that...
> 
> I read this in the readme of rlm_perl which I use -
> http://wiki.freeradius.org/modules/Rlm_perl [1] 
> So I set 
> 
> DEFAULT Auth-Type := Perl
>  Fall-Through = yes 
> 
> in the users (ok now it is mods-config/files/authorize) file. The rest
> is commented out. 
> 
> If I take this entry out login via Windows fails, too. 
> 
>> ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
>> /.*@ash-berlin.eu$/)) -> FALSE
>> as you can see, this policy you have isn't matching. if you have the realm defined, you can just check for %{Realm}
>> being populated...nice and easy.
> 
> Which would be the appropriate file to do this? 
> 
>> now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel.
>>
>> what is the PERL script for? does it need to be called for an EAP auth in the outer phase? you need to
>> streamline the policy so only calls to relevant modules are called in the outer phase and only the
>> bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are
>> called....
> 
> The perl script is for a custom type of authentication only. 
> I have difficulties understanding what inner and outer identity are. Do
> you have a good hint on what to read to fully understand this? 
> 
> With kind regards,
>  Marlen Caemmerer
> 
>  -- 
>  ************************************************
>  Alice Salomon Hochschule
>  Computerzentrum
>  Marlen Caemmerer
>  Alice-Salomon-Platz 5
>  12627 Berlin
> 
>  Email: caemmerer at ash-berlin.eu
>  ************************************************ 
> 
> Links:
> ------
> [1] http://wiki.freeradius.org/modules/Rlm_perl
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
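The .mobileconfig route described above, as an added example. This is editor's code, not from the original post, from Apple, or from 802.1x-config.org: it builds a profile that forces EAP-TTLS (method type 21) with a non-EAP PAP inner method, anchors the server certificate to an embedded CA, and then reads the profile back to report what the device will do. The payload key names follow Apple's Configuration Profile Reference; the SSID "eduroam" and the realm "ash-berlin.eu" come from the thread, while the RADIUS hostname, the username and the CA certificate bytes are constructed placeholders. It also makes the outer/inner identity split concrete: `OuterIdentity` is the `anonymous@realm` seen in the outer log (`anonymous at ash-berlin.eu`), `UserName` is the real inner identity that only crosses the TLS tunnel.

```python
# Added example (editor's, not from the original post or from 802.1x-config.org):
# build a .mobileconfig that pins macOS/iOS to EAP-TTLS with a non-EAP PAP inner
# method, then read the profile back to confirm what the device will do.
# Payload keys follow Apple's Configuration Profile Reference; the hostname,
# username and CA certificate bytes used below are constructed placeholders.
import plistlib
import uuid

EAP_TTLS = 21  # IANA EAP method type for TTLS


def new_uuid() -> str:
    return str(uuid.uuid4()).upper()


def build_ttls_pap_profile(ssid, realm, username, ca_cert_der, server_names,
                           profile_id="org.example.wifi", organization="Example org"):
    """Return the XML plist bytes of a profile that forces TTLS/PAP.

    The outer identity is anonymous@realm (sent in clear in the EAP-Identity
    response); the real username only travels inside the TLS tunnel as the
    inner identity.  The server certificate is anchored to the embedded CA and
    its name is restricted to server_names, so the cleartext PAP password is
    not released to an arbitrary RADIUS server that merely presents some
    certificate.
    """
    ca_uuid = new_uuid()
    eap_config = {
        "AcceptEAPTypes": [EAP_TTLS],
        "TTLSInnerAuthentication": "PAP",   # the non-EAP inner method
        "OuterIdentity": f"anonymous@{realm}",
        "UserName": f"{username}@{realm}",  # inner identity, seen only by the home server
        "PayloadCertificateAnchorUUID": [ca_uuid],
        "TLSTrustedServerNames": list(server_names),
    }
    ca_payload = {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{profile_id}.ca",
        "PayloadUUID": ca_uuid,
        "PayloadDisplayName": "RADIUS server CA",
        "PayloadContent": ca_cert_der,      # DER certificate, emitted as <data>
    }
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{profile_id}.wifi",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": f"Wi-Fi {ssid}",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": eap_config,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": profile_id,
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": f"{ssid} (EAP-TTLS/PAP)",
        "PayloadOrganization": organization,
        "PayloadContent": [ca_payload, wifi_payload],
    }
    return plistlib.dumps(profile)


def describe_eap(mobileconfig: bytes) -> dict:
    """Parse a profile and report the EAP settings a device would apply.

    'anchor_ok' is False when the TTLS payload has no certificate anchor, or
    names an anchor UUID that matches no root-certificate payload in the same
    profile, i.e. when the device would accept whatever certificate the user
    clicks through.
    """
    profile = plistlib.loads(mobileconfig)
    payloads = profile["PayloadContent"]
    root_uuids = {p["PayloadUUID"] for p in payloads
                  if p["PayloadType"] == "com.apple.security.root"}
    for payload in payloads:
        eap = payload.get("EAPClientConfiguration")
        if not eap or EAP_TTLS not in eap.get("AcceptEAPTypes", []):
            continue
        anchors = eap.get("PayloadCertificateAnchorUUID", [])
        return {
            "eap_types": eap["AcceptEAPTypes"],
            # missing key: the device falls back to its own default inner method
            "inner": eap.get("TTLSInnerAuthentication"),
            "outer_identity": eap.get("OuterIdentity"),
            "user_name": eap.get("UserName"),
            "trusted_servers": eap.get("TLSTrustedServerNames", []),
            "anchor_ok": bool(anchors) and all(a in root_uuids for a in anchors),
        }
    raise ValueError("profile contains no EAP-TTLS Wi-Fi payload")


if __name__ == "__main__":
    # Constructed placeholders: not a real CA certificate, not a real account.
    fake_ca_der = b"\x30\x82\x01\x00PLACEHOLDER-DER-CERT"
    data = build_ttls_pap_profile("eduroam", "ash-berlin.eu", "jdoe", fake_ca_der,
                                  ["radius.ash-berlin.eu"])
    with open("eduroam-ttls-pap.mobileconfig", "wb") as fh:
        fh.write(data)
    print(describe_eap(data))
```

The certificate anchor and TLSTrustedServerNames are the part not to leave out: with TTLS/PAP the inner password is cleartext inside the tunnel, so a profile that only sets the inner method and lets the user accept any server certificate hands that password to whoever runs a rogue access point with the same SSID. Deploy the profile over a trusted channel (or sign it), since an unsigned profile installs only after the user confirms it.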