EAP-TTLS not working
Marlen Caemmerer
caemmerer at ash-berlin.eu
Thu Oct 27 12:49:13 CEST 2016
Hello,
thanks for your answers.
I upgraded to 3.0.12 and got debug output as attached.
It seems strange that Windows 8 and 10 are able to connect while MacOS
and Linux aren't.
As far as I understand MacOS tries to use MS-CHAPv2 and this does not
seem to work.
It seems my perl auth script does not get a password through while using
mschapv2.
On 2016-10-17 17:29, A.L.M.Buxey at lboro.ac.uk wrote:
>> /var/log/radius-eduroam/radacct/127.0.0.1/auth-detail-20161017
>> [auth_log] expand: %t -> Mon Oct 17 15:05:33 2016
>> ++[auth_log] = ok
>> [suffix] Looking up realm "ash-berlin.eu" for User-Name =
>> "anonymous at ash-berlin.eu"
>> [suffix] No such realm "ash-berlin.eu"
>
> so, a realm you are trying to auth isn't defined in the proxy.conf as one of your own e.g.
>
> realm ash-berlin.eu {
> }
Did that :)
> [files] users: Matched entry DEFAULT at line 1
> what is on line 1 of your users file? (I shudder to think....)
>
> Found Auth-Type = Perl
> Found Auth-Type = EAP
> Warning: Found 2 auth-types on request for user
> yes....see that warning. you are forcing the server to do something - e.g. Auth-Type
> is being manually set. you shouldn't need to do that...
I read this in the readme of rlm_perl which I use -
http://wiki.freeradius.org/modules/Rlm_perl [1]
So I set
DEFAULT Auth-Type := Perl
Fall-Through = yes
in the users (ok now it is mods-config/files/authorize) file. The rest
is commented out.
If I take this entry out login via Windows fails, too.
> ++? if (("%{control:Proxy-To-Realm}" == "DEFAULT") && (User-Name =~
> /.*@ash-berlin.eu$/)) -> FALSE
> as you can see, this policy you have isn't matching. if you have the realm defined, you can just check for %{Realm}
> being populated...nice and easy.
Which would be the appropriate file to do this?
> now, the debug never shows an access-accept or reject.....the server never ends up in an inner-tunnel.
>
> what is the PERL script for? does it need to be called for an EAP auth in the outer phase? you need to
> streamline the policy so only calls to relevant modules are called in the outer phase and only the
> bits you need (once EAP tunnel has been configured, client happy with cert from server etc) are
> called....
The perl script is for a custom type of authentication only.
I have difficulties understanding what inner and outer identity are. Do
you have a good hint on what to read to fully understand this?
With kind regards,
Marlen Caemmerer
--
************************************************
Alice Salomon Hochschule
Computerzentrum
Marlen Caemmerer
Alice-Salomon-Platz 5
12627 Berlin
Email: caemmerer at ash-berlin.eu
************************************************
Links:
------
[1] http://wiki.freeradius.org/modules/Rlm_perl
Attachment: debug-win-working.txt
<http://lists.freeradius.org/pipermail/freeradius-users/attachments/20161027/7d2b18d1/attachment-0002.txt>
Attachment: debug-mac.txt
<http://lists.freeradius.org/pipermail/freeradius-users/attachments/20161027/7d2b18d1/attachment-0003.txt>
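An added configuration example (not from this thread or the FreeRADIUS project) that puts the three suggestions above side by side: the realm declared in proxy.conf, the users-file entry narrowed so it no longer forces Auth-Type on EAP requests, and the outer authorize policy keyed on the Realm attribute that the suffix module populates. The module instance name `perl` and the site-file layout are assumptions.

```conf
# proxy.conf: declare ash-berlin.eu as a local realm. rlm_suffix then
# recognises the suffix, sets Realm, and stops reporting "No such realm".
realm ash-berlin.eu {
}

# mods-config/files/authorize (the "users" file)
#
# Before: every request, EAP included, is forced into Auth-Type Perl, which
# collides with the Auth-Type the eap module sets ("Found 2 auth-types").
#
#   DEFAULT Auth-Type := Perl
#           Fall-Through = yes
#
# After: only requests without an EAP-Message get Auth-Type Perl, so the
# eap module alone decides the Auth-Type for EAP-TTLS requests.
DEFAULT EAP-Message !* ANY, Auth-Type := Perl
        Fall-Through = yes

# sites-enabled/default, authorize section (assumed layout). The policy keys
# on the Realm attribute suffix populated instead of a regex on User-Name,
# and calls the assumed "perl" instance only for non-EAP requests, keeping
# the outer EAP phase free of modules it does not need.
authorize {
        suffix
        eap {
                ok = return
        }
        if (Realm && !EAP-Message) {
                perl
        }
        files
}
```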