FreeRadius EAP-TTLS Troubleshooting

Alan DeKok aland at deployingradius.com
Tue May 30 23:38:26 CEST 2017


On May 30, 2017, at 5:31 PM, Smith, James <james.smith at saabsensis.com> wrote:
> 
> FreeRADIUS Version 3.0.4

  You should really upgrade to 3.0.14.  But anyways...

> Hello,
> I'm new to the FreeRadius community and would like to start by saying hello. I'm working on a FreeRadius issue and am having some trouble figuring out what exactly is going on so I'm going to try to post here to see if there is a possible solution.
> 
> We are utilizing FreeRadius for EAP-TTLS authentication with Siemens radios and I'm not able to get our radio to register with the base station. Certificates are installed on the radio, base station and radius server. I've included the Radius -X output to a text file and have it attached.
> 
> I've looked through the debug file and I'm noticing that the radio is getting through part of the authentication then is failing when it tries to authorize the radio. The error seems like it would be easy to translate but nothing seems to be incorrect in my files regarding the client.conf so I'm having a hard time figuring out why the radio is unable to authorize. The actual error message states "No Auth type found:" rejects the user then says "Login Incorrect".

  The exact messages are:

Tue May 30 18:46:18 2017 : Debug: (11)  eap_ttls : Sending tunneled request
Tue May 30 18:46:18 2017 : Debug: (11)  server inner-tunnel {
Tue May 30 18:46:18 2017 : Debug: (11)    Request:
	User-Name = 'CPE4'
	User-Password = 'password'
Tue May 30 18:46:18 2017 : Debug: (11)  Empty authorize section.  Using default return values.
Tue May 30 18:46:18 2017 : ERROR: (11)  No Auth-Type found: rejecting the user via Post-Auth-Type = Reject

  You deleted the contents of the "inner-tunnel" file, and broke it.  Don't do that.

  Use the default configuration.  It works.

> Note: I changed the actual passwords using the Find/Replace function. The client that is failing is CPE4 at siemens.com and it begins authentication as the Debug (7) in the debug log. The first reject happens in Debug (11) (I highlighted in red where the reject message begins.)

  That's fine.

  Alan DeKok.
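
A way to check a `radiusd -X` capture for the failure diagnosed above, and to mask password attributes before the capture is posted, as an added example that is not part of the original thread or of FreeRADIUS. The function names are hypothetical, the sample lines are constructed in the format quoted above, and the virtual server is assumed to be the most recent "server NAME {" line seen for the request number.

```python
import re

# Constructed sample in the format of the debug lines quoted in the thread.
# Request 12 is a constructed contrast case: rejected, but authorize was not empty.
SAMPLE = """\
Tue May 30 18:46:18 2017 : Debug: (11)  eap_ttls : Sending tunneled request
Tue May 30 18:46:18 2017 : Debug: (11)  server inner-tunnel {
Tue May 30 18:46:18 2017 : Debug: (11)    Request:
\tUser-Name = 'CPE4'
\tUser-Password = 'password'
Tue May 30 18:46:18 2017 : Debug: (11)  Empty authorize section.  Using default return values.
Tue May 30 18:46:18 2017 : ERROR: (11)  No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Tue May 30 18:46:19 2017 : Debug: (12)  server inner-tunnel {
Tue May 30 18:46:19 2017 : ERROR: (12)  No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

LINE = re.compile(r": \w+: \((\d+)\)\s+(.*)$")    # "<time> : Debug: (11)  message"
SERVER = re.compile(r"server (\S+) \{")           # entry into a virtual server
SECRET = re.compile(r"^(\s*(?:User-Password|Cleartext-Password)\s*=\s*).*$")

def redact(text):
    """Mask password attribute values so the log can be shared."""
    return "\n".join(SECRET.sub(r"\1'<redacted>'", l) for l in text.splitlines())

def diagnose(text):
    """Return [(request_id, virtual_server)] for every request rejected with
    'No Auth-Type found' after an 'Empty authorize section' message."""
    server, empty, hits = {}, set(), []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # attribute lines carry no request id
        rid, msg = int(m.group(1)), m.group(2)
        s = SERVER.match(msg)
        if s:
            server[rid] = s.group(1)      # assumption: last server seen wins
        elif msg.startswith("Empty authorize section"):
            empty.add(rid)
        elif msg.startswith("No Auth-Type found") and rid in empty:
            hits.append((rid, server.get(rid, "unknown")))
    return hits

if __name__ == "__main__":
    for rid, name in diagnose(SAMPLE):
        print(f"request ({rid}): authorize section of server '{name}' is empty")
    print(redact(SAMPLE))
```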



