EAP Auth-Type Error

Alan DeKok aland at deployingradius.com
Wed Oct 18 04:26:50 CEST 2017

On Oct 17, 2017, at 6:55 PM, Byron Jeffery <byronjeffery at cem.org.au> wrote:
> I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an
> Azure environment authenticating to an Active Directory server using
> eap-peap-mschap.

  Follow my guides:  http://deployingradius.com

  It *will* work.

> I also have a Freeradius version 3.0.12 currently running and have
> replicated all the settings across to the new build, however, I am unable
> to successfully authenticate and have noted the error "eap: No EAP-Message,
> not doing EAP" in the debug as follows particularly when moving from
> default to inner-tunnel:

  That's not an error.  It's just an informative message.

> (6) eap_ttls: Got tunneled request
> (6) eap_ttls:   User-Name = "omitted"
> (6) eap_ttls:   User-Password = "omitted"

  Note that this is EAP-TTLS, with PAP inside of the tunnel.  Not PEAP-MSCHAPv2.

  As always, the debug log tells you what's going on.  If you think it's doing PEAP, but the debug log says TTLS, well, it's doing TTLS.

> (6) server inner-tunnel {
> (6)   # Executing section authorize from file
> /etc/freeradius/sites-enabled/inner-tunnel

  And nothing in the inner-tunnel says how to authenticate the user.  That's the problem.

> I am a bit stumped as to where I might be going wrong as I have set
> the default_eap_type
> = peap  in the /mods-enaabled/eap file

  That's a *proposal* from the server.  If (again) you read the debug log, you'll see the server proposing PEAP, and the client NAKing it, and asking for TTLS.

  If you want the client to do PEAP, you will need to configure the client to do PEAP.

> From the debug log I posted above, it seems that the eap message is not
> being passed through to the inner-tunnel.

  No.  That's not what's happening.

  The inner-tunnel contains *no* EAP.  Because the client isn't sending EAP in the inner tunnel.

> As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success
> (0x0)"  message.

  Follow my guide.  It *will* work.

> I have even rebuilt the server leaving many of the default settings, but am
> still getting the error.

  Start from the default configuration, and then follow my guide.

> In addition, my other question is why do I get the "*WARNING: Outer and
> inner identities are the same.  User privacy is compromised."* warning and
> how may I make it more secure?

  Set the outer identity to "anonymous".

  Alan DeKok.

More information about the Freeradius-Users mailing list