EAP Auth-Type Error
Byron Jeffery
byronjeffery at cem.org.au
Wed Oct 18 06:27:39 CEST 2017
Thanks Alan
It all makes sense now and I have resolved the issue.
Kind Regards
Byron Jeffery
On Wed, Oct 18, 2017 at 1:26 PM, Alan DeKok <aland at deployingradius.com> wrote:
> On Oct 17, 2017, at 6:55 PM, Byron Jeffery <byronjeffery at cem.org.au> wrote:
> > I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an
> > Azure environment authenticating to an Active Directory server using
> > eap-peap-mschap.
>
> Follow my guides: http://deployingradius.com
>
> It *will* work.
>
> > I also have a Freeradius version 3.0.12 currently running and have
> > replicated all the settings across to the new build, however, I am unable
> > to successfully authenticate and have noted the error "eap: No EAP-Message,
> > not doing EAP" in the debug as follows particularly when moving from
> > default to inner-tunnel:
>
> That's not an error. It's just an informative message.
>
> > (6) eap_ttls: Got tunneled request
> >
> > (6) eap_ttls: User-Name = "omitted"
> >
> > (6) eap_ttls: User-Password = "omitted"
>
> Note that this is EAP-TTLS, with PAP inside of the tunnel. Not
> PEAP-MSCHAPv2.
>
> As always, the debug log tells you what's going on. If you think it's
> doing PEAP, but the debug log says TTLS, well, it's doing TTLS.
>
> > (6) server inner-tunnel {
> >
> > (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
>
> And nothing in the inner-tunnel says how to authenticate the user.
> That's the problem.
>
> > I am a bit stumped as to where I might be going wrong as I have set
> > the default_eap_type = peap in the /mods-enabled/eap file
>
> That's a *proposal* from the server. If (again) you read the debug log,
> you'll see the server proposing PEAP, and the client NAKing it, and asking
> for TTLS.
>
> If you want the client to do PEAP, you will need to configure the client
> to do PEAP.
>
> > From the debug log I posted above, it seems that the eap message is not
> > being passed through to the inner-tunnel.
>
> No. That's not what's happening.
>
> The inner-tunnel contains *no* EAP. Because the client isn't sending
> EAP in the inner tunnel.
>
> > As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success
> > (0x0)" message.
>
> Follow my guide. It *will* work.
>
> > I have even rebuilt the server leaving many of the default settings, but am
> > still getting the error.
>
> Start from the default configuration, and then follow my guide.
>
> > In addition, my other question is why do I get the "*WARNING: Outer and
> > inner identities are the same. User privacy is compromised."* warning and
> > how may I make it more secure?
>
> Set the outer identity to "anonymous".
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
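
Added example, not part of the thread and not FreeRADIUS code: a small Python check that reads debug output the way the reply does, reporting which tunnel module handled each request and whether the inner request carried EAP or a plain password. The sample lines are constructed from the fragments quoted above; the `eap_peap` prefix and the function name `diagnose` are assumptions.

```python
import re

# Constructed sample shaped like the debug lines quoted in the thread
# (not a real capture; values are placeholders).
SAMPLE_DEBUG = """\
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "omitted"
(6) eap_ttls:   User-Password = "omitted"
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(6) eap: No EAP-Message, not doing EAP
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
"""

LINE = re.compile(r"^\((\d+)\)\s+(.*)$")               # "(6) rest of line"
TUNNEL = re.compile(r"^(eap_ttls|eap_peap):\s+(.*)$")  # eap_peap prefix is assumed
ATTR = re.compile(r"^([A-Za-z][\w-]*)\s+=\s+")         # 'User-Name = "..."'

def diagnose(debug_text):
    """Return {request_id: {"tunnel", "inner_attrs", "notes"}} for a debug log."""
    requests = {}
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        req = requests.setdefault(
            int(m.group(1)), {"tunnel": None, "inner_attrs": [], "notes": []})
        body = m.group(2).strip()
        if "Outer and inner identities are the same" in body:
            req["notes"].append("outer identity exposes the real user name")
        t = TUNNEL.match(body)
        if t:
            # The module that logs the tunneled request is the method in use,
            # whatever default_eap_type proposed.
            req["tunnel"] = t.group(1)
            a = ATTR.match(t.group(2).strip())
            if a:
                req["inner_attrs"].append(a.group(1))
    for req in requests.values():
        attrs = req["inner_attrs"]
        if "User-Password" in attrs and "EAP-Message" not in attrs:
            req["notes"].append("inner request is PAP, not EAP")
        if req["tunnel"] == "eap_ttls":
            req["notes"].append("client negotiated TTLS, not PEAP")
    return requests

if __name__ == "__main__":
    for rid, info in diagnose(SAMPLE_DEBUG).items():
        print(rid, info["tunnel"], info["inner_attrs"], info["notes"])
```

The informational "No EAP-Message, not doing EAP" line is deliberately not flagged.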