TTLS + GTC Configuration -> No Error in log but client stuck on "connecting"

Mark mclarke4 at gmail.com
Fri Sep 15 17:11:54 CEST 2017


Thanks for the quick feedback. It is really appreciated. I will read
through the site referenced this evening. If the MS-MPPE-Recv-Key attributes are
the result of a successful authentication, then does that mean I have been
authenticated successfully? Could it be that there is something else going
wrong, like not getting a DHCP address?
Below is a copy of the message I refer to.

(14) Sent Access-Accept Id 210 from 192.168.10.73:1812 to
192.168.10.103:12115 length 0
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   User-Name = "mark"
(14)   MS-MPPE-Recv-Key =
0xe462a28f0853e9589ad7fa9e50fe3737fe8ff8072e48d081b2dad99ed14ece0a
(14)   MS-MPPE-Send-Key =
0x7f285fae0d10c7111dea2a615626306418f5593198de5d1163dc1da1ff6bf54e
(14)   EAP-Message = 0x03430004
(14) Finished request


On 15 September 2017 at 16:50, Alan DeKok <aland at deployingradius.com> wrote:

> On Sep 15, 2017, at 10:44 AM, Mark <mclarke4 at gmail.com> wrote:
> >
> > Ok so I have gone through the configuration and verified that the ssl
> > paths and passwords are correct but the authentication still fails.
>
>   The debug log will show why.
>
> a) something happened in the server, and it will tell you why the user was
> rejected
>
> b) something happened in TLS, and the client will just drop the
> authentication attempt.
>
> > I tried
> > setting the Auth-Type to  local
>
>   Don't do that.  It's been deprecated for about 8 years.
>
> >  Maybe I need to force set
> > it to the provided clear-text password before the inner tunnel is set up?
>
>   No.
>
> > (I am fully aware I could be talking complete nonsense at this point as
> > my brain is swimming in a rough sea of concepts and what seems like a
> > convoluted labyrinthine mess of configuration options - kind of like
> > living in a Kafka novel :(  )
>
>   It's simple.  Follow the guide on my site:
>
> http://deployingradius.com
>
>   While there are a lot of configuration options, most of them can be
> ignored.  Follow the guide, and it should work.
>
>   The point is to test each thing in isolation.  Test one thing, get it to
> work, and only then test another thing.
>
>   There's also the "inner-tunnel" virtual server.  Read the comments at
> the start.  You can test EAP-GTC authentication *just* for the
> inner-tunnel, *without* using TTLS.  The eapol_test program can be used to
> test this.
>
>   So follow the guide, and use eapol_test to test EAP-GTC in isolation.
>
>   If nothing else, it will get you MUCH smaller debug output.  That makes
> it easier to see what's going on.
>
> > I tried changing the setting to ldap but still cannot log in.  A bit lost
> > really :( I sometimes see "MS-MPPE-Recv-Key" messages but not sure how
> > this got in there as I don't request any MSCHAP authentication?
>
>   Those are put in the Access-Accept when the user successfully
> authenticates.  They're the dynamic WiFi encryption keys.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
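As an added illustration of the isolation test Alan recommends (this is not from the thread or from the FreeRADIUS project), here is an eapol_test configuration that runs EAP-GTC on its own, with no TTLS tunnel, directly against the inner-tunnel virtual server. It assumes the stock inner-tunnel listener on 127.0.0.1:18120, the stock localhost client secret "testing123", the gtc subsection of the eap module left enabled, and that the inner-tunnel can obtain the user's cleartext password (from the users file or ldap); the password value is a placeholder.

```conf
# Added example (not from the thread): eapol_test config for EAP-GTC alone.
# Assumed: inner-tunnel listens on 127.0.0.1:18120 and shares the stock
# localhost client secret "testing123"; adjust both if your clients.conf differs.
#
# Run:  eapol_test -c eap-gtc.conf -a 127.0.0.1 -p 18120 -s testing123 -n
#
# "-n" tells eapol_test not to expect MS-MPPE keys: plain GTC derives no
# session keys, so the Access-Accept will not carry MS-MPPE-Recv-Key /
# MS-MPPE-Send-Key the way the TTLS log above does.  eapol_test ends with
# SUCCESS when the inner-tunnel side is good; a failure here is a GTC or
# password-lookup problem and has nothing to do with TLS certificates.
network={
    key_mgmt=IEEE8021X                  # wired-style EAP, no WPA handshake
    eap=GTC                             # GTC as the outer method: no tunnel
    identity="mark"                     # the user from the debug log above
    password="PLACEHOLDER_PASSWORD"     # constructed placeholder, replace
    eapol_flags=0
}
```

Once this passes, re-enable TTLS and repeat the test with eap=TTLS and phase2="auth=GTC"; if that fails while the plain GTC test succeeds, the fault is in the TLS layer, which is the "client just drops the attempt" case Alan describes.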

