Stuck with EAP-TTLS

Ekkehard Burkon eb at tnib.de
Fri Aug 30 18:10:26 CEST 2019


Hi List,

I'm trying to get EAP-TTLS up but im stuck at some point.

According to the docs when I see a lot of diagnostics on the screen ending with "Sent Access-Challenge Id ... " and no further
response the client does not like the certificate.

First I tried it with Certs from the organisations CA but that showed the symptoms above.

Now I created the certificates with the provided scripts in the certs subdir and imported the CA Cert on the client and made it trusted
but no change. So Im stuck here. The Client is Apple IOS.

Could you please help.

Thank you
     Ekkehard




.....
(8) Login OK: [xxx at yyyy.zzz] (from client access-points-1 port 1 cli F4-06-16-E4-B1-FF)
(8) eap: post-auth returns 2
} # server inner-tunnel
(8) eap: Final reply from tunneled session code 2
(8) eap:   Proxy-State = 0x323438
(8) eap:   Reply-Message = "WIFI IT"
(8) eap:   Service-Type = Framed-User
(8) eap:   Tunnel-Medium-Type:0 = IEEE-802
(8) eap:   Tunnel-Private-Group-Id:0 = "9"
(8) eap:   Tunnel-Type:0 = VLAN
(8) eap:   EAP-Message = 0x03030004
(8) eap:   Class = 0x86e307e400000137000102000a00001a0000000021a5ecb23c41586d01d557ce9e5f3e7f0000000000000029
(8) eap:   MS-Link-Utilization-Threshold = 50
(8) eap:   MS-Link-Drop-Time-Limit = 120
(8) eap:   MS-CHAP-Domain = "\001ADMIN"
(8) eap:   MS-MPPE-Send-Key = 0xb9eb50697bf3ff8ce7fd97e1a5637971
(8) eap:   MS-MPPE-Recv-Key = 0xa9dd78d6ecaae8fe912cf55626438624
(8) eap:   MS-CHAP2-Success = 0x01533d45414331314232423242323631453543414638384232453432424536313841444533323231314531
(8) eap:   Message-Authenticator = 0xb9459c3e76127a5f0ae2d72b3d56c528
(8) eap: Got reply 2
(8) eap: Got tunneled Access-Accept
(8) eap: Got MS-CHAP2-Success, tunneling it to the client in a challenge
(8) eap: Sending tunneled reply attributes
(8) eap:   MS-CHAP2-Success = 0x01533d45414331314232423242323631453543414638384232453432424536313841444533323231314531
(8) eap: Reply was handled
(8) eap: Sending EAP Request (code 1) ID 12 length 95
(8) eap: EAP session adding &reply:State = 0xf2877964fa8b6c74
(8)     [eap] = ok
(8)   } # post-proxy = ok
(8) session-state: Saving cached attributes
(8)   Reply-Message += "WIFI IT"
(8)   Service-Type += Framed-User
(8)   Tunnel-Medium-Type:0 += IEEE-802
(8)   Tunnel-Private-Group-Id:0 += "9"
(8)   Tunnel-Type:0 += VLAN
(8)   Class += 0x86e307e400000137000102000a00001a0000000021a5ecb23c41586d01d557ce9e5f3e7f0000000000000029
(8)   MS-Link-Utilization-Threshold += 50
(8)   MS-Link-Drop-Time-Limit += 120
(8)   MS-CHAP-Domain += "\001ADMIN"
(8)   MS-CHAP2-Success += 0x01533d45414331314232423242323631453543414638384232453432424536313841444533323231314531
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found.  Ignoring.
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8) Sent Access-Challenge Id 248 from 10.9.0.204:1812 to 10.250.3.176:40353 length 0
(8)   EAP-Message = 0x010c005f1580000000551703030050b94c579b332b88d667d93a45284c0fcf95aaf2c9c112066a01d1f1aaed130f321ba0078cc8c418bc4b8c1c6f689c11546061b2b415bed683cba30233fb2d67cd914083abd2cd5a394ffd5531cc756f9e
(8)   Message-Authenticator = 0x00000000000000000000000000000000
(8)   State = 0xf2877964fa8b6c743437e83147af1c4b
(8) Finished request
Waking up in 4.8 seconds.
(0) Cleaning up request packet ID 240 with timestamp +68
(1) Cleaning up request packet ID 241 with timestamp +68
(2) Cleaning up request packet ID 242 with timestamp +68
(3) Cleaning up request packet ID 243 with timestamp +68
(4) Cleaning up request packet ID 244 with timestamp +68
(5) Cleaning up request packet ID 245 with timestamp +68
(6) Cleaning up request packet ID 246 with timestamp +68
(7) Cleaning up request packet ID 247 with timestamp +68
(8) Cleaning up request packet ID 248 with timestamp +68


: Trusted Network GmbH
: Max-Planck-Str. 1
: D-85716 Unterschleissheim
: Telefon: 089 / 54 80 163 - 0
: Telefax: 089 / 54 80 163 - 222
: Web: http://www.tnib.de<http://www.tnib.de/>
: Geschaeftsfuehrer: Joerg Staedele, Stefan Kinner
: Sitz der Gesellschaft: Unterschleissheim
: Registergericht: AG Muenchen HRB 108 388

Die Informationspflichten zum Datenschutz, insbesondere zur Rechtsgrundlage zur Mandantenkommunikation,
finden Sie unter https://www.trusted-network.de/datenschutz




More information about the Freeradius-Users mailing list