Proxy to realm after EAP-TTLS authentication

Mesut Ozturk mesut at nevotek.com
Tue Nov 24 14:32:26 CET 2020


Hi Alan,

Thanks for your comments.


> Define "downloaded".
> Did you add that CA to the WiFi profile for the SSID?



I am creating a passpoint.config file for Android devices and adding the trusted root CA certificate to the profile. So yes, the WiFi profile has the CA.

I am using the GlobalSign Trusted Root certificate both on the Android clients and on FreeRADIUS. On FreeRADIUS, what I did in the TLS config:



tls-config tls-common {
        ca_file = /etc/freeradius/3.0/certs/trustrootg2.pem
}


"trustrootg2.pem" is the certificate I mentioned, the GlobalSign Trusted Root certificate.

Also, when I try with an iOS device, it does not give a CA error, but it still does not proxy to my home RADIUS.

Here is the iOS log:

Received Access-Request Id 228 from 213.74.143.148:49579 to 10.0.0.4:1812 length 311
(2)   User-Name = "iosuser2@nevotek.com"
(2)   Chargeable-User-Identity = 0x00
(2)   Operator-Name = "1nevotek.com"
(2)   Location-Capable = Civic-Location
(2)   Calling-Station-Id = "74-8d-08-b1-f2-17"
(2)   Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2)   NAS-Port = 4
(2)   Cisco-AVPair = "audit-session-id=0a0102e1000001495fbd0ab0"
(2)   Acct-Session-Id = "5fbd0ab0/74:8d:08:b1:f2:17/395"
(2)   NAS-IP-Address = 10.1.2.225
(2)   NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2)   Airespace-Wlan-Id = 7
(2)   Service-Type = Framed-User
(2)   Framed-MTU = 1300
(2)   NAS-Port-Type = Wireless-802.11
(2)   EAP-Message = 0x020300061500
(2)   State = 0xc1d738d9c0d42d379f86d1a140b85bf5
(2)   Message-Authenticator = 0xb6eaf292518a6a1b0412bcf447a369fa
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> TRUE
(2)       if (&User-Name)  {
(2)         if (&User-Name =~ / /) {
(2)         if (&User-Name =~ / /)  -> FALSE
(2)         if (&User-Name =~ /@[^@]*@/ ) {
(2)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(2)         if (&User-Name =~ /\.\./ ) {
(2)         if (&User-Name =~ /\.\./ )  -> FALSE
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(2)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(2)         if (&User-Name =~ /\.$/)  {
(2)         if (&User-Name =~ /\.$/)   -> FALSE
(2)         if (&User-Name =~ /@\./)  {
(2)         if (&User-Name =~ /@\./)   -> FALSE
(2)       } # if (&User-Name)  = notfound
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xc1d738d9c0d42d37
(2) eap: Finished EAP session with state 0xc1d738d9c0d42d37
(2) eap: Previous EAP request found for state 0xc1d738d9c0d42d37, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xc1d738d9c3d32d37
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 228 from 10.0.0.4:1812 to 213.74.143.148:49579 length 0
(2)   EAP-Message = 0x01040150158000000528dea40bf695dd65cb94e7c64b46f8258e37d115bb5f05ad0b211b1baa131094fc84322e71cb87edc23a19c828d577c87f25ecca323b3e2dcc510401010075eb53b211d878436e2ddb265dee9684eb997a14467b69e48677af7b3f42eae785a2d3a56a072120c33db568484a78c4
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xc1d738d9c3d32d379f86d1a140b85bf5
(2) Finished request

Thank you so much.
Mesut Ozturk
R&D Senior Developer
P: +902122867576        E: mesut at nevotek.com
F: +902122867476        W: www.nevotek.com
Santa Clara-CA, USA | Istanbul, TURKEY | Dubai, UAE
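The two EAP-Message values in the debug log above are easier to reason about once their headers are decoded. The following is an added example, not code from the original post or from FreeRADIUS: a small decoder for the EAP header (RFC 3748) and the EAP-TTLS type/flags octets (RFC 5281), run over the two hex values copied from the log. The L flag means a 4-octet total TLS message length follows the flags, M means more fragments of that TLS message follow, S marks the start of the exchange; a Request or Response with no flags and no data is an acknowledgement of a fragment, which is what the peer's `0x020300061500` is (and what the `Peer ACKed our handshake fragment` line reports). The server's reply declares an EAP length of 336 octets and a TLS message of 1320 octets, so the handshake is being carried in fragments; since a RADIUS EAP-Message attribute holds at most 253 octets (RFC 3579), a 336-octet EAP packet spans two such attributes on the wire. The hex printed in the log is shorter than the declared 336 octets, so the decoder reports the truncation instead of failing. Separately, note that the authorize section in the log runs filter_username, preprocess, chap, mschap, digest and eap, with no call to the suffix module in between, so no realm is being split off the outer User-Name at that point.

```python
"""Decode the EAP / EAP-TTLS headers of the EAP-Message values that a FreeRADIUS
debug log prints, e.g. 'EAP-Message = 0x020300061500'.

Added example, not code from the original post or from FreeRADIUS. Header layout
follows RFC 3748 (EAP) and RFC 5281 (EAP-TTLS). The two sample values below are
copied from the log in the post; the request value is as short as the log shows it.
"""
import struct
from dataclasses import dataclass
from typing import Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TTLS = 21

# EAP-TTLS Flags octet (RFC 5281 section 9.1): L M S R R V V V
FLAG_LENGTH_INCLUDED = 0x80  # L: a 4-octet TLS message length follows
FLAG_MORE_FRAGMENTS = 0x40   # M: further fragments of this TLS message follow
FLAG_START = 0x20            # S: first packet of the EAP-TTLS exchange
VERSION_MASK = 0x07


@dataclass
class TtlsPacket:
    code: str
    identifier: int
    length: int                        # EAP length declared in the header
    version: int
    length_included: bool
    more_fragments: bool
    start: bool
    tls_message_length: Optional[int]  # total TLS message size, only when L is set
    tls_data_in_packet: int            # TLS octets this packet should carry
    bytes_available: int               # octets actually present in the input
    truncated: bool                    # input shorter than the declared length

    @property
    def is_ack(self) -> bool:
        """An EAP-TTLS packet with no flags and no data acknowledges a fragment."""
        no_flags = not (self.length_included or self.more_fragments or self.start)
        return no_flags and self.tls_data_in_packet == 0


def parse_eap_ttls(hex_value: str) -> TtlsPacket:
    """Parse one EAP-TTLS packet from the hex string FreeRADIUS prints.

    Only the headers are interpreted; the TLS record bytes are left opaque.
    """
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 6:
        raise ValueError("need at least code, id, length, type and flags")
    code, identifier, length, eap_type, flags = struct.unpack("!BBHBB", raw[:6])
    if code not in (1, 2):
        raise ValueError(f"EAP code {code} carries no method data")
    if eap_type != EAP_TYPE_TTLS:
        raise ValueError(f"EAP type {eap_type} is not EAP-TTLS ({EAP_TYPE_TTLS})")
    header_len = 6
    tls_len = None
    if flags & FLAG_LENGTH_INCLUDED:
        if len(raw) < 10:
            raise ValueError("L flag set but the TLS message length field is missing")
        tls_len = struct.unpack("!I", raw[6:10])[0]
        header_len = 10
    if length < header_len:
        raise ValueError("declared EAP length is shorter than its own header")
    return TtlsPacket(
        code=EAP_CODES[code],
        identifier=identifier,
        length=length,
        version=flags & VERSION_MASK,
        length_included=bool(flags & FLAG_LENGTH_INCLUDED),
        more_fragments=bool(flags & FLAG_MORE_FRAGMENTS),
        start=bool(flags & FLAG_START),
        tls_message_length=tls_len,
        tls_data_in_packet=length - header_len,
        bytes_available=len(raw),
        truncated=len(raw) < length,
    )


def describe(pkt: TtlsPacket) -> str:
    """One-line summary in the spirit of FreeRADIUS's own debug lines."""
    bits = (("L", pkt.length_included), ("M", pkt.more_fragments), ("S", pkt.start))
    flags = "".join(name for name, on in bits if on) or "-"
    extra = " (ACK)" if pkt.is_ack else ""
    if pkt.tls_message_length is not None:
        extra += (f", TLS message {pkt.tls_message_length} octets, "
                  f"{pkt.tls_data_in_packet} in this packet")
    if pkt.truncated:
        extra += f", only {pkt.bytes_available} of {pkt.length} octets shown"
    return f"EAP {pkt.code} id {pkt.identifier} len {pkt.length} TTLS flags {flags}{extra}"


# Values copied from the log in the post (the request value as shown there, cut short).
PEER_RESPONSE = "0x020300061500"
SERVER_REQUEST = (
    "0x01040150158000000528dea40bf695dd65cb94e7c64b46f8258e37d115bb5f05ad0b211b1baa1310"
    "94fc84322e71cb87edc23a19c828d577c87f25ecca323b3e2dcc510401010075eb53b211d878436e2ddb"
    "265dee9684eb997a14467b69e48677af7b3f42eae785a2d3a56a072120c33db568484a78c4"
)

if __name__ == "__main__":
    for value in (PEER_RESPONSE, SERVER_REQUEST):
        print(describe(parse_eap_ttls(value)))
```

Running it prints one line per value: the peer's packet as a Response with id 3 and no flags (an ACK), and the server's as a Request with id 4, L set, M clear, a 1320-octet TLS message of which this packet carries 326 octets, with the printed value shorter than the declared 336 octets.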


More information about the Freeradius-Users mailing list