eap-ttls with challenge-response

zolty zolty at dzikakuna.net
Wed Aug 10 09:54:26 UTC 2022


Hi,

I've got two-factor (challenge-response) authentication working via the 
rlm_perl module (https://github.com/LinOTP/linotp-auth-freeradius-perl). 
I'm trying to secure this communication within a tunnel (EAP-TTLS), but it 
ends with the message: No tunneled reply was found for request.

If I disable challenge-response while using EAP-TTLS it works like a 
charm: Auth-Type linotp2 ends in the ok state and sends Access-Accept 
through the tunnel.

I've got no idea why it's not working with an Access-Challenge reply, and I 
think I've already tried every possible setup.

This is my ttls config:

    ttls {
         tls = "tls-common"
         default_eap_type = "gtc"
         copy_request_to_tunnel = yes
         use_tunneled_reply = no
         virtual_server = "inner-tunnel"
         include_length = yes
         require_client_cert = no
    }

and debug output:

(5) perl: &request:User-Password = $RAD_REQUEST{'User-Password'} -> 'password'
(5) perl: &request:User-Name = $RAD_REQUEST{'User-Name'} -> 'username'
(5) perl: &request:Framed-MTU = $RAD_REQUEST{'Framed-MTU'} -> '1200'
(5) perl: ERROR: Failed to create pair - failed to parse time string "sie 10 2022 11:23:48 CEST"
(5) perl: ERROR:     &request:Event-Timestamp = $RAD_REQUEST{'Event-Timestamp'} -> 'sie 10 2022 11:23:48 CEST'
(5) perl: &request:Framed-IP-Address = $RAD_REQUEST{'Framed-IP-Address'} -> 'some_IP'
(5) perl: &request:Service-Type = $RAD_REQUEST{'Service-Type'} -> 'Framed-User'
(5) perl: &request:NAS-Identifier = $RAD_REQUEST{'NAS-Identifier'} -> 'linotp'
(5) perl: &request:FreeRADIUS-Proxied-To = $RAD_REQUEST{'FreeRADIUS-Proxied-To'} -> '127.0.0.1'
(5) perl: &request:NAS-IP-Address = $RAD_REQUEST{'NAS-IP-Address'} -> 'some_IP'
(5) perl: &reply:State = $RAD_REPLY{'State'} -> '81561830980360'
(5) perl: &reply:Reply-Message = $RAD_REPLY{'Reply-Message'} -> 'Multiple challenges submitted.'
(5) perl: &control:Response-Packet-Type = $RAD_CHECK{'Response-Packet-Type'} -> 'Access-Challenge'
(5) perl: &control:Auth-Type = $RAD_CHECK{'Auth-Type'} -> 'linotp2'
(5)       [perl] = handled
(5)     } # Auth-Type linotp2 = handled
(5) } # server inner-tunnel
(5) Virtual server sending reply
(5)   State = 0x3831353631383330393830333630
(5)   Reply-Message = "Multiple challenges submitted."
(5) eap_ttls: No tunneled reply was found for request 5 , and the request was not proxied: rejecting the user.
(5) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 5 length 4
(5) eap: Failed in EAP select
(5)     [eap] = invalid
(5)   } # authenticate = invalid
(5) Failed to authenticate the user

Thanks for any advice and tips.
Przemek
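The RADIUS-level exchange that the inner tunnel has to carry for challenge-response (Access-Request, then Access-Challenge carrying State and Reply-Message, then a second Access-Request echoing State, then Access-Accept or Access-Reject), written out as an added example in Python. This is not the poster's code and not FreeRADIUS or LinOTP code: the shared secret, the user `alice` with a static password and an OTP, the in-process `ChallengeServer` and the "Enter OTP:" prompt are all constructed for the demo, and the two legs are exchanged as RFC 2865 packets in memory rather than over UDP.

```python
import hashlib, hmac, os, struct

# RFC 2865 packet codes and attribute types used below
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24
SECRET = b"testing123"  # constructed shared secret, an assumption for the demo

def encode_attrs(attrs):
    """Serialise a list of (type, value-bytes) into RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    """Parse RADIUS TLVs; reject truncated headers and bad lengths instead of looping."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        out.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return out

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, attrs, request_auth):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + SECRET).digest()

def pap_xor(data, request_auth, chain_on_input):
    """User-Password hiding (RFC 2865 5.2): XOR 16-byte blocks with MD5(secret + previous block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(x ^ y for x, y in zip(block, hashlib.md5(SECRET + prev).digest()))
        out += result
        prev = block if chain_on_input else result  # decrypt chains on ciphertext, encrypt on output
    return out

def pap_encrypt(password, request_auth):
    return pap_xor(password + b"\x00" * (-len(password) % 16), request_auth, chain_on_input=False)

def pap_decrypt(ciphertext, request_auth):
    return pap_xor(ciphertext, request_auth, chain_on_input=True).rstrip(b"\x00")

class ChallengeServer:
    """Constructed two-leg server: static password first, then an OTP bound to a single-use State."""
    def __init__(self, users):
        self.users = users    # {username: (password, otp)}
        self.pending = {}     # issued State -> username, removed when consumed

    def handle(self, pkt):
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        if code != ACCESS_REQUEST or length != len(pkt) or length < 20:
            raise ValueError("not a well-formed Access-Request")
        req_auth, attrs = pkt[4:20], dict(decode_attrs(pkt[20:]))
        user = attrs.get(USER_NAME, b"").decode(errors="replace")
        if USER_PASSWORD not in attrs or user not in self.users:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        secret_value = pap_decrypt(attrs[USER_PASSWORD], req_auth)
        password, otp = self.users[user]
        state = attrs.get(STATE)
        if state is None:
            # first leg: check the static password, then hand out a fresh State with the prompt
            if not hmac.compare_digest(secret_value, password):
                return self._reply(ACCESS_REJECT, ident, req_auth, [])
            state = os.urandom(16)
            self.pending[state] = user
            return self._reply(ACCESS_CHALLENGE, ident, req_auth,
                               [(STATE, state), (REPLY_MESSAGE, b"Enter OTP:")])
        # second leg: the echoed State must be one we issued for this user, and is consumed here
        if self.pending.pop(state, None) != user:
            return self._reply(ACCESS_REJECT, ident, req_auth, [])
        ok = hmac.compare_digest(secret_value, otp)
        return self._reply(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth, [])

    def _reply(self, code, ident, req_auth, attrs):
        return build_packet(code, ident, response_authenticator(code, ident, attrs, req_auth), attrs)

def client_round(server, ident, user, secret_value, state=None):
    """Send one Access-Request; verify the reply's ID and Response Authenticator before trusting it."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_encrypt(secret_value, req_auth))]
    if state is not None:
        attrs.append((STATE, state))  # State is opaque: echo it back byte for byte
    reply = server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
    code, reply_id, _ = struct.unpack("!BBH", reply[:4])
    reply_attrs = decode_attrs(reply[20:])
    expected = response_authenticator(code, reply_id, reply_attrs, req_auth)
    if reply_id != ident or not hmac.compare_digest(reply[4:20], expected):
        raise ValueError("reply failed Response Authenticator check")
    return code, dict(reply_attrs)

def run_exchange(server, user, password, otp):
    """Drive both legs; returns the list of reply codes seen, e.g. [11, 2] for challenge then accept."""
    codes = []
    code, attrs = client_round(server, 1, user, password)
    codes.append(code)
    if code == ACCESS_CHALLENGE:
        code, _ = client_round(server, 2, user, otp, state=attrs[STATE])
        codes.append(code)
    return codes

if __name__ == "__main__":
    srv = ChallengeServer({"alice": (b"password", b"123456")})  # constructed test user
    print(run_exchange(srv, "alice", b"password", b"123456"))
```

The second leg only succeeds if the exact State from the Access-Challenge comes back in the next Access-Request; the server binds it to the user and deletes it on first use, so a replayed State is rejected. Whatever sits between client and server has to deliver the Access-Challenge to the client and carry the State back, and the debug output above shows the inner-tunnel reply (State plus Reply-Message) being produced and then dropped at the eap_ttls module rather than forwarded.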


