eap-ttls with challenge-response

Alan DeKok aland at deployingradius.com
Wed Aug 10 12:13:57 UTC 2022


On Aug 10, 2022, at 5:54 AM, zolty <zolty at dzikakuna.net> wrote:
> 
> I've got 2-factor (challenge-response) authentication working via the rlm_perl module (https://github.com/LinOTP/linotp-auth-freeradius-perl). I'm trying to secure this communication within a tunnel (EAP-TTLS), but it ends with the message: No tunneled reply was found for request.

  I don't think any EAP-TTLS supplicant supports interactive challenge-response.  Which means this will never work.

  Which supplicants do you expect to use?  What goal are you trying to achieve?

  The "No tunneled reply" message is because the code expects to see certain internal structures set correctly.  Just setting the reply Packet-Type doesn't work here.  The "outer" challenge/response functionality does look for the reply Packet-Type, so that's why it works.

  So "fixing" this requires code changes.  And even if you do the code changes, the supplicants are unlikely to support it.  And even if the supplicants do support it, they are very likely to *not* prompt the user for challenge-response.

  And even if the supplicants did prompt the user, it is a HORRIBLE experience to get prompted for a challenge every time you connect to a hotspot.  Which might be many times a day, if not many times an hour.

  I really don't see any way where this would work, and be useful to anyone.  Perhaps your use-case is different, but you'd have to explain why.

  Alan DeKok.
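The "outer" challenge/response mechanism Alan refers to, as an added worked example that is not part of this thread and not FreeRADIUS or rlm_perl code: a minimal RADIUS server and NAS client simulated in one process, following RFC 2865 framing. Round one answers a valid first factor with an Access-Challenge carrying a single-use State cookie; the NAS recognises the Packet-Type, prompts, and resends with the State and the OTP in User-Password. The user database, shared secret and OTP values are constructed for the example, and the State table is an assumption about how a server would track pending challenges. The tunneled EAP-TTLS case is deliberately not modelled, since the point of the reply is that supplicants do not carry this exchange through the tunnel.

```python
import hashlib
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE = 1, 2, 18, 24


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; length covers type+len+value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    """Parse RADIUS TLVs into a dict, rejecting truncated or short attributes."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def pap_crypt(data, secret, req_auth, encrypt):
    """RFC 2865 section 5.2 User-Password hiding: MD5 XOR chain over 16-byte blocks."""
    if encrypt:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        xored = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += xored
        prev = xored if encrypt else block  # the chain always runs on ciphertext
    return out if encrypt else out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, req_auth, attrs, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()


class ChallengeResponseServer:
    """Two-round outer RADIUS challenge-response keyed by the State attribute."""

    def __init__(self, secret, users):
        self.secret, self.users = secret, users  # users: constructed {name: (password, otp)}
        self.pending = {}  # State cookie -> user name awaiting the second factor

    def handle(self, packet):
        code, ident, length = struct.unpack("!BBH", packet[:4])
        req_auth, attrs = packet[4:20], decode_attrs(packet[20:length])
        user = attrs.get(USER_NAME, b"").decode()
        password, otp = self.users.get(user, (b"\x00", b"\x00"))
        supplied = pap_crypt(attrs.get(USER_PASSWORD, b""), self.secret, req_auth, encrypt=False)
        state, reply_attrs = attrs.get(STATE), []
        if state is None:
            # Round 1: first factor checked here; a pass yields Access-Challenge with a
            # fresh single-use cookie, which the NAS sees via the Packet-Type and prompts.
            if secrets.compare_digest(supplied, password):
                state = secrets.token_bytes(16)
                self.pending[state] = user
                reply_code, reply_attrs = ACCESS_CHALLENGE, [(REPLY_MESSAGE, b"Enter OTP"), (STATE, state)]
            else:
                reply_code = ACCESS_REJECT
        else:
            # Round 2: State must match a pending challenge for the same user; the
            # User-Password field now carries the OTP.  pop() makes the cookie single-use.
            ok = self.pending.pop(state, None) == user and secrets.compare_digest(supplied, otp)
            reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
        auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, self.secret)
        return build_packet(reply_code, ident, auth, reply_attrs)


def run_exchange(server, user, password, otp, secret):
    """NAS side: send PAP request, on Access-Challenge resend with State plus the OTP."""
    ident, state, cred = 0, None, password
    while True:
        req_auth = secrets.token_bytes(16)
        attrs = [(USER_NAME, user.encode()), (USER_PASSWORD, pap_crypt(cred, secret, req_auth, encrypt=True))]
        if state is not None:
            attrs.append((STATE, state))
        reply = server.handle(build_packet(ACCESS_REQUEST, ident, req_auth, attrs))
        code, rid, rlen = struct.unpack("!BBH", reply[:4])
        reply_attrs = decode_attrs(reply[20:rlen])
        # Verify the Response Authenticator before acting on the reply
        expected = response_authenticator(code, rid, req_auth, list(reply_attrs.items()), secret)
        if not secrets.compare_digest(reply[4:20], expected):
            raise ValueError("bad Response Authenticator")
        if code != ACCESS_CHALLENGE:
            return code
        state, cred, ident = reply_attrs[STATE], otp, ident + 1  # user is "prompted" for the OTP


if __name__ == "__main__":
    srv = ChallengeResponseServer(b"testing123", {"bob": (b"hunter2", b"482913")})
    print(run_exchange(srv, "bob", b"hunter2", b"482913", b"testing123"))  # 2 = Access-Accept
```

The NAS loop is where the behaviour described in the thread lives: it branches purely on the reply Packet-Type, so Access-Challenge is enough to trigger a prompt without any extra internal state. Inside an EAP-TTLS tunnel no such loop exists on the supplicant side, which is why setting the Packet-Type alone does nothing there.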
