Mac client fails to authenticate after upgrade from 3.0.16 to 3.0.26

Matthew Newton mcn at freeradius.org
Wed Feb 7 16:27:37 UTC 2024



On 07/02/2024 14:06, Cezary via Freeradius-Users wrote:
> (6) eap: Peer sent packet with method EAP TTLS (21)
> (6) eap: Calling submodule eap_ttls to process data
> (6) eap_ttls: Authenticate
> (6) eap_ttls: Continuing EAP-TLS
> (6) eap_ttls: Peer indicated complete TLS record size will be 85 bytes
> (6) eap_ttls: Got complete TLS record (85 bytes)
> (6) eap_ttls: [eaptls verify] = length included
> (6) eap_ttls: [eaptls process] = ok
> (6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
> (6) eap_ttls: Got tunneled request
> (6) eap_ttls:   User-Name = "cza"
> (6) eap_ttls:   User-Password = "Password123$"
> (6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_ttls: Sending tunneled request
> (6) Virtual server inner-tunnel received request
> (6)   User-Name = "cza"
> (6)   User-Password = "Password123$"
> (6)   FreeRADIUS-Proxied-To = 127.0.0.1

Client is sending EAP-TTLS/PAP


> (6) eap: Peer sent packet with method EAP TTLS (21)
> (6) eap: Calling submodule eap_ttls to process data
> (6) eap_ttls: Authenticate
> (6) eap_ttls: (TLS) EAP Peer says that the final record size will be 45 bytes
> (6) eap_ttls: (TLS) EAP Got all data (45 bytes)
> (6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
> (6) eap_ttls: Got tunneled request
> (6) eap_ttls:   EAP-Message = 0x0200000801637a61
> (6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
> (6) eap_ttls: Got tunneled identity of cza
> (6) eap_ttls: Setting default EAP type for tunneled EAP session

Client is sending EAP-TTLS and trying to negotiate EAP inside the tunnel.

> (6) eap: Peer sent packet with method EAP Identity (1)
> (6) eap: Calling submodule eap_md5 to process data
> (6) eap_md5: Issuing MD5 Challenge

Falls to default, MD5

> (7) eap: Peer sent packet with method EAP TTLS (21)
> (7) eap: Calling submodule eap_ttls to process data
> (7) eap_ttls: Authenticate
> (7) eap_ttls: (TLS) EAP Peer says that the final record size will be 65 bytes
> (7) eap_ttls: (TLS) EAP Got all data (65 bytes)
> (7) eap_ttls: Session established.  Proceeding to decode tunneled attributes
> (7) eap_ttls: Got tunneled request
> (7) eap_ttls:   EAP-Message = 0x020100190410c5b623d691d9aa887263aa412269fbb3637a61
> (7) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
> (7) eap_ttls: Sending tunneled request
> (7) Virtual server inner-tunnel received request
> (7)   EAP-Message = 0x02010019 04 ....

Client sends EAP-TTLS/MD5 (ugh, what?)


> (7) pap: Converted: &control:Password-With-Header -> &control:SSHA1-Password
> (7) pap: Removing &control:Password-With-Header
> (7) pap: Normalizing SSHA1-Password from base64 encoding, 44 bytes -> 32 bytes

Gets SSHA1-Password from LDAP...

> (7) eap: Peer sent packet with method EAP MD5 (4)
> (7) eap: Calling submodule eap_md5 to process data
> (7) eap_md5: ERROR: Cleartext-Password is required for EAP-MD5 authentication

...which isn't compatible with MD5


Fix the config on the client so it sends EAP-TTLS/PAP again.

This is not a FreeRADIUS issue.


-- 
Matthew
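
Added example, not part of the original post: a small Python decoder for the two complete tunneled EAP-Message values in the quoted debug output, showing the inner exchange move from an Identity response to an MD5-Challenge response for "cza". The helper name `inner_method_problem` is hypothetical; the packet layout follows RFC 3748.

```python
import struct

# EAP codes and a few method types from RFC 3748 / the IANA registry.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

def parse_eap(hex_value):
    """Decode one EAP-Message attribute value as printed in debug output."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError(f"length field {length} does not fit {len(raw)} bytes")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    body = raw[4:length]
    if code in (1, 2) and body:  # only Request/Response carry a type byte
        etype, data = body[0], body[1:]
        pkt["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        if etype == 1:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 4:  # MD5-Challenge: value-size, value, optional name
            if not data or 1 + data[0] > len(data):
                raise ValueError("truncated MD5-Challenge value")
            size = data[0]
            pkt["value"] = data[1:1 + size].hex()
            pkt["name"] = data[1 + size:].decode("utf-8", "replace")
    return pkt

def inner_method_problem(pkt, stored_password_attr):
    """Hypothetical helper: flag the mismatch reported in the thread."""
    if pkt.get("type") == "MD5-Challenge" and stored_password_attr != "Cleartext-Password":
        return f"EAP-MD5 needs Cleartext-Password, directory supplies {stored_password_attr}"
    return None

# The two complete EAP-Message values quoted in the post above.
SAMPLES = ["0x0200000801637a61",
           "0x020100190410c5b623d691d9aa887263aa412269fbb3637a61"]

if __name__ == "__main__":
    for s in SAMPLES:
        pkt = parse_eap(s)
        print(pkt, inner_method_problem(pkt, "SSHA1-Password"))
```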

