EAP-TLS doesn't work - EAP Failure
Alan DeKok
aland at deployingradius.com
Wed Feb 28 13:54:14 UTC 2024
On Feb 28, 2024, at 12:10 AM, Lucas Guimaraes via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> For a few days, I've been trying to test the FreeRADIUS server to see how EAP-TLS
> authentication works on Wifi through a POC first.
>
> So far, I think I could advance pretty well since I didn't know very much
> about the EAP-TLS authentication method.
It can be a bit finicky to configure, but that's largely due to the fact that there are a lot of technical details to get right. That's the nature of EAP-TLS.
> The expectation using FreeRADIUS is to see this POC working properly using
> the method EAP-TLS, but I'm at a certain point where I don't understand why
> I'm not getting an Access-Accept, which should contain the MS-MPPE-Recv-Key
> and MS-MPPE-Send-Key attributes too.
The server only sends those attributes if the EAP authentication works.
> Instead, what I'm understanding is, the server output is kind of saying
> "...Auth-Type sub-section not found. Ignoring...."
The supplicant is going EAP, but somehow the EAP configuration has been removed from the "default" virtual server.
I'd suggest also reading http://wiki.freeradius.org/radiusd-X
That page describes how to read the debug output, and what to look for.
> ...
> server default { # from file /etc/freeradius/3.0/sites-enabled/default
> # Loading authenticate {...}
> Compiling Auth-Type PAP for attr Auth-Type
> Compiling Auth-Type CHAP for attr Auth-Type
> Compiling Auth-Type MS-CHAP for attr Auth-Type
Note that there's no reference to "eap".
> /etc/freeradius/3.0/sites-enabled/inner-tunnel
> # Loading authenticate {...}
> Compiling Auth-Type PAP for attr Auth-Type
> Compiling Auth-Type CHAP for attr Auth-Type
> Compiling Auth-Type MS-CHAP for attr Auth-Type
And there's no reference to "eap" here, either.
>
> (0) Received Access-Request Id 0 from 127.0.0.1:47287 to 127.0.0.1:1812
> length 146
> (0) User-Name = "user at example.org"
> (0) NAS-IP-Address = 127.0.0.1
> (0) Calling-Station-Id = "02-00-00-00-00-01"
> (0) Framed-MTU = 1400
> (0) NAS-Port-Type = Wireless-802.11
> (0) Service-Type = Framed-User
> (0) Connect-Info = "CONNECT 11Mbps 802.11b"
> (0) EAP-Message = 0x02e400150175736572406578616d706c652e6f7267
A packet with EAP, good.
> (0) eap: Peer sent EAP Response (code 2) ID 228 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
The EAP module is being run in the "authorize" section.
> (0) Found Auth-Type = eap
> (0) Auth-Type sub-section not found. Ignoring.
And there's no "Auth-Type EAP" section.
Why? Someone deleted it from the default configuration.
> About the certs, all the certs were generated by the ./bootstrap script and
> nothing was changed from the original files.
The debug output shows this isn't true.
Someone edited the configuration files to remove "eap" from the "authenticate" section. And that change broke the server.
So... don't do that.
> Please, I kindly ask for this help to manage to authenticate with EAP-TLS.
Go back to the default configuration files. They work.
At the minimum, compare the default configuration files with the local versions. You'll note that the "authenticate" section in the default files has "eap", and your local copy doesn't have that.
Alan DeKok.
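The mismatch Alan points at (an Auth-Type "found" for a packet that no virtual server compiled at startup) can be checked mechanically from the radiusd -X output. This is an added example, not code from the thread or from the FreeRADIUS project; the sample debug lines are constructed to match the shape of the output quoted above, and it assumes requests are handled by the "default" virtual server.

```python
import re

# Constructed sample, shaped like the radiusd -X output quoted in the thread:
# the "default" server compiles PAP/CHAP/MS-CHAP only, then packet (0) wants eap.
SAMPLE_DEBUG = """\
server default { # from file /etc/freeradius/3.0/sites-enabled/default
 # Loading authenticate {...}
 Compiling Auth-Type PAP for attr Auth-Type
 Compiling Auth-Type CHAP for attr Auth-Type
 Compiling Auth-Type MS-CHAP for attr Auth-Type
server inner-tunnel { # from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 Compiling Auth-Type PAP for attr Auth-Type
(0) Received Access-Request Id 0 from 127.0.0.1:47287 to 127.0.0.1:1812 length 146
(0) Found Auth-Type = eap
(0) Auth-Type sub-section not found. Ignoring.
"""

SERVER_RE = re.compile(r"^\s*server (\S+) \{")
COMPILE_RE = re.compile(r"^\s*Compiling Auth-Type (\S+) for attr Auth-Type")
FOUND_RE = re.compile(r"^\((\d+)\) Found Auth-Type = (\S+)")


def compiled_auth_types(debug):
    """Map each virtual server to the Auth-Type sub-sections it compiled at startup.

    Names are lower-cased because the config may write 'eap' while the
    startup output for other types prints 'PAP', 'MS-CHAP', etc."""
    servers = {}
    current = None
    for line in debug.splitlines():
        m = SERVER_RE.match(line)
        if m:
            current = m.group(1)
            servers.setdefault(current, set())
            continue
        m = COMPILE_RE.match(line)
        if m and current is not None:
            servers[current].add(m.group(1).lower())
    return servers


def missing_auth_types(debug, server="default"):
    """Return (request id, Auth-Type) for every packet whose Auth-Type was never
    compiled in `server`; radiusd reports these as 'Auth-Type sub-section not found'."""
    available = compiled_auth_types(debug).get(server, set())
    return [(int(m.group(1)), m.group(2))
            for m in map(FOUND_RE.match, debug.splitlines())
            if m and m.group(2).lower() not in available]
```

Run it over a capture where "eap" is back in the authenticate section and the list comes out empty, which is the state the default files give you.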