password not present in ttls inner-tunnel

Alan DeKok aland at deployingradius.com
Wed May 7 21:16:33 UTC 2025


On May 7, 2025, at 2:16 PM, Evan Sharp <evan.sharp at coastmountainacademy.ca> wrote:
> Thanks for the direction Alan. Full debug:

  So reading it is instructive.

> FreeRADIUS Version 3.2.7
> Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE

  The server starts, and there's a ton of debug messages about doing TLS things.  Then it starts running the google-ldap virtual server.

  I.e., if you're trying to debug what's going on with that virtual server, save the debug log to a file, then open it in a text editor, and look for "google-ldap".  After a bit of searching, you will get this:

> ///
> (5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
> (5) eap_ttls: Got tunneled request
> (5) eap_ttls:   EAP-Message = 0x020000120174726163792e6b65656c696e67
> (5) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
> (5) eap_ttls: Got tunneled identity of tracy.keeling
> (5) eap_ttls: Setting default EAP type for tunneled EAP session
> (5) eap_ttls: Sending tunneled request
> (5) Virtual server google-ldap received request

  So there's the issue.

  The supplicant (end user device) is configured to send EAP inside of the inner tunnel, and not PAP.

  Why isn't there a User-Password?  Because the supplicant isn't sending it.

  How can you make FreeRADIUS get the User-Password?  You can't.  The supplicant is choosing to send EAP, instead of User-Password.  No amount of poking FreeRADIUS will change the configuration on the supplicant.

  Update the supplicant so that it's configured to do PAP authentication inside of TTLS.  Nothing else will fix the problem.

  Alan DeKok.
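The diagnosis above can be checked mechanically. The following Python is an added example, not part of the thread and not FreeRADIUS code: it reads the "eap_ttls:" attribute lines that follow "Got tunneled request" in a debug log, decodes the EAP-Message hex (header layout and type numbers per RFC 3748), and reports whether the inner tunnel carries EAP or PAP. The log snippets embedded below are constructed to match the shape of the quoted output; the PAP sample and its password value are placeholders, not captured data.

```python
import re

# Constructed sample modelled on the debug lines quoted in the thread:
# the inner tunnel carries EAP (an EAP-Message), not PAP (no User-Password).
SAMPLE_LOG_EAP = """\
(5) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(5) eap_ttls: Got tunneled request
(5) eap_ttls:   EAP-Message = 0x020000120174726163792e6b65656c696e67
(5) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(5) eap_ttls: Got tunneled identity of tracy.keeling
(5) Virtual server google-ldap received request
"""

# Constructed placeholder for what a PAP inner tunnel looks like instead:
# User-Name plus User-Password, no EAP-Message.  Password value is fake.
SAMPLE_LOG_PAP = """\
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "tracy.keeling"
(6) eap_ttls:   User-Password = "<<< constructed placeholder >>>"
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) Virtual server google-ldap received request
"""

# EAP code and type numbers from RFC 3748 (and the usual IANA assignments).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}

# Matches "(N) eap_ttls:   Attribute-Name = value" and nothing else.
ATTR_RE = re.compile(r"^\(\d+\)\s+eap_ttls:\s+([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$")


def decode_eap_message(hex_value):
    """Decode one EAP packet: code, id, length, type, and identity if type 1."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.lower().startswith("0x") else hex_value)
    if len(raw) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    result = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    # Only Request/Response packets carry a Type byte and type-specific data.
    if code in (1, 2) and length >= 5:
        eap_type = raw[4]
        result["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        result["data"] = raw[5:]
        if eap_type == 1:  # Identity: the data is the bare identity string
            result["identity"] = raw[5:].decode("utf-8", "replace")
    return result


def tunneled_attributes(log_text):
    """Collect the attribute = value pairs the TTLS module logged for the inner request."""
    attrs = {}
    for line in log_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def classify_inner_tunnel(log_text):
    """Say which inner method the supplicant used and whether a User-Password arrived."""
    attrs = tunneled_attributes(log_text)
    has_pw = "User-Password" in attrs
    if "EAP-Message" in attrs:
        return {"inner_method": "EAP", "has_user_password": has_pw,
                "eap": decode_eap_message(attrs["EAP-Message"])}
    if has_pw:
        return {"inner_method": "PAP", "has_user_password": True}
    return {"inner_method": "unknown", "has_user_password": False}


def diagnose(log_text):
    """One-line verdict in the spirit of the reply above: the fix lives on the supplicant."""
    r = classify_inner_tunnel(log_text)
    if r["inner_method"] == "EAP" and not r["has_user_password"]:
        who = r["eap"].get("identity", "?")
        return (f"inner tunnel carries EAP {r['eap']['code']}/{r['eap'].get('type')} for "
                f"{who}; no User-Password, so reconfigure the supplicant for PAP inside TTLS")
    if r["inner_method"] == "PAP":
        return "inner tunnel carries PAP; User-Password is present"
    return "no recognisable inner-tunnel request found"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_EAP))
    print(diagnose(SAMPLE_LOG_PAP))
```

Decoding the quoted hex by hand gives the same answer the script prints: 0x02 is an EAP Response, 0x0012 is 18 bytes, type 0x01 is Identity, and the remaining 13 bytes spell the user name. The server only ever sees an EAP Identity response inside the tunnel, which is why no User-Password exists for the google-ldap virtual server to check.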


