Howdy, 

I'm trying to get TTLS working. I'm using a TTLS client from
"Alfa & Ariss". It's a free win client which is sort of an add-on
to the native 802.1x client that comes with some SP for win2k.


Anyway, is anybody else using this client? Does it work? Any client-side
tricks that need to be performed?
I'm not sure whether it's the client, my config or the server that is broken.

I shouldn't have to change basically anything from the default config,
right?

I use the default users + radiusd.conf + enabled tls and ttls, installed 
certs and uncommented and set:

eap {
     default_eap_type = ttls

     ...
     tls {
          private_key_password = 1234
          private_key_file = /tmp/cert/key
          ...
     }
     ttls {
          default_eap_type = md5
          ....
     }
}

Apart from that I shouldn't need to tweak anything, right?
The users entry that will be hit is the 

DEFAULT         Auth-Type = System

Client fails and writes an incomprehensible error in the
win32 system log. 

I attach the full radiusd -X output:


Cheers

/klacke




-- 
Claes Wikstrom                        -- Caps lock is nowhere and
Alteon WebSystems                     -- everything is under control          
http://www.bluetail.com/~klacke      
cellphone: +46 70 2097763

rad_recv: Access-Request packet from host 192.168.128.91:2975, id=22, length=125
        NAS-IP-Address = 192.168.128.91
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "anonymous"
        Calling-Station-Id = "00095b4c3a7f"
        Called-Station-Id = "0020d803836a"
        NAS-Identifier = "foobar"
        EAP-Message = 0x0201000e01616e6f6e796d6f7573
        Message-Authenticator = 0x9ce0c44e62147e16a933083e1ad807cb
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  rlm_eap: EAP packet type response id 1 length 14
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 1
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns updated for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 1
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
  modcall[authenticate]: module "eap" returns handled for request 1
modcall: group authenticate returns handled for request 1
Sending Access-Challenge of id 22 to 192.168.128.91:2975
        EAP-Message = 0x010200061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x43b5ad965593c5983bc88022210d9ad1
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.128.91:2976, id=23, length=189
        NAS-IP-Address = 192.168.128.91
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "anonymous"
        Calling-Station-Id = "00095b4c3a7f"
        Called-Station-Id = "0020d803836a"
        NAS-Identifier = "foobar"
        State = 0x43b5ad965593c5983bc88022210d9ad1
        EAP-Message = 
0x0202003c158000000032160301002d0100002903018f003a00fa37142d63c6b110475b83656de0dc3775fe5f22cb65deb560ae1373000002000a0100
        Message-Authenticator = 0x1c1f8ebf963963de2b88395a987319ff
modcall: entering group authorize for request 2
  modcall[authorize]: module "preprocess" returns ok for request 2
  modcall[authorize]: module "chap" returns noop for request 2
  rlm_eap: EAP packet type response id 2 length 60
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 2
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 2
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 2
  modcall[authorize]: module "mschap" returns noop for request 2
modcall: group authorize returns updated for request 2
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 2
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
undefined: before/accept initialization 
TLS_accept: before/accept initialization 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 002d], ClientHello  
TLS_accept: SSLv3 read client hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 004a], ServerHello  
TLS_accept: SSLv3 write server hello A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0400], Certificate  
TLS_accept: SSLv3 write certificate A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0004], ServerHelloDone  
TLS_accept: SSLv3 write server done A 
TLS_accept: SSLv3 flush data 
TLS_accept:error in SSLv3 read client certificate A 
In SSL Handshake Phase 
In SSL Accept mode  
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 23 to 192.168.128.91:2976
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x9a896baeb2a093d489631704fe3e7275
Finished request 2
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.128.91:2977, id=24, length=134
        NAS-IP-Address = 192.168.128.91
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "anonymous"
        Calling-Station-Id = "00095b4c3a7f"
        Called-Station-Id = "0020d803836a"
        NAS-Identifier = "foobar"
        State = 0x9a896baeb2a093d489631704fe3e7275
        EAP-Message = 0x0203000515
        Message-Authenticator = 0x5e201ec22f21bd778f184f00adf7ea04
modcall: entering group authorize for request 3
  modcall[authorize]: module "preprocess" returns ok for request 3
  modcall[authorize]: module "chap" returns noop for request 3
  rlm_eap: EAP packet type response id 3 length 5
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 3
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 3
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 3
  modcall[authorize]: module "mschap" returns noop for request 3
modcall: group authorize returns updated for request 3
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 3
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake fragment handler
  eaptls_verify returned 1 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 3
modcall: group authenticate returns handled for request 3
Sending Access-Challenge of id 24 to 192.168.128.91:2977
        EAP-Message = 
0x0104006315000b69bd6b113da054e04f2aa0c2cd35c0bb2f81df494e178a75210c778d6098439af30e7f24a0b13da9fbacaeb795282818966bfc2c9c1b43e42fe2a837d7e1e8d747559ecc23ea820f31f4336ca7d3395b9f5f6016030100040e000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x1ec260e91a4a660b870d55ad47cd4615
Finished request 3
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.128.91:2978, id=25, length=329
        NAS-IP-Address = 192.168.128.91
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 1
        Framed-MTU = 1400
        User-Name = "anonymous"
        Calling-Station-Id = "00095b4c3a7f"
        Called-Station-Id = "0020d803836a"
        NAS-Identifier = "foobar"
        State = 0x1ec260e91a4a660b870d55ad47cd4615
        EAP-Message = 
0x020400c81580000000be16030100861000008200803b2375afa46d85684cf8629d4a677333ad036d0748bb80f7315c3a10f14ff3aa7ac4cdc70702ee352e1b12ad60224932e9c84dce419b1e45fda0cd2c820aaae44eb077b242fe35befe7abd9191c556fed8af41d7f35d45c2d2e42d590b7cc5c9a5760bfd53affcf954df6b3409583ce5b53680d16120d0422632b380619dc36c14030100010116030100281eacef00336ef528d5e1cfba51803c8f722015b9c1c27bd81fbf481dde3f54950a0c45bf8bafbea4
        Message-Authenticator = 0x2ae56997c8003f7698f7d5bf5e10ceba
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  modcall[authorize]: module "chap" returns noop for request 4
  rlm_eap: EAP packet type response id 4 length 200
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 4
    users: Matched DEFAULT at 153
  modcall[authorize]: module "files" returns ok for request 4
  modcall[authorize]: module "mschap" returns noop for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
modcall: entering group authenticate for request 4
  rlm_eap: Request found, released from the list
  rlm_eap: EAP_TYPE - ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
rlm_eap_tls:  Length Included
  eaptls_verify returned 11 
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange  
TLS_accept: SSLv3 read client key exchange A 
  rlm_eap_tls: <<< TLS 1.0 ChangeCipherSpec [length 0001]  
  rlm_eap_tls: <<< TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 read finished A 
  rlm_eap_tls: >>> TLS 1.0 ChangeCipherSpec [length 0001]  
TLS_accept: SSLv3 write change cipher spec A 
  rlm_eap_tls: >>> TLS 1.0 Handshake [length 0010], Finished  
TLS_accept: SSLv3 write finished A 
TLS_accept: SSLv3 flush data 
undefined: SSL negotiation finished successfully 
SSL Connection Established 
  eaptls_process returned 13 
  modcall[authenticate]: module "eap" returns handled for request 4
modcall: group authenticate returns handled for request 4
Sending Access-Challenge of id 25 to 192.168.128.91:2978
        EAP-Message = 
0x010500391500140301000101160301002847b9b6c231fca0109e1d9bc96937f08e9db6fe6d66f789bdf46a0209a1b415cd28e6c6177b2551a3
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x0a17b7f9c8ce10c9ee3d9e76d620e39c
Finished request 4
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 1 ID 22 with timestamp 3f9e818a
Cleaning up request 2 ID 23 with timestamp 3f9e818a
Cleaning up request 3 ID 24 with timestamp 3f9e818a
Cleaning up request 4 ID 25 with timestamp 3f9e818a
Nothing to do.  Sleeping until we see a request.
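
Added example (not part of the original post and not FreeRADIUS code): a small Python decoder for the EAP-Message values in the debug output above. It shows the EAP header, the L/M/S flags octet used by EAP-TLS and EAP-TTLS, and the TLS records a fragment carries. The names decode_eap, tls_records and TRACE are chosen here; the sample values are copied from the trace.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS", 21: "EAP-TTLS"}
TLS_RECORDS = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}

def tls_records(data):
    """Walk TLS record headers; only meaningful if data starts on a record boundary."""
    out, pos = [], 0
    while pos + 5 <= len(data):
        rtype, _version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        if rtype not in TLS_RECORDS:
            break  # continuation fragment: this is record payload, not a header
        out.append((TLS_RECORDS[rtype], rlen))
        pos += 5 + rlen
    return out

def decode_eap(hex_value):
    """Decode one EAP-Message value as printed in the radiusd -X output."""
    text = hex_value.strip()
    raw = bytes.fromhex(text[2:] if text[:2].lower() == "0x" else text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length,
           "truncated": length > len(raw)}
    if code not in (1, 2) or len(raw) < 5:
        return pkt  # Success/Failure carry no type octet
    pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
    body = raw[5:length]
    if raw[4] == 1:
        pkt["identity"] = body.decode("utf-8", "replace")
    elif raw[4] in (13, 21):
        # Flags octet: L = TLS message length included, M = more fragments, S = start
        flags, data = (body[0] if body else 0), body[1:]
        pkt["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80 and len(data) >= 4:
            pkt["tls_length"] = struct.unpack("!I", data[:4])[0]
            data = data[4:]
        pkt["ack"] = not data and not flags & 0x20  # no TLS data, not a Start
        pkt["tls_bytes"] = len(data)
        pkt["records"] = tls_records(data)
    return pkt

# EAP-Message values copied from the debug output in the post above.
TRACE = ["0x0201000e01616e6f6e796d6f7573", "0x010200061520", "0x0203000515",
         "0x010500391500140301000101160301002847b9b6c231fca0109e1d9bc96937f08e9db6fe6d66f789bdf46a0209a1b415cd28e6c6177b2551a3"]
```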
