Ok, I have had a look at the code and as far as I can see the following occurs:
- TTLS handshake successful - TTLS tunnels decrypt inner EAP-Identity message - EAP-Identity is sent to inner EAP-MD5 Module - Inner EAP-MD5 module generates EAP Access-Challenge message - The EAP-TTLS module looks at the Access-Challenge and generates a RLM_MODULE_HANDLED return code - The EAP-TTLS module looks at the return code, and because RLM_MODULE_HANDLED is not handled it generates an error and the authentication fails... Does this mean Inner EAP is not supported in EAP-TTLS? Gr, Tom Rixom > -----Original Message----- > From: Tom Rixom > Sent: Friday, March 05, 2004 11:22 AM > To: Freeradius-Users (E-mail) > Subject: EAP-TTLS-EAP-* > > > Howdie, > > I am trying to get EAP-TTLS-EAP-* working... but I keep > running into the > following with any EAP type within EAP-TTLS. > > rlm_eap_tls: Length Included > eaptls_verify returned 11 > eaptls_process returned 7 > rlm_eap_ttls: Session established. Proceeding to decode > tunneled attributes. > TTLS: Got tunneled request > EAP-Message = 0x0200001701746f6d2e7269786f6d40746573742e636f6d > Message-Authenticator = 0x00000000000000000000000000000000 > FreeRADIUS-Proxied-To = 127.0.0.1 > TTLS: Got tunneled identity of [EMAIL PROTECTED] > TTLS: Setting default EAP type for tunneled EAP session. > TTLS: Sending tunneled request > EAP-Message = 0x0200001701746f6d2e7269786f6d40746573742e636f6d > Message-Authenticator = 0x00000000000000000000000000000000 > FreeRADIUS-Proxied-To = 127.0.0.1 > User-Name = "[EMAIL PROTECTED]" > Processing the authorize section of radiusd.conf > modcall: entering group authorize for request 5 > modcall[authorize]: module "preprocess" returns ok for request 5 > modcall[authorize]: module "chap" returns noop for request 5 > modcall[authorize]: module "mschap" returns noop for request 5 > rlm_realm: Looking up realm "test.com" for User-Name = > "[EMAIL PROTECTED]" > rlm_realm: Found realm "test.com" > rlm_realm: Adding Stripped-User-Name = "tom.rixom" > rlm_realm: Proxying request from user tom.rixom to realm test.com > rlm_realm: Adding Realm = "test.com" > rlm_realm: Authentication realm is LOCAL. > modcall[authorize]: module "suffix" returns noop for request 5 > rlm_eap: EAP packet type response id 0 length 23 > rlm_eap: No EAP Start, assuming it's an on-going EAP conversation > modcall[authorize]: module "eap" returns updated for request 5 > users: Matched tom.rixom at 80 > modcall[authorize]: module "files" returns ok for request 5 > modcall: group authorize returns updated for request 5 > rad_check_password: Found Auth-Type EAP > auth: type "EAP" > Processing the authenticate section of radiusd.conf > modcall: entering group authenticate for request 5 > rlm_eap: EAP Identity > rlm_eap: processing type md5 > rlm_eap_md5: Issuing Challenge > modcall[authenticate]: module "eap" returns handled for request 5 > modcall: group authenticate returns handled for request 5 > TTLS: Got tunneled reply RADIUS code 11 > EAP-Message = 0x010100160410450549cc85b2e560a6c7010b8a0d456a > Message-Authenticator = 0x00000000000000000000000000000000 > State = 0xc286e5115c81914c9ae2633ea0b90b4f > TTLS: Got tunneled Access-Challenge > rlm_eap: Handler failed in EAP/ttls > TTLS: Freeing handler for user [EMAIL PROTECTED] > rlm_eap: Failed in EAP select > modcall[authenticate]: module "eap" returns invalid for request 5 > modcall: group authenticate returns invalid for request 5 > auth: Failed to validate the user. > Delaying request 5 for 1 seconds > Finished request 5 > Going to the next request > > I guess this is a config problem... > > As you can see the rlm_eap_md5 does issue a challenge but > when the rlm_eap > module takes over it fails without an error message... > > Has anyone got this workging with the Odyssey or Aegis client? > > Tom Rixom > > Alfa & Ariss > Network Security Solutions > www.alfa-ariss.com > > Lansinkesweg 4-226 > 7553 AE Hengelo Ov > PO Box 960-35 > 7550 AZ Hengelo Ov > The Netherlands > > Tel: +31 (0)74 2555 636 > E-mail: [EMAIL PROTECTED] > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
