Hi everybody,

As frequently here, another EAP-TTLS problem ;)
I use WinXP + SecureW2 + Cisco AP1100 + freeRADIUS 1.0.1 & 1.0.2
freeRADIUS sees a TLS packet but it's EAP-TTLS (with PAP), so authentication doesn't work. Of course eap is set in radiusd.conf (authentication and authorization sections)

My eap.conf is here:
       eap {
               default_eap_type = ttls
               timer_expire     = 60
               ignore_unknown_eap_types = no
               cisco_accounting_username_bug = no

               # Supported EAP-types
               md5 {
               }
               # EAP-TLS
               tls {
               #       default_eap_type = ttls
                       private_key_password = astronomie
                       private_key_file = ${raddbdir}/certs/vega.maquette.grenet.fr.pem
                       certificate_file = ${raddbdir}/certs/vega.maquette.grenet.fr.pem
                       CA_file = ${raddbdir}/certs/root.pem
                       dh_file = ${raddbdir}/certs/dh
                       random_file = ${raddbdir}/certs/random
                       fragment_size = 1024
                       include_length = yes
               #       check_crl = yes
               #       check_cert_cn = %{User-Name}
               }
               ttls {
                       default_eap_type = md5
                       copy_request_to_tunnel = yes
                       use_tunneled_reply = yes
               }
               #peap {
                       #  default_eap_type = mschapv2
               #}
               #mschapv2 {
               #}
       }


When I launch radiusd -X, this is what it says:
...
Module: Loaded eap
eap: default_eap_type = "md5"
eap: timer_expire = 60
eap: ignore_unknown_eap_types = no
eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
tls: rsa_key_exchange = no
tls: dh_key_exchange = yes
tls: rsa_key_length = 512
tls: dh_key_length = 512
tls: verify_depth = 0
tls: CA_path = "(null)"
tls: pem_file_type = yes
tls: private_key_file = "/etc/raddb/certs/vega.maquette.grenet.fr.pem"
tls: certificate_file = "/etc/raddb/certs/vega.maquette.grenet.fr.pem"
tls: CA_file = "/etc/raddb/certs/root.pem"
tls: private_key_password = "astronomie"
tls: dh_file = "/etc/raddb/certs/dh"
tls: random_file = "/etc/raddb/certs/random"
tls: fragment_size = 1024
tls: include_length = yes
tls: check_crl = no
tls: check_cert_cn = "(null)"
rlm_eap: Loaded and initialized type tls
ttls: default_eap_type = "md5"
ttls: copy_request_to_tunnel = yes
ttls: use_tunneled_reply = yes
rlm_eap: Loaded and initialized type ttls
Module: Instantiated eap (eap)
...

When I try to authenticate, the output is below...
rad_recv: Access-Request packet from host 10.1.1.2:21672, id=106, length=132
       User-Name = "david"
       Framed-MTU = 1400
       Called-Station-Id = "000e.8440.bbb0"
       Calling-Station-Id = "000d.54aa.a39c"
       Service-Type = Login-User
       Message-Authenticator = 0x150c704b98ad730ead5764e4be788835
       EAP-Message = 0x0202000a016461766964
       NAS-Port-Type = Wireless-802.11
       NAS-Port = 7080
       NAS-IP-Address = 10.1.1.2
       NAS-Identifier = "ap-maquette"
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 2
 modcall[authorize]: module "preprocess" returns ok for request 2
 modcall[authorize]: module "chap" returns noop for request 2
 modcall[authorize]: module "mschap" returns noop for request 2
   rlm_realm: No '@' in User-Name = "david", looking up realm NULL
   rlm_realm: Found realm "NULL"
   rlm_realm: Adding Stripped-User-Name = "david"
   rlm_realm: Proxying request from user david to realm NULL
   rlm_realm: Adding Realm = "NULL"
   rlm_realm: Authentication realm is LOCAL.
 modcall[authorize]: module "suffix" returns noop for request 2
 rlm_eap: EAP packet type response id 2 length 10
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 2
   users: Matched david at 19
 modcall[authorize]: module "files" returns ok for request 2
modcall: group authorize returns updated for request 2
 rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
 Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 2
 rlm_eap: EAP Identity
rlm_eap: processing type tls <========= why ? it should be TTLS !!!
 rlm_eap_tls: Initiate
 rlm_eap_tls: Start returned 1
 modcall[authenticate]: module "eap" returns handled for request 2
modcall: group authenticate returns handled for request 2
Sending Access-Challenge of id 106 to 10.1.1.2:21672
       Service-Type = Framed-User
       Framed-MTU = 1500
       Tunnel-Type:0 := VLAN
       Tunnel-Medium-Type:0 := IEEE-802
       Tunnel-Private-Group-Id:0 := "402"
       EAP-Message = 0x010300061520
       Message-Authenticator = 0x00000000000000000000000000000000
       State = 0xdcb2b96e379c8bc2dcb4b5b405a23cab
Finished request 2
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
...
(it falls into a timeout and the process repeats again and again)

Can someone help me? How can I debug more? Thanks.

David ROUMANET
Network Engineer, CICG
http://www.grenet.fr
