My long term goal is EAP-TTLS + PAP with FreeRadius 2.0 and LDAP

That being said, I have taken one of my existing access points (working with
FreeRadius 1.1.5) and pointed it at my test radius server.

When I try to connect, the agent sends dozens of requests that the debug
log seems very happy with: "Login OK: [prieheck] (from client...."
However, that seems to be the extent of it. The logins are approved,
but it doesn't seem like anyone is getting informed.

A radeapclient test:

+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 210
EAP-Type-Identity = "prieheck"
Message-Authenticator = 0x00
NAS-Port = 0
<+++ EAP decoded packet:
EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
State = 0x5d58d3605d8bd76df879afd5c99b16ef
EAP-Id = 211
EAP-Code = Request
EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4

+++> About to send encoded packet:
User-Name = "prieheck"
Cleartext-Password = "please"
NAS-IP-Address = 127.0.0.1
EAP-Code = Response
EAP-Id = 211
Message-Authenticator = 0x00000000000000000000000000000000
NAS-Port = 0
EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
State = 0x5d58d3605d8bd76df879afd5c99b16ef
<+++ EAP decoded packet:
EAP-Message = 0x03d30004
Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
User-Name = "prieheck"
EAP-Id = 211
EAP-Code = Success

   Total approved auths:  1
     Total denied auths:  1

So it looks to me like the eap bit is all going good, but I am at a loss
(especially concerning the denied auth there...).

EAP/PEAP is working just fine, so I think it may be my eap.conf file
related to ttls:

#### eap.conf
eap {
        default_eap_type = md5
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_file = ${certdir}/radius.key
                certificate_file = ${certdir}/radius.crt
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                # tunneled request is handed to the "inner-tunnel" virtual server
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
        md5 {
        }
}

This is a bit of the debug output from FreeRadius:
<snip>
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
  TTLS: Got tunneled reply RADIUS code 2
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
        MS-MPPE-Recv-Key = 0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
        MS-MPPE-Send-Key = 0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "prieheck"
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142
        User-Name = "prieheck"
        Framed-MTU = 1400
        Called-Station-Id = "000f.f7d4.d460"
        Calling-Station-Id = "0106.cfa9.d2eb"
        Service-Type = Login-User
</snip>

Currently using FreeRadius 2.0.5 on 32-bit Ubuntu, built by me.

I would happily share any of my other config lines, but I don't know what
you would want to see and don't want to flood you with too much data....

Pat


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
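Added example (not from the post, and not FreeRADIUS project code): a small Python parser for the `radiusd -X` debug output of the kind quoted above. It splits the log into sent/received packets with their attribute lists, re-joins hex values that a mailer wrapped onto the following line (as happened to the MS-MPPE keys in the post), and then checks an Access-Accept for the two things an 802.1X authenticator needs before it will open the port: an EAP-Message carrying EAP Success (code 0x03) and the MS-MPPE-Recv-Key/MS-MPPE-Send-Key attributes that the AP uses as the pairwise master key. The log text embedded below is constructed in the shape of the post's `<snip>` block; the function and class names are the example's own.

```python
"""Parse FreeRADIUS 2.x debug output into packets and sanity-check an Access-Accept."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the shape of the post's debug output (same attribute values).
SAMPLE_DEBUG = """\
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
        MS-MPPE-Recv-Key =
0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
        MS-MPPE-Send-Key =
0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "prieheck"
Finished request 4.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142
        User-Name = "prieheck"
        Framed-MTU = 1400
        Service-Type = Login-User
"""

SEND_RE = re.compile(r'^Sending (\S+) of id (\d+) to (\S+) port (\d+)')
RECV_RE = re.compile(r'^rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)')
ATTR_RE = re.compile(r'^\s+([A-Za-z0-9-]+) = ?(.*)$')
HEX_RE = re.compile(r'^0x[0-9a-fA-F]+$')
LOGIN_RE = re.compile(r'^Login (OK|incorrect): \[([^\]]+)\] \((.*)\)$')
EAP_CODES = {"01": "Request", "02": "Response", "03": "Success", "04": "Failure"}


@dataclass
class Packet:
    direction: str            # "sent" or "received"
    code: str                 # RADIUS code name, e.g. "Access-Accept"
    pkt_id: int
    peer: str                 # "host:port" of the NAS
    attrs: dict = field(default_factory=dict)


def parse_debug(text):
    """Return the packets printed in a radiusd -X log, each with its attribute list."""
    packets, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if m := SEND_RE.match(line):
            current = Packet("sent", m[1], int(m[2]), f"{m[3]}:{m[4]}")
            packets.append(current)
        elif m := RECV_RE.match(line):
            current = Packet("received", m[1], int(m[4]), f"{m[2]}:{m[3]}")
            packets.append(current)
        elif (m := ATTR_RE.match(line)) and current is not None:
            name, value = m[1], m[2].strip()
            # A long hex value wrapped by the mailer lands alone on the next line.
            if value == "" and i + 1 < len(lines) and HEX_RE.match(lines[i + 1].strip()):
                i += 1
                value = lines[i].strip()
            current.attrs[name] = value.strip('"')
        elif not line.startswith((" ", "\t")):
            current = None            # any other top-level line ends the attribute list
        i += 1
    return packets


def eap_code(eap_message):
    """Name of the EAP Code byte (first byte after 0x) of an EAP-Message attribute."""
    return EAP_CODES.get(eap_message[2:4].lower(), "Unknown")


def check_access_accept(pkt):
    """List what an 802.1X authenticator would be missing in this Access-Accept."""
    if pkt.code != "Access-Accept":
        return [f"not an Access-Accept (got {pkt.code})"]
    problems = []
    eap = pkt.attrs.get("EAP-Message")
    if eap is None:
        problems.append("no EAP-Message: the AP cannot relay EAP-Success to the supplicant")
    elif eap_code(eap) != "Success":
        problems.append(f"EAP-Message code is {eap_code(eap)}, not Success")
    for key in ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"):
        if key not in pkt.attrs:
            problems.append(f"missing {key}: no PMK for the WPA 4-way handshake")
    return problems


def summarise_logins(text):
    """Count inner-tunnel vs outer 'Login ...' lines; one TTLS auth yields one of each."""
    counts = {"inner_ok": 0, "outer_ok": 0, "inner_fail": 0, "outer_fail": 0}
    for line in text.splitlines():
        if m := LOGIN_RE.match(line):
            where = "inner" if "via TLS tunnel" in m[3] else "outer"
            counts[f"{where}_{'ok' if m[1] == 'OK' else 'fail'}"] += 1
    return counts


if __name__ == "__main__":
    for p in parse_debug(SAMPLE_DEBUG):
        print(p.direction, p.code, p.pkt_id, p.peer, check_access_accept(p))
    print(summarise_logins(SAMPLE_DEBUG))
```

Feed it the full `radiusd -X` output to see, per Access-Accept, whether anything an AP needs is absent; an all-zero Message-Authenticator in a debug print of a sent packet is normal, since the HMAC is filled in when the packet is encoded on the wire.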