Hello Kasper.

Kaspar Landsberg says:

I successfully set up a WLAN/radius system with a Cisco AP-1100, Windows XP (securew2) and freeradius v1.0.0-pre3 using EAP/TTLS with PAP inside the tunnel.

But trying to use the same system with EAP/MD5 inside the tunnel instead of PAP (as suggested in the eap.conf file) gives me the following error:

--- radiusd -xx ---
[...]
  TTLS: Got tunneled request
        EAP-Message = 0x0200000b01617074657374
        Message-Authenticator = 0x00000000000000000000000000000000
        FreeRADIUS-Proxied-To = 127.0.0.1
  TTLS: Got tunneled identity of aptest
  TTLS: Setting default EAP type for tunneled EAP session.
  TTLS: Sending tunneled request
        EAP-Message = 0x0200000b01617074657374
        Message-Authenticator = 0x00000000000000000000000000000000
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = "aptest"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
  modcall[authorize]: module "preprocess" returns ok for request 4
  rlm_eap: EAP packet type response id 0 length 11
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 4
    users: Matched DEFAULT at 222
    users: Matched DEFAULT at 225
  modcall[authorize]: module "files" returns ok for request 4
modcall: group authorize returns updated for request 4
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type System
Warning:  Found 2 auth-types on request for user 'aptest'
auth: type "System"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 4
rlm_unix: Attribute "User-Password" is required for authentication.
  modcall[authenticate]: module "unix" returns invalid for request 4
modcall: group authenticate returns invalid for request 4
auth: Failed to validate the user.
Login incorrect: [aptest] (from client localhost port 0)
  TTLS: Got tunneled reply RADIUS code 3
  TTLS: Got tunneled Access-Reject

[...]

I suppose that my "users" file is not correctly set up for EAP/TTLS with EAP/MD5 inside the tunnel:

SecureW2 supports EAP-TTLS-PAP and EAP-TTLS-EAP-<windows EAPs>, in your case EAP-TTLS-EAP-MD5. Please read the log files again: they clearly state that you have EAP inside the tunnel, and they complain about the double Auth-Type setting (EAP and System).

(anonymous is the UID used by securew2 for the outer identity.)

--- users ---
anonymous

DEFAULT Freeradius-Proxied-To == 127.0.0.1
        Fall-Through = yes

DEFAULT Auth-Type += System
--- users ---

I'm pretty sure I'm missing something rather basic and simple. But up to now, this something has managed to escape my attention...

:)

--
Best regards,
Rok Papez.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
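
The following is an added example, not part of the original message or of FreeRADIUS: a small Python triage helper that decodes the `EAP-Message` value from the quoted `radiusd -xx` output using the RFC 3748 header layout and reports the competing Auth-Type values. The function names `decode_eap` and `triage` and the trimmed `SAMPLE_LOG` are assumptions made for illustration.

```python
import re
import struct

# EAP codes and method types from RFC 3748 (21 = EAP-TTLS, RFC 5281).
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS"}

# Constructed sample: a few lines copied from the debug output quoted above.
SAMPLE_LOG = """\
  TTLS: Got tunneled request
        EAP-Message = 0x0200000b01617074657374
  rad_check_password:  Found Auth-Type EAP
  rad_check_password:  Found Auth-Type System
auth: type "System"
"""

def decode_eap(hex_value):
    """Decode one EAP packet given as the hex string radiusd prints."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length %d does not fit %d bytes" % (length, len(raw)))
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    # Only Request/Response packets carry a Type byte followed by type data.
    if code in (1, 2) and length > 4:
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:length]
    return pkt

def triage(log_text):
    """Return decoded EAP packets, the Auth-Types found, and the one used."""
    hexes = re.findall(r"EAP-Message = (0x[0-9a-fA-F]+)", log_text)
    found = re.findall(r"Found Auth-Type (\S+)", log_text)
    used = re.search(r'auth: type "([^"]+)"', log_text)
    return {"packets": [decode_eap(h) for h in hexes],
            "auth_types": found,
            "used": used.group(1) if used else None,
            "conflict": len(set(found)) > 1}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(result["packets"][0])
    print("Auth-Types:", result["auth_types"], "used:", result["used"])
```

On the quoted log this shows an EAP Identity response for `aptest` inside the tunnel, while the request was handed to Auth-Type System, which matches the `rlm_unix` complaint about the missing User-Password.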
