I have a few questions about the debug output from an ultimately successful EAP-TTLS-CHAP authentication. Consider this snippet:
...
rad_recv: Access-Request packet from host 192.168.1.228:1045, id=210, length=166

       User-Name = "anonymous"
       NAS-IP-Address = 192.168.1.228
       Connect-Info = "CONNECT 802.11"
       Called-Station-Id = "000b6b8c03f9"
       Calling-Station-Id = "00146c6f2e75"
       NAS-Identifier = "00-14-6c-6f-2e-75"
       NAS-Port-Type = Wireless-802.11
       NAS-Port = 15
       NAS-Port-Id = "15"
       Framed-MTU = 1400
       State = 0x656cef9c49bb7e305b809bc113ece6c4
       EAP-Message = 0x020700061500
       Message-Authenticator = 0xfd14176dee74fed4980d51bbf880b8a6
 Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 4
 modcall[authorize]: module "preprocess" returns ok for request 4
 modcall[authorize]: module "chap" returns noop for request 4
 modcall[authorize]: module "mschap" returns noop for request 4
   rlm_realm: No '@' in User-Name = "anonymous", looking up realm NULL
   rlm_realm: No such realm "NULL"
 modcall[authorize]: module "suffix" returns noop for request 4
 rlm_eap: EAP packet type response id 7 length 6
 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
 modcall[authorize]: module "eap" returns updated for request 4
   users: Matched entry DEFAULT at line 173
...

1. First, what does this mean: 'module "chap" returns noop for request 3'? My client uses CHAP, so why doesn't "chap" here return ok? What does "noop" mean?

2. I read in a comment in the out-of-the-box eap.conf file that it is customary to specify "anonymous" for the "name of the user 'outside' of the tunnel" with ttls { use_tunneled_reply = yes }. Is the User-Name field in the above Access-Request this outside user name?

3. Is the User-Name in the Access-Request the same as what I've seen called the "outer identity?"

4. Is just using "anonymous" okay? Should I include a realm, e.g., [EMAIL PROTECTED]? Is there something I lose by not specifying a realm in User-Name (everything seems to work okay so far)?

5. What does "No EAP Start" mean?

6. Why does modcall[authorize] say "Matched entry DEFAULT at line 173" here and in the subsequent challenge response (not shown), whereas later in the challenge response it says "Matched entry plong at line 76" ("plong" is the name part of the inner identity, if I'm using the terminology correctly)?

Paul

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
