Hi all,

I have been trying to figure this out for a couple of days, but could not get any clue. My test is about authentication with EAP-TTLS/MSCHAPV2.

I am using freeradius v1.1.3 on Solaris 10.

No matter what I do, I get "rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request" at the server.

Can anybody help me figure out what went wrong? Here are my configs and logs (truncated).

Awaiting some solution...

Rafi

Here is my eap.conf:

        eap {
                default_eap_type = ttls

                timer_expire     = 60
                ignore_unknown_eap_types = no

                cisco_accounting_username_bug = no

                md5 {
                }

                leap {
                }

                gtc {
                        auth_type = PAP
                }

                tls {
                        rsa_key_exchange = yes
                        dh_key_exchange = no
                        rsa_key_length = 1024
                        dh_key_length = 1024
                        verify_depth = 2
                        pem_file_type = yes

                        private_key_password = "wimax i2 test certs"
                        private_key_file = /etc/freeradius/etc/certs/key2.pem
                        certificate_file = /etc/freeradius/etc/certs/cert2.pem
                        CA_file = /etc/freeradius/etc/certs/cacert.pem
                        dh_file = /etc/freeradius/etc/certs/dh
                        random_file = /etc/freeradius/etc/certs/random

                        fragment_size = 1024

                        include_length = yes

                        check_cert_cn = %{User-Name}
                }

                ttls {
                        default_eap_type = mschapv2

                #       copy_request_to_tunnel = no

                #       use_tunneled_reply = no
                }

                peap {
                        default_eap_type = mschapv2

                #       copy_request_to_tunnel = no
                #       use_tunneled_reply = no

                #       proxy_tunneled_request_as_eap = yes
                }

                mschapv2 {
                }
        }

Here is my users file:

"testuser" Auth-Type := EAP, User-Password := "testuser"

DEFAULT Auth-Type := EAP

Here is my supplicant config:
# cat supplicant.conf
ctrl_interface=/var/tmp/supplicant.ctl
eap_trace=1
enableWiMAXauth=1
validateFNECerts=1
checkCRL=1
ignoreTimeOfDay=0
update_config=0
data_interface=/var/tmp/supplicant_data.ctl
ap_scan=0
fast_reauth=1
load_dynamic=/usr/lib/wpa_supplicant/eap_ttls.so
network={
    eap=TTLS
    eap_workaround=1
    anonymous_identity="anonymous_identity"
    ca_path="/var/tmp/truststore"
    ca_cert="/var/tmp/root.crt"
    client_cert="/var/tmp/cpe.crt"
    private_key="/var/tmp/key"
    private_key_passwd="wimax i2 test certs"
    phase2="auth=MSCHAPV2"
}

Here is the radius log (only the failed part is shown):

rlm_fastusers:  checking defaults
  fastusers: Matched DEFAULT at 6
  modcall[authorize]: module "fastusers" returns updated for request 1
modcall: leaving group authorize (returns updated) for request 1
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 1
rlm_eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
  rlm_eap: Failed in handler
  modcall[authenticate]: module "eap" returns invalid for request 1
modcall: leaving group authenticate (returns invalid) for request 1

 