My long-term goal is EAP-TTLS + PAP with FreeRADIUS 2.0 and LDAP. That being said, I have taken one of my existing access points, working with FreeRADIUS 1.1.5, and pointed it at my test RADIUS server.
When I try and connect, the agent sends dozens of requests that the debug log seems very happy with: "Login OK: [prieheck] (from client...." However, that seems to be the extent of it. The logins are approved, but it doesn't seem like anyone is getting informed. A radeapclient test:

+++> About to send encoded packet:
        User-Name = "prieheck"
        Cleartext-Password = "please"
        NAS-IP-Address = 127.0.0.1
        EAP-Code = Response
        EAP-Id = 210
        EAP-Type-Identity = "prieheck"
        Message-Authenticator = 0x00
        NAS-Port = 0
<+++ EAP decoded packet:
        EAP-Message = 0x01d300160410e04884bebefb1c9c1940272ac62346e4
        Message-Authenticator = 0xe1b0cbd908bc1932ee01c1634efccc17
        State = 0x5d58d3605d8bd76df879afd5c99b16ef
        EAP-Id = 211
        EAP-Code = Request
        EAP-Type-MD5 = 0x10e04884bebefb1c9c1940272ac62346e4
+++> About to send encoded packet:
        User-Name = "prieheck"
        Cleartext-Password = "please"
        NAS-IP-Address = 127.0.0.1
        EAP-Code = Response
        EAP-Id = 211
        Message-Authenticator = 0x00000000000000000000000000000000
        NAS-Port = 0
        EAP-Type-MD5 = 0x105df5963fda67a6941067d7019e8bbe14
        State = 0x5d58d3605d8bd76df879afd5c99b16ef
<+++ EAP decoded packet:
        EAP-Message = 0x03d30004
        Message-Authenticator = 0xd8d24fc4a6faa627be412bfc40169290
        User-Name = "prieheck"
        EAP-Id = 211
        EAP-Code = Success
Total approved auths: 1
Total denied auths: 1

So it looks to me like the EAP bit is all going well, but I am at a loss (especially concerning the denied auth there...).
EAP/PEAP is working just fine, so I think it may be my eap.conf file, related to ttls:

#### eap.conf
eap {
        default_eap_type = md5
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = PAP
        }
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_file = ${certdir}/radius.key
                certificate_file = ${certdir}/radius.crt
                CA_file = ${cadir}/cacert.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
        }
        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
        md5 {
        }
}

This is a bit of the debug output from FreeRADIUS:

<snip>
++[pap] returns ok
Login OK: [prieheck] (from client AP1200 port 0 via TLS tunnel)
} # server inner-tunnel
TTLS: Got tunneled reply RADIUS code 2
TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [prieheck] (from client AP1200 port 385 cli 0106.cfa9.d2eb)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 222 to 10.4.6.7 port 1645
        MS-MPPE-Recv-Key = 0x9a15665cdb643dd496bc1bf028a244b31833e89886d373d74f7864714839c048
        MS-MPPE-Send-Key = 0x92acfe330cfa9a94b9fc61226a1c438c2572287a8aac94c71ed2e0828050f174
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "prieheck"
Finished request 4.
Going to the next request
Waking up in 4.0 seconds.
Cleaning up request 0 ID 218 with timestamp +19
Waking up in 0.3 seconds.
Cleaning up request 1 ID 219 with timestamp +20
Cleaning up request 2 ID 220 with timestamp +20
Waking up in 0.4 seconds.
rad_recv: Access-Request packet from host 10.4.6.7 port 1645, id=223, length=142
        User-Name = "prieheck"
        Framed-MTU = 1400
        Called-Station-Id = "000f.f7d4.d460"
        Calling-Station-Id = "0106.cfa9.d2eb"
        Service-Type = Login-User
</snip>

Currently using FreeRADIUS 2.0.5 on 32-bit Ubuntu, built by me. I would happily share any of my other config lines, but don't know what you would want to see and don't want to flood you with too much data....

Pat

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
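Added example, not part of Pat's post or of FreeRADIUS/radeapclient: a small Python decoder for the raw EAP-Message values shown in the radeapclient output above (Request id 211 carrying the MD5 challenge, then the Success packet), plus the EAP-MD5 response computation radeapclient performs, so the ids and challenge of the outer exchange can be read off and compared against the tunneled one when chasing a stray denied auth. The function names and the CAPTURED_* constants are mine; the constants hold the values from the post.

```python
import hashlib

# EAP header codes (RFC 3748 section 4) and the MD5-Challenge type (RFC 3748 section 5.4)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_MD5 = 4

# Values copied from the radeapclient output in the post
CAPTURED_REQUEST = "0x01d300160410e04884bebefb1c9c1940272ac62346e4"
CAPTURED_MD5_TYPE_DATA = "0x105df5963fda67a6941067d7019e8bbe14"
CAPTURED_SUCCESS = "0x03d30004"


def decode_eap_message(hex_value):
    """Decode one EAP packet from a RADIUS EAP-Message attribute (hex string).

    Returns code, id and length; for Request/Response also the type, and for
    EAP-MD5 the challenge/response value (1 size byte + value, then optional name).
    """
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, identifier = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError("EAP length field %d does not match %d bytes" % (length, len(data)))
    pkt = {"code": EAP_CODES.get(code, code), "id": identifier, "length": length}
    if code in (1, 2):
        pkt["type"] = data[4]
        if data[4] == EAP_TYPE_MD5:
            value_size = data[5]
            pkt["value"] = data[6:6 + value_size]
            pkt["name"] = data[6 + value_size:]
    return pkt


def eap_md5_response(identifier, password, challenge):
    """MD5-Challenge response = MD5(identifier || password || challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def response_matches(request_hex, md5_type_data_hex, password):
    """True if the captured EAP-Type-MD5 type-data is the correct answer to the captured Request."""
    req = decode_eap_message(request_hex)
    type_data = bytes.fromhex(md5_type_data_hex[2:])
    answer = type_data[1:1 + type_data[0]]
    return eap_md5_response(req["id"], password, req["value"]) == answer
```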