Hi All,

The supplicant tries authentication with EAP-TTLS. The TLS tunnel is established properly, but RADIUS sends Access-Reject.
Following are the xsupplicant.conf, eap.conf and radius output. radiusd.conf is not changed. It would be great if anyone could help in solving this issue or identify it.

Thanks,
Nagendra.

freeradius version: FreeRADIUS Version 1.0.1
xsupplicant version: 1.2.8

Following is my xsupplicant configuration:

    eap-ttls {
        root_cert = /etc/raddb/certs/ca.pem
        phase2_type = pap
        pap {
            username = test...@mynet.net
            password = "test123"
        }
    }

Following is my eap.conf configuration with freeradius:

    eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 2048
        md5 {
        }
        leap {
        }
        gtc {
            auth_type = PAP
        }
        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = nagendra
            private_key_file = ${certdir}/server.pem
            certificate_file = ${certdir}/server.pem
            CA_file = ${cadir}/ca.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            fragment_size = 1024
            include_length = yes
        }
        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
        }
    }

Following is the output of freeRadius.

    rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
        User-Name = "test...@mynet.net"
        NAS-Port = 68
        State = 0x31f6a6d18c0edbbe0a8135be701c9eff
        EAP-Message = 0x020e00801500170301002003c6f62435902b65dc7748b238fc47a7e5af9cfdbfed7ce3763b8a3830ac25a41703010050bd010059a58d0a9db18cb4df099dca43c1cadebca1672d9fb2b08a9131aa32b657e2d497196c130405e11396402abbcc130558325bc9ef888c19692d6ce7e2d736b463e6bfa09de4cacdc2511be08c20
        Message-Authenticator = 0x9b2ba395fe336634039600437f39e5e4
        Acct-Session-Id = "8O2.1x81680002"
        NAS-Port-Id = "ge-0/0/0.0"
        Calling-Station-Id = "00-30-48-8b-7f-ff"
        Called-Station-Id = "00-1f-12-3f-89-40"
        NAS-Identifier = "bng-l24f1-dev"
        NAS-Port-Type = Virtual
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 5
    modcall[authorize]: module "preprocess" returns ok for request 5
    rlm_eap: EAP packet type response id 14 length 128
    rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
    modcall[authorize]: module "eap" returns updated for request 5
    users: Matched DEFAULT at 164
    users: Matched test...@mynet.net at 235
    modcall[authorize]: module "files" returns ok for request 5
    modcall: group authorize returns updated for request 5
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    Processing the authenticate section of radiusd.conf
    modcall: entering group authenticate for request 5
    rlm_eap: Request found, released from the list
    rlm_eap: EAP/ttls
    rlm_eap: processing type ttls
    rlm_eap_ttls: Authenticate
    rlm_eap_tls: processing TLS
    eaptls_verify returned 7
    rlm_eap_tls: Done initial handshake
    eaptls_process returned 7
    rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
    TTLS: Got tunneled request
        User-Name = "test...@mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
    TTLS: Sending tunneled request
        User-Name = "test...@mynet.net"
        User-Password = "test123"
        FreeRADIUS-Proxied-To = 127.0.0.1
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 5
    modcall[authorize]: module "preprocess" returns ok for request 5
    rlm_eap: No EAP-Message, not doing EAP
    modcall[authorize]: module "eap" returns noop for request 5
    users: Matched DEFAULT at 164
    users: Matched test...@mynet.net at 235
    modcall[authorize]: module "files" returns ok for request 5
    modcall: group authorize returns ok for request 5
    rad_check_password: Found Auth-Type System
    auth: type "System"
    ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
    auth: Failed to validate the user.
    TTLS: Got tunneled reply RADIUS code 3
    TTLS: Got tunneled Access-Reject
    rlm_eap: Handler failed in EAP/ttls
    rlm_eap: Failed in EAP select
    modcall[authenticate]: module "eap" returns invalid for request 5
    modcall: group authenticate returns invalid for request 5
    auth: Failed to validate the user.
    Delaying request 5 for 1 seconds
    Finished request 5
    Going to the next request
    Waking up in 6 seconds...
    rad_recv: Access-Request packet from host 12.12.12.2:52660, id=201, length=300
    Sending Access-Reject of id 201 to 12.12.12.2:52660
        EAP-Message = 0x040e0004
        Message-Authenticator = 0x00000000000000000000000000000000