Hi,

Before I begin, sorry for my bad English; I'm French.

I'm trying to add PEAP-MSCHAPv2 support to an existing, working configuration
with EAP-TTLS + PAP, to give users full eduroam support. There are proxy RADIUS
servers maintained by our national "provider", and they test authentication
every 15 minutes.

When they only test EAP-TTLS authentication, it works; here is part of the
output of freeradius -X.

Login OK: [user/password] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> u...@realm
[sql] sql_set_user escaped user --> 'u...@realm'
[sql]   expand: %{User-Password} -> password
[sql]   expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('u...@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02')
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('u...@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02')
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('u...@realm', 'password', 'Access-Accept', '2010-06-17 18:17:02')
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
        expand: %{request:User-Name} -> u...@realm
++[outer.reply] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
        User-Name := "u...@realm"
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
Login OK: [anonymous/<via Auth-Type = EAP>] (from client proxyradius port 0 cli 02-00-00-00-00-01)

Then, when I specify that our FreeRADIUS server supports PEAP-MSCHAPv2, they
test PEAP first and never receive an Access-Accept or Access-Reject for the
request with only the outer identity, anonym...@realm. Here is the output:

Login OK: [user/<via Auth-Type = mschap>] (from client proxyradius port 0 cli 02-00-00-00-00-01 via TLS tunnel)
+- entering group post-auth {...}
[sql]   expand: %{User-Name} -> u...@realm
[sql] sql_set_user escaped user --> 'u...@realm'
[sql]   expand: %{User-Password} ->
[sql]   ... expanding second conditional
[sql]   expand: %{Chap-Password} ->
[sql]   expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('u...@realm', '', 'Access-Accept', '2010-06-17 15:32:07')
[sql]   expand: /var/log/freeradius/sqltrace.sql -> /var/log/freeradius/sqltrace.sql
rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('u...@realm', '', 'Access-Accept', '2010-06-17 15:32:07')
rlm_sql (sql): Reserving sql socket id: 2
rlm_sql_mysql: query:  INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('u...@realm', '', 'Access-Accept', '2010-06-17 15:32:07')
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
        expand: %{request:User-Name} -> u...@realm
++[outer.reply] returns ok
} # server inner-tunnel
[ttls] Got tunneled reply code 2
        User-Name := "u...@realm"
        MS-CHAP2-Success = 0x54533d42374134413830313835384530453531383135373131384643424442444432464133384345413836
[ttls] Got tunneled Access-Accept
[ttls] Got MS-CHAP2-Success, tunneling it to the client in a challenge.
++[eap] returns handled
Sending Access-Challenge of id 9 to 193.51.182.121 port 35055
        User-Name = "u...@realm"
        EAP-Message = 0x010a005f1580000000551703010050f984b434f276e050b0697e427d30ddfe2c0d9cc56a8f5da6ab447bbabae115d8181dfce1b6e52f33fcd2a20d5e26f574b9be69fa946342eafbd7ea350d5782490593a260401dae6b1c71f16f30b3ab38
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcda13382c4ab2647095b27820a4b1850
Finished request 11.
Going to the next request
Waking up in 4.7 seconds.

And then the proxy RADIUS server sends a new Access-Request, and the outer
identity is never accepted. But u...@realm is authenticated...

I'm sorry, I know you need more information about my configs and outputs, but I
don't want to make this post longer than it already is... So I can post more
information if needed.

Thank you for helping me!

J-P.
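Editor's note with an added example (not part of J-P.'s post and not FreeRADIUS's own text): one thing both debug outputs show, independent of the PEAP question, is what the post-auth SQL query does with credentials. In the EAP-TTLS/PAP run the inner User-Password is available in cleartext and is written verbatim into the radpostauth 'pass' column, into the -X output (which then got pasted to a public list), and, since /var/log/freeradius/sqltrace.sql is being expanded, into that trace file as well. In the MS-CHAPv2 run neither User-Password nor Chap-Password exists, so the same column ends up empty; the '[ttls]' prefix on those lines also shows that this MS-CHAPv2 exchange is still running inside EAP-TTLS rather than PEAP. Below is the query as reconstructed from the expansions in the logs, beside a variant that keeps the audit row but not the secret. The file location (the sql module's dialup.conf, with ${postauth_table} defaulting to radpostauth) is assumed from the FreeRADIUS 2.x layout:

```conf
# Assumed location: the sql module's dialup.conf (FreeRADIUS 2.x layout).
# ${postauth_table} is assumed to resolve to radpostauth, as in the debug output.

# Query as it appears (expanded) in both debug outputs. With EAP-TTLS/PAP the
# inner User-Password is in cleartext here, so the user's password lands in the
# 'pass' column, in the -X output and in sqltrace.sql. With MS-CHAPv2 neither
# attribute is present and 'pass' is simply ''.
#
#postauth_query = "INSERT INTO ${postauth_table} \
#                  (username, pass, reply, authdate) \
#                  VALUES ( \
#                  '%{User-Name}', \
#                  '%{%{User-Password}:-%{Chap-Password}}', \
#                  '%{reply:Packet-Type}', '%S')"

# Hardened variant: same columns (the stock schema has 'pass' as NOT NULL
# DEFAULT ''), same audit information, but the password is never stored.
postauth_query = "INSERT INTO ${postauth_table} \
                  (username, pass, reply, authdate) \
                  VALUES ( \
                  '%{User-Name}', \
                  '', \
                  '%{reply:Packet-Type}', '%S')"
```

Anyone who already has rows written by the first form should treat the existing radpostauth contents, the sqltrace file and any posted -X output as containing live passwords and rotate or scrub them; switching to the second form only stops new ones from being recorded.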

                                          
_________________________________________________________________
Installez gratuitement les nouvelles Emoch'ticones !
http://www.ilovemessenger.fr/emoticones/telecharger-emoticones-emochticones.aspx
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to