My aim is to have EAP-TTLS/PAP working using an OpenLDAP user database with MD5-hashed passwords. I got it working by configuring ldap parameters in
and applying two changes in /etc/raddb/sites-available/inner-tunnel:
1) uncommented "ldap" in the authorize section
2) uncommented these lines in the authenticate section:
   Auth-Type LDAP {
Am I doing it right?
What puzzles me is the following comment in the authenticate section that seems
to warn me not to do what I have done ("EAP won't work"):
  # Uncomment it if you want to use ldap for authentication
  # Note that this means "check plain-text password against
  # the ldap database", which means that EAP won't work,
  # as it does not supply a plain-text password.

Thanks a lot for your time and help,

Here's the very long debug output (test done with
JRadiusSimulator with EAP-TTLS/PAP as the Authentication Protocol):

rad_recv: Access-Request packet from host port 41898,
id=204, length=95
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        EAP-Message = 0x0200001701616e6f6e796d6f757340756e6970642e6974
        Message-Authenticator = 0x4a6c7626f1ae57fabb14be50dbc07a24
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 0 length 23
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.
Authentication may fail because of this.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 204 to port 41898
        EAP-Message = 0x010100061520
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd7901eacd78148a4b2cea7aabcc02f2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 41898,
id=205, length=162
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        State = 0xcd7901eacd78148a4b2cea7aabcc02f2
        EAP-Message =
        Message-Authenticator = 0x19b7441b270f62ebbc9d4840c09bdb7a
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 72
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls]     (other): before/accept initialization
[ttls]     TLS_accept: before/accept initialization
[ttls] <<< TLS 1.0 Handshake [length 003d], ClientHello
[ttls]     TLS_accept: SSLv3 read client hello A
[ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello
[ttls]     TLS_accept: SSLv3 write server hello A
[ttls] >>> TLS 1.0 Handshake [length 085e], Certificate
[ttls]     TLS_accept: SSLv3 write certificate A
[ttls] >>> TLS 1.0 Handshake [length 020d], ServerKeyExchange
[ttls]     TLS_accept: SSLv3 write key exchange A
[ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone
[ttls]     TLS_accept: SSLv3 write server done A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 205 to port 41898
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message = 0xa73082038fa0030201020209
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd7901eacc7b148a4b2cea7aabcc02f2
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 41898,
id=206, length=96
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        State = 0xcd7901eacc7b148a4b2cea7aabcc02f2
        EAP-Message = 0x020200061500
        Message-Authenticator = 0xa2c22a1a2e8fa392e6f8babe34a8a605
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 206 to port 41898
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message =
        EAP-Message = 0x95aabab449a37124b01f7d23
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd7901eacf7a148a4b2cea7aabcc02f2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 41898,
id=207, length=96
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        State = 0xcd7901eacf7a148a4b2cea7aabcc02f2
        EAP-Message = 0x020300061500
        Message-Authenticator = 0x7de069de52a18aaf03a8a63845bb52ab
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake fragment handler
[ttls] eaptls_verify returned 1
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 207 to port 41898
        EAP-Message =
        EAP-Message =
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd7901eace7d148a4b2cea7aabcc02f2
Finished request 3.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 41898,
id=208, length=310
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        State = 0xcd7901eace7d148a4b2cea7aabcc02f2
        EAP-Message =
        Message-Authenticator = 0x3f0e85870f20ce1a998879c107f38832
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 4 length 220
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[ttls]     TLS_accept: SSLv3 read client key exchange A
[ttls] <<< TLS 1.0 ChangeCipherSpec [length 0001]
[ttls] <<< TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 read finished A
[ttls] >>> TLS 1.0 ChangeCipherSpec [length 0001]
[ttls]     TLS_accept: SSLv3 write change cipher spec A
[ttls] >>> TLS 1.0 Handshake [length 0010], Finished
[ttls]     TLS_accept: SSLv3 write finished A
[ttls]     TLS_accept: SSLv3 flush data
[ttls]     (other): SSL negotiation finished successfully
SSL Connection Established
[ttls] eaptls_process returned 13
++[eap] returns handled
Sending Access-Challenge of id 208 to port 41898
        EAP-Message =
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd7901eac97c148a4b2cea7aabcc02f2
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 41898,
id=209, length=96
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        State = 0xcd7901eac97c148a4b2cea7aabcc02f2
        EAP-Message = 0x020500061500
        Message-Authenticator = 0x5bee6ebbb1f0dfb633b2c47db5deb0af
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 6
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] Received TLS ACK
[ttls] ACK handshake is finished
[ttls] eaptls_verify returned 3
[ttls] eaptls_process returned 3
++[eap] returns handled
Sending Access-Challenge of id 209 to port 41898
        EAP-Message = 0x0106000a158000000000
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcd7901eac87f148a4b2cea7aabcc02f2
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host port 41898,
id=210, length=250
        NAS-Port = 100
        NAS-IP-Address =
        User-Name = "anonym...@unipd.it"
        State = 0xcd7901eac87f148a4b2cea7aabcc02f2
        EAP-Message =
        Message-Authenticator = 0x60c9bcb9cdef0bee42e5b4ccec949aed
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "unipd.it" for User-Name = "anonym...@unipd.it"
[suffix] No such realm "unipd.it"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 160
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/ttls
[eap] processing type ttls
[ttls] Authenticate
[ttls] processing EAP-TLS
[ttls] eaptls_verify returned 7
[ttls] Done initial handshake
[ttls] eaptls_process returned 7
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "test.u...@studenti.unipd.it"
        User-Password = "XXX"
        FreeRADIUS-Proxied-To =
[ttls] Sending tunneled request
        User-Name = "test.u...@studenti.unipd.it"
        User-Password = "XXX"
        FreeRADIUS-Proxied-To =
server inner-tunnel {
+- entering group authorize {...}
++[chap] returns noop
++[mschap] returns noop
++[unix] returns notfound
[suffix] Looking up realm "studenti.unipd.it" for User-Name =
[suffix] No such realm "studenti.unipd.it"
++[suffix] returns noop
++[control] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[ldap] performing user authorization for test.u...@studenti.unipd.it
[ldap]  expand: %{Stripped-User-Name} ->
[ldap]  expand: %{User-Name} -> test.u...@studenti.unipd.it
[ldap]  expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) ->
[ldap]  expand: dc=unipd,dc=it -> dc=unipd,dc=it
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to mytestingdirectory.it:389, authentication 0
rlm_ldap: bind as
to mytestingdirectory.it:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=unipd,dc=it, with filter
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure
that the user is configured correctly?
[ldap] Setting Auth-Type = LDAP
[ldap] user test.u...@studenti.unipd.it authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
[ldap] login attempt by "test.u...@studenti.unipd.it" with password "XXX"
[ldap] user DN: uid=test.u...@studenti.unipd.it,ou=students,dc=unipd,dc=it
rlm_ldap: (re)connect to mytestingdirectory.it:389, authentication 1
rlm_ldap: bind as
uid=test.u...@studenti.unipd.it,ou=students,dc=unipd,dc=it/XXX to
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
[ldap] user test.u...@studenti.unipd.it authenticated succesfully
++[ldap] returns ok
  WARNING: Empty section.  Using default return values.
} # server inner-tunnel
[ttls] Got tunneled reply code 2
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 210 to port 41898
        MS-MPPE-Recv-Key =
        MS-MPPE-Send-Key =
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "anonym...@unipd.it"
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 204 with timestamp +12
Cleaning up request 1 ID 205 with timestamp +12
Cleaning up request 2 ID 206 with timestamp +12
Cleaning up request 3 ID 207 with timestamp +12
Cleaning up request 4 ID 208 with timestamp +12
Cleaning up request 5 ID 209 with timestamp +12
Cleaning up request 6 ID 210 with timestamp +12
Ready to process requests.
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
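The debug output above already contains the answer to the question in the post: inside the TTLS tunnel the inner-tunnel virtual server receives a plain `User-Password` (EAP-TTLS/PAP carries the PAP password through the TLS tunnel), so `Auth-Type = LDAP` can bind to the directory as the user even though rlm_ldap could not read a "known good" password from LDAP. The warning in the config comment applies to EAP methods that never yield a plain-text password to the module (the outer EAP exchange itself, or a tunneled MS-CHAP/EAP-MSCHAPv2 inner method). The following script is an added example, not part of the post or of FreeRADIUS: it walks a `radiusd -X` transcript in the 2.x format seen above and reports whether a plain-text password reached the inner tunnel, which `Auth-Type` the inner server chose, and whether the authenticate-phase LDAP bind succeeded. The two transcripts embedded in it are constructed excerpts with placeholder names and addresses, modelled on the structure of the real output, and the `Sending Access-Reject` line in the second is likewise constructed. Note that `-X` output prints the tunneled password in the clear (the poster masked it as `XXX`), so such transcripts should be redacted before they are shared.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of a FreeRADIUS 2.x `radiusd -X` run for EAP-TTLS/PAP with
# an LDAP bind in the inner tunnel. Names, addresses and ids are placeholders.
SAMPLE_TTLS_PAP = """\
rad_recv: Access-Request packet from host 192.0.2.10 port 41898, id=210, length=250
        User-Name = "anonymous@example.org"
+- entering group authorize {...}
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[ttls] Session established.  Proceeding to decode tunneled attributes.
[ttls] Got tunneled request
        User-Name = "alice@example.org"
        User-Password = "XXX"
        FreeRADIUS-Proxied-To = 127.0.0.1
server inner-tunnel {
+- entering group authorize {...}
rlm_ldap: Bind was successful
WARNING: No "known good" password was found in LDAP.  Are you sure
[ldap] Setting Auth-Type = LDAP
++[ldap] returns ok
++[pap] returns noop
Found Auth-Type = LDAP
+- entering group LDAP {...}
rlm_ldap: Bind was successful
++[ldap] returns ok
} # server inner-tunnel
[ttls] Got tunneled Access-Accept
Sending Access-Accept of id 210 to 192.0.2.10 port 41898
"""

# Constructed excerpt of a tunneled MS-CHAP inner method: no plain-text password
# is available, so an LDAP bind cannot be used and the config comment applies.
SAMPLE_TTLS_MSCHAP = """\
[ttls] Got tunneled request
        User-Name = "bob@example.org"
        MS-CHAP-Challenge = 0x0102
server inner-tunnel {
Found Auth-Type = MS-CHAP
} # server inner-tunnel
Sending Access-Reject of id 211 to 192.0.2.10 port 41898
"""


@dataclass
class InnerTunnelReport:
    tunneled_user: Optional[str] = None
    plaintext_password_in_tunnel: bool = False
    known_good_password_found: bool = True
    inner_auth_type: Optional[str] = None
    ldap_bind_ok: bool = False          # bind as the user in the authenticate phase
    outer_result: Optional[str] = None  # Access-Accept / Access-Reject sent to the NAS


# Attribute lines are indented "Name = value" pairs; the value may be quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
SEND_RE = re.compile(r"^Sending (Access-\w+) of id")


def analyze(debug_text: str) -> InnerTunnelReport:
    """Summarise what happened inside `server inner-tunnel { ... }`."""
    rep = InnerTunnelReport()
    in_tunneled_request = False
    in_inner = False
    for line in debug_text.splitlines():
        if line.startswith("[ttls] Got tunneled request"):
            in_tunneled_request = True
            continue
        if in_tunneled_request:
            m = ATTR_RE.match(line)
            if m:
                name, value = m.groups()
                if name == "User-Name":
                    rep.tunneled_user = value
                elif name == "User-Password":
                    rep.plaintext_password_in_tunnel = True
                continue
            in_tunneled_request = False  # first non-attribute line ends the block
        if line.startswith("server inner-tunnel {"):
            in_inner = True
            continue
        if line.startswith("} # server inner-tunnel"):
            in_inner = False
            continue
        if in_inner:
            if 'No "known good" password was found' in line:
                rep.known_good_password_found = False
            m = AUTH_TYPE_RE.match(line)
            if m:
                rep.inner_auth_type = m.group(1)
            # Only a bind after Auth-Type was chosen is the user bind; the earlier
            # one in authorize is the search bind with the configured identity.
            if "Bind was successful" in line and rep.inner_auth_type == "LDAP":
                rep.ldap_bind_ok = True
        m = SEND_RE.match(line)
        if m:
            rep.outer_result = m.group(1)
    return rep


def verdict(rep: InnerTunnelReport) -> str:
    """Explain whether the inner-tunnel comment about EAP applies to this run."""
    if not rep.plaintext_password_in_tunnel:
        return ("no plaintext User-Password inside the tunnel: Auth-Type LDAP (bind) "
                "cannot work for this inner method; the inner-tunnel comment applies")
    if rep.inner_auth_type == "LDAP" and rep.ldap_bind_ok:
        detail = ("" if rep.known_good_password_found else
                  " (rlm_ldap could not read a known-good password, so rlm_pap "
                  "never compared the hash; the bind did the work)")
        return ("EAP-TTLS/PAP supplied a plaintext password in the tunnel and the "
                f"inner server bound to LDAP as {rep.tunneled_user}{detail}")
    return "plaintext password present, but inner authentication did not use an LDAP bind"


if __name__ == "__main__":
    for sample in (SAMPLE_TTLS_PAP, SAMPLE_TTLS_MSCHAP):
        r = analyze(sample)
        print(f"{r.outer_result}: {verdict(r)}")
```

To use it on a real run, save the `radiusd -X` output to a file and pass its contents to `analyze()`. The parser keys on the `server inner-tunnel { ... } # server inner-tunnel` markers and on `Found Auth-Type`, which is why the first `Bind was successful` (the search bind performed during authorize, before an Auth-Type exists) is not counted as a user authentication.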
