Hi,

OK, I read all of the debug output, and I think I understand the mechanism. However, could you confirm (or not) what I understand?

In the case of an EAP/TTLS connection:

- FreeRADIUS gets a request with a particular attribute: EAP-Message
- Entering the authorize section, only the EAP module matches because of the EAP attribute => Auth-Type is set to EAP
- Entering the authenticate section, FreeRADIUS sends a challenge to the client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new Message-Authenticator
- Entering the authorize section, EAP matches
- Entering the authenticate section, EAP matches (Auth-Type = EAP). FreeRADIUS sends a response to the client (negotiating?)

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new Message-Authenticator
- Entering the authorize section, EAP matches, tunnel setup is set
- Entering the authenticate section, EAP matches (Auth-Type = EAP). TTLS type found, beginning with TLS. SSL working, sending response to client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section, EAP matches (Auth-Type = EAP). Negotiating SSL, sending response to client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section, EAP matches (Auth-Type = EAP). SSL tunnel negotiated, sending response to client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section, EAP matches (Auth-Type = EAP). SSL tunnel negotiated, session established, sending response to client

- Client answers

- FreeRADIUS gets a new request with the attributes EAP-Message, State and a new Message-Authenticator
- Entering the authorize section, EAP matches, tunnel continues
- Entering the authenticate section, EAP matches (Auth-Type = EAP). Session established, entering the inner-tunnel section. At this point there are no more EAP request/send round-trips, only a new authorize/authenticate pass inside the tunnel.
- Entering the inner-tunnel authorize section, LDAP matches
- Entering the LDAP section: bind successful, login is authenticated

- Access-Accept is sent to the client


If I'm right, I have some questions:
- In the first step of the connection, what exactly is the job of the authorize section? Does it only set Auth-Type when it finds some "clue" in the request?
- When the connection is in the tunnel step, a "reduced" request is sent (without the EAP attributes). This request is checked by the inner-tunnel authorize section, which sets the Auth-Type, right? Here the Auth-Type found is LDAP.
If I follow the entire log, I can see:
    - entering authorize
    - finding LDAP Auth
    - entering the LDAP section, and then bind...
But I can't see it entering the authenticate section, as we can see in the first step with EAP.
It's quite hard to explain, but:
* Outside the tunnel: request -> authorize section -> found type EAP -> authenticate section -> EAP working
* Inside the tunnel: request -> authorize section -> found type LDAP -> LDAP working

Why is there an "authenticate section" for EAP and a direct use of the LDAP section for LDAP?


--
Emmanuel BILLOT
CATEL - Systems and Networks Dept.
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tel: 02 38 79 45 57

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

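As an added example (not part of the original post, and not the configuration shipped by the FreeRADIUS project), here is a minimal FreeRADIUS 2.x/3.x-style configuration that produces the two-stage flow the post describes: the outer virtual server only recognises the EAP-Message attribute and hands the request to the `eap` module, the `eap` module drives the TLS handshake round-trips from the `Auth-Type EAP` block of authenticate, and once the tunnel is up it re-injects the decrypted inner request into the `inner-tunnel` virtual server, where `ldap` is consulted in authorize and the bind happens in the `Auth-Type LDAP` block of authenticate. Certificate paths, the `inner-tunnel` name and the use of `ttls` as the default EAP type are assumptions for the example; the explicit `update control { Auth-Type := LDAP }` is added so that the Auth-Type selection is visible in the config rather than relying on what `rlm_ldap` sets on its own.

```unlang
# eap module configuration (raddb/eap.conf in 2.x, mods-available/eap in 3.x).
# Certificate paths below are placeholders (assumption).
eap {
    default_eap_type = ttls
    tls {
        certificate_file = ${certdir}/server.pem
        private_key_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        # Decrypted inner requests are handed to this virtual server;
        # the name is an assumption, it must match the "server" block below.
        virtual_server = "inner-tunnel"
    }
}

# Outer virtual server. The NAS only ever sends EAP-Message + State here;
# User-Name is the outer (often anonymous) identity. In 2.x the default site
# has no enclosing "server" block; the wrapper is shown for clarity.
server default {
    authorize {
        preprocess
        # On an EAP-Message the eap module returns "updated" and sets
        # Auth-Type = EAP; "ok = return" stops authorize right there, so
        # ldap is never consulted on the still-encrypted outer request.
        eap {
            ok = return
        }
        files
    }
    authenticate {
        # Every TLS handshake round-trip (the Access-Challenge loop in the
        # post) runs inside this block until the tunnel is established.
        Auth-Type EAP {
            eap
        }
    }
}

# Inner virtual server. It sees the decrypted request: User-Name and
# User-Password (TTLS/PAP) but no EAP-Message, no State.
server inner-tunnel {
    authorize {
        # ldap in authorize looks the user up and may add check/reply
        # attributes; it does not authenticate here.
        ldap
        # Make the Auth-Type choice explicit: if the user exists in the
        # directory, authenticate by binding as that user.
        if (ok || updated) {
            update control {
                Auth-Type := LDAP
            }
        }
        if (!control:Auth-Type) {
            reject
        }
    }
    authenticate {
        # This is the "LDAP section" of the post: rlm_ldap binds to the
        # directory as the user's DN with the inner User-Password.
        Auth-Type LDAP {
            ldap
        }
    }
}
```

With `radiusd -X`, the inner request is logged after the line `server inner-tunnel {`, and the bind is logged from inside the `Auth-Type LDAP` block of that server's authenticate section; the inner Access-Accept is then consumed by the `eap` module, which builds the outer Access-Accept (with the MPPE keys) that the NAS actually receives.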