stefan.pae...@diamond.ac.uk wrote:
> However, when you go to the bottom of the output, where the request for user
> 'steve' (who is a valid user, and for whom a correct password was supplied)
> is sent, the request fails. The session for 'steve' is partial and stops
> prematurely, which leads me to believe that the EAP-TTLS client (the JRadius
> EAPTTLSAuthenticator bean) is not complying with the RFC, i.e. restart the
> EAP session, negotiate a fresh tunnel, and then attempt to authenticate the
> valid user 'steve' with the given password.
Except it's not a request for "steve":

User-Name = "steve"
EAP-Message = 0x0200000801626f62

The EAP-Message says that the EAP Identity is for user "bob". The EAP client you're using is broken. Fix that before you try anything else.

> Based on the debug output, it appears that the client simply re-uses the
> existing tunnel, which, according to the RFC and your confirmation, is not
> correct. So thanks for confirming that part of the theory. :-)

Likely, yes.

> To prove that, I've just had a bit more of a play-around with the Java
> webapp, and when we restart it between authentication requests, the correct
> process is followed, i.e. establish an EAP session, negotiate a tunnel,
> attempt authentication, and every session is complete. I'll have a word with
> David over at Coova about the bean in question.

Sounds like a plan.

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
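The check Alan does by eye above, decoding the EAP-Message attribute and comparing the EAP Identity inside it against the outer RADIUS User-Name, as an added example that is not part of the thread and not FreeRADIUS or JRadius code. It follows the EAP header layout from RFC 3748 (Code, Identifier, Length, then Type and Type-Data for Request/Response) and also reassembles an EAP packet that RADIUS has split across several EAP-Message attributes; the function names and the reassembly sample are my own.

```python
"""Decode a RADIUS EAP-Message attribute and compare the EAP Identity to User-Name."""
import struct

EAP_CODE_NAMES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1  # RFC 3748, Identity type


def eap_bytes_from_attrs(values) -> bytes:
    """Concatenate EAP-Message attribute values (each as '0x...' or plain hex) in order.

    A RADIUS packet carries one EAP packet; if it exceeds 253 bytes it is split
    over consecutive EAP-Message attributes, so they must be joined before parsing.
    """
    return b"".join(bytes.fromhex(v[2:] if v.lower().startswith("0x") else v) for v in values)


def decode_eap(packet: bytes) -> dict:
    """Parse one EAP packet header and, for Identity Responses, the identity string."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        # A bad Length usually means the attributes were not reassembled in order.
        raise ValueError(f"EAP Length field {length} != attribute data length {len(packet)}")
    info = {"code": code, "code_name": EAP_CODE_NAMES.get(code, "unknown"),
            "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte and Type-Data
        if length < 5:
            raise ValueError("EAP Request/Response without Type byte")
        info["type"] = packet[4]
        info["type_data"] = packet[5:]
        if packet[4] == EAP_TYPE_IDENTITY:
            info["identity"] = packet[5:].decode("utf-8", errors="replace")
    return info


def check_identity(user_name: str, eap_message_attrs) -> dict:
    """Return the decoded EAP Identity and whether it matches the outer User-Name."""
    eap = decode_eap(eap_bytes_from_attrs(eap_message_attrs))
    identity = eap.get("identity")
    return {"user_name": user_name, "eap_identity": identity,
            "match": identity is not None and identity == user_name, "eap": eap}


if __name__ == "__main__":
    # The attribute pair from the debug output in the thread.
    result = check_identity("steve", ["0x0200000801626f62"])
    print(f"User-Name={result['user_name']!r} EAP Identity={result['eap_identity']!r} "
          f"match={result['match']}")
```

Running it on the pair from the thread reports the EAP Identity as "bob" against a User-Name of "steve", which is exactly the mismatch that shows the client is reusing the old EAP identity instead of starting a fresh session. The outer User-Name is only a hint for routing and logging; the inner EAP Identity is what the EAP state machine authenticates, so this comparison is a useful first sanity check whenever a debug log shows a "wrong" user failing.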