Re: how to set eap/ttls tunnel with auth-type pap work

2008-07-23 Thread Ivan Kalik
>rlm_pap: No clear-text password in the request.  Not performing PAP.
>++[pap] returns noop
>auth: No User-Password or CHAP-Password attribute in the request
>auth: Failed to validate the user.

Are you sure your supplicant is set to use PAP inside TTLS? You have
disabled chap and mschap on the server so we can't see what the
supplicant is sending - it doesn't seem to be pap.

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
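The point above (the outer RADIUS packets only carry EAP-TTLS; the inner PAP
password is invisible to the server until the TLS tunnel is up) can be seen
by decoding the EAP-Message values that radiusd -X prints. The following is an
added example, not code from this thread or from the FreeRADIUS project. The
packets in it are constructed: the Response/Identity for "andyan" is built
from the code/id/length the trace reports (the hex string in the mail as
printed does not parse as a valid EAP header), the TTLS start request is the
same 0x010100061520 value shown in the Access-Challenge, and the two TTLS
responses carry stub TLS records rather than the real ClientHello.

```python
"""Decode EAP-Message values of the kind FreeRADIUS prints in a debug trace.

Added example; the packet bytes below are constructed, not taken from the
original log.
"""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}
TLS_CONTENT = {0x14: "change_cipher_spec", 0x15: "alert",
               0x16: "handshake", 0x17: "application_data"}


def decode_eap(raw: bytes) -> dict:
    """Parse one EAP packet: RFC 3748 header and Type byte, plus the
    Flags byte and optional TLS Message Length of the TLS-based types."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} does not match {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (3, 4):
        return pkt                      # Success/Failure carry no Type or data
    if length < 5:
        raise ValueError("Request/Response without a Type byte")
    eap_type = raw[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
    data = raw[5:]
    if eap_type == 1:
        pkt["identity"] = data.decode("utf-8", errors="replace")
    elif eap_type in (13, 21, 25):
        if not data:
            raise ValueError("TLS-based EAP packet without a Flags byte")
        flags = data[0]
        pkt["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        body = data[1:]
        if flags & 0x80:
            if len(body) < 4:
                raise ValueError("L flag set but TLS Message Length is missing")
            pkt["tls_message_length"] = struct.unpack("!I", body[:4])[0]
            body = body[4:]
        pkt["tls_fragment"] = body
        if len(body) >= 5:
            # Only the TLS record type is visible from outside the tunnel; an
            # inner PAP User-Password travels as application_data, so the
            # outer authorize section never sees a clear-text password.
            pkt["tls_record"] = TLS_CONTENT.get(body[0], f"unknown({body[0]:#x})")
    return pkt


def decode_hex(text: str) -> dict:
    """Decode a value as printed by radiusd -X ('0x...'); errors are returned,
    not raised, so a whole trace can be walked without stopping."""
    try:
        return decode_eap(bytes.fromhex(text[2:] if text.startswith("0x") else text))
    except ValueError as exc:
        return {"error": str(exc)}


def tunnel_phase(pkt: dict) -> str:
    """Classify where in an EAP-TTLS conversation a decoded packet sits."""
    if pkt.get("type") == "Identity":
        return "outer identity (clear text)"
    if pkt.get("type") in ("TLS", "TTLS", "PEAP"):
        if pkt["flags"]["S"]:
            return "tunnel start"
        if pkt.get("tls_record") == "application_data":
            return "inside tunnel (inner method hidden)"
        return "TLS handshake"
    return pkt["code"].lower()


# Constructed packets (not the bytes from the original trace):
# EAP Response/Identity "andyan": code 2, id 0, length 11, type 1.
IDENTITY_RESPONSE = bytes.fromhex("0200000b01616e6479616e")
# EAP-Request/TTLS with only the Start flag, as in the Access-Challenge.
TTLS_START = bytes.fromhex("010100061520")
# EAP-Response/TTLS, L flag set, carrying a stub TLS handshake record.
TTLS_HANDSHAKE = bytes.fromhex("0201001415" "80" "0000000a" "1603010005" "0100000100")
# EAP-Response/TTLS carrying an application_data record (encrypted inner PAP).
TTLS_APPDATA = bytes.fromhex("0202001715" "80" "0000000d" "1703010008" "deadbeefcafef00d")

if __name__ == "__main__":
    for raw in (IDENTITY_RESPONSE, TTLS_START, TTLS_HANDSHAKE, TTLS_APPDATA):
        pkt = decode_eap(raw)
        print(f"{raw.hex():<50} {pkt['code']:<8} id={pkt['id']} -> {tunnel_phase(pkt)}")
    print(decode_hex("0x020b01616e6479616e"))  # the mail's Identity value as printed
```

Walking a trace with decode_hex over every EAP-Message line shows the outer
conversation going Identity, TTLS start, handshake, application_data; the
inner PAP attributes only appear in the tunneled request that FreeRADIUS
builds after the handshake, which is why rlm_pap in the outer authorize
section reports no clear-text password.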


how to set eap/ttls tunnel with auth-type pap work

2008-07-22 Thread Andy An

Hi Alan/Ivan:
As I configured my freeradius server 2.0.5 for our realm .ca with 
Ivan's guides, it works well by local test or NTRadPing (from WinXP), 
which did not use any eap stuff.
But as I tested by a Netgear AP, which needs to use an eap/ttls tunnel and 
pap inside the tunnel, it failed with the message "rlm_pap: No 
clear-text password in the request.  Not performing PAP. ++[pap] returns 
noop auth: No User-Password or CHAP-Password attribute in the request  
auth: Failed to validate the user." (no matter if my username is 
with/without realm). Before I created realm .ca in the proxy.conf file, 
both types of tests (i.e. with/without eap/ttls tunnel) worked fine.

Enclosed here is the debugging output message:
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=52, 
length=153

  User-Name = "andyan"
  NAS-IP-Address = 10.10.10.29
  NAS-Port = 2
  Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
  Calling-Station-Id = "00-17-F2-52-8A-C7"
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  Connect-Info = "CONNECT 54Mbps 802.11g"
  EAP-Message = 0x020b01616e6479616e
  Message-Authenticator = 0x9b0622cd28c0ca07a2894252266d9582
+- entering group authorize
  expand: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722

  expand: %t -> Tue Jul 22 17:29:18 2008
++[auth_log] returns ok
  rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
  rlm_realm: Found realm "NULL"
  rlm_realm: Adding Stripped-User-Name = "andyan"
  rlm_realm: Adding Realm = "NULL"
  rlm_realm: Authentication realm is LOCAL.
++[suffix] returns ok
rlm_eap: EAP packet type response id 0 length 11
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
rlm_ldap: - authorize
rlm_ldap: performing user authorization for andyan
WARNING: Deprecated conditional expansion ":-".  See "man unlang" for 
details

  expand: (uid=%{Stripped-User-Name:-%{User-Name}}) -> (uid=andyan)
  expand: ou=People,dc=eciad,dc=ca -> ou=People,dc=eciad,dc=ca
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.eciad.ca:389, authentication 0
rlm_ldap: bind as cn=radius,ou=Applications,dc=eciad,dc=ca/#password to 
ldap1.eciad.ca:389

rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=People,dc=eciad,dc=ca, with filter 
(uid=andyan)

rlm_ldap: Added User-Password = {crypt}24234234fsdgfs2342 in check items
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user andyan authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
rlm_eap: EAP Identity
rlm_eap: processing type tls
rlm_eap_tls: Initiate
rlm_eap_tls: Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 52 to 10.10.10.29 port 1265
  EAP-Message = 0x010100061520
  Message-Authenticator = 0x
  State = 0x4c8576424c846361777cb0ac160f1e24
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.10.10.29 port 1265, id=53, 
length=272

  User-Name = "andyan"
  NAS-IP-Address = 10.10.10.29
  NAS-Port = 2
  Called-Station-Id = "00-14-6C-CC-93-E8:eduroam"
  Calling-Station-Id = "00-17-F2-52-8A-C7"
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-802.11
  Connect-Info = "CONNECT 54Mbps 802.11g"
  EAP-Message = 
0x02010070158000661603010061015d030148867b68f229dc3370728c32f16cc8eba5dace189d85f03d39f18438ab70dbde36002f000500040035000a000900030008000600320033003800390016001500140013001200110034003a0018001b001a0017001900010100 


  State = 0x4c8576424c846361777cb0ac160f1e24
  Message-Authenticator = 0x5d147b305a321b03b57beb1712544955
+- entering group authorize
  expand: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
-> /usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722
rlm_detail: 
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d 
expands to 
/usr/local/var/log/radius/radacct/10.10.10.29/auth-detail-20080722

  expand: %t -> Tue Jul 22 17:29:18 2008
++[auth_log] returns ok
  rlm_realm: No '@' in User-Name = "andyan", looking up realm NULL
  rlm_realm: Found realm "NULL"
  rlm_realm: Adding Stripped-User-Name = "andyan"
  rlm_realm: Adding Realm = "NULL"
  rl