1.1.4 - TTLS - missing attributes (FreeRADIUS Users forum, Networking and Network Related category)
Hi list!
Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows Vista clients. That works fine, but now I have problems with missing reply attributes for Mac OS X clients using EAP-TTLS. FreeRADIUS sends an Access-Challenge with the correct attributes, but they are missing from the final Access-Accept. If I use the eapol_test client it works fine.

I used the freeradius.spec file for SUSE to build the server. The file is for 1.1.3; I simply changed the version number to 1.1.4.

Here is the debug output from OS X.

--------------
modcall: leaving group post-auth (returns ok) for request 5
  TTLS: Got tunneled reply RADIUS code 2
    User-Name = "XXXXXXX"
    Tunnel-Private-Group-Id:0 = "315"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    MS-CHAP2-Success = 0xe953 3d34313632353645463239384442354536433344363845364130414132374337423333373433324531
    MS-MPPE-Recv-Key = 0x2f1c2a0924281f7543ac01a62e5d4959
    MS-MPPE-Send-Key = 0x54b7f78adaa581dcbe24933210de2944
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
  TTLS: Got tunneled Access-Accept
  TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge.
  modcall[authenticate]: module "eap" returns handled for request 5
modcall: leaving group authenticate (returns handled) for request 5
Sending Access-Challenge of id 57 to 172.20.16.14 port 1645
    User-Name = "XXXXXXX"
    Tunnel-Private-Group-Id:0 = "315"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    MS-MPPE-Recv-Key = 0x2f1c2a0924281f7543ac01a62e5d4959
    MS-MPPE-Send-Key = 0x54b7f78adaa581dcbe24933210de2944
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
    EAP-Message = 0x0140005f15800000005517030100501cc3ec5991b8db1c9fa0b2a8738e13a3adafa3d12aad4719582298263fd36dd9e40a95a7b92783655681e701373871336737a7ea70a9a07ea8a015dc51b734e3700b71dc22b33bc6686f23efc7bfeba8
    Message-Authenticator = 0x00000000000000000000000000000000
    State = 0xd1d25d75fcc645729434631403c3dd5a
Finished request 5
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.20.16.14:1645, id=58, length=142
    NAS-IP-Address = 172.20.16.14
    NAS-Port = 50632
    NAS-Port-Type = Ethernet
    User-Name = "XXXXXXX"
    Called-Station-Id = "00-03-6B-BE-25-8F"
    Calling-Station-Id = "00-14-51-2E-6C-50"
    Service-Type = Framed-User
    Framed-MTU = 1500
    State = 0xd1d25d75fcc645729434631403c3dd5a
    EAP-Message = 0x024000061500
    Message-Authenticator = 0x2d5e6aadce0ad3a0eb864bc26e9271f9
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 6
  modcall[authorize]: module "preprocess" returns ok for request 6
    rlm_realm: No '@' in User-Name = "XXXXXXX", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 6
  rlm_eap: EAP packet type response id 64 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 6
  modcall[authorize]: module "mschap" returns noop for request 6
  modcall[authorize]: module "files" returns notfound for request 6
modcall: leaving group authorize (returns updated) for request 6
  rad_check_password: Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 6
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/ttls
  rlm_eap: processing type ttls
  rlm_eap_ttls: Authenticate
  rlm_eap_tls: processing TLS
  rlm_eap_tls: Received EAP-TLS ACK message
  rlm_eap_tls: ack handshake is finished
  eaptls_verify returned 3
  eaptls_process returned 3
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 6
modcall: leaving group authenticate (returns ok) for request 6
Login OK: [XXXXXXX/<no User-Password attribute>] (from client SITEALAN port 50632 cli 00-14-51-2E-6C-50)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 6
  modcall[post-auth]: module "LDAP1LAN" returns noop for request 6
  modcall[post-auth]: module "LDAP2LAN" returns noop for request 6
  modcall[post-auth]: module "LDAP1AIR" returns noop for request 6
  modcall[post-auth]: module "LDAP2AIR" returns noop for request 6
  modcall[post-auth]: module "LDAP1VPN" returns noop for request 6
  modcall[post-auth]: module "LDAP2VPN" returns noop for request 6
modcall: leaving group post-auth (returns noop) for request 6
Sending Access-Accept of id 58 to 172.20.16.14 port 1645
    MS-MPPE-Recv-Key = 0x3e5ac1123d8312388fd89060503bbc0111586573e9b05e0166f4b738ef11db5a
    MS-MPPE-Send-Key = 0x68dce1376add4161d31704257ac1d5d9e891b1905e62064647c2216b53454986
    EAP-Message = 0x03400004
    Message-Authenticator = 0x00000000000000000000000000000000
    User-Name = "XXXXXXX"
Finished request 6
-----------------------

Here is the debug output from eapol_test.

--------------
modcall: leaving group post-auth (returns ok) for request 5
  TTLS: Got tunneled reply RADIUS code 2
    User-Name = "XXXXXXX"
    Tunnel-Private-Group-Id:0 = "328"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    MS-CHAP-MPPE-Keys = 0x79b109dec67d52c6b969bc2f0b8a40a4f2df16f387f6ee980000000000000000
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
  TTLS: Got tunneled Access-Accept
  rlm_eap: Freeing handler
  modcall[authenticate]: module "eap" returns ok for request 5
modcall: leaving group authenticate (returns ok) for request 5
Login OK: [anon/<no User-Password attribute>] (from client localhost port 0 cli 00-00-00-00-00-02)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 5
  modcall[post-auth]: module "LDAP1LAN" returns noop for request 5
  modcall[post-auth]: module "LDAP2LAN" returns noop for request 5
  modcall[post-auth]: module "LDAP1AIR" returns noop for request 5
  modcall[post-auth]: module "LDAP2AIR" returns noop for request 5
  modcall[post-auth]: module "LDAP1VPN" returns noop for request 5
  modcall[post-auth]: module "LDAP2VPN" returns noop for request 5
modcall: leaving group post-auth (returns noop) for request 5
Sending Access-Accept of id 5 to 127.0.0.1 port 32777
    User-Name = "XXXXXXX"
    Tunnel-Private-Group-Id:0 = "328"
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Type:0 = VLAN
    MS-CHAP-MPPE-Keys = 0x79b109dec67d52c6b969bc2f0b8a40a4f2df16f387f6ee980000000000000000
    MS-MPPE-Encryption-Policy = 0x00000001
    MS-MPPE-Encryption-Types = 0x00000006
    MS-MPPE-Recv-Key = 0xa74558be21dd80fe6f406921c6e2aa367e840ac12405c4ab86adf7fa48c4effa
    MS-MPPE-Send-Key = 0x9901fdcc0f86e0091f1a16795ff2a480b99d28b46094b557cae32f81bb4b16e2
    EAP-Message = 0x03050004
    Message-Authenticator = 0x00000000000000000000000000000000
Finished request 5
-------------------

/etc/raddb/eap.conf
--------------
eap {
    default_eap_type = peap
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    tls {
        private_key_password = ***************
        private_key_file = ${raddbdir}/certs/server_key.pem
        certificate_file = ${raddbdir}/certs/server_cert.pem
        CA_file = ${raddbdir}/certs/rootcert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
    }
    ttls {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
        copy_request_to_tunnel = yes
    }
    mschapv2 {
    }
    peap {
        default_eap_type = mschapv2
        use_tunneled_reply = yes
        copy_request_to_tunnel = yes
    }
    mschapv2 {
    }
}
--------------

/etc/raddb/users
--------------
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
    User-Name = "%{User-Name}",
    Fall-Through = Yes

DEFAULT Huntgroup-name == "LAN", FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := LAN

DEFAULT Huntgroup-name == "AIR", FreeRADIUS-Proxied-To == 127.0.0.1, Autz-Type := AIR

DEFAULT Huntgroup-Name == "VPN", Autz-Type := VPN, Auth-Type := Local
--------------

regards/mvh
Bjarni Hardarson

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
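Because the Tunnel-* attributes are present in the inner TTLS reply and the Access-Challenge but absent from the outer Access-Accept, the quickest way to see exactly what was lost is to diff the two blocks of the trace. The script below is an added example (not FreeRADIUS code and not from the poster): it parses radiusd -X style output, here a constructed excerpt modelled on the OS X trace with shortened hex values, and lists the inner-reply attributes that never reached the outer Access-Accept.

```python
import re

# Attribute lines in radiusd -X output are indented, e.g. '\tUser-Name = "bob"'.
ATTR_RE = re.compile(r'^\s+([\w-]+(?::\d+)?)\s*=\s*(.+?)\s*$')

def parse_debug(text):
    """Return (tunneled_attrs, accept_attrs) as name -> value dicts."""
    found = {"tunneled": {}, "accept": {}}
    current = None
    for line in text.splitlines():
        if "TTLS: Got tunneled reply" in line:
            current = "tunneled"        # inner reply decoded from the TLS tunnel
        elif line.lstrip().startswith("Sending Access-Accept"):
            current = "accept"          # outer reply actually sent to the NAS
        elif current is not None:
            m = ATTR_RE.match(line)
            if m:
                found[current][m.group(1)] = m.group(2)
            else:
                current = None          # first non-attribute line ends the block
    return found["tunneled"], found["accept"]

# Regenerated for the outer packet, so their absence from the inner set is expected.
REGENERATED = {"MS-CHAP2-Success", "MS-MPPE-Recv-Key", "MS-MPPE-Send-Key"}

def dropped_reply_attrs(text):
    """Names present in the tunneled reply but missing from the Access-Accept."""
    tunneled, accept = parse_debug(text)
    return sorted(a for a in tunneled if a not in accept and a not in REGENERATED)

# Constructed excerpt modelled on the Mac OS X trace above (hex values shortened).
SAMPLE_OSX = """\
  TTLS: Got tunneled reply RADIUS code 2
\tUser-Name = "XXXXXXX"
\tTunnel-Private-Group-Id:0 = "315"
\tTunnel-Medium-Type:0 = IEEE-802
\tTunnel-Type:0 = VLAN
\tMS-CHAP2-Success = 0xe953
\tMS-MPPE-Recv-Key = 0x2f1c
\tMS-MPPE-Send-Key = 0x54b7
  TTLS: Got tunneled Access-Accept
Sending Access-Accept of id 58 to 172.20.16.14 port 1645
\tMS-MPPE-Recv-Key = 0x3e5a
\tMS-MPPE-Send-Key = 0x68dc
\tEAP-Message = 0x03400004
\tUser-Name = "XXXXXXX"
Finished request 6
"""
```

Run it with `print(dropped_reply_attrs(SAMPLE_OSX))`, or feed it a full `radiusd -X` capture. A missing Tunnel-Private-Group-Id is the one to alert on: without it the switch never receives the VLAN assignment and the port stays on its default VLAN.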