Date: Thu, 31 Jan 2008 14:47:04 -0500
From: William Bulley <web@umich.edu>
To: Freebsd Questions <freebsd-questions@freebsd.org>
Subject: WPA and EAP-TTLS oddity
Message-ID: <20080131194704.GA19131@dell1>
I swear this has worked for me in the past!  Scenario:
     +-----------------------------------+
     | ThinkPad T42 with D-Link DWL-G660 |
     | (ath0) on FreeBSD 6.2-STABLE      |
     | running wpa_supplicant 0.4.8      |
     +-----------------------------------+
                      ^
           802.1X     |    EAP-TTLS
                      v
   +---------------------------------------+
   | Cisco 1131AG 802.11a/b/g AP  IOS 12.4 |
   +---------------------------------------+
                      ^
          EAP-TTLS    |    RADIUS
                      v
     +-----------------------------------+
     | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |
     +-----------------------------------+
The configs are at the end of this message.  It almost
works, but the behaviour changes depending on the case
(uppercase/lowercase) of the "phase2" value!
In both cases below ("auth=PAP" and "auth=pap") the EAP-TTLS session
has been established.  In one case, I get an ERROR because "PAP" is
unknown.  In the other case ("pap"), FreeRADIUS cannot locate the
cleartext password ("password").  What am I missing?  Is this an
issue with wpa_supplicant(8) itself?  Has anyone gotten EAP-TTLS
to work with simple PAP inside the tunnel?  About two years ago, I
had this working (using PAP inside the tunnel) but it was an early
version of wpa_supplicant(8) and probably FreeBSD 4.x or early 5.x.
 =*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=
ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
network={
    ssid="testing"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous"
    identity="foo"
    password="password"
    phase2="auth=PAP"
}
 =*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=
eap {
    default_eap_type = ttls
    timer_expire     = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = yes
    tls {
        private_key_password = whatever
        private_key_file = ${raddbdir}/certs/cert-srv.pem
        certificate_file = ${raddbdir}/certs/cert-srv.pem
        CA_file = ${raddbdir}/certs/demoCA/cacert.pem
        dh_file = ${raddbdir}/certs/dh
        random_file = ${raddbdir}/certs/random
        fragment_size = 1024
        include_length = yes
        cipher_list = "DEFAULT"
    }
    ttls {
        default_eap_type = md5
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
    }
}
 =*=*=*=*=*=*=*=*= simplified radiusd.conf =*=*=*=*=*=*=*=*=*=*=
[snip] unimportant stuff omitted [/snip]
$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/eap.conf
instantiate {
}
authorize {
    preprocess
    auth_log
    eap
    files
    pap
}
authenticate {
    eap
}
preacct {
    preprocess
    acct_unique
}
accounting {
    detail
}
post-auth {
    reply_log
}
 =*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=PAP" =*=*=*=*=*=*=*=*=*=
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat:  '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d
            expands to /var/log/radacct/127.0.0.1/auth-20080131
  modcall[authorize]: module "auth_log" returns ok for request 5
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 5
    users: Matched entry foo at line 217
  modcall[authorize]: module "files" returns ok for request 5
  modcall[authorize]: module "pap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/password]
                 (from client UNKNOWN-CLIENT port 260 cli 00-xx-xx-xx-xx-xx)
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
 =*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=pap" =*=*=*=*=*=*=*=*=*=
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Got tunneled identity of foo
  TTLS: Setting default EAP type for tunneled EAP session.
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
  modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat:  '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d
            expands to /var/log/radacct/127.0.0.1/auth-20080131
  modcall[authorize]: module "auth_log" returns ok for request 5
  rlm_eap: EAP packet type response id 6 length 8
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module "eap" returns updated for request 5
    users: Matched entry foo at line 217
  modcall[authorize]: module "files" returns ok for request 5
rlm_pap: Found existing Auth-Type, not changing it.
  modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
  rlm_eap: EAP Identity
 rlm_eap: No such EAP type md5
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/<no User-Password attribute>]
                 (from client UNKNOWN-CLIENT port 261 cli 00-xx-xx-xx-xx-xx)
  TTLS: Got tunneled Access-Reject
 rlm_eap: Handler failed in EAP/ttls
  TTLS: Freeing handler for user foo
  rlm_eap: Failed in EAP select
  modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
 =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
This one has me stumped.  :-(
Regards,
web...
--
William Bulley                     Email: web@umich.edu
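A small triage helper, added here and not part of the original post, that reads abridged copies of the two radiusd -X snippets above and reports which failure signature each one shows: "Unknown value specified for Auth-Type" is what FreeRADIUS 1.x prints when the authenticate section has no sub-section for the Auth-Type that was chosen, and "No such EAP type md5" is what rlm_eap prints when the ttls default_eap_type is not enabled in eap.conf. The sample traces are constructed subsets of the post's own output; the regexes assume the 1.1.x debug line formats shown there.

```python
import re

# Constructed, abridged copies of the two "radiusd -X" snippets in the post.
TRACE_PAP = """\
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  modcall[authorize]: module "eap" returns noop for request 5
  modcall[authorize]: module "pap" returns updated for request 5
  rad_check_password:  Found Auth-Type pap
auth: type "PAP"
  ERROR: Unknown value specified for Auth-Type.  Cannot perform requested action.
Login incorrect: [foo/password]
"""
TRACE_EAP = """\
  rlm_eap_ttls: Session established.  Proceeding to decode tunneled attributes.
  TTLS: Setting default EAP type for tunneled EAP session.
  modcall[authorize]: module "eap" returns updated for request 5
  modcall[authorize]: module "pap" returns noop for request 5
  rad_check_password:  Found Auth-Type EAP
 rlm_eap: No such EAP type md5
Login incorrect: [foo/<no User-Password attribute>]
"""

MODCALL = re.compile(r'modcall\[(\w+)\]: module "(\w+)" returns (\w+)')
AUTH_TYPE = re.compile(r'rad_check_password:\s+Found Auth-Type (\S+)')
NO_EAP_TYPE = re.compile(r'rlm_eap: No such EAP type (\S+)')

def parse_trace(text):
    """Extract the facts that decide how the tunnelled request was handled."""
    info = {"modules": {}, "auth_type": None, "missing_eap_type": None,
            # no matching "Auth-Type X { ... }" sub-section in authenticate
            "unknown_auth_type": "Unknown value specified for Auth-Type" in text,
            # the inner request was EAP (identity + default type), not plain PAP
            "inner_eap": "Setting default EAP type for tunneled EAP session" in text}
    for section, module, rc in MODCALL.findall(text):
        info["modules"][(section, module)] = rc
    m = AUTH_TYPE.search(text)
    if m:
        info["auth_type"] = m.group(1).upper()
    m = NO_EAP_TYPE.search(text)
    if m:
        info["missing_eap_type"] = m.group(1)
    return info

def diagnose(text):
    """Map the parsed trace onto the two failure signatures seen in the post."""
    info = parse_trace(text)
    if info["unknown_auth_type"] and info["auth_type"]:
        return (f"inner auth is plain {info['auth_type']}, but authenticate has no "
                f"'Auth-Type {info['auth_type']} {{ ... }}' sub-section")
    if info["inner_eap"] and info["missing_eap_type"]:
        return (f"inner auth fell back to tunnelled EAP; ttls default_eap_type "
                f"'{info['missing_eap_type']}' is not enabled in eap.conf")
    return "no known failure signature"
```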
