From owner-freebsd-questions@FreeBSD.ORG Thu Jan 31 20:12:01 2008
Date: Thu, 31 Jan 2008 14:47:04 -0500
From: William Bulley <web@umich.edu>
To: Freebsd Questions <freebsd-questions@freebsd.org>
Message-ID: <20080131194704.GA19131@dell1>
User-Agent: Mutt/1.4.2.2i
Subject: WPA and EAP-TTLS oddity

I swear this has worked for me in the past!

Scenario:

   +-----------------------------------+
   | ThinkPad T42 with D-Link DWL-G660 |
   | (ath0) on FreeBSD 6.2-STABLE      |
   | running wpa_supplicant 0.4.8      |
   +-----------------------------------+
                    ^
             802.1X | EAP-TTLS
                    v
   +---------------------------------------+
   | Cisco 1131AG 802.11a/b/g AP IOS 12.4  |
   +---------------------------------------+
                    ^
           EAP-TTLS | RADIUS
                    v
   +-----------------------------------+
   | FreeRADIUS 1.1.7_2 on FreeBSD 7.0 |
   +-----------------------------------+

The configs are at the end of this message. It almost works, but the
behaviour changes depending on the case (uppercase/lowercase) of the
"phase2" value! In both cases below ("auth=PAP" and "auth=pap") the
EAP-TTLS session has been established.

In one case, I get an ERROR because "PAP" is unknown. In the other case
("pap"), FreeRADIUS cannot locate the cleartext password ("password").

What am I missing? Is this an issue with wpa_supplicant(8) itself? Has
anyone gotten EAP-TTLS to work with simple PAP inside the tunnel?

About two years ago, I had this working (using PAP inside the tunnel)
but it was an early version of wpa_supplicant(8) and probably FreeBSD
4.x or early 5.x.

=*=*=*=*=*=*=*=*=*= wpa_supplicant.conf =*=*=*=*=*=*=*=*=*=*=*=*=

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0

network={
        ssid="testing"
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonymous"
        identity="foo"
        password="password"
        phase2="auth=PAP"
}

=*=*=*=*=*=*=*=*=*= FreeRADIUS eap.conf =*=*=*=*=*=*=*=*=*=*=*=

eap {
        default_eap_type = ttls
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = yes

        tls {
                private_key_password = whatever
                private_key_file = ${raddbdir}/certs/cert-srv.pem
                certificate_file = ${raddbdir}/certs/cert-srv.pem
                CA_file = ${raddbdir}/certs/demoCA/cacert.pem
                dh_file = ${raddbdir}/certs/dh
                random_file = ${raddbdir}/certs/random
                fragment_size = 1024
                include_length = yes
                cipher_list = "DEFAULT"
        }

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
        }
}

=*=*=*=*=*=*=*=*= simplified radiusd.conf =*=*=*=*=*=*=*=*=*=*=

[snip] unimportant stuff omitted [/snip]

$INCLUDE ${confdir}/clients.conf
$INCLUDE ${confdir}/eap.conf

instantiate {
}

authorize {
        preprocess
        auth_log
        eap
        files
        pap
}

authenticate {
        eap
}

preacct {
        preprocess
        acct_unique
}

accounting {
        detail
}

post-auth {
        reply_log
}

=*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=PAP" =*=*=*=*=*=*=*=*=*=

rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-20080131
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 5
users: Matched entry foo at line 217
modcall[authorize]: module "files" returns ok for request 5
modcall[authorize]: module "pap" returns updated for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type pap
auth: type "PAP"
ERROR: Unknown value specified for Auth-Type. Cannot perform requested action.
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/password] (from client UNKNOWN-CLIENT port 260 cli 00-xx-xx-xx-xx-xx)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.

=*=*=*=*=*=*=*=*= debug output snippet with phase2="auth=pap" =*=*=*=*=*=*=*=*=*=

rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
TTLS: Got tunneled identity of foo
TTLS: Setting default EAP type for tunneled EAP session.
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 5
modcall[authorize]: module "preprocess" returns ok for request 5
radius_xlat: '/var/log/radacct/127.0.0.1/auth-20080131'
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-%Y%m%d expands to /var/log/radacct/127.0.0.1/auth-20080131
modcall[authorize]: module "auth_log" returns ok for request 5
rlm_eap: EAP packet type response id 6 length 8
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module "eap" returns updated for request 5
users: Matched entry foo at line 217
modcall[authorize]: module "files" returns ok for request 5
rlm_pap: Found existing Auth-Type, not changing it.
modcall[authorize]: module "pap" returns noop for request 5
modcall: leaving group authorize (returns updated) for request 5
rad_check_password: Found Auth-Type EAP
auth: type "EAP"
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 5
rlm_eap: EAP Identity
rlm_eap: No such EAP type md5
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.
Trying to look up name of unknown client 127.0.0.1.
Login incorrect: [foo/] (from client UNKNOWN-CLIENT port 261 cli 00-xx-xx-xx-xx-xx)
TTLS: Got tunneled Access-Reject
rlm_eap: Handler failed in EAP/ttls
TTLS: Freeing handler for user foo
rlm_eap: Failed in EAP select
modcall[authenticate]: module "eap" returns invalid for request 5
modcall: leaving group authenticate (returns invalid) for request 5
auth: Failed to validate the user.

=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=

This one has me stumped. :-(

Regards,

web...

--
William Bulley Email: web@umich.edu
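Editor's note, added here; this is not part of William's message nor a reply from the list. The two traces are consistent with the posted configs. With phase2="auth=PAP", the pap module in the authorize section sets Auth-Type = pap, but the posted authenticate section lists only eap, so FreeRADIUS 1.x has no Auth-Type PAP sub-section to dispatch to, which is what "Unknown value specified for Auth-Type" reports. With the lowercase "auth=pap", wpa_supplicant 0.4.x compares the phase2 string case-sensitively, recognises no inner method and falls back to EAP inside the tunnel; the second trace shows exactly that (EAP Identity, then "No such EAP type md5", because the ttls default_eap_type names an md5 type the eap block never configures). The fragments below are editor-written examples, not the poster's files: the authenticate section with the PAP sub-section added, and the network block with a ca_cert line added. The certificate path is a placeholder. ca_cert matters for this particular setup: the posted network block has no ca_cert, so the supplicant accepts any server certificate, and PAP sends the password unencrypted inside whatever TLS tunnel the client has built, so the password is only as protected as the client's check of who terminates that tunnel.

```conf
# --- radiusd.conf (FreeRADIUS 1.x), authenticate section ---
# Added example: the posted file had only "eap" here.
authenticate {
        # Runs the pap module when authorize set Auth-Type = PAP
        # (the pap module sets it when a cleartext password is present).
        Auth-Type PAP {
                pap
        }
        eap
}

# --- wpa_supplicant.conf, network block ---
# Added example: same values as the posted block, plus ca_cert.
network={
        ssid="testing"
        key_mgmt=WPA-EAP
        eap=TTLS
        anonymous_identity="anonymous"
        identity="foo"
        password="password"
        # Pin the CA that issued the RADIUS server certificate so the
        # TLS tunnel is only built to the real server before PAP runs.
        # Placeholder path; use the CA that signed cert-srv.pem.
        ca_cert="/etc/wpa/CA-CERT-PLACEHOLDER.pem"
        # Keep the documented uppercase spelling; "auth=pap" is not
        # matched and wpa_supplicant falls back to inner EAP.
        phase2="auth=PAP"
}
```

After the change, the trace for "auth=PAP" should show "Found Auth-Type PAP" followed by the pap module running in authenticate rather than the "Unknown value" error; the users entry for foo must still carry a cleartext User-Password for PAP to compare against.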