I am new to RADIUS and EAP. I fail to retrieve vendor-specific attributes from a FreeRADIUS server using RADIUS and EAP-TTLS (when performing PAP, the user's attributes are correctly returned by the server).
I work on a linux machine and linux server.
I read this post, which helped a lot in understanding: How and where RADIUS and EAP combine?, but I still cannot find my issue.
On the server I have defined a user in the user configuration file with specific attributes:
brendon Cleartext-Password := "XXX"
    IEC62351-8-RoleID = "ROLE1",
    IEC62351-8-RoleID += "ROLE2"
The issue I encounter is that the server always returns MS_MPPE_Send_Key and MS_MPPE_Recv_Key, and I don't understand why. Here is the log I get from freeradius (running with the -X option):
Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56290
Listening on proxy address :: port 38281
Ready to process requests
(0) Received Access-Request Id 26 from 10.214.232.212:52631 to 10.234.31.92:1812 length 66
(0) EAP-Message = 0x0200000e01616e6f6e796d6f7573
(0) NAS-Port = 0
(0) NAS-IP-Address = 10.214.232.212
(0) Message-Authenticator = 0x5a9d7211de5c5d4c69a26898eea105d3
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0) authorize {
(0) policy filter_username {
(0) if (&User-Name) {
(0) if (&User-Name) -> FALSE
(0) } # policy filter_username = notfound
(0) [preprocess] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) [digest] = noop
(0) suffix: Proxy reply, or no User-Name. Ignoring
(0) [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) authenticate {
(0) eap: WARNING: NAS did not set User-Name. Setting it locally from EAP Identity
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xca6f8448ca6e893f
(0) [eap] = handled
(0) } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0) Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 26 from 10.234.31.92:1812 to 10.214.232.212:52631 length 0
(0) EAP-Message = 0x010100060d20
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0xca6f8448ca6e893fac15f965d7a090eb
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 0 from 10.214.232.212:52633 to 10.234.31.92:1812 length 76
(1) EAP-Message = 0x020100060315
(1) State = 0xca6f8448ca6e893fac15f965d7a090eb
(1) NAS-Port = 0
(1) NAS-IP-Address = 10.214.232.212
(1) Message-Authenticator = 0x530c1b0fc523fbad1f3826c97da0aaaa
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1) authorize {
(1) policy filter_username {
(1) if (&User-Name) {
(1) if (&User-Name) -> FALSE
(1) } # policy filter_username = notfound
(1) [preprocess] = ok
(1) [chap] = noop
(1) [mschap] = noop
(1) [digest] = noop
(1) suffix: Proxy reply, or no User-Name. Ignoring
(1) [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1) [eap] = updated
(1) } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) authenticate {
(1) eap: Expiring EAP session with state 0xca6f8448ca6e893f
(1) eap: Finished EAP session with state 0xca6f8448ca6e893f
(1) eap: Previous EAP request found for state 0xca6f8448ca6e893f, released from the list
(1) eap: Broken NAS did not set User-Name, setting from EAP Identity
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new EAP-TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xca6f8448cb6d913f
(1) [eap] = handled
(1) } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1) Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 10.234.31.92:1812 to 10.214.232.212:52633 length 0
(1) EAP-Message = 0x010200061520
(1) Message-Authenticator = 0x00000000000000000000000000000000
(1) State = 0xca6f8448cb6d913fac15f965d7a090eb
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 76 from 10.214.232.212:49159 to 10.234.31.92:1812 length 162
(2) EAP-Message = 0x0202005c150016030300510100004d030364390bf93f2a436557592deaa70503e2e0bc7de89b31ddbba6dd90dd038170d6000018006b003d003900350067003c0033002f0016000a000500040100000c000d00080006060105010401
(2) State = 0xca6f8448cb6d913fac15f965d7a090eb
(2) NAS-Port = 0
(2) NAS-IP-Address = 10.214.232.212
(2) Message-Authenticator = 0xc1f7a27c2f771c3c1b95ed0c06843925
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> FALSE
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) suffix: Proxy reply, or no User-Name. Ignoring
(2) [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 92
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca6f8448cb6d913f
(2) eap: Finished EAP session with state 0xca6f8448cb6d913f
(2) eap: Previous EAP request found for state 0xca6f8448cb6d913f, released from the list
(2) eap: Broken NAS did not set User-Name, setting from EAP Identity
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0051]
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2 [length 002a]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2 [length 08e9]
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2 [length 0004]
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_ttls: In SSL Handshake Phase
(2) eap_ttls: In SSL Accept mode
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0xca6f8448c86c913f
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 76 from 10.234.31.92:1812 to 10.214.232.212:49159 length 0
(2) EAP-Message = 0x010303ec15c000000926160303002a020000260303bfeabe84c460d86d6c56c083ac65e152a3f1ff5ca2eb4e28d83375c0fc6b7a2900003d0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca6f8448c86c913fac15f965d7a090eb
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 118 from 10.214.232.212:49161 to 10.234.31.92:1812 length 76
(3) EAP-Message = 0x020300061500
(3) State = 0xca6f8448c86c913fac15f965d7a090eb
(3) NAS-Port = 0
(3) NAS-IP-Address = 10.214.232.212
(3) Message-Authenticator = 0x1c17e681e7392d1f17aa0e220cdacf3f
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> FALSE
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) suffix: Proxy reply, or no User-Name. Ignoring
(3) [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xca6f8448c86c913f
(3) eap: Finished EAP session with state 0xca6f8448c86c913f
(3) eap: Previous EAP request found for state 0xca6f8448c86c913f, released from the list
(3) eap: Broken NAS did not set User-Name, setting from EAP Identity
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0xca6f8448c96b913f
(3) [eap] = handled
(3) } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 118 from 10.234.31.92:1812 to 10.214.232.212:49161 length 0
(3) EAP-Message = 0x010403ec15c0000009268800a977a803b2f219926b4759cfb1dbf1ec31b1c13f81554ad12c84a916499b4aaa2ef57c091d4b2c6e574b938447f18263cb4e450c36a0a3a60004fe308204fa308203e2a00302010202143fb8f121a16d0a0ee175c15ce4ad900eecac4e86300d06092a864886f70d01010b
(3) Message-Authenticator = 0x00000000000000000000000000000000
(3) State = 0xca6f8448c96b913fac15f965d7a090eb
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 227 from 10.214.232.212:49163 to 10.234.31.92:1812 length 76
(4) EAP-Message = 0x020400061500
(4) State = 0xca6f8448c96b913fac15f965d7a090eb
(4) NAS-Port = 0
(4) NAS-IP-Address = 10.214.232.212
(4) Message-Authenticator = 0x631fd6b0ac1a7cd86c58f36e07fffe82
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4) authorize {
(4) policy filter_username {
(4) if (&User-Name) {
(4) if (&User-Name) -> FALSE
(4) } # policy filter_username = notfound
(4) [preprocess] = ok
(4) [chap] = noop
(4) [mschap] = noop
(4) [digest] = noop
(4) suffix: Proxy reply, or no User-Name. Ignoring
(4) [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4) [eap] = ok
(4) } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) authenticate {
(4) eap: Expiring EAP session with state 0xca6f8448c96b913f
(4) eap: Finished EAP session with state 0xca6f8448c96b913f
(4) eap: Previous EAP request found for state 0xca6f8448c96b913f, released from the list
(4) eap: Broken NAS did not set User-Name, setting from EAP Identity
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 364
(4) eap: EAP session adding &reply:State = 0xca6f8448ce6a913f
(4) [eap] = handled
(4) } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4) Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 227 from 10.234.31.92:1812 to 10.214.232.212:49163 length 0
(4) EAP-Message = 0x0105016c158000000926551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007e21180e883167354b7b139f27709b2f9c7f5524
(4) Message-Authenticator = 0x00000000000000000000000000000000
(4) State = 0xca6f8448ce6a913fac15f965d7a090eb
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 64 from 10.214.232.212:49165 to 10.234.31.92:1812 length 436
(5) EAP-Message = 0x0205016c1500160303010610000102010072c9a295aa179141e03937b0c18c8fae57f4ad6be416334aa40bfe0106e14d379ecbb14ae07386268808b8d6deb7f2674f094b8906f01e7b49009eb259820d355e067ece0779e5a35d8f67381692286408cdf50093ecf5518cd9aa650ab71241f5696c62ca63
(5) State = 0xca6f8448ce6a913fac15f965d7a090eb
(5) NAS-Port = 0
(5) NAS-IP-Address = 10.214.232.212
(5) Message-Authenticator = 0x33d3e95a174b6095ebbbde42cd794c61
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5) authorize {
(5) policy filter_username {
(5) if (&User-Name) {
(5) if (&User-Name) -> FALSE
(5) } # policy filter_username = notfound
(5) [preprocess] = ok
(5) [chap] = noop
(5) [mschap] = noop
(5) [digest] = noop
(5) suffix: Proxy reply, or no User-Name. Ignoring
(5) [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 364
(5) eap: Continuing tunnel setup
(5) [eap] = ok
(5) } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) authenticate {
(5) eap: Expiring EAP session with state 0xca6f8448ce6a913f
(5) eap: Finished EAP session with state 0xca6f8448ce6a913f
(5) eap: Previous EAP request found for state 0xca6f8448ce6a913f, released from the list
(5) eap: Broken NAS did not set User-Name, setting from EAP Identity
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2 [length 0106]
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2 [length 0001]
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2 [length 0010]
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: SSL Connection Established
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 101
(5) eap: EAP session adding &reply:State = 0xca6f8448cf69913f
(5) [eap] = handled
(5) } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5) Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 64 from 10.234.31.92:1812 to 10.214.232.212:49165 length 0
(5) EAP-Message = 0x0106006515800000005b14030300010116030300500e01ea4a3c1744a693a78e0c24bbaa4205b73616a68270625289080f663625794d236f222cc62bf34e901353102a08c09852c7ffd49ff1abd9ad7fdd240d0915d43ed3cbc25cfc073b20b05ecb2ce581
(5) Message-Authenticator = 0x00000000000000000000000000000000
(5) State = 0xca6f8448cf69913fac15f965d7a090eb
(5) Finished request
Waking up in 4.5 seconds.
(6) Received Access-Request Id 29 from 10.214.232.212:49167 to 10.234.31.92:1812 length 177
(6) EAP-Message = 0x0206006b15001703030060583bd9865086316dfd855e553a4eebbf201383d7c0ebee1a5d8473aff7d592465a655442fded16656e6dbbb712eff4a2655b6895ef5ec72c2aff56c914627d9df248c6e718e48cbeb53f828be82d80a3fe15a03059f9cea7832eabed3fde3cec
(6) State = 0xca6f8448cf69913fac15f965d7a090eb
(6) NAS-Port = 0
(6) NAS-IP-Address = 10.214.232.212
(6) Message-Authenticator = 0x3e371922ea1733f51a920a7298e5cbcb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> FALSE
(6) } # policy filter_username = notfound
(6) [preprocess] = ok
(6) [chap] = noop
(6) [mschap] = noop
(6) [digest] = noop
(6) suffix: Proxy reply, or no User-Name. Ignoring
(6) [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 107
(6) eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xca6f8448cf69913f
(6) eap: Finished EAP session with state 0xca6f8448cf69913f
(6) eap: Previous EAP request found for state 0xca6f8448cf69913f, released from the list
(6) eap: Broken NAS did not set User-Name, setting from EAP Identity
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "brendon"
(6) eap_ttls: User-Password = "hello"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "brendon"
(6) User-Password = "hello"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [chap] = noop
(6) [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "brendon", looking up realm NULL
(6) suffix: No such realm "NULL"
(6) [suffix] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) files: users: Matched entry brendon at line 230
(6) [files] = ok
(6) [expiration] = noop
(6) [logintime] = noop
(6) [pap] = updated
(6) } # authorize = updated
(6) Found Auth-Type = PAP
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6) [pap] = ok
(6) } # Auth-Type PAP = ok
(6) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6) post-auth {
(6) if (0) {
(6) if (0) -> FALSE
(6) } # post-auth = noop
(6) Login OK: [brendon/hello] (from client whatever port 0 via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) IEC62351-8-RoleID = "OPERATOR"
(6) IEC62351-8-RoleID = "ENGINEER"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) eap: Freeing handler
(6) [eap] = ok
(6) } # authenticate = ok
(6) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(6) post-auth {
(6) update {
(6) No attributes updated
(6) } # update = noop
(6) [exec] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # post-auth = noop
(6) Login OK: [anonymous/<via Auth-Type = eap>] (from client whatever port 0)
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6) MS-MPPE-Recv-Key = 0x612dbdf934dde72a902cbb61f7b317f0ab027e043211d743bb15f39d1b7df21b
(6) MS-MPPE-Send-Key = 0x508c9aefdb3b61db7d53ce2232efce1ebcec0b67fb40c205639779f2b3e4e820
(6) EAP-Message = 0x03060004
(6) Message-Authenticator = 0x00000000000000000000000000000000
(6) Finished request
Waking up in 4.5 seconds.
(0) Cleaning up request packet ID 26 with timestamp +9
(1) Cleaning up request packet ID 0 with timestamp +9
(2) Cleaning up request packet ID 76 with timestamp +9
(3) Cleaning up request packet ID 118 with timestamp +9
(4) Cleaning up request packet ID 227 with timestamp +9
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 64 with timestamp +10
(6) Cleaning up request packet ID 29 with timestamp +10
Ready to process requests
As we can see at the end, the server "knows" the attributes linked with the user:
(6) Virtual server sending reply
(6) IEC62351-8-RoleID = "OPERATOR"
(6) IEC62351-8-RoleID = "ENGINEER"
but they are not returned. Instead it is:
(6) Login OK: [anonymous/<via Auth-Type = eap>] (from client whatever port 0)
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6) MS-MPPE-Recv-Key = 0x612dbdf934dde72a902cbb61f7b317f0ab027e043211d743bb15f39d1b7df21b
(6) MS-MPPE-Send-Key = 0x508c9aefdb3b61db7d53ce2232efce1ebcec0b67fb40c205639779f2b3e4e820
If it helps, here are the Wireshark packets:
Access-Request:
Frame 23: 219 bytes on wire (1752 bits), 219 bytes captured (1752 bits) on interface \Device\NPF_{58F84452-96E4-452B-98A5-663F8E4D7FDB}, id 0
Ethernet II, Src: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX)
Internet Protocol Version 4, Src: XX.XX.XX.XX, Dst: XX.XX.XX.XX
User Datagram Protocol, Src Port: 49167, Dst Port: 1812
RADIUS Protocol
Code: Access-Request (1)
Packet identifier: 0x1d (29)
Length: 177
Authenticator: a95b00007e62000008380000fc5f0000
[The response to this request is in frame 24]
Attribute Value Pairs
AVP: t=EAP-Message(79) l=109 Last Segment[1]
AVP: t=State(24) l=18 val=ca6f8448cf69913fac15f965d7a090eb
AVP: t=NAS-Port(5) l=6 val=0
AVP: t=NAS-IP-Address(4) l=6 val=XX.XX.XX.XX
AVP: t=Message-Authenticator(80) l=18 val=3e371922ea1733f51a920a7298e5cbcb
Access-Accept:
Frame 24: 202 bytes on wire (1616 bits), 202 bytes captured (1616 bits) on interface \Device\NPF_{58F84452-96E4-452B-98A5-663F8E4D7FDB}, id 0
Ethernet II, Src: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX)
Internet Protocol Version 4, Src: XX.XX.XX.XX, Dst: XX.XX.XX.XX
User Datagram Protocol, Src Port: 1812, Dst Port: 49167
RADIUS Protocol
Code: Access-Accept (2)
Packet identifier: 0x1d (29)
Length: 160
Authenticator: 9f6d9c09c55e654a93f47a4215a8418e
[This is a response to a request in frame 23]
[Time from request: 0.069017000 seconds]
Attribute Value Pairs
AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
AVP: t=EAP-Message(79) l=6 Last Segment[1]
AVP: t=Message-Authenticator(80) l=18 val=9eb84fabca3ba8c74ae5db4db35aad07
Is it a server misconfiguration? Or an issue in the Access-Request? Or anything else?
The problem was a freeradius server misconfiguration.
In my case, I needed to add to /etc/freeradius/3.0/mods-available/eap:
ttls {
    [...]
    use_tunneled_reply = yes
    [...]
}
to ask the server to add the attributes to the reply message.
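A check for this symptom, as an added example that is not part of the original question or answer: it reads `freeradius -X` debug output and reports attributes that the inner-tunnel virtual server returned but the outer Access-Accept did not carry. The sample log is constructed from the lines quoted above, with placeholder key values, plus a hypothetical request 7 showing the expected output once `use_tunneled_reply = yes` is set; the function names are illustrative.

```python
import re

# Constructed sample: request 6 mirrors the excerpt quoted in the question
# (key values replaced by placeholders); request 7 is a hypothetical run
# after the fix, where the role attributes reach the outer reply.
SAMPLE_LOG = """\
(6) Virtual server sending reply
(6)   IEC62351-8-RoleID = "OPERATOR"
(6)   IEC62351-8-RoleID = "ENGINEER"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6)   MS-MPPE-Recv-Key = 0x00
(6)   MS-MPPE-Send-Key = 0x00
(6)   EAP-Message = 0x03060004
(6) Finished request
Waking up in 4.5 seconds.
(7) Virtual server sending reply
(7)   IEC62351-8-RoleID = "OPERATOR"
(7)   IEC62351-8-RoleID = "ENGINEER"
(7) eap_ttls: Got tunneled Access-Accept
(7) Sent Access-Accept Id 30 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49169 length 0
(7)   IEC62351-8-RoleID = "OPERATOR"
(7)   IEC62351-8-RoleID = "ENGINEER"
(7)   MS-MPPE-Recv-Key = 0x00
(7)   MS-MPPE-Send-Key = 0x00
(7)   EAP-Message = 0x03070004
(7) Finished request
"""

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')               # "(6) <body>"
ATTR = re.compile(r'^([A-Za-z][A-Za-z0-9-]*) = (.+)$')  # "Name = value"


def parse_replies(log_text):
    """Collect, per request number, the attributes listed under the inner
    'Virtual server sending reply' and the outer 'Sent Access-Accept'."""
    inner, outer, current = {}, {}, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        rid, body = int(m.group(1)), m.group(2)
        if body == "Virtual server sending reply":
            current[rid] = inner.setdefault(rid, [])
        elif body.startswith("Sent Access-Accept "):
            current[rid] = outer.setdefault(rid, [])
        elif rid in current and (a := ATTR.match(body)):
            current[rid].append((a.group(1), a.group(2).strip('"')))
        else:
            # Any other line for this request ends its attribute list.
            current.pop(rid, None)
    return inner, outer


def dropped_tunnel_attributes(log_text):
    """Return {request: [(name, value), ...]} for inner-tunnel reply
    attributes that are absent from the outer Access-Accept."""
    inner, outer = parse_replies(log_text)
    report = {}
    for rid, attrs in inner.items():
        sent = outer.get(rid)
        if sent is None:        # request did not end in an Access-Accept
            continue
        missing = [a for a in attrs if a not in sent]
        if missing:
            report[rid] = missing
    return report


if __name__ == "__main__":
    for rid, attrs in dropped_tunnel_attributes(SAMPLE_LOG).items():
        for name, value in attrs:
            print(f"request {rid}: {name} = {value} not in Access-Accept")
```
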