I am trying to set up EAP-TTLS/GTC authentication. In phase 1, the server offers EAP-TTLS and the client accepts it. The client is set to automatic for phase 2 and I expect the server to offer GTC for phase 2 authentication, which is not happening. Can someone help me figure out what is missing in the conf file?
eap {
    default_eap_type = ttls
    timer_expire = 60
    ignore_unknown_eap_types = no
    cisco_accounting_username_bug = no
    max_sessions = 4096
    md5 {
    }
    leap {
    }
    gtc {
        auth_type = Local
    }
    tls {
        certdir = ${confdir}/certs_freeradius2
        cadir = ${confdir}/certs_freeradius2
        private_key_password = radius
        private_key_file = /etc/freeradius/certs/server.key
        certificate_file = /etc/freeradius/certs/server.pem
        CA_file = /etc/freeradius/certs/ca.pem
        dh_file = ${certdir}/dh
        random_file = ${certdir}/random
        fragment_size = 1024
        include_length = yes
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
        }
    }
    ttls {
        default_eap_type = gtc
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        virtual_server = "inner-tunnel"
    }
    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply = yes
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
    }
    mschapv2 {
    }
}
Another thing I would like to point out is that I do see gtc initiation and processing in the radius.log, but I don't think phase 2 was successful.
73 Wed Aug 5 16:22:48 2015 : Debug: Module: Linked to sub-module rlm_eap_gtc
74 Wed Aug 5 16:22:48 2015 : Debug: Module: Instantiating eap-gtc
75 Wed Aug 5 16:22:48 2015 : Debug: gtc {
76 Wed Aug 5 16:22:48 2015 : Debug: challenge = "Password: "
77 Wed Aug 5 16:22:48 2015 : Debug: auth_type = "Local"
78 Wed Aug 5 16:22:48 2015 : Debug: }
79 Wed Aug 5 16:22:48 2015 : Debug: Module: Linked to sub-module rlm_eap_tls
80 Wed Aug 5 16:22:48 2015 : Debug: Module: Instantiating eap-tls
81 Wed Aug 5 16:22:48 2015 : Debug: tls {
82 Wed Aug 5 16:22:48 2015 : Debug: rsa_key_exchange = no
83 Wed Aug 5 16:22:48 2015 : Debug: dh_key_exchange = yes
84 Wed Aug 5 16:22:48 2015 : Debug: rsa_key_length = 512
85 Wed Aug 5 16:22:48 2015 : Debug: dh_key_length = 512
106 Wed Aug 5 16:22:48 2015 : Debug: Module: Instantiating eap-ttls
107 Wed Aug 5 16:22:48 2015 : Debug: ttls {
108 Wed Aug 5 16:22:48 2015 : Debug: default_eap_type = "gtc"
109 Wed Aug 5 16:22:48 2015 : Debug: copy_request_to_tunnel = no
110 Wed Aug 5 16:22:48 2015 : Debug: use_tunneled_reply = no
111 Wed Aug 5 16:22:48 2015 : Debug: virtual_server = "inner-tunnel"
112 Wed Aug 5 16:22:48 2015 : Debug: include_length = yes
113 Wed Aug 5 16:22:48 2015 : Debug: }
552 Wed Aug 5 16:25:43 2015 : Info: [eap] EAP Identity
553 Wed Aug 5 16:25:43 2015 : Info: [eap] processing type gtc
554 Wed Aug 5 16:25:43 2015 : Info: ++[eap] returns handled
555 Wed Aug 5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Challenge
556 Wed Aug 5 16:25:43 2015 : Info: ++[eap] returns handled
557 Wed Aug 5 16:25:43 2015 : Info: Finished request 5.
558 Wed Aug 5 16:25:43 20
Wed Aug 5 16:25:43 2015 : Info: [pap] WARNING: Auth-Type already set. Not setting to PAP
612 Wed Aug 5 16:25:43 2015 : Info: ++[pap] returns noop
613 Wed Aug 5 16:25:43 2015 : Info: Found Auth-Type = EAP
614 Wed Aug 5 16:25:43 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
615 Wed Aug 5 16:25:43 2015 : Info: +- entering group authenticate {...}
616 Wed Aug 5 16:25:43 2015 : Info: [eap] Request found, released from the list
617 Wed Aug 5 16:25:43 2015 : Info: [eap] EAP/gtc
618 Wed Aug 5 16:25:43 2015 : Info: [eap] processing type gtc
619 Wed Aug 5 16:25:43 2015 : Debug: rlm_eap_gtc: Everything is OK.
620 Wed Aug 5 16:25:43 2015 : Info: [eap] Freeing handler
621 Wed Aug 5 16:25:43 2015 : Info: ++[eap] returns ok
622 Wed Aug 5 16:25:43 2015 : Auth: Login OK: [CrOS] (from client 172.16.10.3 port 0 via TLS tunnel)
623 Wed Aug 5 16:25:43 2015 : Info: WARNING: Empty post-auth section. Using default return values.
624 Wed Aug 5 16:25:43 2015 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
625 Wed Aug 5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Accept
The debug log you've posted indicates that auth completed successfully.
[ttls] Got tunneled Access-Accept
indicates that Phase2 completed successfully, with a positive authentication response.
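An added example, not part of the original thread: a small Python check that reads a radius.log excerpt like the one above, extracts the `ttls` settings the server printed at startup, compares them with the `ttls` block posted in the question, and lists the tunneled reply codes in order. The function names are hypothetical and the sample is a constructed subset of the log lines quoted above.

```python
import re

# Constructed sample: a subset of lines in the shape of the radius.log excerpt above.
SAMPLE_LOG = """\
107 Wed Aug 5 16:22:48 2015 : Debug: ttls {
108 Wed Aug 5 16:22:48 2015 : Debug: default_eap_type = "gtc"
109 Wed Aug 5 16:22:48 2015 : Debug: copy_request_to_tunnel = no
110 Wed Aug 5 16:22:48 2015 : Debug: use_tunneled_reply = no
111 Wed Aug 5 16:22:48 2015 : Debug: virtual_server = "inner-tunnel"
113 Wed Aug 5 16:22:48 2015 : Debug: }
553 Wed Aug 5 16:25:43 2015 : Info: [eap] processing type gtc
555 Wed Aug 5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Challenge
619 Wed Aug 5 16:25:43 2015 : Debug: rlm_eap_gtc: Everything is OK.
625 Wed Aug 5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Accept
"""

# The ttls block as posted in the question's eap configuration.
POSTED_TTLS = {"default_eap_type": "gtc", "copy_request_to_tunnel": "yes",
               "use_tunneled_reply": "yes", "virtual_server": "inner-tunnel"}

def effective_settings(log, module):
    """Return the key/value pairs the server printed for `module { ... }` at startup."""
    settings, inside = {}, False
    for line in log.splitlines():
        # Drop the line number, timestamp and log level; truncated lines yield "".
        msg = line.partition(" : ")[2].partition(": ")[2].strip()
        if msg == module + " {":
            inside = True
        elif inside and msg == "}":
            break  # assumes no nested sub-block inside the module block
        elif inside and " = " in msg:
            key, _, value = msg.partition(" = ")
            settings[key.strip()] = value.strip().strip('"')
    return settings

def drift(posted, effective):
    """Map each setting whose loaded value differs to (posted, loaded)."""
    return {k: (v, effective.get(k)) for k, v in posted.items() if effective.get(k) != v}

def phase2_trace(log):
    """Return (inner EAP types processed, tunneled reply codes in log order)."""
    types = re.findall(r"\[eap\] processing type (\S+)", log)
    replies = re.findall(r"\[ttls\] Got tunneled (Access-\w+)", log)
    return sorted(set(types)), replies

if __name__ == "__main__":
    print(drift(POSTED_TTLS, effective_settings(SAMPLE_LOG, "ttls")))
    print(phase2_trace(SAMPLE_LOG))
```

On this sample the inner method is `gtc` and the last tunneled reply is `Access-Accept`, while `copy_request_to_tunnel` and `use_tunneled_reply` are reported as `no` in the log against `yes` in the posted block.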