[Freeradius][EAP] Issues using EAP-GTC for inner phase 2 authentication.


I am trying to set up EAP-TTLS/GTC authentication. In phase 1, the server offers EAP-TTLS and the client accepts it. The client is set to automatic for phase 2 and I expect the server to offer GTC for phase 2 authentication, which is not happening. Can someone help me figure out what is missing in the conf file?

eap {
        default_eap_type = ttls
        timer_expire     = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 4096
        md5 {
        }
        leap {
        }
        gtc {
                auth_type = Local
        }
        tls {
                certdir = ${confdir}/certs_freeradius2
                cadir = ${confdir}/certs_freeradius2
                private_key_password = radius
                private_key_file = /etc/freeradius/certs/server.key
                certificate_file = /etc/freeradius/certs/server.pem
                CA_file = /etc/freeradius/certs/ca.pem
                dh_file = ${certdir}/dh
                random_file = ${certdir}/random
                fragment_size = 1024
                include_length = yes
                cipher_list = "DEFAULT"
                make_cert_command = "${certdir}/bootstrap"
                cache {
                }
        }
        ttls {
                default_eap_type = gtc
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                virtual_server = "inner-tunnel"
        }
        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = yes
                use_tunneled_reply = yes
                proxy_tunneled_request_as_eap = yes
                virtual_server = "inner-tunnel"
        }
        mschapv2 {
        }
}

Another thing I would like to point out is that I do see GTC initiation and processing in the radius.log, but I don't think phase 2 was successful.

73 Wed Aug  5 16:22:48 2015 : Debug:  Module: Linked to sub-module rlm_eap_gtc
  74 Wed Aug  5 16:22:48 2015 : Debug:  Module: Instantiating eap-gtc
  75 Wed Aug  5 16:22:48 2015 : Debug:    gtc {
  76 Wed Aug  5 16:22:48 2015 : Debug:       challenge = "Password: "
  77 Wed Aug  5 16:22:48 2015 : Debug:       auth_type = "Local"
  78 Wed Aug  5 16:22:48 2015 : Debug:    }
  79 Wed Aug  5 16:22:48 2015 : Debug:  Module: Linked to sub-module rlm_eap_tls
  80 Wed Aug  5 16:22:48 2015 : Debug:  Module: Instantiating eap-tls
  81 Wed Aug  5 16:22:48 2015 : Debug:    tls {
  82 Wed Aug  5 16:22:48 2015 : Debug:       rsa_key_exchange = no
  83 Wed Aug  5 16:22:48 2015 : Debug:       dh_key_exchange = yes
  84 Wed Aug  5 16:22:48 2015 : Debug:       rsa_key_length = 512
  85 Wed Aug  5 16:22:48 2015 : Debug:       dh_key_length = 512



106 Wed Aug  5 16:22:48 2015 : Debug:  Module: Instantiating eap-ttls
 107 Wed Aug  5 16:22:48 2015 : Debug:    ttls {
 108 Wed Aug  5 16:22:48 2015 : Debug:       default_eap_type = "gtc"
 109 Wed Aug  5 16:22:48 2015 : Debug:       copy_request_to_tunnel = no
 110 Wed Aug  5 16:22:48 2015 : Debug:       use_tunneled_reply = no
 111 Wed Aug  5 16:22:48 2015 : Debug:       virtual_server = "inner-tunnel"
 112 Wed Aug  5 16:22:48 2015 : Debug:       include_length = yes
 113 Wed Aug  5 16:22:48 2015 : Debug:    }

552 Wed Aug  5 16:25:43 2015 : Info: [eap] EAP Identity
 553 Wed Aug  5 16:25:43 2015 : Info: [eap] processing type gtc
 554 Wed Aug  5 16:25:43 2015 : Info: ++[eap] returns handled
 555 Wed Aug  5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Challenge
 556 Wed Aug  5 16:25:43 2015 : Info: ++[eap] returns handled
 557 Wed Aug  5 16:25:43 2015 : Info: Finished request 5.
 558 Wed Aug  5 16:25:43 20

Wed Aug  5 16:25:43 2015 : Info: [pap] WARNING: Auth-Type already set.  Not setting to PAP
 612 Wed Aug  5 16:25:43 2015 : Info: ++[pap] returns noop
 613 Wed Aug  5 16:25:43 2015 : Info: Found Auth-Type = EAP
 614 Wed Aug  5 16:25:43 2015 : Info: # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
 615 Wed Aug  5 16:25:43 2015 : Info: +- entering group authenticate {...}
 616 Wed Aug  5 16:25:43 2015 : Info: [eap] Request found, released from the list
 617 Wed Aug  5 16:25:43 2015 : Info: [eap] EAP/gtc
 618 Wed Aug  5 16:25:43 2015 : Info: [eap] processing type gtc
 619 Wed Aug  5 16:25:43 2015 : Debug:   rlm_eap_gtc: Everything is OK.
 620 Wed Aug  5 16:25:43 2015 : Info: [eap] Freeing handler
 621 Wed Aug  5 16:25:43 2015 : Info: ++[eap] returns ok
 622 Wed Aug  5 16:25:43 2015 : Auth: Login OK: [CrOS] (from client 172.16.10.3 port 0 via TLS tunnel)
 623 Wed Aug  5 16:25:43 2015 : Info:   WARNING: Empty post-auth section.  Using default return values.
 624 Wed Aug  5 16:25:43 2015 : Info: # Executing section post-auth from file /etc/freeradius/sites-enabled/inner-tunnel
 625 Wed Aug  5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Accept

There is 1 answer

Arran Cudbard-Bell

The debug log you've posted indicates that auth completed successfully.

[ttls] Got tunneled Access-Accept indicates that Phase 2 completed successfully, with a positive authentication response.
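As an added example (not part of the question or the answer), a small Python checker for FreeRADIUS 2.x debug output of the kind quoted above: it reports whether the TTLS inner phase ended in a tunneled Access-Accept, recovers the ttls settings the running server actually instantiated, and flags keys that differ from the edited eap.conf. The sample log is constructed from the excerpts in the question; note that the posted debug output shows copy_request_to_tunnel = no and use_tunneled_reply = no while the posted file says yes, which is the kind of drift this check surfaces.

```python
import re
# Constructed sample, modelled on the radius.log excerpts in the question (not the full log).
SAMPLE_LOG = """\
 107 Wed Aug  5 16:22:48 2015 : Debug:    ttls {
 108 Wed Aug  5 16:22:48 2015 : Debug:       default_eap_type = "gtc"
 109 Wed Aug  5 16:22:48 2015 : Debug:       copy_request_to_tunnel = no
 110 Wed Aug  5 16:22:48 2015 : Debug:       use_tunneled_reply = no
 111 Wed Aug  5 16:22:48 2015 : Debug:       virtual_server = "inner-tunnel"
 113 Wed Aug  5 16:22:48 2015 : Debug:    }
 555 Wed Aug  5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Challenge
 558 Wed Aug  5 16:25:43 20
 625 Wed Aug  5 16:25:43 2015 : Info: [ttls] Got tunneled Access-Accept
"""

# The ttls {} block as it appears in the eap.conf posted in the question.
EDITED_TTLS = {"default_eap_type": "gtc", "copy_request_to_tunnel": "yes",
               "use_tunneled_reply": "yes", "virtual_server": "inner-tunnel"}

# "<lineno> <date> : <Level>: <message>"; truncated lines (like 558 above) do not match.
LINE_RE = re.compile(r'^\s*\d*\s*(\w{3} \w{3}\s+\d+ [\d:]+ \d{4}) : (\w+): (.*)$')
KV_RE = re.compile(r'^\s*(\w+) = "?([^"]*)"?$')

def parse_log(text):
    """Return (level, message) for every well-formed radius.log line, skipping the rest."""
    return [(m.group(2), m.group(3)) for m in map(LINE_RE.match, text.splitlines()) if m]

def loaded_module_config(text, name):
    """Key/values the server printed when instantiating `name` (e.g. 'ttls'); no nesting."""
    config, inside = {}, False
    for level, msg in parse_log(text):
        if level == "Debug" and msg.strip() == name + " {":
            inside = True
        elif inside and msg.strip() == "}":
            break
        elif inside and (m := KV_RE.match(msg)):
            config[m.group(1)] = m.group(2)
    return config

def phase2_result(text):
    """'accept', 'reject', 'challenge-only' or 'unknown', from the [ttls] tunneled-reply lines."""
    seen = [m.split()[-1] for _, m in parse_log(text) if m.startswith("[ttls] Got tunneled ")]
    if "Access-Accept" in seen:
        return "accept"
    if "Access-Reject" in seen:
        return "reject"
    return "challenge-only" if seen else "unknown"

def config_drift(loaded, edited):
    """Keys whose running value differs from the edited file: (edited, loaded) per key."""
    return {k: (edited[k], loaded.get(k)) for k in edited if loaded.get(k) != edited[k]}
```

Running phase2_result on the posted log yields "accept", and config_drift reports the two copy/reply keys, pointing at a different eap.conf being read than the one edited.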