(RADIATOR) Fwd: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP

Hugh Irvine hugh at open.com.au
Thu Apr 12 03:18:03 CDT 2007

Hello Rogier -

Thanks for the additional information.

I have had a look at the debug traces and I am a bit confused as to  
what I am looking at.

Could you please provide a bit more detail about the tests you have  
tried and the expected outcomes versus the actual outcomes?



On 10 Apr 2007, at 22:49, Rogier Krieger wrote:

> After trying several times, the list server appears to quietly refuse
> the trace dumps I wanted to send along (~300 KB). Hence a try without
> the dumps, with (temporary) links to them online.
> http://www.iverdahl.net/pub/radiator-trace/
> ---------- Forwarded message ----------
> From: Rogier Krieger <rkrieger at gmail.com>
> Date: Apr 10, 2007 10:22 AM
> Subject: EAPAnonymous - Different behaviour for EAP-TTLS and PEAP
> To: Radiator list <radiator at open.com.au>
> Dear list,
> Now that both EAP-TTLS PEAP-MSCHAP-V2 are working for me, I felt it
> was time to add a bit of breakage. I am trying to achieve the
> following things:
> + Support for multiple realms for an EAP inner identity
>        -> Regular users (@domain.tld) - from a central LDAP
>        -> Visitors (@visitor.domain.tld) - from a simple database  
> (to be built)
> + A single EAP outer identity: anonymous at domain.tld
> I intend to do this using various <Handler> clauses that define
> appropriate criteria (TunneledByTTLS=1) and realms
> (Realm=visitor.domain.tld). I included my configuration with this
> message. Reading the manual, I gather I should use the EAPAnonymous
> parameter to achieve the above. I am using EAPAnonymous %0.
> Expected issue:
> When using the EAPAnonymous parameter (set to %0), I seem to get
> different results dependent on whether the supplicant uses EAP-TTLS or
> PEAP. TTLS works out of the box, but PEAP seems to handle the request
> based on the *outer* EAP identity.
> Testing:
> I ran several scenarios, with varying outer and inner identities. I
> included traces for both TTLS and PEAP. For an outer identity, I use
> anonymous@$realm. On the inside, I authenticate with my test user
> (test@$realm).
>  Outer identity        Inner identity
> 1 iverdahl.net          iverdahl.net
> 2 iverdahl.net          visitor.iverdahl.net
> 3 visitor.iverdahl.net  iverdahl.net
> 4 visitor.iverdahl.net  visitor.iverdahl.net
> In every case, I expect the final handler to correspond with the inner
> identity realm. Unfortunately, my results are different:
>  Expected              TTLS result     PEAP result
> 1 iverdahl.net          OK              OK
> 2 visitor.iverdahl.net  OK              FAIL (iverdahl.net)
> 3 iverdahl.net          OK              FAIL (visitor.iverdahl.net)
> 4 visitor.iverdahl.net  OK              OK
>> From the above, I suspect Radiator uses the outer identity with the
> inner handler. Can you confirm this? I included both my configuration
> and trace outputs for the specific requests.
> Cheers,
> Rogier
> <radius.cfg>


Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/ 
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
CATool: Private Certificate Authority for Unix and Unix-like systems.

Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list