published at 2014-12-03
created at 2014
written by Ivan Stana

Freeradius Notes

Put FreeRadius into Debug Mode

If the tests don't work, put FreeRADIUS into debug mode and read the output. Fortunately, the debugging process is quite comfortable and easy.

systemctl stop freeradius
# or /etc/init.d/freeradius stop
freeradius -X

Test login

Login with plaintext:

radtest testing password 127.0.0.1:18120 0 testing123

Login with mschap:

radtest -t mschap testing password 127.0.0.1:18120 0 testing123

Eapol Testing

radtest is great for testing simple scenarios, but to test the whole process, as a Wi-Fi access point would do it, there is the utility eapol_test. It is part of wpa_supplicant.

Download wpa_supplicant from https://w1.fi/wpa_supplicant/ and compile it (./configure && make); you then get eapol_test at wpa_supplicant-2.2/wpa_supplicant/eapol_test.

Copy the binary somewhere convenient, e.g. your home directory.

Test EAP-TTLS/PAP

# file: ttls-pap.conf
#
#   eapol_test -c ttls-pap.conf -s testing123
#
network={
        ssid="lulzcats"
        key_mgmt=WPA-EAP
        eap=TTLS
        identity="ivan"
        anonymous_identity="anonymous"
        password=""   # fill this in
        phase2="auth=PAP"

        # Uncomment the following to perform server certificate validation.
        #ca_cert="/etc/raddb/certs/ca.der"
}

And then fire up the test. You need to enable the "testing123" client entry in clients.conf first; it can be disabled again afterwards.

./eapol_test -c ttls-pap.conf -s testing123

And you should see this:

RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): fc 0c df 50 ff d6 10 fa a0 87 3f cf 04 46 f0 9e 53 de 51 6e a0 39 30 42 aa df 16 32 55 30 e7 49
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): ea 38 2c 5d ff 19 85 a8 59 96 11 0f 12 dc 74 9f 5e 07 48 f4 e1 18 df 7f 8d 5c 51 50 c8 51 38 38
decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): ea 38 2c 5d ff 19 85 a8 59 96 11 0f 12 dc 74 9f 5e 07 48 f4 e1 18 df 7f 8d 5c 51 50 c8 51 38 38
No EAP-Key-Name received from server
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1  mismatch: 0
SUCCESS

And not this:

RADIUS packet matching with station
decapsulated EAP packet (code=4 id=6 len=4) from RADIUS server: EAP Failure
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Failure
EAP: Status notification: completion (param=failure)
EAP: EAP entering state FAILURE
CTRL-EVENT-EAP-FAILURE EAP authentication failed
EAPOL: SUPP_PAE entering state HELD
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state FAIL
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=0
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE

If EAP-TTLS works, then EAP-TLS works too, unless the configuration has been modified too heavily.

Test EAP-PEAP/MSCHAPv2

Much less secure than EAP-TTLS, but you know, compatibility with old Windows versions (<=7).

# file: peap.conf
#
#   eapol_test -c peap.conf -s testing123
#
network={
        ssid="lulzcats"
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="ivan"
        anonymous_identity="anonymous"
        password=""   # fill this in
        phase2="auth=MSCHAPv2"

        # Uncomment the following to perform server certificate validation.
        #ca_cert="/etc/raddb/certs/ca.der"
}

Test command:

./eapol_test -c peap.conf -s testing123

iOS or macOS cannot log in, but Windows, Android or Linux can

If you put FreeRADIUS into debug mode, you will see:

Module-Failure-Message -> eap: Tried to start unsupported EAP type MD5 (4)

Bizarre bug, but apparently only Apple devices try to use EAP-MD5. I disabled MD5 in the configuration, but left it as a default authentication method.

So....

# /etc/freeradius/3.0/mods-enabled/eap

eap {
  default_eap_type = ttls
  ....
}
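The success and failure transcripts above are long, and when you test several configs in a row it helps to reduce each run to a verdict. The following is an added example, not part of the original notes and not from the wpa_supplicant or FreeRADIUS projects: it parses eapol_test output for the final SUCCESS/FAILURE line, the EAP code the server sent and the MPPE key check, and it also scans `freeradius -X` output for the Module-Failure-Message line shown in the Apple/EAP-MD5 section. The sample transcripts embedded in it are constructed excerpts modelled on the output above; the `run_eapol_test` wrapper assumes the copied `./eapol_test` binary from the notes and a RADIUS server reachable at eapol_test's default address.

```python
"""Added example: checks for the eapol_test and freeradius -X output shown above.

Not part of the original notes. Assumes eapol_test sits in the current
directory (as in the notes); the parsing functions need no binary at all.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpts, modelled on the success and failure runs shown above.
SAMPLE_SUCCESS = """\
decapsulated EAP packet (code=3 id=6 len=4) from RADIUS server: EAP Success
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
MPPE keys OK: 1  mismatch: 0
SUCCESS
"""

SAMPLE_FAILURE = """\
decapsulated EAP packet (code=4 id=6 len=4) from RADIUS server: EAP Failure
CTRL-EVENT-EAP-FAILURE EAP authentication failed
MPPE keys OK: 0  mismatch: 1
FAILURE
"""

# Constructed freeradius -X excerpt; the last line is the one quoted in the notes.
SAMPLE_DEBUG = """\
(0) eap: Peer sent EAP Response (code 2) ID 1 length 9
Module-Failure-Message -> eap: Tried to start unsupported EAP type MD5 (4)
"""

EAP_CODE_RE = re.compile(r"decapsulated EAP packet \(code=(\d+) id=\d+ len=\d+\)")
MPPE_RE = re.compile(r"MPPE keys OK: (\d+)\s+mismatch: (\d+)")
FAILURE_MSG_RE = re.compile(r'Module-Failure-Message\s*(?:->|=)\s*"?(.*?)"?\s*$')
UNSUPPORTED_RE = re.compile(r"Tried to start unsupported EAP type (\S+) \((\d+)\)")


@dataclass
class EapolResult:
    verdict: str              # "SUCCESS", "FAILURE" or "UNKNOWN" (no final line seen)
    eap_code: Optional[int]   # last EAP code from the server: 3 = Success, 4 = Failure
    mppe_ok: int
    mppe_mismatch: int

    @property
    def passed(self) -> bool:
        # Require the final verdict AND matching MPPE keys: a mismatch means the
        # access point could not derive the same PMK even though EAP said success.
        return self.verdict == "SUCCESS" and self.mppe_ok > 0 and self.mppe_mismatch == 0


def parse_eapol_output(text: str) -> EapolResult:
    """Reduce eapol_test's verbose output to the fields worth asserting on."""
    eap_code = None
    mppe_ok = mppe_mismatch = 0
    verdict = "UNKNOWN"
    for raw in text.splitlines():
        line = raw.strip()
        m = EAP_CODE_RE.search(line)
        if m:
            eap_code = int(m.group(1))
            continue
        m = MPPE_RE.search(line)
        if m:
            mppe_ok, mppe_mismatch = int(m.group(1)), int(m.group(2))
            continue
        if line in ("SUCCESS", "FAILURE"):   # eapol_test prints one of these last
            verdict = line
    return EapolResult(verdict, eap_code, mppe_ok, mppe_mismatch)


def module_failures(debug_text: str) -> List[str]:
    """Collect the Module-Failure-Message texts from `freeradius -X` output."""
    found = []
    for line in debug_text.splitlines():
        m = FAILURE_MSG_RE.search(line)
        if m:
            found.append(m.group(1))
    return found


def unsupported_eap_types(debug_text: str) -> List[Tuple[str, int]]:
    """Return (name, EAP type number) for every 'unsupported EAP type' failure."""
    hits = []
    for msg in module_failures(debug_text):
        m = UNSUPPORTED_RE.search(msg)
        if m:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def run_eapol_test(conf_path: str, secret: str, binary: str = "./eapol_test") -> EapolResult:
    """Run one config through eapol_test and parse the result (assumes the binary exists)."""
    proc = subprocess.run([binary, "-c", conf_path, "-s", secret],
                          capture_output=True, text=True, check=False)
    return parse_eapol_output(proc.stdout)


if __name__ == "__main__":
    for name, conf in (("EAP-TTLS/PAP", "ttls-pap.conf"), ("EAP-PEAP/MSCHAPv2", "peap.conf")):
        result = run_eapol_test(conf, "testing123")
        print(f"{name}: {'PASS' if result.passed else 'FAIL'} ({result})")
```

`passed` deliberately looks at both the final line and the MPPE key line: an EAP Success with a key mismatch is exactly the case where the supplicant authenticates but the access point cannot finish the 4-way handshake, so it is reported as a failure rather than hidden behind the SUCCESS line.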