
I'm using version 2 of FreeRADIUS. I've successfully changed the default eap type.

Now I'm trying to change the inner auth because I need pap as default.

I've tried to change the inner auth for ttls but then this happens:

    ttls {
        default_eap_type = "pap"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"
        include_length = yes
    }

    rlm_eap_ttls: Unknown EAP type pap
    rlm_eap: Failed to initialize type ttls
    /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
    /usr/local/etc/raddb/sites-enabled/default[310]: Failed to load module "eap".
    /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.

I've tried to change the inner auth for peap as well, but same problem as before:

    peap {
        default_eap_type = "pap"
        copy_request_to_tunnel = no
        use_tunneled_reply = no
        proxy_tunneled_request_as_eap = yes
        virtual_server = "inner-tunnel"
        soh = no
    }

    rlm_eap_peap: Unknown EAP type pap
    rlm_eap: Failed to initialize type peap
    /usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
    /usr/local/etc/raddb/sites-enabled/default[310]: Failed to load module "eap".
    /usr/local/etc/raddb/sites-enabled/default[252]: Errors parsing authenticate section.

Why doesn't it recognize pap? Thank you.

1 Answer

The issue is that PAP isn't an EAP type. PAP is an authentication type.

EAP-TTLS is the only widely used EAP type which can use a PAP inner, so I'm assuming you're using that.

When the server processes EAP-TTLS, it extracts the attributes inside EAP-TTLS' TLS tunnel and creates RADIUS attributes from them. It then 'proxies' a request containing these attributes (possibly merged with those from the RADIUS packet carrying EAP), and sends them to another virtual server (the default being 'inner-tunnel').

In order to perform PAP authentication in the inner tunnel, you need to set up PAP as you would for RADIUS.

etc/raddb/sites-available/inner-tunnel:

    server inner-tunnel {
        authorize {
            # ldap, sql, files, ... whichever module you use to retrieve passwords
            files

            # sets Auth-Type = PAP when a User-Password attribute is present
            pap
        }

        authenticate {
            pap
        }
    }

Note: You also need to select PAP as the inner method on the supplicant. There's no way to negotiate whether the supplicant uses an inner EAP method, or does PAP/CHAP/MSCHAPv2 using tunnel attributes. The supplicant sends attributes, the server goes along with whatever it sends. If the supplicant sends an EAP-Message attribute and the EAP module is configured, the server will do EAP. If the supplicant sends a User-Password attribute and the PAP module is configured the server will do PAP.

This is distinct from EAP, where the supplicant and server can negotiate the EAP method. There's a bunch of example exchanges in RFC5281 where you can see the different attributes being sent.
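As an added illustration (not part of the question, the answer, or FreeRADIUS itself), the Python below parses the kind of config fragments shown on this page, flags a `default_eap_type` that names a RADIUS auth type such as pap rather than an EAP type, and then checks that the inner-tunnel server actually lists the pap module in both sections. The set of EAP type names is a constructed subset, not the full list rlm_eap ships.

```python
# Constructed subset of the types rlm_eap can load; your build's eap.conf lists the full set.
EAP_TYPES = {"md5", "gtc", "tls", "ttls", "peap", "mschapv2", "leap"}
# These are RADIUS auth types carried as tunnel attributes (User-Password etc.), not EAP types.
TUNNEL_AUTH_TYPES = {"pap", "chap", "mschap"}

def parse_conf(text):
    """Parse FreeRADIUS-style 'name { key = value / module }' blocks into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and indentation
        if not line:
            continue
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, val = line.partition("=")
            stack[-1][key.strip()] = val.strip().strip('"')
        else:
            stack[-1][line] = True             # bare module reference such as 'pap'
    return root

def check_eap_inner(conf):
    """Report default_eap_type values in ttls/peap that rlm_eap cannot load."""
    problems = []
    for sub in ("ttls", "peap"):
        t = conf.get("eap", {}).get(sub, {}).get("default_eap_type")
        if t is None or t in EAP_TYPES:
            continue
        why = " (a RADIUS auth type, not an EAP type)" if t in TUNNEL_AUTH_TYPES else ""
        problems.append(f"rlm_eap_{sub}: Unknown EAP type {t}{why}")
    return problems

def check_inner_tunnel(conf):
    """Return the inner-tunnel sections that do not list the pap module."""
    srv = conf.get("server inner-tunnel", {})
    return [s for s in ("authorize", "authenticate") if "pap" not in srv.get(s, {})]

# Constructed samples: the asker's ttls block, and the answer's inner-tunnel server.
EAP_CONF = 'eap {\n ttls {\n  default_eap_type = "pap"\n  virtual_server = "inner-tunnel"\n }\n}'
INNER_CONF = 'server inner-tunnel {\n authorize {\n  files\n  pap\n }\n authenticate {\n  pap\n }\n}'

if __name__ == "__main__":
    print(check_eap_inner(parse_conf(EAP_CONF)))        # the error from the question
    print(check_inner_tunnel(parse_conf(INNER_CONF)))   # [] once pap is listed
```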

  • Updated the answer Commented Apr 20, 2017 at 12:28
  • Edited answer to include some more detail. Commented Apr 20, 2017 at 13:10