none
Eduroam Connectivity Problem In Windows 10 (EAP-TTLS/PAP) RRS feed

  • Question

  • Hello, in Microsoft Windows 10, we want to verify eduroam via FREERADIUS using EAP-TTLS/PAP, but we can't verify the password because freeradius has not received clear text. Authentication can be performed successfully using the same protocols (EAP-TTLS/PAP) in the Android operating system.

    I hope you can help me solve the problem.

    Wednesday, October 16, 2019 6:18 AM

All replies

  • Hi ,

    Here is an article talking about accessing Eduroam Wireless with Windows 10, check if it helps:

    Accessing Eduroam Wireless with Windows 10

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Candy


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Thursday, October 17, 2019 8:44 AM
  • Hi ,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.                  

    Best Regards,

    Candy


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Monday, October 21, 2019 3:34 AM
  • Hi ,

    Did you have any updates on this issue?

    Best Regards,

    Candy


    Please remember to mark the replies as an answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Wednesday, October 23, 2019 7:57 AM
  • This link has already been tried. Unfortunately, it didn't work. If you have any other suggestions, please write.

    Best Regards,

    Berke

    Tuesday, November 5, 2019 8:39 AM
  • Hello Berke,

    If you know that FreeRADIUS is not receiving a RADIUS_ATTR_USER_PASSWORD (2) attribute, do you know (and can you share) which attributes it is receiving (e.g. RADIUS_ATTR_CHAP_PASSWORD (3))?

    Gary

    Tuesday, November 5, 2019 10:04 AM
  • Hello Garry,

    You normally say" RADIUS_ATTR_USER_PASSWORD (2) " define in the program part of "eap_ttls.h".(http://docs.ros.org/diamondback/api/wpa_supplicant/html/eap__ttls_8h.html) I've scanned the entire FreeRADIUS, but I haven't come across a program fragment or file in this way.

    Berke



    Tuesday, November 5, 2019 2:58 PM
  • Hello Berke,

    In your first message, you wrote "but we can't verify the password because freeradius has not received clear text" - how do you know that this is the problem? What logging/debugging output did you look at to determine that a clear text password was not present amongst the attributes sent via EAP-TTLS?

    If you are looking for where the definitions of RADIUS attribute names are created in the FreeRADIUS source code, then they might be here: https://github.com/FreeRADIUS/freeradius-server/blob/master/share/dictionary/radius/dictionary.rfc2865

    Gary

    Tuesday, November 5, 2019 3:33 PM

  • Figure 1. Eduroam RadiusDebug For Android Device

    Figure 2. Eduroam RadiusDebug For Windows 10 Device

    Hello Gary,

    The screenshot shows the connection of Android device and Windows 10 device. The password that comes as clear text does not come as clear text on Windows 10 machines.

    Berke



    Thursday, November 21, 2019 10:28 AM
  • Hello Berke,

    This is what I can see in the Windows 10 screenshot:

    A list of RADIUS attributes at the top, including the attribute "EAP-Message". EAP-Message starts (when separated into bytes) 0x02 0x00 0x00 0x1b 0x01; 0x02 means Response, 0x001b is the length and 0x01 is the type (Identity). This is confirmed lower down when we see the text: "Peer sent EAP Response (code 2) ID 0 length 27".

    The next step would be to send a new EAP request with the type 21 (0x15) to start the EAP-TTLS method and this can be seen at the bottom:

        Peer sent packet with method EAP Identity (1)

        Calling submodule eap_ttls to process data

        Initiating new TLS session

    So we are still at an early point in the authentication process - once a TLS session has been established then the RADIUS attributes needed for PAP authentication can be sent in the TLS channel. One might hope to see a plaintext password later in the log.

    This is what I can see in the Android screenshot:

        No EAP-Message, not doing EAP

    Without more context, I can't tell exactly what is happening here - the log seems to show credentials being POSTed via HTTP to some server for verification.

    Gary

    Thursday, November 21, 2019 3:40 PM