peap/mschapv2 + mysql + filter-id

Adam W. Sewell awsewell at catawba.edu
Wed Jul 30 15:18:49 CEST 2008


Alan,
Thanks for your response, here is my radiusd -x log. Which config files would you need to look at? Also, I should mention that I'm using freeradius 2.0.5 and in the radreply table in the database, I've got the user generic set as such: generic Filter-ID = Enterasys:version=1:policy=good


Radiusd -X :
----------------------------------------

rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=23, length=232
        Message-Authenticator = 0x7bfcf42131d8e9e0ad6bd307268ae929
        User-Name = "generic"
        State = 0xcff4dbb0ca28c29d2aff3c6f56cfbfb0
        NAS-IP-Address = 192.16.240.77
        NAS-Port = 8
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-93-14-00"
        Framed-MTU = 1000
        EAP-Message = 0x02dc00501900170301002035fa330ba4242cd20f856d7f454f3a99369f0d89420580a95672e3a511de75551703010020db4e3af5e6efafb8d60462c5468639a95a088c91dc25d696cba8f952639298f6
        NAS-Identifier = "TEST_M48"
        NAS-Port-Id = "fe.0.8"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 220 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Identity - generic
  PEAP: Got tunneled identity of generic
  PEAP: Setting default EAP type for tunneled EAP session.
  PEAP: Setting User-Name to generic
+- entering group authorize
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 220 length 13
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
        expand: %{User-Name} -> generic
rlm_sql (sql): sql_set_user escaped user --> 'generic'
rlm_sql (sql): Reserving sql socket id: 3
        expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'generic'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'generic'           ORDER BY id
        expand: SELECT groupname           FROM usergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM usergroup           WHERE username = 'generic'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type mschapv2
rlm_eap_mschapv2: Issuing Challenge
++[eap] returns handled
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 23 to 192.16.240.77 port 1930
        EAP-Message = 0x01dd004b190017030100406e513bcbd4bf071acb8020531c484948b552e98290ce2f63732832cf39f800c2cdfe1247a1bdff73f334f40bb98763d6e837a0823b4e02b30a4fc324301868ec
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcff4dbb0c929c29d2aff3c6f56cfbfb0
Finished request 6.
Going to the next request
Waking up in 4.8 seconds.
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=24, length=296
        Message-Authenticator = 0x4e783fdb7836cc7f26aba095b8f84dba
        User-Name = "generic"
        State = 0xcff4dbb0c929c29d2aff3c6f56cfbfb0
        NAS-IP-Address = 192.16.240.77
        NAS-Port = 8
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-93-14-00"
        Framed-MTU = 1000
        EAP-Message = 0x02dd009019001703010020d08545003c24b1fc221d759b3397ce513e5a8e4919b77f32d4df3d6729b3fe86170301006040c03f0960339981014df3bb4edff293aac927d2a0fe4ab0eaa5c8b00668ec101a7e4237597001cc42f58922e1540dc3902c9c18b7b8ce243c410ddf32670f0d1a04b3f47661b6ff6877276941b56a78ec60c1b77ca9ba6ec598a30abfc700ec
        NAS-Identifier = "TEST_M48"
        NAS-Port-Id = "fe.0.8"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 221 length 144
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to generic
+- entering group authorize
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 221 length 67
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
        expand: %{User-Name} -> generic
rlm_sql (sql): sql_set_user escaped user --> 'generic'
rlm_sql (sql): Reserving sql socket id: 2
        expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'generic'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'generic'           ORDER BY id
        expand: SELECT groupname           FROM usergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM usergroup           WHERE username = 'generic'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
+- entering group MS-CHAP
  rlm_mschap: Told to do MS-CHAPv2 for generic with NT-Password
rlm_mschap: adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
  PEAP: Got tunneled Access-Challenge
++[eap] returns handled
Sending Access-Challenge of id 24 to 192.16.240.77 port 1930
        EAP-Message = 0x01de005b19001703010050aaba6e19dc927df16c4fbb14d73abd4a1ba6718b00d562988fc2d4ecce3330337bc03386d060f91ded0d1d2b1f2233718e737eb9f9f2d80bc40d496b60dd9505a92aef9ffbb37710b306c5d974005006
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcff4dbb0c82ac29d2aff3c6f56cfbfb0
Finished request 7.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=25, length=232
        Message-Authenticator = 0xe41d58872b5680231227ca5a2e4d5da8
        User-Name = "generic"
        State = 0xcff4dbb0c82ac29d2aff3c6f56cfbfb0
        NAS-IP-Address = 192.16.240.77
        NAS-Port = 8
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-93-14-00"
        Framed-MTU = 1000
        EAP-Message = 0x02de0050190017030100200a72ae019719cfe652b0673f44847665a0076c5c567244f9cbf96fdee5c32b5a1703010020a76fa56a89dc65800d2d8b497c0e4c2b5a16d3950a14b484b2709b7e89001bce
        NAS-Identifier = "TEST_M48"
        NAS-Port-Id = "fe.0.8"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 222 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  PEAP: Setting User-Name to generic
+- entering group authorize
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 222 length 6
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
        expand: %{User-Name} -> generic
rlm_sql (sql): sql_set_user escaped user --> 'generic'
rlm_sql (sql): Reserving sql socket id: 1
        expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'generic'           ORDER BY id
rlm_sql (sql): User found in radcheck table
        expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'generic'           ORDER BY id
        expand: SELECT groupname           FROM usergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM usergroup           WHERE username = 'generic'           ORDER BY priority
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_pap: Found existing Auth-Type, not changing it.
++[pap] returns noop
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 0 via TLS tunnel)
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
++[eap] returns handled
Sending Access-Challenge of id 25 to 192.16.240.77 port 1930
        EAP-Message = 0x01df002b1900170301002007b66e03cf1277bb89b88a78357462d463bce87424d6f2c889a218e607e2b958
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
Finished request 8.
Going to the next request
Waking up in 4.7 seconds.
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=26, length=232
        Message-Authenticator = 0xf246ed24c1d8cdece97a0b0814fc0d81
        User-Name = "generic"
        State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
        NAS-IP-Address = 192.16.240.77
        NAS-Port = 8
        NAS-Port-Type = Ethernet
        Calling-Station-Id = "00-16-D3-30-E5-74"
        Called-Station-Id = "00-01-F4-93-14-00"
        Framed-MTU = 1000
        EAP-Message = 0x02df00501900170301002090c5a627b284c660af3348c538297fc2b3e59ebbfa74ed335ebfdf782e3df0721703010020c24cb49475b2e47d8dbd0afb64f429081c610acdac786c7c26f1b28d152927a7
        NAS-Identifier = "TEST_M48"
        NAS-Port-Id = "fe.0.8"
+- entering group authorize
++[preprocess] returns ok
++[mschap] returns noop
    rlm_realm: No '@' in User-Name = "generic", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
  rlm_eap: EAP packet type response id 223 length 80
  rlm_eap: Continuing tunnel setup.
++[eap] returns ok
  rad_check_password:  Found Auth-Type EAP
auth: type "EAP"
+- entering group authenticate
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
++[eap] returns ok
Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 8 cli 00-16-D3-30-E5-74)
+- entering group post-auth
++[exec] returns noop
Sending Access-Accept of id 26 to 192.16.240.77 port 1930
        MS-MPPE-Recv-Key = 0x680f34a977769aa71a178722683534da074169a1b7f994e643785f0f90ba5930
        MS-MPPE-Send-Key = 0x502aacfc317b2197d001bc706b1581972ec6e97ffd344b2fe434dbda852a81c3
        EAP-Message = 0x03df0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "generic"
Finished request 9.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 17 with timestamp +15
Cleaning up request 1 ID 18 with timestamp +15
Cleaning up request 2 ID 19 with timestamp +15
Cleaning up request 3 ID 20 with timestamp +15
Waking up in 0.1 seconds.
Cleaning up request 4 ID 21 with timestamp +15
Cleaning up request 5 ID 22 with timestamp +15
Cleaning up request 6 ID 23 with timestamp +15
Cleaning up request 7 ID 24 with timestamp +15
Cleaning up request 8 ID 25 with timestamp +15
Cleaning up request 9 ID 26 with timestamp +15
Ready to process requests.

-----Original Message-----
From: Alan DeKok [mailto:aland at deployingradius.com] 
Sent: Wednesday, July 30, 2008 2:32 AM
To: FreeRadius users mailing list
Subject: Re: peap/mschapv2 + mysql + filter-id

Adam W. Sewell wrote:
> I've been working trying to setup freeradius to work with peap/mschapv2 backended by a mysql database on Enterasys switches. I've got almost everything working except for when a user authenticates with a 802.1x supplicant with peap/mschapv2, freeradius sends an access-accept packet but does not append the Filter-Id that is required for Enterasys switches to switch the default port policy. However, when I authenticate to the management portion of the switch, which uses pap, it authenticates and sends the Filter-Id as it should. I'm not sure what I'm missing here and I honestly don't know what configs you guys would need to see to help with this. So if I can provide any logs or config files, please let me know.

  Read the debug output.  Or, post the output here, and maybe a sample
of your config files.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
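The debug output above already contains the answer to the question in the thread: in requests 6 through 8 the `rlm_sql` lookup (and the `++[sql] returns ok` that follows it) runs only after `rlm_eap_peap: Session established.  Decoding tunneled attributes.`, that is, in the authorize pass for the inner, tunnelled MS-CHAPv2 request, so whatever radreply returns is attached to the inner reply. The outer `Access-Accept` for request 9 carries only the MPPE keys, the EAP-Message, the Message-Authenticator and the User-Name. The script below is an added example, not code from the thread or from the FreeRADIUS project; it parses a `radiusd -X` transcript, lists the attributes that actually went out in each `Access-Accept`, reports which expected reply attributes never appear there, and flags the request ids where the SQL module ran inside the tunnel. The embedded `SAMPLE_LOG` is a constructed excerpt modelled on requests 8 and 9 of the log above.

```python
"""Diagnose reply attributes that never reach the outer Access-Accept in a
radiusd -X transcript (added example, not part of the mailing-list post)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on requests 8 and 9 of the debug output in the
# thread: the SQL lookup runs inside the PEAP tunnel, then the outer
# Access-Accept is sent without any Filter-Id.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=25, length=232
        User-Name = "generic"
        NAS-IP-Address = 192.16.240.77
+- entering group authorize
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  PEAP: Setting User-Name to generic
+- entering group authorize
rlm_sql (sql): sql_set_user escaped user --> 'generic'
rlm_sql (sql): User found in radcheck table
++[sql] returns ok
Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 0 via TLS tunnel)
Sending Access-Challenge of id 25 to 192.16.240.77 port 1930
        EAP-Message = 0x01df002b1900170301002007b66e03cf1277bb89b88a78357462d463bce87424d6f2c889a218e607e2b958
        State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0
Finished request 8.
rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=26, length=232
        User-Name = "generic"
        NAS-IP-Address = 192.16.240.77
+- entering group authorize
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
+- entering group post-auth
Sending Access-Accept of id 26 to 192.16.240.77 port 1930
        MS-MPPE-Recv-Key = 0x680f34a977769aa71a178722683534da074169a1b7f994e643785f0f90ba5930
        MS-MPPE-Send-Key = 0x502aacfc317b2197d001bc706b1581972ec6e97ffd344b2fe434dbda852a81c3
        EAP-Message = 0x03df0004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "generic"
Finished request 9.
"""

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host \S+ port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to ")
ATTR_RE = re.compile(r"^\s+([\w-]+) = (.*)$")


@dataclass
class Packet:
    direction: str                 # "recv" (rad_recv) or "send" (Sending ...)
    code: str                      # Access-Request, Access-Challenge, Access-Accept
    pkt_id: int
    attrs: dict = field(default_factory=dict)
    tunneled: bool = False         # processing entered the PEAP tunnel
    sql_in_tunnel: bool = False    # rlm_sql ran after tunnelled attributes were decoded


def parse_log(text):
    """Split a radiusd -X transcript into received and sent packets."""
    packets = []
    current = None   # packet whose indented attribute lines we are collecting
    request = None   # Access-Request currently being processed
    for line in text.splitlines():
        m = RECV_RE.match(line)
        if m:
            current = request = Packet("recv", m.group(1), int(m.group(2)))
            packets.append(current)
            continue
        m = SEND_RE.match(line)
        if m:
            current = Packet("send", m.group(1), int(m.group(2)))
            packets.append(current)
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            current.attrs[m.group(1)] = m.group(2).strip()
            continue
        current = None   # any non-attribute line ends the attribute list
        if request is None:
            continue
        if "Decoding tunneled attributes" in line:
            request.tunneled = True
        elif request.tunneled and (line.startswith("rlm_sql") or "[sql]" in line):
            request.sql_in_tunnel = True
    return packets


def accept_attributes(packets):
    """Attributes actually sent in each Access-Accept, keyed by packet id."""
    return {p.pkt_id: p.attrs for p in packets
            if p.direction == "send" and p.code == "Access-Accept"}


def missing_reply_attributes(packets, expected):
    """Expected reply attributes that appear in no Access-Accept (case-insensitive)."""
    sent = {name.lower() for attrs in accept_attributes(packets).values() for name in attrs}
    return [name for name in expected if name.lower() not in sent]


def tunneled_sql_requests(packets):
    """Ids of requests where the SQL module ran inside the PEAP tunnel."""
    return [p.pkt_id for p in packets if p.direction == "recv" and p.sql_in_tunnel]


if __name__ == "__main__":
    pk = parse_log(SAMPLE_LOG)
    for pkt_id, attrs in accept_attributes(pk).items():
        print(f"Access-Accept id={pkt_id}: {', '.join(attrs)}")
    print("missing:", missing_reply_attributes(pk, ["Filter-Id"]))
    print("SQL ran inside the tunnel for request ids:", tunneled_sql_requests(pk))
```

Run against the full transcript (`radiusd -X > debug.log`, then `parse_log(open("debug.log").read())`) the same three checks tell you whether the problem is that the database never returned the attribute (it would be absent from the inner pass too) or, as here, that it was returned in the tunnelled pass and dropped on the way to the outer reply. For the latter, the setting to look at in FreeRADIUS 2.x (outside the thread, stated from the eap.conf shipped with 2.x) is `use_tunneled_reply` in the `peap` section of eap.conf, which controls whether reply attributes from the inner authentication are copied into the outer Access-Accept; it defaults to `no`.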