Switch sends EAP-Fail after Radius Access-Accept

Preyas Kamath p.kamath at cornet.com
Thu Aug 6 18:23:14 CEST 2015


Thanks for the replies. I went back to using the default radiusd.conf and
modified the client file to match my client IP subnet. However, it seems that
there is still a certificate mismatch. I built the cert in
/etc/raddb/certs. Any ideas? I read that the certificate generated using the
Makefile works with most OSes. Client is running Windows 7.

rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=211, length=156
        User-Name = "testuser"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "24-B6-57-D3-2C-8C"
        Calling-Station-Id = "5C-B9-01-B2-4A-15"
        EAP-Message = 0x0201000d017465737475736572
        Message-Authenticator = 0x991bd0b24878be987307b9720dd4c9ed
        NAS-Port-Type = Ethernet
        NAS-Port = 50112
        NAS-Port-Id = "GigabitEthernet1/0/12"
        NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 1 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 93
[files]         expand: Hello, %{User-Name} -> Hello, testuser
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 211 to 10.1.2.12 port 1645
        Reply-Message = "Hello, testuser"
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xadf0c5e3adf2dcafb375283b0a488eb1
Finished request 6.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=212, length=167
        User-Name = "testuser"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "24-B6-57-D3-2C-8C"
        Calling-Station-Id = "5C-B9-01-B2-4A-15"
        EAP-Message = 0x020200060311
        Message-Authenticator = 0x54788e58614c18954ae1c9fe3fdaa611
        NAS-Port-Type = Ethernet
        NAS-Port = 50112
        NAS-Port-Id = "GigabitEthernet1/0/12"
        State = 0xadf0c5e3adf2dcafb375283b0a488eb1
        NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 93
[files]         expand: Hello, %{User-Name} -> Hello, testuser
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/leap
[eap] processing type leap
  rlm_eap_leap: Stage 2
  rlm_eap_leap: Issuing AP Challenge
  rlm_eap_leap: Successfully initiated
++[eap] returns handled
Sending Access-Challenge of id 212 to 10.1.2.12 port 1645
        Reply-Message = "Hello, testuser"
        EAP-Message = 0x01030018110100087a19e6f0d4315cd47465737475736572
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xadf0c5e3acf3d4afb375283b0a488eb1
Finished request 7.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.2.12 port 1645, id=213, length=201
        User-Name = "testuser"
        Service-Type = Framed-User
        Framed-MTU = 1500
        Called-Station-Id = "24-B6-57-D3-2C-8C"
        Calling-Station-Id = "5C-B9-01-B2-4A-15"
        EAP-Message = 0x020300281101001866e12f1d13159a30833646856e73271313b09d0bf85f645e7465737475736572
        Message-Authenticator = 0x22cf06518157775f54c2ecaa09311ee1
        NAS-Port-Type = Ethernet
        NAS-Port = 50112
        NAS-Port-Id = "GigabitEthernet1/0/12"
        State = 0xadf0c5e3acf3d4afb375283b0a488eb1
        NAS-IP-Address = 10.1.2.12
# Executing section authorize from file /etc/raddb/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "testuser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 3 length 40
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry testuser at line 93
[files]         expand: Hello, %{User-Name} -> Hello, testuser
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/leap
[eap] processing type leap
  rlm_eap_leap: Stage 4
  rlm_eap_leap: NtChallengeResponse from AP is valid
[eap] Underlying EAP-Type set EAP ID to 4
++[eap] returns ok
# Executing section post-auth from file /etc/raddb/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Challenge of id 213 to 10.1.2.12 port 1645
        Reply-Message = "Hello, testuser"
        EAP-Message = 0x03040004
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xadf0c5e3aff4d4afb375283b0a488eb1
Finished request 8.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 6 ID 211 with timestamp +10517
Cleaning up request 7 ID 212 with timestamp +10517
Cleaning up request 8 ID 213 with timestamp +10517
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xadf0c5e3aff4d4af did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Ready to process requests.

Regards
Preyas
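The EAP-Message values in the debug output above can be decoded directly, which shows what the supplicant and server actually agreed on. The Python below is an added example for this thread (not FreeRADIUS code and not the poster's): it parses each value using the RFC 3748 header layout (code, id, length, type) plus the LEAP and PEAP payload layouts, with the hex strings copied from the log; the type numbers are the IANA EAP method registry values. Walking the exchange in order gives: Identity response "testuser"; a server request of type 25 (PEAP) with the Start flag set; a Nak from the supplicant asking for type 17 (LEAP); the LEAP challenge and its 24-byte response; and a final EAP-Success (code 3, id 4). So no TLS handshake, and therefore no server certificate, was exchanged in this trace, and the Success was carried in an Access-Challenge rather than an Access-Accept, after which the server reaped the session as unfinished.

```python
"""Decode the EAP-Message values from a FreeRADIUS debug log (RFC 3748 layout).

Added example for this thread, not code from FreeRADIUS or from the poster.
The hex strings in LOG_EAP_MESSAGES are copied from the debug output above.
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers from the IANA registry (only those seen in this trace).
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 17: "LEAP", 25: "PEAP"}


def decode_eap(hex_value):
    """Parse one EAP-Message value as printed by radiusd -X ("0x...").

    Returns a dict with code, id, length and, for Request/Response packets,
    the method type plus a small type-specific summary of the payload.
    """
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header is at least 4 bytes")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"length field {length} != {len(data)} bytes on the wire")
    pkt = {"code": EAP_CODES.get(code, f"code {code}"), "id": ident, "length": length}
    if code in (3, 4):                       # Success / Failure: header only
        return pkt
    eap_type = data[4]
    pkt["type"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    body = data[5:]
    if eap_type == 1:                        # Identity: the supplicant's name
        pkt["identity"] = body.decode("ascii", "replace")
    elif eap_type == 3:                      # Nak: the types the peer will accept
        pkt["wants"] = [EAP_TYPES.get(t, f"type {t}") for t in body]
    elif eap_type == 17:                     # LEAP: version, unused, count, data, name
        count = body[2]
        pkt["leap"] = {"version": body[0], "count": count,
                       "data": body[3:3 + count].hex(),
                       "name": body[3 + count:].decode("ascii", "replace")}
    elif eap_type == 25:                     # PEAP: flags byte; 0x20 is the S (Start) bit
        pkt["peap"] = {"start": bool(body[0] & 0x20), "version": body[0] & 0x07}
    return pkt


# Copied from the debug log above, in the order they were exchanged.
LOG_EAP_MESSAGES = [
    "0x0201000d017465737475736572",
    "0x010200061920",
    "0x020200060311",
    "0x01030018110100087a19e6f0d4315cd47465737475736572",
    "0x020300281101001866e12f1d13159a30833646856e73271313b09d0bf85f645e7465737475736572",
    "0x03040004",
]


def negotiated_method(messages):
    """Return (type the server first offered, type the peer asked for via Nak).

    The second element is None when the peer never sent a Nak, i.e. it went
    along with the server's first offer.
    """
    offered = requested = None
    for value in messages:
        pkt = decode_eap(value)
        if pkt["code"] == "Request" and pkt["type"] != "Identity" and offered is None:
            offered = pkt["type"]
        elif pkt["code"] == "Response" and pkt["type"] == "Nak" and requested is None:
            requested = pkt["wants"][0] if pkt["wants"] else None
    return offered, requested


def summarize(messages=LOG_EAP_MESSAGES):
    """One readable line per packet, in exchange order."""
    lines = []
    for value in messages:
        pkt = decode_eap(value)
        detail = {k: v for k, v in pkt.items() if k not in ("code", "id", "length")}
        lines.append(f"{pkt['code']:8} id={pkt['id']} len={pkt['length']:2} {detail}")
    return lines


if __name__ == "__main__":
    for line in summarize():
        print(line)
    print("offered/requested:", negotiated_method(LOG_EAP_MESSAGES))
```

Running the script prints one line per packet and then `offered/requested: ('PEAP', 'LEAP')`. The length check in `decode_eap` matters when pasting from a wrapped e-mail: a hex value that was split across lines will fail it rather than decode silently into the wrong fields.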

-----Original Message-----
From: Freeradius-Users
[mailto:freeradius-users-bounces+p.kamath=cornet.com at lists.freeradius.org]
On Behalf Of A.L.M.Buxey at lboro.ac.uk
Sent: Thursday, August 06, 2015 9:29 AM
To: FreeRadius users mailing list
Subject: Re: Switch sends EAP-Fail after Radius Access-Accept

Hi,

> [preyask at localhost controller-ned]$ cat /etc/raddb/small.conf listen {
>     type = auth
>     ipaddr = *
>     port = 1812
> }
> client 10.1.2.0/24 { # allow packets from 10.1.2.0/24    
>     secret = testing123
>     shortname = 10.1.2.12
> }
> modules { # We don't use any modules
> }
> authorize { # return Access-Accept for PAP and CHAP
>     update control {
>         Auth-Type := Accept
>     }
> }

yeh. that won't work....start with the default configuration and THEN start
slimming it down

big hints - you are using EAP thus you ARE using modules....in fact ALL work
in FreeRADIUS uses modules.  you are doing EAP - therefore the request needs
to go into a virtual server that is called in the eap.conf configuration.
default in virtual-server.

I'll repeat. stop what you are currently doing, install the default config,
add your client and THEN start work....once it's working and you get to know
what each module does and how the server works, THEN reduce the
configuration

alan
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
