Errors authenticating certain users.

Migo Pod migopod at gmail.com
Tue Dec 29 19:16:38 CET 2015


It did drop some .rpmnew files in raddb, modules and sites-available and
for whatever reason it didn't mess up the custom dictionary this time. I
tried re-symlinking inner-tunnel and default it doesn't appear to be
behaving any differently. The non-rpmnew configuration files haven't
changed recently at all.

Thanks,
 -mat

On Tue, Dec 29, 2015 at 12:02 PM, Peter Lambrechtsen <peter at crypt.co.nz>
wrote:

> I wouldn't be so sure /etc/etc wasn't updated.
>
> Have you gone back to your backup and compared all the files??
>
> If you're not running eap I find the symlink in sites-enabled for
> inner-tunnel always comes back each time I patch. So I wouldn't be at all
> surprised if files got over written by updating core packages.
>
> If you have custom dictionaries they always seem to get messed up by
> patching too.
> On 30/12/2015 6:52 AM, "Migo Pod" <migopod at gmail.com> wrote:
>
> > In proxy.conf all of the defined realms have nostrip included, and the
> > only thing I can find that explicitly rewrites anything is a directive in
> > the NULL realm that sets Stripped-User-Name to mschap:User-Name when the
> > User-Name matches a /host\/[^\.].(.+)/ regex, and that's been in there
> > since at least 2013. I've tried removing that clause from the realm and
> > it didn't appear to affect anything. Other than that, I can't find anything
> > that sets User-Name to anything at all.
> >
> > Of course things changed on the 16th when updates ran, but none of the
> > files in /etc/raddb were modified since yum doesn't overwrite modified
> > files, and the rpm changelogs aren't being particularly helpful.
> >
> > Thanks,
> >  -mat
> >
> > On Tue, Dec 29, 2015 at 10:59 AM, Alan DeKok <aland at deployingradius.com>
> > wrote:
> >
> > > On Dec 29, 2015, at 11:39 AM, Migo Pod <migopod at gmail.com> wrote:
> > > >
> > > > The change would have been whatever changed with yum-update, which
> > > > ran on the 16th, and did include the freeradius, freeradius-utils and
> > > > freeradius-mysql packages, but according to the RedHat change logs
> > > > those packages were updated in September to fix the miscalculated MPPE
> > > > keys with TLS 1.2 and nothing beyond that.
> > >
> > >   Clearly there was something beyond that.
> > >
> > > > Full debug:
> > > > Waking up in 2.6 seconds.
> > > > rad_recv: Access-Request packet from host 172.18.255.6 port 20002,
> > > > id=254, length=162
> > > >        NAS-Port-Id = "AP1306/2"
> > > >        Calling-Station-Id = "6C-88-14-54-69-28"
> > > >        Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi"
> > > >        Service-Type = Framed-User
> > > >        EAP-Message = 0x020100120141445c706f6469612d75736572
> > > >        User-Name = "AD\\podia-user"
> > >
> > >   Which shows that the User-Name is correct.
> > >
> > > >        NAS-Port = 64901
> > > >        NAS-Port-Type = Wireless-802.11
> > > >        NAS-IP-Address = 172.18.255.6
> > > >        NAS-Identifier = "Juniper"
> > > >        Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f
> > > > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > > > +group authorize {
> > > > ++[preprocess] = ok
> > > > ++[mschap] = noop
> > > > ++[digest] = noop
> > > > [suffix] No '@' in User-Name = "podia-user", looking up realm NULL
> > > > [suffix] Found realm "NULL"
> > > > [suffix] Adding Realm = "NULL"
> > > > [suffix] Authentication realm is LOCAL.
> > > > ++[suffix] = ok
> > >
> > >   Something there is re-writing the User-Name to remove the "AD"
> > > portion.
> > >
> > >   Check the configuration of the "suffix" module.  Does it have
> > > "strip = yes" ?
> > >
> > > > [eap] EAP packet type response id 1 length 18
> > > > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > > > ++[eap] = updated
> > > > [files] users: Matched entry DEFAULT at line 50
> > >
> > >   Does that entry strip the user name?
> > > >
> > > > [eap] Identity (AD\podia-user) does not match User-Name (podia-user).
> > >
> > >   The User-Name has been re-written from "AD\podia-user" to
> > > "podia-user".
> > > It doesn't happen by magic.  Something has updated it.
> > >
> > >   Alan DeKok.
> > >
> > >
> > > -
> > > List info/subscribe/unsubscribe? See
> > > http://www.freeradius.org/list/users.html
> > >


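The mismatch Alan points at, "Identity (AD\podia-user) does not match User-Name (podia-user)", is the eap module comparing the identity carried inside EAP-Message against the User-Name attribute as other modules have left it. The following is an added example, not code from the thread or from FreeRADIUS itself: it decodes the EAP Identity from the hex EAP-Message quoted in the debug, models the realm module's suffix (user@realm) and prefix (realm\user) splitting with and without strip, and shows that the poster's /host\/[^\.].(.+)/ clause cannot be what rewrote this particular name. The function names and the strip/nostrip model are assumptions made for the example; the sample attribute values are taken from the quoted debug output.

```python
"""Added example (not from the thread or from FreeRADIUS): check an EAP
Identity against User-Name after realm handling, mirroring the eap module's
"Identity (...) does not match User-Name (...)" consistency check."""
import re

# Values copied from the debug output quoted in the thread.
EAP_MESSAGE_HEX = "0x020100120141445c706f6469612d75736572"
USER_NAME = "AD\\podia-user"

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1

# Python form of the regex the poster's NULL realm clause matches on.
HOST_CLAUSE_RE = re.compile(r"host/[^.].(.+)")


def parse_eap_identity(eap_message_hex):
    """Return the identity from an EAP-Response/Identity, or None.

    EAP layout (RFC 3748): Code(1) Identifier(1) Length(2) Type(1) Type-Data.
    A packet whose Length field disagrees with the attribute size is rejected
    rather than partially decoded.
    """
    text = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        return None
    code, length = raw[0], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        return None
    if code != EAP_CODE_RESPONSE or raw[4] != EAP_TYPE_IDENTITY:
        return None
    return raw[5:].decode("utf-8", errors="replace")


def split_realm(user_name, fmt="suffix", delimiter="@"):
    """Split user_name into (user, realm) the way the realm module's suffix
    (user@realm) or prefix (realm\\user) formats do. Realm is None when the
    delimiter is absent, which is the NULL realm case in the debug output."""
    if delimiter not in user_name:
        return user_name, None
    if fmt == "suffix":
        user, _, realm = user_name.rpartition(delimiter)
    else:
        realm, _, user = user_name.partition(delimiter)
    return user, realm


def effective_user_name(user_name, strip, fmt="suffix", delimiter="@"):
    """User-Name as later modules would see it: unchanged for nostrip (or no
    realm found), the stripped user part when the realm is set to strip."""
    user, realm = split_realm(user_name, fmt, delimiter)
    if realm is None or not strip:
        return user_name
    return user


def identity_matches(eap_message_hex, user_name, strip=False, fmt="suffix", delimiter="@"):
    """True when the EAP Identity equals the (possibly stripped) User-Name."""
    identity = parse_eap_identity(eap_message_hex)
    if identity is None:
        return False
    return identity == effective_user_name(user_name, strip, fmt, delimiter)


def host_clause_matches(user_name):
    """Whether the poster's host/... realm clause would fire for this name."""
    return HOST_CLAUSE_RE.search(user_name) is not None


if __name__ == "__main__":
    print("identity:", parse_eap_identity(EAP_MESSAGE_HEX))
    print("suffix realm, nostrip:", identity_matches(EAP_MESSAGE_HEX, USER_NAME))
    print("prefix realm, strip:", identity_matches(EAP_MESSAGE_HEX, USER_NAME, True, "prefix", "\\"))
    print("host clause fires:", host_clause_matches(USER_NAME))
```

With the quoted values the suffix split finds no '@', so nothing is stripped and the identity matches; only a prefix-style split on the backslash with strip enabled produces the "podia-user" seen in the debug, which is why a realm or module that strips the domain part is the thing to look for in the configuration that changed.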