Access-Challenge on proxied radius request on eduroam

Turner, Ryan H rhturner at email.unc.edu
Mon Oct 3 22:28:44 CEST 2016


I am prepared for a lashing, because I am sure I have missed something stupid.

We are running 2.2.8 (yes, I know we should be on 3.X.  My systems architect quit and we are hiring another one and one of the first projects will be to get to 3.X.  If you want to apply, message me).

Eduroam is our primary SSID on campus and we run EAP-TLS. We authenticate tens of thousands of people on our campus, and people at foreign campuses, every single day. However, there is one school nearby where neither our users can authenticate on their network (using eduroam, which proxies back to our campus) nor can their users authenticate on ours. I am totally miffed. If I do a radius -XXX on an attempt (UNC person is at the foreign institution connecting, which proxies the auth packet to us), this is what I see on our local freeradius server:

(Summary: we are sending an access challenge to the user, who connects perfectly fine on our own network but fails to connect on their network. What is going on???)

rad_recv: Access-Request packet from host 152.2.X.X port 1814, id=0, length=276
        User-Name = "username_removed at unc.edu"
        NAS-IP-Address = 10.229.9.1
        NAS-Port = 0
        NAS-Identifier = "10.229.9.1"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "mac_address_removed"
        Called-Station-Id = "001A1E00ED18"
        Service-Type = Framed-User
        Framed-MTU = 1100
        EAP-Message = 0x020800060d00
        Aruba-Essid-Name = "eduroam"
        Aruba-Location-Id = "aEtc3-W"
        Aruba-AP-Group = "ncssm-hi-avail-hi-density-ap-group"
        Aruba-Device-Type = "OS X"
        Message-Authenticator = 0x7afdd181fbc9ca389829bce95736da1f
        State = 0x16deaa5213d6a791b4d184b49f08d1c8
        Vendor-9048-Attr-0 = 0x50726f786965642d42793d544c5253322e656475726f616d2e7573
        Proxy-State = 0x313937
Mon Oct  3 16:12:29 2016 : Info: # Executing section authorize from file /opt/unc/freeradius-2.2.8/root/etc/raddb/sites-enabled/default
Mon Oct  3 16:12:29 2016 : Info: +group authorize {
Mon Oct  3 16:12:29 2016 : Info: ++[preprocess] = ok
Mon Oct  3 16:12:29 2016 : Info: ++[chap] = noop
Mon Oct  3 16:12:29 2016 : Info: ++[mschap] = noop
Mon Oct  3 16:12:29 2016 : Info: ++[digest] = noop
Mon Oct  3 16:12:29 2016 : Info: [suffix] Looking up realm "unc.edu" for User-Name = "username_removed at unc.edu"
Mon Oct  3 16:12:29 2016 : Info: [suffix] Found realm "unc.edu"
Mon Oct  3 16:12:29 2016 : Info: [suffix] Adding Realm = "unc.edu"
Mon Oct  3 16:12:29 2016 : Info: [suffix] Authentication realm is LOCAL.
Mon Oct  3 16:12:29 2016 : Info: ++[suffix] = ok
Mon Oct  3 16:12:29 2016 : Info: [eap] EAP packet type response id 8 length 6
Mon Oct  3 16:12:29 2016 : Info: [eap] No EAP Start, assuming it's an on-going EAP conversation
Mon Oct  3 16:12:29 2016 : Info: ++[eap] = updated
Mon Oct  3 16:12:29 2016 : Info: [files] users: Matched entry DEFAULT at line 42
Mon Oct  3 16:12:29 2016 : Info: ++[files] = ok
Mon Oct  3 16:12:29 2016 : Info: ++[expiration] = noop
Mon Oct  3 16:12:29 2016 : Info: ++[logintime] = noop
Mon Oct  3 16:12:29 2016 : Info: ++[pap] = noop
Mon Oct  3 16:12:29 2016 : Info: +} # group authorize = updated
Mon Oct  3 16:12:29 2016 : Info: Found Auth-Type = EAP
Mon Oct  3 16:12:29 2016 : Info: # Executing group from file /opt/unc/freeradius-2.2.8/root/etc/raddb/sites-enabled/default
Mon Oct  3 16:12:29 2016 : Info: +group authenticate {
Mon Oct  3 16:12:29 2016 : Info: [eap] Request found, released from the list
Mon Oct  3 16:12:29 2016 : Info: [eap] EAP/tls
Mon Oct  3 16:12:29 2016 : Info: [eap] processing type tls
Mon Oct  3 16:12:29 2016 : Info: [tls] Authenticate
Mon Oct  3 16:12:29 2016 : Info: [tls] processing EAP-TLS
Mon Oct  3 16:12:29 2016 : Info: [tls] Received TLS ACK
Mon Oct  3 16:12:29 2016 : Info: [tls] ACK handshake fragment handler
Mon Oct  3 16:12:29 2016 : Info: [tls] eaptls_verify returned 1
Mon Oct  3 16:12:29 2016 : Info: [tls] eaptls_process returned 13
Mon Oct  3 16:12:29 2016 : Info: ++[eap] = handled
Mon Oct  3 16:12:29 2016 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 0 to 152.2.X.X port 1814
        EAP-Message = ...
        EAP-Message = ...
Mon Oct  3 16:12:29 2016 : Info: ++[files] = ok
Mon Oct  3 16:12:29 2016 : Info: ++[expiration] = noop
Mon Oct  3 16:12:29 2016 : Info: ++[logintime] = noop
Mon Oct  3 16:12:29 2016 : Info: ++[pap] = noop
Mon Oct  3 16:12:29 2016 : Info: +} # group authorize = updated
Mon Oct  3 16:12:29 2016 : Info: Found Auth-Type = EAP
Mon Oct  3 16:12:29 2016 : Info: # Executing group from file /opt/unc/freeradius-2.2.8/root/etc/raddb/sites-enabled/default
Mon Oct  3 16:12:29 2016 : Info: +group authenticate {
Mon Oct  3 16:12:29 2016 : Info: [eap] Request found, released from the list
Mon Oct  3 16:12:29 2016 : Info: [eap] EAP/tls
Mon Oct  3 16:12:29 2016 : Info: [eap] processing type tls
Mon Oct  3 16:12:29 2016 : Info: [tls] Authenticate
Mon Oct  3 16:12:29 2016 : Info: [tls] processing EAP-TLS
Mon Oct  3 16:12:29 2016 : Info: [tls] Received TLS ACK
Mon Oct  3 16:12:29 2016 : Info: [tls] ACK handshake fragment handler
Mon Oct  3 16:12:29 2016 : Info: [tls] eaptls_verify returned 1
Mon Oct  3 16:12:29 2016 : Info: [tls] eaptls_process returned 13
Mon Oct  3 16:12:29 2016 : Info: ++[eap] = handled
Mon Oct  3 16:12:29 2016 : Info: +} # group authenticate = handled
Sending Access-Challenge of id 0 to 152.2.X.X port 1814
        EAP-Message = ...
        EAP-Message = ...
        EAP-Message = 0x2d2047320086308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473200653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747900cd3081ca310b300906
        EAP-Message = ...
        EAP-Message = 0x686f72697479313830360603
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x16deaa5210d7a791b4d184b49f08d1c8
        Proxy-State = 0x313937
Mon Oct  3 16:12:29 2016 : Info: Finished request 888.
Mon Oct  3 16:12:29 2016 : Debug: Going to the next request
Mon Oct  3 16:12:29 2016 : Debug: Waking up in 0.3 seconds.



Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r at unc.edu
+1 919 445 0113 Office
+1 919 274 7926 Mobile
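The debug output above shows a normal mid-handshake exchange: the proxied Access-Request carries a six-byte EAP-Message (an EAP-TLS ACK, which is why radiusd logs "Received TLS ACK"), and the server answers with an Access-Challenge whose EAP-Message is split across many RADIUS attributes; the one fragment left visible decodes to X.509 name fields of a "Go Daddy Root Certificate Authority - G2", so the challenge is carrying the server certificate chain. When such an exchange works locally but fails through a roaming proxy, the things to check are the EAP framing and how many challenge round trips the chain costs, since every fragment is a separate Access-Challenge/ACK pair that has to traverse each proxy hop with its State intact. The following Python is an added example written for this thread, not code from the post or from FreeRADIUS: it parses the `EAP-Message` attributes out of a `radiusd -X` dump, decodes the EAP header and EAP-TLS flags (RFC 3748 and RFC 5216), and, for a constructed TLS payload, shows how the fragmentation and round-trip count follow from the fragment size. The `SAMPLE_DEBUG` text is constructed from the request lines of the post; the 3 KB TLS flight is synthetic.

```python
"""Decode EAP-Message attributes from a FreeRADIUS debug dump (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TLS_TYPE = 13  # IANA EAP method type for EAP-TLS

# Constructed from the request in the post; the EAP-Message value is the
# client's EAP-TLS ACK exactly as radiusd printed it.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 152.2.X.X port 1814, id=0, length=276
        User-Name = "username_removed at unc.edu"
        Framed-MTU = 1100
        EAP-Message = 0x020800060d00
        State = 0x16deaa5213d6a791b4d184b49f08d1c8
"""


@dataclass
class EapTls:
    code: str
    identifier: int
    length: int
    eap_type: Optional[int]
    length_included: bool = False   # L flag (0x80): 4-byte TLS total length follows
    more_fragments: bool = False    # M flag (0x40): more EAP-TLS fragments coming
    tls_start: bool = False         # S flag (0x20): EAP-TLS/Start from the server
    tls_total_length: Optional[int] = None
    tls_data: bytes = b""

    @property
    def is_ack(self) -> bool:
        # No flags and no data: the "TLS ACK" that radiusd logs as such.
        return (self.eap_type == EAP_TLS_TYPE and not self.tls_data and
                not (self.length_included or self.more_fragments or self.tls_start))


def extract_eap_message(debug_text: str) -> bytes:
    """Join every EAP-Message attribute of one packet back into one EAP packet.
    RADIUS carries EAP in chunks of at most 253 bytes, in order (RFC 3579)."""
    chunks = re.findall(r"EAP-Message = 0x([0-9a-fA-F]+)", debug_text)
    return b"".join(bytes.fromhex(c) for c in chunks)


def decode_eap(pkt: bytes) -> EapTls:
    """Parse the EAP header, and the EAP-TLS flags/length if the type is 13."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:4], "big")
    if length != len(pkt):
        raise ValueError(f"EAP length field {length} != {len(pkt)} bytes received")
    if code in (3, 4):  # Success/Failure have no Type field
        return EapTls(EAP_CODES[code], ident, length, None)
    eap_type = pkt[4]
    out = EapTls(EAP_CODES.get(code, f"code {code}"), ident, length, eap_type)
    if eap_type != EAP_TLS_TYPE:
        out.tls_data = pkt[5:]
        return out
    flags = pkt[5]
    out.length_included = bool(flags & 0x80)
    out.more_fragments = bool(flags & 0x40)
    out.tls_start = bool(flags & 0x20)
    body = pkt[6:]
    if out.length_included:
        out.tls_total_length = int.from_bytes(body[:4], "big")
        body = body[4:]
    out.tls_data = body
    return out


def fragment_eap_tls(tls_flight: bytes, frag_size: int, first_id: int) -> List[bytes]:
    """Split a TLS flight into EAP-Request/EAP-TLS packets of at most frag_size
    bytes: L+M on the first fragment, M on the middle ones, no flags on the last."""
    packets, pos, ident, first = [], 0, first_id, True
    while True:
        room = frag_size - 6 - (4 if first else 0)  # header+type+flags (+TLS length)
        chunk = tls_flight[pos:pos + room]
        pos += len(chunk)
        last = pos >= len(tls_flight)
        flags = (0x80 if first else 0) | (0 if last else 0x40)
        body = bytes([EAP_TLS_TYPE, flags])
        if first:
            body += len(tls_flight).to_bytes(4, "big")
        body += chunk
        packets.append(bytes([1, ident & 0xFF]) + (4 + len(body)).to_bytes(2, "big") + body)
        ident, first = ident + 1, False
        if last:
            return packets


def reassemble(packets: List[bytes]) -> bytes:
    return b"".join(decode_eap(p).tls_data for p in packets)


def challenge_round_trips(tls_flight_len: int, frag_size: int) -> int:
    """Each fragment costs one Access-Challenge plus one ACK through every proxy hop."""
    return len(fragment_eap_tls(b"\x00" * tls_flight_len, frag_size, 1))


if __name__ == "__main__":
    print(decode_eap(extract_eap_message(SAMPLE_DEBUG)))
    print("round trips for a 3000-byte certificate flight:", challenge_round_trips(3000, 1024))
```

Feeding the whole Access-Challenge section of a dump to `extract_eap_message` (with the elided attributes restored) and then `decode_eap` tells you the fragment's flags and, on the first fragment, the total size of the certificate flight the client will have to ACK fragment by fragment. The 1024 in the usage line matches the `fragment_size` default in the 2.x `eap.conf`; a smaller value (or a peer whose Framed-MTU is lower, as the 1100 in this request) means more round trips for the same chain, and a chain built from a public CA with several intermediates can easily need a handful of them.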


