(802.1X) PEAPv0/EAP-MSCHAPv2 : duplicate access-request

3@D4rkn3ss DuMb 32d4rkn3ss at gmail.com
Tue Feb 21 07:06:32 CET 2017


Dear list,

After successfully deploying FreeRADIUS v3.0.11 against an Active Directory
2008, everything seemed to be fine during the test (wired), but
something weird started to happen when I put the server in production. In
fact, we noticed that some stations (Windows machines) just got kicked out
randomly and suddenly. We fired up a packet analyzer and found out that the
station got an Access-Reject from the RADIUS server after a duplicate
"Access-Request".

The following diagram describes a little bit what happened
__________________________________________________________________________________________

  station              cisco switch                         freeradius        AD 2008
     |                       |                                   |               |
     |<------ eap req-id -----|                                   |               |
     |------ eap resp-id ---->|                                   |               |
     |                       |------------- radius access-req -->|               |
     |                       |<---------- radius access-challenge|               |
     |<- eap request/eap-type challenge                          |               |
     |---------- ? ---------->|                                   |               |
     |                       |-- radius access-req (duplicate) ->|               |
     |                       |<------------- radius access-reject|               |

__________________________________________________________________________________________
and the corresponding trace

_____________________________________________________________________________________________________________________________________________________________
No.     Time           Source                Destination           Protocol Length Info
   4379 24010.421900   10.100.100.111        192.168.0.13          RADIUS   223    Access-Request(1) (id=120, l=181)

Frame 4379: 223 bytes on wire (1784 bits), 223 bytes captured (1784 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 20, 2017 14:31:42.767734000 Afrique de l’Est
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1487590302.767734000 seconds
    [Time delta from previous captured frame: 0.015441000 seconds]
    [Time delta from previous displayed frame: 0.015441000 seconds]
    [Time since reference or first frame: 24010.421900000 seconds]
    Frame Number: 4379
    Frame Length: 223 bytes (1784 bits)
    Capture Length: 223 bytes (1784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:radius:eap]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CiscoInc_e7:58:c1 (6c:20:56:e7:58:c1), Dst: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
    Destination: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        Address: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CiscoInc_e7:58:c1 (6c:20:56:e7:58:c1)
        Address: CiscoInc_e7:58:c1 (6c:20:56:e7:58:c1)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.100.100.111, Dst: 192.168.0.13
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 209
    Identification: 0x6f80 (28544)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (17)
    Header checksum: 0x1d13 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.100.100.111
    Destination: 192.168.0.13
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 1645 (1645), Dst Port: 1812 (1812)
    Source Port: 1645
    Destination Port: 1812
    Length: 189
    Checksum: 0xcad9 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x78 (120)
    Length: 181
    Authenticator: 8e1e0033348fcf333cf84a46404d7d73
    [The response to this request is in frame 4380]
    Attribute Value Pairs
        AVP: l=24 t=User-Name(1): host/adminlp.aros.lan
            User-Name: host/adminlp.aros.lan
        AVP: l=6 t=Service-Type(6): Framed(2)
            Service-Type: Framed (2)
        AVP: l=6 t=Framed-MTU(12): 1500
            Framed-MTU: 1500
        AVP: l=19 t=Called-Station-Id(30): AC-7E-8A-7B-7B-A0
            Called-Station-Id: AC-7E-8A-7B-7B-A0
        AVP: l=19 t=Calling-Station-Id(31): C4-34-6B-54-C0-2C
            Calling-Station-Id: C4-34-6B-54-C0-2C
        AVP: l=8 t=EAP-Message(79) Last Segment[1]
            EAP fragment: 020800061900
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 8
                Length: 6
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0x00
                    0... .... = Length Included: False
                    .0.. .... = More Fragments: False
                    ..0. .... = Start: False
                    .... .000 = Version: 0
        AVP: l=18 t=Message-Authenticator(80): 5563952a01377f93d4e4a02c0dfa30f8
            Message-Authenticator: 5563952a01377f93d4e4a02c0dfa30f8
        AVP: l=2 t=EAP-Key-Name(102):
            EAP-Key-Name:
        AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
            NAS-Port-Type: Ethernet (15)
        AVP: l=6 t=NAS-Port(5): 50132
            NAS-Port: 50132
        AVP: l=23 t=NAS-Port-Id(87): GigabitEthernet1/0/32
            NAS-Port-Id: GigabitEthernet1/0/32
        AVP: l=18 t=State(24): 3a9592963b9d8bd01b3c353177f2a183
            State: 3a9592963b9d8bd01b3c353177f2a183
        AVP: l=6 t=NAS-IP-Address(4): 10.100.100.111
            NAS-IP-Address: 10.100.100.111

No.     Time           Source                Destination           Protocol Length Info
   4380 24010.423040   192.168.0.13          10.100.100.111        RADIUS   1116   Access-Challenge(11) (id=120, l=1074)

Frame 4380: 1116 bytes on wire (8928 bits), 1116 bytes captured (8928 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 20, 2017 14:31:42.768874000 Afrique de l’Est
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1487590302.768874000 seconds
    [Time delta from previous captured frame: 0.001140000 seconds]
    [Time delta from previous displayed frame: 0.001140000 seconds]
    [Time since reference or first frame: 24010.423040000 seconds]
    Frame Number: 4380
    Frame Length: 1116 bytes (8928 bits)
    Capture Length: 1116 bytes (8928 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:radius:eap]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Vmware_c9:f4:da (00:0c:29:c9:f4:da), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        Address: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.0.13, Dst: 10.100.100.111
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 1102
    Identification: 0x2e00 (11776)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x1917 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.0.13
    Destination: 10.100.100.111
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 1812 (1812), Dst Port: 1645 (1645)
    Source Port: 1812
    Destination Port: 1645
    Length: 1082
    Checksum: 0x33d4 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
RADIUS Protocol
    Code: Access-Challenge (11)
    Packet identifier: 0x78 (120)
    Length: 1074
    Authenticator: c5909ec6bdb68f7077967c825cf2fe9d
    [This is a response to a request in frame 4379]
    [Time from request: 0.001140000 seconds]
    Attribute Value Pairs
        AVP: l=255 t=EAP-Message(79) Segment[1]
            EAP fragment: 010903f21940c9ebbb122fd0040cc7a2836a3d5a9474629f...
        AVP: l=255 t=EAP-Message(79) Segment[2]
            EAP fragment: 864886f70d010901160f61646d696e7379734062666d2e6d...
        AVP: l=255 t=EAP-Message(79) Segment[3]
            EAP fragment: 82010a0282010100cd45365d93a25c082074dd513a1ce5a9...
        AVP: l=253 t=EAP-Message(79) Last Segment[4]
            EAP fragment: b87acae3d07134cf02c67b0203010001a382013830820134...
            Extensible Authentication Protocol
                Code: Request (1)
                Id: 9
                Length: 1010
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0x40
                    0... .... = Length Included: False
                    .1.. .... = More Fragments: True
                    ..0. .... = Start: False
                    .... .000 = Version: 0
        AVP: l=18 t=Message-Authenticator(80): 4def88d7c7f2e5a286d7e0b3d96670e9
            Message-Authenticator: 4def88d7c7f2e5a286d7e0b3d96670e9
        AVP: l=18 t=State(24): 3a959296389c8bd01b3c353177f2a183
            State: 3a959296389c8bd01b3c353177f2a183

No.     Time           Source                Destination           Protocol Length Info
   4381 24015.471825   10.100.100.111        192.168.0.13          RADIUS   223    Access-Request(1) (id=120, l=181), Duplicate Request ID:120

Frame 4381: 223 bytes on wire (1784 bits), 223 bytes captured (1784 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 20, 2017 14:31:47.817659000 Afrique de l’Est
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1487590307.817659000 seconds
    [Time delta from previous captured frame: 5.048785000 seconds]
    [Time delta from previous displayed frame: 5.048785000 seconds]
    [Time since reference or first frame: 24015.471825000 seconds]
    Frame Number: 4381
    Frame Length: 223 bytes (1784 bits)
    Capture Length: 223 bytes (1784 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:radius:eap]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: CiscoInc_e7:58:c1 (6c:20:56:e7:58:c1), Dst: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
    Destination: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        Address: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: CiscoInc_e7:58:c1 (6c:20:56:e7:58:c1)
        Address: CiscoInc_e7:58:c1 (6c:20:56:e7:58:c1)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.100.100.111, Dst: 192.168.0.13
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 209
    Identification: 0x6f83 (28547)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 254
    Protocol: UDP (17)
    Header checksum: 0x1d10 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 10.100.100.111
    Destination: 192.168.0.13
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 1645 (1645), Dst Port: 1812 (1812)
    Source Port: 1645
    Destination Port: 1812
    Length: 189
    Checksum: 0xcad9 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x78 (120)
    Length: 181
    Authenticator: 8e1e0033348fcf333cf84a46404d7d73
    [Duplicate Request: 120]
    [The response to this request is in frame 4380]
    Attribute Value Pairs
        AVP: l=24 t=User-Name(1): host/adminlp.aros.lan
            User-Name: host/adminlp.aros.lan
        AVP: l=6 t=Service-Type(6): Framed(2)
            Service-Type: Framed (2)
        AVP: l=6 t=Framed-MTU(12): 1500
            Framed-MTU: 1500
        AVP: l=19 t=Called-Station-Id(30): AC-7E-8A-7B-7B-A0
            Called-Station-Id: AC-7E-8A-7B-7B-A0
        AVP: l=19 t=Calling-Station-Id(31): C4-34-6B-54-C0-2C
            Calling-Station-Id: C4-34-6B-54-C0-2C
        AVP: l=8 t=EAP-Message(79) Last Segment[1]
            EAP fragment: 020800061900
            Extensible Authentication Protocol
                Code: Response (2)
                Id: 8
                Length: 6
                Type: Protected EAP (EAP-PEAP) (25)
                EAP-TLS Flags: 0x00
                    0... .... = Length Included: False
                    .0.. .... = More Fragments: False
                    ..0. .... = Start: False
                    .... .000 = Version: 0
        AVP: l=18 t=Message-Authenticator(80): 5563952a01377f93d4e4a02c0dfa30f8
            Message-Authenticator: 5563952a01377f93d4e4a02c0dfa30f8
        AVP: l=2 t=EAP-Key-Name(102):
            EAP-Key-Name:
        AVP: l=6 t=NAS-Port-Type(61): Ethernet(15)
            NAS-Port-Type: Ethernet (15)
        AVP: l=6 t=NAS-Port(5): 50132
            NAS-Port: 50132
        AVP: l=23 t=NAS-Port-Id(87): GigabitEthernet1/0/32
            NAS-Port-Id: GigabitEthernet1/0/32
        AVP: l=18 t=State(24): 3a9592963b9d8bd01b3c353177f2a183
            State: 3a9592963b9d8bd01b3c353177f2a183
        AVP: l=6 t=NAS-IP-Address(4): 10.100.100.111
            NAS-IP-Address: 10.100.100.111

No.     Time           Source                Destination           Protocol Length Info
   4382 24016.478317   192.168.0.13          10.100.100.111        RADIUS   62     Access-Reject(3) (id=120, l=20)

Frame 4382: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Feb 20, 2017 14:31:48.824151000 Afrique de l’Est
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1487590308.824151000 seconds
    [Time delta from previous captured frame: 1.006492000 seconds]
    [Time delta from previous displayed frame: 1.006492000 seconds]
    [Time since reference or first frame: 24016.478317000 seconds]
    Frame Number: 4382
    Frame Length: 62 bytes (496 bits)
    Capture Length: 62 bytes (496 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:udp:radius]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Vmware_c9:f4:da (00:0c:29:c9:f4:da), Dst: All-HSRP-routers_01 (00:00:0c:07:ac:01)
    Destination: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        Address: All-HSRP-routers_01 (00:00:0c:07:ac:01)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Source: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        Address: Vmware_c9:f4:da (00:0c:29:c9:f4:da)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.0.13, Dst: 10.100.100.111
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 48
    Identification: 0x32b3 (12979)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x1882 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.0.13
    Destination: 10.100.100.111
    [Source GeoIP: Unknown]
    [Destination GeoIP: Unknown]
User Datagram Protocol, Src Port: 1812 (1812), Dst Port: 1645 (1645)
    Source Port: 1812
    Destination Port: 1645
    Length: 28
    Checksum: 0x2fb6 [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    [Stream index: 0]
RADIUS Protocol
    Code: Access-Reject (3)
    Packet identifier: 0x78 (120)
    Length: 20
    Authenticator: 47a65c80d6517f720b429b3084dfd86e


Sometimes, FreeRADIUS is also complaining about:

Mon Feb 20 20:58:56 2017 : Error: rlm_eap (EAP): No EAP session matching state 0x01194816005c5102

_____________________________________________________________________________________________________________________________________________________________________
We thought it might have something to do with some hotfixes/patches missing
on the Windows environment. We deployed the ones recommended by the vendor,
but the issue persists!  Any hints would really be appreciated. Thank you.

Regards
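Added example (not from the post, the poster, or FreeRADIUS) that parses RADIUS packets constructed from the values in the trace above and reproduces both symptoms as detection findings: the retransmitted Access-Request (same id 120 and same Authenticator) arriving 5.05 s after the first copy, past FreeRADIUS's default cleanup_delay of 5 s, and a State attribute that no longer matches the newest Access-Challenge, which is the condition behind the "No EAP session matching state" error. The challenge that originally issued the echoed State is not in the trace, so it is constructed here with a placeholder Authenticator and RADIUS id.

```python
"""Replay check for the exchange in the post: flag an Access-Request that repeats an
earlier (id, Authenticator) after cleanup_delay, and one whose State no longer matches
the latest Access-Challenge. Added example, not from the post or FreeRADIUS."""
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11
USER_NAME, STATE, EAP_MESSAGE = 1, 24, 79

def build_packet(code, ident, authenticator, avps):
    """Assemble a RADIUS packet: 20-byte header followed by type/length/value AVPs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(raw):
    """Return (code, id, authenticator, {type: [values]}); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 20:
        raise ValueError("bad RADIUS length")
    avps, pos = {}, 20
    while pos < length:
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad AVP length")
        avps.setdefault(atype, []).append(raw[pos + 2:pos + alen])
        pos += alen
    return code, ident, raw[4:20], avps

def analyse(events, cleanup_delay=5.0):
    """events: (timestamp, src, dst, raw) in capture order. 'stale-duplicate': same NAS,
    id and Authenticator seen again after cleanup_delay (FreeRADIUS default 5 s), when
    the cached reply is gone. 'unknown-state': State is not from the last challenge."""
    first_seen, live_states, findings = {}, {}, []
    for ts, src, dst, raw in events:
        code, ident, auth, avps = parse_packet(raw)
        if code == ACCESS_CHALLENGE and STATE in avps:
            live_states[dst] = avps[STATE][0]   # newest State issued to that NAS
        if code != ACCESS_REQUEST:
            continue
        key = (src, ident, auth)
        if key in first_seen and ts - first_seen[key] > cleanup_delay:
            findings.append((ts, "stale-duplicate"))
        first_seen.setdefault(key, ts)
        state = avps.get(STATE, [None])[0]
        if state is not None and live_states.get(src) != state:
            findings.append((ts, "unknown-state"))
    return findings

# Values from the post's trace; CHAL0 (the earlier challenge that issued OLD_STATE) is not in it, so its id and Authenticator are placeholders.
NAS, SRV = "10.100.100.111", "192.168.0.13"
OLD_STATE = bytes.fromhex("3a9592963b9d8bd01b3c353177f2a183")
NEW_STATE = bytes.fromhex("3a959296389c8bd01b3c353177f2a183")
REQ = build_packet(ACCESS_REQUEST, 120, bytes.fromhex("8e1e0033348fcf333cf84a46404d7d73"),
                   [(USER_NAME, b"host/adminlp.aros.lan"),
                    (EAP_MESSAGE, bytes.fromhex("020800061900")), (STATE, OLD_STATE)])
CHAL0 = build_packet(ACCESS_CHALLENGE, 119, bytes(16), [(STATE, OLD_STATE)])
CHAL = build_packet(ACCESS_CHALLENGE, 120, bytes.fromhex("c5909ec6bdb68f7077967c825cf2fe9d"),
                    [(STATE, NEW_STATE)])
SAMPLE = [(24010.4065, SRV, NAS, CHAL0), (24010.4219, NAS, SRV, REQ),
          (24010.4230, SRV, NAS, CHAL), (24015.4718, NAS, SRV, REQ)]
```

Running analyse(SAMPLE) reports both findings for the 24015.4718 copy only; the first three events are clean, which is the behaviour a healthy retransmit inside the cleanup window would show.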

