Freeradius issues related with DMZ firewall

Alan Buxey alan.buxey at gmail.com
Mon Oct 2 12:13:16 CEST 2017


hi,

Looks like it (the RADIUS server; and you only need UDP open) cannot
talk to 10.10.10.10 - check routing from that DMZ to the Aruba?
Check that your Aruba has the required things adjusted too (if you've
moved the RADIUS server and its IP/name etc). Finally, do a full log
capture for the successful Linux test versus the auth coming in via
Aruba.

alan

On 29 September 2017 at 17:32, Ramon Escriba <escriba at cells.es> wrote:
> Hi Experts,
>
> I have a 'funny' problem with my freeradius 3.0.4 and our Aruba controller.
>
> I am testing a freeradius with 802.1x (EAP-MSCHAPv2: WPA2-Ent+AES+PEAP)
> configuration that works pretty well when both, radius & Aruba, are in our
> internal network.
>
> So it works fine with Mac, Win7, Android, iPhone, etc.
>
> The problem came when we moved the machine to the DMZ (pfSense fw). Lots of
> small problems (DNS, hosts, etc.) arose and were solved.
>
> I used eapol_test successfully on an internal Linux box that connects
> successfully to the radius in the DMZ, so I went ahead.
>
> But when we do the same Mac, Win7, Android, etc. WiFi connection tests with
> the radius in the DMZ, the authentication fails (see radius -X log below).
>
> To test if it was a firewall issue, UDP/TCP ports are fully open between
> radius (DMZ) & Aruba (internal), in both ways.
>
> We opened the DMZ radius to the internal DNS.
>
> I used a firewall catch-all rule to get any IPv4+6 that goes missing by the
> firewall rules, but nothing shows up.
>
> I tried to Wireshark the WiFi connection from the Win7 client without
> success.
>
> Well, I hope someone else had a similar problem and could share the
> solution, or any clue.
>
> Logs of the failing connection (Win7 -> Aruba -> radius DMZ), maybe you can
> see something strange:
>
> 10.10.10.10: Aruba
> 84.84.84.84: Radius at DMZ
>
> Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
>         User-Name = 'test at acme.com'
>         NAS-IP-Address = 10.10.10.10
>         NAS-Port = 0
>         NAS-Identifier = '10.10.10.10'
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = 'A4C494Exxxxx'
>         Called-Station-Id = '000B866xxxxx'
>         Service-Type = Login-User
>         Framed-MTU = 1100
>         EAP-Message = 0x0xx400xxxxxx146xxxxxxxxxxxc673
>         Aruba-Essid-Name = 'TEST_SSID'
>         Aruba-Location-Id = 'AP1'
>         Aruba-AP-Group = 'default'
>         Message-Authenticator = 0xbxxx268xxxxxxxxxxxxc10f08dae88
> (0) Received Access-Request packet from host 10.10.10.10 port 32866, id=111, length=205
> (0)     User-Name = 'test at acme.com'
> (0)     NAS-IP-Address = 10.10.10.10
> (0)     NAS-Port = 0
> (0)     NAS-Identifier = '10.10.10.10'
> (0)     NAS-Port-Type = Wireless-802.11
> (0)     Calling-Station-Id = 'A4C494XXXXXX'
> (0)     Called-Station-Id = ''000B86xxxxxx'
> (0)     Service-Type = Login-User
> (0)     Framed-MTU = 1100
> (0)     EAP-Message = 0x02040019017465xxxxxxxxxxxx4063656c6c732e6573
> (0)     Aruba-Essid-Name = 'TEST_SSID'
> (0)     Aruba-Location-Id = 'AP1'
> (0)     Aruba-AP-Group = 'default'
> (0)     Message-Authenticator = 0xb268fe2779551dxxxxxxxxxxxx08dae88
> (0) # Executing section authorize from file /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)   filter_username filter_username {
> (0)     if (!&User-Name)
> (0)     if (!&User-Name)  -> FALSE
> (0)     if (&User-Name =~ / /)
> (0)     if (&User-Name =~ / /)  -> FALSE
> (0)     if (&User-Name =~ /@.*@/ )
> (0)     if (&User-Name =~ /@.*@/ )  -> FALSE
> (0)     if (&User-Name =~ /\\.\\./ )
> (0)     if (&User-Name =~ /\\.\\./ )  -> FALSE
> (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
> (0)     if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))   -> FALSE
> (0)     if (&User-Name =~ /\\.$/)
> (0)     if (&User-Name =~ /\\.$/)   -> FALSE
> (0)     if (&User-Name =~ /@\\./)
> (0)     if (&User-Name =~ /@\\./)   -> FALSE
> (0)   } # filter_username filter_username = notfound
> (0)   [preprocess] = ok
> (0)  auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (0)  auth_log :    --> /var/log/radius/radacct/10.10.10.10/auth-detail-20170929
> (0)  auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.10.10.10/auth-detail-20170929
> (0)  auth_log : EXPAND %t
> (0)  auth_log :    --> Fri Sep 29 16:42:40 2017
> (0)   [auth_log] = ok
> (0)   [mschap] = noop
> (0)  suffix : Checking for suffix after "@"
> (0)  suffix : Looking up realm "acme.com" for User-Name = "test at acme.com"
> (0)  suffix : Found realm "acme.com"
> (0)  suffix : Adding Realm = "acme.com"
> (0)  suffix : Authentication realm is LOCAL
> (0)   [suffix] = ok
> (0)  eap : Peer sent code Response (2) ID 4 length 25
> (0)  eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
> (0)   [eap] = ok
> (0)  } #  authorize = ok
> (0) Found Auth-Type = EAP
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0)  eap : Peer sent method Identity (1)
> (0)  eap : Calling eap_peap to process EAP data
> (0)  eap_peap : Flushing SSL sessions (of #0)
> (0)  eap_peap : Initiate
> (0)  eap_peap : Start returned 1
> (0)  eap : New EAP session, adding 'State' attribute to reply 0x7317e1da7312f877
> (0)   [eap] = handled
> (0)  } #  authenticate = handled
> (0) Sending Access-Challenge packet to host 10.10.10.10 port 32866, id=111, length=0
> (0)     EAP-Message = 0x010500061920
> (0)     Message-Authenticator = 0x00000000000000000000000000000000
> (0)     State = 0x7317e1da7312f877fca7b6e2bbfa846d
> Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
>         EAP-Message = 0x010500061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x7317e1da7312f877fca7b6e2bbfa846d
> (0) Finished request
> Waking up in 0.3 seconds.
> Waking up in 6.6 seconds.
> Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
> Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
> Waking up in 999993.0 seconds.
> Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
> Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
> Waking up in 1999986.0 seconds.
> Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
> Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
> Waking up in 3999977.0 seconds.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
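As an added diagnostic (not code from the thread or from FreeRADIUS itself), the script below scans the packet lines of a radiusd -X capture for the pattern in Ramon's log: the NAS re-sending the same Access-Request Id while the server keeps answering from its cache with the same Access-Challenge, which is what you see when the server's reply never gets back to the NAS. The log excerpts are constructed to mirror the thread; the duplicate threshold and the verdict wording are assumptions of this example.

```python
import re

# Constructed radiusd -X excerpts modelled on the thread; not copied from the original log.
STALLED_LOG = """\
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 0.3 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
"""
HEALTHY_LOG = """\
Received Access-Request Id 5 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 5 from 84.84.84.84:1812 to 10.10.10.10:32866
Received Access-Request Id 6 from 10.10.10.10:32866 to 84.84.84.84:1812 length 260
Sending Access-Accept Id 6 from 84.84.84.84:1812 to 10.10.10.10:32866
"""

PKT = re.compile(r"^(Received|Sending) (\S+) Id (\d+) from (\S+) to (\S+)")

def analyse(log):
    """Count arrivals of each (NAS, Id) request and record the last reply sent to it."""
    requests = {}  # (nas_addr:port, id) -> arrivals, in first-seen order
    replies = {}   # (nas_addr:port, id) -> last packet type sent back
    for line in log.splitlines():
        m = PKT.match(line)
        if not m:
            continue   # attribute dumps, "Waking up", module trace, etc.
        direction, ptype, pid, src, dst = m.groups()
        if direction == "Received":
            requests[(src, pid)] = requests.get((src, pid), 0) + 1
        else:
            replies[(dst, pid)] = ptype
    return requests, replies

def diagnose(log, max_dupes=2):
    """Flag a NAS that keeps resending one Id while the server keeps answering with a Challenge."""
    requests, replies = analyse(log)
    for key, seen in requests.items():
        if seen > max_dupes and replies.get(key) == "Access-Challenge":
            nas, pid = key
            return (f"stalled: {nas} resent Access-Request Id {pid} {seen}x and only ever got "
                    f"Access-Challenge; check the server->NAS return path (routing/firewall state)")
    last = replies.get(list(requests)[-1]) if requests else None
    if last in ("Access-Accept", "Access-Reject"):
        return f"completed: final reply {last}"
    return "inconclusive: no duplicates and no final Accept/Reject seen"
```

In a working exchange the Id advances with every EAP round trip and ends in Access-Accept or Access-Reject, so a verdict of "stalled" on the Aruba-sourced capture but "completed" on the eapol_test capture is the comparison Alan suggests.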