Failed authentication on Eduroam FreeRADIUS server

Tal Nur nurtal at yahoo.com
Wed Apr 17 09:59:06 CEST 2019


Dear colleagues 

I'm trying to set up a FreeRADIUS IdP server for the Eduroam service.
I followed the "how-tos" on wiki.geant.org, but during the test of my
setup I got the following error messages:
===============================================================================
Ready to process requests
(1) Received Access-Request Id 0 from 89.250.80.136:1117 to
89.250.80.130:1812 length 213
(1)   Message-Authenticator = 0x0083de2f19d2f059d3d800138a6f7374
(1)   Service-Type = Framed-User
(1)   User-Name = "sake at kazrena.kz"
(1)   Framed-MTU = 1488
(1)   Called-Station-Id = "00-22-B0-0C-84-71:eduroam"
(1)   Calling-Station-Id = "18-F4-6A-33-41-A5"
(1)   NAS-Identifier = "D-Link Access Point"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Connect-Info = "CONNECT 54Mbps 802.11g"
(1)   EAP-Message = 0x020000140173616b65406b617a72656e612e6b7a
(1)   NAS-IP-Address = 89.250.80.136
(1)   NAS-Port = 1
(1)   NAS-Port-Id = "STA port # 1"
(1) # Executing section authorize from file
/etc/freeradius/sites-enabled/eduroam
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         ERROR: regex failed: Found null in subject at offset 15.
String unsafe for evaluation
(1)         ERROR: Failed retrieving values required to evaluate condition
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         ERROR: regex failed: Found null in subject at offset 15.
String unsafe for evaluation
(1)         ERROR: Failed retrieving values required to evaluate condition
(1)         if (&User-Name =~ /\.\./ ) {
(1)         ERROR: regex failed: Found null in subject at offset 15.
String unsafe for evaluation
(1)         ERROR: Failed retrieving values required to evaluate condition
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         ERROR: regex failed: Found null in subject at offset 15.
String unsafe for evaluation
(1)         ERROR: Failed retrieving values required to evaluate condition
(1)         if (&User-Name =~ /\.$/)  {
(1)         ERROR: regex failed: Found null in subject at offset 15.
String unsafe for evaluation
(1)         ERROR: Failed retrieving values required to evaluate condition
(1)         if (&User-Name =~ /@\./)  {
(1)         ERROR: regex failed: Found null in subject at offset 15.
String unsafe for evaluation
(1)         ERROR: Failed retrieving values required to evaluate condition
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     update request {
(1)       Operator-Name := "1kazrena.kz"
(1)     } # update request = noop
(1) auth_log: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(1) auth_log:    -->
/var/log/freeradius/radacct/89.250.80.136/auth-detail-20190417
(1) auth_log:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
expands to /var/log/freeradius/radacct/89.250.80.136/auth-detail-20190417
(1) auth_log: EXPAND %t
(1) auth_log:    --> Wed Apr 17 10:11:36 2019
(1)     [auth_log] = ok
(1) suffix: Checking for suffix after "@"
(1) suffix: Looking up realm "kazrena.kz" for User-Name = "sake at kazrena.kz"
(1) suffix: Found realm "kazrena.kz"
(1) suffix: Adding Realm = "kazrena.kz"
(1) suffix: Authentication realm is LOCAL
(1)     [suffix] = ok
rlm_sql (sql): Reserved connection (1)
rlm_sql (sql): Released connection (1)
(1)     [sql] = notfound
(1) eap: Peer sent EAP Response (code 2) ID 0 length 20
(1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(1)     [eap] = ok
(1)   } # authorize = ok
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/sites-enabled/eduroam
(1)   authenticate {
(1) eap: Peer sent packet with method EAP Identity (1)
(1) eap: Calling submodule eap_md5 to process data
(1) eap_md5: Issuing MD5 Challenge
(1) eap: Sending EAP Request (code 1) ID 1 length 22
(1) eap: EAP session adding &reply:State = 0x3afb18fa3afa1cb6
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) Post-Auth-Type sub-section not found.  Ignoring.
(1) # Executing group from file /etc/freeradius/sites-enabled/eduroam
(1) Sent Access-Challenge Id 0 from 89.250.80.130:1812 to
89.250.80.136:1117 length 0
(1)   EAP-Message = 0x010100160410cc91782bcf8cf2f0b4de0ed50943dc6e
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0x3afb18fa3afa1cb6e9d755993b5205d3
(1) Finished request
=======================================================================================

I couldn't understand what's configured wrong. Could you advise me what
to do to fix the problem?

Regards, Talgat Nurlybayev
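
A check of the request above for the condition the regex errors report (a NUL byte at offset 15 of User-Name), as an added example that is not part of the original post. The EAP-Message values are copied from the log; the raw User-Name bytes are not visible there, so `SAMPLE_USER_NAME` is a constructed value (the EAP identity plus one trailing NUL), and `parse_eap`, `first_nul` and `check_user_name` are hypothetical helper names.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 21: "TTLS", 25: "PEAP"}

def parse_eap(hexstr):
    """Decode an EAP-Message value as printed in the debug log (RFC 3748 header)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:
        # Request/Response packets carry a one-byte method type, then type data.
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def first_nul(value):
    """Offset of the first NUL byte in a raw attribute value, or None."""
    pos = value.find(b"\x00")
    return None if pos < 0 else pos

def check_user_name(user_name, eap_hex):
    """Compare raw User-Name bytes with the EAP identity and report NUL bytes."""
    pkt = parse_eap(eap_hex)
    identity = pkt["data"] if pkt.get("type") == "Identity" else None
    return {
        "eap": pkt,
        "nul_offset": first_nul(user_name),
        "matches_identity": identity is not None and user_name == identity,
        "matches_after_strip": identity is not None
        and user_name.rstrip(b"\x00") == identity,
    }

# EAP-Message values copied from the debug output in the post.
REQUEST_EAP = "0x020000140173616b65406b617a72656e612e6b7a"
CHALLENGE_EAP = "0x010100160410cc91782bcf8cf2f0b4de0ed50943dc6e"
# Constructed sample (assumption): the EAP identity followed by one NUL byte.
SAMPLE_USER_NAME = parse_eap(REQUEST_EAP)["data"] + b"\x00"

if __name__ == "__main__":
    print(check_user_name(SAMPLE_USER_NAME, REQUEST_EAP))
    print(parse_eap(CHALLENGE_EAP))
```

To test a real request, pass the User-Name value bytes taken from a packet capture in place of `SAMPLE_USER_NAME`.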

