Failed authentication on Eduroam FreeRADIUS server

Stefan Winter stefan.winter at restena.lu
Wed Apr 17 10:18:31 CEST 2019


Hello,

you have configured the EAP type EAP-MD5, which is not allowed in
eduroam. And it hasn't been used anywhere else in WPA-Enterprise for a
decade, either.

Other than that, nothing's wrong - the EAP conversation is started by
the client, and your server responds with an Access-Challenge. The next
step would be that the client continues the conversation and carries on
with EAP.

Maybe it doesn't do that because EAP-MD5 has been dead for a decade. But the
server log doesn't tell you what the client thinks.

First, get rid of the EAP-MD5 configuration and then you can look further.

Greetings,

Stefan Winter

On 17.04.19 at 09:59, Tal Nur via Freeradius-Users wrote:
> Dear colleagues 
> 
> I'm trying to set up a Freeradius IdP server for the Eduroam service.
> I followed the "how-tos" on wiki.geant.org, but while testing my
> setup I got the following error messages:
> ===============================================================================
> Ready to process requests
> (1) Received Access-Request Id 0 from 89.250.80.136:1117 to
> 89.250.80.130:1812 length 213
> (1)   Message-Authenticator = 0x0083de2f19d2f059d3d800138a6f7374
> (1)   Service-Type = Framed-User
> (1)   User-Name = "sake at kazrena.kz"
> (1)   Framed-MTU = 1488
> (1)   Called-Station-Id = "00-22-B0-0C-84-71:eduroam"
> (1)   Calling-Station-Id = "18-F4-6A-33-41-A5"
> (1)   NAS-Identifier = "D-Link Access Point"
> (1)   NAS-Port-Type = Wireless-802.11
> (1)   Connect-Info = "CONNECT 54Mbps 802.11g"
> (1)   EAP-Message = 0x020000140173616b65406b617a72656e612e6b7a
> (1)   NAS-IP-Address = 89.250.80.136
> (1)   NAS-Port = 1
> (1)   NAS-Port-Id = "STA port # 1"
> (1) # Executing section authorize from file
> /etc/freeradius/sites-enabled/eduroam
> (1)   authorize {
> (1)     policy filter_username {
> (1)       if (&User-Name) {
> (1)       if (&User-Name)  -> TRUE
> (1)       if (&User-Name)  {
> (1)         if (&User-Name =~ / /) {
> (1)         ERROR: regex failed: Found null in subject at offset 15.
> String unsafe for evaluation
> (1)         ERROR: Failed retrieving values required to evaluate condition
> (1)         if (&User-Name =~ /@[^@]*@/ ) {
> (1)         ERROR: regex failed: Found null in subject at offset 15.
> String unsafe for evaluation
> (1)         ERROR: Failed retrieving values required to evaluate condition
> (1)         if (&User-Name =~ /\.\./ ) {
> (1)         ERROR: regex failed: Found null in subject at offset 15.
> String unsafe for evaluation
> (1)         ERROR: Failed retrieving values required to evaluate condition
> (1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
> (1)         ERROR: regex failed: Found null in subject at offset 15.
> String unsafe for evaluation
> (1)         ERROR: Failed retrieving values required to evaluate condition
> (1)         if (&User-Name =~ /\.$/)  {
> (1)         ERROR: regex failed: Found null in subject at offset 15.
> String unsafe for evaluation
> (1)         ERROR: Failed retrieving values required to evaluate condition
> (1)         if (&User-Name =~ /@\./)  {
> (1)         ERROR: regex failed: Found null in subject at offset 15.
> String unsafe for evaluation
> (1)         ERROR: Failed retrieving values required to evaluate condition
> (1)       } # if (&User-Name)  = notfound
> (1)     } # policy filter_username = notfound
> (1)     update request {
> (1)       Operator-Name := "1kazrena.kz"
> (1)     } # update request = noop
> (1) auth_log: EXPAND
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> (1) auth_log:    -->
> /var/log/freeradius/radacct/89.250.80.136/auth-detail-20190417
> (1) auth_log:
> /var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
> expands to /var/log/freeradius/radacct/89.250.80.136/auth-detail-20190417
> (1) auth_log: EXPAND %t
> (1) auth_log:    --> Wed Apr 17 10:11:36 2019
> (1)     [auth_log] = ok
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "kazrena.kz" for User-Name = "sake at kazrena.kz"
> (1) suffix: Found realm "kazrena.kz"
> (1) suffix: Adding Realm = "kazrena.kz"
> (1) suffix: Authentication realm is LOCAL
> (1)     [suffix] = ok
> rlm_sql (sql): Reserved connection (1)
> rlm_sql (sql): Released connection (1)
> (1)     [sql] = notfound
> (1) eap: Peer sent EAP Response (code 2) ID 0 length 20
> (1) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (1)     [eap] = ok
> (1)   } # authorize = ok
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/sites-enabled/eduroam
> (1)   authenticate {
> (1) eap: Peer sent packet with method EAP Identity (1)
> (1) eap: Calling submodule eap_md5 to process data
> (1) eap_md5: Issuing MD5 Challenge
> (1) eap: Sending EAP Request (code 1) ID 1 length 22
> (1) eap: EAP session adding &reply:State = 0x3afb18fa3afa1cb6
> (1)     [eap] = handled
> (1)   } # authenticate = handled
> (1) Using Post-Auth-Type Challenge
> (1) Post-Auth-Type sub-section not found.  Ignoring.
> (1) # Executing group from file /etc/freeradius/sites-enabled/eduroam
> (1) Sent Access-Challenge Id 0 from 89.250.80.130:1812 to
> 89.250.80.136:1117 length 0
> (1)   EAP-Message = 0x010100160410cc91782bcf8cf2f0b4de0ed50943dc6e
> (1)   Message-Authenticator = 0x00000000000000000000000000000000
> (1)   State = 0x3afb18fa3afa1cb6e9d755993b5205d3
> (1) Finished request
> =======================================================================================
> 
> I couldn't understand what's configured wrong. Could you advise me what
> to do to fix the problem?
> 
> Regards, Talgat Nurlybayev
> 


-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
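As an added example (not code from this thread or from the FreeRADIUS project): a small decoder for the two EAP-Message values quoted in the debug log above. It shows where the EAP-MD5 configuration is visible in the exchange: the client's packet is an EAP Identity response, and the server's Access-Challenge carries EAP type 4 (MD5-Challenge) instead of a tunnelled method. Type names follow the IANA EAP method registry.

```python
# Added example: decode EAP packets from FreeRADIUS debug output
# (EAP-Message = 0x...). Header layout per RFC 3748:
#   Code(1) | Identifier(1) | Length(2, big-endian) | Type(1) | Type-Data

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "EAP-TLS",
             21: "EAP-TTLS", 25: "PEAP"}

# Both strings are copied verbatim from the debug log in the thread.
CLIENT_IDENTITY = "0x020000140173616b65406b617a72656e612e6b7a"
SERVER_CHALLENGE = "0x010100160410cc91782bcf8cf2f0b4de0ed50943dc6e"


def decode_eap(hexstr: str) -> dict:
    """Parse one EAP packet given as the hex string FreeRADIUS logs."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} != {len(raw)} bytes present")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:          # Request/Response carry a Type
        eap_type = raw[4]
        out["type"] = EAP_TYPES.get(eap_type, eap_type)
        data = raw[5:]
        if eap_type == 1:                       # Identity: Type-Data is the NAI
            out["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 4 and data:            # MD5-Challenge: Value-Size + Value
            vsize = data[0]
            out["challenge"] = data[1:1 + vsize].hex()
    return out


def uses_eap_md5(hexstr: str) -> bool:
    """True when the packet negotiates EAP-MD5 (type 4), e.g. the log's challenge."""
    return decode_eap(hexstr).get("type") == "MD5-Challenge"


if __name__ == "__main__":
    for label, pkt in (("client", CLIENT_IDENTITY), ("server", SERVER_CHALLENGE)):
        print(label, decode_eap(pkt))
```

Run it against the two log lines and the server packet decodes as `Request`, id 1, type `MD5-Challenge`, which is the method the reply above says to remove from the eap module.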