Freeradius Auth Issues on Password Change

Damon McManus d.mcmanus at swissport.com.au
Wed Feb 19 05:11:44 CET 2020


Hi Guys,

I have been using FreeRADIUS for a while now in production and it was all
working fine.  It is authenticating against Active Directory using EAP and
MSCHAP.  Our network runs only Apple Macs.  About twelve or eighteen months
ago Apple seemed to make a change to their wireless configuration (maybe
the driver?) for newer Macs.  Since then we have had an issue when a user's
password expires.  The authentication seems to get into a loop of the
following messages.

(24) Received Access-Request Id 108 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201
(24)   User-Name = "j.smith"
(24)   NAS-IP-Address = 10.30.5.5
(24)   NAS-Port = 0
(24)   NAS-Identifier = "10.30.5.5"
(24)   NAS-Port-Type = Wireless-802.11
(24)   Calling-Station-Id = "f0189857c82c"
(24)   Called-Station-Id = "40e3d6c1530e"
(24)   Service-Type = Framed-User
(24)   Framed-MTU = 1100
(24)   EAP-Message = 0x0201000e01642e6d636d616e7573
(24)   Aruba-Essid-Name = "ACESSID"
(24)   Aruba-Location-Id = "AccessPoint1"
(24)   Aruba-AP-Group = "AeroCareVC"
(24)   Aruba-Auth-Survivability = "enabled"
(24)   Message-Authenticator = 0x74652b705f9f65a5ae15b211b0cedfbd
(24) # Executing section authorize from file /etc/raddb/sites-enabled/default
(24)   authorize {
(24)     policy filter_username {
(24)       if (&User-Name) {
(24)       if (&User-Name)  -> TRUE
(24)       if (&User-Name)  {
(24)         if (&User-Name =~ / /) {
(24)         if (&User-Name =~ / /)  -> FALSE
(24)         if (&User-Name =~ /@[^@]*@/ ) {
(24)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(24)         if (&User-Name =~ /\.\./ ) {
(24)         if (&User-Name =~ /\.\./ )  -> FALSE
(24)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(24)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(24)         if (&User-Name =~ /\.$/)  {
(24)         if (&User-Name =~ /\.$/)   -> FALSE
(24)         if (&User-Name =~ /@\./)  {
(24)         if (&User-Name =~ /@\./)   -> FALSE
(24)       } # if (&User-Name)  = notfound
(24)     } # policy filter_username = notfound
(24)     [preprocess] = ok
(24) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(24) auth_log:    --> /var/log/radius/radacct/10.30.5.5/auth-detail-20200128
(24) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.30.5.5/auth-detail-20200128
(24) auth_log: EXPAND %t
(24) auth_log:    --> Tue Jan 28 01:58:51 2020
(24)     [auth_log] = ok
(24)     [chap] = noop
(24)     [mschap] = noop
(24)     [digest] = noop
(24) suffix: Checking for suffix after "@"
(24) suffix: No '@' in User-Name = "j.smith", looking up realm NULL
(24) suffix: No such realm "NULL"
(24)     [suffix] = noop
(24) eap: Peer sent EAP Response (code 2) ID 1 length 14
(24) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(24)     [eap] = ok
(24)   } # authorize = ok
(24) Found Auth-Type = eap
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24)   authenticate {
(24) eap: Peer sent packet with method EAP Identity (1)
(24) eap: Calling submodule eap_md5 to process data
(24) eap_md5: Issuing MD5 Challenge
(24) eap: Sending EAP Request (code 1) ID 2 length 22
(24) eap: EAP session adding &reply:State = 0xc67bcfadc679cb38
(24)     [eap] = handled
(24)   } # authenticate = handled
(24) Using Post-Auth-Type Challenge
(24) # Executing group from file /etc/raddb/sites-enabled/default
(24)   Challenge { ... } # empty sub-section is ignored
(24) Sent Access-Challenge Id 108 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
(24)   EAP-Message = 0x010200160410e7b0cac5819493cfed924aab43c435a6
(24)   Message-Authenticator = 0x00000000000000000000000000000000
(24)   State = 0xc67bcfadc679cb38b49f9a453755281b
(24) Finished request
Waking up in 2.5 seconds.
(25) Received Access-Request Id 109 from 10.30.5.5:56026 to 10.250.136.167:1812 length 213
(25)   User-Name = "j.smith"
(25)   NAS-IP-Address = 10.30.5.5
(25)   NAS-Port = 0
(25)   NAS-Identifier = "10.30.5.5"
(25)   NAS-Port-Type = Wireless-802.11
(25)   Calling-Station-Id = "f0189857c82c"
(25)   Called-Station-Id = "40e3d6c1530e"
(25)   Service-Type = Framed-User
(25)   Framed-MTU = 1100
(25)   EAP-Message = 0x020200080319152b
(25)   State = 0xc67bcfadc679cb38b49f9a453755281b
(25)   Aruba-Essid-Name = "ACESSID"
(25)   Aruba-Location-Id = "AccessPoint1"
(25)   Aruba-AP-Group = "AeroCareVC"
(25)   Aruba-Auth-Survivability = "enabled"
(25)   Message-Authenticator = 0xd1c2467a441c5a3efd8a4f3f29e0dc27
(25) session-state: No cached attributes
(25) # Executing section authorize from file /etc/raddb/sites-enabled/default
(25)   authorize {
(25)     policy filter_username {
(25)       if (&User-Name) {
(25)       if (&User-Name)  -> TRUE
(25)       if (&User-Name)  {
(25)         if (&User-Name =~ / /) {
(25)         if (&User-Name =~ / /)  -> FALSE
(25)         if (&User-Name =~ /@[^@]*@/ ) {
(25)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(25)         if (&User-Name =~ /\.\./ ) {
(25)         if (&User-Name =~ /\.\./ )  -> FALSE
(25)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(25)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  -> FALSE
(25)         if (&User-Name =~ /\.$/)  {
(25)         if (&User-Name =~ /\.$/)   -> FALSE
(25)         if (&User-Name =~ /@\./)  {
(25)         if (&User-Name =~ /@\./)   -> FALSE
(25)       } # if (&User-Name)  = notfound
(25)     } # policy filter_username = notfound
(25)     [preprocess] = ok
(25) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(25) auth_log:    --> /var/log/radius/radacct/10.30.5.5/auth-detail-20200128
(25) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.30.5.5/auth-detail-20200128
(25) auth_log: EXPAND %t
(25) auth_log:    --> Tue Jan 28 01:58:51 2020
(25)     [auth_log] = ok
(25)     [chap] = noop
(25)     [mschap] = noop
(25)     [digest] = noop
(25) suffix: Checking for suffix after "@"
(25) suffix: No '@' in User-Name = "j.smith", looking up realm NULL
(25) suffix: No such realm "NULL"
(25)     [suffix] = noop
(25) eap: Peer sent EAP Response (code 2) ID 2 length 8
(25) eap: No EAP Start, assuming it's an on-going EAP conversation
(25)     [eap] = updated
(25)     [files] = noop
(25)     [expiration] = noop
(25)     [logintime] = noop
(25) pap: WARNING: No "known good" password found for the user.  Not setting Auth-Type
(25) pap: WARNING: Authentication will fail unless a "known good" password is available
(25)     [pap] = noop
(25)   } # authorize = updated
(25) Found Auth-Type = eap
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25)   authenticate {
(25) eap: Expiring EAP session with state 0x8a35a5508831bc44
(25) eap: Finished EAP session with state 0xc67bcfadc679cb38
(25) eap: Previous EAP request found for state 0xc67bcfadc679cb38, released from the list
(25) eap: Peer sent packet with method EAP NAK (3)
(25) eap: Found mutually acceptable type PEAP (25)
(25) eap: Calling submodule eap_peap to process data
(25) eap_peap: Initiating new EAP-TLS session
(25) eap_peap: [eaptls start] = request
(25) eap: Sending EAP Request (code 1) ID 3 length 6
(25) eap: EAP session adding &reply:State = 0xc67bcfadc778d638
(25)     [eap] = handled
(25)   } # authenticate = handled
(25) Using Post-Auth-Type Challenge
(25) # Executing group from file /etc/raddb/sites-enabled/default
(25)   Challenge { ... } # empty sub-section is ignored
(25) Sent Access-Challenge Id 109 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
(25)   EAP-Message = 0x010300061920
(25)   Message-Authenticator = 0x00000000000000000000000000000000
(25)   State = 0xc67bcfadc778d638b49f9a453755281b
(25) Finished request
Waking up in 2.4 seconds.

If I forget the wireless network on the client OS and then reconnect, it
works fine.  Can you experts see the error on the RADIUS side, or have you
heard of this issue before?  I recently upgraded the RADIUS server (running
Amazon Linux 2) from version 2 to version 3.0.13 but that doesn't seem to
have fixed it.

Any help or hints would be much appreciated,

Damon

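Added example, not part of Damon's post and not FreeRADIUS project code: a small Python tool that decodes the EAP-Message hex dumps in radiusd -X output and groups requests by Calling-Station-Id to count how often a supplicant restarts EAP from a fresh Identity response without ever reaching an Access-Accept or Access-Reject, which is the loop described above. The sample log embedded in it is constructed in the layout of the dump above, with the Identity payload encoding the same "j.smith" as the User-Name; the EAP-Message values for the MD5 challenge, the NAK and the PEAP start are the encodings that appear in the post. The second station, its address and the restart threshold are assumptions for illustration.

```python
"""Decode the EAP-Message hex dumps in 'radiusd -X' output and flag stations
that keep restarting EAP without ever reaching Access-Accept/Reject."""
import re
from collections import defaultdict

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "NAK", 4: "MD5-Challenge", 13: "TLS",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2", 43: "FAST"}

def decode_eap(hexdump):
    """Parse one EAP packet: RFC 3748 header, then the method-specific payload."""
    raw = bytes.fromhex(hexdump[2:] if hexdump[:2].lower() == "0x" else hexdump)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    pkt = {"code": EAP_CODES.get(code, code), "id": ident}
    if code in (1, 2) and length >= 5:  # Success/Failure carry no type byte
        etype, data = raw[4], raw[5:]
        pkt["type"] = EAP_TYPES.get(etype, etype)
        if etype == 1 and code == 2:
            pkt["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:  # NAK: the methods the peer is willing to use instead
            pkt["desired"] = [EAP_TYPES.get(b, b) for b in data]
        elif etype == 4 and data:  # MD5: value-size byte, then the challenge
            pkt["challenge"] = data[1:1 + data[0]].hex()
        elif etype in (13, 21, 25, 43) and data:  # TLS-based methods: flag byte
            pkt["start"] = bool(data[0] & 0x20)  # S flag = fresh TLS handshake
    return pkt

RECV = re.compile(r"^\((\d+)\) Received Access-Request Id \d+")
SENT = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id \d+")
ATTR = re.compile(r'^\((\d+)\)\s+([\w-]+) = "?([^"]*)"?$')

def parse_debug(text):
    """One record per request number: station, peer's EAP packet, reply code."""
    reqs = {}
    for line in text.splitlines():
        if m := RECV.match(line):
            reqs[m[1]] = {"station": None, "peer": None, "reply": None}
        elif (m := SENT.match(line)) and m[1] in reqs:
            reqs[m[1]]["reply"] = m[2]
        elif (m := ATTR.match(line)) and m[1] in reqs:
            rec = reqs[m[1]]
            if m[2] == "Calling-Station-Id":
                rec["station"] = m[3]
            elif m[2] == "EAP-Message" and rec["reply"] is None:  # peer's, not ours
                rec["peer"] = decode_eap(m[3])
    return list(reqs.values())

def find_eap_loops(records, min_restarts=2):
    """Count, per Calling-Station-Id, EAP conversations restarted (a new
    Identity response) before the previous one ended in Accept/Reject."""
    open_conv, restarts = {}, defaultdict(int)
    for rec in records:
        st, pkt = rec["station"], rec["peer"]
        if not st or not pkt:
            continue
        if pkt.get("type") == "Identity":
            if open_conv.get(st):
                restarts[st] += 1
            open_conv[st] = True
        if rec["reply"] in ("Access-Accept", "Access-Reject"):
            open_conv[st] = False
    return {st: n for st, n in restarts.items() if n >= min_restarts}

# Constructed sample in radiusd -X layout (not the full dump from the post).
# f018...: Identity -> MD5 challenge, NAK(PEAP,TTLS,FAST) -> PEAP start, then
# Identity twice more.  aabb...: an assumed conversation that completes.
SAMPLE_LOG = """\
(24) Received Access-Request Id 108 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201
(24)   Calling-Station-Id = "f0189857c82c"
(24)   EAP-Message = 0x0201000c016a2e736d697468
(24) Sent Access-Challenge Id 108 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
(24)   EAP-Message = 0x010200160410e7b0cac5819493cfed924aab43c435a6
(25) Received Access-Request Id 109 from 10.30.5.5:56026 to 10.250.136.167:1812 length 213
(25)   Calling-Station-Id = "f0189857c82c"
(25)   EAP-Message = 0x020200080319152b
(25) Sent Access-Challenge Id 109 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
(25)   EAP-Message = 0x010300061920
(26) Received Access-Request Id 110 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201
(26)   Calling-Station-Id = "f0189857c82c"
(26)   EAP-Message = 0x0201000c016a2e736d697468
(26) Sent Access-Challenge Id 110 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
(28) Received Access-Request Id 112 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201
(28)   Calling-Station-Id = "f0189857c82c"
(28)   EAP-Message = 0x0201000c016a2e736d697468
(28) Sent Access-Challenge Id 112 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
(30) Received Access-Request Id 7 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201
(30)   Calling-Station-Id = "aabbccddeeff"
(30)   EAP-Message = 0x0201000c01612e6a6f6e6573
(30) Sent Access-Accept Id 7 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0
"""

if __name__ == "__main__":
    print(decode_eap("0x020200080319152b"))
    print("looping stations:", find_eap_loops(parse_debug(SAMPLE_LOG)))
```

Decoding the first two exchanges shows in bytes what the dump above says in words: the server's first EAP Request is MD5-Challenge (type 4), the Mac answers with a NAK listing PEAP, TTLS and EAP-FAST (0x19, 0x15, 0x2b), and the server then sends a PEAP Start (type 25 with the S flag set). The MD5 offer is whatever default_eap_type in mods-available/eap is set to; setting it to peap removes that extra round trip, but it does not by itself explain why the client comes back with a fresh Identity instead of continuing the PEAP exchange, which is what the restart counter is there to make visible across a long capture. To use it on a real capture, replace SAMPLE_LOG with the file contents; Calling-Station-Id is the grouping key because User-Name is identical for every request in the loop.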

