FreeRadius, Eduroam, and me...

Matthew Newton mcn at freeradius.org
Sat Jun 20 21:35:16 CEST 2020



On 20/06/2020 20:08, Tim Young wrote:
> The site that I have permissions for has recently deployed a free-radius 
> server to use as an eduroam endpoint, authenticating off their Active 
> Directory.  They managed to get it to work such that they can properly 
> authenticate using "radtest -t mschap ..."

That's not a good indicator for a start. eduroam uses EAP. The only way 
that radtest will work against an EAP configuration is by pointing it 
directly at the inner-tunnel config, which won't test half of the 
eduroam setup.

> Running "freeradius -xX" and looking at the failure and the success, and 
> I can see a dramatic difference:

Use "freeradius -X" - the extra '-x's just add things you don't need and 
confuse matters in 99% of situations.

> The working connection:
> 
> Sat Jun 20 14:10:22 2020 : Info: Ready to process requests
> Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180 
> from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
> Sat Jun 20 14:10:25 2020 : Debug: (1) User-Name = "user at domain.name"
> Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-IP-Address = 10.1.2.11
> Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-Port = 1812
> Sat Jun 20 14:10:25 2020 : Debug: (1) Message-Authenticator = 
> 0xc89e50f3f488393d2b4738522be27bcc
> Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Challenge = 
> 0x8860d7d61af05416
> Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Response = 
> 0x000SOMEBIGLONGNUMBER
> Sat Jun 20 14:10:25 2020 : Debug: (1) session-state: No State attribute
> Sat Jun 20 14:10:25 2020 : Debug: (1) # Executing section authorize from

Working in what sense? That's not EAP (there's no EAP-Message 
attribute), so won't work with eduroam.

Have you tried it via a wireless AP/controller?

> The failed connection:
> 
> Sat Jun 20 12:26:22 2020 : Info: Ready to process requests
> Sat Jun 20 12:27:05 2020 : Debug: (2) Received Access-Request Id 11 from 
> [outsideIP]:37127 to 10.1.2.11:1812 length 91
> Sat Jun 20 12:27:05 2020 : Debug: (2) User-Name = "user at domain.name"
> Sat Jun 20 12:27:05 2020 : Debug: (2) User-Password = "ActualTextPassword"
> Sat Jun 20 12:27:05 2020 : Debug: (2) NAS-IP-Address = [secondIP]
> Sat Jun 20 12:27:05 2020 : Debug: (2) Proxy-State = 0x313632
> Sat Jun 20 12:27:05 2020 : Debug: (2) session-state: No State attribute
> Sat Jun 20 12:27:05 2020 : Debug: (2) # Executing section authorize from 
> file /etc/freeradius/3.0/sitesenabled/eduroam

Sure, OK, so PAP isn't configured. But it shouldn't be for eduroam (at 
least, not in the default outer server).

> Not knowing what I am stepping into, I am a bit unsure where to begin. 
> In checking with the people involved, the incoming request may be 
> correct, or it may have issues.  The local configuration may have 
> issues, or it may be correct...  Any clues as to how I should begin to 
> figure out which area has the problem, and then any pointers for how to 
> fix it?
> 
> What do you need from your end to be able to ask good questions?

The *full* FreeRADIUS debug output (just -X) for a start, not just 
little bits. See

   https://wiki.freeradius.org/list-help

Have you got EAP working (in an eduroam setting or not)? It sounds like 
you need an understanding of that for basics. What is the RADIUS client 
you are using to test?

There's a basic guide to setting up FreeRADIUS for eduroam at

   https://wiki.freeradius.org/guide/eduroam

From what you've posted it doesn't sound like the server is set up 
correctly at all. At least any good consultants would actually test that 
the system works in the environment it was designed for, not with an 
inappropriate test utility.

-- 
Matthew
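
The check made in the reply above (an eduroam request carries an EAP-Message attribute, while the two quoted excerpts carry MS-CHAP-Response and User-Password instead) can be run over debug output mechanically. This is an added example, not part of the original post and not FreeRADIUS code; the function names and the sample lines are constructed for illustration.

```python
import re

# Matches plain -X lines "(1)   Attr = ..." and timestamped -xX lines alike.
RECEIVED = re.compile(r"\((\d+)\)\s+Received Access-Request")
ATTR = re.compile(r"\((\d+)\)\s+([A-Za-z][A-Za-z0-9-]*) =")


def classify(attrs):
    """Name the authentication method implied by a request's attributes."""
    if "EAP-Message" in attrs:
        return "EAP"
    if "MS-CHAP-Response" in attrs or "MS-CHAP2-Response" in attrs:
        return "MS-CHAP without EAP"
    if "User-Password" in attrs:
        return "PAP"
    return "other"


def requests_by_method(debug_text):
    """Map request number -> method, reading only the received packet's dump."""
    attrs, current = {}, None
    for line in debug_text.splitlines():
        m = RECEIVED.search(line)
        if m:
            current = m.group(1)
            attrs[current] = set()
            continue
        m = ATTR.search(line)
        if m and m.group(1) == current:
            attrs[current].add(m.group(2))
        elif re.search(r"\(\d+\)", line):
            current = None  # first non-attribute line ends the packet dump
    return {req: classify(names) for req, names in attrs.items()}


# Constructed sample modelled on the excerpts in the thread (not real traffic).
SAMPLE = """\
Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180 from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
Sat Jun 20 14:10:25 2020 : Debug: (1) User-Name = "user@example.org"
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Response = 0x0001
Sat Jun 20 14:10:25 2020 : Debug: (1) session-state: No State attribute
(2) Received Access-Request Id 11 from 192.0.2.10:37127 to 192.0.2.1:1812 length 91
(2)   User-Password = "constructed-secret"
(2)   Proxy-State = 0x313632
(2) session-state: No State attribute
(3) Received Access-Request Id 12 from 192.0.2.10:37127 to 192.0.2.1:1812 length 120
(3)   EAP-Message = 0x020100150175736572406578616d706c652e6f7267
(3) session-state: No State attribute
"""
```

Only request 3 in the sample is the kind of request an eduroam outer server expects; attributes printed later for a reply (for example an EAP-Message in an Access-Challenge) are ignored because collection stops at the first non-attribute line.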

