Freeradius-Users
Threads by month
- ----- 2026 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2025 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2005 -----
- December
- November
- October
- September
- August
- July
- June
- May
November 2020
- 45 participants
- 44 discussions
EAP fails on TLS protocol version with Windows 7, works fine with Windows 10
by Jochem Sparla 24 Nov '20
by Jochem Sparla 24 Nov '20
24 Nov '20
I have a setup with a Windows 7 and Windows 10 computer authenticating with FreeRADIUS 3.0.20 running on Ubuntu 20.04.
The Windows 7 client fails due to a TLS protocol version error:
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 0062]
(2) eap_peap: >>> send TLS 1.0 Alert [length 0002], fatal protocol_version
(2) eap_peap: ERROR: TLS Alert write:fatal:protocol version
tls: TLS_accept: Error in error
(2) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read): error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
(2) eap_peap: ERROR: System call (I/O) error (-1)
(2) eap_peap: ERROR: TLS receive handshake failed during operation
(2) eap_peap: ERROR: [eaptls process] = fail
(2) eap: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed
(2) eap: Sending EAP Failure (code 4) ID 3 length 4
(2) eap: Failed in EAP select
(2) [eap] = invalid
(2) } # authenticate = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
The Windows 10 client, with the same settings on both the client, switch and the same RADIUS server, works fine:
(2) eap_peap: TLS_accept: before SSL initialization
(2) eap_peap: <<< recv TLS 1.3 [length 0097]
(2) eap_peap: TLS_accept: SSLv3/TLS read client hello
(2) eap_peap: >>> send TLS 1.2 [length 003d]
(2) eap_peap: TLS_accept: SSLv3/TLS write server hello
(2) eap_peap: >>> send TLS 1.2 [length 0308]
(2) eap_peap: TLS_accept: SSLv3/TLS write certificate
(2) eap_peap: >>> send TLS 1.2 [length 014d]
(2) eap_peap: TLS_accept: SSLv3/TLS write key exchange
(2) eap_peap: >>> send TLS 1.2 [length 0004]
(2) eap_peap: TLS_accept: SSLv3/TLS write server done
(2) eap_peap: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_peap: TLS - In Handshake Phase
(2) eap_peap: TLS - got 1194 bytes of data
(2) eap_peap: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 1004
(2) eap: EAP session adding &reply:State = 0x30a058ae32a441c4
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
TLS is configured in mods-enabled/eap:
tls_max_version = "1.2"
tls_min_version = "1.0"
I have been breaking my head and searching this for multiple days.
The problem does not seem to be in the lack of TLS 1.3 support in FreeRADIUS/OpenSSL1.1.1f, because the Win10 client works fine. It starts by asking for TLS 1.3, but gets set to TLS 1.2 and works.
I seems my standard Windows 7 client (fully up to date) sends a bad TLS message, but I have no clue where to look for a solution.
Thanks in advance, Jochem
IOLAN B.V. • Mon Plaisir 26 • 4879 AN Etten-Leur • The Netherlands
T +31 (0)76 50 26 100 • F +31 (0)76 50 26 199
E iolan(a)iolan.com • I http://www.iolan.com/
De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend
bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u
verzocht de inhoud niet te gebruiken en de afzender direct te informeren door
het bericht te retourneren.
The information contained in this message may be confidential and is
intended to be exclusively for the addressee. Should you receive this message
unintentionally, please do not use the contents here in and notify the sender
immediately by return e-mail.
3
9
Hi Alan,
Thanks for your comments.
>Define "downloaded".
>Did you add that CA to the WiFi profile for the SSID?
I am creating a passpoint.config file for android devices and adding trust root CA certificate to profile. So yes Wifi profile has CA.
I am using GlobalSign Trusted Root certificate both on android clients and freeradius. On freeradies what i did in tls config :
tls-config tls-common {
ca_file = /etc/freeradius/3.0/certs/trustrootg2.pem
}
"trustrootg2.pem" is the certificate which i said GlobalSign Trusted Root certificate.
Also when i try with an ios device ,it does not give a CA error, but still dont Proxy to my home Radius.
Here is the ios log :
Received Access-Request Id 228 from 213.74.143.148:49579 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001495fbd0ab0"
(2) Acct-Session-Id = "5fbd0ab0/74:8d:08:b1:f2:17/395"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xc1d738d9c0d42d379f86d1a140b85bf5
(2) Message-Authenticator = 0xb6eaf292518a6a1b0412bcf447a369fa
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xc1d738d9c0d42d37
(2) eap: Finished EAP session with state 0xc1d738d9c0d42d37
(2) eap: Previous EAP request found for state 0xc1d738d9c0d42d37, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xc1d738d9c3d32d37
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 228 from 10.0.0.4:1812 to 213.74.143.148:49579 length 0
(2) EAP-Message = 0x01040150158000000528dea40bf695dd65cb94e7c64b46f8258e37d115bb5f05ad0b211b1baa131094fc84322e71cb87edc23a19c828d577c87f25ecca323b3e2dcc510401010075eb53b211d878436e2ddb265dee9684eb997a14467b69e48677af7b3f42eae785a2d3a56a072120c33db568484a78c4
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xc1d738d9c3d32d379f86d1a140b85bf5
(2) Finished request
Thank you so much.
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
2
1
Hi Alan,
Thanks for reply.
>The Android device wasn't configured with the CA used by FreeRADIUS. So... add the CA to the android system, and configure it to use that CA when authenticating to FreeRADIUS.
I created freeradius CA certificate according to https://wiki.freeradius.org/config/Certificates link. Then eap config for using new created ca.pem
Also i downloaded ca.pem file to my Android device but still getting same error.
eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
I dont understand what you mean with "use that CA when authenticating to FreeRADIUS". What i read in EAP-TTLS, auth server sends the certificate and client validates for open a secure tunnel. Why client have to sent the certificate ?
Regards.
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
2
1
How I do to User/Machine Certificate + LDAP User/Pass Authentication?
by Jose Ramón Arnau Garví 24 Nov '20
by Jose Ramón Arnau Garví 24 Nov '20
24 Nov '20
The ide is some similar to 2fa:
* First I authenticate with User/Machine Certificate
* Next I want to Introduce User/Pass to Authenticate with ldap througt Active Directory
Can Anyone help me
Notes:
* I can authenticate with User/Machine Certificate
* I can authenticate with User/pass with ldapt througt Active Directory
I can't authenticate with 2 simultaneously
Saludos.
Jose Ramón Arnau Garví
Administrador de Sistemas
Área de Tecnologías de la Información
jarnau(a)grupogimeno.com<mailto:jarnau@grupogimeno.com>
[Skype Empleado]<sip:jarnau@grupogimeno.com>
[Logo Empresa]
Avda. del Mar 51 bajo
C.P.: 12003 - Castellón
Tel.: 964 727 101<tel:964%20727%20101>
www.grupogimeno.com<http://www.grupogimeno.com>
[Linkedin Empresa]<https://es.linkedin.com/company/grupogimeno>
[Logo Division]
5
5
Hello,
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius
client nevotek {
ipaddr = 213.74.143.140
secret = testing1234
}
2. add home_server in proxy.conf
home_server IAS {
ipaddr = 192.168.0.252<tel:+11921680252>
port = 1812
type = "auth"
secret = "secret"
response_window = 20
max_outstanding = 65536
}
home_server_pool jack_pool {
type = fail-over
home_server = IAS
}
realm nevotek {
auth_pool = jack_pool
nostirp
}
3. edit eap.cof
default_eap_type = ttls
and in ttls function :
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "nevotek"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
5. disabled "suffix" part in sites-enabled/default
But no chance. Also android and IOS devices has different behaviors.
Here is the output of IOS device :
(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com<mailto:iosuser2@nevotek.com>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com<http://1nevotek.com/>"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001205<tel:+11000001205>fbba08c"
(2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038<tel:+10401010038>af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request
And here is the output of Android device :
(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com<http://1nevotek.com/>"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001275<tel:+11000001275>fbbbb17"
(2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xd875f9c9d976ec270910ae6415adb475
(2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699<tel:+11163699>a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>"
(3) Chargeable-User-Identity = 0x00
(3) Operator-Name = "1nevotek.com<http://1nevotek.com/>"
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3) NAS-Port = 4
(3) Cisco-AVPair = "audit-session-id=0a0102e1000001275<tel:+11000001275>fbbbb17"
(3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3) NAS-IP-Address = 10.1.2.225
(3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3) Airespace-Wlan-Id = 7
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204000<tel:+10204000>d150015030300020230
(3) State = 0xd875f9c9da71ec270910ae6415adb475
(3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915<tel:+18072580915>cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(3) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2 [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000<tel:+11000000> seconds Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3) EAP-Message = 0x04040004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26
Regards.
Get Outlook for Android<https://aka.ms/ghei36>
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
1
0
Hello,
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius
client nevotek {
ipaddr = 213.74.143.140
secret = testing1234
}
2. add home_server in proxy.conf
home_server IAS {
ipaddr = 192.168.0.252
port = 1812
type = "auth"
secret = "secret"
response_window = 20
max_outstanding = 65536
}
home_server_pool jack_pool {
type = fail-over
home_server = IAS
}
realm nevotek {
auth_pool = jack_pool
nostirp
}
3. edit eap.cof
default_eap_type = ttls
and in ttls function :
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "nevotek"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
5. disabled "suffix" part in sites-enabled/default
But no chance. Also android and IOS devices has different behaviors.
Here is the output of IOS device :
(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c"
(2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request
And here is the output of Android device :
(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2) User-Name = "anonymous(a)nevotek.com"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xd875f9c9d976ec270910ae6415adb475
(2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3) User-Name = "anonymous(a)nevotek.com"
(3) Chargeable-User-Identity = 0x00
(3) Operator-Name = "1nevotek.com"
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3) NAS-Port = 4
(3) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3) NAS-IP-Address = 10.1.2.225
(3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3) Airespace-Wlan-Id = 7
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204000d150015030300020230
(3) State = 0xd875f9c9da71ec270910ae6415adb475
(3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2 [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> anonymous(a)nevotek.com
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3) EAP-Message = 0x04040004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26
Regards.
Sent from Yahoo Mail on Android
1
0
Hello,
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius
client nevotek {
ipaddr = 213.74.143.140
secret = testing1234
}
2. add home_server in proxy.conf
home_server IAS {
ipaddr = 192.168.0.252
port = 1812
type = "auth"
secret = "secret"
response_window = 20
max_outstanding = 65536
}
home_server_pool jack_pool {
type = fail-over
home_server = IAS
}
realm nevotek {
auth_pool = jack_pool
nostirp
}
3. edit eap.cof
default_eap_type = ttls
and in ttls function :
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "nevotek"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
5. disabled "suffix" part in sites-enabled/default
But no chance. Also android and IOS devices has different behaviors.
Here is the output of IOS device :
(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com<mailto:iosuser2@nevotek.com>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c"
(2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request
And here is the output of Android device :
(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xd875f9c9d976ec270910ae6415adb475
(2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>"
(3) Chargeable-User-Identity = 0x00
(3) Operator-Name = "1nevotek.com"
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3) NAS-Port = 4
(3) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3) NAS-IP-Address = 10.1.2.225
(3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3) Airespace-Wlan-Id = 7
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204000d150015030300020230
(3) State = 0xd875f9c9da71ec270910ae6415adb475
(3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(3) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2 [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3) EAP-Message = 0x04040004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26
Regards.
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
1
0
Hello,
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius
client nevotek {
ipaddr = 213.74.143.140
secret = testing1234
}
2. add home_server in proxy.conf
home_server IAS {
ipaddr = 192.168.0.252
port = 1812
type = "auth"
secret = "secret"
response_window = 20
max_outstanding = 65536
}
home_server_pool jack_pool {
type = fail-over
home_server = IAS
}
realm nevotek {
auth_pool = jack_pool
nostirp
}
3. edit eap.cof
default_eap_type = ttls
and in ttls function :
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "nevotek"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
5. disabled "suffix" part in sites-enabled/default
But no chance. Also android and IOS devices has different behaviors.
Here is the output of IOS device :
(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c"
(2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request
And here is the output of Android device :
(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2) User-Name = "anonymous(a)nevotek.com"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xd875f9c9d976ec270910ae6415adb475
(2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./) {
(2) if (&User-Name =~ /(a)\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3) User-Name = "anonymous(a)nevotek.com"
(3) Chargeable-User-Identity = 0x00
(3) Operator-Name = "1nevotek.com"
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3) NAS-Port = 4
(3) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3) NAS-IP-Address = 10.1.2.225
(3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3) Airespace-Wlan-Id = 7
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204000d150015030300020230
(3) State = 0xd875f9c9da71ec270910ae6415adb475
(3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./) {
(3) if (&User-Name =~ /(a)\./) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2 [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> anonymous(a)nevotek.com
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3) EAP-Message = 0x04040004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25
Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26
Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26
Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26
Regards.
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
2
1
Hello,
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius
client nevotek {
ipaddr = 213.74.143.140
secret = testing1234
}
2. add home_server in proxy.conf
home_server IAS {
ipaddr = 192.168.0.252
port = 1812
type = "auth"
secret = "secret"
response_window = 20
max_outstanding = 65536
}
home_server_pool jack_pool {
type = fail-over
home_server = IAS
}
realm nevotek {
auth_pool = jack_pool
nostirp
}
3. edit eap.cof
default_eap_type = ttls
and in ttls function :
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "nevotek"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
5. disabled "suffix" part in sites-enabled/default
But no chance. Also android and IOS devices has different behaviors.
Here is the output of IOS device :
(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com<mailto:iosuser2@nevotek.com><mailto:iosuser2@nevotek.com%3cmailto:iosuser2@nevotek.com%3e>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c"
(2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)%3cmailto:/@(.+)\.(.+)$/)>>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)%3cmailto:/@(.+)\.(.+)$/)>>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./<mailto:/@\./%3cmailto:/@\./>>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./<mailto:/@\./%3cmailto:/@\./>>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request
And here is the output of Android device :
(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com><mailto:anonymous@nevotek.com%3cmailto:anonymous@nevotek.com%3e>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xd875f9c9d976ec270910ae6415adb475
(2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)%3cmailto:/@(.+)\.(.+)$/)>>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)%3cmailto:/@(.+)\.(.+)$/)>>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./<mailto:/@\./%3cmailto:/@\./>>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./<mailto:/@\./%3cmailto:/@\./>>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com><mailto:anonymous@nevotek.com%3cmailto:anonymous@nevotek.com%3e>"
(3) Chargeable-User-Identity = 0x00
(3) Operator-Name = "1nevotek.com"
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3) NAS-Port = 4
(3) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3) NAS-IP-Address = 10.1.2.225
(3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3) Airespace-Wlan-Id = 7
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204000d150015030300020230
(3) State = 0xd875f9c9da71ec270910ae6415adb475
(3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)%3cmailto:/@(.+)\.(.+)$/)>>) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)%3cmailto:/@(.+)\.(.+)$/)>>) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./<mailto:/@\./<mailto:/@\./%3cmailto:/@\./>>) {
(3) if (&User-Name =~ /(a)\./<mailto:/@\./<mailto:/@\./%3cmailto:/@\./>>) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2 [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> anonymous(a)nevotek.com<mailto:anonymous@nevotek.com<mailto:anonymous@nevotek.com%3cmailto:anonymous@nevotek.com>>
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3) EAP-Message = 0x04040004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26
Regards.
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
1
0
Hello,
I desperately need your help. I am noob with FreeRadius so please guide me what i am doing wrong.
My point is using freeradius as a Proxy. Because we already have a PAP supported Radius, so i want to do eap auth part on freeradius and then Proxy the Access-request to our own Radius. We are trying 802.1x authantication.
According to my readings i did below steps :
1 . Edit clients.conf for my mobile devices to Access freeradius
client nevotek {
ipaddr = 213.74.143.140
secret = testing1234
}
2. add home_server in proxy.conf
home_server IAS {
ipaddr = 192.168.0.252
port = 1812
type = "auth"
secret = "secret"
response_window = 20
max_outstanding = 65536
}
home_server_pool jack_pool {
type = fail-over
home_server = IAS
}
realm nevotek {
auth_pool = jack_pool
nostirp
}
3. edit eap.cof
default_eap_type = ttls
and in ttls function :
ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = yes
proxy_tunneled_request_as_eap = no
virtual_server = "proxy-inner-tunnel"
}
4. prepare Proxy.config soft link for sites-enabled, added nevotek in proxy-inner-tunnel:
server proxy-inner-tunnel {
authorize {
update control {
Proxy-To-Realm := "nevotek"
}
}
authenticate {
eap
}
post-proxy {
eap
}
}
5. disabled "suffix" part in sites-enabled/default
But no chance. Also android and IOS devices has different behaviors.
Here is the output of IOS device :
(2) Received Access-Request Id 216 from 213.74.143.148:19733 to 10.0.0.4:1812 length 311
(2) User-Name = "iosuser2(a)nevotek.com<mailto:iosuser2@nevotek.com>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "74-8d-08-b1-f2-17"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001205fbba08c"
(2) Acct-Session-Id = "5fbba08c/74:8d:08:b1:f2:17/352"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xca8e79cacb8d6ce3fd1d37ee8f32d170
(2) Message-Authenticator = 0xc7b01c5b471b2eb70578f1dc7ed6e7ea
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Finished EAP session with state 0xca8e79cacb8d6ce3
(2) eap: Previous EAP request found for state 0xca8e79cacb8d6ce3, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xca8e79cac88a6ce3
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 216 from 10.0.0.4:1812 to 213.74.143.148:19733 length 0
(2) EAP-Message = 0x01040150158000000528d123b84f84592a0a7ccb12b23ec09a0c025464d3f258d5090bffa282b17870910449329f906380b0b4340ef2b6a1dc73e72d35763148b65bfc0401010038af8b17d95590598994e5ec35c96642e3e8fce291173f61b7e1ca06aa4b749dd3f2bbe12175a964524311069490e0f6
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xca8e79cac88a6ce3fd1d37ee8f32d170
(2) Finished request
And here is the output of Android device :
(2) Received Access-Request Id 59 from 213.74.143.148:38031 to 10.0.0.4:1812 length 312
(2) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>"
(2) Chargeable-User-Identity = 0x00
(2) Operator-Name = "1nevotek.com"
(2) Location-Capable = Civic-Location
(2) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(2) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(2) NAS-Port = 4
(2) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(2) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(2) NAS-IP-Address = 10.1.2.225
(2) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(2) Airespace-Wlan-Id = 7
(2) Service-Type = Framed-User
(2) Framed-MTU = 1300
(2) NAS-Port-Type = Wireless-802.11
(2) EAP-Message = 0x020300061500
(2) State = 0xd875f9c9d976ec270910ae6415adb475
(2) Message-Authenticator = 0xe92ebb9e5e7641c5515a25ae2ee50929
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(2) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) [mschap] = noop
(2) [digest] = noop
(2) eap: Peer sent EAP Response (code 2) ID 3 length 6
(2) eap: Continuing tunnel setup
(2) [eap] = ok
(2) } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) authenticate {
(2) eap: Expiring EAP session with state 0xd875f9c9d976ec27
(2) eap: Finished EAP session with state 0xd875f9c9d976ec27
(2) eap: Previous EAP request found for state 0xd875f9c9d976ec27, released from the list
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: Peer ACKed our handshake fragment
(2) eap_ttls: [eaptls verify] = request
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 4 length 336
(2) eap: EAP session adding &reply:State = 0xd875f9c9da71ec27
(2) [eap] = handled
(2) } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2) Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 59 from 10.0.0.4:1812 to 213.74.143.148:38031 length 0
(2) EAP-Message = 0x01040150158000000528a2e03207e6a1163699a1cff7af74692beaafff15b2a3033c4d0238dd7014db04f7f40d669da91832dd39bbdbfca1bdb456f26f4a981b5a820108040100b7a20cf24aad9d35b94575b849f9e8ef528d1b13e7caea59f3cc578845763a601b7fceb8ffda9d989423730b5ea4c0f3
(2) Message-Authenticator = 0x00000000000000000000000000000000
(2) State = 0xd875f9c9da71ec270910ae6415adb475
(2) Finished request
Waking up in 4.3 seconds.
(3) Received Access-Request Id 60 from 213.74.143.148:38031 to 10.0.0.4:1812 length 319
(3) User-Name = "anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>"
(3) Chargeable-User-Identity = 0x00
(3) Operator-Name = "1nevotek.com"
(3) Location-Capable = Civic-Location
(3) Calling-Station-Id = "04-b1-a1-53-4d-1e"
(3) Called-Station-Id = "58-f3-9c-43-52-a0:Nevotek"
(3) NAS-Port = 4
(3) Cisco-AVPair = "audit-session-id=0a0102e1000001275fbbbb17"
(3) Acct-Session-Id = "5fbbbb17/04:b1:a1:53:4d:1e/359"
(3) NAS-IP-Address = 10.1.2.225
(3) NAS-Identifier = "aa5a6c45-b2c2-436b-90da-0ed2031"
(3) Airespace-Wlan-Id = 7
(3) Service-Type = Framed-User
(3) Framed-MTU = 1300
(3) NAS-Port-Type = Wireless-802.11
(3) EAP-Message = 0x0204000d150015030300020230
(3) State = 0xd875f9c9da71ec270910ae6415adb475
(3) Message-Authenticator = 0xbd27e9cbdb496b0f8072580915cabc5d
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3) authorize {
(3) policy filter_username {
(3) if (&User-Name) {
(3) if (&User-Name) -> TRUE
(3) if (&User-Name) {
(3) if (&User-Name =~ / /) {
(3) if (&User-Name =~ / /) -> FALSE
(3) if (&User-Name =~ /@[^@]*@/ ) {
(3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(3) if (&User-Name =~ /\.\./ ) {
(3) if (&User-Name =~ /\.\./ ) -> FALSE
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) {
(3) if ((&User-Name =~ /@/) && (&User-Name !~ /(a)(.+)\.(.+)$/)<mailto:/@(.+)\.(.+)$/)>) -> FALSE
(3) if (&User-Name =~ /\.$/) {
(3) if (&User-Name =~ /\.$/) -> FALSE
(3) if (&User-Name =~ /(a)\./<mailto:/@\./>) {
(3) if (&User-Name =~ /(a)\./<mailto:/@\./>) -> FALSE
(3) } # if (&User-Name) = notfound
(3) } # policy filter_username = notfound
(3) [preprocess] = ok
(3) [chap] = noop
(3) [mschap] = noop
(3) [digest] = noop
(3) eap: Peer sent EAP Response (code 2) ID 4 length 13
(3) eap: Continuing tunnel setup
(3) [eap] = ok
(3) } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) authenticate {
(3) eap: Expiring EAP session with state 0xd875f9c9da71ec27
(3) eap: Finished EAP session with state 0xd875f9c9da71ec27
(3) eap: Previous EAP request found for state 0xd875f9c9da71ec27, released from the list
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: [eaptls verify] = ok
(3) eap_ttls: Done initial handshake
(3) eap_ttls: <<< recv TLS 1.2 [length 0002]
(3) eap_ttls: ERROR: TLS Alert read:fatal:unknown CA
(3) eap_ttls: TLS_accept: Need to read more data: error
(3) eap_ttls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(3) eap_ttls: In SSL Handshake Phase
(3) eap_ttls: In SSL Accept mode
(3) eap_ttls: SSL Application Data
(3) eap_ttls: ERROR: TLS failed during operation
(3) eap_ttls: ERROR: [eaptls process] = fail
(3) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(3) eap: Sending EAP Failure (code 4) ID 4 length 4
(3) eap: Failed in EAP select
(3) [eap] = invalid
(3) } # authenticate = invalid
(3) Failed to authenticate the user
(3) Using Post-Auth-Type Reject
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3) Post-Auth-Type REJECT {
(3) attr_filter.access_reject: EXPAND %{User-Name}
(3) attr_filter.access_reject: --> anonymous(a)nevotek.com<mailto:anonymous@nevotek.com>
(3) attr_filter.access_reject: Matched entry DEFAULT at line 11
(3) [attr_filter.access_reject] = updated
(3) [eap] = noop
(3) policy remove_reply_message_if_eap {
(3) if (&reply:EAP-Message && &reply:Reply-Message) {
(3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(3) else {
(3) [noop] = noop
(3) } # else = noop
(3) } # policy remove_reply_message_if_eap = noop
(3) } # Post-Auth-Type REJECT = updated
(3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(3) Sending delayed response
(3) Sent Access-Reject Id 60 from 10.0.0.4:1812 to 213.74.143.148:38031 length 44
(3) EAP-Message = 0x04040004
(3) Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.1 seconds.
(0) Cleaning up request packet ID 57 with timestamp +25 Waking up in 0.2 seconds.
(1) Cleaning up request packet ID 58 with timestamp +26 Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 59 with timestamp +26 Waking up in 0.2 seconds.
(3) Cleaning up request packet ID 60 with timestamp +26
Regards.
[http://www.nevotek.com/nevotekmail/logo.png] Mesut Ozturk
R&D Senior Developer
P: +902122867576 E: mesut(a)nevotek.com
F: +902122867476 W: www.nevotek.com
[http://www.nevotek.com/nevotekmail/maps-icon.png] Santa Clara-CA, USA<https://www.google.com/maps/place/5201+Great+America+Pkwy+%23320,+Santa+Cla…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Istanbul, TURKEY<https://www.google.com/maps/search/teknokent,+Istanbul,+Turkey/@41.106333,2…> [http://www.nevotek.com/nevotekmail/maps-icon.png] Dubai, UAE<https://www.google.com/maps/place/Internet+City,+Building+%2314+-+Dubai+-+U…>
[www.nevotek.com]<www.nevotek.com>
1
0