I am still running two RADIUS servers (I mean two different physical installations), one handle eduroam SSID and other handle internal SSID - "the one with no outer identity". They work perfectly as each of servers has its own configuration. Now I am trying to combine those two into one server. Here we go: mschap.conf: network={ key_mgmt=WPA-EAP eap=PEAP identity="testuser" anonymous_identity="" password="testpasswd" phase2="auth=MSCHAPV2 mschapv2_retry=0" phase1="peapver=0" } eapol_test -c ./mschap.conf -a 127.0.0.1 -s testing123 Reading configuration file './mschap.conf' Line: 1 - start of a new network block key_mgmt: 0x1 eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00 identity - hexdump_ascii(len=6): 39 39 39 30 30 30 testuser anonymous_identity - hexdump_ascii(len=0): password - hexdump_ascii(len=10): 75 66 54 65 37 78 6a 44 39 71 testpasswd phase2 - hexdump_ascii(len=30): 61 75 74 68 3d 4d 53 43 48 41 50 56 32 20 6d 73 auth=MSCHAPV2 ms 63 68 61 70 76 32 5f 72 65 74 72 79 3d 30 chapv2_retry=0 phase1 - hexdump_ascii(len=9): 70 65 61 70 76 65 72 3d 30 peapver=0 Priority group 0 id=0 ssid='' Authentication server 127.0.0.1:1812 RADIUS local address: 127.0.0.1:59004 ENGINE: Loading dynamic engine ENGINE: Loading dynamic engine EAPOL: SUPP_PAE entering state DISCONNECTED EAPOL: KEY_RX entering state NO_KEY_RECEIVE EAPOL: SUPP_BE entering state INITIALIZE EAP: EAP entering state DISABLED EAPOL: External notification - portValid=0 EAPOL: External notification - portEnabled=1 EAPOL: SUPP_PAE entering state CONNECTING EAPOL: SUPP_BE entering state IDLE EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE Sending fake EAP-Request-Identity EAPOL: Received EAP-Packet frame EAPOL: SUPP_PAE entering state RESTART EAP: EAP entering state INITIALIZE EAP: EAP entering state IDLE EAPOL: SUPP_PAE entering state AUTHENTICATING EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Request id=29 method=1 vendor=0 vendorMethod=0 EAP: EAP entering state IDENTITY CTRL-EVENT-EAP-STARTED EAP authentication started EAP: Status notification: started (param=) EAP: EAP-Request Identity data - hexdump_ascii(len=0): EAP: using anonymous identity - hexdump_ascii(len=0): EAP: EAP entering state SEND_RESPONSE EAP: EAP entering state IDLE EAPOL: SUPP_BE entering state RESPONSE EAPOL: txSuppRsp WPA: eapol_test_eapol_send(type=0 len=5) TX EAP -> RADIUS - hexdump(len=5): 02 1d 00 05 01 Encapsulating EAP message into a RADIUS packet Learned identity from EAP-Response-Identity - hexdump(len=0): Sending RADIUS message to authentication server RADIUS message: code=1 (Access-Request) identifier=0 length=114 Attribute 1 (User-Name) length=2 Value: '' Attribute 4 (NAS-IP-Address) length=6 Value: 127.0.0.1 Attribute 31 (Calling-Station-Id) length=19 Value: '02-00-00-00-00-01' Attribute 12 (Framed-MTU) length=6 Value: 1400 Attribute 61 (NAS-Port-Type) length=6 Value: 19 Attribute 6 (Service-Type) length=6 Value: 2 Attribute 77 (Connect-Info) length=24 Value: 'CONNECT 11Mbps 802.11b' Attribute 79 (EAP-Message) length=7 Value: 021d000501 Attribute 80 (Message-Authenticator) length=18 Value: 27476a384e7596824785e4efdc30b52c Next RADIUS client retransmit in 3 seconds EAPOL: SUPP_BE entering state RECEIVE EAPOL: startWhen --> 0 STA 02:00:00:00:00:01: Resending RADIUS message (id=0) Next RADIUS client retransmit in 6 seconds STA 02:00:00:00:00:01: Resending RADIUS message (id=0) Next RADIUS client retransmit in 12 seconds ^CSignal 2 received - terminating EAPOL: EAP key not available EAPOL: EAP Session-Id not available WPA: Clear old PMK and PTK MPPE keys OK: 0 mismatch: 1 FAILURE On Thu, Aug 15, 2019 at 3:25 AM Alan DeKok <aland@deployingradius.com> wrote:
On Aug 14, 2019, at 12:58 PM, Marek Des <desmarek1@gmail.com> wrote:
Well, about empty realm - I mean this: 1) outer identity: empty
That's an issue. The outer identity shouldn't be empty. In RADIUS, it's *forbidden* to have an empty User-Name.
See RFC 7542. The outer identity should be "anonymous", or maybe "@realm" where it's your realm.
2) inner identity: username
I need to authenticate two kind of users: 1) ones with credentials above 2) eduroam
Except that an empty outer identity means that your users will *never* be able to use eduroam. An outer User-Name of "@example.com" is routable back to you via eduroam. An empty outer User-Name will just get dropped on the floor.
The only difference is in outer and inner identity. The both setups use EAP + MSCHAPv2 and OpenLDAP.
I am trying to handle those two kind of users in single virtual server
You generally *must* run them in a single virtual server. Because the Ads will send both user authentications to one RADIUS server. And the RADIUS server has to figure it out.
and it doesn't work - it says it's proxying request to localhost and that's it.
See the FAQ for "it doesn't work". And post the *actual* debug output. Not a one-line summary.
What you
proxy.conf:
We don't need to see that. The documentation says to post the debug log, *not* the configuration files.
Virtual server for inner identity:
We don't need to see that, either. If it doesn't work, it's wrong. If you post the debug output, we see it *running* the configuration, which is infinitely more useful.
What you should be doing is:
* all users log in with a non-empty outer identity. * *your* users log in with outer identity of "@my.domain.tld" * the FreeRADIUS configuration has that domain as a local one * everything else gets proxied to eduroam
A long and detailed guide is in the Wiki: https://wiki.freeradius.org/guide/eduroam
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html