On 2/19/13, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 19/02/13 09:11, Muhammad Nadeem wrote:
Hi, everybody I have used pre-shipped certificates of Freeradius for testing purpose. This testing was succeed with a test user 'bob', with files authentication. Now in the next step I wanna authenticate a user from my Database with Digital certificates. When i authenticate the user, server side confirm and send "Access-Accept" packet, but at client, following error occurs. " No Message-Authenticator attribute found Incoming RADIUS packet did not have correct Message-Authenticator - dropped STA 02:00:00:00:00:01: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet"
I googled this problem and found a solution that the user Auth-type is set to Accept (I manually checked the user in Database , and its Auth-Type was Accept) and this type prevent further process.
Yes
Now my question is that , could I continue EAP-TLS authentication, regardless of Auth-Type is set to Accept???
No. Don't set Auth-Type unless you know what you're doing. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Ok thanx, I suucceed to authenticate the users from a database. But when i setup the same setup on another machine, I was failed :( The following output is the debug output of the freeradius server. (I think EAP NAK,, is creating problems). Ready to process requests. rad_recv: Access-Request packet from host 192.168.0.112 port 35397, id=0, length=132 User-Name = "001AAD3F8165" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x0200001101303031414144334638313635 Message-Authenticator = 0xebcf3f94a32bf89eaabf4be3b2ce493b # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 0 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [eap] EAP packet type response id 0 length 17 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> 001AAD3F8165 [sql] sql_set_user escaped user --> '001AAD3F8165' rlm_sql (sql): Reserving sql socket id: 9 [sql] expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM dual ORDER BY RC_ID [sql] User found in radcheck table [sql] expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE, RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION = upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in (SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS = '%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE, RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION = upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS = '127.0.0.1') rlm_sql (sql): Released sql socket id: 9 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = Accept Found Auth-Type = EAP Warning: Found 2 auth-types on request for user '001AAD3F8165' # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type tls [tls] Requiring client certificate [tls] Initiate [tls] Start returned 1 ++[eap] returns handled Sending Access-Challenge of id 0 to 192.168.0.112 port 35397 Qos-Policing-Profile-Name := "128K_UL" Qos-Metering-Profile-Name := "512K_DL" Context-Name := "Postpaid-VR" DHCP-Max-Leases := 1 Forward-Policy := "in:nonpayment_redirect_post" HTTP-Redirect-Profile-Name := "nonpayment_redirect" EAP-Message = 0x010100060d20 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xb13fd7b2b13eda2327535c6f1b5e461f Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.0.112 port 35397, id=1, length=139 User-Name = "001AAD3F8165" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "02-00-00-00-00-01" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" EAP-Message = 0x020100060300 State = 0xb13fd7b2b13eda2327535c6f1b5e461f Message-Authenticator = 0x568912b7d14f9d2ed1a8cad6e4504182 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "001AAD3F8165", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [eap] EAP packet type response id 1 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [sql] expand: %{User-Name} -> 001AAD3F8165 [sql] sql_set_user escaped user --> '001AAD3F8165' rlm_sql (sql): Reserving sql socket id: 8 [sql] expand: SELECT '1' AS RC_ID,'%{SQL-USER-NAME}' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('%{SQL-User-Name}') AS Value,':=' AS op FROM dual ORDER BY RC_ID -> SELECT '1' AS RC_ID,'001AAD3F8165' AS USERNAME,'Auth-Type' AS Attribute, AAA_GETVALUETOCHECKWITRIBE('001AAD3F8165') AS Value,':=' AS op FROM dual ORDER BY RC_ID [sql] User found in radcheck table [sql] expand: select rownum, '%{SQL-USER-NAME}', RR_ATTRIBUTE, RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION = upper(replace('%{SQL-USER-NAME}',':','')) ) AND NE_ELEMENTID in (SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS = '%{NAS-IP-Address}') -> select rownum, '001AAD3F8165', RR_ATTRIBUTE, RR_VALUE, RR_OP FROM AAA_TBLRADREPLY where PI_PROFILEID in (SELECT PI_PROFILEID FROM SM_TBLSUBSIDENTIFICATIONS WHERE SI_IDENTIFICATION = upper(replace('001AAD3F8165',':','')) ) AND NE_ELEMENTID in (SELECT NE_ELEMENTID FROM NC_TBLNEACESSCONF WHERE NEAC_IPADDRESS = '127.0.0.1') rlm_sql (sql): Released sql socket id: 8 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = Accept Found Auth-Type = EAP Warning: Found 2 auth-types on request for user '001AAD3F8165' # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP NAK [eap] NAK asked for bad type 0 [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Using Post-Auth-Type REJECT # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group REJECT {...} [sql] expand: %{User-Name} -> 001AAD3F8165 [sql] sql_set_user escaped user --> '001AAD3F8165' ++[sql] returns noop [attr_filter.access_reject] expand: %{User-Name} -> 001AAD3F8165 attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 1 to 192.168.0.112 port 35397 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. Cleaning up request 0 ID 0 with timestamp +7 Waking up in 0.9 seconds. Cleaning up request 1 ID 1 with timestamp +7 Ready to process requests.