On 09/05/2025 11:08, Christoph Egger wrote:
Am 09.05.25 um 10:55 schrieb Matthew Newton via Freeradius-Users:
On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
switch -> freeradius: access-request (1), id: 0x2d freeradius -> switch: access-reject (3), id: 0x2d freeradius -> switch: access-accept (2), id: 0x2c
FreeRADIUS never sends a reject followed by an accept for the same request.
As always, what does the full debug output show?
11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF], proto UDP (17), length 227) SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199 Access-Request (1), id: 0x36, Authenticator: 1c90635e4f03a9b669a2402965fc8e41 User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
request ID 54 (0x36)
11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF], proto UDP (17), length 66) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38 Access-Reject (3), id: 0x36, Authenticator: d657e1caadf330afa206db0ffe469c17
response to request ID 54
11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF], proto UDP (17), length 88) 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60 Access-Accept (2), id: 0x35, Authenticator: dfd3f8ac0586d2551621d599d5a00839
response to request ID 53 (0x35)
Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump:
... Request ID 53 (number 52), weird looking request, maybe it's an odd form of mac auth bypass?
authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217 authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (52) Service-Type = Framed-User authentik-freeradius-1 | (52) # Executing section authorize from file / opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) } # policy filter_username = notfound authentik-freeradius-1 | (52) [preprocess] = ok authentik-freeradius-1 | (52) [chap] = noop authentik-freeradius-1 | (52) [mschap] = noop authentik-freeradius-1 | (52) [digest] = noop authentik-freeradius-1 | (52) suffix: Checking for suffix after "@" authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel authentik-freeradius-1 | (52) authorize { authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now
waiting for proxy ... request ID 53 (number 53), EAP...
authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199 authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme" authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3 authentik-freeradius-1 | (53) NAS-Port = 3 authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4" authentik-freeradius-1 | (53) Service-Type = Framed-User authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E" authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094 authentik-freeradius-1 | (53) # Executing section authorize from file / opt/etc/raddb/sites-enabled/default authentik-freeradius-1 | (53) authorize { authentik-freeradius-1 | (53) policy filter_username { authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name) -> TRUE authentik-freeradius-1 | (53) if (&User-Name) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) { authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) { authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) { authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE authentik-freeradius-1 | (53) } # if (&User-Name) = notfound authentik-freeradius-1 | (53) } # policy filter_username = notfound authentik-freeradius-1 | (53) [preprocess] = ok authentik-freeradius-1 | (53) [chap] = noop authentik-freeradius-1 | (53) [mschap] = noop authentik-freeradius-1 | (53) [digest] = noop authentik-freeradius-1 | (53) suffix: Checking for suffix after "@" authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL authentik-freeradius-1 | (53) suffix: No such realm "NULL" authentik-freeradius-1 | (53) eap: Continuing tunnel setup authentik-freeradius-1 | (53) [eap] = ok authentik-freeradius-1 | (53) } # authorize = ok authentik-freeradius-1 | (53) Found Auth-Type = eap authentik-freeradius-1 | (53) # Executing group from file /opt/etc/ raddb/sites-enabled/default authentik-freeradius-1 | (53) authenticate { authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet. authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client. authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP- response to an unknown EAP-request
...but it's a broken client, FreeRADIUS gives up.
authentik-freeradius-1 | Waking up in 0.6 seconds. authentik-freeradius-1 | (53) Sending delayed response authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38 authentik-freeradius-1 | Waking up in 3.9 seconds. authentik-freeradius-1 |
Cleaning up the previous auth after response from proxy server:
(52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) The packet does not contain Message- Authenticator, which is a security issue authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! authentik-freeradius-1 | (52) Clearing existing &reply: attributes authentik-freeradius-1 | (52) Found Auth-Type = eap authentik-freeradius-1 | (52) Found Auth-Type = Accept authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme' authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user authentik-freeradius-1 | (52) # Executing section post-auth from file / opt/etc/raddb/sites-enabled/default ...
authentik-freeradius-1 | (52) } # post-auth = updated authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60 authentik-freeradius-1 | (52) Framed-MTU += 994 authentik-freeradius-1 | (52) Tunnel-Type = VLAN authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802 authentik-freeradius-1 | (52) Finished request
Looks like your NAS is broken, sending invalid requests, or not waiting for the first one to finish before sending another. -- Matthew