Hi,
I'm new to RADIUS servers and I'm trying to enable EAP-FAST. Is there a documentation I can use to enable it? I'm using version 3.0.12.
The documentation in the EAP module is all you need.
Anyway, this is what I've done.
That should work.
I don't know where to look at in the debug output but shown below is part of it.
(9) eap_fast: Got tunneled Access-Reject (9) eap_fast: Reject (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed
Well... look at the *earlier* messages to see what's wrong. If you're running it in a terminal, the error message will even be colourised to show importance.
I'm seeing another error, MS-CHAP2-Response is failing. And there are warnings also shown. Please help me solve this. Thanks. (8) eap_fast: WARNING: AUTHENTICATION (8) eap_fast: WARNING: AUTHENTICATION (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed Shown below in a snippet of the debug output. (8) Received Access-Request Id 120 from 10.30.32.46:3073 to 10.30.32.40:1812 length 221 (8) User-Name = "bob" (8) NAS-Port = 0 (8) Called-Station-Id = "14-D6-4D-C7-DC-88:DLINK-SDESQE-EAP-2" (8) Calling-Station-Id = "00-AE-FA-9C-FF-FC" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) EAP-Message = 0x020b003b2b011703010030395790f43e1b9dcf131fb7f74983d279244d9ae2493d1ca9270a9ef434fcafc937b4fcf9cb3e0fc8390047a796569cf6 (8) State = 0xd951d3a9dd5af8abc01e99543ad15de0 (8) Message-Authenticator = 0x52eec993910273fb7aa3ece5018c83fe (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 11 length 59 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: users: Matched entry bob at line 87 (8) [files] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60 (8) eap: Finished EAP session with state 0xd951d3a9dd5af8ab (8) eap: Previous EAP request found for state 0xd951d3a9dd5af8ab, released from the list (8) eap: Peer sent packet with method EAP FAST (43) (8) eap: Calling submodule eap_fast to process data (8) eap_fast: Authenticate (8) eap_fast: Continuing EAP-TLS (8) eap_fast: [eaptls verify] = ok (8) eap_fast: Done initial handshake (8) eap_fast: [eaptls process] = ok (8) eap_fast: Session established. Proceeding to decode tunneled attributes (8) eap_fast: Got Tunneled FAST TLVs (8) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x020b000801626f62 (8) eap_fast: Processing received EAP Payload (8) eap_fast: Got tunneled request (8) eap_fast: EAP-Message = 0x020b000801626f62 (8) eap_fast: Got tunneled identity of bob (8) eap_fast: WARNING: AUTHENTICATION (8) eap_fast: WARNING: AUTHENTICATION (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020b000801626f62 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "bob" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 11 length 8 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Issuing Challenge (8) eap: Sending EAP Request (code 1) ID 12 length 43 (8) eap: EAP session adding &reply:State = 0xcd5f27e3cd533d7f (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x010c002b1a010c002610fba8fb3aac28c0bc78ca631f320436b6667265657261646975732d332e302e3132 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xcd5f27e3cd533d7f53bfae26bc7d5c8e (8) eap_fast: Got tunneled Access-Challenge (8) eap_fast: Challenge (8) eap: Sending EAP Request (code 1) ID 12 length 91 (8) eap: EAP session adding &reply:State = 0xd951d3a9dc5df8ab (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Sent Access-Challenge Id 120 from 10.30.32.40:1812 to 10.30.32.46:3073 length 0 (8) EAP-Message = 0x010c005b2b0117030100505c32d6e574493d1fae7ed03024b6391b56fd8373b43e14b9908313ec682d1b783b962518a2f3666e7f13f843f37e6f924435d3d074119b47d571473c95478d5cfcc443fea1145ff781a807b56b7ccbe1 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xd951d3a9dc5df8abc01e99543ad15de0 (8) Finished request Waking up in 4.2 seconds. (9) Received Access-Request Id 121 from 10.30.32.46:3073 to 10.30.32.40:1812 length 269 (9) User-Name = "bob" (9) NAS-Port = 0 (9) Called-Station-Id = "14-D6-4D-C7-DC-88:DLINK-SDESQE-EAP-2" (9) Calling-Station-Id = "00-AE-FA-9C-FF-FC" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) EAP-Message = 0x020c006b2b011703010060fe42e1f967e18b8037a3c0dc98b2488f66fa4c0f9eb383d19e0632cf01ec98325fbb3eeb5c6f503235e424c8ae20a288d039334e277fc5c34a28d2308b03a2f750b82b736652de1faaf697bdd5171a70727aebda1f253487ef0dd7d9c1d73505 (9) State = 0xd951d3a9dc5df8abc01e99543ad15de0 (9) Message-Authenticator = 0xf2df5a7c3c9352285f1942cc3e56db7b (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "bob", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 12 length 107 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) files: users: Matched entry bob at line 87 (9) [files] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60 (9) eap: Finished EAP session with state 0xd951d3a9dc5df8ab (9) eap: Previous EAP request found for state 0xd951d3a9dc5df8ab, released from the list (9) eap: Peer sent packet with method EAP FAST (43) (9) eap: Calling submodule eap_fast to process data (9) eap_fast: Authenticate (9) eap_fast: Continuing EAP-TLS (9) eap_fast: [eaptls verify] = ok (9) eap_fast: Done initial handshake (9) eap_fast: [eaptls process] = ok (9) eap_fast: Session established. Proceeding to decode tunneled attributes (9) eap_fast: Got Tunneled FAST TLVs (9) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62 (9) eap_fast: Processing received EAP Payload (9) eap_fast: Got tunneled request (9) eap_fast: EAP-Message = 0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62 (9) eap_fast: WARNING: AUTHENTICATION (9) eap_fast: WARNING: AUTHENTICATION (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "bob" (9) State = 0xcd5f27e3cd533d7f53bfae26bc7d5c8e (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "bob", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 12 length 62 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) files: users: Matched entry bob at line 87 (9) [files] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60 (9) eap: Finished EAP session with state 0xcd5f27e3cd533d7f (9) eap: Previous EAP request found for state 0xcd5f27e3cd533d7f, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2: authenticate { (9) mschap: Found Cleartext-Password, hashing to create NT-Password (9) mschap: Found Cleartext-Password, hashing to create LM-Password (9) mschap: Creating challenge hash with username: bob (9) mschap: Client is using MS-CHAPv2 (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # authenticate = reject (9) eap: Sending EAP Failure (code 4) ID 12 length 4 (9) eap: Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> bob (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) update outer.session-state { (9) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (9) } # update outer.session-state = noop (9) } # Post-Auth-Type REJECT = updated (9) } # server inner-tunnel (9) Virtual server sending reply (9) MS-CHAP-Error = "\014E=691 R=1 C=4a33d9cc35a85083c14a907490347b3c V=3 M=Authentication failed" (9) EAP-Message = 0x040c0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_fast: Got tunneled Access-Reject (9) eap_fast: Reject (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 12 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> bob (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 121 from 10.30.32.40:1812 to 10.30.32.46:3073 length 44 (9) EAP-Message = 0x040c0004 (9) Message-Authenticator = 0x00000000000000000000000000000000