rad_recv: Access-Request packet from host X.X.X.X port 60228, id=0, length=143 User-Name = "bob@rgorrell.net" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x4f289c2272a467016443cfb6451893d6 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] Looking up realm "rgorrell.net" for User-Name = "bob@rgorrell.net" [suffix] Found realm "rgorrell.net" [suffix] Adding Stripped-User-Name = "bob" [suffix] Adding Realm = "rgorrell.net" [suffix] Proxying request from user bob to realm rgorrell.net [suffix] Preparing to proxy authentication request to realm "rgorrell.net" ++[suffix] = updated [eap] Request is supposed to be proxied to Realm rgorrell.net. Not doing EAP. ++[eap] = noop ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: Empty pre-proxy section. Using default return values. Sending Access-Request of id 162 to 127.0.0.1 port 1812 User-Name = "bob" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Proxying request 0 to home server 127.0.0.1 port 1812 Sending Access-Request of id 162 to 127.0.0.1 port 1812 User-Name = "bob" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x00000000000000000000000000000000 Proxy-State = 0x30 Going to the next request Waking up in 0.9 seconds. rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=162, length=133 User-Name = "bob" NAS-IP-Address = 127.0.0.1 Calling-Station-Id = "70-6F-6C-69-73-68" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Connect-Info = "rad_eap_test + eapol_test" EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574 Message-Authenticator = 0x07dbdd4ec778378a16cdaa6a93788d62 Proxy-State = 0x30 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++[chap] = noop ++[mschap] = noop ++[digest] = noop [suffix] No '@' in User-Name = "bob", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 0 length 21 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] = noop +} # group authorize = updated Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Identity (bob@rgorrell.net) does not match User-Name (bob). Authentication failed. [eap] Failed in handler ++[eap] = invalid +} # group authenticate = invalid Failed to authenticate the user. Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 0 cli 70-6F-6C-69-73-68) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> bob attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Delaying reject of request 1 for 1 seconds Going to the next request Waking up in 0.9 seconds. Sending delayed reject for request 1 Sending Access-Reject of id 162 to 127.0.0.1 port 1814 Proxy-State = 0x30 Waking up in 4.9 seconds. rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=162, length=23 Proxy-State = 0x30 # Executing section post-proxy from file /etc/raddb/sites-enabled/default +group post-proxy { [eap] No pre-existing handler found ++[eap] = noop +} # group post-proxy = noop Login incorrect (Home Server says so): [bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 0 cli 70-6F-6C-69-73-68) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/default +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> bob@rgorrell.net attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated Sending Access-Reject of id 0 to X.X.X.X port 60228 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 1 ID 162 with timestamp +9 Cleaning up request 0 ID 0 with timestamp +9 Ready to process requests. On Sun, Mar 13, 2016 at 4:32 PM, Stefan Paetow <Stefan.Paetow@jisc.ac.uk> wrote:
Rob,
Can you show us the full debug log of the home server (I'm assuming you are running that in debug mode)?
Thanks!
Stefan Paetow Moonshot Industry & Research Liaison Coordinator
t: +44 (0)1235 822 125 gpg: 0x3FCE5142 xmpp: stefanp@jabber.dev.ja.net skype: stefan.paetow.janet
jisc.ac.uk
Networkshop44, University of Manchester. Save the date: 22-24 March, 2016. #NWS44
Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc¹s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under Company No. number 2881024, VAT No. GB 197 0632 86. The registered office is: Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T 01235 822200.
On 13/03/2016 19:38, "Freeradius-Users on behalf of Rob Gorrell" <freeradius-users-bounces+stefan.paetow=jisc.ac.uk@lists.freeradius.org on behalf of rwgorrel@uncg.edu> wrote:
I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on top of CentOS6. For simplicity, I would like to use PAP and statically define Cleartext-Password for users in the users file. But I also would like to be able to authenticate using full realm since I plan on using realm for testing some routing. I currently have this working for basic radius by stripping the realm and then using Cleartext-Password from the users file ... however, when I went to put the same setup through EAP TTLS, I'm now having problems and getting a no User-Password attribute dispite supplying one the same one from radtest but using rad_eap_test.
Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 58 cli fcdbb33f581d) Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so): [ bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58 cli fcdbb33f581d)
While researching, I came across a theory that sounds fitting to my situation... upon receiving a username qualified by a realm, FreeRadius will strip the realm off before matching the username. This results in the User-Name being modified to be different to the EAP Identity field before being sent for actual authenticating. This results in FreeRadius issueing a rejection due to the mismatch between the two fields.
Does that sound right? If so, I'm not sure what I can do about it... I can't nostrip the username as then I won't be able to authenticate via PAP. but I can't login identically matching my users file (ie no realm), because I need the realm for routing.
Suggestions? Thanks, -Rob - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- Robert W. Gorrell Systems Architect, Identity and Access Management University of NC at Greensboro 336-334-5954 PGP Key ID B36DB0CA