Let me add an updated Debug output to be thorough: (0) Received Access-Request Id 176 from 172.30.0.9:1025 to 172.16.1.57:1812 length 151 (0) Framed-MTU = 1344 (0) EAP-Message = 0x020100160131302d37622d34342d63312d38362d6530 (0) User-Name = "10-7b-44-c1-86-e0" (0) NAS-Port-Type = Ethernet (0) NAS-Port = 1 (0) NAS-Port-Id = "Port 1" (0) Calling-Station-Id = "10-7b-44-c1-86-e0" (0) Called-Station-Id = "9a-86-02-02-5e-01" (0) NAS-IP-Address = 172.30.0.9 (0) Message-Authenticator = 0xddf33385960dd6418170c55eeeb7333f (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) policy rewrite_stripped_username { (0) if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (0) if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (0) update request { (0) EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} (0) --> 107b44c186e0 (0) &Stripped-User-Name := 107b44c186e0 (0) EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} (0) --> 107b44c186e0 (0) &User-Password := 107b44c186e0 (0) } # update request = noop (0) [updated] = updated (0) } # if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (0) ... skipping else: Preceding "if" was taken (0) } # policy rewrite_stripped_username = updated (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = updated (0) } # policy filter_username = updated (0) [preprocess] = ok (0) update request { (0) EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (0) --> 107b44c186e0 (0) SQL-User-Name set to '107b44c186e0' rlm_sql (sql): Reserved connection (1) (0) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='172.30.0.9' rlm_sql (sql): Released connection (1) Need 4 more connections to reach 10 spares rlm_sql (sql): Opening additional connection (6), 1 of 26 pending slots used rlm_sql_mysql: Starting connect to MySQL server rlm_sql_mysql: Connected to database 'radiusdb' on db4.sailx.co via TCP/IP, server version 5.5.56-MariaDB-wsrep, protocol version 10 (0) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} (0) --> mdu_tower1 (0) Huntgroup-Name := mdu_tower1 (0) } # update request = noop (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: No '@' in User-Name = "107b44c186e0", looking up realm NULL (0) suffix: No such realm "NULL" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 1 length 22 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_md5 to process data (0) eap_md5: Issuing MD5 Challenge (0) eap: Sending EAP Request (code 1) ID 2 length 22 (0) eap: EAP session adding &reply:State = 0x3657989736559c60 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) Sent Access-Challenge Id 176 from 172.16.1.57:1812 to 172.30.0.9:1025 length 0 (0) EAP-Message = 0x010200160410fd177e65f2ea8bf1834a748b2123db76 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x3657989736559c60ff03715f4f66cda8 (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 177 from 172.30.0.9:1025 to 172.16.1.57:1812 length 186 (1) Framed-MTU = 1344 (1) EAP-Message = 0x0202002704100e6271f3258c713ac55764eaa2d52ab231302d37622d34342d63312d38362d6530 (1) State = 0x3657989736559c60ff03715f4f66cda8 (1) User-Name = "10-7b-44-c1-86-e0" (1) NAS-Port-Type = Ethernet (1) NAS-Port = 1 (1) NAS-Port-Id = "Port 1" (1) Calling-Station-Id = "10-7b-44-c1-86-e0" (1) Called-Station-Id = "9a-86-02-02-5e-01" (1) NAS-IP-Address = 172.30.0.9 (1) Message-Authenticator = 0x737a5f0beb4ab57731f2e2a10d510ea8 (1) session-state: No cached attributes (1) # Executing section authorize from file /etc/raddb/sites-enabled/default (1) authorize { (1) policy rewrite_stripped_username { (1) if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE (1) if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) { (1) update request { (1) EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} (1) --> 107b44c186e0 (1) &Stripped-User-Name := 107b44c186e0 (1) EXPAND %{tolower:%{1}%{2}%{3}%{4}%{5}%{6}} (1) --> 107b44c186e0 (1) &User-Password := 107b44c186e0 (1) } # update request = noop (1) [updated] = updated (1) } # if (&User-Name && (&User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated (1) ... skipping else: Preceding "if" was taken (1) } # policy rewrite_stripped_username = updated (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = updated (1) } # policy filter_username = updated (1) [preprocess] = ok (1) update request { (1) EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (1) --> 107b44c186e0 (1) SQL-User-Name set to '107b44c186e0' rlm_sql (sql): Reserved connection (2) (1) Executing select query: SELECT groupname FROM radhuntgroup WHERE nasipaddress='172.30.0.9' rlm_sql (sql): Released connection (2) (1) EXPAND %{sql:SELECT groupname FROM radhuntgroup WHERE nasipaddress='%{NAS-IP-Address}'} (1) --> mdu_tower1 (1) Huntgroup-Name := mdu_tower1 (1) } # update request = noop (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: No '@' in User-Name = "107b44c186e0", looking up realm NULL (1) suffix: No such realm "NULL" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 2 length 39 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (1) sql: --> 107b44c186e0 (1) sql: SQL-User-Name set to '107b44c186e0' rlm_sql (sql): Reserved connection (3) (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '107b44c186e0' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '107b44c186e0' ORDER BY id (1) sql: User found in radcheck table (1) sql: Conditional check items matched, merging assignment check items (1) sql: Cleartext-Password := "107b44c186e0" (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (1) sql: --> SELECT id, username, attribute, value, op FROM radreply WHERE username = '107b44c186e0' ORDER BY id (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radreply WHERE username = '107b44c186e0' ORDER BY id (1) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (1) sql: --> SELECT groupname FROM radusergroup WHERE username = '107b44c186e0' ORDER BY priority (1) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '107b44c186e0' ORDER BY priority (1) sql: User found in the group table (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_snjs_133_current' ORDER BY id (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower2_current' ORDER BY id (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower3_current' ORDER BY id (1) sql: EXPAND SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, Value, op FROM radgroupcheck WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Group "saili_mdu_tower1_current": Conditional check items matched (1) sql: Group "saili_mdu_tower1_current": Merging assignment check items (1) sql: EXPAND SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = '%{SQL-Group}' ORDER BY id (1) sql: --> SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Executing select query: SELECT id, groupname, attribute, value, op FROM radgroupreply WHERE groupname = 'saili_mdu_tower1_current' ORDER BY id (1) sql: Group "saili_mdu_tower1_current": Merging reply items (1) sql: Tunnel-Type := VLAN (1) sql: Tunnel-Medium-Type := IEEE-802 (1) sql: Tunnel-Private-Group-Id := "90" rlm_sql (sql): Released connection (3) (1) [sql] = ok (1) [expiration] = noop (1) [logintime] = noop (1) pap: WARNING: Auth-Type already set. Not setting to PAP (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/raddb/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0x3657989736559c60 (1) eap: Finished EAP session with state 0x3657989736559c60 (1) eap: Previous EAP request found for state 0x3657989736559c60, released from the list (1) eap: Peer sent packet with method EAP MD5 (4) (1) eap: Calling submodule eap_md5 to process data (1) eap: Sending EAP Failure (code 4) ID 2 length 4 (1) eap: Freeing handler (1) [eap] = reject (1) } # authenticate = reject (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/raddb/sites-enabled/default (1) Post-Auth-Type REJECT { (1) sql: EXPAND .query (1) sql: --> .query (1) sql: Using query template 'query' rlm_sql (sql): Reserved connection (4) (1) sql: EXPAND %{%{Stripped-User-Name}:-%{%{User-Name}:-DEFAULT}} (1) sql: --> 107b44c186e0 (1) sql: SQL-User-Name set to '107b44c186e0' (1) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, misc, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%{%{Module-Failure-Message}:-%{reply:Reply-Message}}', '%S') (1) sql: --> INSERT INTO radpostauth (username, pass, reply, misc, authdate) VALUES ( '107b44c186e0', '107b44c186e0', 'Access-Reject', '', '2018-05-11 16:01:35.337981') (1) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, misc, authdate) VALUES ( '107b44c186e0', '107b44c186e0', 'Access-Reject', '', '2018-05-11 16:01:35.337981') (1) sql: SQL query returned: success (1) sql: 1 record(s) updated rlm_sql (sql): Released connection (4) (1) [sql] = ok (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> 10-7b-44-c1-86-e0 (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.2 seconds. Waking up in 0.7 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 177 from 172.16.1.57:1812 to 172.30.0.9:1025 length 44 (1) EAP-Message = 0x04020004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.8 seconds. Jeremy On Fri, May 11, 2018 at 9:00 AM, Jeremy Lundquist <pmudan01@gmail.com> wrote:
Thxs Alan B and Alan D for the follow ups. So the password is the issue as not only does this NAS vendor not put the MAC in the correct format but they are also currently not sending a password :) In an attempt to get around this for this vendor I'm trying to manually set the User-Password then. I'll be modifying the coding to make it based on the specific vendors Called-Station-Id, but for now I'm just statically setting it for testing purposes at the same time as I'm setting the Stripped-User-Name. Ie, see here (reusing some of what's already in policy.d/canonicalization):
rewrite_stripped_username { if (&User-Name && (&User-Name =~ /^${policy.mac-addr-regexp}$/i)) { update request { &Stripped-User-Name := "%{tolower:%{1}%{2}%{3}%{4}%{5}%{6}}" &User-Password := "%{tolower:%{1}%{2}%{3}%{4}%{ 5}%{6}}" } updated } else { noop } }
So this should leave username as the original, but change the Stripped-User-Name and set User-Password (I can see/verify this in the debug as see these values entered into the DB radauthpost table). I've also configure the SQL queries to use Stripped-User-Name. And I've included this into my authorization section of site-enables/default, but I'm still getting the EAP failure as shown in the previous debug: Should I be adding it elsewhere also or am I missing something still?
Thxs Jeremy
On Fri, May 11, 2018 at 5:23 AM, Alan DeKok <aland@deployingradius.com> wrote:
On May 10, 2018, at 5:23 PM, Jeremy Lundquist <pmudan01@gmail.com> wrote:
Currently using freeradius 3.0.13, have it installed and configured (using mysql DB as the backend) and working fine. We are using MAC Based Authentication for authenticating/authorizing our end users equipment and till now working great. We went out the door using a MAC format of aabbccddeeff for username/password as our initial equipment passes it over this way, but we have some new equipment going into the network that sends the MAC as the username in the format aa-bb-cc-dd-ee-ff.
There is a specification (mostly) for MAC address formats in RADIUS. Sadly, many NAS vendors ignore that, like they ignore much else in the specs.
So I'm trying to figure out how we can continue to use the username in the format aabbccddeeff (in the radcheck DB table) but accept the new format (with dashes) in the Access-Request and then modify the User-Name (or Stripped-User-Name) to use the non-dash format during the authentication/authorization process.
Don't modify the User-Name for EAP.
I've seen in various posts that I should not modify the User-Name attribute, so I'm currently trying to use the Stripped-User-Name. I've defined a way to strip the dashes (-) from the User-Name and assign it to the Stripped-User-Name and can see this being used.
raddb/policy.d/canonicalization contains ways of doing this.
But the issue I'm running into is during the authentication process I hit a part that shows EAP failing. I've been trying to understand why it's failing and how to work around it, but no luck and thus the reason for my question to the list. Any help or guidance would be greatly appreciated.
See below the debug output (radiusd -X) for my radius setup.
Hmm... better debug messages would help there.
But in the end what's happening is that the EAP-MD5 calculations don't match. So the user entered the wrong password.
You can test this by trying PAP authentication.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html