Hi All I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an Azure environment authenticating to an Active Directory server using eap-peap-mschap. I also have a Freeradius version 3.0.12 currently running and have replicated all the settings across to the new build, however, I am unable to successfully authenticate and have noted the error "eap: No EAP-Message, not doing EAP" in the debug as follows particularly when moving from default to inner-tunnel: eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xa70318b8a2020d85 (6) eap: Finished EAP session with state 0xa70318b8a2020d85 (6) eap: Previous EAP request found for state 0xa70318b8a2020d85, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: Peer indicated complete TLS record size will be 69 bytes (6) eap_ttls: Got complete TLS record (69 bytes) (6) eap_ttls: [eaptls verify] = length included (6) eap_ttls: [eaptls process] = ok (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "omitted" (6) eap_ttls: User-Password = "omitted" (6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_ttls: Sending tunneled request (6) Virtual server inner-tunnel received request (6) User-Name = "omitted" (6) User-Password = "omitted" (6) FreeRADIUS-Proxied-To = 127.0.0.1 *(6) WARNING: Outer and inner identities are the same. User privacy is compromised.* (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [mschap] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) [eap] = noop (6) [expiration] = noop (6) [logintime] = noop (6) } # authorize = noop *(6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject* (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> omitted (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) eap_ttls: Got tunneled Access-Reject *(6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed* (6) eap: Sending EAP Failure (code 4) ID 1 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> omitted (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) [eap] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # Post-Auth-Type REJECT = updated (6) Delaying response for 1.000000 seconds I am a bit stumped as to where I might be going wrong as I have set the default_eap_type = peap in the /mods-enaabled/eap file as well as have the following enabled in the authorise and authentication in the sites-enabled/inner-tunnel file: authorize { filter_username update control { &Proxy-To-Realm := LOCAL } eap { ok = return } expiration logintime } authenticate { Auth-Type ntlm_auth { ntlm_auth } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # For old names, too. # mschap # Allow EAP authentication. eap
From the debug log I posted above, it seems that the eap message is not being passed through to the inner-tunnel.
As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success (0x0)" message. I have even rebuilt the server leaving many of the default settings, but am still getting the error. I hope I am not missing the obvious and would appreciate if someone could point me in the right direction. In addition, my other question is why do I get the "*WARNING: Outer and inner identities are the same. User privacy is compromised."* warning and how may I make it more secure? - Kind Regards - Byron Jeffery -