Thank you for that. Your right. I did not compile this freeradius server, so im working with something that has been modded heavily. But i did get in there, and add eap to authorize. that got it going. i loaded in eap.conf with the right mods too (changed md5 to tls). After reviewing the debug output, i think the router was sending the password inside "EAP-Message" or somehow mschapv2 is coming in as EAP-message? OR mikrotik is trying to pull a client cert from radius. im not sure.... this is after putting eap in authorize, and modding the eap.conf to point to the certs and md5>tls my desired goal is to get user/pass to work through EAP, with no client certs. im not sure it is possible, but each reply i get from you, and then research more, gets me a few steps closer. i also wrote mikrotik to see if their setup is passing the password through EAP message, or their ignoring it, and the EAP-radius is designed for cert only, no passwords. but maybe you can tell when looking at the cert error below. Found Auth-Type = EAP !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Replacing User-Password in config items with Cleartext-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 1. Executing group from file /etc/freeradius/sites-enabled/server01.rad +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS TLS Length 141 [tls] Length Included [tls] eaptls_verify returned 11 [tls] <<< TLS 1.0 Handshake [length 0007], Certificate [tls] >>> TLS 1.0 Alert [length 0002], fatal handshake_failure TLS Alert write:fatal:handshake failure TLS_accept: error in SSLv3 read client certificate B rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate SSL: SSL_read failed in a system call (-1), TLS session fails. TLS receive handshake failed during operation [tls] eaptls_process returned 4 [eap] Handler failed in EAP/tls [eap] Failed in EAP select ++[eap] returns invalid Failed to authenticate the user. Login incorrect (TLS Alert write:fatal:handshake failure): [maxx09/<via Auth-Type = EAP>] (from client wificpa port 0 cli 44.55.66.77) On Sun, Mar 22, 2020 at 12:55 PM Alan DeKok <aland@deployingradius.com> wrote:
On Mar 22, 2020, at 1:07 PM, Sam T <givemesam@gmail.com> wrote:
What you are trying to do: Get radius to work with mikrotik ikev2 authorization / client has self signed CA cert, Server has signed server
+
CA cert
- why you are trying to do it: to add ikev2 radius auth while also supporting wifi authorization (which is working great) - what you expect the server to do: to accept user pass from mikrotik, and provide authorization reply w/ radreply attributes - what the server does instead (i.e. debug output). see output
(my previous submission ran freeradius -X on top of a running server, this time i followed the instructions, here is 1 clean process of the ikev2 request)
rad_recv: Access-Request packet from host 45.63.66.220 port 40641, id=66, length=143 User-Name = "maxx09" Called-Station-Id = "444.555.666.777" Calling-Station-Id = "222.333.444.555" NAS-Port-Id = "\000\000\000\r" NAS-Port-Type = Virtual Service-Type = Framed-User Event-Timestamp = "Mar 22 2020 16:54:39 UTC" Framed-MTU = 1400 EAP-Message = 0x0200000b016d6178783039
It's EAP, which means that there is likely no User-Password *ever* in the request.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!! !!! clear text password is in Cleartext-Password, and not in User-Password. !!!
Please follow that advice. The "known good" password should be in Cleartext-Password. Putting it into User-Password has been deprecated for 15+ years.
Cannot perform authentication. Failed to authenticate the user.
Because the user is doing EAP, and you deleted the "eap" module from the "authorize" section.
The default configuration works. Start with that, and make small changes, in order to get what you want.
If you delete massive amounts of things from the default configuration, you are very likely to break something. As has been done here.
The EAP module does EAP authentication. You MUST configure the EAP module in order for this to work.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html