Re: EAP-FAST failure in v3.0.12
Hi,
I'm new to RADIUS servers and I'm trying to enable EAP-FAST. Is there a documentation I can use to enable it? I'm using version 3.0.12.
The documentation in the EAP module is all you need.
Anyway, this is what I've done.
That should work.
I don't know where to look at in the debug output but shown below is part of it.
(9) eap_fast: Got tunneled Access-Reject (9) eap_fast: Reject (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed
Well... look at the *earlier* messages to see what's wrong. If you're running it in a terminal, the error message will even be colourised to show importance.
I'm seeing another error, MS-CHAP2-Response is failing. And there are warnings also shown. Please help me solve this. Thanks. (8) eap_fast: WARNING: AUTHENTICATION (8) eap_fast: WARNING: AUTHENTICATION (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed Shown below in a snippet of the debug output. (8) Received Access-Request Id 120 from 10.30.32.46:3073 to 10.30.32.40:1812 length 221 (8) User-Name = "bob" (8) NAS-Port = 0 (8) Called-Station-Id = "14-D6-4D-C7-DC-88:DLINK-SDESQE-EAP-2" (8) Calling-Station-Id = "00-AE-FA-9C-FF-FC" (8) Framed-MTU = 1400 (8) NAS-Port-Type = Wireless-802.11 (8) Connect-Info = "CONNECT 11Mbps 802.11b" (8) EAP-Message = 0x020b003b2b011703010030395790f43e1b9dcf131fb7f74983d279244d9ae2493d1ca9270a9ef434fcafc937b4fcf9cb3e0fc8390047a796569cf6 (8) State = 0xd951d3a9dd5af8abc01e99543ad15de0 (8) Message-Authenticator = 0x52eec993910273fb7aa3ece5018c83fe (8) session-state: No cached attributes (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [preprocess] = ok (8) [chap] = noop (8) [mschap] = noop (8) [digest] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) eap: Peer sent EAP Response (code 2) ID 11 length 59 (8) eap: No EAP Start, assuming it's an on-going EAP conversation (8) [eap] = updated (8) files: users: Matched entry bob at line 87 (8) [files] = ok (8) [expiration] = noop (8) [logintime] = noop (8) pap: WARNING: Auth-Type already set. Not setting to PAP (8) [pap] = noop (8) } # authorize = updated (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) authenticate { (8) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60 (8) eap: Finished EAP session with state 0xd951d3a9dd5af8ab (8) eap: Previous EAP request found for state 0xd951d3a9dd5af8ab, released from the list (8) eap: Peer sent packet with method EAP FAST (43) (8) eap: Calling submodule eap_fast to process data (8) eap_fast: Authenticate (8) eap_fast: Continuing EAP-TLS (8) eap_fast: [eaptls verify] = ok (8) eap_fast: Done initial handshake (8) eap_fast: [eaptls process] = ok (8) eap_fast: Session established. Proceeding to decode tunneled attributes (8) eap_fast: Got Tunneled FAST TLVs (8) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x020b000801626f62 (8) eap_fast: Processing received EAP Payload (8) eap_fast: Got tunneled request (8) eap_fast: EAP-Message = 0x020b000801626f62 (8) eap_fast: Got tunneled identity of bob (8) eap_fast: WARNING: AUTHENTICATION (8) eap_fast: WARNING: AUTHENTICATION (8) Virtual server inner-tunnel received request (8) EAP-Message = 0x020b000801626f62 (8) FreeRADIUS-Proxied-To = 127.0.0.1 (8) User-Name = "bob" (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (8) server inner-tunnel { (8) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authorize { (8) policy filter_username { (8) if (&User-Name) { (8) if (&User-Name) -> TRUE (8) if (&User-Name) { (8) if (&User-Name =~ / /) { (8) if (&User-Name =~ / /) -> FALSE (8) if (&User-Name =~ /@[^@]*@/ ) { (8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (8) if (&User-Name =~ /\.\./ ) { (8) if (&User-Name =~ /\.\./ ) -> FALSE (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (8) if (&User-Name =~ /\.$/) { (8) if (&User-Name =~ /\.$/) -> FALSE (8) if (&User-Name =~ /@\./) { (8) if (&User-Name =~ /@\./) -> FALSE (8) } # if (&User-Name) = notfound (8) } # policy filter_username = notfound (8) [chap] = noop (8) [mschap] = noop (8) suffix: Checking for suffix after "@" (8) suffix: No '@' in User-Name = "bob", looking up realm NULL (8) suffix: No such realm "NULL" (8) [suffix] = noop (8) update control { (8) &Proxy-To-Realm := LOCAL (8) } # update control = noop (8) eap: Peer sent EAP Response (code 2) ID 11 length 8 (8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (8) [eap] = ok (8) } # authorize = ok (8) Found Auth-Type = eap (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (8) authenticate { (8) eap: Peer sent packet with method EAP Identity (1) (8) eap: Calling submodule eap_mschapv2 to process data (8) eap_mschapv2: Issuing Challenge (8) eap: Sending EAP Request (code 1) ID 12 length 43 (8) eap: EAP session adding &reply:State = 0xcd5f27e3cd533d7f (8) [eap] = handled (8) } # authenticate = handled (8) } # server inner-tunnel (8) Virtual server sending reply (8) EAP-Message = 0x010c002b1a010c002610fba8fb3aac28c0bc78ca631f320436b6667265657261646975732d332e302e3132 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xcd5f27e3cd533d7f53bfae26bc7d5c8e (8) eap_fast: Got tunneled Access-Challenge (8) eap_fast: Challenge (8) eap: Sending EAP Request (code 1) ID 12 length 91 (8) eap: EAP session adding &reply:State = 0xd951d3a9dc5df8ab (8) [eap] = handled (8) } # authenticate = handled (8) Using Post-Auth-Type Challenge (8) Post-Auth-Type sub-section not found. Ignoring. (8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (8) Sent Access-Challenge Id 120 from 10.30.32.40:1812 to 10.30.32.46:3073 length 0 (8) EAP-Message = 0x010c005b2b0117030100505c32d6e574493d1fae7ed03024b6391b56fd8373b43e14b9908313ec682d1b783b962518a2f3666e7f13f843f37e6f924435d3d074119b47d571473c95478d5cfcc443fea1145ff781a807b56b7ccbe1 (8) Message-Authenticator = 0x00000000000000000000000000000000 (8) State = 0xd951d3a9dc5df8abc01e99543ad15de0 (8) Finished request Waking up in 4.2 seconds. (9) Received Access-Request Id 121 from 10.30.32.46:3073 to 10.30.32.40:1812 length 269 (9) User-Name = "bob" (9) NAS-Port = 0 (9) Called-Station-Id = "14-D6-4D-C7-DC-88:DLINK-SDESQE-EAP-2" (9) Calling-Station-Id = "00-AE-FA-9C-FF-FC" (9) Framed-MTU = 1400 (9) NAS-Port-Type = Wireless-802.11 (9) Connect-Info = "CONNECT 11Mbps 802.11b" (9) EAP-Message = 0x020c006b2b011703010060fe42e1f967e18b8037a3c0dc98b2488f66fa4c0f9eb383d19e0632cf01ec98325fbb3eeb5c6f503235e424c8ae20a288d039334e277fc5c34a28d2308b03a2f750b82b736652de1faaf697bdd5171a70727aebda1f253487ef0dd7d9c1d73505 (9) State = 0xd951d3a9dc5df8abc01e99543ad15de0 (9) Message-Authenticator = 0xf2df5a7c3c9352285f1942cc3e56db7b (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [preprocess] = ok (9) [chap] = noop (9) [mschap] = noop (9) [digest] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "bob", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) eap: Peer sent EAP Response (code 2) ID 12 length 107 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) files: users: Matched entry bob at line 87 (9) [files] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) authenticate { (9) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60 (9) eap: Finished EAP session with state 0xd951d3a9dc5df8ab (9) eap: Previous EAP request found for state 0xd951d3a9dc5df8ab, released from the list (9) eap: Peer sent packet with method EAP FAST (43) (9) eap: Calling submodule eap_fast to process data (9) eap_fast: Authenticate (9) eap_fast: Continuing EAP-TLS (9) eap_fast: [eaptls verify] = ok (9) eap_fast: Done initial handshake (9) eap_fast: [eaptls process] = ok (9) eap_fast: Session established. Proceeding to decode tunneled attributes (9) eap_fast: Got Tunneled FAST TLVs (9) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62 (9) eap_fast: Processing received EAP Payload (9) eap_fast: Got tunneled request (9) eap_fast: EAP-Message = 0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62 (9) eap_fast: WARNING: AUTHENTICATION (9) eap_fast: WARNING: AUTHENTICATION (9) Virtual server inner-tunnel received request (9) EAP-Message = 0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62 (9) FreeRADIUS-Proxied-To = 127.0.0.1 (9) User-Name = "bob" (9) State = 0xcd5f27e3cd533d7f53bfae26bc7d5c8e (9) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) server inner-tunnel { (9) session-state: No cached attributes (9) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authorize { (9) policy filter_username { (9) if (&User-Name) { (9) if (&User-Name) -> TRUE (9) if (&User-Name) { (9) if (&User-Name =~ / /) { (9) if (&User-Name =~ / /) -> FALSE (9) if (&User-Name =~ /@[^@]*@/ ) { (9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (9) if (&User-Name =~ /\.\./ ) { (9) if (&User-Name =~ /\.\./ ) -> FALSE (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (9) if (&User-Name =~ /\.$/) { (9) if (&User-Name =~ /\.$/) -> FALSE (9) if (&User-Name =~ /@\./) { (9) if (&User-Name =~ /@\./) -> FALSE (9) } # if (&User-Name) = notfound (9) } # policy filter_username = notfound (9) [chap] = noop (9) [mschap] = noop (9) suffix: Checking for suffix after "@" (9) suffix: No '@' in User-Name = "bob", looking up realm NULL (9) suffix: No such realm "NULL" (9) [suffix] = noop (9) update control { (9) &Proxy-To-Realm := LOCAL (9) } # update control = noop (9) eap: Peer sent EAP Response (code 2) ID 12 length 62 (9) eap: No EAP Start, assuming it's an on-going EAP conversation (9) [eap] = updated (9) files: users: Matched entry bob at line 87 (9) [files] = ok (9) [expiration] = noop (9) [logintime] = noop (9) pap: WARNING: Auth-Type already set. Not setting to PAP (9) [pap] = noop (9) } # authorize = updated (9) Found Auth-Type = eap (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) authenticate { (9) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60 (9) eap: Finished EAP session with state 0xcd5f27e3cd533d7f (9) eap: Previous EAP request found for state 0xcd5f27e3cd533d7f, released from the list (9) eap: Peer sent packet with method EAP MSCHAPv2 (26) (9) eap: Calling submodule eap_mschapv2 to process data (9) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) eap_mschapv2: authenticate { (9) mschap: Found Cleartext-Password, hashing to create NT-Password (9) mschap: Found Cleartext-Password, hashing to create LM-Password (9) mschap: Creating challenge hash with username: bob (9) mschap: Client is using MS-CHAPv2 (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) [mschap] = reject (9) } # authenticate = reject (9) eap: Sending EAP Failure (code 4) ID 12 length 4 (9) eap: Freeing handler (9) [eap] = reject (9) } # authenticate = reject (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> bob (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) update outer.session-state { (9) &Module-Failure-Message := &request:Module-Failure-Message -> 'mschap: MS-CHAP2-Response is incorrect' (9) } # update outer.session-state = noop (9) } # Post-Auth-Type REJECT = updated (9) } # server inner-tunnel (9) Virtual server sending reply (9) MS-CHAP-Error = "\014E=691 R=1 C=4a33d9cc35a85083c14a907490347b3c V=3 M=Authentication failed" (9) EAP-Message = 0x040c0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) eap_fast: Got tunneled Access-Reject (9) eap_fast: Reject (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed (9) eap: Sending EAP Failure (code 4) ID 12 length 4 (9) eap: Failed in EAP select (9) [eap] = invalid (9) } # authenticate = invalid (9) Failed to authenticate the user (9) Using Post-Auth-Type Reject (9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default (9) Post-Auth-Type REJECT { (9) attr_filter.access_reject: EXPAND %{User-Name} (9) attr_filter.access_reject: --> bob (9) attr_filter.access_reject: Matched entry DEFAULT at line 11 (9) [attr_filter.access_reject] = updated (9) [eap] = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # Post-Auth-Type REJECT = updated (9) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (9) Sending delayed response (9) Sent Access-Reject Id 121 from 10.30.32.40:1812 to 10.30.32.46:3073 length 44 (9) EAP-Message = 0x040c0004 (9) Message-Authenticator = 0x00000000000000000000000000000000
On Oct 5, 2016, at 10:38 AM, STE SQE <mnlstesqe@gmail.com> wrote:
I'm seeing another error, MS-CHAP2-Response is failing. And there are warnings also shown. Please help me solve this. Thanks.
(8) eap_fast: WARNING: AUTHENTICATION (8) eap_fast: WARNING: AUTHENTICATION (8) WARNING: Outer and inner identities are the same. User privacy is compromised. (9) mschap: ERROR: MS-CHAP2-Response is incorrect (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module failed
That means that the "known good" password is not the same as the password entered by the user. Go fix that. Be sure that the user enters the correct password, and that it's the same as what's on the server.
(9) files: users: Matched entry bob at line 87 (9) [files] = ok
The password for "bob" is on that line. It's not the same as what the user entered. Alan DeKok.
participants (2)
-
Alan DeKok -
STE SQE