Re: Freeradius-Users Digest, Vol 214, Issue 31 Re: pam_radius with only otp (Jorge Pereira)
On Tue, Feb 28, 2023, 3:45 AM <freeradius-users-request@lists.freeradius.org> wrote:
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit https://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: pam_radius with only otp (Jorge Pereira) 2. Re: How to check the Extended Key Usage in freeradius? (Alan DeKok) 3. EAP-TLS default config (clement.legoffic@kelio.com)
----------------------------------------------------------------------
Message: 1 Date: Mon, 27 Feb 2023 14:36:08 -0300 From: Jorge Pereira <jpereira@freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: pam_radius with only otp Message-ID: <216B4E15-D452-448B-B9A5-163889996A25@freeradius.org> Content-Type: text/plain; charset=us-ascii
The pam_radius just forward to the FreeRADIUS. In that case, you should do that trick there.
Thank you for the reply. I do not understand what is mean, can you please elaborate? I am using a 3rd party radius server. O ce again, the password + otp works fine but username + otp does not. Thanks
On 23 Feb 2023, at 19:31, Joe Jones <09cicada@gmail.com> wrote:
Hi all,
Is it possible to use the pam_radius .so module with only a otp? It works fine with a password+otp but I cannot get it working with only otp.
Thanks - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jorge Pereira jpereira@networkradius.com
------------------------------
Message: 2 Date: Mon, 27 Feb 2023 13:34:02 -0500 From: Alan DeKok <aland@deployingradius.com> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: How to check the Extended Key Usage in freeradius? Message-ID: <9ED0EA34-872E-4445-88E0-BC3A4AE4F241@deployingradius.com> Content-Type: text/plain; charset=us-ascii
On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer@cpa.de> wrote:
It seems that this doesn't work for me.
Read the debug log. If there's an extended key usage OID, it will show up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
If there's no extended key usage OID, them it won't show up.
In the session-state is only TLS-Session-Information, TLS-Session-Cipher-Suite, TLS-Session-Version. But it seems I can work directly with TLS-Client-Cert-Issuer and TLS-Client-Cert-Subject-Alt-Name-Dns, but not with TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
Does it exist?
Does it show up in the debug log?
The debug log shows every TLS related attribute it creates.
Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID - in the session-state
Does it exist?
(see below ' (11) policy debug_session_state {') Or - like TLS-Client-Cert-Issuer to use it directly
Does TLS-Client-Cert-Issuer exist?
... freeradius | (10) eap_tls: (TLS) Creating attributes from server certificate freeradius | (10) eap_tls: TLS-Cert-Serial := "1400000002219c173715ec84d9000000000002" freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z" freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z" freeradius | (10) eap_tls: TLS-Cert-Subject := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Cert-Issuer := "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA" freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA" freeradius | (10) eap_tls: (TLS) Creating attributes from client certificate freeradius | (10) eap_tls: TLS-Client-Cert-Serial := "16000028666eef874492e150cd000000002866" freeradius | (10) eap_tls: TLS-Client-Cert-Expiration := "240209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since := "230209105026Z" freeradius | (10) eap_tls: TLS-Client-Cert-Issuer := "/DC=org/DC=example/CN=XY Sub CA" freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := " host1.XY.example.org" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage += "TLS Web Client Authentication, 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Subject-Key-Identifier += "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Authority-Key-Identifier += "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2" freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
OK, that's good. For the initial creation, those attributes are in the request. For subsequent packets, they should be in the session-state list.
... freeradius | (11) Restoring &session-state freeradius | (11) &session-state:Framed-MTU = 1014 freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, CertificateRequest" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Certificate" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, ClientKeyExchange" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, CertificateVerify" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 ChangeCipherSpec" freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Finished" freeradius | (11) &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
Hmm... you can always copy the attributes to the session-state list, where they will automatically be stored and restored.
I'll have to check what's going on behind the scenes. It's been a while since I used v3 like this.
Alan DeKok.
------------------------------
Message: 3 Date: Tue, 28 Feb 2023 10:44:38 +0000 From: "clement.legoffic@kelio.com" <clement.legoffic@kelio.com> To: "freeradius-users@lists.freeradius.org" <freeradius-users@lists.freeradius.org> Subject: EAP-TLS default config Message-ID: <0c68af239c1c4ccea93f58f34928defd@kelio.com> Content-Type: text/plain; charset="iso-8859-1"
Hello,
I started to learn network authentication and I want to setup a litle poc with Freeradius and EAP-TLS. I have previously tested my working configuration with the bob user as in the freeradius docker example.
I use freeradius docker image https://hub.docker.com/r/freeradius/freeradius-server/ in a container. The configs files have been extracted to be configured in my host system and mounted at container's start.
I have follow this tutorial for the radiusd.conf file : https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-Se...
As I use the container's default keys, the user file is just a line :
user@example.org Auth-Type := EAP, EAP-Type := EAP-TLS
On my android phone, I connect to a dlink wifi access point (DWL-2100AP) configured for 802.1X. The ca.pem has been installed on my phone in order to use it for EAP-TLS when I select it. The username I use on the phone side is "user@example.org", the domain is "example.org".
When I click on connect on my phone, I get an access reject as shown in the debug output below. I wanted to know if I am doing wrong somewhere and possibly where ?
(Freeradius Version 3.2.0)
(0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812 length 212 (0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb (0) Service-Type = Framed-User (0) User-Name = "user@example.org" (0) Framed-MTU = 1488 (0) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (0) Calling-Station-Id = "22-85-59-7C-27-7A" (0) NAS-Identifier = "D-Link Access Point" (0) NAS-Port-Type = Wireless-802.11 (0) Connect-Info = "CONNECT 54Mbps 802.11g" (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (0) NAS-IP-Address = 10.17.30.60 (0) NAS-Port = 1 (0) NAS-Port-Id = "STA port # 1" (0) # Executing section authorize from file /etc/freeradius/sites-enabled/default (0) authorize { (0) policy filter_username { (0) if (&User-Name) { (0) if (&User-Name) -> TRUE (0) if (&User-Name) { (0) if (&User-Name =~ / /) { (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@[^@]*@/ ) { (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (0) if (&User-Name =~ /\.\./ ) { (0) if (&User-Name =~ /\.\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\.$/) { (0) if (&User-Name =~ /\.$/) -> FALSE (0) if (&User-Name =~ /@\./) { (0) if (&User-Name =~ /@\./) -> FALSE (0) } # if (&User-Name) = notfound (0) } # policy filter_username = notfound (0) [preprocess] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix: Checking for suffix after "@" (0) suffix: Looking up realm "example.org" for User-Name = " user@example.org" (0) suffix: No such realm "example.org" (0) [suffix] = noop (0) eap: Peer sent EAP Response (code 2) ID 0 length 21 (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = eap (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) authenticate { (0) eap: Peer sent packet with method EAP Identity (1) (0) eap: Calling submodule eap_tls to process data (0) eap_tls: (TLS) Initiating new session (0) eap_tls: (TLS) Setting verify mode to require certificate from client (0) eap: Sending EAP Request (code 1) ID 1 length 6 (0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700 (0) [eap] = handled (0) } # authenticate = handled (0) Using Post-Auth-Type Challenge (0) # Executing group from file /etc/freeradius/sites-enabled/default (0) Challenge { ... } # empty sub-section is ignored (0) session-state: Saving cached attributes (0) Framed-MTU = 994 (0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061 length 64 (0) EAP-Message = 0x010100060d20 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0xbced3a8cbcec37005a032dcfba50bf3a (0) Finished request Waking up in 4.9 seconds. (1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812 length 215 (1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5 (1) Service-Type = Framed-User (1) User-Name = "user@example.org" (1) Framed-MTU = 1488 (1) State = 0xbced3a8cbcec37005a032dcfba50bf3a (1) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (1) Calling-Station-Id = "22-85-59-7C-27-7A" (1) NAS-Identifier = "D-Link Access Point" (1) NAS-Port-Type = Wireless-802.11 (1) Connect-Info = "CONNECT 54Mbps 802.11g" (1) EAP-Message = 0x020100060300 (1) NAS-IP-Address = 10.17.30.60 (1) NAS-Port = 1 (1) NAS-Port-Id = "STA port # 1" (1) Restoring &session-state (1) &session-state:Framed-MTU = 994 (1) # Executing section authorize from file /etc/freeradius/sites-enabled/default (1) authorize { (1) policy filter_username { (1) if (&User-Name) { (1) if (&User-Name) -> TRUE (1) if (&User-Name) { (1) if (&User-Name =~ / /) { (1) if (&User-Name =~ / /) -> FALSE (1) if (&User-Name =~ /@[^@]*@/ ) { (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (1) if (&User-Name =~ /\.\./ ) { (1) if (&User-Name =~ /\.\./ ) -> FALSE (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (1) if (&User-Name =~ /\.$/) { (1) if (&User-Name =~ /\.$/) -> FALSE (1) if (&User-Name =~ /@\./) { (1) if (&User-Name =~ /@\./) -> FALSE (1) } # if (&User-Name) = notfound (1) } # policy filter_username = notfound (1) [preprocess] = ok (1) [chap] = noop (1) [mschap] = noop (1) [digest] = noop (1) suffix: Checking for suffix after "@" (1) suffix: Looking up realm "example.org" for User-Name = " user@example.org" (1) suffix: No such realm "example.org" (1) [suffix] = noop (1) eap: Peer sent EAP Response (code 2) ID 1 length 6 (1) eap: No EAP Start, assuming it's an on-going EAP conversation (1) [eap] = updated (1) files: users: Matched entry user@example.org at line 2 (1) [files] = ok (1) [expiration] = noop (1) [logintime] = noop Not doing PAP as Auth-Type is already set. (1) [pap] = noop (1) } # authorize = updated (1) Found Auth-Type = eap (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) authenticate { (1) eap: Expiring EAP session with state 0xbced3a8cbcec3700 (1) eap: Finished EAP session with state 0xbced3a8cbcec3700 (1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released from the list (1) eap: Peer sent packet with method EAP NAK (3) (1) eap: Peer NAK'd indicating it is not willing to continue (1) eap: Sending EAP Failure (code 4) ID 1 length 4 (1) eap: Failed in EAP select (1) [eap] = invalid (1) } # authenticate = invalid (1) Failed to authenticate the user (1) Using Post-Auth-Type Reject (1) # Executing group from file /etc/freeradius/sites-enabled/default (1) Post-Auth-Type REJECT { (1) attr_filter.access_reject: EXPAND %{User-Name} (1) attr_filter.access_reject: --> user@example.org (1) attr_filter.access_reject: Matched entry DEFAULT at line 11 (1) [attr_filter.access_reject] = updated (1) [eap] = noop (1) policy remove_reply_message_if_eap { (1) if (&reply:EAP-Message && &reply:Reply-Message) { (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (1) else { (1) [noop] = noop (1) } # else = noop (1) } # policy remove_reply_message_if_eap = noop (1) } # Post-Auth-Type REJECT = updated (1) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (1) Sending delayed response (1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061 length 44 (1) EAP-Message = 0x04010004 (1) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812 length 212 (2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04 (2) Service-Type = Framed-User (2) User-Name = "user@example.org" (2) Framed-MTU = 1488 (2) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (2) Calling-Station-Id = "22-85-59-7C-27-7A" (2) NAS-Identifier = "D-Link Access Point" (2) NAS-Port-Type = Wireless-802.11 (2) Connect-Info = "CONNECT 54Mbps 802.11g" (2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (2) NAS-IP-Address = 10.17.30.60 (2) NAS-Port = 1 (2) NAS-Port-Id = "STA port # 1" (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default (2) authorize { (2) policy filter_username { (2) if (&User-Name) { (2) if (&User-Name) -> TRUE (2) if (&User-Name) { (2) if (&User-Name =~ / /) { (2) if (&User-Name =~ / /) -> FALSE (2) if (&User-Name =~ /@[^@]*@/ ) { (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (2) if (&User-Name =~ /\.\./ ) { (2) if (&User-Name =~ /\.\./ ) -> FALSE (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (2) if (&User-Name =~ /\.$/) { (2) if (&User-Name =~ /\.$/) -> FALSE (2) if (&User-Name =~ /@\./) { (2) if (&User-Name =~ /@\./) -> FALSE (2) } # if (&User-Name) = notfound (2) } # policy filter_username = notfound (2) [preprocess] = ok (2) [chap] = noop (2) [mschap] = noop (2) [digest] = noop (2) suffix: Checking for suffix after "@" (2) suffix: Looking up realm "example.org" for User-Name = " user@example.org" (2) suffix: No such realm "example.org" (2) [suffix] = noop (2) eap: Peer sent EAP Response (code 2) ID 0 length 21 (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (2) [eap] = ok (2) } # authorize = ok (2) Found Auth-Type = eap (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) authenticate { (2) eap: Peer sent packet with method EAP Identity (1) (2) eap: Calling submodule eap_tls to process data (2) eap_tls: (TLS) Initiating new session (2) eap_tls: (TLS) Setting verify mode to require certificate from client (2) eap: Sending EAP Request (code 1) ID 1 length 6 (2) eap: EAP session adding &reply:State = 0x61a7200961a62df0 (2) [eap] = handled (2) } # authenticate = handled (2) Using Post-Auth-Type Challenge (2) # Executing group from file /etc/freeradius/sites-enabled/default (2) Challenge { ... } # empty sub-section is ignored (2) session-state: Saving cached attributes (2) Framed-MTU = 994 (2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063 length 64 (2) EAP-Message = 0x010100060d20 (2) Message-Authenticator = 0x00000000000000000000000000000000 (2) State = 0x61a7200961a62df0743c98b3a07aed8f (2) Finished request Waking up in 1.9 seconds. (3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812 length 215 (3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94 (3) Service-Type = Framed-User (3) User-Name = "user@example.org" (3) Framed-MTU = 1488 (3) State = 0x61a7200961a62df0743c98b3a07aed8f (3) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (3) Calling-Station-Id = "22-85-59-7C-27-7A" (3) NAS-Identifier = "D-Link Access Point" (3) NAS-Port-Type = Wireless-802.11 (3) Connect-Info = "CONNECT 54Mbps 802.11g" (3) EAP-Message = 0x020100060300 (3) NAS-IP-Address = 10.17.30.60 (3) NAS-Port = 1 (3) NAS-Port-Id = "STA port # 1" (3) Restoring &session-state (3) &session-state:Framed-MTU = 994 (3) # Executing section authorize from file /etc/freeradius/sites-enabled/default (3) authorize { (3) policy filter_username { (3) if (&User-Name) { (3) if (&User-Name) -> TRUE (3) if (&User-Name) { (3) if (&User-Name =~ / /) { (3) if (&User-Name =~ / /) -> FALSE (3) if (&User-Name =~ /@[^@]*@/ ) { (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (3) if (&User-Name =~ /\.\./ ) { (3) if (&User-Name =~ /\.\./ ) -> FALSE (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (3) if (&User-Name =~ /\.$/) { (3) if (&User-Name =~ /\.$/) -> FALSE (3) if (&User-Name =~ /@\./) { (3) if (&User-Name =~ /@\./) -> FALSE (3) } # if (&User-Name) = notfound (3) } # policy filter_username = notfound (3) [preprocess] = ok (3) [chap] = noop (3) [mschap] = noop (3) [digest] = noop (3) suffix: Checking for suffix after "@" (3) suffix: Looking up realm "example.org" for User-Name = " user@example.org" (3) suffix: No such realm "example.org" (3) [suffix] = noop (3) eap: Peer sent EAP Response (code 2) ID 1 length 6 (3) eap: No EAP Start, assuming it's an on-going EAP conversation (3) [eap] = updated (3) files: users: Matched entry user@example.org at line 2 (3) [files] = ok (3) [expiration] = noop (3) [logintime] = noop Not doing PAP as Auth-Type is already set. (3) [pap] = noop (3) } # authorize = updated (3) Found Auth-Type = eap (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) authenticate { (3) eap: Expiring EAP session with state 0x61a7200961a62df0 (3) eap: Finished EAP session with state 0x61a7200961a62df0 (3) eap: Previous EAP request found for state 0x61a7200961a62df0, released from the list (3) eap: Peer sent packet with method EAP NAK (3) (3) eap: Peer NAK'd indicating it is not willing to continue (3) eap: Sending EAP Failure (code 4) ID 1 length 4 (3) eap: Failed in EAP select (3) [eap] = invalid (3) } # authenticate = invalid (3) Failed to authenticate the user (3) Using Post-Auth-Type Reject (3) # Executing group from file /etc/freeradius/sites-enabled/default (3) Post-Auth-Type REJECT { (3) attr_filter.access_reject: EXPAND %{User-Name} (3) attr_filter.access_reject: --> user@example.org (3) attr_filter.access_reject: Matched entry DEFAULT at line 11 (3) [attr_filter.access_reject] = updated (3) [eap] = noop (3) policy remove_reply_message_if_eap { (3) if (&reply:EAP-Message && &reply:Reply-Message) { (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (3) else { (3) [noop] = noop (3) } # else = noop (3) } # policy remove_reply_message_if_eap = noop (3) } # Post-Auth-Type REJECT = updated (3) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (3) Sending delayed response (3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063 length 44 (3) EAP-Message = 0x04010004 (3) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.8 seconds. (0) Cleaning up request packet ID 0 with timestamp +74 due to cleanup_delay was reached (1) Cleaning up request packet ID 1 with timestamp +74 due to cleanup_delay was reached Waking up in 3.0 seconds. (4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812 length 212 (4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100 (4) Service-Type = Framed-User (4) User-Name = "user@example.org" (4) Framed-MTU = 1488 (4) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (4) Calling-Station-Id = "22-85-59-7C-27-7A" (4) NAS-Identifier = "D-Link Access Point" (4) NAS-Port-Type = Wireless-802.11 (4) Connect-Info = "CONNECT 54Mbps 802.11g" (4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267 (4) NAS-IP-Address = 10.17.30.60 (4) NAS-Port = 1 (4) NAS-Port-Id = "STA port # 1" (4) # Executing section authorize from file /etc/freeradius/sites-enabled/default (4) authorize { (4) policy filter_username { (4) if (&User-Name) { (4) if (&User-Name) -> TRUE (4) if (&User-Name) { (4) if (&User-Name =~ / /) { (4) if (&User-Name =~ / /) -> FALSE (4) if (&User-Name =~ /@[^@]*@/ ) { (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (4) if (&User-Name =~ /\.\./ ) { (4) if (&User-Name =~ /\.\./ ) -> FALSE (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (4) if (&User-Name =~ /\.$/) { (4) if (&User-Name =~ /\.$/) -> FALSE (4) if (&User-Name =~ /@\./) { (4) if (&User-Name =~ /@\./) -> FALSE (4) } # if (&User-Name) = notfound (4) } # policy filter_username = notfound (4) [preprocess] = ok (4) [chap] = noop (4) [mschap] = noop (4) [digest] = noop (4) suffix: Checking for suffix after "@" (4) suffix: Looking up realm "example.org" for User-Name = " user@example.org" (4) suffix: No such realm "example.org" (4) [suffix] = noop (4) eap: Peer sent EAP Response (code 2) ID 0 length 21 (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (4) [eap] = ok (4) } # authorize = ok (4) Found Auth-Type = eap (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) authenticate { (4) eap: Peer sent packet with method EAP Identity (1) (4) eap: Calling submodule eap_tls to process data (4) eap_tls: (TLS) Initiating new session (4) eap_tls: (TLS) Setting verify mode to require certificate from client (4) eap: Sending EAP Request (code 1) ID 1 length 6 (4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a (4) [eap] = handled (4) } # authenticate = handled (4) Using Post-Auth-Type Challenge (4) # Executing group from file /etc/freeradius/sites-enabled/default (4) Challenge { ... } # empty sub-section is ignored (4) session-state: Saving cached attributes (4) Framed-MTU = 994 (4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065 length 64 (4) EAP-Message = 0x010100060d20 (4) Message-Authenticator = 0x00000000000000000000000000000000 (4) State = 0x10b8d47310b9d97a65ed29a95486330e (4) Finished request Waking up in 1.8 seconds. (5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812 length 215 (5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61 (5) Service-Type = Framed-User (5) User-Name = "user@example.org" (5) Framed-MTU = 1488 (5) State = 0x10b8d47310b9d97a65ed29a95486330e (5) Called-Station-Id = "00-26-5A-84-0D-89:dlink" (5) Calling-Station-Id = "22-85-59-7C-27-7A" (5) NAS-Identifier = "D-Link Access Point" (5) NAS-Port-Type = Wireless-802.11 (5) Connect-Info = "CONNECT 54Mbps 802.11g" (5) EAP-Message = 0x020100060300 (5) NAS-IP-Address = 10.17.30.60 (5) NAS-Port = 1 (5) NAS-Port-Id = "STA port # 1" (5) Restoring &session-state (5) &session-state:Framed-MTU = 994 (5) # Executing section authorize from file /etc/freeradius/sites-enabled/default (5) authorize { (5) policy filter_username { (5) if (&User-Name) { (5) if (&User-Name) -> TRUE (5) if (&User-Name) { (5) if (&User-Name =~ / /) { (5) if (&User-Name =~ / /) -> FALSE (5) if (&User-Name =~ /@[^@]*@/ ) { (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (5) if (&User-Name =~ /\.\./ ) { (5) if (&User-Name =~ /\.\./ ) -> FALSE (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (5) if (&User-Name =~ /\.$/) { (5) if (&User-Name =~ /\.$/) -> FALSE (5) if (&User-Name =~ /@\./) { (5) if (&User-Name =~ /@\./) -> FALSE (5) } # if (&User-Name) = notfound (5) } # policy filter_username = notfound (5) [preprocess] = ok (5) [chap] = noop (5) [mschap] = noop (5) [digest] = noop (5) suffix: Checking for suffix after "@" (5) suffix: Looking up realm "example.org" for User-Name = " user@example.org" (5) suffix: No such realm "example.org" (5) [suffix] = noop (5) eap: Peer sent EAP Response (code 2) ID 1 length 6 (5) eap: No EAP Start, assuming it's an on-going EAP conversation (5) [eap] = updated (5) files: users: Matched entry user@example.org at line 2 (5) [files] = ok (5) [expiration] = noop (5) [logintime] = noop Not doing PAP as Auth-Type is already set. (5) [pap] = noop (5) } # authorize = updated (5) Found Auth-Type = eap (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) authenticate { (5) eap: Expiring EAP session with state 0x10b8d47310b9d97a (5) eap: Finished EAP session with state 0x10b8d47310b9d97a (5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released from the list (5) eap: Peer sent packet with method EAP NAK (3) (5) eap: Peer NAK'd indicating it is not willing to continue (5) eap: Sending EAP Failure (code 4) ID 1 length 4 (5) eap: Failed in EAP select (5) [eap] = invalid (5) } # authenticate = invalid (5) Failed to authenticate the user (5) Using Post-Auth-Type Reject (5) # Executing group from file /etc/freeradius/sites-enabled/default (5) Post-Auth-Type REJECT { (5) attr_filter.access_reject: EXPAND %{User-Name} (5) attr_filter.access_reject: --> user@example.org (5) attr_filter.access_reject: Matched entry DEFAULT at line 11 (5) [attr_filter.access_reject] = updated (5) [eap] = noop (5) policy remove_reply_message_if_eap { (5) if (&reply:EAP-Message && &reply:Reply-Message) { (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (5) else { (5) [noop] = noop (5) } # else = noop (5) } # policy remove_reply_message_if_eap = noop (5) } # Post-Auth-Type REJECT = updated (5) Delaying response for 1.000000 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (5) Sending delayed response (5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065 length 44 (5) EAP-Message = 0x04010004 (5) Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 0.8 seconds. (2) Cleaning up request packet ID 0 with timestamp +77 due to cleanup_delay was reached (3) Cleaning up request packet ID 1 with timestamp +77 due to cleanup_delay was reached Waking up in 3.1 seconds. (4) Cleaning up request packet ID 0 with timestamp +80 due to cleanup_delay was reached (5) Cleaning up request packet ID 1 with timestamp +80 due to cleanup_delay was reached Ready to process requests
Thanks,
Cl?ment
Ce message et toutes les pieces jointes (ci-apres le "message") sont etablis a l'intention exclusive de ses destinataires. Si vous recevez ce message par erreur, merci de le detruire et d'en avertir immediatement l'expediteur par e-mail. Toute utilisation de ce message non conforme a sa destination, toute diffusion ou toute publication, totale ou partielle, est interdite, sauf autorisation expresse. Les communications sur Internet n'etant pas securisees, l'expediteur informe qu'il ne peut accepter aucune responsabilite quant au contenu de ce message. This mail message and attachments (the "message") are solely intended for the addresses. It is confidential in nature. If you receive this message in error, please delete it and immediately notify the sender by e-mail. Any use other than its intended purpose, dissemination or disclosure, either whole or partial, is prohibited except if formal approval is granted. As communication on the Internet is not secure, the sender does not accept responsibility for the content of this message.
------------------------------
Subject: Digest Footer
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------
End of Freeradius-Users Digest, Vol 214, Issue 31 *************************************************
On Mar 4, 2023, at 5:03 PM, Joe Jones <09cicada@gmail.com> wrote?:
Thank you for the reply. I do not understand what is mean, can you please elaborate?
I suggest instead that you elaborate on the problem you're having.
I am using a 3rd party radius server. O ce again, the password + otp works fine but username + otp does not.
"Stuff sometimes does things, but other stuff doesn't do things". There is no possible way that we can help you with a content-free statement like that. Describe what you're doing. Describe what happens. Describe what goes wrong. Use debug output if you have it. Or describe packet traces. But the most useless question you can ask is "I did a bunch of things and it didn't work. How do I fix it?" The only possible answer to that is "do different things". If you want a more helpful answer, then you've got to give some useful information in your question. Alan DeKok.
participants (2)
-
Alan DeKok -
Joe Jones