PEAP auth rejected due to different inner and outer user-id
Encountered the following issue. Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same. Snippet of the debug log. Full debug.log for the attempt and radiusd -X attached. Tue Feb 11 09:58:32 2014 : Debug: ++update outer.reply { Tue Feb 11 09:58:32 2014 : Debug: expand: %{request:User-Name} -> jacquegp Tue Feb 11 09:58:32 2014 : Debug: ++} # update outer.reply = noop Tue Feb 11 09:58:32 2014 : Debug: +} # group post-auth = noop Tue Feb 11 09:58:32 2014 : Debug: [peap] Tunneled authentication was successful. Tue Feb 11 09:58:32 2014 : Debug: [peap] SUCCESS Tue Feb 11 09:58:32 2014 : Debug: [peap] Saving tunneled attributes for later Tue Feb 11 09:58:32 2014 : Debug: ++[eap_custom] = handled Tue Feb 11 09:58:32 2014 : Debug: +} # group authenticate = handled Tue Feb 11 09:58:32 2014 : Debug: Sending Access-Challenge packet to host 172.23.12.254 port 1645, id=101, length=0 Tue Feb 11 09:58:32 2014 : Debug: User-Name = "jacquegp" Tue Feb 11 09:58:32 2014 : Debug: EAP-Message = 0x010a002b190017030100201278d8b49e1c026b2f34d961bf660de263813d0f9033639f146fe5baf2675fcf Tue Feb 11 09:58:32 2014 : Debug: Message-Authenticator = 0x00000000000000000000000000000000 Tue Feb 11 09:58:32 2014 : Debug: State = 0x1873098d1079106583e3066b1fd4db72 Tue Feb 11 09:58:32 2014 : Debug: Finished request 556186. Tue Feb 11 09:58:32 2014 : Debug: Received Access-Request packet from host 172.23.12.254 port 1645, id=102, length=283 Tue Feb 11 09:58:32 2014 : Debug: User-Name = "jacquegp" Tue Feb 11 09:58:32 2014 : Debug: Framed-MTU = 1400 Tue Feb 11 09:58:32 2014 : Debug: Called-Station-Id = "003a.9aba.7bf0" Tue Feb 11 09:58:32 2014 : Debug: Calling-Station-Id = "8832.9b40.493a" Tue Feb 11 09:58:32 2014 : Debug: Cisco-AVPair = "ssid=Wireless" Tue Feb 11 09:58:32 2014 : Debug: WISPr-Location-Name = "Location" Tue Feb 11 09:58:32 2014 : Debug: Service-Type = Login-User Tue Feb 11 09:58:32 2014 : Debug: Message-Authenticator = 0xd3c7bd34fe6ab7510f2d1c529f4e9513 Tue Feb 11 09:58:32 2014 : Debug: EAP-Message = 0x020a005019001703010020090e5ecf84ca7daf04c43eff2c62dffd490c3165926acddb05e42bca4a2feae7170301002084ce26a1c964a6ab6f8a698a7731102564f9c8867a7a05ddd592d015c17d6649 Tue Feb 11 09:58:32 2014 : Debug: NAS-Port-Type = Wireless-802.11 Tue Feb 11 09:58:32 2014 : Debug: NAS-Port = 4351 Tue Feb 11 09:58:32 2014 : Debug: NAS-Port-Id = "4351" Tue Feb 11 09:58:32 2014 : Debug: State = 0x1873098d1079106583e3066b1fd4db72 Tue Feb 11 09:58:32 2014 : Debug: NAS-IP-Address = 172.23.12.254 Tue Feb 11 09:58:32 2014 : Debug: NAS-Identifier = "Site" Tue Feb 11 09:58:32 2014 : Debug: # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default Tue Feb 11 09:58:32 2014 : Debug: +group authorize { Tue Feb 11 09:58:32 2014 : Debug: ++[preprocess] = ok Tue Feb 11 09:58:32 2014 : Debug: [suffix] No '@' in User-Name = "jacquegp", looking up realm NULL Tue Feb 11 09:58:32 2014 : Debug: [suffix] No such realm "NULL" Tue Feb 11 09:58:32 2014 : Debug: ++[suffix] = noop Tue Feb 11 09:58:32 2014 : Debug: ++? if (Aruba-Essid-Name == "Visitor") Tue Feb 11 09:58:32 2014 : Debug: (Attribute Aruba-Essid-Name was not found) Tue Feb 11 09:58:32 2014 : Debug: ? Evaluating (Aruba-Essid-Name == "Visitor") -> FALSE Tue Feb 11 09:58:32 2014 : Debug: ++? if (Aruba-Essid-Name == "Visitor") -> FALSE Tue Feb 11 09:58:32 2014 : Debug: ++else else { Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] EAP packet type response id 10 length 80 Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Continuing tunnel setup. Tue Feb 11 09:58:32 2014 : Debug: +++[eap_custom] = ok Tue Feb 11 09:58:32 2014 : Debug: ++} # else else = ok Tue Feb 11 09:58:32 2014 : Debug: ++[expiration] = noop Tue Feb 11 09:58:32 2014 : Debug: ++[logintime] = noop Tue Feb 11 09:58:32 2014 : Debug: ++[pap] = noop Tue Feb 11 09:58:32 2014 : Debug: +} # group authorize = ok Tue Feb 11 09:58:32 2014 : Debug: Found Auth-Type = eap_custom Tue Feb 11 09:58:32 2014 : Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Feb 11 09:58:32 2014 : Debug: +group authenticate { Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed. Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler Tue Feb 11 09:58:32 2014 : Debug: ++[eap_custom] = invalid Tue Feb 11 09:58:32 2014 : Debug: +} # group authenticate = invalid Tue Feb 11 09:58:32 2014 : Debug: Failed to authenticate the user. Tue Feb 11 09:58:32 2014 : Debug: Using Post-Auth-Type REJECT Tue Feb 11 09:58:32 2014 : Debug: # Executing group from file /usr/local/etc/raddb/sites-enabled/default Tue Feb 11 09:58:32 2014 : Debug: +group REJECT { Tue Feb 11 09:58:32 2014 : Debug: [attr_filter.access_reject] expand: %{User-Name} -> jacquegp Tue Feb 11 09:58:32 2014 : Debug: ++[attr_filter.access_reject] = updated Tue Feb 11 09:58:32 2014 : Debug: +} # group REJECT = updated Tue Feb 11 09:58:32 2014 : Debug: Delaying reject of request 556187 for 1 seconds Tue Feb 11 09:58:33 2014 : Debug: Cleaning up request 556177 ID 92 with timestamp +1110040 Tue Feb 11 09:58:33 2014 : Debug: Sending delayed reject for request 556187 Tue Feb 11 09:58:33 2014 : Debug: Sending Access-Reject packet to host 172.23.12.254 port 1645, id=102, length=0 Anyone seen this issue before? Thanks.
Hi,
Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same.
you are playing with the User-Name....modifying it in some way....the client wont like it..and EAP stuff wont either. use 'Stripped-User-Name' etc in your backend authentication. alan
On Tue, Feb 11, 2014 at 10:04 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Hi,
Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same.
you are playing with the User-Name....modifying it in some way....the client wont like it..and EAP stuff wont either. use 'Stripped-User-Name' etc in your backend authentication.
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Alan, After you mentioned modifying User-Name. I noticed that all but the final Access-requests received by the FR have User-Name="SLO", the last one is User-Name="jacquegp" (the inner username). This is after the post-auth section updated the outer.reply with inner User-Name and sent back in the last Access-Challenge. Could they be related? Thanks.
The "eap_custom" module seems responsible for this behaviour so you should look into its config, curiously enough I've found no traces of it in my freeradius 2.2.3 Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed. Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel 's post-auth section: if ( "%{outer.request:User-Name}" != "%{User-Name}" ){ reject } which does exactly that. If you see something along these lines, you've found the source of your problems Best regards, Inverse On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng@gmail.com>wrote:
Encountered the following issue.
Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same.
When this occurs, do you get something in your log that tells you that this is the reason for the auth failure? Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"? Sent from my mobile device. On Feb 11, 2014, at 8:52, "inverse" <inverse@ngi.it<mailto:inverse@ngi.it>> wrote: The "eap_custom" module seems responsible for this behaviour so you should look into its config, curiously enough I've found no traces of it in my freeradius 2.2.3 Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed. Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel 's post-auth section: if ( "%{outer.request:User-Name}" != "%{User-Name}" ){ reject } which does exactly that. If you see something along these lines, you've found the source of your problems Best regards, Inverse On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng@gmail.com<mailto:douglas.eseng@gmail.com>> wrote: Encountered the following issue. Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
McNutt, Justin M. wrote:
Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"?
Yes. The debug he posted shows he's running the inner-tunnel. i.e. he *is* the home for the user. The problem is that he's editing the User-Name, which causes problems. Alan DeKok.
No, as for this server I don't keep failure auth/reply logs. However I forgot to mention this is currently affecting only our local realms for enrolled students and personnel. The "default" realm is authenticated on another server with no such restriction. Inverse On Thu, Feb 13, 2014 at 1:56 PM, McNutt, Justin M. <McNuttJ@missouri.edu>wrote:
When this occurs, do you get something in your log that tells you that this is the reason for the auth failure?
Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"?
Sent from my mobile device.
On Feb 11, 2014, at 8:52, "inverse" <inverse@ngi.it> wrote:
The "eap_custom" module seems responsible for this behaviour so you should look into its config, curiously enough I've found no traces of it in my freeradius 2.2.3
Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed. Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler
However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel 's post-auth section:
if ( "%{outer.request:User-Name}" != "%{User-Name}" ){ reject }
which does exactly that. If you see something along these lines, you've found the source of your problems
Best regards,
Inverse
On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng@gmail.com>wrote:
Encountered the following issue.
Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- "In a sea of glass shards, I hear you screaming" --icchan
Ah, cool. Thanks. I've been thinking about doing the same thing for our local realms as well, but I would absolutely have to have some kind of log message for rejections or I won't be able to make it fly. --J From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org] On Behalf Of inverse Sent: Thursday, February 13, 2014 8:32 AM To: FreeRadius users mailing list Subject: Re: PEAP auth rejected due to different inner and outer user-id No, as for this server I don't keep failure auth/reply logs. However I forgot to mention this is currently affecting only our local realms for enrolled students and personnel. The "default" realm is authenticated on another server with no such restriction. Inverse On Thu, Feb 13, 2014 at 1:56 PM, McNutt, Justin M. <McNuttJ@missouri.edu<mailto:McNuttJ@missouri.edu>> wrote: When this occurs, do you get something in your log that tells you that this is the reason for the auth failure? Also, isn't inner anonymity one of the permitted benefits of the federated EAP structure used by eduroam? That is, guests are permitted to hide their real user IDs while not at "home"? Sent from my mobile device. On Feb 11, 2014, at 8:52, "inverse" <inverse@ngi.it<mailto:inverse@ngi.it>> wrote: The "eap_custom" module seems responsible for this behaviour so you should look into its config, curiously enough I've found no traces of it in my freeradius 2.2.3 Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Request found, released from the list Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Identity does not match User-Name. Authentication failed. Tue Feb 11 09:58:32 2014 : Debug: [eap_custom] Failed in handler However I consider this a feature, not a bug. In fact as a local policy for eduroam I've placed this in the inner-tunnel 's post-auth section: if ( "%{outer.request:User-Name}" != "%{User-Name}" ){ reject } which does exactly that. If you see something along these lines, you've found the source of your problems Best regards, Inverse On Tue, Feb 11, 2014 at 2:45 PM, douglas eseng <douglas.eseng@gmail.com<mailto:douglas.eseng@gmail.com>> wrote: Encountered the following issue. Running FR 2.2.3. PEAP tunneled authentication was successful. But get rejected due to username mismatch. No issue when both username are the same. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- "In a sea of glass shards, I hear you screaming" --icchan
participants (5)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
douglas eseng -
inverse -
McNutt, Justin M.