Problem with Anonymous Identity
Hi fellow FreeRADIUS users, I ran into a problem with the Anonymous Identity. We are on FreeRADIUS v.3.0.19 with MYSQL. When Anonymous Identity is configured on the client for PEAP authentication, it will fail. Server log (please see below) shows that the RADIUS service didn’t use the real username when comparing the username and password. Instead, the Anonymous Identity was used to compare against the database which caused the authentication to fail. However, if we do not use the Anonymous Identity, then it will pass. Does anyone know how to authenticate with Anonymous Identity configured? I have a portion of the log below for your reference. “aIdentity” is the configured Anonymous Identity and “test” is the real username. Thanks in advance! Any help or hint would be greatly appreciated! Log starts below: (1) Received Access-Request Id 105 from 127.0.0.1:55041 to 127.0.0.1:1812 length 256 (1) User-Name = "aIdentity" (1) Called-Station-Id = "B0-39-45-58-4E-2B:Demo@HT" (1) NAS-Port-Type = Wireless-802.11 (1) Service-Type = Framed-User (1) NAS-Port = 1 (1) Calling-Station-Id = "EE-7E-71-A0-BC-11" (1) Connect-Info = "CONNECT 54Mbps 802.11a" (1) Acct-Session-Id = "0816F02A9CC6C767" (1) WLAN-Pairwise-Cipher = 1027076 (1) WLAN-Group-Cipher = 1027076 (1) WLAN-AKM-Suite = 1027073 (1) Framed-MTU = 1400 (1) EAP-Message = 0x020200060319 (1) State = 0x2c0d44352c0f404cf084667d855c550a (1) Message-Authenticator = 0xf87e83ccd07bd1fb16e0e8a105c1a5aa (1) Event-Timestamp = "May 14 2021 19:43:01 CST" (1) NAS-IP-Address = 70.79.251.29 (1) Proxy-State = 0x32 (1) session-state: No cached attributes (1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default (18) eap: Calling submodule eap_mschapv2 to process data (18) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel (18) eap_mschapv2: authenticate { (18) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password (18) mschap: WARNING: User-Name (aIdentity) is not the same as MS-CHAP Name (test) from EAP-MSCHAPv2 (18) mschap: Creating challenge hash with username: test (18) mschap: Client is using MS-CHAPv2 (18) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication (18) mschap: ERROR: MS-CHAP2-Response is incorrect (18) eap_mschapv2: [mschap] = reject (18) eap_mschapv2: } # authenticate = reject =============== Vincent
On Jul 10, 2021, at 6:36 AM, Vincent 珉 Hua 华 <vincenthua@hotmail.com> wrote:
We are on FreeRADIUS v.3.0.19 with MYSQL. When Anonymous Identity is configured on the client for PEAP authentication, it will fail.
Anonymous identity is for the *outer* authentication session. Not the inner-tunnel.
Server log (please see below) shows
Nothing useful. Read http://wiki.freeradius.org/list-help We need the FULL DEBUG OUTPUT.
that the RADIUS service didn’t use the real username when comparing the username and password. Instead, the Anonymous Identity was used to compare against the database which caused the authentication to fail. However, if we do not use the Anonymous Identity, then it will pass.
You've completely misunderstood how RADIUS works. The *client* is sending the identities. FreeRADIUS just received them. So it's wrong to say "the RADIUS server doesn't use...". It's really "the RADIUS server doesn't RECEIVE ..." Which puts the blame where it belongs: the client. Of course, it's possible that you edited the default configuration and broke things. But we don't know that, because you didn't say what you did, and you didn't post the full debug output.
Does anyone know how to authenticate with Anonymous Identity configured?
Configure the client properly. Post the FULL DEBUG OUTPUT.
I have a portion of the log below for your reference. “aIdentity” is the configured Anonymous Identity and “test” is the real username.
Thanks in advance! Any help or hint would be greatly appreciated!
All of the documentation say POST THE FULL DEBUG OUTPUT. I have no idea why people ignore that. Alan DeKok.
Just one small additional caveat when getting this to work: don't use a recently upgraded android to do your tests. Some recent android updates send the outer id as the inner username, totally breaking this feature on those client devices.
On Jul 10, 2021, at 1:44 PM, Brian Julin <BJulin@clarku.edu> wrote:
Just one small additional caveat when getting this to work: don't use a recently upgraded android to do your tests. Some recent android updates send the outer id as the inner username, totally breaking this feature on those client devices.
Arg. What a horrible thing to do. I'm in the process of updating the standards for TTLS, PEAP, FAST, etc. I'll add some text to the IETF specification saying that this is a terrible idea. Every time I think that a vendor can't do something more ludicrous, they go and surprise me. Alan DeKok.
Alan DeKok <aland@deployingradius.com>
On Jul 10, 2021, at 1:44 PM, Brian Julin <BJulin@clarku.edu> wrote:
Just one small additional caveat when getting this to work: don't use a recently upgraded android to do your tests. Some recent android updates send the outer id as the inner username, totally breaking this feature on those client devices.
Arg. What a horrible thing to do. I'm in the process of updating the standards for TTLS, PEAP, FAST, etc. I'll add some text to the IETF specification saying that this is a terrible idea.
I think they just plain broke it by accident. They call the feature "anonymous identity" and then prevent using it for such. This after torturing everyone running a NAC with mac address randomization for supposedly that very purpose.
Every time I think that a vendor can't do something more ludicrous, they go and surprise me.
One other thing they did was put a new dropdown box for OCSP verification right under the box for PEAP certificate validation, so now any instructions that told users not to select "Do not validate" for PEAP certificate validation have to coax any users doing by-hand set-up through setting both boxes appropriately for their environment, because that box also has a "Do not validate" option.
participants (3)
-
Alan DeKok -
Brian Julin -
Vincent 珉 Hua 华