Freeradius Auth Issues on Password Change
Hi Guys, I have been using freeradius for a while now in production and it was all working fine. It is authenticating against Active Directory using EAP and MSCHAP. Our network runs only Apple Macs. About twelve or eighteen months ago so Apple seemed to make a change to their wireless configuration (maybe the driver?) for newer macs . Since then we have had an issue when a user's password expires. The authentication seems to get into a loop of the following messages. (24) Received Access-Request Id 108 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201 (24) User-Name = "j.smith" (24) NAS-IP-Address = 10.30.5.5 (24) NAS-Port = 0 (24) NAS-Identifier = "10.30.5.5" (24) NAS-Port-Type = Wireless-802.11 (24) Calling-Station-Id = "f0189857c82c" (24) Called-Station-Id = "40e3d6c1530e" (24) Service-Type = Framed-User (24) Framed-MTU = 1100 (24) EAP-Message = 0x0201000e01642e6d636d616e7573 (24) Aruba-Essid-Name = "ACESSID" (24) Aruba-Location-Id = "AccessPoint1" (24) Aruba-AP-Group = "AeroCareVC" (24) Aruba-Auth-Survivability = "enabled" (24) Message-Authenticator = 0x74652b705f9f65a5ae15b211b0cedfbd (24) # Executing section authorize from file /etc/raddb/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (24) auth_log: --> /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (24) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (24) auth_log: EXPAND %t (24) auth_log: --> Tue Jan 28 01:58:51 2020 (24) [auth_log] = ok (24) [chap] = noop (24) [mschap] = noop (24) [digest] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "j.smith", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) eap: Peer sent EAP Response (code 2) ID 1 length 14 (24) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (24) [eap] = ok (24) } # authorize = ok (24) Found Auth-Type = eap (24) # Executing group from file /etc/raddb/sites-enabled/default (24) authenticate { (24) eap: Peer sent packet with method EAP Identity (1) (24) eap: Calling submodule eap_md5 to process data (24) eap_md5: Issuing MD5 Challenge (24) eap: Sending EAP Request (code 1) ID 2 length 22 (24) eap: EAP session adding &reply:State = 0xc67bcfadc679cb38 (24) [eap] = handled (24) } # authenticate = handled (24) Using Post-Auth-Type Challenge (24) # Executing group from file /etc/raddb/sites-enabled/default (24) Challenge { ... } # empty sub-section is ignored (24) Sent Access-Challenge Id 108 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0 (24) EAP-Message = 0x010200160410e7b0cac5819493cfed924aab43c435a6 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0xc67bcfadc679cb38b49f9a453755281b (24) Finished request Waking up in 2.5 seconds. (25) Received Access-Request Id 109 from 10.30.5.5:56026 to 10.250.136.167:1812 length 213 (25) User-Name = "j.smith" (25) NAS-IP-Address = 10.30.5.5 (25) NAS-Port = 0 (25) NAS-Identifier = "10.30.5.5" (25) NAS-Port-Type = Wireless-802.11 (25) Calling-Station-Id = "f0189857c82c" (25) Called-Station-Id = "40e3d6c1530e" (25) Service-Type = Framed-User (25) Framed-MTU = 1100 (25) EAP-Message = 0x020200080319152b (25) State = 0xc67bcfadc679cb38b49f9a453755281b (25) Aruba-Essid-Name = "ACESSID" (25) Aruba-Location-Id = "AccessPoint1" (25) Aruba-AP-Group = "AeroCareVC" (25) Aruba-Auth-Survivability = "enabled" (25) Message-Authenticator = 0xd1c2467a441c5a3efd8a4f3f29e0dc27 (25) session-state: No cached attributes (25) # Executing section authorize from file /etc/raddb/sites-enabled/default (25) authorize { (25) policy filter_username { (25) if (&User-Name) { (25) if (&User-Name) -> TRUE (25) if (&User-Name) { (25) if (&User-Name =~ / /) { (25) if (&User-Name =~ / /) -> FALSE (25) if (&User-Name =~ /@[^@]*@/ ) { (25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (25) if (&User-Name =~ /\.\./ ) { (25) if (&User-Name =~ /\.\./ ) -> FALSE (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (25) if (&User-Name =~ /\.$/) { (25) if (&User-Name =~ /\.$/) -> FALSE (25) if (&User-Name =~ /@\./) { (25) if (&User-Name =~ /@\./) -> FALSE (25) } # if (&User-Name) = notfound (25) } # policy filter_username = notfound (25) [preprocess] = ok (25) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (25) auth_log: --> /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (25) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (25) auth_log: EXPAND %t (25) auth_log: --> Tue Jan 28 01:58:51 2020 (25) [auth_log] = ok (25) [chap] = noop (25) [mschap] = noop (25) [digest] = noop (25) suffix: Checking for suffix after "@" (25) suffix: No '@' in User-Name = "j.smith", looking up realm NULL (25) suffix: No such realm "NULL" (25) [suffix] = noop (25) eap: Peer sent EAP Response (code 2) ID 2 length 8 (25) eap: No EAP Start, assuming it's an on-going EAP conversation (25) [eap] = updated (25) [files] = noop (25) [expiration] = noop (25) [logintime] = noop (25) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (25) pap: WARNING: Authentication will fail unless a "known good" password is available (25) [pap] = noop (25) } # authorize = updated (25) Found Auth-Type = eap (25) # Executing group from file /etc/raddb/sites-enabled/default (25) authenticate { (25) eap: Expiring EAP session with state 0x8a35a5508831bc44 (25) eap: Finished EAP session with state 0xc67bcfadc679cb38 (25) eap: Previous EAP request found for state 0xc67bcfadc679cb38, released from the list (25) eap: Peer sent packet with method EAP NAK (3) (25) eap: Found mutually acceptable type PEAP (25) (25) eap: Calling submodule eap_peap to process data (25) eap_peap: Initiating new EAP-TLS session (25) eap_peap: [eaptls start] = request (25) eap: Sending EAP Request (code 1) ID 3 length 6 (25) eap: EAP session adding &reply:State = 0xc67bcfadc778d638 (25) [eap] = handled (25) } # authenticate = handled (25) Using Post-Auth-Type Challenge (25) # Executing group from file /etc/raddb/sites-enabled/default (25) Challenge { ... } # empty sub-section is ignored (25) Sent Access-Challenge Id 109 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0 (25) EAP-Message = 0x010300061920 (25) Message-Authenticator = 0x00000000000000000000000000000000 (25) State = 0xc67bcfadc778d638b49f9a453755281b (25) Finished request Waking up in 2.4 seconds. If I forget the wireless network on the client OS and then reconnect it works fine. Can you experts see the error on the radius side or have you heard of this issue before? I recently upgraded the radius server (running Amazon Linux 2) from version 2 to version 3.0.13 but that hasn't seemed to have fixed it. Any help or hints would be much appreciated, Damon -- Attention: The contents of this email, including any attachments, are intended only for the named recipients to which the email is addressed. The information contained in this email may be confidential or may contain legally privileged information or copyright material. You should only read, disclose, retransmit, copy or act in reliance on the information if you are authorised to do so. If you are not the intended recipient of this email, please notify the sender immediately and then destroy any electronic or paper copy of this message. Swissport Operations Pty Ltd, Swissport Flight Support Pty Ltd, Carbridge Pty. Ltd. and their related entities do not represent, warrant or guarantee that the integrity of this email has been maintained or that the email is free of errors, spam, malware, viruses or interference.
Hi Guys, Here it is again in plain text. Just got the rules email. :/ I have been using freeradius for a while now in production and it was all working fine. It is authenticating against Active Directory using EAP and MSCHAP. Our network runs only Apple Macs. About twelve or eighteen months ago so Apple seemed to make a change to their wireless configuration (maybe the driver?) for newer macs . Since then we have had an issue when a user's password expires. The authentication seems to get into a loop of the following messages. (24) Received Access-Request Id 108 from 10.30.5.5:56026 to 10.250.136.167:1812 length 201 (24) User-Name = "j.smith" (24) NAS-IP-Address = 10.30.5.5 (24) NAS-Port = 0 (24) NAS-Identifier = "10.30.5.5" (24) NAS-Port-Type = Wireless-802.11 (24) Calling-Station-Id = "f0189857c82c" (24) Called-Station-Id = "40e3d6c1530e" (24) Service-Type = Framed-User (24) Framed-MTU = 1100 (24) EAP-Message = 0x0201000e01642e6d636d616e7573 (24) Aruba-Essid-Name = "ACESSID" (24) Aruba-Location-Id = "AccessPoint1" (24) Aruba-AP-Group = "AeroCareVC" (24) Aruba-Auth-Survivability = "enabled" (24) Message-Authenticator = 0x74652b705f9f65a5ae15b211b0cedfbd (24) # Executing section authorize from file /etc/raddb/sites-enabled/default (24) authorize { (24) policy filter_username { (24) if (&User-Name) { (24) if (&User-Name) -> TRUE (24) if (&User-Name) { (24) if (&User-Name =~ / /) { (24) if (&User-Name =~ / /) -> FALSE (24) if (&User-Name =~ /@[^@]*@/ ) { (24) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (24) if (&User-Name =~ /\.\./ ) { (24) if (&User-Name =~ /\.\./ ) -> FALSE (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (24) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (24) if (&User-Name =~ /\.$/) { (24) if (&User-Name =~ /\.$/) -> FALSE (24) if (&User-Name =~ /@\./) { (24) if (&User-Name =~ /@\./) -> FALSE (24) } # if (&User-Name) = notfound (24) } # policy filter_username = notfound (24) [preprocess] = ok (24) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (24) auth_log: --> /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (24) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (24) auth_log: EXPAND %t (24) auth_log: --> Tue Jan 28 01:58:51 2020 (24) [auth_log] = ok (24) [chap] = noop (24) [mschap] = noop (24) [digest] = noop (24) suffix: Checking for suffix after "@" (24) suffix: No '@' in User-Name = "j.smith", looking up realm NULL (24) suffix: No such realm "NULL" (24) [suffix] = noop (24) eap: Peer sent EAP Response (code 2) ID 1 length 14 (24) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (24) [eap] = ok (24) } # authorize = ok (24) Found Auth-Type = eap (24) # Executing group from file /etc/raddb/sites-enabled/default (24) authenticate { (24) eap: Peer sent packet with method EAP Identity (1) (24) eap: Calling submodule eap_md5 to process data (24) eap_md5: Issuing MD5 Challenge (24) eap: Sending EAP Request (code 1) ID 2 length 22 (24) eap: EAP session adding &reply:State = 0xc67bcfadc679cb38 (24) [eap] = handled (24) } # authenticate = handled (24) Using Post-Auth-Type Challenge (24) # Executing group from file /etc/raddb/sites-enabled/default (24) Challenge { ... } # empty sub-section is ignored (24) Sent Access-Challenge Id 108 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0 (24) EAP-Message = 0x010200160410e7b0cac5819493cfed924aab43c435a6 (24) Message-Authenticator = 0x00000000000000000000000000000000 (24) State = 0xc67bcfadc679cb38b49f9a453755281b (24) Finished request Waking up in 2.5 seconds. (25) Received Access-Request Id 109 from 10.30.5.5:56026 to 10.250.136.167:1812 length 213 (25) User-Name = "j.smith" (25) NAS-IP-Address = 10.30.5.5 (25) NAS-Port = 0 (25) NAS-Identifier = "10.30.5.5" (25) NAS-Port-Type = Wireless-802.11 (25) Calling-Station-Id = "f0189857c82c" (25) Called-Station-Id = "40e3d6c1530e" (25) Service-Type = Framed-User (25) Framed-MTU = 1100 (25) EAP-Message = 0x020200080319152b (25) State = 0xc67bcfadc679cb38b49f9a453755281b (25) Aruba-Essid-Name = "ACESSID" (25) Aruba-Location-Id = "AccessPoint1" (25) Aruba-AP-Group = "AeroCareVC" (25) Aruba-Auth-Survivability = "enabled" (25) Message-Authenticator = 0xd1c2467a441c5a3efd8a4f3f29e0dc27 (25) session-state: No cached attributes (25) # Executing section authorize from file /etc/raddb/sites-enabled/default (25) authorize { (25) policy filter_username { (25) if (&User-Name) { (25) if (&User-Name) -> TRUE (25) if (&User-Name) { (25) if (&User-Name =~ / /) { (25) if (&User-Name =~ / /) -> FALSE (25) if (&User-Name =~ /@[^@]*@/ ) { (25) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (25) if (&User-Name =~ /\.\./ ) { (25) if (&User-Name =~ /\.\./ ) -> FALSE (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (25) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (25) if (&User-Name =~ /\.$/) { (25) if (&User-Name =~ /\.$/) -> FALSE (25) if (&User-Name =~ /@\./) { (25) if (&User-Name =~ /@\./) -> FALSE (25) } # if (&User-Name) = notfound (25) } # policy filter_username = notfound (25) [preprocess] = ok (25) auth_log: EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (25) auth_log: --> /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (25) auth_log: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.30.5.5/auth-detail-20200128 (25) auth_log: EXPAND %t (25) auth_log: --> Tue Jan 28 01:58:51 2020 (25) [auth_log] = ok (25) [chap] = noop (25) [mschap] = noop (25) [digest] = noop (25) suffix: Checking for suffix after "@" (25) suffix: No '@' in User-Name = "j.smith", looking up realm NULL (25) suffix: No such realm "NULL" (25) [suffix] = noop (25) eap: Peer sent EAP Response (code 2) ID 2 length 8 (25) eap: No EAP Start, assuming it's an on-going EAP conversation (25) [eap] = updated (25) [files] = noop (25) [expiration] = noop (25) [logintime] = noop (25) pap: WARNING: No "known good" password found for the user. Not setting Auth-Type (25) pap: WARNING: Authentication will fail unless a "known good" password is available (25) [pap] = noop (25) } # authorize = updated (25) Found Auth-Type = eap (25) # Executing group from file /etc/raddb/sites-enabled/default (25) authenticate { (25) eap: Expiring EAP session with state 0x8a35a5508831bc44 (25) eap: Finished EAP session with state 0xc67bcfadc679cb38 (25) eap: Previous EAP request found for state 0xc67bcfadc679cb38, released from the list (25) eap: Peer sent packet with method EAP NAK (3) (25) eap: Found mutually acceptable type PEAP (25) (25) eap: Calling submodule eap_peap to process data (25) eap_peap: Initiating new EAP-TLS session (25) eap_peap: [eaptls start] = request (25) eap: Sending EAP Request (code 1) ID 3 length 6 (25) eap: EAP session adding &reply:State = 0xc67bcfadc778d638 (25) [eap] = handled (25) } # authenticate = handled (25) Using Post-Auth-Type Challenge (25) # Executing group from file /etc/raddb/sites-enabled/default (25) Challenge { ... } # empty sub-section is ignored (25) Sent Access-Challenge Id 109 from 10.250.136.167:1812 to 10.30.5.5:56026 length 0 (25) EAP-Message = 0x010300061920 (25) Message-Authenticator = 0x00000000000000000000000000000000 (25) State = 0xc67bcfadc778d638b49f9a453755281b (25) Finished request Waking up in 2.4 seconds. If I forget the wireless network on the client OS and then reconnect it works fine. Can you experts see the error on the radius side or have you heard of this issue before? I recently upgraded the radius server (running Amazon Linux 2) from version 2 to version 3.0.13 but that hasn't seemed to have fixed it. Any help or hints would be much appreciated, Damon -- Attention: The contents of this email, including any attachments, are intended only for the named recipients to which the email is addressed. The information contained in this email may be confidential or may contain legally privileged information or copyright material. You should only read, disclose, retransmit, copy or act in reliance on the information if you are authorised to do so. If you are not the intended recipient of this email, please notify the sender immediately and then destroy any electronic or paper copy of this message. Swissport Operations Pty Ltd, Swissport Flight Support Pty Ltd, Carbridge Pty. Ltd. and their related entities do not represent, warrant or guarantee that the integrity of this email has been maintained or that the email is free of errors, spam, malware, viruses or interference.
On Feb 19, 2020, at 5:11 AM, Damon McManus <d.mcmanus@swissport.com.au> wrote:
I have been using freeradius for a while now in production and it was all working fine. It is authenticating against Active Directory using EAP and MSCHAP. Our network runs only Apple Macs. About twelve or eighteen months ago so Apple seemed to make a change to their wireless configuration (maybe the driver?) for newer macs . Since then we have had an issue when a user's password expires. The authentication seems to get into a loop of the following messages.
I use Macs and FreeRADIUS for authentication all of the time. It seems to work.
(24) eap: Peer sent packet with method EAP Identity (1) (24) eap: Calling submodule eap_md5 to process data (24) eap_md5: Issuing MD5 Challenge
You probably want to change mods-enabled/eap, and set default_eap_type = peap That will prevent it from doing MD5, NAKing it, and then doing PEAP. Other than that, nothing else in the debug log looks wrong.
If I forget the wireless network on the client OS and then reconnect it works fine. Can you experts see the error on the radius side or have you heard of this issue before? I recently upgraded the radius server (running Amazon Linux 2) from version 2 to version 3.0.13 but that hasn't seemed to have fixed it.
Then it's an Apple issue :( Alan DeKok.
participants (2)
-
Alan DeKok -
Damon McManus