eap: Freeradius proxy doesn't work with EAP PEAP auth
Hi everybody, I have a problem with radius. This my architecture: 1. AP 192.168.0.210 2. Radius proxy: 192.168.0.158 3. Radius server: 192.168.0.243 The operating system of both radius server and radius proxy is CentOS 7, I have installed freeradius 3.0.4. I use MySQL to store the users. When I try to connect by using the command "radtest" everything works perfectly, here the command: "radtest danilo.raspa@realm_example.com 1234 192.168.0.158 18120 password" The problem is that when I try to connect from my phone using EAP PEAP(using same danilo.raspa@realm_example.com/1234) I recieve an "Access Reject" message from the radius server (this is the error: "eap : Identity does not match User-Name, setting from EAP Identity"). Here are some other info: proxy.conf (from radius proxy) [.. default part ..] home_server server1 { type = auth ipaddr = 192.168.0.243 port = 1812 secret = password } home_server_pool server_pool { type = fail-over home_server = server1 } realm "realm_example.com" { auth_pool = server_pool } --------------------------------- mods-enabled/eap eap { default_eap_type = peap proxy_tunneled_request_as_eap = no [..] } --------------------------------- User in table radcheck from schema radius: username: danilo.raspa attribute: Cleartext-Password op: := val: 1234 --------------------------------- Log request from RADIUS PROXY: Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812 length 168 User-Name = 'danilo.raspa@realm_example.com' NAS-IP-Address = 192.168.0.210 NAS-Identifier = 'RalinkAP0' NAS-Port = 0 Called-Station-Id = '80-1F-02-E0-D9-00' Calling-Station-Id = 'EC-9B-F3-64-E8-00' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a (0) Received Access-Request packet from host 192.168.0.210 port 3126, id=168, length=168 (0) User-Name = 'danilo.raspa@realm_example.com' (0) NAS-IP-Address = 192.168.0.210 (0) NAS-Identifier = 'RalinkAP0' (0) NAS-Port = 0 (0) Called-Station-Id = '80-1F-02-E0-D9-00' (0) Calling-Station-Id = 'EC-9B-F3-64-E8-00' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d (0) Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/ 192.168.0.210/auth-detail-20170705 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.210/auth-detail-20170705 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jul 5 14:55:26 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "realm_example.com" for User-Name = " danilo.raspa@realm_example.com" (0) suffix : Found realm "realm_example.com" (0) suffix : Adding Stripped-User-Name = "danilo.raspa" (0) suffix : Adding Realm = "realm_example.com" (0) suffix : Proxying request from user danilo.raspa to realm realm_example.com (0) suffix : Preparing to proxy authentication request to realm " realm_example.com" (0) [suffix] = updated (0) eap : Request is supposed to be proxied to Realm realm_example.com. Not doing EAP. (0) [eap] = noop (0) sql : EXPAND %{User-Name} (0) sql : --> danilo.raspa@realm_example.com (0) sql : SQL-User-Name set to 'danilo.raspa@realm_example.com' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id' (0) sql : User found in radcheck table (0) sql : Check items matched (0) sql : EXPAND SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id (0) sql : --> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radreply WHERE username = 'danilo.raspa@realm_example.com' ORDER BY id' (0) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (0) sql : --> SELECT groupname FROM radusergroup WHERE username = ' danilo.raspa@realm_example.com' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa@realm_example.com' ORDER BY priority' (0) sql : User not found in any groups rlm_sql (sql): Released connection (4) rlm_sql (sql): Closing connection (0), from 1 unused connections rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (3): Hit idle_timeout, was idle for 88 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (2): Hit idle_timeout, was idle for 88 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket rlm_sql (sql): Closing connection (1): Hit idle_timeout, was idle for 88 seconds rlm_sql (sql): You probably need to lower "min" rlm_sql_mysql: Socket destructor called, closing socket (0) [sql] = ok (0) [expiration] = noop (0) [logintime] = noop (0) [pap] = noop (0) } # authorize = updated Opening new proxy socket 'proxy address * port 0' Listening on proxy address * port 41438 (0) Proxying request to home server 192.168.0.243 port 1812 timeout 30.000000 (0) Sending Access-Request packet to host 192.168.0.243 port 1812, id=158, length=0 (0) User-Name = 'danilo.raspa' (0) NAS-IP-Address = 192.168.0.210 (0) NAS-Identifier = 'RalinkAP0' (0) NAS-Port = 0 (0) Called-Station-Id = '80-1F-02-E0-D9-A0' (0) Calling-Station-Id = 'EC-9B-F3-64-E8-D8' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d (0) Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a (0) Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' (0) Stripped-User-Name = 'danilo.raspa' (0) Realm = 'realm_example.com' (0) EAP-Type = Identity (0) Proxy-State = 0x313638 Sending Access-Request Id 158 from 0.0.0.0:41438 to 192.168.0.243:1812 User-Name = 'danilo.raspa' NAS-IP-Address = 192.168.0.210 NAS-Identifier = 'RalinkAP0' NAS-Port = 0 Called-Station-Id = '80-1F-02-E0-D9-00' Calling-Station-Id = 'EC-9B-F3-64-E8-00' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d Message-Authenticator = 0x450b54bc468fdabb50573826f97ac97a Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' Proxy-State = 0x313638 Waking up in 0.3 seconds. Waking up in 0.1 seconds. (0) Expecting proxy response no later than 29.499665 seconds from now Waking up in 29.4 seconds. Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812 length 168 Suppressing duplicate proxied request (too fast) to home server 192.168.0.243 port 1812 proto TCP - ID: 158 Waking up in 29.0 seconds. Received Access-Reject Id 158 from 192.168.0.243:1812 to 192.168.0.158:41438 length 25 Proxy-State = 0x313638 (0) Received Access-Reject packet from host 192.168.0.243 port 1812, id=158, length=25 (0) Proxy-State = 0x313638 (0) # Executing section post-proxy from file /etc/raddb/sites-enabled/default (0) post-proxy { (0) eap : No pre-existing handler found (0) [eap] = noop (0) } # post-proxy = noop (0) Login incorrect (Home Server says so): [danilo.raspa@realm_example.com] (from client company-intranet port 0 cli EC-9B-F3-64-E8-00) (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql : EXPAND .query (0) sql : --> .query (0) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND %{User-Name} (0) sql : --> danilo.raspa@realm_example.com (0) sql : SQL-User-Name set to 'danilo.raspa@realm_example.com' (0) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa@realm_example.com', '', 'Access-Reject', '2017-07-05 14:55:26') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa@realm_example.com', '', 'Access-Reject', '2017-07-05 14:55:26')' rlm_sql (sql): Released connection (4) rlm_sql (sql): 0 of 1 connections in use. Need more spares rlm_sql (sql): Opening additional connection (5) rlm_sql_mysql: Starting connect to MySQL server (0) [sql] = ok (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> danilo.raspa@realm_example.com (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Request was previously rejected, inserting EAP-Failure (0) [eap] = updated (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 192.168.0.210 port 3126, id=168, length=0 (0) EAP-Message = 0x04010004 (0) Message-Authenticator = 0x00000000000000000000000000000000 Sending Access-Reject Id 168 from 192.168.0.158:1812 to 192.168.0.210:3126 EAP-Message = 0x04010004 Message-Authenticator = 0x00000000000000000000000000000000 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 168 with timestamp +88 Ready to process requests --------------------------------- Log request from RADIUS SERVER: Received Access-Request Id 158 from 192.168.0.158:41438 to 192.168.0.243:1812 length 167 User-Name = 'danilo.raspa' NAS-IP-Address = 192.168.0.210 NAS-Identifier = 'RalinkAP0' NAS-Port = 0 Called-Station-Id = '80-1F-02-E0-D9-00' Calling-Station-Id = 'EC-9B-F3-64-E8-00' Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d Message-Authenticator = 0x1a099d1b62181477dc9bd471b56d829e Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' Proxy-State = 0x313638 (0) Received Access-Request packet from host 192.168.0.158 port 41438, id=158, length=167 (0) User-Name = 'danilo.raspa' (0) NAS-IP-Address = 192.168.0.210 (0) NAS-Identifier = 'RalinkAP0' (0) NAS-Port = 0 (0) Called-Station-Id = '80-1F-02-E0-D9-00' (0) Calling-Station-Id = 'EC-9B-F3-64-E8-00' (0) Framed-MTU = 1400 (0) NAS-Port-Type = Wireless-802.11 (0) EAP-Message = 0x0201001d0164616e696c6f2e7261737061406d6f76656e64612e636f6d (0) Message-Authenticator = 0x1a099d1b62181477dc9bd471b56d829e (0) Event-Timestamp = 'Jul 5 2017 14:55:26 CEST' (0) Proxy-State = 0x313638 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/ 192.168.0.158/auth-detail-20170705 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/192.168.0.158/auth-detail-20170705 (0) auth_log : EXPAND %t (0) auth_log : --> Wed Jul 5 14:55:26 2017 (0) [auth_log] = ok (0) [chap] = noop (0) [mschap] = noop (0) [digest] = noop (0) suffix : Checking for suffix after "@" (0) suffix : No '@' in User-Name = "danilo.raspa", looking up realm NULL (0) suffix : No such realm "NULL" (0) [suffix] = noop (0) eap : Peer sent code Response (2) ID 1 length 29 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Identity does not match User-Name, setting from EAP Identity <-----[I think that the problem is HERE!!] (0) eap : Failed in handler (0) [eap] = invalid (0) } # authenticate = invalid (0) Failed to authenticate the user (0) Using Post-Auth-Type Reject (0) # Executing group from file /etc/raddb/sites-enabled/default (0) Post-Auth-Type REJECT { (0) sql : EXPAND .query (0) sql : --> .query (0) sql : Using query template 'query' rlm_sql (sql): Reserved connection (4) (0) sql : EXPAND %{User-Name} (0) sql : --> danilo.raspa (0) sql : SQL-User-Name set to 'danilo.raspa' (0) sql : EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{SQL-User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') (0) sql : --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa', '', 'Access-Reject', '2017-07-05 14:55:26') rlm_sql (sql): Executing query: 'INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( 'danilo.raspa', '', 'Access-Reject', '2017-07-05 14:55:26')' rlm_sql (sql): Released connection (4) (0) [sql] = ok (0) attr_filter.access_reject : EXPAND %{User-Name} (0) attr_filter.access_reject : --> danilo.raspa (0) attr_filter.access_reject : Matched entry DEFAULT at line 11 (0) [attr_filter.access_reject] = updated (0) eap : Identity does not match User-Name, setting from EAP Identity (0) eap : Failed to get handler, probably already removed, not inserting EAP-Failure (0) [eap] = noop (0) remove_reply_message_if_eap remove_reply_message_if_eap { (0) if (&reply:EAP-Message && &reply:Reply-Message) (0) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (0) else else { (0) [noop] = noop (0) } # else else = noop (0) } # remove_reply_message_if_eap remove_reply_message_if_eap = noop (0) } # Post-Auth-Type REJECT = updated (0) Delaying response for 1 seconds Waking up in 0.3 seconds. Waking up in 0.6 seconds. (0) Sending delayed response (0) Sending Access-Reject packet to host 192.168.0.158 port 41438, id=158, length=0 (0) Proxy-State = 0x313638 Sending Access-Reject Id 158 from 192.168.0.243:1812 to 192.168.0.158:41438 Proxy-State = 0x313638 Waking up in 3.9 seconds. (0) Cleaning up request packet ID 158 with timestamp +7 Ready to process requests ---------------------------------------- Thanks in advance Danilo Raspa
On Jul 5, 2017, at 9:12 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
When I try to connect by using the command "radtest" everything works perfectly, here the command: "radtest danilo.raspa@realm_example.com 1234 192.168.0.158 18120 password"
That just tests username / password authentication. It doesn't test anything else. Did you follow the instructions at the top of the "inner-tunnel" virtual server? They describe how to do more detailed testing.
The problem is that when I try to connect from my phone using EAP PEAP(using same danilo.raspa@realm_example.com/1234) I recieve an "Access Reject" message from the radius server (this is the error: "eap : Identity does not match User-Name, setting from EAP Identity").
The debug log should say what's going on.
Here are some other info:
We don't ask for that information. We don't need it.
Log request from RADIUS PROXY:
Received Access-Request Id 168 from 192.168.0.210:3126 to 192.168.0.158:1812 length 168 User-Name = 'danilo.raspa@realm_example.com' .. (0) suffix : Looking up realm "realm_example.com" for User-Name = " danilo.raspa@realm_example.com" (0) suffix : Found realm "realm_example.com" (0) suffix : Adding Stripped-User-Name = "danilo.raspa" (0) suffix : Adding Realm = "realm_example.com" (0) suffix : Proxying request from user danilo.raspa to realm realm_example.com (0) suffix : Preparing to proxy authentication request to realm " ... (0) Sending Access-Request packet to host 192.168.0.243 port 1812, id=158, length=0 (0) User-Name = 'danilo.raspa'
You have the proxy editing the User-Name. Don't do that. See the documentation in proxy.conf. You can configure it to *not* edit the User-Name. Alan DeKok.
Hi Alan, Thanks for your contribute.
Did you follow the instructions at the top of the "inner-tunnel" virtual server? They describe how to do more detailed testing.
I launched the following command from another server: radtest -t mschap danilo.raspa%realm_example.com 1234 192.168.0.158:1812 0 password Sending Access-Request Id 91 from 0.0.0.0:36986 to 192.168.0.158:1812 User-Name = 'danilo.raspa%realm_example.com' NAS-IP-Address = 192.168.0.158 NAS-Port = 0 Message-Authenticator = 0x00 MS-CHAP-Challenge = 0xfd0947b33c5ba968 MS-CHAP-Response = 0x00010000000000000000000000000000000000000000000000007c95160f801e9ec0811d7b6f29e4c4dab3627a5669d4a235 Received Access-Accept Id 91 from 192.168.0.158:1812 to 192.168.0.155:36986 length 68 MS-CHAP-MPPE-Keys = 0xb757bf5c0d87772f6ece635e056440 MS-MPPE-Encryption-Policy = Encryption-Allowed MS-MPPE-Encryption-Types = RC4-40or128-bit-Allowed Everything work great but from the radius server log I can read: (0) eap : No EAP-Message, not doing EAP (0) [eap] = noop
You have the proxy editing the User-Name. Don't do that.
See the documentation in proxy.conf. You can configure it to *not* edit the User-Name.
I added "nostrip" inside the realm "realm_example.com" in proxy.conf and the error changed("(82) ERROR: mschap : MS-CHAP2-Response is incorrect"), I attached the radius server log below: (82) eap : Peer sent code Response (2) ID 9 length 123 (82) eap : Continuing tunnel setup (82) [eap] = ok (82) } # authorize = ok (82) Found Auth-Type = EAP (82) # Executing group from file /etc/raddb/sites-enabled/default (82) authenticate { (82) eap : Expiring EAP session with state 0x90a420c290ad3a6f (82) eap : Finished EAP session with state 0x38cae7a53fc3fe25 (82) eap : Previous EAP request found for state 0x38cae7a53fc3fe25, released from the list (82) eap : Peer sent method PEAP (25) (82) eap : EAP PEAP (25) (82) eap : Calling eap_peap to process EAP data (82) eap_peap : processing EAP-TLS (82) eap_peap : eaptls_verify returned 7 (82) eap_peap : Done initial handshake (82) eap_peap : eaptls_process returned 7 (82) eap_peap : FR_TLS_OK (82) eap_peap : Session established. Decoding tunneled attributes (82) eap_peap : Peap state phase2 (82) eap_peap : EAP type MSCHAPv2 (26) (82) eap_peap : Got tunneled request EAP-Message = 0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d server default { (82) eap_peap : Setting User-Name to danilo.raspa%realm_example.com Sending tunneled request EAP-Message = 0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'danilo.raspa%realm_example.com' State = 0x90a420c290ad3a6f59be74fda79cf503 server inner-tunnel { (82) server inner-tunnel { (82) Request: EAP-Message = 0x020900531a0209004e3176495e338130f40a70357647b9aa0fcc000000000000000049632cf2caac4929ad1f63acf90fa2b39931f340df9ba7a00064616e696c6f2e7261737061256d6f76656e64612e636f6d FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = 'danilo.raspa%realm_example.com' State = 0x90a420c290ad3a6f59be74fda79cf503 (82) # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel (82) authorize { (82) [chap] = noop (82) [mschap] = noop (82) suffix : Checking for suffix after "@" (82) suffix : No '@' in User-Name = "danilo.raspa%realm_example.com", looking up realm NULL (82) suffix : No such realm "NULL" (82) [suffix] = noop (82) update control { (82) Proxy-To-Realm := 'LOCAL' (82) } # update control = noop (82) eap : Peer sent code Response (2) ID 9 length 83 (82) eap : No EAP Start, assuming it's an on-going EAP conversation (82) [eap] = updated (82) [files] = noop (82) sql : EXPAND %{User-Name} (82) sql : --> danilo.raspa%realm_example.com (82) sql : SQL-User-Name set to 'danilo.raspa%realm_example.com' rlm_sql (sql): Reserved connection (11) (82) sql : EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id (82) sql : --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY id rlm_sql (sql): Executing query: 'SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY id' (82) sql : EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority (82) sql : --> SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY priority rlm_sql (sql): Executing query: 'SELECT groupname FROM radusergroup WHERE username = 'danilo.raspa=25realm_example.com' ORDER BY priority' (82) sql : User not found in any groups rlm_sql (sql): Released connection (11) (82) [sql] = notfound (82) [expiration] = noop (82) [logintime] = noop (82) [pap] = noop (82) } # authorize = updated (82) Found Auth-Type = EAP (82) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (82) authenticate { (82) eap : Expiring EAP session with state 0x90a420c290ad3a6f (82) eap : Finished EAP session with state 0x90a420c290ad3a6f (82) eap : Previous EAP request found for state 0x90a420c290ad3a6f, released from the list (82) eap : Peer sent method MSCHAPv2 (26) (82) eap : EAP MSCHAPv2 (26) (82) eap : Calling eap_mschapv2 to process EAP data (82) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (82) eap_mschapv2 : Auth-Type MS-CHAP { (82) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (82) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (82) mschap : Creating challenge hash with username: danilo.raspa% realm_example.com (82) mschap : Client is using MS-CHAPv2 (82) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (82) ERROR: mschap : MS-CHAP2-Response is incorrect (82) [mschap] = reject (82) } # Auth-Type MS-CHAP = reject Thank you in advance Danilo Raspa
On Jul 5, 2017, at 11:11 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
I launched the following command from another server: radtest -t mschap danilo.raspa%realm_example.com 1234 192.168.0.158:1812 0 password
You're not testing it with the same user-name?
I added "nostrip" inside the realm "realm_example.com" in proxy.conf and the error changed("(82) ERROR: mschap : MS-CHAP2-Response is incorrect"), I attached the radius server log below:
I think you missed my point... If you add "nostrip", you should test *PROXYING* again. With the SAME USERNAME as before. Don't do a DIFFERENT test, where you're trying a different User-Name, and where you're trying to authenticate the user locally on the proxy. Alan DeKok.
Hi Alan,
You're not testing it with the same user-name? Sorry Alan, I forgot to say that I've modified the delimiter from @ to %. Yes I used the same user-name. After adding the property "nostrip" in proxy.conf I modified the username in radcheck from danilo.raspa to danilo.raspa%realm_example.com
I think you missed my point...
Maybe yes... What do you mean with this phrase "You have the proxy editing the User-Name." ? Thank you
On Jul 5, 2017, at 11:54 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
Hi Alan,
You're not testing it with the same user-name? Sorry Alan, I forgot to say that I've modified the delimiter from @ to %. Yes I used the same user-name.
That's wrong. You should test ONE thing at a time. Don't make 3-4 changes, and wonder why it doesn't work. Make ONE change. The answer I gave in my first message WILL WORK. The reason it doesn't work is because you went and changed lots of other things, and didn't re-run the same test.
Maybe yes... What do you mean with this phrase "You have the proxy editing the User-Name." ?
I meant you should add "nostrip", which makes the proxy stop editing the User-Name. Alan DeKok.
Hi Alan, Thank you for your time. I removed the extra changes and now I'm at the same situation that I was in the first mail, now I added "nostrip" for my realm. I remember you that I modified the mods-enabled/eap with this two lines: eap { default_eap_type = peap proxy_tunneled_request_as_eap = no [..] } Now when I tried to login I can read the folling lines from Radius server log: (20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (20) authenticate { (20) eap : Expiring EAP session with state 0x6ddc6af26dd57012 (20) eap : Finished EAP session with state 0x6ddc6af26dd57012 (20) eap : Previous EAP request found for state 0x6ddc6af26dd57012, released from the list (20) eap : Peer sent method MSCHAPv2 (26) (20) eap : EAP MSCHAPv2 (26) (20) eap : Calling eap_mschapv2 to process EAP data (20) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (20) eap_mschapv2 : Auth-Type MS-CHAP { (20) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (20) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (20) mschap : Creating challenge hash with username: danilo.raspa@realm_example.com (20) mschap : Client is using MS-CHAPv2 (20) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (20) ERROR: mschap : MS-CHAP2-Response is incorrect (20) [mschap] = reject (20) } # Auth-Type MS-CHAP = reject Thank you in advance Danilo Danilo 2017-07-05 20:13 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Jul 5, 2017, at 11:54 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
Hi Alan,
You're not testing it with the same user-name? Sorry Alan, I forgot to say that I've modified the delimiter from @ to %. Yes I used the same user-name.
That's wrong.
You should test ONE thing at a time. Don't make 3-4 changes, and wonder why it doesn't work. Make ONE change.
The answer I gave in my first message WILL WORK. The reason it doesn't work is because you went and changed lots of other things, and didn't re-run the same test.
Maybe yes... What do you mean with this phrase "You have the proxy editing the User-Name." ?
I meant you should add "nostrip", which makes the proxy stop editing the User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On Jul 6, 2017, at 7:06 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
I removed the extra changes and now I'm at the same situation that I was in the first mail, now I added "nostrip" for my realm.
No, you're not. The partial debug log you posted shows that it's now trying to authenticate the user locally instead of proxying it. And it's a *partial* debug log, not a full one with the outer packets showing. Honestly, you're taking every effort to ignore my advice. I can't help you. Alan DeKok.
Alan,
Now when I tried to login I can read the folling lines from Radius server log: The partial log is from RADIUS SERVER And no Radius proxy. Thanks Il 06 Lug 2017 13:06, "Danilo Raspa" <danilo.raspa@gmail.com> ha scritto:
Hi Alan, Thank you for your time. I removed the extra changes and now I'm at the same situation that I was in the first mail, now I added "nostrip" for my realm. I remember you that I modified the mods-enabled/eap with this two lines: eap { default_eap_type = peap proxy_tunneled_request_as_eap = no [..] } Now when I tried to login I can read the folling lines from Radius server log: (20) # Executing group from file /etc/raddb/sites-enabled/inner-tunnel (20) authenticate { (20) eap : Expiring EAP session with state 0x6ddc6af26dd57012 (20) eap : Finished EAP session with state 0x6ddc6af26dd57012 (20) eap : Previous EAP request found for state 0x6ddc6af26dd57012, released from the list (20) eap : Peer sent method MSCHAPv2 (26) (20) eap : EAP MSCHAPv2 (26) (20) eap : Calling eap_mschapv2 to process EAP data (20) eap_mschapv2 : # Executing group from file /etc/raddb/sites-enabled/ inner-tunnel (20) eap_mschapv2 : Auth-Type MS-CHAP { (20) WARNING: mschap : No Cleartext-Password configured. Cannot create LM-Password (20) WARNING: mschap : No Cleartext-Password configured. Cannot create NT-Password (20) mschap : Creating challenge hash with username: danilo.raspa@realm_example.com (20) mschap : Client is using MS-CHAPv2 (20) ERROR: mschap : FAILED: No NT/LM-Password. Cannot perform authentication (20) ERROR: mschap : MS-CHAP2-Response is incorrect (20) [mschap] = reject (20) } # Auth-Type MS-CHAP = reject Thank you in advance Danilo Danilo 2017-07-05 20:13 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Jul 5, 2017, at 11:54 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
Hi Alan,
You're not testing it with the same user-name? Sorry Alan, I forgot to say that I've modified the delimiter from @ to %. Yes I used the same user-name.
That's wrong.
You should test ONE thing at a time. Don't make 3-4 changes, and wonder why it doesn't work. Make ONE change.
The answer I gave in my first message WILL WORK. The reason it doesn't work is because you went and changed lots of other things, and didn't re-run the same test.
Maybe yes... What do you mean with this phrase "You have the proxy editing the User-Name." ?
I meant you should add "nostrip", which makes the proxy stop editing the User-Name.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
On Jul 6, 2017, at 7:57 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
Alan,
Now when I tried to login I can read the folling lines from Radius server log: The partial log is from RADIUS SERVER And no Radius proxy.
Even with that... the documentation describes how to authenticate a user. The examples show how to configure modules. And the documentation says to post the FULL debug log. The issue is you're not following instructions. You're not reading the documentation that comes with the server. You're not reading the comments in the default configuration files. And you're not reading the debug output you post to the list. Correcting any one of those issues would let you fix the problem on your own. Alan DeKok.
Thank you Alan, I will try to resolve my problem. have a good day Danilo 2017-07-06 14:02 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Jul 6, 2017, at 7:57 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
Alan,
Now when I tried to login I can read the folling lines from Radius
server
log: The partial log is from RADIUS SERVER And no Radius proxy.
Even with that... the documentation describes how to authenticate a user. The examples show how to configure modules.
And the documentation says to post the FULL debug log.
The issue is you're not following instructions. You're not reading the documentation that comes with the server. You're not reading the comments in the default configuration files. And you're not reading the debug output you post to the list.
Correcting any one of those issues would let you fix the problem on your own.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
Hi Alan, I solved my problem. The "nostrip" is just a part of the correct configuration. Below the steps that I followed to reach the goal, I hope this might help someone in the future: 1. proxy.conf specify "nostrip" in realm as Alan suggested 2. in mods-enabled/eap eap { ... default_eap_type = ttls ... ttls { ... ##default_eap_type = md5 ... copy_request_to_tunnel = yes ... use_tunneled_reply = yes ... } ... peap { ... copy_request_to_tunnel = yes ... use_tunneled_reply = yes } ... } Thanks for your time Danilo Raspa 2017-07-06 14:17 GMT+02:00 Danilo Raspa <danilo.raspa@gmail.com>:
Thank you Alan, I will try to resolve my problem.
have a good day
Danilo
2017-07-06 14:02 GMT+02:00 Alan DeKok <aland@deployingradius.com>:
On Jul 6, 2017, at 7:57 AM, Danilo Raspa <danilo.raspa@gmail.com> wrote:
Alan,
Now when I tried to login I can read the folling lines from Radius
server
log: The partial log is from RADIUS SERVER And no Radius proxy.
Even with that... the documentation describes how to authenticate a user. The examples show how to configure modules.
And the documentation says to post the FULL debug log.
The issue is you're not following instructions. You're not reading the documentation that comes with the server. You're not reading the comments in the default configuration files. And you're not reading the debug output you post to the list.
Correcting any one of those issues would let you fix the problem on your own.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list /users.html
participants (2)
-
Alan DeKok -
Danilo Raspa