Stuck at "More than 50 roundtrips"
Hi. I'm trying to set up EAP-TLS with certificates with an Android Pixel 7 Pro, latest OS, via a Unifi U6 Pro, using FreeRadius 3.0.17 on a raspberry pi 4. I took the default config, and changed as little as possible: clients.conf, added: client wifi_aps { ipaddr = 192.168.123.0/24 secret = radiuspasswordhere } In case it would help, I also added a user. PEAP auth with username/password works. wifi Cleartext-Password := "XXXXXXX" Tunnel-Type = "VLAN", Tunnel-Medium-Type = "IEEE-802", Tunnel-Private-Group-Id = "13", Reply-Message = "Hello there!" Made the certificates by editing the .cnf files and doing "make ca.pem", "make server.pem", and "make client.pem". I loaded the .p12 on the Android phone, and changed the paths in mod-enabled/eap. I changed default_eap_type to tls, and added use_tunneled_reply to tls-config. Here's a selection of the output of freeradius -X: First access request in packet 1: (1) Received Access-Request Id 61 from 192.168.XX.Z:59545 to 192.168.XX.Y:1812 length 216 SSL handshake done by packet 8: (8) eap_tls: SSL Connection Established (with client cert details shown) After that there's just a bunch of apparently empty-ish repeating Access-Request/Access-Challenge[1], and it's stuck that way until: (52) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with state 0x8e36e001bc25ed47 What am I doing wrong? In this example I'm putting "wifi" as identity, in case it helps that it's present in the user config. I expect that at some point the server should reply Accepted, instead of a new challenge. I guess the client cert was not enough auth? Is there a config I need to change so that cert is sufficient? I'd appreciate any help. Thanks. [1] (14) Received Access-Request Id 74 from 192.168.XX.Z:59545 to 192.168.XX.Y:1812 length 231 (14) User-Name = "wifi" (14) NAS-IP-Address = 192.168.XX.Z (14) NAS-Identifier = "xxx" (14) Called-Station-Id = "xx-xx-xx-xx-xx-xx:secnet2" (14) NAS-Port-Type = Wireless-802.11 (14) Service-Type = Framed-User (14) Calling-Station-Id = "xx-xx-xx-xx-xx-xx" (14) Connect-Info = "CONNECT 0Mbps 802.11b" (14) Acct-Session-Id = "3E1F2B0282D15C98" (14) Acct-Multi-Session-Id = "3870EEE1F7155662" (14) WLAN-Pairwise-Cipher = 1027076 (14) WLAN-Group-Cipher = 1027076 (14) WLAN-AKM-Suite = 1027073 (14) Framed-MTU = 1400 (14) EAP-Message = 0x02ed00060d00 (14) State = 0x8e36e00182dbed476556c84932fcf3de (14) Message-Authenticator = 0x03a0ae965bd12781a50f91cd3ac1aaf6 (14) session-state: No cached attributes (14) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default (14) authorize { (14) policy filter_username { (14) if (&User-Name) { (14) if (&User-Name) -> TRUE (14) if (&User-Name) { (14) if (&User-Name =~ / /) { (14) if (&User-Name =~ / /) -> FALSE (14) if (&User-Name =~ /@[^@]*@/ ) { (14) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (14) if (&User-Name =~ /\.\./ ) { (14) if (&User-Name =~ /\.\./ ) -> FALSE (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (14) if (&User-Name =~ /\.$/) { (14) if (&User-Name =~ /\.$/) -> FALSE (14) if (&User-Name =~ /@\./) { (14) if (&User-Name =~ /@\./) -> FALSE (14) } # if (&User-Name) = notfound (14) } # policy filter_username = notfound (14) [preprocess] = ok (14) [chap] = noop (14) [mschap] = noop (14) [digest] = noop (14) suffix: Checking for suffix after "@" (14) suffix: No '@' in User-Name = "wifi", looking up realm NULL (14) suffix: No such realm "NULL" (14) [suffix] = noop (14) eap: Peer sent EAP Response (code 2) ID 237 length 6 (14) eap: No EAP Start, assuming it's an on-going EAP conversation (14) [eap] = updated (14) files: users: Matched entry wifi at line 90 (14) [files] = ok (14) [expiration] = noop (14) [logintime] = noop (14) pap: WARNING: Auth-Type already set. Not setting to PAP (14) [pap] = noop (14) } # authorize = updated (14) Found Auth-Type = eap (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) authenticate { (14) eap: Expiring EAP session with state 0x8e36e00182dbed47 (14) eap: Finished EAP session with state 0x8e36e00182dbed47 (14) eap: Previous EAP request found for state 0x8e36e00182dbed47, released from the list (14) eap: Peer sent packet with method EAP TLS (13) (14) eap: Calling submodule eap_tls to process data (14) eap_tls: Continuing EAP-TLS (14) eap_tls: Peer ACKed our handshake fragment (14) eap_tls: [eaptls verify] = request (14) eap_tls: [eaptls process] = handled (14) eap: Sending EAP Request (code 1) ID 238 length 10 (14) eap: EAP session adding &reply:State = 0x8e36e00183d8ed47 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default (14) Challenge { ... } # empty sub-section is ignored (14) Sent Access-Challenge Id 74 from 192.168.XX.Y:1812 to 192.168.XX.Z:59545 length 0 (14) Tunnel-Type = VLAN (14) Tunnel-Medium-Type = IEEE-802 (14) Tunnel-Private-Group-Id = "13" (14) Reply-Message = "Hello there!" (14) EAP-Message = 0x01ee000a0d8000000000 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x8e36e00183d8ed476556c84932fcf3de (14) Finished request -- typedef struct me_s { char name[] = { "Thomas Habets" }; char email[] = { "thomas@habets.se" }; char kernel[] = { "Linux" }; char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" }; char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" }; char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" }; } me_t;
On Oct 23, 2023, at 6:45 PM, thomas@habets.se wrote:
I'm trying to set up EAP-TLS with certificates with an Android Pixel 7 Pro, latest OS, via a Unifi U6 Pro, using FreeRadius 3.0.17
3.0.26 has been out for a while. I'd suggest using the most recent version. It's likely that the issue is fixed. The version OpenSSL may also make a difference. One thing which could be an issue is that EAP-TLS was updated for TLS 1.3. Version 3.0.26 has those updates. 3.0.17 doesn't. And the Android system is likely trying to use TLS 1.3 But since you only posted a tiny bit of the debug output, there's no way to tell. I shouldn't have to explain why it's necessary to post the FULL debug output, as it's in all of the documentation. Including the message you got when you joined the list. After 20+ years of making these comments, they get more than a little tiring.
After that there's just a bunch of apparently empty-ish repeating Access-Request/Access-Challenge[1], and it's stuck that way until:
(52) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made in session with state 0x8e36e001bc25ed47
That indicates that neither end is making progress. Each end is waiting for the other end to do somethign
What am I doing wrong? In this example I'm putting "wifi" as identity, in case it helps that it's present in the user config.
There is very little you can do to make the server get stuck in a loop. i.e. no normal configuration should do this. So what's left
I expect that at some point the server should reply Accepted, instead of a new challenge. I guess the client cert was not enough auth? Is there a config I need to change so that cert is sufficient?
It's not a certificate issue. Or at least very very likely to not be a certificate issue.
I'd appreciate any help. Thanks.
Upgrade. If it works, move on to something else. Alan DeKok.
On Tue, 24 Oct 2023 00:48:50 +0100, Alan DeKok <aland@deployingradius.com> said:
I'm trying to set up EAP-TLS with certificates with an Android Pixel 7 Pro, latest OS, via a Unifi U6 Pro, using FreeRadius 3.0.17 3.0.26 has been out for a while. I'd suggest using the most recent version. It's likely that the issue is fixed.
tl;dr: It does work with the new version. Thank you for your help, and I sincerely apologize for not asking my question in the better, clearly documented, way. I'll add some notes below merely for archives, in case someone else encounters this.
One thing which could be an issue is that EAP-TLS was updated for TLS 1.3. Version 3.0.26 has those updates. 3.0.17 doesn't. And the Android system is likely trying to use TLS 1.3
The debug output with 3.0.17 mentioned ignoring some TLS 1.3. On the Android side I could only choose minimum, not maximum, TLS version. I'd tried setting min and max version on the FreeRadius side, but it did not help.
Upgrade. If it works, move on to something else.
Yup, no need to run older versions just because it's the one packaged with the distribution. Thanks again! -- typedef struct me_s { char name[] = { "Thomas Habets" }; char email[] = { "thomas@habets.se" }; char kernel[] = { "Linux" }; char *pgpKey[] = { "http://www.habets.pp.se/pubkey.txt" }; char pgp[] = { "9907 8698 8A24 F52F 1C2E 87F6 39A4 9EEA 460A 0169" }; char coolcmd[] = { "echo '. ./_&. ./_'>_;. ./_" }; } me_t;
On Oct 24, 2023, at 4:03 PM, thomas@habets.se wrote:
The debug output with 3.0.17 mentioned ignoring some TLS 1.3. On the Android side I could only choose minimum, not maximum, TLS version. I'd tried setting min and max version on the FreeRadius side, but it did not help.
That was an issue with older versions. It would allow newer versions of TLS, but because there was no standard, it wouldn't work. That's now been fixed. RFC9190 now says "don't automatically use a new version of TLS". That took a bit of effort to get it, but it's there,
Upgrade. If it works, move on to something else.
Yup, no need to run older versions just because it's the one packaged with the distribution.
http://packages.networkradius.com Up-to-date packages for just about everything. Supported packages from the FreeRADIUS people, because most OS vendors are happy to ship 5 year-old software. Aln DeKok.
participants (2)
-
Alan DeKok -
thomas@habets.se