eduroam howto help with the wrong password scenario
first of all, how I wished the eduroam howto (http://wiki.freeradius.org/guide/eduroam) was online when I first had to configure freeradius. Lucky those who can start from it: it used to be harder. Still, I have a problem. Following the howto with the files setup, I can handle the happy path result (user with correct password). Everything works. If I modify the ~/eapol_test/peap-mschapv2.conf file with: password="iamthewrongpassword" the request fails after a while, like the server would give the client a second try: eapol logs: [...] EAP-MSCHAPV2: password changing protocol version 3 EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed, error 691) EAPOL: EAP parameter needed [...] and it takes 30 secs to issue the "FAILURE" line. ./sbin/radiusd -X [...] (14) eap_mschapv2: authenticate { (14) mschap: Found Cleartext-Password, hashing to create NT-Password (14) mschap: Found Cleartext-Password, hashing to create LM-Password (14) mschap: Creating challenge hash with username: a_user@example.org (14) mschap: Client is using MS-CHAPv2 (14) mschap: ERROR: MS-CHAP2-Response is incorrect (14) [mschap] = reject (14) } # authenticate = reject (14) MSCHAP-Error: ?E=691 R=1 C=3277c9a2969ff694b1e423f83f99ecd4 V=3 M=Authentication rejected (14) Found new challenge from MS-CHAP-Error: err=691 retry=1 challenge=3277c9a2969ff694b1e423f83f99ecd4 (14) ERROR: MSCHAP Failure (14) inner-eap: Sending EAP Request (code 1) ID 9 length 83 (14) inner-eap: EAP session adding &reply:State = 0x30262b3d312f3188 (14) [inner-eap] = handled (14) } # authenticate = handled (14) } # server eduroam-inner (14) Virtual server sending reply (14) EAP-Message = 0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564 (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x30262b3d312f318871613eb63a4734ad (14) eap_peap: Got tunneled reply code 11 (14) eap_peap: EAP-Message = 0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564 (14) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (14) eap_peap: State = 0x30262b3d312f318871613eb63a4734ad (14) eap_peap: Got tunneled reply RADIUS code 11 (14) eap_peap: EAP-Message = 0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564 (14) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 (14) eap_peap: State = 0x30262b3d312f318871613eb63a4734ad (14) eap_peap: Got tunneled Access-Challenge (14) eap: Sending EAP Request (code 1) ID 9 length 114 (14) eap: EAP session adding &reply:State = 0x8dc44f9585cd5612 (14) [eap] = handled (14) } # authenticate = handled (14) Using Post-Auth-Type Challenge (14) Post-Auth-Type sub-section not found. Ignoring. (14) # Executing group from file /opt/freeradius/etc/raddb/sites-enabled/default (14) session-state: Saving cached attributes (14) Stripped-User-Name := "a_user" (14) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:46152 length 0 (14) EAP-Message = 0x01090072190017030300674cef3f0c59b8f592198c61cd5c9a8810373267c99f6db7b6e410e43143fec0b5f4fb860d8b544e0b844edd43b9b26b119dfa7f1f7d3053bfab5b22f77511dad11e5369876d20211362ed1e949b67950fa465d6aec569ae4beae10d613101854ea2cbc3276df6df (14) Message-Authenticator = 0x00000000000000000000000000000000 (14) State = 0x8dc44f9585cd56126b4642e6eb93d427 (14) Finished request [...] Why am I missing the: linelog_send_reject from my logs? If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log line (when password is wrong). And the client takes only one sec to tell me there is a failure. What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch), thank you, Francesco
On Apr 20, 2018, at 8:34 AM, Francesco Malvezzi <francesco.malvezzi@unimore.it> wrote:
Still, I have a problem. Following the howto with the files setup, I can handle the happy path result (user with correct password). Everything works.
That's good.
If I modify the ~/eapol_test/peap-mschapv2.conf file with:
password="iamthewrongpassword"
the request fails after a while, like the server would give the client a second try:
eapol logs: [...] EAP-MSCHAPV2: password changing protocol version 3 EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed, error 691) EAPOL: EAP parameter needed [...] and it takes 30 secs to issue the "FAILURE" line.
Then you edited your configuration and broke something. The default configuration does *not* do password changes over MSCHAP. The default configuration does *not* wait 30 seconds to reject a user. Edit the "mschap" module configuration, and disable password changes.
Why am I missing the: linelog_send_reject from my logs?
I have no idea. Is it supposed to be there? Why?
If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log line (when password is wrong). And the client takes only one sec to tell me there is a failure.
What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch),
You're not describing what you want to do. Therefore we have no idea what you're doing wrong, if anything. Alan DeKok.
Hello,
first of all, how I wished the eduroam howto (http://wiki.freeradius.org/guide/eduroam) was online when I first had to configure freeradius. Lucky those who can start from it: it used to be harder.
Still, I have a problem. Following the howto with the files setup, I can handle the happy path result (user with correct password). Everything works.
If I modify the ~/eapol_test/peap-mschapv2.conf file with:
password="iamthewrongpassword"
the request fails after a while, like the server would give the client a second try:
And that's exactly what happens. MSCHAPv2 by default gets back to the client with "Password was wrong, try again." Only if the client says, "no thanks, I'm sure this was the one password I wanted to try" will the conversation be terminated. And only then will you get the reject logs. Of course this doesn't make much sense when *testing* with eapol_test - you've configured it with exactly one password and that's it. That's why wpa_supplicant allows you to send back the "no thanks". Quoting the wpa_supplicant.conf: # phase2: Phase2 (inner authentication with TLS tunnel) parameters # (string with field-value pairs, e.g., "auth=MSCHAPV2" for # EAP-PEAP or "autheap=MSCHAPV2 autheap=MD5" for EAP-TTLS). # "mschapv2_retry=0" can be used to disable MSCHAPv2 password # retry in authentication failure cases. The retry option in the protocol probably *is* what you want when the real client with an actual human sits on the other end. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 2, avenue de l'Université L-4365 Esch-sur-Alzette Tel: +352 424409 1 Fax: +352 422473 PGP key updated to 4096 Bit RSA - I will encrypt all mails if the recipient's key is known to me http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
On Apr 21, 2018, at 12:34 AM, Francesco Malvezzi <francesco.malvezzi@unimore.it> wrote:
first of all, how I wished the eduroam howto (http://wiki.freeradius.org/guide/eduroam) was online when I first had to configure freeradius. Lucky those who can start from it: it used to be harder.
You're welcome :) Thanks for fixing up the eapol_test config for PEAPv0. -Arran
participants (4)
-
Alan DeKok -
Arran Cudbard-Bell -
Francesco Malvezzi -
Stefan Winter