I've been working trying to setup freeradius to work with peap/mschapv2 backended by a mysql database on Enterasys switches. I've got almost everything working except for when a user authenticates with a 802.1x supplicant with peap/mschapv2, freeradius sends an access-accept packet but does not append the Filter-Id that is required for Enterasys switches to switch the default port policy. However, when I authenticate to the management portion of the switch, which uses pap, it authenticates and sends the Filter-Id as it should. I'm not sure what I'm missing here and I honestly don't know what configs you guys would need to see to help with this. So if I can provide any logs or config files, please let me know. Thanks for any help.
Adam W. Sewell wrote:
I've been working trying to setup freeradius to work with peap/mschapv2 backended by a mysql database on Enterasys switches. I've got almost everything working except for when a user authenticates with a 802.1x supplicant with peap/mschapv2, freeradius sends an access-accept packet but does not append the Filter-Id that is required for Enterasys switches to switch the default port policy. However, when I authenticate to the management portion of the switch, which uses pap, it authenticates and sends the Filter-Id as it should. I'm not sure what I'm missing here and I honestly don't know what configs you guys would need to see to help with this. So if I can provide any logs or config files, please let me know.
Read the debug output. Or, post the output here, and maybe a sample of your config files. Alan DeKok.
Alan, Thanks for your response, here is my radiusd -x log. Which config files would you need to look at? Also, I should mention that I'm using freeradius 2.0.5 and in the radreply table in the database, I've got the user generic set as such: generic Filter-ID = Enterasys:version=1:policy=good Radiusd -X : ---------------------------------------- rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=23, length=232 Message-Authenticator = 0x7bfcf42131d8e9e0ad6bd307268ae929 User-Name = "generic" State = 0xcff4dbb0ca28c29d2aff3c6f56cfbfb0 NAS-IP-Address = 192.16.240.77 NAS-Port = 8 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-93-14-00" Framed-MTU = 1000 EAP-Message = 0x02dc00501900170301002035fa330ba4242cd20f856d7f454f3a99369f0d89420580a95672e3a511de75551703010020db4e3af5e6efafb8d60462c5468639a95a088c91dc25d696cba8f952639298f6 NAS-Identifier = "TEST_M48" NAS-Port-Id = "fe.0.8" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 220 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Identity - generic PEAP: Got tunneled identity of generic PEAP: Setting default EAP type for tunneled EAP session. PEAP: Setting User-Name to generic +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 220 length 13 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{User-Name} -> generic rlm_sql (sql): sql_set_user escaped user --> 'generic' rlm_sql (sql): Reserving sql socket id: 3 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'generic' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'generic' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'generic' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: EAP Identity rlm_eap: processing type mschapv2 rlm_eap_mschapv2: Issuing Challenge ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 23 to 192.16.240.77 port 1930 EAP-Message = 0x01dd004b190017030100406e513bcbd4bf071acb8020531c484948b552e98290ce2f63732832cf39f800c2cdfe1247a1bdff73f334f40bb98763d6e837a0823b4e02b30a4fc324301868ec Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcff4dbb0c929c29d2aff3c6f56cfbfb0 Finished request 6. Going to the next request Waking up in 4.8 seconds. rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=24, length=296 Message-Authenticator = 0x4e783fdb7836cc7f26aba095b8f84dba User-Name = "generic" State = 0xcff4dbb0c929c29d2aff3c6f56cfbfb0 NAS-IP-Address = 192.16.240.77 NAS-Port = 8 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-93-14-00" Framed-MTU = 1000 EAP-Message = 0x02dd009019001703010020d08545003c24b1fc221d759b3397ce513e5a8e4919b77f32d4df3d6729b3fe86170301006040c03f0960339981014df3bb4edff293aac927d2a0fe4ab0eaa5c8b00668ec101a7e4237597001cc42f58922e1540dc3902c9c18b7b8ce243c410ddf32670f0d1a04b3f47661b6ff6877276941b56a78ec60c1b77ca9ba6ec598a30abfc700ec NAS-Identifier = "TEST_M48" NAS-Port-Id = "fe.0.8" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 221 length 144 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to generic +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 221 length 67 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{User-Name} -> generic rlm_sql (sql): sql_set_user escaped user --> 'generic' rlm_sql (sql): Reserving sql socket id: 2 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'generic' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'generic' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'generic' ORDER BY priority rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 +- entering group MS-CHAP rlm_mschap: Told to do MS-CHAPv2 for generic with NT-Password rlm_mschap: adding MS-CHAPv2 MPPE keys ++[mschap] returns ok MSCHAP Success ++[eap] returns handled PEAP: Got tunneled Access-Challenge ++[eap] returns handled Sending Access-Challenge of id 24 to 192.16.240.77 port 1930 EAP-Message = 0x01de005b19001703010050aaba6e19dc927df16c4fbb14d73abd4a1ba6718b00d562988fc2d4ecce3330337bc03386d060f91ded0d1d2b1f2233718e737eb9f9f2d80bc40d496b60dd9505a92aef9ffbb37710b306c5d974005006 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcff4dbb0c82ac29d2aff3c6f56cfbfb0 Finished request 7. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=25, length=232 Message-Authenticator = 0xe41d58872b5680231227ca5a2e4d5da8 User-Name = "generic" State = 0xcff4dbb0c82ac29d2aff3c6f56cfbfb0 NAS-IP-Address = 192.16.240.77 NAS-Port = 8 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-93-14-00" Framed-MTU = 1000 EAP-Message = 0x02de0050190017030100200a72ae019719cfe652b0673f44847665a0076c5c567244f9cbf96fdee5c32b5a1703010020a76fa56a89dc65800d2d8b497c0e4c2b5a16d3950a14b484b2709b7e89001bce NAS-Identifier = "TEST_M48" NAS-Port-Id = "fe.0.8" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 222 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: EAP type mschapv2 PEAP: Setting User-Name to generic +- entering group authorize ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 222 length 6 rlm_eap: No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated expand: %{User-Name} -> generic rlm_sql (sql): sql_set_user escaped user --> 'generic' rlm_sql (sql): Reserving sql socket id: 1 expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'generic' ORDER BY id rlm_sql (sql): User found in radcheck table expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'generic' ORDER BY id expand: SELECT groupname FROM usergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM usergroup WHERE username = 'generic' ORDER BY priority rlm_sql (sql): Released sql socket id: 1 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop rlm_pap: Found existing Auth-Type, not changing it. ++[pap] returns noop rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/mschapv2 rlm_eap: processing type mschapv2 rlm_eap: Freeing handler ++[eap] returns ok Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 0 via TLS tunnel) PEAP: Tunneled authentication was successful. rlm_eap_peap: SUCCESS ++[eap] returns handled Sending Access-Challenge of id 25 to 192.16.240.77 port 1930 EAP-Message = 0x01df002b1900170301002007b66e03cf1277bb89b88a78357462d463bce87424d6f2c889a218e607e2b958 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0 Finished request 8. Going to the next request Waking up in 4.7 seconds. rad_recv: Access-Request packet from host 192.16.240.77 port 1930, id=26, length=232 Message-Authenticator = 0xf246ed24c1d8cdece97a0b0814fc0d81 User-Name = "generic" State = 0xcff4dbb0c72bc29d2aff3c6f56cfbfb0 NAS-IP-Address = 192.16.240.77 NAS-Port = 8 NAS-Port-Type = Ethernet Calling-Station-Id = "00-16-D3-30-E5-74" Called-Station-Id = "00-01-F4-93-14-00" Framed-MTU = 1000 EAP-Message = 0x02df00501900170301002090c5a627b284c660af3348c538297fc2b3e59ebbfa74ed335ebfdf782e3df0721703010020c24cb49475b2e47d8dbd0afb64f429081c610acdac786c7c26f1b28d152927a7 NAS-Identifier = "TEST_M48" NAS-Port-Id = "fe.0.8" +- entering group authorize ++[preprocess] returns ok ++[mschap] returns noop rlm_realm: No '@' in User-Name = "generic", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_eap: EAP packet type response id 223 length 80 rlm_eap: Continuing tunnel setup. ++[eap] returns ok rad_check_password: Found Auth-Type EAP auth: type "EAP" +- entering group authenticate rlm_eap: Request found, released from the list rlm_eap: EAP/peap rlm_eap: processing type peap rlm_eap_peap: Authenticate rlm_eap_tls: processing TLS eaptls_verify returned 7 rlm_eap_tls: Done initial handshake eaptls_process returned 7 rlm_eap_peap: EAPTLS_OK rlm_eap_peap: Session established. Decoding tunneled attributes. rlm_eap_peap: Received EAP-TLV response. rlm_eap_peap: Success rlm_eap: Freeing handler ++[eap] returns ok Login OK: [generic/<via Auth-Type = EAP>] (from client TestSwitches port 8 cli 00-16-D3-30-E5-74) +- entering group post-auth ++[exec] returns noop Sending Access-Accept of id 26 to 192.16.240.77 port 1930 MS-MPPE-Recv-Key = 0x680f34a977769aa71a178722683534da074169a1b7f994e643785f0f90ba5930 MS-MPPE-Send-Key = 0x502aacfc317b2197d001bc706b1581972ec6e97ffd344b2fe434dbda852a81c3 EAP-Message = 0x03df0004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "generic" Finished request 9. Going to the next request Waking up in 4.7 seconds. Cleaning up request 0 ID 17 with timestamp +15 Cleaning up request 1 ID 18 with timestamp +15 Cleaning up request 2 ID 19 with timestamp +15 Cleaning up request 3 ID 20 with timestamp +15 Waking up in 0.1 seconds. Cleaning up request 4 ID 21 with timestamp +15 Cleaning up request 5 ID 22 with timestamp +15 Cleaning up request 6 ID 23 with timestamp +15 Cleaning up request 7 ID 24 with timestamp +15 Cleaning up request 8 ID 25 with timestamp +15 Cleaning up request 9 ID 26 with timestamp +15 Ready to process requests. -----Original Message----- From: Alan DeKok [mailto:aland@deployingradius.com] Sent: Wednesday, July 30, 2008 2:32 AM To: FreeRadius users mailing list Subject: Re: peap/mschapv2 + mysql + filter-id Adam W. Sewell wrote:
I've been working trying to setup freeradius to work with peap/mschapv2 backended by a mysql database on Enterasys switches. I've got almost everything working except for when a user authenticates with a 802.1x supplicant with peap/mschapv2, freeradius sends an access-accept packet but does not append the Filter-Id that is required for Enterasys switches to switch the default port policy. However, when I authenticate to the management portion of the switch, which uses pap, it authenticates and sends the Filter-Id as it should. I'm not sure what I'm missing here and I honestly don't know what configs you guys would need to see to help with this. So if I can provide any logs or config files, please let me know.
Read the debug output. Or, post the output here, and maybe a sample of your config files. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Adam W. Sewell -
Alan DeKok