802.1x / EAP Assistance
Good morning! We are attempting to implement 802.1x/EAP for the first time, ad we're having some trouble diagnosing what's going on in the various stages of the communications between the NAS and FR. We don't have any experience with it, so it's rather confusing. We're using FR 2.2.8, with the test certs provided. We can see that there is communication, but all attempts to authenticate a device are failing. I've included what I believe to be the relevant portion of the debug output, and I do see several error conditions. The first says that the realm LOCAL is not defined, but in looking at the config, it looks as though it is. There's also a report that there's a missing Cleartext-Password, but that is also defined in the database, so we're at a loss as to the cause of the failure. If someone can point us in the right direction, I'd truly appreciate it! rad_recv: Access-Request packet from host 146.115.19.180 port 50987, id=97, length=394 Acct-Session-Id = "5DB9E1F5-76DF7502" User-Name = "jerry" NAS-IP-Address = 192.168.185.30 NAS-Identifier = "90-3A-72-15-25-1D" NAS-Port = 1 Called-Station-Id = "90-3A-72-15-25-1D:CVGNE_W1" Calling-Station-Id = "D4-53-83-F3-C0-17" Service-Type = Framed-User Chargeable-User-Identity = "" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 802.11a/n/ac" EAP-Message = 0x0208005f1900170303005400000000000000022f4cd34458205cfb0d339d2a9f6dda68b5f7a4ffbd985bbfb9ef4094114e5a1856df8479ea3c4ddc7f293487a00396643c97c4b24f51d67a7c7cc34e9bbbc1c156adc07977d4e095d6fddaa5 State = 0x957bdc849273c5bfd96a2d7f79095e2d Ruckus-SSID = "CVGNE_W1" Ruckus-Attr-14 = 0x903a7215251d Ruckus-Attr-9 = 0x000001c3 Ruckus-SCG-CBlade-IP = 3232282885 Ruckus-Attr-134 = 0x44656661756c74205a6f6e65 Ruckus-Attr-135 = 0x4356474e455f5731 Message-Authenticator = 0xad0239941dd1cf346629d1f1b23805b6 Event-Timestamp = "Oct 30 2019 15:18:14 EDT" Proxy-State = 0x3636 # Executing section authorize from file /etc/raddb/sites-enabled/default +group authorize { ++[preprocess] = ok ++update request { sql_xlat expand: select zone_migration_enabled from sites where id='%{NAS-Identifier}' -> select zone_migration_enabled from sites where id='90-3A-72-15-25-1D' rlm_sql (sql_instance2): Reserving sql socket id: 2 SQL query did not return any results rlm_sql (sql_instance2): Released sql socket id: 2 expand: %{sql_instance2: select zone_migration_enabled from sites where id='%{NAS-Identifier}'} -> ... expanding second conditional expand: %{%{sql_instance2: select zone_migration_enabled from sites where id='%{NAS-Identifier}'}:-0} -> 0 ++} # update request = noop ++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ || "%{Called-Station-Id}" =~ /^20-4C-03-/ )&& Tmp-String-2 == '1') expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1 ?? Evaluating ("%{Called-Station-Id}" =~ /^00-50-E8-/) -> FALSE expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1 ?? Evaluating ("%{Called-Station-Id}" =~ /^20-4C-03-/) -> FALSE ? Skipping (Tmp-String-2 == '1') ++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ || "%{Called-Station-Id}" =~ /^20-4C-03-/ )&& Tmp-String-2 == '1') -> FALSE ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "jerry", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop [eap] EAP packet type response id 8 length 95 [eap] Continuing tunnel setup. ++[eap] = ok +} # group authorize = ok Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/default +group authenticate { [eap] Request found, released from the list [eap] EAP/peap [eap] processing type peap [peap] processing EAP-TLS [peap] eaptls_verify returned 7 [peap] Done initial handshake [peap] eaptls_process returned 7 [peap] EAPTLS_OK [peap] Session established. Decoding tunneled attributes. [peap] Peap state phase2 [peap] EAP type mschapv2 [peap] Got tunneled request EAP-Message = 0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279 server { [peap] Setting User-Name to jerry Sending tunneled request EAP-Message = 0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "jerry" State = 0x2b16a6c52b1ebc1c6619c5138158b3f7 server inner-tunnel { # Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel +group authorize { ++[chap] = noop ++[mschap] = noop [suffix] No '@' in User-Name = "jerry", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] = noop ++update control { ++} # update control = noop [eap] EAP packet type response id 8 length 64 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] = updated ++[files] = noop ++[expiration] = noop ++[logintime] = noop ++[pap] = noop +} # group authorize = updated WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! Cancelling invalid proxy request. Found Auth-Type = EAP # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group authenticate { [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2 [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +group MS-CHAP { [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Password. [mschap] Creating challenge hash with username: jerry [mschap] Client is using MS-CHAPv2 for jerry, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] = reject +} # group MS-CHAP = reject [eap] Freeing handler ++[eap] = reject +} # group authenticate = reject Failed to authenticate the user. expand: %{NAS-IP-Address} -> Login incorrect: [jerry/<via Auth-Type = EAP>] (from client Office port 0 via TLS tunnel) Using Post-Auth-Type REJECT # Executing group from file /etc/raddb/sites-enabled/inner-tunnel +group REJECT { [attr_filter.access_reject] expand: %{User-Name} -> jerry attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] = updated +} # group REJECT = updated } # server inner-tunnel [peap] Got tunneled reply code 3 MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Got tunneled reply RADIUS code Access-Reject MS-CHAP-Error = "\010E=691 R=1" EAP-Message = 0x04080004 Message-Authenticator = 0x00000000000000000000000000000000 [peap] Tunneled authentication was rejected. [peap] FAILURE ++[eap] = handled +} # group authenticate = handled Sending Access-Challenge of id 97 to 146.115.19.180 port 50987 EAP-Message = 0x0109002e1900170303002334c44a5ec04ae1317ed894226db68ba139a09ceb0517c705c20507823d7bb4bc4a05c6 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x957bdc849d72c5bfd96a2d7f79095e2d Proxy-State = 0x3636 Finished request 214. Many thanks! -- Jim
On Thu, 2019-10-31 at 09:29 -0400, J Kephart wrote:
We are attempting to implement 802.1x/EAP for the first time, ad we're having some trouble diagnosing what's going on in the various stages of the communications between the NAS and FR. We don't have any experience with it, so it's rather confusing.
Yeah, everyone starts somewhere. It's a lot to take in.
We're using FR 2.2.8, with the test certs provided.
Why? v2 is obsolete and end of life. Use v3.0.19, or at least a recent v3 release.
The first says that the realm LOCAL is not defined, but in looking at the config, it looks as though it is.
You can ignore that.
There's also a report that there's a missing Cleartext-Password, but that is also defined in the database, so we're at a loss as to the cause of the failure.
It's in the database, but you've not told freeradius to look in the database to pull it out. Looking at the debug output, you need to add a call to "sql" in the inner tunnel. At least, start there. -- Matthew
It's in the database, but you've not told freeradius to look in the database to pull it out.
Looking at the debug output, you need to add a call to "sql" in the inner tunnel. At least, start there.
I've uncommented the line in the inner-tunnel configuration where it says to look in the sql database for the user. The result is that we get a new error when starting 'radiusd -X': /etc/raddb/sites-enabled/inner-tunnel[132]: Failed to find "sql" in the "modules" section. What am I missing here? Thanks, again, Matthew! -- Jim
On Oct 31, 2019, at 11:24 AM, J Kephart <jkephart@safetynetaccess.com> wrote:
I've uncommented the line in the inner-tunnel configuration where it says to look in the sql database for the user. The result is that we get a new error when starting 'radiusd -X':
/etc/raddb/sites-enabled/inner-tunnel[132]: Failed to find "sql" in the "modules" section.
What am I missing here?
Are you using SQL? If not, why uncomment the "sql" module? Which database are you using? I don't think you've said. If you are using SQL, then clearly you've renamed the default SQL module. So what was it renamed to? If you aren't using SQL, then you need to configure the inner tunnel with *that* database. You seem to have configured the outer tunnel with a database. So why not configure the inner tunnel with that same database? This shouldn't be difficult. Take a careful step-by-step approach, and *understand* what you're doing. Blindly doing random things isn't helpful. Alan DeKok.
Are you using SQL? If not, why uncomment the "sql" module?
Which database are you using? I don't think you've said.
If you are using SQL, then clearly you've renamed the default SQL module. So what was it renamed to?
If you aren't using SQL, then you need to configure the inner tunnel with *that* database. You seem to have configured the outer tunnel with a database. So why not configure the inner tunnel with that same database?
Yes, we are using an SQL database (MySQL), and no, we have not renamed the module.
This shouldn't be difficult. Take a careful step-by-step approach, and *understand* what you're doing. Blindly doing random things isn't helpful.
We're not trying to do things blindly, but it seems that, as in the "default" section, this should have been as simple as simply uncommenting the "sql" line. As we've never used the inner-tunnel feature, if there is something else that needs to be done, we're not aware of it, and we haven't seen anything special in the docs. We *are* trying to be very careful and methodical, and this is the only change we've made to the server's configuration. Jim
On Oct 31, 2019, at 11:42 AM, J Kephart <jkephart@safetynetaccess.com> wrote:
Yes, we are using an SQL database (MySQL), and no, we have not renamed the module.
Then it should find "sql" in the "modules" section. So don't just post "it's fine". FIND OUT why it's broken. You have the files on disk in your local system. LOOK there. It's not hard. READ them. Or, post the FULL DEBUG OUTPUT so that we can read it. This is suggested in the FAQ, web pages, "man" pages, and daily on this list.
This shouldn't be difficult. Take a careful step-by-step approach, and *understand* what you're doing. Blindly doing random things isn't helpful.
We're not trying to do things blindly, but it seems that, as in the "default" section, this should have been as simple as simply uncommenting the "sql" line. As we've never used the inner-tunnel feature, if there is something else that needs to be done, we're not aware of it, and we haven't seen anything special in the docs. We *are* trying to be very careful and methodical, and this is the only change we've made to the server's configuration.
It's important for you to *understand* the system you're administering. This means taking a look at it yourself, instead of just posting things to the list going "I did what you said and it didn't work. What next?" Well, what's next is for you to do some IT system administration and root thru the config files and read the debug output. Alan DeKok.
On Thu, 2019-10-31 at 11:24 -0400, J Kephart wrote:
/etc/raddb/sites-enabled/inner-tunnel[132]: Failed to find "sql" in the "modules" section.
What am I missing here?
Have you configured the sql module to point at the database that has your users in it? At least, you just said that Cleartext-Password is defined in the database, so I assume it's in an SQL database? -- Matthew
participants (3)
-
Alan DeKok -
J Kephart -
Matthew Newton