EAP Auth-Type Error
Hi All I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an Azure environment authenticating to an Active Directory server using eap-peap-mschap. I also have a Freeradius version 3.0.12 currently running and have replicated all the settings across to the new build, however, I am unable to successfully authenticate and have noted the error "eap: No EAP-Message, not doing EAP" in the debug as follows particularly when moving from default to inner-tunnel: eap: Continuing tunnel setup (6) [eap] = ok (6) } # authorize = ok (6) Found Auth-Type = eap (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) authenticate { (6) eap: Expiring EAP session with state 0xa70318b8a2020d85 (6) eap: Finished EAP session with state 0xa70318b8a2020d85 (6) eap: Previous EAP request found for state 0xa70318b8a2020d85, released from the list (6) eap: Peer sent packet with method EAP TTLS (21) (6) eap: Calling submodule eap_ttls to process data (6) eap_ttls: Authenticate (6) eap_ttls: Continuing EAP-TLS (6) eap_ttls: Peer indicated complete TLS record size will be 69 bytes (6) eap_ttls: Got complete TLS record (69 bytes) (6) eap_ttls: [eaptls verify] = length included (6) eap_ttls: [eaptls process] = ok (6) eap_ttls: Session established. Proceeding to decode tunneled attributes (6) eap_ttls: Got tunneled request (6) eap_ttls: User-Name = "omitted" (6) eap_ttls: User-Password = "omitted" (6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1 (6) eap_ttls: Sending tunneled request (6) Virtual server inner-tunnel received request (6) User-Name = "omitted" (6) User-Password = "omitted" (6) FreeRADIUS-Proxied-To = 127.0.0.1 *(6) WARNING: Outer and inner identities are the same. User privacy is compromised.* (6) server inner-tunnel { (6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel (6) authorize { (6) policy filter_username { (6) if (&User-Name) { (6) if (&User-Name) -> TRUE (6) if (&User-Name) { (6) if (&User-Name =~ / /) { (6) if (&User-Name =~ / /) -> FALSE (6) if (&User-Name =~ /@[^@]*@/ ) { (6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE (6) if (&User-Name =~ /\.\./ ) { (6) if (&User-Name =~ /\.\./ ) -> FALSE (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (6) if (&User-Name =~ /\.$/) { (6) if (&User-Name =~ /\.$/) -> FALSE (6) if (&User-Name =~ /@\./) { (6) if (&User-Name =~ /@\./) -> FALSE (6) } # if (&User-Name) = notfound (6) } # policy filter_username = notfound (6) [mschap] = noop (6) update control { (6) &Proxy-To-Realm := LOCAL (6) } # update control = noop (6) eap: No EAP-Message, not doing EAP (6) [eap] = noop (6) [expiration] = noop (6) [logintime] = noop (6) } # authorize = noop *(6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject* (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> omitted (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) update outer.session-state { (6) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject' (6) } # update outer.session-state = noop (6) } # Post-Auth-Type REJECT = updated (6) } # server inner-tunnel (6) Virtual server sending reply (6) eap_ttls: Got tunneled Access-Reject *(6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed* (6) eap: Sending EAP Failure (code 4) ID 1 length 4 (6) eap: Failed in EAP select (6) [eap] = invalid (6) } # authenticate = invalid (6) Failed to authenticate the user (6) Using Post-Auth-Type Reject (6) # Executing group from file /etc/freeradius/sites-enabled/default (6) Post-Auth-Type REJECT { (6) attr_filter.access_reject: EXPAND %{User-Name} (6) attr_filter.access_reject: --> omitted (6) attr_filter.access_reject: Matched entry DEFAULT at line 11 (6) [attr_filter.access_reject] = updated (6) [eap] = noop (6) policy remove_reply_message_if_eap { (6) if (&reply:EAP-Message && &reply:Reply-Message) { (6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (6) else { (6) [noop] = noop (6) } # else = noop (6) } # policy remove_reply_message_if_eap = noop (6) } # Post-Auth-Type REJECT = updated (6) Delaying response for 1.000000 seconds I am a bit stumped as to where I might be going wrong as I have set the default_eap_type = peap in the /mods-enaabled/eap file as well as have the following enabled in the authorise and authentication in the sites-enabled/inner-tunnel file: authorize { filter_username update control { &Proxy-To-Realm := LOCAL } eap { ok = return } expiration logintime } authenticate { Auth-Type ntlm_auth { ntlm_auth } # # MSCHAP authentication. Auth-Type MS-CHAP { mschap } # # For old names, too. # mschap # Allow EAP authentication. eap
From the debug log I posted above, it seems that the eap message is not being passed through to the inner-tunnel.
As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success (0x0)" message. I have even rebuilt the server leaving many of the default settings, but am still getting the error. I hope I am not missing the obvious and would appreciate if someone could point me in the right direction. In addition, my other question is why do I get the "*WARNING: Outer and inner identities are the same. User privacy is compromised."* warning and how may I make it more secure? - Kind Regards - Byron Jeffery -
On Oct 17, 2017, at 6:55 PM, Byron Jeffery <byronjeffery@cem.org.au> wrote:
I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an Azure environment authenticating to an Active Directory server using eap-peap-mschap.
Follow my guides: http://deployingradius.com It *will* work.
I also have a Freeradius version 3.0.12 currently running and have replicated all the settings across to the new build, however, I am unable to successfully authenticate and have noted the error "eap: No EAP-Message, not doing EAP" in the debug as follows particularly when moving from default to inner-tunnel:
That's not an error. It's just an informative message.
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "omitted"
(6) eap_ttls: User-Password = "omitted"
Note that this is EAP-TTLS, with PAP inside of the tunnel. Not PEAP-MSCHAPv2. As always, the debug log tells you what's going on. If you think it's doing PEAP, but the debug log says TTLS, well, it's doing TTLS.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
And nothing in the inner-tunnel says how to authenticate the user. That's the problem.
I am a bit stumped as to where I might be going wrong as I have set the default_eap_type = peap in the /mods-enaabled/eap file
That's a *proposal* from the server. If (again) you read the debug log, you'll see the server proposing PEAP, and the client NAKing it, and asking for TTLS. If you want the client to do PEAP, you will need to configure the client to do PEAP.
From the debug log I posted above, it seems that the eap message is not being passed through to the inner-tunnel.
No. That's not what's happening. The inner-tunnel contains *no* EAP. Because the client isn't sending EAP in the inner tunnel.
As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success (0x0)" message.
Follow my guide. It *will* work.
I have even rebuilt the server leaving many of the default settings, but am still getting the error.
Start from the default configuration, and then follow my guide.
In addition, my other question is why do I get the "*WARNING: Outer and inner identities are the same. User privacy is compromised."* warning and how may I make it more secure?
Set the outer identity to "anonymous". Alan DeKok.
Thanks Alan It all makes sense now and I have resolved the issue. - Kind Regards - Byron Jeffery - On Wed, Oct 18, 2017 at 1:26 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Oct 17, 2017, at 6:55 PM, Byron Jeffery <byronjeffery@cem.org.au> wrote:
I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an Azure environment authenticating to an Active Directory server using eap-peap-mschap.
Follow my guides: http://deployingradius.com
It *will* work.
I also have a Freeradius version 3.0.12 currently running and have replicated all the settings across to the new build, however, I am unable to successfully authenticate and have noted the error "eap: No EAP-Message, not doing EAP" in the debug as follows particularly when moving from default to inner-tunnel:
That's not an error. It's just an informative message.
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "omitted"
(6) eap_ttls: User-Password = "omitted"
Note that this is EAP-TTLS, with PAP inside of the tunnel. Not PEAP-MSCHAPv2.
As always, the debug log tells you what's going on. If you think it's doing PEAP, but the debug log says TTLS, well, it's doing TTLS.
(6) server inner-tunnel {
(6) # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
And nothing in the inner-tunnel says how to authenticate the user. That's the problem.
I am a bit stumped as to where I might be going wrong as I have set the default_eap_type = peap in the /mods-enaabled/eap file
That's a *proposal* from the server. If (again) you read the debug log, you'll see the server proposing PEAP, and the client NAKing it, and asking for TTLS.
If you want the client to do PEAP, you will need to configure the client to do PEAP.
From the debug log I posted above, it seems that the eap message is not being passed through to the inner-tunnel.
No. That's not what's happening.
The inner-tunnel contains *no* EAP. Because the client isn't sending EAP in the inner tunnel.
As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success (0x0)" message.
Follow my guide. It *will* work.
I have even rebuilt the server leaving many of the default settings, but am still getting the error.
Start from the default configuration, and then follow my guide.
In addition, my other question is why do I get the "*WARNING: Outer and inner identities are the same. User privacy is compromised."* warning and how may I make it more secure?
Set the outer identity to "anonymous".
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (2)
-
Alan DeKok -
Byron Jeffery