FreeRadius server rejecting Mikrotik Auth Request
I'm setting up a Mikrotik router to authenticate via my FreeRadius server which is also connected to a Kerberos server. I've set up Juniper/JunOS routers to it and it's working fine. However, with Mikrotik, FreeRadius seems to reject the request. I'm not entirely sure how to move forward and rectify this one. *user.conf:* mihael Auth-Type := kerberos
Service-Type = Administrative-User, Juniper-Local-User-Name := "super-users", Cisco-AVPair = "shell:priv-lvl=15", MikroTik-Group := “write”
*clients.conf:* client 10.129.2.5 {
secret = mysecret shortname = Miktrotik-Device nastype = other }
*tcpdump:*
11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS, Access Reject (3), id: 0x22 length: 20 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56
Attached is the logs for the request acquired via `radiusd -X` Thanks, mihael
I'm setting up a Mikrotik router to authenticate via my FreeRadius server which is also connected to a Kerberos server. I've set up Juniper/JunOS routers to it and it's working fine. However, with Mikrotik, FreeRadius seems to reject the request. I'm not entirely sure how to move forward and rectify this one. *user.conf:* mihael Auth-Type := kerberos
Service-Type = Administrative-User, Juniper-Local-User-Name := "super-users", Cisco-AVPair = "shell:priv-lvl=15", MikroTik-Group := “write”
*clients.conf:* client 10.129.2.5 {
secret = mysecret shortname = Miktrotik-Device nastype = other }
*tcpdump:*
11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS, Access Reject (3), id: 0x22 length: 20 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56
Attached is the logs for the request acquired via `radiusd -X` Thanks, mihael
I'm setting up a Mikrotik router to authenticate via my FreeRadius server which is also connected to a Kerberos server. I've set up Juniper/JunOS routers to it and it's working fine. However, with Mikrotik, FreeRadius seems to reject the request. I'm not entirely sure how to move forward and rectify this one. *user.conf:* mihael Auth-Type := kerberos
Service-Type = Administrative-User, Juniper-Local-User-Name := "super-users", Cisco-AVPair = "shell:priv-lvl=15", MikroTik-Group := “write”
*clients.conf:* client 10.129.2.5 {
secret = mysecret shortname = Miktrotik-Device nastype = other }
*tcpdump:*
11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS, Access Reject (3), id: 0x22 length: 20 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56
Attached is the logs for the request acquired via `radiusd -X` Thanks, mihael
I'm setting up a Mikrotik router to authenticate via my FreeRadius server which is also connected to a Kerberos server. I've set up Juniper/JunOS routers to it and it's working fine. However, with Mikrotik, FreeRadius seems to reject the request. I'm not entirely sure how to move forward and rectify this one. user.conf:
mihael Auth-Type := kerberos Service-Type = Administrative-User, Juniper-Local-User-Name := "super-users", Cisco-AVPair = "shell:priv-lvl=15", MikroTik-Group := “write”
clients.conf:
client 10.129.2.5 { secret = mysecret shortname = Miktrotik-Device nastype = other }
tcpdump:
11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS, Access Reject (3), id: 0x22 length: 20 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56
Attached is the logs for the request acquired via `radiusd -X` Thanks, mihael
On Jun 16, 2020, at 3:33 AM, Marcelito de Guzman <marzzz21@gmail.com> wrote: There is no need to post the same message multiple times.
I'm setting up a Mikrotik router to authenticate via my FreeRadius server which is also connected to a Kerberos server.
I've set up Juniper/JunOS routers to it and it's working fine.
However, with Mikrotik, FreeRadius seems to reject the request. I'm not entirely sure how to move forward and rectify this one.
*user.conf:*
No. You need to READ the documentation, and FOLLOW it. http://wiki.freeradius.org/list-help Pretty much every single piece of documentation available tells you that you need to post the debug output, NOT the configuration files. Doing the wrong thing repeatedly is not polite.
Attached is the logs for the request acquired via `radiusd -X`
Is it really that difficult to paste the *text* debug output into an email message? You're making it as hard as possible for anyone to help you. Why? Just read the debug output. It has the answers 99% of the time. Alan DeKok.
Ciao. We have recently upgraded from 3.0.18 to 3.0.22. We are running some EAP tests, in particular EAP-TLS using eapol_test. eapol_test tool complains with this message: 'Locally derived EAP Session-Id does not match EAP-Key-Name from server' Any pointers would be greatly appreciated. Thanks in advance. eapol_test output: <snip> RADIUS packet matching with station MS-MPPE-Send-Key (sign) - hexdump(len=32): 1b 94 19 e6 28 08 ba ac 15 aa f9 2e 3e 42 1e db 25 92 c4 4e 62 76 cc 35 9c 5d 2e 01 68 c9 91 46 MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16 decapsulated EAP packet (code=3 id=11 len=4) from RADIUS server: EAP Success EAPOL: Received EAP-Packet frame EAPOL: SUPP_BE entering state REQUEST EAPOL: getSuppRsp EAP: EAP entering state RECEIVED EAP: Received EAP-Success EAP: Status notification: completion (param=success) EAP: EAP entering state SUCCESS CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required WPA: EAPOL processing complete Cancelling authentication timeout State: DISCONNECTED -> COMPLETED EAPOL: SUPP_PAE entering state AUTHENTICATED EAPOL: SUPP_BE entering state RECEIVE EAPOL: SUPP_BE entering state SUCCESS EAPOL: SUPP_BE entering state IDLE eapol_sm_cb: result=1 EAPOL: Successfully fetched key (len=32) PMK from EAPOL - hexdump(len=32): 7c 5f bb 17 fe 55 f6 b5 20 45 ab c1 2a 7c 54 98 01 3d 70 6d e0 0e de d1 1b e8 2a 37 7c 36 86 28 WARNING: PMK mismatch PMK from AS - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16 Locally derived EAP Session-Id does not match EAP-Key-Name from server EAP Session-Id - hexdump(len=65): 0d 3b 1b 80 ac 99 3e 8b 9e 47 12 b6 59 86 77 9f 08 c7 f4 15 fe 26 a4 74 42 f4 af 73 14 85 da 3d 20 67 c8 37 57 14 41 e0 49 63 a3 0a a4 4d 3a 45 a0 f3 73 00 68 12 bb ff 79 d5 d1 24 bb 88 fd 22 1b EAP-Key-Name from server - hexdump(len=65): 0d dd 98 63 f2 b3 7e 6e 7e 07 38 7f 72 10 e6 2e d9 73 85 f4 8c 4b 06 02 ae 4f b4 ae 7a 7e a7 ef c4 fb 9c ec c7 42 38 e9 86 96 34 f6 36 5e 2e c9 75 b1 05 98 1b 5c 01 8c a6 6e 85 a9 97 13 14 7a 42 WPA: Clear old PMK and PTK EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit ENGINE: engine deinit MPPE keys OK: 0 mismatch: 1 FAILURE FR debug output: <snip> (9) eap_tls: <<< recv TLS 1.3 [length 0001] (9) eap_tls: TLS_accept: SSLv3/TLS read client certificate (9) eap_tls: <<< recv TLS 1.3 [length 0108] (9) eap_tls: <<< recv TLS 1.3 [length 0001] (9) eap_tls: TLS_accept: SSLv3/TLS read certificate verify (9) eap_tls: <<< recv TLS 1.3 [length 0034] (9) eap_tls: TLS_accept: SSLv3/TLS read finished (9) eap_tls: (other): SSL negotiation finished successfully (9) eap_tls: TLS - Connection Established (9) eap_tls: TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384" (9) eap_tls: TLS-Session-Version = "TLS 1.3" (9) eap_tls: TLS - Application data. (9) eap_tls: WARNING: No information in cached session (9) eap_tls: [eaptls process] = success (9) eap: Sending EAP Success (code 3) ID 11 length 4 (9) eap: Freeing handler (9) [eap] = ok (9) } # authenticate = ok (9) # Executing section post-auth from file \freeradius-3.0.22\etc\raddb/sites-enabled/default (9) post-auth { (9) update { (9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'TLS_AES_256_GCM_SHA384' (9) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.3' (9) } # update = noop (9) [exec] = noop (9) if (&reply:EAP-Session-Id) { (9) if (&reply:EAP-Session-Id) -> TRUE (9) if (&reply:EAP-Session-Id) { (9) update reply { (9) EAP-Key-Name := &reply:EAP-Session-Id -> 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42 (9) } # update reply = noop (9) } # if (&reply:EAP-Session-Id) = noop (9) policy remove_reply_message_if_eap { (9) if (&reply:EAP-Message && &reply:Reply-Message) { (9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (9) else { (9) [noop] = noop (9) } # else = noop (9) } # policy remove_reply_message_if_eap = noop (9) } # post-auth = noop (9) Sent Access-Accept Id 9 from 0.0.0.0:1812 to 127.0.0.1:55914 length 0 (9) MS-MPPE-Recv-Key = 0x2eb88c3d96bb6966ab437006556b4413899c6a321e721b8419cd5ef3604e9a16 (9) MS-MPPE-Send-Key = 0x1b9419e62808baac15aaf92e3e421edb2592c44e6276cc359c5d2e0168c99146 (9) EAP-Message = 0x030b0004 (9) Message-Authenticator = 0x00000000000000000000000000000000 (9) User-Name = "mgw" (9) EAP-Key-Name := 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42 (9) Finished request Ready to process requests
On Jun 16, 2020, at 8:39 AM, Sergio NNX <sfhacker@hotmail.com> wrote:
We have recently upgraded from 3.0.18 to 3.0.22.
We are running some EAP tests, in particular EAP-TLS using eapol_test.
eapol_test tool complains with this message:
'Locally derived EAP Session-Id does not match EAP-Key-Name from server'
It works in my tests. However...
Any pointers would be greatly appreciated. ... (9) eap_tls: <<< recv TLS 1.3 [length 0001]
Don't use TLS 1.3. In mods-enabled/eap, set: tls_max_version = "1.2" There is currently no standard for using TLS 1.3 with EAP-TLS. It's being worked on, and should be available late this year. i.e. *no one* implements TLS 1.3 for EAP-TLS properly. Because the standard isn't finished. Hostap has implemented support for TLS 1.3 according to the current proposal , but the standard may change. FreeRADIUS doesn't even try to implement the standard yet. We hope to have preliminary support for TLS 1.3 in the next release. Alan DeKok.
My apologies, I sent it multiple times because the first three sent me a reply that my email wasn't sent cause I'm unauthorized. On Tue, 16 Jun 2020, 8:04 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jun 16, 2020, at 3:33 AM, Marcelito de Guzman <marzzz21@gmail.com> wrote:
There is no need to post the same message multiple times.
I'm setting up a Mikrotik router to authenticate via my FreeRadius server which is also connected to a Kerberos server.
I've set up Juniper/JunOS routers to it and it's working fine.
However, with Mikrotik, FreeRadius seems to reject the request. I'm not entirely sure how to move forward and rectify this one.
*user.conf:*
No.
You need to READ the documentation, and FOLLOW it.
http://wiki.freeradius.org/list-help
Pretty much every single piece of documentation available tells you that you need to post the debug output, NOT the configuration files. Doing the wrong thing repeatedly is not polite.
Attached is the logs for the request acquired via `radiusd -X`
Is it really that difficult to paste the *text* debug output into an email message?
You're making it as hard as possible for anyone to help you. Why?
Just read the debug output. It has the answers 99% of the time.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Marcelito de Guzman -
Sergio NNX