RADIUS packet did not have correct Message-Authenticator
I do an eap/tls authentication and after that an ad search. This works so far. But when setting the groupmembership in the ldap1 section, there are problems. I do not see the usual eap messages flying around, but nevertheless radius sends an Access-Accept: rlm_ldap::ldap_groupcmp: User found in group 515^M rlm_ldap: ldap_release_conn: Release Id: 0^M users: Matched entry DEFAULT at line 25^M modcall[authorize]: module "files" returns ok for request 0^M modcall: leaving group authorize (returns updated) for request 0^M rad_check_password: Found Auth-Type Accept^M rad_check_password: Auth-Type = Accept, accepting the user^M Sending Access-Accept of id 0 to 149.246.133.44 port 32770^M Tunnel-Type:0 = VLAN^M Tunnel-Medium-Type:0 = 802^M Tunnel-Private-Group-Id:0 = "Core1"^M Finished request 0^M On the client side, where I have eapol_test, I get an error: STA 00:00:00:00:00:02: Received RADIUS packet matched with a pending request, round trip time 0.24 sec No Message-Authenticator attribute found Incoming RADIUS packet did not have correct Message-Authenticator - dropped STA 00:00:00:00:00:02: No RADIUS RX handler found (type=0 code=2 id=0) - dropping packet This is from my radiusd.conf: When it is there, radius sends an Access-Accept. ldap ldap1 { server = "globalcatalogue" port = 3268 #global catalogue server identity = "testrad@TDE002.MYDOM.NET" password = "mypass" basedn = "dc=MYDOM,dc=NET" filter = "(&(servicePrincipalName=%{Stripped-User-Name:-%{User-Name}})(objectClass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" ldap_debug= 0xFFFF timeout = 40 timelimit = 30 net_timeout = 10 tls { start_tls = no } dictionary_mapping = ${raddbdir}/ldap.attrmap groupmembership_attribute = "primaryGroupID" } authorize { preprocess eap ldap1 { notfound = reject } files } The complete output of radius -AX is lengthy and therefore nor included. It can be found at: http://www.wegener-net.de/fr/bad-group , where the error occurs, http://www.wegener-net.de/fr/ok-nogroup , where the authentication works as expected. As mentioned above, the only difference in the configuration is the use of groupmembership. Any hints are really appreciated. Thanks Norbert Wegener
Norbert Wegener <nw@sbs.de> wrote:
I do not see the usual eap messages flying around, but nevertheless radius sends an Access-Accept: ... modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Accept
Who sets that? The server doesn't do that by default. Some part of your configuration sets Auth-Type := Accept. As a result, the EAP module is not run during the "authenticate" stage, and no EAP-Message (or Message-Authenticator) gets sent back in the Access-Accept. I suggest walking through the debug log, looking at each module that's mentioned. Run the LDAP queries by hand, to see if they return Auth-Type = Accept. Look at the "users" file entries. My guess is that the entry at line 25 of the "users" file has the Accept. Alan DeKok.
Alan DeKok wrote:
Norbert Wegener <nw@sbs.de> wrote:
I do not see the usual eap messages flying around, but nevertheless radius sends an Access-Accept:
...
modcall: leaving group authorize (returns updated) for request 0 rad_check_password: Found Auth-Type Accept
Who sets that? The server doesn't do that by default.
Some part of your configuration sets Auth-Type := Accept. As a result, the EAP module is not run during the "authenticate" stage, and no EAP-Message (or Message-Authenticator) gets sent back in the Access-Accept.
I suggest walking through the debug log, looking at each module that's mentioned. Run the LDAP queries by hand, to see if they return Auth-Type = Accept. Look at the "users" file entries.
My guess is that the entry at line 25 of the "users" file has the Accept.
Alan DeKok.
Thank you Alan, although I have not yet found the culprit, it is calming to know the reason behind. I have read this and that documentation about freeradius during the past time, but this one I think, did never cross my way. Is there a document, where this behaviour is described? Norbert Wegener
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Norbert Wegener <nw@sbs.de> wrote:
although I have not yet found the culprit, it is calming to know the reason behind. I have read this and that documentation about freeradius during the past time, but this one I think, did never cross my way. Is there a document, where this behaviour is described?
What behavior? That Auth-Type = Accept by-passes the EAP response? Alan DeKok.
although I have not yet found the culprit, it is calming to know the reason behind. I have read this and that documentation about freeradius during the past time, but this one I think, did never cross my way. Is there a document, where this behaviour is described?
I believe its your users file, from your previous messages on ldap. I had given you an example of using ldap-group to make sure you hit that check-item you want. That worked, but now your access-accept is cancelling the EAP. Sorry if I confused you, but I was just focusing on the ldap part, didn't even realize there was something else going in inside this. Perhaps you should change it from: DEFAULT Ldap-Group == "515", Auth-Type := Accept Framed-Type = Framed, Tunnel-Type:1 = VLAN, Tunnel-Medium-Type:1 = IEEE-802, Tunnel-Private-Group-ID:1 = 100 DEFAULT Auth-Type := Reject To: DEFAULT Ldap-Group == "515" Framed-Type = Framed, Tunnel-Type:1 = VLAN, Tunnel-Medium-Type:1 = IEEE-802, Tunnel-Private-Group-ID:1 = 100 DEFAULT Auth-Type := Reject ?? I have never used EAP, but I belive if you take out the Auth-Type := Accept, the server should pick up on the fact that it needs to do EAP and will continue with that part. Someone else will be able to give more insight on that part.
I must have been blind, as I permanently overlooked the existance of Auth-Type := Accept. Your suggestion solved the problem immediately. Thank you very much. Norbert Dusty Doris wrote:
although I have not yet found the culprit, it is calming to know the reason behind. I have read this and that documentation about freeradius during the past time, but this one I think, did never cross my way. Is there a document, where this behaviour is described?
I believe its your users file, from your previous messages on ldap. I had given you an example of using ldap-group to make sure you hit that check-item you want. That worked, but now your access-accept is cancelling the EAP. Sorry if I confused you, but I was just focusing on the ldap part, didn't even realize there was something else going in inside this.
Perhaps you should change it from:
DEFAULT Ldap-Group == "515", Auth-Type := Accept Framed-Type = Framed, Tunnel-Type:1 = VLAN, Tunnel-Medium-Type:1 = IEEE-802, Tunnel-Private-Group-ID:1 = 100
DEFAULT Auth-Type := Reject
To: DEFAULT Ldap-Group == "515" Framed-Type = Framed, Tunnel-Type:1 = VLAN, Tunnel-Medium-Type:1 = IEEE-802, Tunnel-Private-Group-ID:1 = 100
DEFAULT Auth-Type := Reject
?? I have never used EAP, but I belive if you take out the Auth-Type := Accept, the server should pick up on the fact that it needs to do EAP and will continue with that part. Someone else will be able to give more insight on that part. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
Dusty Doris -
Norbert Wegener