Failed authentication on FreeRadius
I installed FR 3.0.20 with plain text file storing users and their passwords.When I tried to connect end user bob@turan.kz via WiFi AP I failed.What is my mistake? Here is output of freeradius -X command during connection attempt: Received Access-Request Id 30 from 89.250.80.7:1026 to 89.250.80.6:1812 length 182 User-Name = "bob@turan.kz" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "C8-3A-35-40-1C-F0" Calling-Station-Id = "84-B1-53-DF-3E-BC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 EAP-Message = 0x02070030190017030300253bc5db1b0542fe953989206abc908f78fc9bd5babd5d93bf8913bf3d361ea67cccdf066be5 State = 0xfefad346fbfdca45684956ecf2b10489 Message-Authenticator = 0x1d94ee8285d897bee4e535fc3012a89a Restoring &session-state &session-state:TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" &session-state:TLS-Session-Version = "TLS 1.2" # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default authorize { policy filter_username { if (&User-Name) { if (&User-Name) -> TRUE if (&User-Name) { if (&User-Name =~ / /) { if (&User-Name =~ / /) -> FALSE if (&User-Name =~ /@[^@]*@/ ) { if (&User-Name =~ /@[^@]*@/ ) -> FALSE if (&User-Name =~ /\.\./ ) { if (&User-Name =~ /\.\./ ) -> FALSE if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE if (&User-Name =~ /\.$/) { if (&User-Name =~ /\.$/) -> FALSE if (&User-Name =~ /@\./) { if (&User-Name =~ /@\./) -> FALSE } # if (&User-Name) = notfound } # policy filter_username = notfound [preprocess] = ok [chap] = noop [mschap] = noop [digest] = noop suffix: Checking for suffix after "@" suffix: Looking up realm "turan.kz" for User-Name = "bob@turan.kz" suffix: Found realm "turan.kz" suffix: Adding Realm = "turan.kz" suffix: Authentication realm is LOCAL [suffix] = ok eap: Peer sent EAP Response (code 2) ID 7 length 48 eap: Continuing tunnel setup [eap] = ok } # authorize = ok Found Auth-Type = eap # Executing group from file /usr/local/etc/raddb/sites-enabled/default authenticate { eap: Expiring EAP session with state 0xfefad346fbfdca45 eap: Finished EAP session with state 0xfefad346fbfdca45 eap: Previous EAP request found for state 0xfefad346fbfdca45, released from the list eap: Peer sent packet with method EAP PEAP (25) eap: Calling submodule eap_peap to process data eap_peap: Continuing EAP-TLS eap_peap: [eaptls verify] = ok eap_peap: Done initial handshake eap_peap: [eaptls process] = ok eap_peap: Session established. Decoding tunneled attributes eap_peap: PEAP state WAITING FOR INNER IDENTITY eap_peap: Identity - bob@turan.kz eap_peap: Got inner identity 'bob@turan.kz' eap_peap: Setting default EAP type for tunneled EAP session eap_peap: Got tunneled request eap_peap: EAP-Message = 0x0207001101626f6240747572616e2e6b7a eap_peap: Setting User-Name to bob@turan.kz eap_peap: Sending tunneled request to eduroam-inner-tunnel eap_peap: EAP-Message = 0x0207001101626f6240747572616e2e6b7a eap_peap: FreeRADIUS-Proxied-To = 127.0.0.1 eap_peap: User-Name = "bob@turan.kz" eap_peap: NAS-IP-Address = 192.168.0.1 eap_peap: NAS-Port = 0 eap_peap: Called-Station-Id = "C8-3A-35-40-1C-F0" eap_peap: Calling-Station-Id = "84-B1-53-DF-3E-BC" eap_peap: Framed-MTU = 1400 eap_peap: NAS-Port-Type = Wireless-802.11 eap_peap: Event-Timestamp = "Jun 26 2019 07:06:42 UTC" Virtual server eduroam-inner-tunnel received request EAP-Message = 0x0207001101626f6240747572616e2e6b7a FreeRADIUS-Proxied-To = 127.0.0.1 User-Name = "bob@turan.kz" NAS-IP-Address = 192.168.0.1 NAS-Port = 0 Called-Station-Id = "C8-3A-35-40-1C-F0" Calling-Station-Id = "84-B1-53-DF-3E-BC" Framed-MTU = 1400 NAS-Port-Type = Wireless-802.11 Event-Timestamp = "Jun 26 2019 07:06:42 UTC" WARNING: Outer and inner identities are the same. User privacy is compromised. server eduroam-inner-tunnel { # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/inner-tunnel authorize { auth_log: EXPAND /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d auth_log: --> /usr/local/var/log/radius/radacct/89.250.80.7/auth-detail-20190626 auth_log: /usr/local/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/89.250.80.7/auth-detail-20190626 auth_log: EXPAND %t auth_log: --> Wed Jun 26 07:06:42 2019 [auth_log] = ok eap: Peer sent EAP Response (code 2) ID 7 length 17 eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize [eap] = ok files: users: Matched entry bob@turan.kz at line 87 files: EXPAND Hello, %{User-Name} files: --> Hello, bob@turan.kz [files] = ok [mschap] = noop pap: WARNING: Auth-Type already set. Not setting to PAP [pap] = noop } # authorize = ok Found Auth-Type = eap # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel authenticate { eap: Peer sent packet with method EAP Identity (1) eap: Calling submodule eap_mschapv2 to process data eap_mschapv2: Issuing Challenge eap: Sending EAP Request (code 1) ID 8 length 43 eap: EAP session adding &reply:State = 0x58cb71f258c36b09 [eap] = handled } # authenticate = handled } # server eduroam-inner-tunnel Virtual server sending reply Reply-Message = "Hello, bob@turan.kz" EAP-Message = 0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94667265657261646975732d332e302e3230 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x58cb71f258c36b095384618a82349908 eap_peap: Got tunneled reply code 11 eap_peap: Reply-Message = "Hello, bob@turan.kz" eap_peap: EAP-Message = 0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94667265657261646975732d332e302e3230 eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 eap_peap: State = 0x58cb71f258c36b095384618a82349908 eap_peap: Got tunneled reply RADIUS code 11 eap_peap: Reply-Message = "Hello, bob@turan.kz" eap_peap: EAP-Message = 0x0108002b1a01080026106a0612ff605c3452f6e178745c8eba94667265657261646975732d332e302e3230 eap_peap: Message-Authenticator = 0x00000000000000000000000000000000 eap_peap: State = 0x58cb71f258c36b095384618a82349908 eap_peap: Got tunneled Access-Challenge eap: Sending EAP Request (code 1) ID 8 length 74 eap: EAP session adding &reply:State = 0xfefad346f8f2ca45 [eap] = handled } # authenticate = handled Using Post-Auth-Type Challenge # Executing group from file /usr/local/etc/raddb/sites-enabled/default Challenge { ... } # empty sub-section is ignored session-state: Saving cached attributes TLS-Session-Cipher-Suite = "ECDHE-RSA-AES256-GCM-SHA384" TLS-Session-Version = "TLS 1.2" Sent Access-Challenge Id 30 from 89.250.80.6:1812 to 89.250.80.7:1026 length 0 EAP-Message = 0x0108004a1900170303003f65d2d81fede8586ad658fe2ef68148cdd00a0fe7d7b86fc891c73f2c4382c50fe3d4c8d8c75decf5ed2e079ab13f12c470df1c6d7eba8b61fcf7cfda3a4603 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xfefad346f8f2ca45684956ecf2b10489 Finished request
On Jun 27, 2019, at 8:14 AM, Tal Nur via Freeradius-Users <freeradius-users@lists.freeradius.org> wrote:
I installed FR 3.0.20 with plain text file storing users and their passwords.When I tried to connect end user bob@turan.kz via WiFi AP I failed.What is my mistake?
Read the FULL debug output to see what's going on.
Here is output of freeradius -X command during connection attempt:
Which doesn't show any errors. Read the documentation: http://wiki.freeradius.org/radiusd-X http://wiki.freeradius.org/list-help Alan DeKok.
participants (2)
-
Alan DeKok -
Tal Nur