Hi all, I'm wondering if my freeradius is acting correctly against the request below: This Mikrotik CPE is authenticathing by an EAP certificate and ad a username with password is requested. The problem is that the CPE is authenticated with every username that doesn't exist in radcheck. why FR authenticate even with nonexistent username? rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175 Service-Type = Framed-User Framed-MTU = 1400 User-Name = "test155" State = 0x06c5601b03c36da7f69234e83e184b70 NAS-Port-Id = "wlan2" Calling-Station-Id = "00-0C-42-B3-D1-F5" Called-Station-Id = "00-80-48-60-66-D9:WiNET-TR5G506106" EAP-Message = 0x020600060d00 Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60 NAS-Identifier = "ced-wl3" NAS-IP-Address = 10.25.66.8 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926 [auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926 [auth_log] expand: %t -> Mon Sep 26 16:35:21 2011 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "test155", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] EAP packet type response id 6 length 6 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop [sql] expand: %{User-Name} -> test155 [sql] sql_set_user escaped user --> 'test155' rlm_sql (sql): Reserving sql socket id: 19 [sql] expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 5 [sql] expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority rlm_sql_postgresql: Status: PGRES_TUPLES_OK rlm_sql_postgresql: query affected rows = 0 , fields = 1 rlm_sql (sql): Released sql socket id: 19 [sql] User test155 not found ++[sql] returns notfound ++[expiration] returns noop ++[logintime] returns noop ++[pap] returns noop Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/tls [eap] processing type tls [tls] Authenticate [tls] processing EAP-TLS [tls] Received TLS ACK [tls] ACK handshake is finished [tls] eaptls_verify returned 3 [tls] eaptls_process returned 3 [tls] Adding user data to cached session [eap] Freeing handler ++[eap] returns ok Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5) # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 162 to 10.25.66.8 port 56485 MS-MPPE-Recv-Key = 0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440 MS-MPPE-Send-Key = 0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca EAP-Message = 0x03060004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "test155" Finished request 69. -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-f... Sent from the FreeRadius - User mailing list archive at Nabble.com.
why FR authenticate even with nonexistent username?
I don't know... Why don't you send the full debug log (you know, the bit where the certificates are actually being checked) instead of the last round, where EAP is just inserting the cached response. -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log In the attached file the complete log, didn't noticed before that the process was so long.. -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-f... Sent from the FreeRadius - User mailing list archive at Nabble.com.
On 26 Sep 2011, at 17:27, andreapepa wrote:
http://freeradius.1045715.n5.nabble.com/file/n4841780/putty4.log putty4.log
In the attached file the complete log, didn't noticed before that the process was so long..
A notfound return code in the authorize section means continue with a priority of 1. The EAP module runs after the SQL module and returns handled. A handled return code in the authorize section means return and so the notfound return code is never processed. If you want the server to stop processing the request if the user isn't found in the SQL database, rewrite the notfound return code to reject. sql { notfound = reject } Unfortunately there's no way to signal the EAP module to send an EAP fail, so you have to do it manually... Add the following to policy.conf policy { eap_failure { if(EAP-Message =~ /^..([0-9a-f]{2})/i){ update reply { EAP-Message := "0x04%{1}0004" } } } ... } The add a call in post-auth { post-auth-type REJECT { eap_failure } } That rewrites the EAP message returned with the reject to be a 'fail' with the correct ID field value. Extremely hacky, but it works, and is the only way to do it currently... -Arran Arran Cudbard-Bell a.cudbardb@freeradius.org Betelwiki, Betelwiki, Betelwiki.... http://wiki.freeradius.org/ !
Hi Arran, Thank you that works great! -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-f... Sent from the FreeRadius - User mailing list archive at Nabble.com.
Hi, I'm having the same problem on another Freeradius 1.1.6, tried to modify in the same way but i dont know where to insert the eap action, there is non policy.conf file and cannot find the same configurations in other files. I can't upgrade this freeradius , also because has been heavily modified by other consultants, including default tables and query. Is it possible to do the same thing in this version? where i've to modify? Thanks -- View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-f... Sent from the FreeRadius - User mailing list archive at Nabble.com.
andreapepa wrote:
I can't upgrade this freeradius , also because has been heavily modified by other consultants, including default tables and query.
Yes, you can upgrade. It just takes time. If you understand the system, upgrading isn't hard. If you don't understand it, why are you running it?
Is it possible to do the same thing in this version?
No. Alan DeKok.
participants (3)
-
Alan DeKok -
andreapepa -
Arran Cudbard-Bell