Freeradius issues related with DMZ firewall
Hi Experts, I have a 'funny' problem with my freeradius 3.0.4 and our Aruba controller. I am testing a freeradius with 802.1x (EAP-MSCHAPv2: WPA2-Ent+AES+PEAP) configuration that works pretty well when both, radius & Aruba, are in our internal network. So works fine with Mac,Win7,Android,iphone, etc The problem came when we moved the Machine to DMZ (Pfsense fw). Lots of small problems (dns's, hosts,etc) raised and were solved. I used the eapol_test successfully on an internal linux that connects successfully to de radius in DMZ, so I went ahead. But when we do the same Mac,Win7,Android,etc WiFIi connection tests with the radius in DMZ, the authentication fails (see radius -X log below). To test if it was a Firewall issues, UDP/TCP ports are fully open between radius(DMZ) & Aruba(internal), in both ways. We opened dmz radius to the internal DNS, I used a Firewall catch all rule to get any ipv4+6 that goes missing by the Firewall rules, but nothing shows up. I tried to Wireshark the Wifi connection from the client win7 without success. Well, I hope someone else had a similar problem and could share the solution, or any clue. Logs of the failing connection ( Win7 -> Aruba ->radius DMZ) , maybe you can see something strange: 10.10.10.10: Aruba 84.84.84.84: Radius at DMZ Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 User-Name = 'test@acme.com' NAS-IP-Address = 10.10.10.10 NAS-Port = 0 NAS-Identifier = '10.10.10.10' NAS-Port-Type = Wireless-802.11 Calling-Station-Id = 'A4C494Exxxxx' Called-Station-Id = '000B866xxxxx' Service-Type = Login-User Framed-MTU = 1100 EAP-Message = 0x0xx400xxxxxx146xxxxxxxxxxxc673 Aruba-Essid-Name = 'TEST_SSID' Aruba-Location-Id = 'AP1' Aruba-AP-Group = 'default' Message-Authenticator = 0xbxxx268xxxxxxxxxxxxc10f08dae88 (0) Received Access-Request packet from host 10.10.10.10 port 32866, id=111, length=205 (0) User-Name = 'test@acme.com' (0) NAS-IP-Address = 10.10.10.10 (0) NAS-Port = 0 (0) NAS-Identifier = '10.10.10.10' (0) NAS-Port-Type = Wireless-802.11 (0) Calling-Station-Id = 'A4C494XXXXXX' (0) Called-Station-Id = ''000B86xxxxxx' (0) Service-Type = Login-User (0) Framed-MTU = 1100 (0) EAP-Message = 0x02040019017465xxxxxxxxxxxx4063656c6c732e6573 (0) Aruba-Essid-Name = 'TEST_SSID' (0) Aruba-Location-Id = 'AP1' (0) Aruba-AP-Group = 'default' (0) Message-Authenticator = 0xb268fe2779551dxxxxxxxxxxxx08dae88 (0) # Executing section authorize from file /etc/raddb/sites-enabled/default (0) authorize { (0) filter_username filter_username { (0) if (!&User-Name) (0) if (!&User-Name) -> FALSE (0) if (&User-Name =~ / /) (0) if (&User-Name =~ / /) -> FALSE (0) if (&User-Name =~ /@.*@/ ) (0) if (&User-Name =~ /@.*@/ ) -> FALSE (0) if (&User-Name =~ /\\.\\./ ) (0) if (&User-Name =~ /\\.\\./ ) -> FALSE (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE (0) if (&User-Name =~ /\\.$/) (0) if (&User-Name =~ /\\.$/) -> FALSE (0) if (&User-Name =~ /@\\./) (0) if (&User-Name =~ /@\\./) -> FALSE (0) } # filter_username filter_username = notfound (0) [preprocess] = ok (0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d (0) auth_log : --> /var/log/radius/radacct/10.10.10.10/auth-detail-20170929 (0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.10.10.10/auth-detail-20170929 (0) auth_log : EXPAND %t (0) auth_log : --> Fri Sep 29 16:42:40 2017 (0) [auth_log] = ok (0) [mschap] = noop (0) suffix : Checking for suffix after "@" (0) suffix : Looking up realm "acme.com" for User-Name = "test@acme.com" (0) suffix : Found realm "acme.com" (0) suffix : Adding Realm = "acme.com" (0) suffix : Authentication realm is LOCAL (0) [suffix] = ok (0) eap : Peer sent code Response (2) ID 4 length 25 (0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize (0) [eap] = ok (0) } # authorize = ok (0) Found Auth-Type = EAP (0) # Executing group from file /etc/raddb/sites-enabled/default (0) authenticate { (0) eap : Peer sent method Identity (1) (0) eap : Calling eap_peap to process EAP data (0) eap_peap : Flushing SSL sessions (of #0) (0) eap_peap : Initiate (0) eap_peap : Start returned 1 (0) eap : New EAP session, adding 'State' attribute to reply 0x7317e1da7312f877 (0) [eap] = handled (0) } # authenticate = handled (0) Sending Access-Challenge packet to host 10.10.10.10 port 32866, id=111, length=0 (0) EAP-Message = 0x010500061920 (0) Message-Authenticator = 0x00000000000000000000000000000000 (0) State = 0x7317e1da7312f877fca7b6e2bbfa846d Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 EAP-Message = 0x010500061920 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x7317e1da7312f877fca7b6e2bbfa846d (0) Finished request Waking up in 0.3 seconds. Waking up in 6.6 seconds. Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 Waking up in 999993.0 seconds. Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 Waking up in 1999986.0 seconds. Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205 Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866 Waking up in 3999977.0 seconds.
hi, looks like it (RADIUS server) . (and you only need UDP open) cannot talk to 10.10.10.10 - check routing from that DMZ to the Aruba? check that your Aruba has the required things adjusted to (if you've moved the RADIUS server and its IP/name etc) - finally, do a fulllog capture for the successful linux test versus the auth coming in via Aruba alan On 29 September 2017 at 17:32, Ramon Escriba <escriba@cells.es> wrote:
Hi Experts,
I have a 'funny' problem with my freeradius 3.0.4 and our Aruba controller.
I am testing a freeradius with 802.1x (EAP-MSCHAPv2: WPA2-Ent+AES+PEAP) configuration that works pretty well when both, radius & Aruba, are in our internal network.
So works fine with Mac,Win7,Android,iphone, etc
The problem came when we moved the Machine to DMZ (Pfsense fw). Lots of small problems (dns's, hosts,etc) raised and were solved.
I used the eapol_test successfully on an internal linux that connects successfully to de radius in DMZ, so I went ahead.
But when we do the same Mac,Win7,Android,etc WiFIi connection tests with the radius in DMZ, the authentication fails (see radius -X log below).
To test if it was a Firewall issues, UDP/TCP ports are fully open between radius(DMZ) & Aruba(internal), in both ways.
We opened dmz radius to the internal DNS,
I used a Firewall catch all rule to get any ipv4+6 that goes missing by the Firewall rules, but nothing shows up.
I tried to Wireshark the Wifi connection from the client win7 without success.
Well, I hope someone else had a similar problem and could share the solution, or any clue.
Logs of the failing connection ( Win7 -> Aruba ->radius DMZ) , maybe you can see something strange:
10.10.10.10: Aruba
84.84.84.84: Radius at DMZ
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
User-Name = 'test@acme.com'
NAS-IP-Address = 10.10.10.10
NAS-Port = 0
NAS-Identifier = '10.10.10.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'A4C494Exxxxx'
Called-Station-Id = '000B866xxxxx'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0xx400xxxxxx146xxxxxxxxxxxc673
Aruba-Essid-Name = 'TEST_SSID'
Aruba-Location-Id = 'AP1'
Aruba-AP-Group = 'default'
Message-Authenticator = 0xbxxx268xxxxxxxxxxxxc10f08dae88
(0) Received Access-Request packet from host 10.10.10.10 port 32866, id=111, length=205
(0) User-Name = 'test@acme.com'
(0) NAS-IP-Address = 10.10.10.10
(0) NAS-Port = 0
(0) NAS-Identifier = '10.10.10.10'
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = 'A4C494XXXXXX'
(0) Called-Station-Id = ''000B86xxxxxx'
(0) Service-Type = Login-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x02040019017465xxxxxxxxxxxx4063656c6c732e6573
(0) Aruba-Essid-Name = 'TEST_SSID'
(0) Aruba-Location-Id = 'AP1'
(0) Aruba-AP-Group = 'default'
(0) Message-Authenticator = 0xb268fe2779551dxxxxxxxxxxxx08dae88
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d
(0) auth_log : --> /var/log/radius/radacct/10.10.10.10/auth-detail-20170929
(0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Addres s}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.10.10.10/auth-detail-20170929
(0) auth_log : EXPAND %t
(0) auth_log : --> Fri Sep 29 16:42:40 2017
(0) [auth_log] = ok
(0) [mschap] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "acme.com" for User-Name = "test@acme.com"
(0) suffix : Found realm "acme.com"
(0) suffix : Adding Realm = "acme.com"
(0) suffix : Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap : Peer sent code Response (2) ID 4 length 25
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0x7317e1da7312f877
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 10.10.10.10 port 32866, id=111, length=0
(0) EAP-Message = 0x010500061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x7317e1da7312f877fca7b6e2bbfa846d
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
EAP-Message = 0x010500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7317e1da7312f877fca7b6e2bbfa846d
(0) Finished request
Waking up in 0.3 seconds.
Waking up in 6.6 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 999993.0 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 1999986.0 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 3999977.0 seconds.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan Buxey -
Ramon Escriba