Fwd: Using session resumption with Wifi PEAP/MSCHAPv2
Hi, I'm using FreeRadius 3.0.10 and I start with a working setup that has the tls cache disabled. Originally I was using use_tunneled_reply=yes and I would get a successfull resumption at the TLS layer : (16) eap_peap: Skipping Phase2 because of session resumption (16) eap_peap: SUCCESS but in the next AccessRequest, I'd get : (17) eap: Identity does not match User-Name. Authentication failed (17) eap: Failed in handler (17) [eap] = invalid (17) } # authenticate = invalid (17) Failed to authenticate the user and it would send a AccessReject accordingly and it would fail. Since I noticed that use_tunneled_reply is deprecated, I tried setting it to "no" and uncommented the two "updates" section in inner-tunnel server. Using this, it doesn't even attempt to do a session resumption at all. Auth works now but only because it does a full auth everytime. My configuration is pretty much the default that comes shipped with FreeRadius, I just commented out the stuff not used (like other auth modes not used in PEAP/MSCHAPv2) and did the change recommended to replace the deprecated use_tunneled_reply=yes . Cheers, Sylvain Munaut ---- This is the full log of the two last AccessRequest when using use_tunneled_reply=yes (16) Received Access-Request Id 161 from 192.168.1.4:1645 to 192.168.1.64:1812 length 270 (16) User-Name = "anonymous" (16) Framed-MTU = 1400 (16) Called-Station-Id = "7426.ac84.5240:Whatever" (16) Calling-Station-Id = "7cdd.9079.f91b" (16) Cisco-AVPair = "ssid=Whatever" (16) Service-Type = Login-User (16) Cisco-AVPair = "service-type=Login" (16) Message-Authenticator = 0x73fc123c4a4585fdc156814fce66bed0 (16) EAP-Message = 0x020300411900140301000101160301003066fd2450a9f285364308c3e54c9c5673ac7e7627ad24ff52efb282958a551f7637f5a591d37a5ff790526ae5cabf1a6b (16) NAS-Port-Type = Wireless-802.11 (16) Cisco-NAS-Port = "5714" (16) NAS-Port = 5714 (16) NAS-Port-Id = "5714" (16) State = 0x3f9102863e921be7e6003aed13497217 (16) NAS-IP-Address = 192.168.1.4 (16) session-state: No cached attributes (16) # Executing section authorize from file /etc/freeradius/sites-enabled/default (16) authorize { (16) policy filter_username { (16) if (!&User-Name) { (16) if (!&User-Name) -> FALSE (16) if (&User-Name =~ / /) { (16) if (&User-Name =~ / /) -> FALSE (16) if (&User-Name =~ /@.*@/ ) { (16) if (&User-Name =~ /@.*@/ ) -> FALSE (16) if (&User-Name =~ /\.\./ ) { (16) if (&User-Name =~ /\.\./ ) -> FALSE (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (16) if (&User-Name =~ /\.$/) { (16) if (&User-Name =~ /\.$/) -> FALSE (16) if (&User-Name =~ /@\./) { (16) if (&User-Name =~ /@\./) -> FALSE (16) } # policy filter_username = notfound (16) [preprocess] = ok (16) [mschap] = noop (16) suffix: Checking for suffix after "@" (16) suffix: No '@' in User-Name = "anonymous", looking up realm NULL (16) suffix: No such realm "NULL" (16) [suffix] = noop (16) eap: Peer sent EAP Response (code 2) ID 3 length 65 (16) eap: Continuing tunnel setup (16) [eap] = ok (16) } # authorize = ok (16) Found Auth-Type = EAP (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) authenticate { (16) eap: Expiring EAP session with state 0x3f9102863e921be7 (16) eap: Finished EAP session with state 0x3f9102863e921be7 (16) eap: Previous EAP request found for state 0x3f9102863e921be7, released from the list (16) eap: Peer sent packet with method EAP PEAP (25) (16) eap: Calling submodule eap_peap to process data (16) eap_peap: Continuing EAP-TLS (16) eap_peap: [eaptls verify] = ok (16) eap_peap: Done initial handshake (16) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001] (16) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished (16) eap_peap: TLS_accept: SSLv3 read finished A (16) eap_peap: (other): SSL negotiation finished successfully (16) eap_peap: SSL Connection Established (16) eap_peap: SSL Application Data (16) eap_peap: Adding cached attributes from session df917e29315e01166598f3cb2427c211832e14953e5ec48144debb103f8c1a3b (16) eap_peap: reply:User-Name = "myusername" (16) eap_peap: [eaptls process] = success (16) eap_peap: Session established. Decoding tunneled attributes (16) eap_peap: PEAP state TUNNEL ESTABLISHED (16) eap_peap: Skipping Phase2 because of session resumption (16) eap_peap: SUCCESS (16) eap: Sending EAP Request (code 1) ID 4 length 43 (16) eap: EAP session adding &reply:State = 0x3f9102863d951be7 (16) [eap] = handled (16) } # authenticate = handled (16) Using Post-Auth-Type Challenge (16) Post-Auth-Type sub-section not found. Ignoring. (16) # Executing group from file /etc/freeradius/sites-enabled/default (16) Sent Access-Challenge Id 161 from 192.168.1.64:1812 to 192.168.1.4:1645 length 0 (16) User-Name = "myusername" (16) EAP-Message = 0x0104002b19001703010020132a5838752548b20b79cdfd19856492990d8e2db97e7f38c178cf3861177ef6 (16) Message-Authenticator = 0x00000000000000000000000000000000 (16) State = 0x3f9102863d951be7e6003aed13497217 (16) Finished request Waking up in 3.2 seconds. (17) Received Access-Request Id 162 from 192.168.1.4:1645 to 192.168.1.64:1812 length 285 (17) User-Name = "myusername" (17) Framed-MTU = 1400 (17) Called-Station-Id = "7426.ac84.5240:Whatever" (17) Calling-Station-Id = "7cdd.9079.f91b" (17) Cisco-AVPair = "ssid=Whatever" (17) Service-Type = Login-User (17) Cisco-AVPair = "service-type=Login" (17) Message-Authenticator = 0x8a4fd50b06dea4edb525ac6122810d25 (17) EAP-Message = 0x02040050190017030100202fdd4dca1d915eae9fecc2d267e51466c313b8f900260490946f092d20620a3817030100204ab2fccae9b6725bbd722af7a7ecb1d9de91f87d2cafcc61956f18d3a8753c67 (17) NAS-Port-Type = Wireless-802.11 (17) Cisco-NAS-Port = "5714" (17) NAS-Port = 5714 (17) NAS-Port-Id = "5714" (17) State = 0x3f9102863d951be7e6003aed13497217 (17) NAS-IP-Address = 192.168.1.4 (17) session-state: No cached attributes (17) # Executing section authorize from file /etc/freeradius/sites-enabled/default (17) authorize { (17) policy filter_username { (17) if (!&User-Name) { (17) if (!&User-Name) -> FALSE (17) if (&User-Name =~ / /) { (17) if (&User-Name =~ / /) -> FALSE (17) if (&User-Name =~ /@.*@/ ) { (17) if (&User-Name =~ /@.*@/ ) -> FALSE (17) if (&User-Name =~ /\.\./ ) { (17) if (&User-Name =~ /\.\./ ) -> FALSE (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) { (17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE (17) if (&User-Name =~ /\.$/) { (17) if (&User-Name =~ /\.$/) -> FALSE (17) if (&User-Name =~ /@\./) { (17) if (&User-Name =~ /@\./) -> FALSE (17) } # policy filter_username = notfound (17) [preprocess] = ok (17) [mschap] = noop (17) suffix: Checking for suffix after "@" (17) suffix: No '@' in User-Name = "myusername", looking up realm NULL (17) suffix: No such realm "NULL" (17) [suffix] = noop (17) eap: Peer sent EAP Response (code 2) ID 4 length 80 (17) eap: Continuing tunnel setup (17) [eap] = ok (17) } # authorize = ok (17) Found Auth-Type = EAP (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) authenticate { (17) eap: Expiring EAP session with state 0x3f9102863d951be7 (17) eap: Finished EAP session with state 0x3f9102863d951be7 (17) eap: Previous EAP request found for state 0x3f9102863d951be7, released from the list (17) eap: Identity does not match User-Name. Authentication failed (17) eap: Failed in handler (17) [eap] = invalid (17) } # authenticate = invalid (17) Failed to authenticate the user (17) Using Post-Auth-Type Reject (17) # Executing group from file /etc/freeradius/sites-enabled/default (17) Post-Auth-Type REJECT { (17) sql: EXPAND .query (17) sql: --> .query (17) sql: Using query template 'query' rlm_sql (sql): Reserved connection (2) (17) sql: EXPAND %{User-Name} (17) sql: --> myusername (17) sql: SQL-User-Name set to 'myusername' (17) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW()) (17) sql: --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('myusername', 'Chap-Password', 'Access-Reject', NOW()) (17) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('myusername', 'Chap-Password', 'Access-Reject', NOW()) rlm_sql_postgresql: Status: PGRES_COMMAND_OK rlm_sql_postgresql: query affected rows = 1 (17) sql: SQL query returned: success (17) sql: 1 record(s) updated rlm_sql (sql): Released connection (2) (17) [sql] = ok (17) attr_filter.access_reject: EXPAND %{User-Name} (17) attr_filter.access_reject: --> myusername (17) attr_filter.access_reject: Matched entry DEFAULT at line 11 (17) [attr_filter.access_reject] = updated rlm_eap (EAP): No EAP session matching state 0x3f9102863d951be7 (17) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request (17) eap: Failed to get handler, probably already removed, not inserting EAP-Failure (17) [eap] = noop (17) policy remove_reply_message_if_eap { (17) if (&reply:EAP-Message && &reply:Reply-Message) { (17) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE (17) else { (17) [noop] = noop (17) } # else = noop (17) } # policy remove_reply_message_if_eap = noop (17) } # Post-Auth-Type REJECT = updated (17) Delaying response for 1.000000 seconds Waking up in 0.6 seconds. Waking up in 0.3 seconds. (17) Sending delayed response (17) Sent Access-Reject Id 162 from 192.168.1.64:1812 to 192.168.1.4:1645 length 20
participants (1)
-
Sylvain Munaut