having problems with different eap modules

Sergio sergioyebenes at alumnos.upm.es
Sat Jul 12 23:03:17 CEST 2008


Hi,

my users file contains this:

"YEBENES MORENO, SERGIO (AUTENTICACIÓN)"
"NOMBRE YEBENES MORENO SERGIO"


my sites-enabled/default contains this

authorize {
	......
	if (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACIÓN)") {
		DNIe
	}
	elsif (User-Name == "NOMBRE YEBENES MORENO SERGIO") {
		FNMT
	}
	......
}
authenticate {
	......
	DNIe
	FNMT
	.....
}

my radiusd.conf contains this

......
eap DNIe {....}
eap FNMT {....}
.....
#being separated, working ok

I've deactivated proxy-request also, and commented $INCLUDE proxy.conf.
Sometimes I can authenticate both users but sometimes I have this log
with first user in this case:

rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=191
        User-Name = "YEBENES MORENO, SERGIO (AUTENTICACIÓN)"
        NAS-IP-Address = 192.168.0.3
        Called-Station-Id = "0014c145956f"
        Calling-Station-Id = "001cf01294dd"
        NAS-Identifier = "0014c145956f"
        NAS-Port = 27
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0200002c01594542454e4553204d4f52454e4f2c2053455247494f2028415554454e544943414349c3934e29
        Message-Authenticator = 0xa54b6486b856720c5b53d13d93a3c986
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: No '@' in User-Name = "YEBENES MORENO, SERGIO
(AUTENTICACI�?N)", looking up realm NULL
    rlm_realm: No such realm "NULL"
++[suffix] returns noop
++? if (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACI�?N)")
? Evaluating (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACI�?N)") ->
TRUE
++? if (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACI�?N)") -> TRUE
++- entering if (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACI�?N)")
  rlm_eap: EAP packet type response id 0 length 44
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
+++[DNIe] returns updated
++- if (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACI�?N)") returns
updated
++ ... skipping elsif for request 0: Preceding "if" was taken
++[unix] returns notfound
    users: Matched entry YEBENES MORENO, SERGIO (AUTENTICACI�?N) at line
64
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
  rad_check_password:  Found Auth-Type DNIe
auth: type "DNIe"
+- entering group authenticate
  rlm_eap: EAP Identity
  rlm_eap: processing type tls
 rlm_eap_tls: Requiring client certificate
  rlm_eap_tls: Initiate
  rlm_eap_tls: Start returned 1
++[DNIe] returns handled
Sending Access-Challenge of id 0 to 192.168.0.3 port 3072
        EAP-Message = 0x010100060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x4b4488b94b458530f65cf8f80cfd1f5e
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 0 with timestamp +8
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=199
        NAS-IP-Address = 192.168.0.3
        Called-Station-Id = "0014c145956f"
        Calling-Station-Id = "001cf01294dd"
        NAS-Identifier = "0014c145956f"
        NAS-Port = 27
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0201005d0d0016030100520100004e030148791746f321838297028ad0310c01e89a8658b33fb6d1912141922b623886ab00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
        Message-Authenticator = 0x6e7ed6d984d2842c80ec94779dbd71c7
+- entering group authorize
++[preprocess] returns ok
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
++? if (User-Name == "YEBENES MORENO, SERGIO (AUTENTICACI�?N)")
    (Attribute User-Name was not found)
++? elsif (User-Name == "NOMBRE YEBENES MORENO SERGIO")
    (Attribute User-Name was not found)
++[unix] returns noop
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
  Found Post-Auth-Type Reject
+- entering group REJECT
        expand: %{User-Name} ->
++[attr_filter.access_reject] returns noop
Sending Access-Reject of id 0 to 192.168.0.3 port 3072
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 0 with timestamp +38
Ready to process requests.

Why couldn't User-Name be found?
If the first match with the users file was ok and found the DNIe module, radius
should begin the TLS handshake.
Does wpa_supplicant send the identity only in the first Access-Request? This
sounds a little strange...
Any "Sauron Eye" which can help me? Thanks
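Added diagnostic, written for this thread and not part of the post or of FreeRADIUS: a small Python script that splits a radiusd -X log into packets, decodes the EAP header inside each EAP-Message attribute (RFC 3748; EAP-TLS flags per RFC 5216), and reports, per Access-Request, whether User-Name is present, which EAP type the inner message carries, and whether the State from the preceding Access-Challenge was echoed back. Run over a constructed excerpt of the log quoted above (the EAP-Message hex values are the ones in the post), it shows that the identity string travels only inside the first request's EAP Identity response, that the second request's EAP-Message is an EAP-TLS fragment with no identity in it, and that the second request carries neither User-Name nor State, so an unlang `if (User-Name == ...)` has nothing to test on the continuation packet. The function names and the SAMPLE_LOG excerpt are this example's own.

```python
import re

# Constructed excerpt of the "radiusd -X" output quoted above: two
# Access-Requests and the Access-Challenge between them, trimmed to the
# attribute lines that matter. The wrapped "EAP-Message =" layout is kept
# because that is how the debug output was pasted.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=191
        User-Name = "YEBENES MORENO, SERGIO (AUTENTICACI\u00d3N)"
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0200002c01594542454e4553204d4f52454e4f2c2053455247494f2028415554454e544943414349c3934e29
        Message-Authenticator = 0xa54b6486b856720c5b53d13d93a3c986
++[preprocess] returns ok
Sending Access-Challenge of id 0 to 192.168.0.3 port 3072
        EAP-Message = 0x010100060d20
        State = 0x4b4488b94b458530f65cf8f80cfd1f5e
rad_recv: Access-Request packet from host 192.168.0.3 port 3072, id=0,
length=199
        NAS-Port-Type = Wireless-802.11
        EAP-Message =
0x0201005d0d0016030100520100004e030148791746f321838297028ad0310c01e89a8658b33fb6d1912141922b623886ab00002600390038003500160013000a00330032002f0005000400150012000900140011000800060003020100
        Message-Authenticator = 0x6e7ed6d984d2842c80ec94779dbd71c7
"""

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+) port \d+, id=(\d+)")
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+) port")
ATTR_RE = re.compile(r"^\s+([\w-]+) =\s?(.*)$")


def parse_eap_message(hex_value):
    """Decode the EAP header (RFC 3748) carried in a RADIUS EAP-Message attribute."""
    data = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(data) < 4:
        raise ValueError("EAP header needs at least 4 bytes")
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field {length} != {len(data)} bytes present")
    msg = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = data[4]
        msg["type"] = EAP_TYPES.get(eap_type, eap_type)
        if eap_type == 1:  # Identity: the peer's identity string is the payload
            msg["identity"] = data[5:].decode("utf-8", errors="replace")
        elif eap_type == 13 and length >= 6:  # EAP-TLS: flags, optional length, TLS records
            flags = data[5]
            msg["tls_start"] = bool(flags & 0x20)
            msg["tls_more"] = bool(flags & 0x40)
            msg["tls_payload_len"] = len(data) - (10 if flags & 0x80 else 6)
    return msg


def split_packets(log_text):
    """Group the attribute lines of a radiusd -X log under the packet they belong to."""
    packets, lines, i = [], log_text.splitlines(), 0
    while i < len(lines):
        line = lines[i]
        if m := RECV_RE.match(line):
            packets.append({"dir": "recv", "kind": m[1], "peer": m[2], "id": int(m[3]), "attrs": {}})
        elif m := SEND_RE.match(line):
            packets.append({"dir": "send", "kind": m[1], "peer": m[3], "id": int(m[2]), "attrs": {}})
        elif (m := ATTR_RE.match(line)) and packets:
            value = m[2].strip()
            if not value and i + 1 < len(lines):  # long values wrap onto the next line
                i += 1
                value = lines[i].strip()
            packets[-1]["attrs"][m[1]] = value.strip('"')
        i += 1
    return packets


def diagnose(log_text):
    """One finding per Access-Request: what the server could dispatch on."""
    findings, last_state = [], None
    for pkt in split_packets(log_text):
        if pkt["dir"] == "send":
            last_state = pkt["attrs"].get("State")  # the NAS must echo this next time
            continue
        eap = parse_eap_message(pkt["attrs"]["EAP-Message"]) if "EAP-Message" in pkt["attrs"] else {}
        findings.append({
            "id": pkt["id"],
            "has_user_name": "User-Name" in pkt["attrs"],
            "eap_type": eap.get("type"),
            "eap_identity": eap.get("identity"),
            "echoes_state": last_state is not None and pkt["attrs"].get("State") == last_state,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

RADIUS expects the NAS to send the State attribute from an Access-Challenge back unchanged in the next Access-Request (RFC 2865), which is how a server ties a continuation packet to the EAP conversation it started; checking each request for User-Name and State, as above, is a quicker first step than rearranging the unlang dispatch.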

More information about the Freeradius-Users mailing list