EAP-TLS User-Name not matching

Huckle Berry huck.berry at gmail.com
Tue Jan 19 02:24:26 CET 2010


On Mon, Jan 18, 2010 at 7:38 PM, Alan DeKok <aland at deployingradius.com> wrote:

>   Delete that.  You don't need it.
>

Tossed the "Auth-Type := Local" -- I figured that was not needed.

>
>   Sorry but NOTHING in the default configuration causes the server to
> proxy packets to itself.
>
Maybe proxy to itself was a bad way to describe it; you can interpret the
output yourself if you'd like. I took the last 4096 lines of output and cut
out 198 of the Proxy-State attributes from each request, which brought it
down to around 400 lines. Enjoy. This output is all from one request to
authenticate from a WinXP client and only occurs when "nostrip" is present
in proxy.conf under realm example.com.

>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

radiusd -X output begins below (last 4096 lines, shortened for brevity)

    Proxy-State = 0x313234
...
    Proxy-State = 0x313937
Proxying request 184 to home server 127.0.0.1 port 1812
Sending Access-Request of id 138 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x313937
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=138,
length=980
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0xe7395d8a2b4734f027531b160ce32c31
    Proxy-State = 0x30
...
    Proxy-State = 0x313937
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 243 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x313338
Proxying request 185 to home server 127.0.0.1 port 1812
Sending Access-Request of id 243 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x313338
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=243,
length=985
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x70e7c8fb3c9aeecfa1420e1d8684e7de
    Proxy-State = 0x30
...
    Proxy-State = 0x313338
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 33 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x323433
Proxying request 186 to home server 127.0.0.1 port 1812
Sending Access-Request of id 33 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x313338
    Proxy-State = 0x323433
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=33,
length=990
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x61f5446e99b9dda2c4002ec4f82d0774
    Proxy-State = 0x30
...
    Proxy-State = 0x323433
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 34 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x3333
Proxying request 187 to home server 127.0.0.1 port 1812
Sending Access-Request of id 34 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x3333
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=34,
length=994
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x03998bfa676bbe0703e5d46be2ac2c59
    Proxy-State = 0x30
...
    Proxy-State = 0x3333
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 147 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x3333
    Proxy-State = 0x3334
Proxying request 188 to home server 127.0.0.1 port 1812
Sending Access-Request of id 147 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
...
    Proxy-State = 0x3333
    Proxy-State = 0x3334
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=147,
length=998
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0xeba6020979709e88ea30973cdcf74295
    Proxy-State = 0x30
...
    Proxy-State = 0x3333
    Proxy-State = 0x3334
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 241 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
    Proxy-State = 0x3133
...
    Proxy-State = 0x313437
Proxying request 189 to home server 127.0.0.1 port 1812
Sending Access-Request of id 241 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
    Proxy-State = 0x323437
...
    Proxy-State = 0x3334
    Proxy-State = 0x313437
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=241,
length=1003
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x6821c9ece7894c509901e6be862a5159
    Proxy-State = 0x30
...
    Proxy-State = 0x3334
    Proxy-State = 0x313437
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm "example.com" for User-Name = "user at example.com"
[suffix] Found realm "example.com"
[suffix] Adding Realm = "example.com"
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm "example.com"
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
  WARNING: Empty section.  Using default return values.
Sending Access-Request of id 163 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
    Proxy-State = 0x3339
...
    Proxy-State = 0x3334
    Proxy-State = 0x313437
    Proxy-State = 0x323431
Proxying request 190 to home server 127.0.0.1 port 1812
Sending Access-Request of id 163 to 127.0.0.1 port 1812
    User-Name = "user at example.com"
    NAS-IP-Address = 192.168.1.1
    Called-Station-Id = "0016b6e2cc20"
    Calling-Station-Id = "00904b1f9671"
    NAS-Identifier = "0016b6e2cc20"
    NAS-Port = 56
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-802.11
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Message-Authenticator = 0x00000000000000000000000000000000
    Proxy-State = 0x30
    Proxy-State = 0x3133
...
    Proxy-State = 0x313437
    Proxy-State = 0x323431
Going to the next request
WARNING: Possible DoS attack from host 127.0.0.1: Too many attributes in
request (received 201, max 200 are allowed).
Waking up in 0.7 seconds.
Waking up in 16.2 seconds.
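The following is an added example, not code from the post or from the FreeRADIUS project. It decodes the two attributes that make the output above readable and then walks the sent Access-Requests to flag the loop. The EAP-Message hex is an EAP-Response/Identity (code 2, id 0, 21 bytes) carrying "user@example.com", which the list archive renders as "user at example.com". The Proxy-State values are the ASCII packet id of the previous hop: the request sent with id 138 comes back from 127.0.0.1 port 1814 with that same Proxy-State list, and the next request sent to 127.0.0.1 port 1812 carries it plus 0x313338 ("138"); after id 243 the next hop adds 0x323433 ("243"), and so on until the attribute count hits the 200 limit and the "Possible DoS attack" warning fires. The sample input is constructed: three hops abridged from the debug output in the post, using only the 2.x debug line formats visible above. Nothing here talks to a live server.

```python
"""Decode the attributes in the radiusd -X output above and detect the self-proxy
loop. Added example; not code from the post or from the FreeRADIUS project."""
import re

# Constructed sample: three hops abridged from the debug output in the post.
SAMPLE = """\
Sending Access-Request of id 138 to 127.0.0.1 port 1812
    User-Name = "user@example.com"
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Proxy-State = 0x30
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=138,
length=980
    User-Name = "user@example.com"
    Proxy-State = 0x30
Sending Access-Request of id 243 to 127.0.0.1 port 1812
    User-Name = "user@example.com"
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Proxy-State = 0x30
    Proxy-State = 0x313338
Going to the next request
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=243,
length=985
Sending Access-Request of id 33 to 127.0.0.1 port 1812
    User-Name = "user@example.com"
    EAP-Message = 0x020000150175736572406578616d706c652e636f6d
    Proxy-State = 0x30
    Proxy-State = 0x313338
    Proxy-State = 0x323433
Going to the next request
"""

ATTR_RE = re.compile(r"^\s+([\w-]+) = (.+)$")
SEND_RE = re.compile(r"^Sending Access-Request of id (\d+) to (\S+) port (\d+)")
RECV_RE = re.compile(r"^rad_recv: Access-Request packet from host")
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def _unhex(value):
    return bytes.fromhex(value[2:] if value.startswith("0x") else value)

def decode_eap(value):
    """RFC 3748 header (code, id, length); for Type 1 (Identity) also the identity."""
    raw = _unhex(value)
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP length field {length} != {len(raw)} bytes present")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length > 4:
        info["type"] = raw[4]
        if raw[4] == 1:
            info["identity"] = raw[5:].decode("ascii", "replace")
    return info

def decode_proxy_state(value):
    """Opaque to all but the proxy that added it; in this log each hop appends the
    previous hop's packet id as ASCII text, so 0x313338 decodes to "138"."""
    return _unhex(value).decode("ascii", "replace")

def parse_sent_requests(debug):
    """One record per proxied Access-Request the server sent, in log order."""
    hops, cur = [], None
    for line in debug.splitlines():
        m = SEND_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "home": f"{m.group(2)}:{m.group(3)}",
                   "attrs": {}, "proxy_state": []}
            hops.append(cur)
            continue
        if RECV_RE.match(line) or line.startswith("Going to the next request"):
            cur = None  # attributes of received packets are not collected here
            continue
        a = ATTR_RE.match(line)
        if a and cur is not None:
            name, value = a.group(1), a.group(2).strip('"')
            if name == "Proxy-State":
                cur["proxy_state"].append(decode_proxy_state(value))
            else:
                cur["attrs"][name] = value
    return hops

def find_proxy_loop(hops):
    """Packet ids of consecutive hops to the same home server that carry the same
    EAP-Message and the previous hop's Proxy-State list plus its packet id."""
    chain = []
    for prev, nxt in zip(hops, hops[1:]):
        if (prev["home"] == nxt["home"]
                and prev["attrs"].get("EAP-Message") == nxt["attrs"].get("EAP-Message")
                and nxt["proxy_state"] == prev["proxy_state"] + [str(prev["id"])]):
            chain = chain or [prev["id"]]
            chain.append(nxt["id"])
    return chain

if __name__ == "__main__":
    hops = parse_sent_requests(SAMPLE)
    print(decode_eap(hops[0]["attrs"]["EAP-Message"]))
    print("loop via", hops[0]["home"], "->", find_proxy_loop(hops))
```

To run it over a full capture, replace SAMPLE with the contents of the -X output. On the three constructed hops it reports the chain 138 -> 243 -> 33 to 127.0.0.1:1812; on the post's own output the same check would keep extending the chain on every "Sending Access-Request" until the "Too many attributes in request (received 201, max 200 are allowed)" line, because every packet that arrives from 127.0.0.1 port 1814 is the one the same server just sent to port 1812, with the User-Name still carrying the realm suffix that the suffix module matches again.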