Proxying authentication from FreeRadius to Cisco ACS

Alexander Clouter alex at digriz.org.uk
Wed Jan 19 09:46:41 CET 2011


Erisan Nyamutenha <Erisan.Nyamutenha at uct.ac.za> wrote:
> 
> I am setting up an Eduroam authentication server using FreeRadius 2.1.1
> on Suse Linux 12. 
>
Do you mean 2.1.10?  If not, upgrade to 2.1.10.

> I am proxying authentication requests to a Cisco ACS. When testing 
> using radtest from the FreeRadius box authentication is proxied to ACS 
> fine and I get an access-accept back. However when I try from a 
> wireless client the proxy response from the ACS is an Access-Reject. 
> In the failed attempts logs on the ACS it says bad username or 
> password. I'm pretty sure I'm using the correct password. Is there any 
> reason why this should not work? I've posted my logs below:-
> 
> rad_recv: Access-Request packet from host 1.1.1.1 port 32768, id=210, length=255
>        User-Name = "username@xyz.ac.za"
>        Calling-Station-Id = "00-1e-64-8f-f1-2a"
>        Called-Station-Id = "08-17-35-32-f2-90:Eduroam" <--- 'eduroam'
>        NAS-Port = 29
>        NAS-IP-Address = 1.1.1.1       
>        NAS-Identifier = "uc-wism-2"
>        Airespace-Wlan-Id = 4
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-802.11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "63"
>        EAP-Message = [snipped]
>        State = [snipped]
>        Message-Authenticator = [snipped]
>
'eduroam' is a case-sensitive SSID, it *must* be lowercase otherwise your 
users will be unable to roam and our users will be unable to visit you.

> +- entering group authorize {...}
> ++[preprocess] returns ok
> ++[chap] returns noop
> ++[mschap] returns noop
> [suffix] Looking up realm "xyz.ac.za" for User-Name = "username at xyz.ac.za"
> [suffix] Found realm "xyz.ac.za"
> [suffix] Adding Stripped-User-Name = "username"
> [suffix] Adding Realm = "xyz.ac.za"
> [suffix] Proxying request from user username to realm xyz.ac.za
> [suffix] Preparing to proxy authentication request to realm "xyz.ac.za"
> ++[suffix] returns updated
> [eap] Request is supposed to be proxied to Realm xyz.ac.za.  Not doing EAP.
> ++[eap] returns noop
> ++[unix] returns notfound
> ++[files] returns noop
> ++[expiration] returns noop
> ++[logintime] returns noop
> ++[pap] returns noop
> Sending Access-Request of id 81 to 2.2.2.2 port 1812
>        User-Name = "username"
>        Calling-Station-Id = "00-1e-64-8f-f1-2a"
>        Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
>        NAS-Port = 29
>        NAS-IP-Address = 1.1.1.1        
>        NAS-Identifier = "uc-wism-2"
>        Airespace-Wlan-Id = 4
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-802.11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "63"
>        EAP-Message = [snipped]
>        State = [snipped]
>        Message-Authenticator = [snipped]
>        Proxy-State = 0x323130
> Proxying request 8 to home server 2.2.2.2 port 1812
> Sending Access-Request of id 81 to 2.2.2.2 port 1812
>        User-Name = "username"
>        Calling-Station-Id = "00-1e-64-8f-f1-2a"
>        Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
>        NAS-Port = 29
>        NAS-IP-Address = 1.1.1.1        
>        NAS-Identifier = "uc-wism-2"
>        Airespace-Wlan-Id = 4
>        Service-Type = Framed-User
>        Framed-MTU = 1300
>        NAS-Port-Type = Wireless-802.11
>        Tunnel-Type:0 = VLAN
>        Tunnel-Medium-Type:0 = IEEE-802
>        Tunnel-Private-Group-Id:0 = "63"
>        EAP-Message = [snipped]
>        State = [snipped]
>        Message-Authenticator = [snipped]
>        Proxy-State = 0x323130
> Going to the next request
> Waking up in 0.9 seconds.
> rad_recv: Access-Reject packet from host 2.2.2.2 port 1812, id=81, length=61
>        Proxy-State = 0x323130
>        EAP-Message = 0x04a00004
>        Reply-Message = "Rejected\n\r"
>        Message-Authenticator = [snipped]
>
A complete guess, but considering:
 * I am probably not legally permitted to answer your email (due to your 
	disclaimer below)
 * you have not shown an example of the Access-Accept traffic (use 
	tcpdump in verbose mode and/or put a pcap file somewhere)
 * the problem is your *Cisco* box is rejecting the request, not 
	FreeRADIUS, so why do you not, (a) read your Cisco log files, 
	they will tell you why the request was rejected (b) speak to 
	Cisco, it's their kit and you are paying them for support

I am guessing the Cisco box is expecting '@xyz.ac.za' to be appended 
onto the username, and you have configured FreeRADIUS to strip the 
realm.  Without more information, it is hard to help...if I am legally 
permitted to according to the terms of your disclaimer... :-/

> ###
> UNIVERSITY OF CAPE TOWN 
> 
> This e-mail is subject to the UCT ICT policies and e-mail disclaimer
> published on our website at
> http://www.uct.ac.za/about/policies/emaildisclaimer/ or obtainable from
> +27 21 650 9111. This e-mail is intended only for the person(s) to whom
> it is addressed. If the e-mail has reached you in error, please notify
> the author. If you are not the intended recipient of the e-mail you may
> not use, disclose, copy, redirect or print the content. If this e-mail
> is not related to the business of UCT it is sent by the sender in the
> sender's individual capacity.
> 
Please, do not include disclaimers in emails to public mailing lists!  
Get rid of the HTML, and also fix your signature separator, it should 
not be '###' but '-- '.

http://en.wikipedia.org/wiki/Signature_block#E-mail_and_Usenet

</sig-nazi>

Cheers

-- 
Alexander Clouter
.sigmonster says: A hundred thousand lemmings can't be wrong!
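The two things the reply points at (the capitalised SSID in Called-Station-Id, and whether the realm gets stripped from User-Name before the request is proxied) can be checked straight from a `radiusd -X` attribute dump. This is an added example, not code from the thread or from FreeRADIUS; the dump is a constructed sample modelled on the one in the post, and `nostrip` refers to the realm option of that name in FreeRADIUS's proxy.conf.

```python
import re
from typing import Dict, Tuple

# Constructed sample modelled on the rad_recv dump in the post (not the
# poster's real traffic): the WLC reports the SSID as "Eduroam".
SAMPLE_DUMP = """\
rad_recv: Access-Request packet from host 1.1.1.1 port 32768, id=210, length=255
       User-Name = "username@xyz.ac.za"
       Calling-Station-Id = "00-1e-64-8f-f1-2a"
       Called-Station-Id = "08-17-35-32-f2-90:Eduroam"
       NAS-Port-Type = Wireless-802.11
       Tunnel-Type:0 = VLAN
"""

# Indented 'Name = value' or 'Name:tag = "value"' lines of a debug dump.
ATTR_RE = re.compile(r'^\s+([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')


def parse_attrs(dump: str) -> Dict[str, str]:
    """Collect the attribute lines of a radiusd -X packet dump into a dict."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip()
    return attrs


def ssid_problem(attrs: Dict[str, str]) -> str:
    """eduroam needs the SSID to be exactly 'eduroam'; the WLC sends it after the BSSID and ':'."""
    ssid = attrs.get("Called-Station-Id", "").rsplit(":", 1)[-1]
    if ssid == "eduroam":
        return ""
    return f"SSID is {ssid!r}, expected 'eduroam' (case-sensitive)"


def proxied_user_name(user_name: str, nostrip: bool) -> Tuple[str, str]:
    """Mimic the suffix realm module: split on the last '@' into (forwarded User-Name, realm).
    With 'nostrip' set on the realm, the full 'user@realm' is forwarded to the home server."""
    if "@" not in user_name:
        return user_name, ""
    user, realm = user_name.rsplit("@", 1)
    return (user_name if nostrip else user), realm


if __name__ == "__main__":
    attrs = parse_attrs(SAMPLE_DUMP)
    print(ssid_problem(attrs) or "SSID ok")
    for nostrip in (False, True):
        fwd, realm = proxied_user_name(attrs["User-Name"], nostrip)
        print(f"nostrip={nostrip}: forward User-Name={fwd!r} to realm {realm!r}")
```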

