EAP authentication accept, user not found

andreapepa andrea.pepa at trentinonetwork.it
Mon Sep 26 16:56:38 CEST 2011


Hi all,

I'm wondering if my freeradius is acting correctly against the request
below:
This Mikrotik CPE is authenticating by an EAP certificate and a username
with password is requested.
The problem is that the CPE is authenticated with every username that
doesn't exist in radcheck.

Why does FR authenticate even with a nonexistent username?


rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162,
length=175
        Service-Type = Framed-User
        Framed-MTU = 1400
        User-Name = "test155"
        State = 0x06c5601b03c36da7f69234e83e184b70
        NAS-Port-Id = "wlan2"
        Calling-Station-Id = "00-0C-42-B3-D1-F5"
        Called-Station-Id = "00-80-48-60-66-D9:WiNET-TR5G506106"
        EAP-Message = 0x020600060d00
        Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60
        NAS-Identifier = "ced-wl3"
        NAS-IP-Address = 10.25.66.8
# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log]      expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d ->
/var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log]      expand: %t -> Mon Sep 26 16:35:21 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test155", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql]   expand: %{User-Name} -> test155
[sql] sql_set_user escaped user --> 'test155'
rlm_sql (sql): Reserving sql socket id: 19
[sql]   expand: SELECT id, UserName, Attribute, Value, Op   FROM radcheck  
WHERE Username = '%{SQL-User-Name}'   ORDER BY id -> SELECT id, UserName,
Attribute, Value, Op   FROM radcheck   WHERE Username = 'test155'   ORDER BY
id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op   FROM
radcheck   WHERE Username = 'test155'   ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql]   expand: SELECT GroupName FROM radusergroup WHERE
UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM
radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE
UserName='test155' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 19
[sql] User test155 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 162 to 10.25.66.8 port 56485
        MS-MPPE-Recv-Key =
0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440
        MS-MPPE-Send-Key =
0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca
        EAP-Message = 0x03060004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "test155"
Finished request 69.


--
View this message in context: http://freeradius.1045715.n5.nabble.com/EAP-authentication-accept-user-not-found-tp4841666p4841666.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
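
A way to check captured `radiusd -X` debug output for the condition reported in this post, an accepted login for a user the `sql` module returned `notfound` for, as an added example that is not part of the original message or of FreeRADIUS. The function names and the second sample request (`known-user`) are assumptions constructed for illustration.

```python
import re

# Constructed sample: request 1 is condensed from the debug output in the post,
# request 2 is a hypothetical request for a user that does exist in radcheck.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175
++[eap] returns updated
++[sql] returns notfound
Found Auth-Type = EAP
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
rad_recv: Access-Request packet from host 10.25.66.8 port 56490, id=163, length=175
++[sql] returns ok
Found Auth-Type = EAP
Login OK: [known-user] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F6)
"""

MODULE_RE = re.compile(r"^\++\[(\w+)\] returns (\w+)")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")
LOGIN_OK_RE = re.compile(r"^Login OK: \[(.*?)\]")

def split_requests(debug_text):
    """Yield the stripped lines of each request, split at 'rad_recv:'."""
    current = []
    for line in debug_text.splitlines():
        if line.startswith("rad_recv:") and current:
            yield current
            current = []
        current.append(line.strip())
    if current:
        yield current

def find_unknown_user_accepts(debug_text, lookup_module="sql"):
    """Return accepted logins whose user lookup module returned notfound."""
    findings = []
    for lines in split_requests(debug_text):
        results, auth_type, user = {}, None, None
        for line in lines:
            if m := MODULE_RE.match(line):
                # Keep the first result per module (the authorize pass).
                results.setdefault(m.group(1), m.group(2))
            elif m := AUTH_TYPE_RE.match(line):
                auth_type = m.group(1)
            elif m := LOGIN_OK_RE.match(line):
                user = m.group(1)
        if user is not None and results.get(lookup_module) == "notfound":
            findings.append({"user": user, "auth_type": auth_type})
    return findings
```
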


