Errors authenticating certain users.

Migo Pod migopod at gmail.com
Tue Dec 29 17:39:31 CET 2015


The change would have been whatever changed with yum-update, which ran on
the 16th, and did include the freeradius, freeradius-utils and
freeradius-mysql packages, but according to the RedHat change logs those
packages were updated in September to fix the miscalculated MPPE keys with
TLS 1.2 and nothing beyond that. Apart from running updates, the only thing
we typically ever do is adding new access points in clients.conf.

Thanks,
-mat

Full debug:
Waking up in 2.6 seconds.
rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254, length=162
        NAS-Port-Id = "AP1306/2"
        Calling-Station-Id = "6C-88-14-54-69-28"
        Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi"
        Service-Type = Framed-User
        EAP-Message = 0x020100120141445c706f6469612d75736572
        User-Name = "AD\\podia-user"
        NAS-Port = 64901
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 172.18.255.6
        NAS-Identifier = "Juniper"
        Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "podia-user", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] EAP packet type response id 1 length 18
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
[files] users: Matched entry DEFAULT at line 50
++[files] = ok
++[expiration] = noop
++[logintime] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Identity (AD\podia-user) does not match User-Name (podia-user). Authentication failed.
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [podia-user] (from client 172.18.255.6 port 64901 cli 6C-88-14-54-69-28)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> podia-user
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 55 for 1 seconds


On Tue, Dec 29, 2015 at 10:21 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Dec 29, 2015, at 11:11 AM, Migo Pod <migopod at gmail.com> wrote:
> > Previously we've been having no issues authenticating people with username,
> > AD\username, and username at realm, but on around the 16th people with the
> > AD\username format started getting authentication failures.
>
>   What changed on the 16th?
>
> > We're running RHEL6 with the distro supplied freeradius binary
> > (freeradius-2.2.6-6.el6_7.x86_64) and haven't made any changes to anything
> > besides system updates in over a year, and it has been working perfectly up
> > until now.
>
>   Things don't change by magic.  *Something* changed.
>
> > Here's a relevant log snippet that appears to describe the issue, but I
> > have no idea where to start looking for a solution.
> > ...
> > [eap] Identity (AD\podia-user) does not match User-Name (podia-user).
>
>   Post the FULL debug log, including the packet that the server received.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
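
Added example, not part of the original thread and not FreeRADIUS code: it decodes the EAP-Message from the Access-Request in the debug output above and compares the EAP identity with User-Name as the NAS sent it and with the domain prefix removed, which is the value the [suffix] and [eap] lines report. The function names and the prefix-stripping step are assumptions made for illustration.

```python
import re
import struct

# Attribute lines copied from the Access-Request in the debug output above.
SAMPLE = r'''
        EAP-Message = 0x020100120141445c706f6469612d75736572
        User-Name = "AD\\podia-user"
'''

def parse_eap_identity(hex_value):
    """Return the identity carried in an EAP-Response/Identity packet."""
    raw = bytes.fromhex(hex_value[2:] if hex_value.startswith("0x") else hex_value)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus type byte")
    code, _ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP length field disagrees with attribute size")
    if code != 2 or eap_type != 1:  # 2 = Response, 1 = Identity
        raise ValueError("not an EAP-Response/Identity packet")
    return raw[5:].decode("utf-8", errors="replace")

def radius_user_name(debug_text):
    """Extract User-Name and undo the backslash escaping of the debug printer."""
    quoted = re.search(r'User-Name = "((?:[^"\\]|\\.)*)"', debug_text).group(1)
    return re.sub(r"\\(.)", r"\1", quoted)

def compare(debug_text):
    """Compare the EAP identity with User-Name as sent and with the prefix removed."""
    eap_hex = re.search(r"EAP-Message = (0x[0-9a-fA-F]+)", debug_text).group(1)
    identity = parse_eap_identity(eap_hex)
    sent = radius_user_name(debug_text)
    # Assumption for illustration: model the rewritten User-Name shown by the
    # [suffix] and [eap] lines by dropping everything up to the last backslash.
    stripped = sent.rsplit("\\", 1)[-1]
    return {
        "identity": identity,
        "user_name_sent": sent,
        "user_name_stripped": stripped,
        "matches_sent": identity == sent,
        "matches_stripped": identity == stripped,
    }

if __name__ == "__main__":
    for key, value in compare(SAMPLE).items():
        print(f"{key}: {value}")
```

The identity inside the EAP-Message equals the User-Name the NAS sent, so the mismatch the [eap] module reports appears only after User-Name has been rewritten on the server.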

