Errors authenticating certain users.
Alan DeKok
aland at deployingradius.com
Tue Dec 29 17:59:01 CET 2015
On Dec 29, 2015, at 11:39 AM, Migo Pod <migopod at gmail.com> wrote:
>
> The change would have been whatever changed with yum-update, which ran on
> the 16th, and did include the freeradius, freeradius-utils and
> freeradius-mysql packages, but according to the RedHat change logs those
> packages were updated in September to fix the miscalculated MPPE keys with
> TLS 1.2 and nothing beyond that.
Clearly there was something beyond that.
> Full debug:
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254,
> length=162
> NAS-Port-Id = "AP1306/2"
> Calling-Station-Id = "6C-88-14-54-69-28"
> Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi"
> Service-Type = Framed-User
> EAP-Message = 0x020100120141445c706f6469612d75736572
> User-Name = "AD\\podia-user"
Which shows that the User-Name is correct.
> NAS-Port = 64901
> NAS-Port-Type = Wireless-802.11
> NAS-IP-Address = 172.18.255.6
> NAS-Identifier = "Juniper"
> Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "podia-user", looking up realm NULL
> [suffix] Found realm "NULL"
> [suffix] Adding Realm = "NULL"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok
Something there is re-writing the User-Name to remove the "AD" portion.
Check the configuration of the "suffix" module. Does it have "strip = yes"?
> [eap] EAP packet type response id 1 length 18
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> [files] users: Matched entry DEFAULT at line 50
Does that entry strip the user name?
>
> [eap] Identity (AD\podia-user) does not match User-Name (podia-user).
The User-Name has been re-written from "AD\podia-user" to "podia-user". It doesn't happen by magic. Something has updated it.
Alan DeKok.
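
Added example, not part of the original message and not FreeRADIUS code: a short Python decoder for the EAP-Message value in the debug output above, to show which identity the client actually sent and to compare it with a candidate User-Name the way the "[eap] Identity ... does not match User-Name" line does. The function names are hypothetical, and it assumes a single, unfragmented EAP-Message attribute.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1

# Constructed from the debug output quoted in the message above.
SAMPLE_EAP_MESSAGE = "0x020100120141445c706f6469612d75736572"


def parse_eap_identity(hex_value):
    """Decode one EAP-Message attribute (hex, as printed by the debug log)."""
    text = hex_value.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus Type field")
    # Header layout: Code (1 byte), Identifier (1 byte), Length (2 bytes).
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 5 or length > len(raw):
        raise ValueError("EAP Length field does not fit the data received")
    if code not in (1, 2):
        raise ValueError("only Request/Response packets carry a Type field")
    if raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("EAP Type %d is not Identity" % raw[4])
    # Octets past Length are padding and are ignored (RFC 3748, section 4).
    identity = raw[5:length].decode("utf-8", errors="replace")
    return {"code": EAP_CODES[code], "id": ident, "length": length,
            "identity": identity}


def identity_matches(hex_value, user_name):
    """True when User-Name is character-for-character the EAP Identity."""
    return parse_eap_identity(hex_value)["identity"] == user_name


if __name__ == "__main__":
    print(parse_eap_identity(SAMPLE_EAP_MESSAGE))
    # The name as received, then the name after the realm prefix is stripped.
    for name in ("AD\\podia-user", "podia-user"):
        ok = identity_matches(SAMPLE_EAP_MESSAGE, name)
        print(repr(name), "matches" if ok else "does not match")
```

The debug log prints the backslash in User-Name escaped ("AD\\podia-user"); the value on the wire has a single backslash, which is what the decoder returns.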