Errors authenticating certain users.

Alan DeKok aland at deployingradius.com
Tue Dec 29 17:59:01 CET 2015


On Dec 29, 2015, at 11:39 AM, Migo Pod <migopod at gmail.com> wrote:
> 
> The change would have been whatever changed with yum-update, which ran on
> the 16th, and did include the freeradius, freeradius-utils and
> freeradius-mysql packages, but according to the RedHat change logs those
> packages were updated in September to fix the miscalculated MPPE keys with
> TLS 1.2 and nothing beyond that.

  Clearly there was something beyond that.

> Full debug:
> Waking up in 2.6 seconds.
> rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254,
> length=162
>        NAS-Port-Id = "AP1306/2"
>        Calling-Station-Id = "6C-88-14-54-69-28"
>        Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi"
>        Service-Type = Framed-User
>        EAP-Message = 0x020100120141445c706f6469612d75736572
>        User-Name = "AD\\podia-user"

  Which shows that the User-Name is correct.

>        NAS-Port = 64901
>        NAS-Port-Type = Wireless-802.11
>        NAS-IP-Address = 172.18.255.6
>        NAS-Identifier = "Juniper"
>        Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f
> # Executing section authorize from file /etc/raddb/sites-enabled/default
> +group authorize {
> ++[preprocess] = ok
> ++[mschap] = noop
> ++[digest] = noop
> [suffix] No '@' in User-Name = "podia-user", looking up realm NULL
> [suffix] Found realm "NULL"
> [suffix] Adding Realm = "NULL"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] = ok

  Something there is re-writing the User-Name to remove the "AD" portion.

  Check the configuration of the "suffix" module.  Does it have "strip = yes"?

> [eap] EAP packet type response id 1 length 18
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> [files] users: Matched entry DEFAULT at line 50

  Does that entry strip the user name?
> 
> [eap] Identity (AD\podia-user) does not match User-Name (podia-user).

  The User-Name has been re-written from "AD\podia-user" to "podia-user".  It doesn't happen by magic.  Something has updated it.

  Alan DeKok.
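
An added example, not part of the original message or of FreeRADIUS: a small Python decoder for the EAP-Message attribute in the debug output above. It extracts the EAP identity and compares it with a User-Name value, which reproduces the mismatch the eap module reports. The function names and the exact-string comparison are assumptions made for illustration; the hex value and user names are copied from the quoted log.

```python
import struct

EAP_RESPONSE = 2        # EAP Code field: Response
EAP_TYPE_IDENTITY = 1   # EAP Type field: Identity

def eap_identity(eap_message_hex):
    """Return the identity carried in an EAP-Response/Identity packet."""
    text = eap_message_hex.strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    raw = bytes.fromhex(text)
    if len(raw) < 5:
        raise ValueError("too short for an EAP header plus type byte")
    # Header: Code (1), Identifier (1), Length (2, network order), Type (1)
    code, _ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length < 5 or length > len(raw):
        raise ValueError("EAP Length field does not fit the attribute data")
    if code != EAP_RESPONSE or eap_type != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity packet")
    # Everything after the type byte, up to Length, is the identity string.
    return raw[5:length].decode("utf-8", errors="replace")

def identity_matches(eap_message_hex, user_name):
    """Compare the EAP identity with User-Name (assumed: exact match)."""
    identity = eap_identity(eap_message_hex)
    return identity, identity == user_name

# Values from the debug output quoted in this message.
EAP_MESSAGE = "0x020100120141445c706f6469612d75736572"
USER_NAME_AS_RECEIVED = "AD\\podia-user"   # the debug log prints the backslash escaped
USER_NAME_AFTER_REWRITE = "podia-user"     # value the eap module later sees

if __name__ == "__main__":
    for name in (USER_NAME_AS_RECEIVED, USER_NAME_AFTER_REWRITE):
        identity, ok = identity_matches(EAP_MESSAGE, name)
        verdict = "matches" if ok else "does not match"
        print(f"Identity ({identity}) {verdict} User-Name ({name})")
```

Running it against the User-Name logged at each stage of the authorize section shows the point at which the value stops matching the identity inside the EAP packet.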



