Errors authenticating certain users.

Peter Lambrechtsen peter at crypt.co.nz
Tue Dec 29 19:02:51 CET 2015


I wouldn't be so sure /etc/etc wasn't updated.

Have you gone back to your backup and compared all the files??

If you're not running eap I find the symlink in sites-enabled for
inner-tunnel always comes back each time I patch. So I wouldn't be at all
surprised if files got overwritten by updating core packages.

If you have custom dictionaries they always seem to get messed up by
patching too.
On 30/12/2015 6:52 AM, "Migo Pod" <migopod at gmail.com> wrote:

> In proxy.conf all of the defined realms have nostrip included, and the only
> thing I can find that explicitly rewrites anything is a directive in the
> NULL realm that sets Stripped-User-Name to mschap:User-Name when the
> User-Name matches a /host\/[^\.].(.+)/ regex, and that's been in there
> since at least 2013. I've tried removing that clause from the realm and it
> didn't appear to affect anything. Other than that, I can't find anything
> that sets User-Name to anything at all.
>
> Of course things changed on the 16th when updates ran, but none of the
> files in /etc/raddb were modified since yum doesn't overwrite modified
> files, and the rpm changelogs aren't being particularly helpful.
>
> Thanks,
>  -mat
>
> On Tue, Dec 29, 2015 at 10:59 AM, Alan DeKok <aland at deployingradius.com> wrote:
>
> > On Dec 29, 2015, at 11:39 AM, Migo Pod <migopod at gmail.com> wrote:
> > >
> > > The change would have been whatever changed with yum-update, which ran on
> > > the 16th, and did include the freeradius, freeradius-utils and
> > > freeradius-mysql packages, but according to the RedHat change logs those
> > > packages were updated in September to fix the miscalculated MPPE keys with
> > > TLS 1.2 and nothing beyond that.
> >
> >   Clearly there was something beyond that.
> >
> > > Full debug:
> > > Waking up in 2.6 seconds.
> > > rad_recv: Access-Request packet from host 172.18.255.6 port 20002, id=254, length=162
> > >        NAS-Port-Id = "AP1306/2"
> > >        Calling-Station-Id = "6C-88-14-54-69-28"
> > >        Called-Station-Id = "00-26-3E-8D-79-C1:UWMWiFi"
> > >        Service-Type = Framed-User
> > >        EAP-Message = 0x020100120141445c706f6469612d75736572
> > >        User-Name = "AD\\podia-user"
> >
> >   Which shows that the User-Name is correct.
> >
> > >        NAS-Port = 64901
> > >        NAS-Port-Type = Wireless-802.11
> > >        NAS-IP-Address = 172.18.255.6
> > >        NAS-Identifier = "Juniper"
> > >        Message-Authenticator = 0xe3d83b401df09685c4df6a885095fa4f
> > > # Executing section authorize from file /etc/raddb/sites-enabled/default
> > > +group authorize {
> > > ++[preprocess] = ok
> > > ++[mschap] = noop
> > > ++[digest] = noop
> > > [suffix] No '@' in User-Name = "podia-user", looking up realm NULL
> > > [suffix] Found realm "NULL"
> > > [suffix] Adding Realm = "NULL"
> > > [suffix] Authentication realm is LOCAL.
> > > ++[suffix] = ok
> >
> >   Something there is re-writing the User-Name to remove the "AD" portion.
> >
> >   Check the configuration of the "suffix" module.  Does it have "strip = yes" ?
> >
> > > [eap] EAP packet type response id 1 length 18
> > > [eap] No EAP Start, assuming it's an on-going EAP conversation
> > > ++[eap] = updated
> > > [files] users: Matched entry DEFAULT at line 50
> >
> >   Does that entry strip the user name?
> > >
> > > [eap] Identity (AD\podia-user) does not match User-Name (podia-user).
> >
> >   The User-Name has been re-written from "AD\podia-user" to "podia-user".
> > It doesn't happen by magic.  Something has updated it.
> >
> >   Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
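
The mismatch discussed in this thread can be located mechanically. The following is an added example, not part of the thread and not FreeRADIUS code: it decodes the EAP-Response/Identity carried in the EAP-Message hex and reports the first debug line whose User-Name differs from it. The function names are hypothetical, and the sample lines are an excerpt copied from the quoted debug output.

```python
import re

# Excerpt of the debug output quoted in this thread (abbreviated).
DEBUG = r'''
       EAP-Message = 0x020100120141445c706f6469612d75736572
       User-Name = "AD\\podia-user"
++[preprocess] = ok
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "podia-user", looking up realm NULL
'''

def eap_identity(hex_value):
    """Return the identity string from an EAP-Response/Identity packet."""
    if hex_value.lower().startswith("0x"):
        hex_value = hex_value[2:]
    pkt = bytes.fromhex(hex_value)
    if len(pkt) < 5:
        raise ValueError("too short to be an EAP Request/Response")
    code, eap_type = pkt[0], pkt[4]
    length = int.from_bytes(pkt[2:4], "big")   # covers the whole packet
    if length != len(pkt):
        raise ValueError("EAP length field %d != %d bytes" % (length, len(pkt)))
    if code != 2 or eap_type != 1:             # 2 = Response, 1 = Identity
        raise ValueError("not an EAP-Response/Identity")
    return pkt[5:].decode("utf-8", "replace")

def first_rewrite(debug_text):
    """Return (debug line, User-Name) where User-Name first differs from the
    EAP identity seen earlier in the same output, or None if it never does."""
    identity = None
    for line in debug_text.splitlines():
        m = re.search(r'EAP-Message = (0x[0-9a-fA-F]+)', line)
        if m:
            identity = eap_identity(m.group(1))
        m = re.search(r'User-Name = "((?:[^"\\]|\\.)*)"', line)
        if m and identity is not None:
            # Debug output escapes backslashes ("AD\\user"); undo that first.
            value = re.sub(r'\\(.)', r'\1', m.group(1))
            if value != identity:
                return line.strip(), value
    return None

if __name__ == "__main__":
    print(first_rewrite(DEBUG))
```
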

