rlm_passwd fails Stripped-User-Name check when in inner-tunnel mode (PEAP)

Tim Chen gphoto6 at gmail.com
Thu Nov 12 08:15:10 CET 2015


On Thu, Nov 12, 2015 at 10:13 AM, Alan DeKok <aland at deployingradius.com>
wrote:

> On Nov 11, 2015, at 8:02 PM, Tim Chen <gphoto6 at gmail.com> wrote:
> > However, I did more tests:
> ...
> > 2. if I change modules/passwd into
> >   passwd passwdf1 {
> >        filename = /home/radius/passwd1
> >        format = "*Stripped-User-Name:NT-Password:"
> >   Then ALL authentication tests FAILED
>
>   What does the debug output show?
>

When I tried to set modules/passwd to

passwd passwdf1 {
        filename = /home/radius/passwd1
        format = "*Stripped-User-Name:NT-Password:"
}

and tested with the following command (PAP):
radtest john at eduroam.example.edu PASS 140.X.X.X 1812 testing123

I got the following error:

rad_recv: Access-Request packet from host XXX port 60992, id=162, length=92
        User-Name = "john at eduroam.example.edu"
        User-Password = "PASS"
        NAS-IP-Address = XXX
        NAS-Port = 1812
        Message-Authenticator = 0x35f44df400fa512aef4a447642eeff85
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "eduroam.example.edu" for User-Name = "
john at eduroam.example.edu"
[suffix] Found realm "eduroam.example.edu"
[suffix] Adding Stripped-User-Name = "john"
[suffix] Adding Realm = "eduroam.example.edu"
[suffix] Proxying request from user john to realm eduroam.example.edu
[suffix] Preparing to proxy authentication request to realm "
eduroam.example.edu"
++[suffix] = updated
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] file_common
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 187 to 127.0.0.1 port 1812
        User-Name = "john"
        User-Password = "PASS"
        NAS-IP-Address = XXX
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x313632
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 187 to 127.0.0.1 port 1812
        User-Name = "john"
        User-Password = "PASS"
        NAS-IP-Address = XXX
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x313632
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=187,
length=78
        User-Name = "john"
        User-Password = "PASS"
        NAS-IP-Address = XXX
        NAS-Port = 1812
        Message-Authenticator = 0x3755dea88f500f9d9ec1b923f614b849
        Proxy-State = 0x313632
# Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[passwdf1] = notfound
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "john", looking up realm NULL
[suffix] Found realm "NULL"
[suffix] Adding Stripped-User-Name = "john"
[suffix] Adding Realm = "NULL"
[suffix] Authentication realm is LOCAL.
++[suffix] = ok
[eap] No EAP-Message, not doing EAP
++[eap] = noop
[files] file_common
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication
may fail because of this.
++[pap] = noop
+} # group authorize = ok
ERROR: No authenticate method (Auth-Type) found for the request: Rejecting
the user
Failed to authenticate the user.
Login incorrect: [john/PASS] (from client localhost port 1812)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[eap] Request didn't contain an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject]     expand: %{User-Name} -> john
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 187 to 127.0.0.1 port 1814
        Proxy-State = 0x313632
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=187,
length=25
        Proxy-State = 0x313632
# Executing section post-proxy from file
/usr/local/etc/raddb/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Login incorrect (Home Server says so): [john at eduroam.example.edu/PASS]
(from client network8 port 1812)
Using Post-Auth-Type Reject
# Executing group from file /usr/local/etc/raddb/sites-enabled/default
+group REJECT {
[eap] Request didn't contain an EAP-Message, not inserting EAP-Failure
++[eap] = noop
[attr_filter.access_reject]     expand: %{User-Name} ->
john at eduroam.example.edu
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Sending Access-Reject of id 162 to XXX port 60992
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 187 with timestamp +31
Cleaning up request 0 ID 162 with timestamp +31
Ready to process requests.
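The debug output above shows the same thing in both the proxied and the locally handled request: `++[passwdf1] = notfound` is logged before `[suffix] Adding Stripped-User-Name = "john"`, so at the moment the passwd module does its lookup the attribute named as its key does not exist yet. The following toy, an added example that is not FreeRADIUS code and not from the thread, models only that ordering: a lookup keyed on the field marked `*` in the format string, and a `suffix` step that derives `Stripped-User-Name` and `Realm` from `User-Name`. The passwd file contents are constructed, the `=`/`~` format prefixes are not modelled, and the looked-up fields are simply stored on the request for a later password step to see; which list rlm_passwd really writes to is outside this model.

```python
"""Toy model of FreeRADIUS authorize ordering (added example, not FreeRADIUS code).

Models two steps from the debug log:
  * an rlm_passwd-style lookup keyed on the '*' field of the format string
  * the 'suffix' step that adds Stripped-User-Name / Realm
and shows why running the lookup before suffix always yields 'notfound'.
"""
from __future__ import annotations
from dataclasses import dataclass, field

FORMAT = "*Stripped-User-Name:NT-Password:"   # format used in the thread

# Constructed stand-in for /home/radius/passwd1; hashes are dummy values.
PASSWD1 = """\
john:0123456789ABCDEF0123456789ABCDEF:
alice:FEDCBA9876543210FEDCBA9876543210:
"""


def parse_format(fmt: str) -> list[tuple[str, bool]]:
    """Split 'a:b:c:' into (attribute, is_key) pairs; '*' marks the key field."""
    return [(raw.lstrip("*"), raw.startswith("*")) for raw in fmt.split(":") if raw]


def load_passwd(text: str, fmt: str) -> dict[str, dict[str, str]]:
    """Index the colon-separated file by its key column."""
    fields = parse_format(fmt)
    key_cols = [i for i, (_, is_key) in enumerate(fields) if is_key]
    assert len(key_cols) == 1, "this model supports exactly one key field"
    k = key_cols[0]
    table: dict[str, dict[str, str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split(":")
        table[cols[k]] = {
            name: cols[i]
            for i, (name, is_key) in enumerate(fields)
            if not is_key and i < len(cols)
        }
    return table


@dataclass
class Request:
    attrs: dict                                   # request attributes
    found: dict = field(default_factory=dict)     # fields a lookup attached


def passwd_module(req: Request, table: dict, key_attr: str) -> str:
    """Return 'notfound' when the key attribute is absent or unknown."""
    key = req.attrs.get(key_attr)
    if key is None or key not in table:
        return "notfound"
    req.found.update(table[key])
    return "ok"


def suffix_module(req: Request) -> str:
    """Split user@realm like the 'suffix' realm step in the log."""
    name = req.attrs["User-Name"]
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        rc = "updated"
    else:
        user, realm, rc = name, "NULL", "ok"
    req.attrs["Stripped-User-Name"] = user
    req.attrs["Realm"] = realm
    return rc


def run_authorize(order: list[str], req: Request, table: dict, key_attr: str) -> list[str]:
    """Run the named modules in order and return a log-style trace."""
    trace = []
    for name in order:
        if name == "passwdf1":
            rc = passwd_module(req, table, key_attr)
        elif name == "suffix":
            rc = suffix_module(req)
        else:
            rc = "noop"
        trace.append(f"++[{name}] = {rc}")
    return trace


def known_good_password_found(order: list[str], user_name: str) -> tuple[bool, list[str]]:
    """True when the lookup attached NT-Password for this module order."""
    table = load_passwd(PASSWD1, FORMAT)
    req = Request({"User-Name": user_name})
    trace = run_authorize(order, req, table, "Stripped-User-Name")
    return "NT-Password" in req.found, trace


if __name__ == "__main__":
    for order in (["passwdf1", "suffix"], ["suffix", "passwdf1"]):
        for user in ("john@eduroam.example.edu", "john"):
            ok, trace = known_good_password_found(order, user)
            print(order, user, "->", "found" if ok else "notfound", trace)
```

With the module order from the log (`passwdf1` before `suffix`) the lookup reports `notfound` for both the `user@realm` form and the already-stripped `john`, exactly as the two `++[passwdf1] = notfound` lines show; with `suffix` run first, the same file and format find the entry.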

