Fwd: Using session resumption with Wifi PEAP/MSCHAPv2
Sylvain Munaut
s.munaut at whatever-company.com
Wed Feb 17 14:43:09 CET 2016
Hi,
I'm using FreeRadius 3.0.10 and I start with a working setup that has
the tls cache disabled.
Originally I was using use_tunneled_reply=yes and I would get a
successful resumption at the TLS layer:
(16) eap_peap: Skipping Phase2 because of session resumption
(16) eap_peap: SUCCESS
but in the next AccessRequest, I'd get :
(17) eap: Identity does not match User-Name. Authentication failed
(17) eap: Failed in handler
(17) [eap] = invalid
(17) } # authenticate = invalid
(17) Failed to authenticate the user
and it would send an Access-Reject accordingly, and it would fail.
Since I noticed that use_tunneled_reply is deprecated, I tried
setting it to "no" and uncommented the two "update" sections in the
inner-tunnel server.
Using this, it doesn't even attempt to do a session resumption at all.
Auth works now, but only because it does a full auth every time.
My configuration is pretty much the default that comes shipped with
FreeRadius, I just commented out the stuff not used (like other auth
modes not used in PEAP/MSCHAPv2) and did the change recommended to
replace the deprecated use_tunneled_reply=yes .
Cheers,
Sylvain Munaut
----
This is the full log of the last two Access-Requests when using
use_tunneled_reply=yes:
(16) Received Access-Request Id 161 from 192.168.1.4:1645 to
192.168.1.64:1812 length 270
(16) User-Name = "anonymous"
(16) Framed-MTU = 1400
(16) Called-Station-Id = "7426.ac84.5240:Whatever"
(16) Calling-Station-Id = "7cdd.9079.f91b"
(16) Cisco-AVPair = "ssid=Whatever"
(16) Service-Type = Login-User
(16) Cisco-AVPair = "service-type=Login"
(16) Message-Authenticator = 0x73fc123c4a4585fdc156814fce66bed0
(16) EAP-Message =
0x020300411900140301000101160301003066fd2450a9f285364308c3e54c9c5673ac7e7627ad24ff52efb282958a551f7637f5a591d37a5ff790526ae5cabf1a6b
(16) NAS-Port-Type = Wireless-802.11
(16) Cisco-NAS-Port = "5714"
(16) NAS-Port = 5714
(16) NAS-Port-Id = "5714"
(16) State = 0x3f9102863e921be7e6003aed13497217
(16) NAS-IP-Address = 192.168.1.4
(16) session-state: No cached attributes
(16) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(16) authorize {
(16) policy filter_username {
(16) if (!&User-Name) {
(16) if (!&User-Name) -> FALSE
(16) if (&User-Name =~ / /) {
(16) if (&User-Name =~ / /) -> FALSE
(16) if (&User-Name =~ /@.*@/ ) {
(16) if (&User-Name =~ /@.*@/ ) -> FALSE
(16) if (&User-Name =~ /\.\./ ) {
(16) if (&User-Name =~ /\.\./ ) -> FALSE
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(16) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(16) if (&User-Name =~ /\.$/) {
(16) if (&User-Name =~ /\.$/) -> FALSE
(16) if (&User-Name =~ /@\./) {
(16) if (&User-Name =~ /@\./) -> FALSE
(16) } # policy filter_username = notfound
(16) [preprocess] = ok
(16) [mschap] = noop
(16) suffix: Checking for suffix after "@"
(16) suffix: No '@' in User-Name = "anonymous", looking up realm NULL
(16) suffix: No such realm "NULL"
(16) [suffix] = noop
(16) eap: Peer sent EAP Response (code 2) ID 3 length 65
(16) eap: Continuing tunnel setup
(16) [eap] = ok
(16) } # authorize = ok
(16) Found Auth-Type = EAP
(16) # Executing group from file /etc/freeradius/sites-enabled/default
(16) authenticate {
(16) eap: Expiring EAP session with state 0x3f9102863e921be7
(16) eap: Finished EAP session with state 0x3f9102863e921be7
(16) eap: Previous EAP request found for state 0x3f9102863e921be7,
released from the list
(16) eap: Peer sent packet with method EAP PEAP (25)
(16) eap: Calling submodule eap_peap to process data
(16) eap_peap: Continuing EAP-TLS
(16) eap_peap: [eaptls verify] = ok
(16) eap_peap: Done initial handshake
(16) eap_peap: <<< TLS 1.0 ChangeCipherSpec [length 0001]
(16) eap_peap: <<< TLS 1.0 Handshake [length 0010], Finished
(16) eap_peap: TLS_accept: SSLv3 read finished A
(16) eap_peap: (other): SSL negotiation finished successfully
(16) eap_peap: SSL Connection Established
(16) eap_peap: SSL Application Data
(16) eap_peap: Adding cached attributes from session
df917e29315e01166598f3cb2427c211832e14953e5ec48144debb103f8c1a3b
(16) eap_peap: reply:User-Name = "myusername"
(16) eap_peap: [eaptls process] = success
(16) eap_peap: Session established. Decoding tunneled attributes
(16) eap_peap: PEAP state TUNNEL ESTABLISHED
(16) eap_peap: Skipping Phase2 because of session resumption
(16) eap_peap: SUCCESS
(16) eap: Sending EAP Request (code 1) ID 4 length 43
(16) eap: EAP session adding &reply:State = 0x3f9102863d951be7
(16) [eap] = handled
(16) } # authenticate = handled
(16) Using Post-Auth-Type Challenge
(16) Post-Auth-Type sub-section not found. Ignoring.
(16) # Executing group from file /etc/freeradius/sites-enabled/default
(16) Sent Access-Challenge Id 161 from 192.168.1.64:1812 to
192.168.1.4:1645 length 0
(16) User-Name = "myusername"
(16) EAP-Message =
0x0104002b19001703010020132a5838752548b20b79cdfd19856492990d8e2db97e7f38c178cf3861177ef6
(16) Message-Authenticator = 0x00000000000000000000000000000000
(16) State = 0x3f9102863d951be7e6003aed13497217
(16) Finished request
Waking up in 3.2 seconds.
(17) Received Access-Request Id 162 from 192.168.1.4:1645 to
192.168.1.64:1812 length 285
(17) User-Name = "myusername"
(17) Framed-MTU = 1400
(17) Called-Station-Id = "7426.ac84.5240:Whatever"
(17) Calling-Station-Id = "7cdd.9079.f91b"
(17) Cisco-AVPair = "ssid=Whatever"
(17) Service-Type = Login-User
(17) Cisco-AVPair = "service-type=Login"
(17) Message-Authenticator = 0x8a4fd50b06dea4edb525ac6122810d25
(17) EAP-Message =
0x02040050190017030100202fdd4dca1d915eae9fecc2d267e51466c313b8f900260490946f092d20620a3817030100204ab2fccae9b6725bbd722af7a7ecb1d9de91f87d2cafcc61956f18d3a8753c67
(17) NAS-Port-Type = Wireless-802.11
(17) Cisco-NAS-Port = "5714"
(17) NAS-Port = 5714
(17) NAS-Port-Id = "5714"
(17) State = 0x3f9102863d951be7e6003aed13497217
(17) NAS-IP-Address = 192.168.1.4
(17) session-state: No cached attributes
(17) # Executing section authorize from file
/etc/freeradius/sites-enabled/default
(17) authorize {
(17) policy filter_username {
(17) if (!&User-Name) {
(17) if (!&User-Name) -> FALSE
(17) if (&User-Name =~ / /) {
(17) if (&User-Name =~ / /) -> FALSE
(17) if (&User-Name =~ /@.*@/ ) {
(17) if (&User-Name =~ /@.*@/ ) -> FALSE
(17) if (&User-Name =~ /\.\./ ) {
(17) if (&User-Name =~ /\.\./ ) -> FALSE
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(17) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(17) if (&User-Name =~ /\.$/) {
(17) if (&User-Name =~ /\.$/) -> FALSE
(17) if (&User-Name =~ /@\./) {
(17) if (&User-Name =~ /@\./) -> FALSE
(17) } # policy filter_username = notfound
(17) [preprocess] = ok
(17) [mschap] = noop
(17) suffix: Checking for suffix after "@"
(17) suffix: No '@' in User-Name = "myusername", looking up realm NULL
(17) suffix: No such realm "NULL"
(17) [suffix] = noop
(17) eap: Peer sent EAP Response (code 2) ID 4 length 80
(17) eap: Continuing tunnel setup
(17) [eap] = ok
(17) } # authorize = ok
(17) Found Auth-Type = EAP
(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17) authenticate {
(17) eap: Expiring EAP session with state 0x3f9102863d951be7
(17) eap: Finished EAP session with state 0x3f9102863d951be7
(17) eap: Previous EAP request found for state 0x3f9102863d951be7,
released from the list
(17) eap: Identity does not match User-Name. Authentication failed
(17) eap: Failed in handler
(17) [eap] = invalid
(17) } # authenticate = invalid
(17) Failed to authenticate the user
(17) Using Post-Auth-Type Reject
(17) # Executing group from file /etc/freeradius/sites-enabled/default
(17) Post-Auth-Type REJECT {
(17) sql: EXPAND .query
(17) sql: --> .query
(17) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (2)
(17) sql: EXPAND %{User-Name}
(17) sql: --> myusername
(17) sql: SQL-User-Name set to 'myusername'
(17) sql: EXPAND INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}',
'%{reply:Packet-Type}', NOW())
(17) sql: --> INSERT INTO radpostauth (username, pass, reply,
authdate) VALUES('myusername', 'Chap-Password', 'Access-Reject',
NOW())
(17) sql: Executing query: INSERT INTO radpostauth (username, pass,
reply, authdate) VALUES('myusername', 'Chap-Password',
'Access-Reject', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(17) sql: SQL query returned: success
(17) sql: 1 record(s) updated
rlm_sql (sql): Released connection (2)
(17) [sql] = ok
(17) attr_filter.access_reject: EXPAND %{User-Name}
(17) attr_filter.access_reject: --> myusername
(17) attr_filter.access_reject: Matched entry DEFAULT at line 11
(17) [attr_filter.access_reject] = updated
rlm_eap (EAP): No EAP session matching state 0x3f9102863d951be7
(17) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
(17) eap: Failed to get handler, probably already removed, not
inserting EAP-Failure
(17) [eap] = noop
(17) policy remove_reply_message_if_eap {
(17) if (&reply:EAP-Message && &reply:Reply-Message) {
(17) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(17) else {
(17) [noop] = noop
(17) } # else = noop
(17) } # policy remove_reply_message_if_eap = noop
(17) } # Post-Auth-Type REJECT = updated
(17) Delaying response for 1.000000 seconds
Waking up in 0.6 seconds.
Waking up in 0.3 seconds.
(17) Sending delayed response
(17) Sent Access-Reject Id 162 from 192.168.1.64:1812 to
192.168.1.4:1645 length 20
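The mechanism visible in packets (16) and (17) above, as a constructed Python model added here (it is not the poster's configuration and not FreeRADIUS code). Packet (16) shows the server adding the cached reply attributes, including reply:User-Name = "myusername", to an Access-Challenge after a resumed TLS handshake; packet (17) shows the access point sending that value as the outer User-Name of its next Access-Request, which rlm_eap then compares against the EAP identity "anonymous" from the start of the conversation. The model replays that sequence with use_tunneled_reply=yes, and again with the inner User-Name stripped before the tunneled reply is copied outward, which is what the "update" sections in inner-tunnel are there to do. The Server and run_conversation names, the TLS-Session field, the State values and the INNER_REPLY attributes are assumptions made for the model, not FreeRADIUS internals.

```python
"""
Constructed model of the PEAP conversation in the log above (an added example;
not the poster's configuration or FreeRADIUS code). It reproduces the failure
mechanism: a User-Name cached with the TLS session is echoed in an
Access-Challenge, the NAS copies it into its next Access-Request, and the
server's EAP identity check then rejects the conversation.
"""

REJECT_REASON = "Identity does not match User-Name. Authentication failed"

# Constructed inner (tunneled) reply produced by a successful MSCHAPv2 phase 2.
INNER_REPLY = {"User-Name": "myusername", "MS-MPPE-Recv-Key": "0x0102"}


def tunneled_to_outer(inner_reply, use_tunneled_reply):
    """Decide which inner reply attributes reach the outer reply.

    use_tunneled_reply=yes copies everything, User-Name included.  The
    replacement "update" sections in inner-tunnel strip the attributes that
    must stay inside the tunnel before copying; here that is modelled by
    dropping User-Name.
    """
    if use_tunneled_reply:
        return dict(inner_reply)
    return {k: v for k, v in inner_reply.items() if k != "User-Name"}


class Server:
    """RADIUS/EAP server with an EAP State table and a TLS session cache."""

    def __init__(self, use_tunneled_reply):
        self.use_tunneled_reply = use_tunneled_reply
        self.eap_sessions = {}   # State -> (identity, phase)
        self.tls_cache = {}      # TLS session id -> cached outer reply attrs
        self._n = 0

    def _challenge(self, identity, phase, extra=None):
        self._n += 1
        state = "state-%d" % self._n
        self.eap_sessions[state] = (identity, phase)
        reply = {"Code": "Access-Challenge", "State": state}
        reply.update(extra or {})
        return reply

    def handle(self, req):
        if "State" not in req:
            # EAP-Response/Identity: the server records the outer identity.
            return self._challenge(req["User-Name"], "handshake")

        identity, phase = self.eap_sessions.pop(req["State"])
        if req["User-Name"] != identity:      # the check that fails in (17)
            return {"Code": "Access-Reject", "Reason": REJECT_REASON}

        tls_id = req["TLS-Session"]
        if phase == "handshake":
            if tls_id in self.tls_cache:
                # Resumption: phase 2 skipped, cached attributes added to the
                # reply, which still goes out as an Access-Challenge (packet 16).
                return self._challenge(identity, "resumed", self.tls_cache[tls_id])
            return self._challenge(identity, "inner")
        if phase == "inner":
            outer = tunneled_to_outer(INNER_REPLY, self.use_tunneled_reply)
            self.tls_cache[tls_id] = outer      # cached with the TLS session
            return {"Code": "Access-Accept", **outer}
        # phase == "resumed": hand back what was cached with the session
        return {"Code": "Access-Accept", **self.tls_cache[tls_id]}


def run_conversation(server, identity, tls_id):
    """NAS side: drive one EAP conversation and return the final reply.

    Like the access point in the log, the NAS copies a User-Name received in
    an Access-Challenge into its next Access-Request.
    """
    req = {"User-Name": identity, "TLS-Session": tls_id}
    reply = server.handle(req)
    while reply["Code"] == "Access-Challenge":
        req = {
            "User-Name": reply.get("User-Name", identity),
            "State": reply["State"],
            "TLS-Session": tls_id,
        }
        reply = server.handle(req)
    return reply


def resume_after_full_auth(use_tunneled_reply):
    """Full authentication, then a second conversation resuming the TLS session."""
    server = Server(use_tunneled_reply)
    first = run_conversation(server, "anonymous", "tls-session-A")
    second = run_conversation(server, "anonymous", "tls-session-A")
    return first["Code"], second["Code"], second.get("Reason")


if __name__ == "__main__":
    print("use_tunneled_reply=yes:", resume_after_full_auth(True))
    print("update sections       :", resume_after_full_auth(False))
```

The practical check this suggests on a real server is the debug line "Adding cached attributes from session" that precedes the Access-Challenge: whatever it lists is what the NAS will see before the conversation has finished, so an outer-only attribute such as User-Name showing up there is the thing to hunt for in whichever inner post-auth path copies the tunneled reply outward.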