EAP-TTLS/PAP with realm - <no User-Password attribute>

Rob Gorrell rwgorrel at uncg.edu
Mon Mar 14 00:32:58 CET 2016


rad_recv: Access-Request packet from host X.X.X.X port 60228, id=0, length=143
        User-Name = "bob@rgorrell.net"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "70-6F-6C-69-73-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "rad_eap_test + eapol_test"
        EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574
        Message-Authenticator = 0x4f289c2272a467016443cfb6451893d6
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] Looking up realm "rgorrell.net" for User-Name = "bob@rgorrell.net"
[suffix] Found realm "rgorrell.net"
[suffix] Adding Stripped-User-Name = "bob"
[suffix] Adding Realm = "rgorrell.net"
[suffix] Proxying request from user bob to realm rgorrell.net
[suffix] Preparing to proxy authentication request to realm "rgorrell.net"
++[suffix] = updated
[eap] Request is supposed to be proxied to Realm rgorrell.net.  Not doing EAP.
++[eap] = noop
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
  WARNING: Empty pre-proxy section.  Using default return values.
Sending Access-Request of id 162 to 127.0.0.1 port 1812
        User-Name = "bob"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "70-6F-6C-69-73-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "rad_eap_test + eapol_test"
        EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x30
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 162 to 127.0.0.1 port 1812
        User-Name = "bob"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "70-6F-6C-69-73-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "rad_eap_test + eapol_test"
        EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574
        Message-Authenticator = 0x00000000000000000000000000000000
        Proxy-State = 0x30
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=162, length=133
        User-Name = "bob"
        NAS-IP-Address = 127.0.0.1
        Calling-Station-Id = "70-6F-6C-69-73-68"
        Framed-MTU = 1400
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "rad_eap_test + eapol_test"
        EAP-Message = 0x0200001501626f624072676f7272656c6c2e6e6574
        Message-Authenticator = 0x07dbdd4ec778378a16cdaa6a93788d62
        Proxy-State = 0x30
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++[chap] = noop
++[mschap] = noop
++[digest] = noop
[suffix] No '@' in User-Name = "bob", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Identity (bob@rgorrell.net) does not match User-Name (bob).  Authentication failed.
[eap] Failed in handler
++[eap] = invalid
+} # group authenticate = invalid
Failed to authenticate the user.
Login incorrect: [bob/<via Auth-Type = EAP>] (from client localhost port 0 cli 70-6F-6C-69-73-68)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> bob
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 162 to 127.0.0.1 port 1814
        Proxy-State = 0x30
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=162, length=23
        Proxy-State = 0x30
# Executing section post-proxy from file /etc/raddb/sites-enabled/default
+group post-proxy {
[eap] No pre-existing handler found
++[eap] = noop
+} # group post-proxy = noop
Login incorrect (Home Server says so): [bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 0 cli 70-6F-6C-69-73-68)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/default
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> bob@rgorrell.net
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
Sending Access-Reject of id 0 to X.X.X.X port 60228
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 162 with timestamp +9
Cleaning up request 0 ID 0 with timestamp +9
Ready to process requests.


On Sun, Mar 13, 2016 at 4:32 PM, Stefan Paetow <Stefan.Paetow at jisc.ac.uk>
wrote:

> Rob,
>
> Can you show us the full debug log of the home server (I'm assuming you
> are running that in debug mode)?
>
> Thanks!
>
> Stefan Paetow
> Moonshot Industry & Research Liaison Coordinator
>
> t: +44 (0)1235 822 125
> gpg: 0x3FCE5142
> xmpp: stefanp at jabber.dev.ja.net
> skype: stefan.paetow.janet
>
> jisc.ac.uk
>
> Networkshop44, University of Manchester. Save the date: 22-24 March, 2016.
> #NWS44
>
> Jisc is a registered charity (number 1149740) and a company limited by
> guarantee which is registered in England under Company No. 5747339, VAT
> No. GB 197 0632 86. Jisc's registered office is: One Castlepark, Tower
> Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Collections and Janet Ltd. is a wholly owned Jisc subsidiary and a
> company limited by guarantee which is registered in England under Company
> No. number 2881024, VAT No. GB 197 0632 86. The registered office is:
> Lumen House, Library Avenue, Harwell, Didcot, Oxfordshire, OX11 0SG. T
> 01235 822200.
>
>
>
> On 13/03/2016 19:38, "Freeradius-Users on behalf of Rob Gorrell"
> <freeradius-users-bounces+stefan.paetow=jisc.ac.uk at lists.freeradius.org on
> behalf of rwgorrel at uncg.edu> wrote:
>
> >I am trying to set up a working EAP-TTLS/PAP demo using FreeRadius 2.2.6 on
> >top of CentOS6.
> >For simplicity, I would like to use PAP and statically define
> >Cleartext-Password for users in the users file.
> >But I also would like to be able to authenticate using the full realm since I
> >plan on using the realm for testing some routing.
> >I currently have this working for basic radius by stripping the realm and
> >then using Cleartext-Password from the users file ... however, when I went
> >to put the same setup through EAP TTLS, I'm now having problems and getting
> >a "no User-Password attribute" despite supplying one (the same one as from
> >radtest) but using rad_eap_test.
> >
> >Sun Mar 13 13:06:32 2016 : Auth: Login incorrect: [bob/<via Auth-Type =
> >EAP>] (from client localhost port 58 cli fcdbb33f581d)
> >Sun Mar 13 13:06:33 2016 : Auth: Login incorrect (Home Server says so):
> >[bob@rgorrell.net/<no User-Password attribute>] (from client raddev port 58
> >cli fcdbb33f581d)
> >
> >While researching, I came across a theory that sounds fitting to my
> >situation... upon receiving a username qualified by a realm, FreeRadius
> >will strip the realm off before matching the username. This results in the
> >User-Name being modified to be different from the EAP Identity field before
> >being sent for actual authentication. This results in FreeRadius issuing
> >a rejection due to the mismatch between the two fields.
> >
> >Does that sound right? If so, I'm not sure what I can do about it... I
> >can't nostrip the username, as then I won't be able to authenticate via
> >PAP, but I can't log in identically matching my users file (i.e. no realm),
> >because I need the realm for routing.
> >
> >Suggestions? Thanks,
> >-Rob
> >-
> >List info/subscribe/unsubscribe? See
> >http://www.freeradius.org/list/users.html
>
>




-- 
Robert W. Gorrell
Systems Architect, Identity and Access Management
University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
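An added example (not code from this thread or from FreeRADIUS) that decodes the EAP-Message hex value from the debug log above and applies the same comparison the eap module reports with "Identity (...) does not match User-Name (...)": the identity inside the EAP packet is still "bob@rgorrell.net", while the User-Name the suffix module proxied is the stripped "bob". The attribute values come from the log; the function names and the simplified model of the suffix and eap checks are assumptions.

```python
import binascii

# Values taken from the debug log above: EAP-Message is identical in the
# request from the NAS and in the proxied request; only User-Name changed.
EAP_MESSAGE_HEX = "0x0200001501626f624072676f7272656c6c2e6e6574"
ORIGINAL_USER_NAME = "bob@rgorrell.net"   # as sent by the supplicant
PROXIED_USER_NAME = "bob"                 # Stripped-User-Name after suffix

EAP_CODE_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def parse_eap_identity(eap_message_hex):
    """Decode an EAP Identity Response (RFC 3748):
    Code(1) Identifier(1) Length(2) Type(1) Identity(n).
    Returns the identity string; raises ValueError for anything else."""
    hexstr = eap_message_hex[2:] if eap_message_hex.startswith("0x") else eap_message_hex
    raw = binascii.unhexlify(hexstr)
    if len(raw) < 5:
        raise ValueError("EAP packet too short for an Identity Response")
    code, length = raw[0], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"EAP Length field {length} != {len(raw)} bytes present")
    if code != EAP_CODE_RESPONSE or raw[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP Identity Response")
    return raw[5:].decode("utf-8")


def strip_realm(user_name):
    """Simplified model of the suffix module: split on the last '@' into
    (Stripped-User-Name, Realm); no '@' means realm NULL."""
    user, sep, realm = user_name.rpartition("@")
    return (user, realm) if sep else (user_name, None)


def identity_matches(eap_message_hex, user_name):
    """Simplified model of the eap module's check: the Identity carried
    inside EAP-Message must equal the outer User-Name, realm included."""
    return parse_eap_identity(eap_message_hex) == user_name


if __name__ == "__main__":
    identity = parse_eap_identity(EAP_MESSAGE_HEX)
    stripped, realm = strip_realm(ORIGINAL_USER_NAME)
    print(f"EAP identity: {identity}; stripped: {stripped}; realm: {realm}")
    print("matches original User-Name:", identity_matches(EAP_MESSAGE_HEX, ORIGINAL_USER_NAME))
    print("matches proxied User-Name: ", identity_matches(EAP_MESSAGE_HEX, PROXIED_USER_NAME))
```

Running it shows that the inner EAP identity only matches the unstripped User-Name, which is why the home server rejects the proxied request even though the outer request looked fine.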

