FR 3.1 access-accept

Chris Howley C.P.Howley at leeds.ac.uk
Wed Nov 30 10:26:18 CET 2016


Hi,

In using eapol_test against FreeRADIUS 2.2.3 and 3.1 (3.1.0-dead (git #4870102)) I noticed that the following attributes are NOT included in the Access-Accept sent by FR 3.1: EAP-MSK, EAP-EMSK and EAP-Session-Id. Are these attributes required in the Access-Accept? If so, how can I copy them from the inner-tunnel server to the Access-Accept?

Thanks, Chris


1. FreeRADIUS 2.2.3

Mon Nov 28 08:46:27 2016 : Debug: # Executing section post-auth from file /etc/raddb/sites-enabled/LOCAL-WLAN-outer
Mon Nov 28 08:46:27 2016 : Debug: +group post-auth {
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       expand: %{reply:Packet-Type} -> Access-Accept
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       expand: %{Operator-Name} ->
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       ... expanding second conditional
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       expand: %{Calling-Station-ID} -> 02:00:00:00:00:01
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       expand: %{NAS-IP-Address} -> 127.0.0.1
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       expand: %{NAS-Port} ->
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       ... expanding second conditional
Mon Nov 28 08:46:27 2016 : Debug: [linelog_reply]       expand: %t : %{%{reply:Packet-Type}:-unknown-method} [%{User-Name}] ( %{%{Operator-Name}:-No_Operator} client=%{%{Calling-Station-ID}:-00:00:de:ad:be:ef} NAS-IP-Address %{%{NAS-IP-Address}:-0.0.0.0} port %{%{NAS-Port}:-0}) -> Mon Nov 28 08:46:27 2016 : Access-Accept [testuser at leeds.ac.uk] ( No_Operator client=02:00:00:00:00:01 NAS-IP-Address 127.0.0.1 port 0)
Mon Nov 28 08:46:27 2016 : Debug: ++[linelog_reply] = ok
Mon Nov 28 08:46:27 2016 : Debug: ++[exec] = noop
Mon Nov 28 08:46:27 2016 : Debug: +} # group post-auth = ok
Mon Nov 28 08:46:27 2016 : Debug: Sending Access-Accept packet to host X.X.X.X port 49011, id=11, length=0
Mon Nov 28 08:46:27 2016 : Debug:       User-Name = "testuser"
Mon Nov 28 08:46:27 2016 : Debug:       MS-MPPE-Recv-Key = 0x88f27e096616e54304666947eaa5c38d3b3b62ba9b116e0c2b476718a56ca767
Mon Nov 28 08:46:27 2016 : Debug:       MS-MPPE-Send-Key = 0xbb1a28fa8663a7c7516d89ed921db7159fc05315f5578e7c715fe9261d83ddd6
Mon Nov 28 08:46:27 2016 : Debug:       EAP-MSK = 0x88f27e096616e54304666947eaa5c38d3b3b62ba9b116e0c2b476718a56ca767bb1a28fa8663a7c7516d89ed921db7159fc05315f5578e7c715fe9261d83ddd6
Mon Nov 28 08:46:27 2016 : Debug:       EAP-EMSK = 0x22ad8973c9357152405aec86b3911658adde465b54757f85d8b35e32fc89bb4e6ba96fc01bd1497afc430b403d51487f0df830c75b11fc40edc42595eb4ea37d
Mon Nov 28 08:46:27 2016 : Debug:       EAP-Session-Id = 0x19583beee34ffd6c9a5fa449c2ee1648b00378dcf0123d0ec8deed9d57ec59edf7583beee384531fad7b0362375c1618ad5923cec29d453037d7b4f88594db792f
Mon Nov 28 08:46:27 2016 : Debug:       EAP-Message = 0x030b0004
Mon Nov 28 08:46:27 2016 : Debug:       Message-Authenticator = 0x00000000000000000000000000000000
Mon Nov 28 08:46:27 2016 : Debug: Finished request 287510.

2. FreeRADIUS 3.1

(12,1)  Using 'Auth-Type = eap' for authenticate {...}
(12,1)  Running Auth-Type eap from file /etc/raddb/sites-enabled/default
(12,1)    Auth-Type eap {
(12,1)      eap - Peer sent packet with EAP method PEAP (25)
(12,1)      eap - Calling submodule eap_peap to process data
(12,1)      eap_peap - Continuing EAP-TLS
(12,1)      eap_peap - Got complete TLS record (74 bytes)
(12,1)      eap_peap - [eap-tls verify] = complete
(12,1)      eap_peap - Decrypted TLS application data (11 bytes)
(12,1)      eap_peap - [eap-tls process] = complete
(12,1)      eap_peap - Session established.  Decoding tunneled data
(12,1)      eap_peap - PEAP state send tlv success
(12,1)      eap_peap - Received EAP-TLV response
(12,1)      eap_peap - Success
(12,1)      eap_peap - Adding session keys
(12,1)      eap_peap -   &reply:MS-MPPE-Recv-Key = 0xc81a9fdb4896685f70a38fcf16fe2403b8c3a767e6f9537be9b51b34ee21f755
(12,1)      eap_peap -   &reply:MS-MPPE-Send-Key = 0x96c61060a7081969287257d3905acfc21f27ae5093c42ed9b057a2be6c818a21
(12,1)      eap_peap -   &reply:EAP-MSK = 0xc81a9fdb4896685f70a38fcf16fe2403b8c3a767e6f9537be9b51b34ee21f75596c61060a7081969287257d3905acfc21f27ae5093c42ed9b057a2be6c818a21
(12,1)      eap_peap -   &reply:EAP-EMSK = 0xb96c201642eb34b43d228b912522eb2fef02d0fbd93a60d2d4d1c90ce5dea84c5a288b49d95fbd9ae1eabfa681064f5e8b1a190ce97500aa79f0a93fffdc0ed7
(12,1)      eap - Sending EAP Success (code 3) ID 11 length 4
(12,1)      eap - Cleaning up EAP session
(12,1)      eap (ok)
(12,1)      if (handled && (Response-Packet-Type == Access-Challenge)) {
(12,1)        ...
(12,1)      }
(12,1)    } # Auth-Type eap (ok)
(12,1)  Login OK: [testuser at realm] (from client netserv5 port 0 cli 02:00:00:00:00:01)
(12,1)  Running section post-auth from file /etc/raddb/sites-enabled/default
(12,1)    post-auth {
(12,1)      update {
(12,1)        &reply: += &session-state:Stripped-User-Name -> "testuser"
(12,1)        &reply: += &session-state:Reply-Message -> "successful authentication"
(12,1)      } # update (noop)
(12,1)      update reply {
(12,1)        &reply:Reply-Message := successful authentication
(12,1)      } # update reply (noop)
(12,1)      default-accept-log - Using default message
(12,1)      default-accept-log - EXPAND %S (%l) id %I DEFAULT ACCEPT %{User-Name} cli %{%{Calling-Station-Id}:--} auth-type %{control:Auth-Type}/%{EAP-Type} realm %{Realm} operator %{%{Operator-Name}:--} client %{%{Packet-Src-IP-Address}:-%{%{Packet-Src-IPv6-Address}:--}} (%{Client-Shortname}) essid (%{%{Called-Station-SSID}:--}) reply-msg '%{reply:Reply-Message}'
(12,1)      default-accept-log - --> 2016-11-28 13:44:16 (1480340656) id 11 DEFAULT ACCEPT testuser at realm cli 02:00:00:00:00:01 auth-type eap/PEAP realm realm operator - client Y.Y.Y.Y (netserv5) essid (-) reply-msg 'successful authentication'
(12,1)      default-accept-log - EXPAND /var/log/radius/auth.log
(12,1)      default-accept-log - --> /var/log/radius/auth.log
(12,1)      default-accept-log (ok)
(12,1)      exec (noop)
(12,1)      remove_reply_message_if_eap {
(12,1)        if (&reply:EAP-Message && &reply:Reply-Message) {
(12,1)          update reply {
(12,1)            &reply:Reply-Message !* ANY
(12,1)          } # update reply (noop)
(12,1)        } # if (&reply:EAP-Message && &reply:Reply-Message) (noop)
(12,1)        else {
(12,1)        ... skipping else for request 12: Preceding "if" was taken
(12,1)        }
(12,1)      } # remove_reply_message_if_eap (noop)
(12,1)    } # post-auth (ok)
(12,1)  Sent Access-Accept Id 11 from Y.Y.Y.Y:1812 to Y.Y.Y.Y:53223 via em1 length 0
(12,1)    MS-MPPE-Recv-Key = 0xc81a9fdb4896685f70a38fcf16fe2403b8c3a767e6f9537be9b51b34ee21f755
(12,1)    MS-MPPE-Send-Key = 0x96c61060a7081969287257d3905acfc21f27ae5093c42ed9b057a2be6c818a21
(12,1)    EAP-Message = 0x030b0004
(12,1)    Message-Authenticator = 0x00000000000000000000000000000000
(12,1)  Finished request
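The two debug dumps above list different attribute sets under the Access-Accept. As an added example (not from the post or from FreeRADIUS), the Python below parses the attribute list from either version's debug format, diffs the two, and checks the RFC 5216 relationship that the post's own hex values exhibit: EAP-MSK is MS-MPPE-Recv-Key followed by MS-MPPE-Send-Key. The embedded log lines are constructed to mirror the post's two formats, with shortened, made-up key bytes.

```python
import re
# Constructed debug excerpts modelled on the two formats quoted in the post (made-up, shortened key bytes).
FR2_LOG = """\
Mon Nov 28 08:46:27 2016 : Debug: Sending Access-Accept packet to host X.X.X.X port 49011, id=11, length=0
Mon Nov 28 08:46:27 2016 : Debug:       MS-MPPE-Recv-Key = 0x0011223344556677
Mon Nov 28 08:46:27 2016 : Debug:       MS-MPPE-Send-Key = 0x8899aabbccddeeff
Mon Nov 28 08:46:27 2016 : Debug:       EAP-MSK = 0x00112233445566778899aabbccddeeff
Mon Nov 28 08:46:27 2016 : Debug:       EAP-EMSK = 0xdeadbeefdeadbeef
Mon Nov 28 08:46:27 2016 : Debug:       EAP-Session-Id = 0x19a1b2c3d4
Mon Nov 28 08:46:27 2016 : Debug:       EAP-Message = 0x030b0004
Mon Nov 28 08:46:27 2016 : Debug: Finished request 287510.
"""
FR3_LOG = """\
(12,1)  Sent Access-Accept Id 11 from Y.Y.Y.Y:1812 to Y.Y.Y.Y:53223 via em1 length 0
(12,1)    MS-MPPE-Recv-Key = 0x0011223344556677
(12,1)    MS-MPPE-Send-Key = 0x8899aabbccddeeff
(12,1)    EAP-Message = 0x030b0004
(12,1)  Finished request
"""
ATTR_RE = re.compile(r"([A-Za-z0-9-]+) = (.+)$")
START_RE = re.compile(r"\bSen(?:ding|t) Access-Accept\b")

def parse_accept(log):
    """Return {attribute: value} for the Access-Accept dump in a FreeRADIUS
    debug excerpt; handles both the 2.x 'Sending' and 3.x 'Sent' forms."""
    attrs, in_block = {}, False
    for line in log.splitlines():
        if START_RE.search(line):
            in_block = True          # attribute lines follow this header
        elif in_block and "Finished request" in line:
            break
        elif in_block:
            m = ATTR_RE.search(line)
            if m:
                attrs[m.group(1)] = m.group(2).strip()
    return attrs

def missing_in(a, b):
    """Attribute names present in dump a but absent from dump b."""
    return set(a) - set(b)

def msk_matches_mppe(attrs):
    """RFC 5216 s2.3: MS-MPPE-Recv-Key is the first half of the MSK and
    MS-MPPE-Send-Key the second half, which the post's own hex confirms."""
    try:
        recv, send, msk = (attrs[k][2:].lower() for k in
                           ("MS-MPPE-Recv-Key", "MS-MPPE-Send-Key", "EAP-MSK"))
    except KeyError:
        return False                 # MSK not in this dump (as in the 3.1 log)
    return msk == recv + send
```

Run `missing_in(parse_accept(FR2_LOG), parse_accept(FR3_LOG))` against real debug output to list exactly which attributes one version dumps and the other does not.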

