EAP-FAST failure in v3.0.12
STE SQE
mnlstesqe at gmail.com
Wed Oct 5 16:38:49 CEST 2016
Hi,
>> I'm new to RADIUS servers and I'm trying to enable EAP-FAST. Is there a
>> documentation I can use to enable it? I'm using version 3.0.12.
> The documentation in the EAP module is all you need.
>> Anyway, this is what I've done.
> That should work.
>> I don't know where to look at in the debug output but shown below is part
>> of it.
>>
>> (9) eap_fast: Got tunneled Access-Reject
>> (9) eap_fast: Reject
>> (9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module
>> failed
> Well... look at the *earlier* messages to see what's wrong. If you're
running it in a terminal, the error message will even be colourised to show
importance.
I'm seeing another error, MS-CHAP2-Response is failing. And there are
warnings also shown. Please help me solve this. Thanks.
(8) eap_fast: WARNING: AUTHENTICATION
(8) eap_fast: WARNING: AUTHENTICATION
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module
failed
Shown below in a snippet of the debug output.
(8) Received Access-Request Id 120 from 10.30.32.46:3073 to 10.30.32.40:1812
length 221
(8) User-Name = "bob"
(8) NAS-Port = 0
(8) Called-Station-Id = "14-D6-4D-C7-DC-88:DLINK-SDESQE-EAP-2"
(8) Calling-Station-Id = "00-AE-FA-9C-FF-FC"
(8) Framed-MTU = 1400
(8) NAS-Port-Type = Wireless-802.11
(8) Connect-Info = "CONNECT 11Mbps 802.11b"
(8) EAP-Message =
0x020b003b2b011703010030395790f43e1b9dcf131fb7f74983d279244d9ae2493d1ca9270a9ef434fcafc937b4fcf9cb3e0fc8390047a796569cf6
(8) State = 0xd951d3a9dd5af8abc01e99543ad15de0
(8) Message-Authenticator = 0x52eec993910273fb7aa3ece5018c83fe
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [preprocess] = ok
(8) [chap] = noop
(8) [mschap] = noop
(8) [digest] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) eap: Peer sent EAP Response (code 2) ID 11 length 59
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8) [eap] = updated
(8) files: users: Matched entry bob at line 87
(8) [files] = ok
(8) [expiration] = noop
(8) [logintime] = noop
(8) pap: WARNING: Auth-Type already set. Not setting to PAP
(8) [pap] = noop
(8) } # authorize = updated
(8) Found Auth-Type = eap
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) authenticate {
(8) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60
(8) eap: Finished EAP session with state 0xd951d3a9dd5af8ab
(8) eap: Previous EAP request found for state 0xd951d3a9dd5af8ab, released
from the list
(8) eap: Peer sent packet with method EAP FAST (43)
(8) eap: Calling submodule eap_fast to process data
(8) eap_fast: Authenticate
(8) eap_fast: Continuing EAP-TLS
(8) eap_fast: [eaptls verify] = ok
(8) eap_fast: Done initial handshake
(8) eap_fast: [eaptls process] = ok
(8) eap_fast: Session established. Proceeding to decode tunneled attributes
(8) eap_fast: Got Tunneled FAST TLVs
(8) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload = 0x020b000801626f62
(8) eap_fast: Processing received EAP Payload
(8) eap_fast: Got tunneled request
(8) eap_fast: EAP-Message = 0x020b000801626f62
(8) eap_fast: Got tunneled identity of bob
(8) eap_fast: WARNING: AUTHENTICATION
(8) eap_fast: WARNING: AUTHENTICATION
(8) Virtual server inner-tunnel received request
(8) EAP-Message = 0x020b000801626f62
(8) FreeRADIUS-Proxied-To = 127.0.0.1
(8) User-Name = "bob"
(8) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(8) server inner-tunnel {
(8) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authorize {
(8) policy filter_username {
(8) if (&User-Name) {
(8) if (&User-Name) -> TRUE
(8) if (&User-Name) {
(8) if (&User-Name =~ / /) {
(8) if (&User-Name =~ / /) -> FALSE
(8) if (&User-Name =~ /@[^@]*@/ ) {
(8) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(8) if (&User-Name =~ /\.\./ ) {
(8) if (&User-Name =~ /\.\./ ) -> FALSE
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(8) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(8) if (&User-Name =~ /\.$/) {
(8) if (&User-Name =~ /\.$/) -> FALSE
(8) if (&User-Name =~ /@\./) {
(8) if (&User-Name =~ /@\./) -> FALSE
(8) } # if (&User-Name) = notfound
(8) } # policy filter_username = notfound
(8) [chap] = noop
(8) [mschap] = noop
(8) suffix: Checking for suffix after "@"
(8) suffix: No '@' in User-Name = "bob", looking up realm NULL
(8) suffix: No such realm "NULL"
(8) [suffix] = noop
(8) update control {
(8) &Proxy-To-Realm := LOCAL
(8) } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 11 length 8
(8) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
rest of authorize
(8) [eap] = ok
(8) } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(8) authenticate {
(8) eap: Peer sent packet with method EAP Identity (1)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: Issuing Challenge
(8) eap: Sending EAP Request (code 1) ID 12 length 43
(8) eap: EAP session adding &reply:State = 0xcd5f27e3cd533d7f
(8) [eap] = handled
(8) } # authenticate = handled
(8) } # server inner-tunnel
(8) Virtual server sending reply
(8) EAP-Message =
0x010c002b1a010c002610fba8fb3aac28c0bc78ca631f320436b6667265657261646975732d332e302e3132
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xcd5f27e3cd533d7f53bfae26bc7d5c8e
(8) eap_fast: Got tunneled Access-Challenge
(8) eap_fast: Challenge
(8) eap: Sending EAP Request (code 1) ID 12 length 91
(8) eap: EAP session adding &reply:State = 0xd951d3a9dc5df8ab
(8) [eap] = handled
(8) } # authenticate = handled
(8) Using Post-Auth-Type Challenge
(8) Post-Auth-Type sub-section not found. Ignoring.
(8) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(8) Sent Access-Challenge Id 120 from 10.30.32.40:1812 to 10.30.32.46:3073
length 0
(8) EAP-Message =
0x010c005b2b0117030100505c32d6e574493d1fae7ed03024b6391b56fd8373b43e14b9908313ec682d1b783b962518a2f3666e7f13f843f37e6f924435d3d074119b47d571473c95478d5cfcc443fea1145ff781a807b56b7ccbe1
(8) Message-Authenticator = 0x00000000000000000000000000000000
(8) State = 0xd951d3a9dc5df8abc01e99543ad15de0
(8) Finished request
Waking up in 4.2 seconds.
(9) Received Access-Request Id 121 from 10.30.32.46:3073 to 10.30.32.40:1812
length 269
(9) User-Name = "bob"
(9) NAS-Port = 0
(9) Called-Station-Id = "14-D6-4D-C7-DC-88:DLINK-SDESQE-EAP-2"
(9) Calling-Station-Id = "00-AE-FA-9C-FF-FC"
(9) Framed-MTU = 1400
(9) NAS-Port-Type = Wireless-802.11
(9) Connect-Info = "CONNECT 11Mbps 802.11b"
(9) EAP-Message =
0x020c006b2b011703010060fe42e1f967e18b8037a3c0dc98b2488f66fa4c0f9eb383d19e0632cf01ec98325fbb3eeb5c6f503235e424c8ae20a288d039334e277fc5c34a28d2308b03a2f750b82b736652de1faaf697bdd5171a70727aebda1f253487ef0dd7d9c1d73505
(9) State = 0xd951d3a9dc5df8abc01e99543ad15de0
(9) Message-Authenticator = 0xf2df5a7c3c9352285f1942cc3e56db7b
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) ->
FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [preprocess] = ok
(9) [chap] = noop
(9) [mschap] = noop
(9) [digest] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "bob", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) eap: Peer sent EAP Response (code 2) ID 12 length 107
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files: users: Matched entry bob at line 87
(9) [files] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) authenticate {
(9) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60
(9) eap: Finished EAP session with state 0xd951d3a9dc5df8ab
(9) eap: Previous EAP request found for state 0xd951d3a9dc5df8ab, released
from the list
(9) eap: Peer sent packet with method EAP FAST (43)
(9) eap: Calling submodule eap_fast to process data
(9) eap_fast: Authenticate
(9) eap_fast: Continuing EAP-TLS
(9) eap_fast: [eaptls verify] = ok
(9) eap_fast: Done initial handshake
(9) eap_fast: [eaptls process] = ok
(9) eap_fast: Session established. Proceeding to decode tunneled attributes
(9) eap_fast: Got Tunneled FAST TLVs
(9) eap_fast: FreeRADIUS-EAP-FAST-EAP-Payload =
0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62
(9) eap_fast: Processing received EAP Payload
(9) eap_fast: Got tunneled request
(9) eap_fast: EAP-Message =
0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62
(9) eap_fast: WARNING: AUTHENTICATION
(9) eap_fast: WARNING: AUTHENTICATION
(9) Virtual server inner-tunnel received request
(9) EAP-Message =
0x020c003e1a020c0039310000000000000000000000000000000000000000000000002f87a8fd680c8c2541e34eb0ae6de571dcc6da7cb15872c900626f62
(9) FreeRADIUS-Proxied-To = 127.0.0.1
(9) User-Name = "bob"
(9) State = 0xcd5f27e3cd533d7f53bfae26bc7d5c8e
(9) WARNING: Outer and inner identities are the same. User privacy is
compromised.
(9) server inner-tunnel {
(9) session-state: No cached attributes
(9) # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authorize {
(9) policy filter_username {
(9) if (&User-Name) {
(9) if (&User-Name) -> TRUE
(9) if (&User-Name) {
(9) if (&User-Name =~ / /) {
(9) if (&User-Name =~ / /) -> FALSE
(9) if (&User-Name =~ /@[^@]*@/ ) {
(9) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(9) if (&User-Name =~ /\.\./ ) {
(9) if (&User-Name =~ /\.\./ ) -> FALSE
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(9) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
-> FALSE
(9) if (&User-Name =~ /\.$/) {
(9) if (&User-Name =~ /\.$/) -> FALSE
(9) if (&User-Name =~ /@\./) {
(9) if (&User-Name =~ /@\./) -> FALSE
(9) } # if (&User-Name) = notfound
(9) } # policy filter_username = notfound
(9) [chap] = noop
(9) [mschap] = noop
(9) suffix: Checking for suffix after "@"
(9) suffix: No '@' in User-Name = "bob", looking up realm NULL
(9) suffix: No such realm "NULL"
(9) [suffix] = noop
(9) update control {
(9) &Proxy-To-Realm := LOCAL
(9) } # update control = noop
(9) eap: Peer sent EAP Response (code 2) ID 12 length 62
(9) eap: No EAP Start, assuming it's an on-going EAP conversation
(9) [eap] = updated
(9) files: users: Matched entry bob at line 87
(9) [files] = ok
(9) [expiration] = noop
(9) [logintime] = noop
(9) pap: WARNING: Auth-Type already set. Not setting to PAP
(9) [pap] = noop
(9) } # authorize = updated
(9) Found Auth-Type = eap
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) authenticate {
(9) eap: Expiring EAP session with state 0x592fa0ee5b2c8b60
(9) eap: Finished EAP session with state 0xcd5f27e3cd533d7f
(9) eap: Previous EAP request found for state 0xcd5f27e3cd533d7f, released
from the list
(9) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(9) eap: Calling submodule eap_mschapv2 to process data
(9) eap_mschapv2: # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) eap_mschapv2: authenticate {
(9) mschap: Found Cleartext-Password, hashing to create NT-Password
(9) mschap: Found Cleartext-Password, hashing to create LM-Password
(9) mschap: Creating challenge hash with username: bob
(9) mschap: Client is using MS-CHAPv2
(9) mschap: ERROR: MS-CHAP2-Response is incorrect
(9) [mschap] = reject
(9) } # authenticate = reject
(9) eap: Sending EAP Failure (code 4) ID 12 length 4
(9) eap: Freeing handler
(9) [eap] = reject
(9) } # authenticate = reject
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file
/usr/local/etc/raddb/sites-enabled/inner-tunnel
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> bob
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) update outer.session-state {
(9) &Module-Failure-Message := &request:Module-Failure-Message ->
'mschap: MS-CHAP2-Response is incorrect'
(9) } # update outer.session-state = noop
(9) } # Post-Auth-Type REJECT = updated
(9) } # server inner-tunnel
(9) Virtual server sending reply
(9) MS-CHAP-Error = "\014E=691 R=1 C=4a33d9cc35a85083c14a907490347b3c V=3
M=Authentication failed"
(9) EAP-Message = 0x040c0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) eap_fast: Got tunneled Access-Reject
(9) eap_fast: Reject
(9) eap: ERROR: Failed continuing EAP FAST (43) session. EAP sub-module
failed
(9) eap: Sending EAP Failure (code 4) ID 12 length 4
(9) eap: Failed in EAP select
(9) [eap] = invalid
(9) } # authenticate = invalid
(9) Failed to authenticate the user
(9) Using Post-Auth-Type Reject
(9) # Executing group from file /usr/local/etc/raddb/sites-enabled/default
(9) Post-Auth-Type REJECT {
(9) attr_filter.access_reject: EXPAND %{User-Name}
(9) attr_filter.access_reject: --> bob
(9) attr_filter.access_reject: Matched entry DEFAULT at line 11
(9) [attr_filter.access_reject] = updated
(9) [eap] = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # Post-Auth-Type REJECT = updated
(9) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(9) Sending delayed response
(9) Sent Access-Reject Id 121 from 10.30.32.40:1812 to 10.30.32.46:3073
length 44
(9) EAP-Message = 0x040c0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
More information about the Freeradius-Users
mailing list