Help troubleshooting No EAP session matching...

Dave Aldwinckle daldwinc at uwaterloo.ca
Fri Sep 16 16:37:13 CEST 2016


I always prefer to do a re-write of the configs when upgrading. I find 
the end result is much cleaner, easier to understand, and performs better.

I'm still having a problem matching "No EAP session matching state" to a
particular user or request. The linelog below works, but it doesn't seem
to trigger at the same time that "No EAP session matching state" does. I
thought about moving log_state to sites-enabled/default, but the comment there
says "The "session-state" attributes are not available here", so now I'm lost again.


linelog log_state {
         format = "Rejected user: %{outer.request:User-Name} with State ID %{State} from NAS %{outer.request:NAS-IP-Address}"
         filename = syslog
         syslog_facility = news
}


sites-enabled/inner-tunnel

         Post-Auth-Type REJECT {
                 attr_filter.access_reject

                 #
                 #  Let the outer session know which module failed, and why.
                 #

                 update outer.session-state {
                         &Module-Failure-Message := &request:Module-Failure-Message
                 }
                 log_state
         }


Off-topic, but related: This particular bit "&Module-Failure-Message := 
&request:Module-Failure-Message" is populated with the first ERROR that 
the mschap module spits out, which for us is always "No NT-Domain was 
found in the User-Name." Since none of our User-Names have NT domains in 
them, the message is confusing. Is there any way to include the other 
errors? "Program returned code (1) and output 'Logon failure
(0xc000006d)'" would be a good one:

(72) mschap: Creating challenge hash with username: nstestnexus at uwaterloo.ca
(72) mschap: Client is using MS-CHAPv2
(72) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-NEXUS} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}:
(72) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(72) mschap:    --> --username=nstestnexus
(72) mschap: ERROR: No NT-Domain was found in the User-Name
(72) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-NEXUS}
(72) mschap:    --> --domain=NEXUS
(72) mschap: Creating challenge hash with username: nstestnexus at uwaterloo.ca
(72) mschap: EXPAND --challenge=%{%{mschap:Challenge}:-00}
(72) mschap:    --> --challenge=8953cfebb40e879e
(72) mschap: EXPAND --nt-response=%{%{mschap:NT-Response}:-00}
(72) mschap:    --> --nt-response=f849c79ecfbba60fe76fe6e688b24d9a0f13eadb23632ef6
(72) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(72) mschap: External script failed
(72) mschap: ERROR: External script says: Logon failure (0xc000006d)
(72) mschap: ERROR: MS-CHAP2-Response is incorrect

Thanks,

Dave

Dave Aldwinckle
Network Services
Information Systems & Technology
University of Waterloo
(519)-888-4567, x41145

On 16-09-16 09:52 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>>    Porting configs from v3.0 /v3.1 to v4 will take some effort.  The modules will be 99% similar.  The contents of "authorize", etc. will be 99% similar.  The names of the processing sections will change, and the "listen" sections will change.
>>
>>    It will all be very mechanical edits, but it's tedious.
> whilst I'd strongly advise that orgs migrate by reading their configs and reimplementing
> (which gives them better understanding of the process and allows them to do things in a better way)
> I was planning on a simple script to convert the section names from old name to new name  ;-)
>
> alan
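
A way to see every error the mschap module raised for a request, rather than only the first one that lands in Module-Failure-Message, as an added example that is not part of the post or of FreeRADIUS itself: a small Python parser over the radiusd -X output quoted above. The sample lines are constructed from the quoted request 72; the NOISE list and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of "radiusd -X" output for one request (id 72), modelled on
# the mschap lines quoted in the post; line wrapping from the mail client is undone.
SAMPLE_DEBUG = """\
(72) mschap: Creating challenge hash with username: nstestnexus at uwaterloo.ca
(72) mschap: Client is using MS-CHAPv2
(72) mschap: EXPAND --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}}
(72) mschap:    --> --username=nstestnexus
(72) mschap: ERROR: No NT-Domain was found in the User-Name
(72) mschap: EXPAND --domain=%{%{mschap:NT-Domain}:-NEXUS}
(72) mschap:    --> --domain=NEXUS
(72) mschap: ERROR: Program returned code (1) and output 'Logon failure (0xc000006d)'
(72) mschap: External script failed
(72) mschap: ERROR: External script says: Logon failure (0xc000006d)
(72) mschap: ERROR: MS-CHAP2-Response is incorrect
"""

# "(<request id>) <module>: <message>" is the shape of every module debug line.
LINE_RE = re.compile(r"^\((?P<rid>\d+)\)\s+(?P<module>\S+):\s+(?P<msg>.*)$")
ERROR_PREFIX = "ERROR: "

# The message the post calls noise; skipping it is an assumption that only holds
# for deployments whose User-Names never carry an NT domain.
NOISE = ("No NT-Domain was found in the User-Name",)


def collect_errors(debug_text):
    """Return {request_id: [(module, message), ...]} for every ERROR line, in log order."""
    errors = defaultdict(list)
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("msg").startswith(ERROR_PREFIX):
            continue
        rid = int(m.group("rid"))
        errors[rid].append((m.group("module"), m.group("msg")[len(ERROR_PREFIX):]))
    return dict(errors)


def failure_summary(debug_text, ignore=NOISE):
    """Per request: first non-noise error (the one worth logging), final error, and total."""
    summary = {}
    for rid, errs in collect_errors(debug_text).items():
        meaningful = [msg for _, msg in errs if msg not in ignore]
        summary[rid] = {"first": meaningful[0] if meaningful else None,
                        "last": errs[-1][1], "count": len(errs)}
    return summary
```

Feed it the saved output of radiusd -X and the "first" entry per request is the ntlm_auth failure text the post wants, while "last" is what the module finally rejected on.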


