Custom handling of EAP module reject

Alberto Martínez alberto_martinez at deusto.es
Thu Apr 6 13:29:08 CEST 2017


Hi all,

I got this:

(4) eap_rogue: Peer sent packet with method EAP PEAP (25)
(4) eap_rogue: Calling submodule eap_peap to process data
(4) eap_peap: Continuing EAP-TLS
(4) eap_peap: Peer indicated complete TLS record size will be 7 bytes
(4) eap_peap: Got complete TLS record (7 bytes)
(4) eap_peap: [eaptls verify] = length included
(4) eap_peap: <<< recv TLS 1.0 Alert [length 0002], fatal unknown_ca
(4) eap_peap: ERROR: TLS Alert read:fatal:unknown CA
(4) eap_peap: ERROR: TLS_accept: Failed in unknown state
(4) eap_peap: ERROR: Failed in __FUNCTION__ (SSL_read)
(4) eap_peap: ERROR: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
(4) eap_peap: ERROR: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
(4) eap_peap: ERROR: System call (I/O) error (-1)
(4) eap_peap: ERROR: TLS receive handshake failed during operation
(4) eap_peap: ERROR: [eaptls process] = fail
(4) eap_rogue: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(4) eap_rogue: Sending EAP Failure (code 4) ID 6 length 4
(4) eap_rogue: Failed in EAP select
(4)     [eap_rogue] = invalid
(4)   } # authenticate = invalid
(4) Failed to authenticate the user
(4) Login incorrect (eap_peap: TLS Alert read:fatal:unknown CA): [<redacted>] (from client OAW_4650 port 0 cli A0-88-B4-2B-7F-E8)
(4) Using Post-Auth-Type Reject
(4) # Executing group from file /usr/local/freeradius-3.0.13/etc/raddb/sites-enabled/default
(4)   Post-Auth-Type REJECT {
(4) attr_filter.access_reject: EXPAND %{User-Name}
(4) attr_filter.access_reject:    --> <redacted>
(4) attr_filter.access_reject: Matched entry DEFAULT at line 11
(4)     [attr_filter.access_reject] = updated
(4)     [eap_legit] = noop
(4)     policy remove_reply_message_if_eap {
(4)       if (&reply:EAP-Message && &reply:Reply-Message) {
(4)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(4)       else {
(4)         [noop] = noop
(4)       } # else = noop
(4)     } # policy remove_reply_message_if_eap = noop
(4)   } # Post-Auth-Type REJECT = updated
(4) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(4) Sending delayed response
(4) Sent Access-Reject Id 176 from 172.16.250.29:1812 to 192.168.250.242:56028 length 44
(4)   EAP-Message = 0x04060004
(4)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.

I want to make a SQL call whenever the EAP module fails in authorize. I
have tried with a redundant block but the SQL call is not a module and was
ignored.

How can I intercept the reject action?
And, even better: how can I access the "TLS Alert read:fatal:unknown CA" string from unlang?

Thanks!
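An added example of the hook the trace above already runs through, not part of the original post: the Post-Auth-Type REJECT section of the default virtual server is where a failed authentication can be recorded. It assumes an sql module instance is enabled (mods-enabled/sql) and that the string shown in the "Login incorrect (...)" line is carried in the Module-Failure-Message attribute, which is where FreeRADIUS 3.0 modules report their failure reason; the `linelog` instance name is a placeholder.

```unlang
# sites-enabled/default (FreeRADIUS 3.0.x), inside "server default { ... }"
# Added example, not the poster's configuration.
Post-Auth-Type REJECT {
	# Record the rejected attempt in SQL (postauth query of the sql
	# module; the leading "-" makes the call optional so an unloaded
	# module does not fail the section).
	-sql

	# Module-Failure-Message is set by the module that failed. For the
	# trace in this thread it contains:
	#   "eap_peap: TLS Alert read:fatal:unknown CA"
	# Branch on it to distinguish a client that rejects the server
	# certificate from other EAP failures.
	if (&Module-Failure-Message && (&Module-Failure-Message =~ /unknown CA/)) {
		# Placeholder linelog instance (assumed to exist in
		# mods-enabled/linelog) that writes one line per event.
		reject_unknown_ca
	}

	# Keep the stock reject handling from the default configuration.
	attr_filter.access_reject
	eap
	remove_reply_message_if_eap
}
```

The failure reason can also be inserted into the SQL row by referencing `%{Module-Failure-Message}` in the sql module's post-auth query in mods-config/sql/main/<driver>/queries.conf (assumed layout for 3.0.x).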


More information about the Freeradius-Users mailing list