dot1x PEAPoMSChapv2 timers

Matthew Newton mcn at freeradius.org
Thu Dec 14 11:26:29 CET 2017


On Thu, 2017-12-14 at 10:11 +0300, 3 at D4rkn3ss DuMb wrote:
> is currently serving
> around 400 supplicants, it is dropping the clients (randomly) after a
> timeout.

What does this mean? FreeRADIUS doesn't "drop clients".


>  below the setup (simple enough):
> 
> FreeRADIUS authenticates the client (supplicants) to the AD, then
> verifies
> if its MAC address is authorized to connect or not.

According to the debug output, that all looks OK.

> file /usr/local/etc/raddb/sites-enabled/inner-tunnel
> Wed Dec 13 16:39:52 2017 : Debug: (73) eap_mschapv2:   Auth-Type MS-
> CHAP {
> Wed Dec 13 16:39:52 2017 : Debug: (73) eap_mschapv2:
> modsingle[authenticate]: calling mschap (rlm_mschap)
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: Creating challenge
> hash with
> username: host/test0LAB.ar0s.is
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: Client is using MS-
> CHAPv2
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: Executing:
> /usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-
> Name}:-00}
> --domain=%{mschap:NT-Domain} --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00} :
> Wed Dec 13 16:39:52 2017 : Debug: --username=%{%{mschap:User-Name}:-
> 00}
> Wed Dec 13 16:39:52 2017 : Debug: Parsed xlat tree:
> Wed Dec 13 16:39:52 2017 : Debug: literal --> --username=
> Wed Dec 13 16:39:52 2017 : Debug: XLAT-IF {
> Wed Dec 13 16:39:52 2017 : Debug:     xlat --> mschap
> Wed Dec 13 16:39:52 2017 : Debug:     {
> Wed Dec 13 16:39:52 2017 : Debug:         literal --> User-Name
> Wed Dec 13 16:39:52 2017 : Debug:     }
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: XLAT-ELSE {
> Wed Dec 13 16:39:52 2017 : Debug:     literal --> 00
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: EXPAND
> --username=%{%{mschap:User-Name}:-00}
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap:    --> --
> username=test0LAB$
> Wed Dec 13 16:39:52 2017 : Debug: --domain=%{mschap:NT-Domain}
> Wed Dec 13 16:39:52 2017 : Debug: Parsed xlat tree:
> Wed Dec 13 16:39:52 2017 : Debug: literal --> --domain=
> Wed Dec 13 16:39:52 2017 : Debug: xlat --> mschap
> Wed Dec 13 16:39:52 2017 : Debug: {
> Wed Dec 13 16:39:52 2017 : Debug:     literal --> NT-Domain
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: EXPAND
> --domain=%{mschap:NT-Domain}
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap:    --> --domain=bcm
> Wed Dec 13 16:39:52 2017 : Debug: --challenge=%{%{mschap:Challenge}:-
> 00}
> Wed Dec 13 16:39:52 2017 : Debug: Parsed xlat tree:
> Wed Dec 13 16:39:52 2017 : Debug: literal --> --challenge=
> Wed Dec 13 16:39:52 2017 : Debug: XLAT-IF {
> Wed Dec 13 16:39:52 2017 : Debug:     xlat --> mschap
> Wed Dec 13 16:39:52 2017 : Debug:     {
> Wed Dec 13 16:39:52 2017 : Debug:         literal --> Challenge
> Wed Dec 13 16:39:52 2017 : Debug:     }
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: XLAT-ELSE {
> Wed Dec 13 16:39:52 2017 : Debug:     literal --> 00
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: Creating challenge
> hash with
> username: host/test0LAB.ar0s.is
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: EXPAND
> --challenge=%{%{mschap:Challenge}:-00}
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap:    -->
> --challenge=63e591e3006dd7d0
> Wed Dec 13 16:39:52 2017 : Debug: --nt-response=%{%{mschap:NT-
> Response}:-00}
> Wed Dec 13 16:39:52 2017 : Debug: Parsed xlat tree:
> Wed Dec 13 16:39:52 2017 : Debug: literal --> --nt-response=
> Wed Dec 13 16:39:52 2017 : Debug: XLAT-IF {
> Wed Dec 13 16:39:52 2017 : Debug:     xlat --> mschap
> Wed Dec 13 16:39:52 2017 : Debug:     {
> Wed Dec 13 16:39:52 2017 : Debug:         literal --> NT-Response
> Wed Dec 13 16:39:52 2017 : Debug:     }
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: XLAT-ELSE {
> Wed Dec 13 16:39:52 2017 : Debug:     literal --> 00
> Wed Dec 13 16:39:52 2017 : Debug: }
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: EXPAND
> --nt-response=%{%{mschap:NT-Response}:-00}
> Wed Dec 13 16:39:52 2017 : Debug: (73) mschap:    -->
> --nt-response=ebe1377d01d09cbe0bfda9256149732ec2b94b30d4cbc327
> Wed Dec 13 16:39:52 2017 : Debug: Waking up in 0.4 seconds.
> Wed Dec 13 16:39:53 2017 : Debug: Waking up in 0.7 seconds.
> Wed Dec 13 16:39:53 2017 : Debug: Waking up in 1.1 seconds.
> Wed Dec 13 16:39:54 2017 : Debug: (73) mschap: Program returned code
> (0)
> and output 'NT_KEY: 584702B9B75800AE1371683946584AFD'
> Wed Dec 13 16:39:54 2017 : Debug: (73) mschap: Adding MS-CHAPv2 MPPE
> keys
> Wed Dec 13 16:39:54 2017 : Debug: (73)     modsingle[authenticate]:
> returned from mschap (rlm_mschap)
> Wed Dec 13 16:39:54 2017 : Debug: (73)     [mschap] = ok
> Wed Dec 13 16:39:54 2017 : Debug: (73)   } # Auth-Type MS-CHAP = ok
> Wed Dec 13 16:39:54 2017 : Debug: (73) MSCHAP Success

ntlm_auth success


> Wed Dec 13 16:39:54 2017 : Debug: (75) Sent Access-Accept Id 255 from
> 192.168.10.13:1812 to 10.100.100.114:1645 length 0
> Wed Dec 13 16:39:54 2017 : Debug: (75)   User-Name =
> "host/test0LAB.ar0s.is"
> Wed Dec 13 16:39:54 2017 : Debug: (75)   MS-MPPE-Recv-Key =
> 0x486fb959688d8e906b557ec62c85361250d02c1d6fc453b68af967fcda89a2b6
> Wed Dec 13 16:39:54 2017 : Debug: (75)   MS-MPPE-Send-Key =
> 0xe3def073214fa616aa59e9f3d67826d872b2872340cc925164c2fb01f4f575b8
> Wed Dec 13 16:39:54 2017 : Debug: (75)   EAP-Message = 0x03ed0004
> Wed Dec 13 16:39:54 2017 : Debug: (75)   Message-Authenticator =
> 0x00000000000000000000000000000000
> Wed Dec 13 16:39:54 2017 : Debug: (75) Finished request

Access-Accept

So, what's the problem?

And next time, *please* just use radiusd -X. Using -Xxxx is just
unnecessary and tedious to read.

-- 
Matthew
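The quoted debug output shows ntlm_auth being executed at 16:39:52 and returning at 16:39:54, i.e. a roughly two-second AD round trip inside the inner tunnel. Below is an added example (not code from the thread or from FreeRADIUS) that pairs each "Executing: ntlm_auth" line with its "Program returned code" line for the same request number in radiusd -X output and reports the wall-clock gap, so slow AD lookups can be correlated with the EAP timers the subject line asks about. The log lines in SAMPLE_LOG are constructed in the same shape as the quoted log; the NT_KEY and failure text are placeholders, and the warn_after threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the format of radiusd -X output; values are placeholders.
SAMPLE_LOG = """\
Wed Dec 13 16:39:52 2017 : Debug: (73) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=test0LAB$ --domain=bcm
Wed Dec 13 16:39:52 2017 : Debug: Waking up in 0.4 seconds.
Wed Dec 13 16:39:53 2017 : Debug: Waking up in 0.7 seconds.
Wed Dec 13 16:39:54 2017 : Debug: (73) mschap: Program returned code (0) and output 'NT_KEY: PLACEHOLDER'
Wed Dec 13 16:39:54 2017 : Debug: (74) mschap: Executing: /usr/bin/ntlm_auth --request-nt-key --username=other$ --domain=bcm
Wed Dec 13 16:39:59 2017 : Debug: (74) mschap: Program returned code (1) and output 'constructed-failure-output'
"""

# Only the two mschap lines we care about match; "Waking up" lines carry no
# request number and are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Debug: "
    r"\((?P<req>\d+)\) mschap: (?:(?P<exec>Executing: \S*ntlm_auth)"
    r"|Program returned code \((?P<rc>\d+)\))"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"


def ntlm_auth_latencies(log_text, warn_after=1.0):
    """Return one record per completed ntlm_auth call: request number,
    seconds between exec and return, exit code, and whether it exceeded
    warn_after (assumed threshold, in seconds)."""
    started = {}   # request number -> datetime of the Executing line
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        req = int(m["req"])
        if m["exec"]:
            started[req] = ts
        elif req in started:
            secs = (ts - started.pop(req)).total_seconds()
            results.append({"request": req, "seconds": secs,
                            "rc": int(m["rc"]), "slow": secs >= warn_after})
    return results


if __name__ == "__main__":
    for r in ntlm_auth_latencies(SAMPLE_LOG):
        print(r)
```

Run against a real radiusd -X capture, a cluster of slow or failing calls is the first thing to compare with the NAS and supplicant EAP retransmit settings.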


