Loop in sites-enabled/default

Alan Buxey alan.buxey at gmail.com
Thu May 4 23:21:41 CEST 2017


hi,

> The freeradius server is authenticating (verifying passwords) against an external LDAP server (no AD involved). The LDAP part worked using radtest and plain-text passwords on localhost:1812. I enabled mschap in the authorize section of the inner-tunnel config, enabled ldap in mods-enabled/inner-tunnel, and enabled the control:NT-Password in the update section of the ldap module. Radtest on localhost:18120 now works. Thanks for the help on this.
>
> From the wireless client, authentication without a realm now works. Logs still show the authentication process looping through 10 times before sending the Access-Accept response.
>
> Is this normal?


it's not 'looping' - it's going through the EAP process.  client sends
EAP request, server acknowledges, client starts PEAP - server sends
its server certificate, client accepts, client sends ID etc, server
then starts the MSCHAPv2 challenge response etc (this is all
simplified ;-)  - each of these takes the form of a new access request
and challenge-response etc on RADIUS side. RADIUS is not a 'stateful
conversation' - each RADIUS UDP datagram is its own isolated thing
which passes through the RADIUS server from start to end
(with a few shortcuts - like 'oh this is an ongoing conversation in
the EAP phase, jump straight there' - part of this is because policies
may change during the auth depending on what new bit of info is
seen... and other things are more legacy).

if you test your client with eg eapol_test - which simulates a
conversation via a NAS - you will see this same
conversation....radtest is a very very dumb 'user/password in one
access-request' - only use it for very simple/dumb tests...then stop
using it ;-)

these resources may help :)

http://packetlife.net/blog/2008/nov/10/ieee-8021x-cheat-sheet/
http://ptgmedia.pearsoncmg.com/images/chap07_1587051540/elementLinks/fig15.jpg

alan
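The point above, that one PEAP login is many independent Access-Request/Access-Challenge datagrams tied together only by the State attribute, can be checked directly in the server's debug output. The following is an added example, not code from Alan or from the FreeRADIUS project: a small Python parser that reads `radiusd -X`-style packet lines, stitches requests to the conversation that issued the State they echo, and reports how many round trips each login took. The log text is constructed to resemble that format (packet lines, then indented `Name = value` attribute lines); the addresses, Ids and State tokens are made up, and the builder function that produces the sample is a convenience for running the example offline, not part of any real capture.

```python
"""Group RADIUS debug-log packets into EAP conversations (added example).

Shows why a radtest PAP login is one Access-Request while a PEAP login from
a real supplicant/NAS is a chain of Access-Request -> Access-Challenge pairs
ending in Access-Accept.  Log format approximates `radiusd -X` output; all
values below are constructed, not captured from a live server.
"""
import re
from dataclasses import dataclass, field

# "(0) Received Access-Request Id 1 from 127.0.0.1:40000 to 127.0.0.1:1812 length 73"
PACKET_RE = re.compile(
    r"^\((?P<req>\d+)\) (?P<dir>Received|Sent) "
    r"(?P<code>Access-(?:Request|Challenge|Accept|Reject)) "
    r"Id (?P<id>\d+) from (?P<src>\S+) to (?P<dst>\S+) length \d+$"
)
# "(0)   User-Name = \"bob\""  (attribute lines follow the packet line)
ATTR_RE = re.compile(r"^\((?P<req>\d+)\)\s+(?P<name>[A-Za-z0-9-]+) = (?P<val>.+)$")


@dataclass
class Packet:
    req: int
    code: str
    attrs: dict = field(default_factory=dict)


@dataclass
class Conversation:
    user: str
    requests: int = 0
    challenges: int = 0
    outcome: str = "unfinished"


def parse_log(text):
    """Turn debug-log lines into Packet objects with their attributes."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            packets.append(Packet(int(m["req"]), m["code"]))
            continue
        m = ATTR_RE.match(line)
        if m and packets and packets[-1].req == int(m["req"]):
            packets[-1].attrs[m["name"]] = m["val"].strip('"')
    return packets


def stitch(packets):
    """Link each Access-Request to the conversation whose State it echoes.

    A request without a known State starts a new conversation; a challenge
    registers its State so the next request can be matched back to it.
    """
    convs, pending, current = [], {}, None
    for p in packets:
        if p.code == "Access-Request":
            state = p.attrs.get("State")
            current = pending.pop(state, None) if state else None
            if current is None:
                current = Conversation(user=p.attrs.get("User-Name", "?"))
                convs.append(current)
            current.requests += 1
        elif current is None:
            continue  # reply with no preceding request; nothing to attach to
        elif p.code == "Access-Challenge":
            current.challenges += 1
            if "State" in p.attrs:
                pending[p.attrs["State"]] = current
        else:  # Access-Accept / Access-Reject closes the conversation
            current.outcome = p.code
    return convs


def summarize(text):
    return [(c.user, c.requests, c.challenges, c.outcome) for c in stitch(parse_log(text))]


def build_sample(eap_rounds=10):
    """Constructed log: one radtest PAP login, then one PEAP login of N round trips."""
    lines, req = [], 0
    lines += [
        f"({req}) Received Access-Request Id 1 from 127.0.0.1:40000 to 127.0.0.1:1812 length 73",
        f'({req})   User-Name = "bob"',
        f'({req})   User-Password = "hello"',
        f"({req}) Sent Access-Accept Id 1 from 127.0.0.1:1812 to 127.0.0.1:40000 length 20",
    ]
    req += 1
    state = None
    for i in range(eap_rounds):
        lines.append(f"({req}) Received Access-Request Id {i + 2} from 192.0.2.10:32768 to 192.0.2.1:1812 length 150")
        lines.append(f'({req})   User-Name = "anonymous"')
        lines.append(f"({req})   EAP-Message = 0x02{i:02x}0006...")  # placeholder EAP payload
        if state:
            lines.append(f"({req})   State = {state}")  # client echoes the last challenge's State
        last = i == eap_rounds - 1
        code = "Access-Accept" if last else "Access-Challenge"
        lines.append(f"({req}) Sent {code} Id {i + 2} from 192.0.2.1:1812 to 192.0.2.10:32768 length 64")
        if not last:
            state = f"0x{i:02x}deadbeef"  # made-up State token
            lines.append(f"({req})   State = {state}")
        req += 1
    return "\n".join(lines)


if __name__ == "__main__":
    for user, reqs, chals, outcome in summarize(build_sample(10)):
        print(f"{user}: {reqs} Access-Request, {chals} Access-Challenge, final {outcome}")
```

Run against a real `radiusd -X` capture (after checking that the packet and attribute lines match the two regexes for your version), the same stitching shows a single user appearing ten or so times as one conversation with one final outcome, which is the EAP exchange, not a retry loop; genuine retransmission loops show up instead as repeated requests that never advance the State chain.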


