EAP request to FreeRADIUS 3 server backed by MariaDB has empty password
Alan DeKok
aland at deployingradius.com
Mon Oct 2 22:42:36 CEST 2017
On Oct 2, 2017, at 4:28 PM, Oliver Webb <ow97nospam at outlook.com> wrote:
>
> Apologies for the inconvenience. As requested, the server's debug output as produced during a radeapclient request:
Let's go through it and pick out the important bits.
> (0) Received Access-Request Id 231 from 192.168.1.106:35591 to 192.168.2.110:1812 length 51
> (0) User-Name = "tu"
> (0) Message-Authenticator = 0x79b0471727dfc9526dfc5f2427b06cc9
> (0) EAP-Message = 0x02d20007017475
Note there's no User-Password attribute in the request.
Because it's EAP. There's not *supposed* to be a User-Password attribute.
> ...
> (1) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
> (1) sql: --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tu' ORDER BY id
> (1) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'tu' ORDER BY id
> (1) sql: User found in radcheck table
> (1) sql: Conditional check items matched, merging assignment check items
> (1) sql: Cleartext-Password := "testp2"
That's good.
> ...
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/raddb/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xfdc37fcafd107bfc
> (1) eap: Finished EAP session with state 0xfdc37fcafd107bfc
> (1) eap: Previous EAP request found for state 0xfdc37fcafd107bfc, released from the list
> (1) eap: Peer sent packet with method EAP MD5 (4)
> (1) eap: Calling submodule eap_md5 to process data
> (1) eap: Sending EAP Failure (code 4) ID 211 length 4
> (1) eap: Freeing handler
> (1) [eap] = reject
Whatever password you entered in radeapclient doesn't match what's in the SQL database.
It works for me with this input file in radeapclient:

    User-Name = "bob"
    Cleartext-Password = "bob"
    NAS-IP-Address = 127.0.0.1
    EAP-Code = Response
    EAP-Id = 210
    EAP-Type-Identity = "bob"
    Message-Authenticator = 0
    NAS-Port = 0

Alan DeKok.
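
Added example, not part of the original message and not FreeRADIUS code: a Python sketch that decodes the EAP-Message value from packet (0) of the debug output and repeats the EAP-MD5 comparison a server makes against the stored Cleartext-Password, which is why no User-Password attribute is needed and why a mismatched client password ends in EAP Failure. The function names, the challenge bytes and the wrong password "testp3" are constructed for illustration; ID 211 and "testp2" are taken from the log above.

```python
import hashlib
import hmac
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge"}

def parse_eap(hexstr):
    """Decode an EAP-Message value as printed in the debug output (0x...)."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.lower().startswith("0x") else hexstr)
    if len(raw) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field inconsistent with data")
    raw = raw[:length]  # octets past Length are padding (RFC 3748)
    pkt = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a Type
        pkt["type"] = EAP_TYPES.get(raw[4], raw[4])
        pkt["data"] = raw[5:]
    return pkt

def md5_response(ident, password, challenge):
    """EAP-MD5 value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

def server_accepts(ident, cleartext_password, challenge, peer_value):
    """Recompute from the stored Cleartext-Password and compare."""
    expected = md5_response(ident, cleartext_password, challenge)
    return hmac.compare_digest(expected, peer_value)

if __name__ == "__main__":
    print(parse_eap("0x02d20007017475"))   # EAP-Message from packet (0)
    challenge = bytes(range(16))           # constructed challenge, not from the log
    good = md5_response(211, "testp2", challenge)
    bad = md5_response(211, "testp3", challenge)  # constructed wrong password
    print(server_accepts(211, "testp2", challenge, good))
    print(server_accepts(211, "testp2", challenge, bad))
```
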