EAP Auth-Type Error
Byron Jeffery
byronjeffery at cem.org.au
Wed Oct 18 00:55:38 CEST 2017
Hi All
I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an
Azure environment authenticating to an Active Directory server using
eap-peap-mschap.
I also have a Freeradius version 3.0.12 currently running and have
replicated all the settings across to the new build, however, I am unable
to successfully authenticate and have noted the error "eap: No EAP-Message,
not doing EAP" in the debug as follows particularly when moving from
default to inner-tunnel:
eap: Continuing tunnel setup
(6) [eap] = ok
(6) } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) authenticate {
(6) eap: Expiring EAP session with state 0xa70318b8a2020d85
(6) eap: Finished EAP session with state 0xa70318b8a2020d85
(6) eap: Previous EAP request found for state 0xa70318b8a2020d85, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: Peer indicated complete TLS record size will be 69 bytes
(6) eap_ttls: Got complete TLS record (69 bytes)
(6) eap_ttls: [eaptls verify] = length included
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established. Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls: User-Name = "omitted"
(6) eap_ttls: User-Password = "omitted"
(6) eap_ttls: FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) User-Name = "omitted"
(6) User-Password = "omitted"
(6) FreeRADIUS-Proxied-To = 127.0.0.1
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6) # Executing section authorize from file
/etc/freeradius/sites-enabled/inner-tunnel
(6) authorize {
(6) policy filter_username {
(6) if (&User-Name) {
(6) if (&User-Name) -> TRUE
(6) if (&User-Name) {
(6) if (&User-Name =~ / /) {
(6) if (&User-Name =~ / /) -> FALSE
(6) if (&User-Name =~ /@[^@]*@/ ) {
(6) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(6) if (&User-Name =~ /\.\./ ) {
(6) if (&User-Name =~ /\.\./ ) -> FALSE
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(6) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(6) if (&User-Name =~ /\.$/) {
(6) if (&User-Name =~ /\.$/) -> FALSE
(6) if (&User-Name =~ /@\./) {
(6) if (&User-Name =~ /@\./) -> FALSE
(6) } # if (&User-Name) = notfound
(6) } # policy filter_username = notfound
(6) [mschap] = noop
(6) update control {
(6) &Proxy-To-Realm := LOCAL
(6) } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6) [eap] = noop
(6) [expiration] = noop
(6) [logintime] = noop
(6) } # authorize = noop
(6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> omitted
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) update outer.session-state {
(6) &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(6) } # update outer.session-state = noop
(6) } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) eap_ttls: Got tunneled Access-Reject
(6) eap: ERROR: Failed continuing EAP TTLS (21) session. EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 1 length 4
(6) eap: Failed in EAP select
(6) [eap] = invalid
(6) } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6) Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject: --> omitted
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6) [attr_filter.access_reject] = updated
(6) [eap] = noop
(6) policy remove_reply_message_if_eap {
(6) if (&reply:EAP-Message && &reply:Reply-Message) {
(6) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(6) else {
(6) [noop] = noop
(6) } # else = noop
(6) } # policy remove_reply_message_if_eap = noop
(6) } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds
I am a bit stumped as to where I might be going wrong, as I have set
default_eap_type = peap in the /mods-enabled/eap file and have the following
enabled in the authorise and authentication sections of the
sites-enabled/inner-tunnel file:
authorize {
    filter_username
    update control {
        &Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    expiration
    logintime
}
authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }
    #
    # MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }
    #
    # For old names, too.
    #
    mschap
    # Allow EAP authentication.
    eap
}
From the debug log I posted above, it seems that the eap message is not
being passed through to the inner-tunnel.
As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success
(0x0)" message.
I have even rebuilt the server leaving many of the default settings, but am
still getting the error.
I hope I am not missing the obvious and would appreciate if someone could
point me in the right direction.
In addition, my other question is why do I get the "WARNING: Outer and
inner identities are the same. User privacy is compromised." warning and
how may I make it more secure?
Kind Regards
Byron Jeffery
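A triage helper for debug output of the shape quoted above, added here as an example and not code from FreeRADIUS or from the poster. It reads what the log already states: the peer announces EAP TTLS (21) rather than PEAP, and the tunneled request carries User-Password instead of an EAP-Message, so the inner-tunnel eap module returning noop is expected and some non-EAP module (the stock inner-tunnel uses pap, which the posted authorize section does not list) has to set the Auth-Type. Both log excerpts are constructed from the post's lines; the PEAP sample and its hex value are made up for contrast.

```python
import re

# Constructed excerpt modelled on the TTLS debug output in the post (values omitted as there).
TTLS_LOG = """\
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "omitted"
(6) eap_ttls:   User-Password = "omitted"
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) WARNING: Outer and inner identities are the same. User privacy is compromised.
(6) server inner-tunnel {
(6)     eap: No EAP-Message, not doing EAP
(6)     [eap] = noop
(6) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

# Constructed PEAP excerpt for contrast: the inner request is itself an EAP packet.
PEAP_LOG = """\
(7) eap: Peer sent packet with method EAP PEAP (25)
(7) eap_peap: Got tunneled request
(7) eap_peap:   EAP-Message = 0x0201000a01616e6f6e
"""

METHOD_RE = re.compile(r"Peer sent packet with method EAP (\S+) \((\d+)\)")
TUNNELED_RE = re.compile(r"eap_(?:ttls|peap):\s+([\w-]+) = ")   # attributes decoded from the tunnel


def triage(log_text, expected_method="PEAP"):
    """Return the outer EAP method, the kind of inner authentication and a list of finding codes."""
    m = METHOD_RE.search(log_text)
    method = (m.group(1), int(m.group(2))) if m else None
    attrs = set(TUNNELED_RE.findall(log_text))
    if "EAP-Message" in attrs:
        inner = "EAP"       # PEAP or TTLS/EAP: the inner eap module can set Auth-Type
    elif "User-Password" in attrs:
        inner = "PAP"       # TTLS/PAP: a plaintext password, no EAP inside the tunnel
    elif attrs & {"MS-CHAP-Response", "MS-CHAP2-Response"}:
        inner = "MSCHAP"    # TTLS/MSCHAPv2: the mschap module sets Auth-Type
    else:
        inner = "unknown"
    findings = []
    if method and method[0] != expected_method:
        findings.append("supplicant_chose_other_method")   # default_eap_type is only the server's first offer
    if inner == "PAP" and "No EAP-Message, not doing EAP" in log_text:
        findings.append("inner_pap_needs_non_eap_auth_type")  # eap noop is correct; pap must set Auth-Type
    if "No Auth-Type found" in log_text:
        findings.append("no_auth_type_set")
    if "Outer and inner identities are the same" in log_text:
        findings.append("outer_identity_not_anonymous")   # fixed on the supplicant with an anonymous outer identity
    return {"eap_method": method, "inner_auth": inner, "tunneled_attrs": attrs, "findings": findings}
```

The privacy warning is raised because the identity sent in the clear outside the TLS tunnel equals the one inside it; configuring an anonymous outer identity on the clients removes it.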