EAP Auth-Type Error

Byron Jeffery byronjeffery at cem.org.au
Wed Oct 18 00:55:38 CEST 2017


Hi All

I am currently building a Freeradius (Version 3.0.15) on Ubuntu 16.04 in an
Azure environment authenticating to an Active Directory server using
eap-peap-mschap.

I also have a Freeradius version 3.0.12 currently running and have
replicated all the settings across to the new build, however, I am unable
to successfully authenticate and have noted the error "eap: No EAP-Message,
not doing EAP" in the debug as follows particularly when moving from
default to inner-tunnel:

eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xa70318b8a2020d85
(6) eap: Finished EAP session with state 0xa70318b8a2020d85
(6) eap: Previous EAP request found for state 0xa70318b8a2020d85, released from the list
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: Peer indicated complete TLS record size will be 69 bytes
(6) eap_ttls: Got complete TLS record (69 bytes)
(6) eap_ttls: [eaptls verify] = length included
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "omitted"
(6) eap_ttls:   User-Password = "omitted"
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6)   User-Name = "omitted"
(6)   User-Password = "omitted"
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/freeradius/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [mschap] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6)       [eap] = noop
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)     } # authorize = noop
(6)   ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(6)   Failed to authenticate the user
(6)   Using Post-Auth-Type Reject
(6)   # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel
(6)     Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> omitted
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)       [attr_filter.access_reject] = updated
(6)       update outer.session-state {
(6)         &Module-Failure-Message := &request:Module-Failure-Message -> 'No Auth-Type found: rejecting the user via Post-Auth-Type = Reject'
(6)       } # update outer.session-state = noop
(6)     } # Post-Auth-Type REJECT = updated
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6) eap_ttls: Got tunneled Access-Reject
(6) eap: ERROR: Failed continuing EAP TTLS (21) session.  EAP sub-module failed
(6) eap: Sending EAP Failure (code 4) ID 1 length 4
(6) eap: Failed in EAP select
(6)     [eap] = invalid
(6)   } # authenticate = invalid
(6) Failed to authenticate the user
(6) Using Post-Auth-Type Reject
(6) # Executing group from file /etc/freeradius/sites-enabled/default
(6)   Post-Auth-Type REJECT {
(6) attr_filter.access_reject: EXPAND %{User-Name}
(6) attr_filter.access_reject:    --> omitted
(6) attr_filter.access_reject: Matched entry DEFAULT at line 11
(6)     [attr_filter.access_reject] = updated
(6)     [eap] = noop
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)   } # Post-Auth-Type REJECT = updated
(6) Delaying response for 1.000000 seconds

I am a bit stumped as to where I might be going wrong, as I have set
default_eap_type = peap in the mods-enabled/eap file and have the following
enabled in the authorize and authenticate sections of the
sites-enabled/inner-tunnel file:

authorize {
    filter_username

    update control {
        &Proxy-To-Realm := LOCAL
    }

    eap {
        ok = return
    }

    expiration
    logintime
}

authenticate {
    Auth-Type ntlm_auth {
        ntlm_auth
    }

    #
    #  MSCHAP authentication.
    Auth-Type MS-CHAP {
        mschap
    }

    #
    #  For old names, too.
    #
    mschap

    #  Allow EAP authentication.
    eap
}


From the debug log I posted above, it seems that the eap message is not
being passed through to the inner-tunnel.

As a side note, testing ntlm_auth responds with a "NT_STATUS_OK: Success
(0x0)"  message.

I have even rebuilt the server leaving many of the default settings, but am
still getting the error.

I hope I am not missing the obvious and would appreciate if someone could
point me in the right direction.

In addition, my other question is why do I get the "WARNING: Outer and
inner identities are the same.  User privacy is compromised." warning and
how may I make it more secure?


Kind Regards

Byron Jeffery
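The facts the debug output above exposes (which EAP method the peer actually negotiated, which attributes travel inside the tunnel, which inner-tunnel authorize modules ran and what they returned, and whether the outer identity leaks the real username) can be pulled out mechanically. The following is an added example, not part of the original post or of FreeRADIUS itself: a Python parser for a `radiusd -X` excerpt of the kind quoted in the post, followed by a small diagnosis pass. The embedded sample log is constructed to mirror the posted output with the same "omitted" values; the mapping from credential attribute to the authorize module that sets Auth-Type for it (pap for User-Password, mschap for MS-CHAP responses, eap for EAP-Message) reflects standard FreeRADIUS 3.0 behaviour, and the `configured_default` parameter is an assumption standing in for the `default_eap_type` in mods-enabled/eap.

```python
import re
import sys

# Constructed sample, modelled on the radiusd -X output quoted in the post
# (request number, spacing and "omitted" values kept in the same style).
SAMPLE_LOG = """\
(6) Found Auth-Type = eap
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "omitted"
(6) eap_ttls:   User-Password = "omitted"
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6) WARNING: Outer and inner identities are the same.  User privacy is compromised.
(6) server inner-tunnel {
(6)     authorize {
(6)       [mschap] = noop
(6) eap: No EAP-Message, not doing EAP
(6)       [eap] = noop
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)     } # authorize = noop
(6)   ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(6) } # server inner-tunnel
"""

PREFIX_RE = re.compile(r"^\(\d+\)\s*")                       # "(6) " request prefix
METHOD_RE = re.compile(r"Peer sent packet with method EAP (\S+) \((\d+)\)")
TUNNEL_ATTR_RE = re.compile(r"^eap_\w+:\s+([\w-]+) = ")     # attribute lines inside the tunnel
MODULE_RC_RE = re.compile(r"\[([\w.]+)\] = (\w+)")          # "[module] = rcode"

# Which inner-tunnel authorize module sets Auth-Type for which credential
# (FreeRADIUS 3.0 behaviour: pap needs User-Password, mschap needs an
# MS-CHAP response, eap needs an EAP-Message).
CREDENTIAL_TO_MODULE = {
    "User-Password": "pap",
    "MS-CHAP-Response": "mschap",
    "MS-CHAP2-Response": "mschap",
    "EAP-Message": "eap",
}


def parse_debug(text):
    """Extract the facts needed for the diagnosis from one request's debug output."""
    report = {
        "outer_method": None,      # EAP method the peer negotiated in the outer exchange
        "inner_attrs": [],         # attributes carried inside the TLS tunnel
        "inner_modules": {},       # module -> return code, inner-tunnel authorize only
        "no_auth_type": False,     # inner-tunnel rejected because nothing set Auth-Type
        "privacy_warning": False,  # outer identity equals inner identity
    }
    in_tunnel_attrs = in_inner = in_authorize = False
    for line in text.splitlines():
        body = PREFIX_RE.sub("", line).strip()
        m = METHOD_RE.search(body)
        if m:
            report["outer_method"] = m.group(1)
        if "Got tunneled request" in body:
            in_tunnel_attrs = True
        elif "Sending tunneled request" in body:
            in_tunnel_attrs = False
        elif in_tunnel_attrs:
            m = TUNNEL_ATTR_RE.match(body)
            if m:
                report["inner_attrs"].append(m.group(1))
        if "Outer and inner identities are the same" in body:
            report["privacy_warning"] = True
        if body.endswith("server inner-tunnel {"):
            in_inner = True
        elif body.startswith("} # server inner-tunnel"):
            in_inner = False
        if in_inner:
            if body.endswith("authorize {"):
                in_authorize = True
            elif body.startswith("} # authorize"):
                in_authorize = False
            elif in_authorize:
                m = MODULE_RC_RE.search(body)
                if m:
                    report["inner_modules"][m.group(1)] = m.group(2)
            if "No Auth-Type found" in body:
                report["no_auth_type"] = True
    return report


def diagnose(report, configured_default="PEAP"):
    """Turn the parsed facts into plain findings an administrator can act on."""
    findings = []
    method = report["outer_method"]
    if method and method.upper() != configured_default.upper():
        findings.append(f"peer negotiated EAP-{method}, not the server default {configured_default}: "
                        "default_eap_type only sets the first proposal; a supplicant may NAK it "
                        "and pick any other enabled method, so check the client profile")
    for attr in report["inner_attrs"]:
        module = CREDENTIAL_TO_MODULE.get(attr)
        if module is None:
            continue
        rc = report["inner_modules"].get(module)
        if rc is None:
            findings.append(f"tunnel carries {attr} but module '{module}' is not listed in "
                            "inner-tunnel authorize, so nothing can set Auth-Type for it")
        elif rc == "noop":
            findings.append(f"module '{module}' saw {attr} but returned noop; check its configuration")
    if report["no_auth_type"]:
        findings.append("inner-tunnel found no Auth-Type and rejected the request")
    if report["privacy_warning"]:
        findings.append("outer identity equals inner identity: give the supplicant an anonymous outer identity "
                        "so the real username is sent only inside the TLS tunnel")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for finding in diagnose(parse_debug(text)):
        print("-", finding)
```

Run it with a saved `radiusd -X` capture as the argument, or with no argument to use the embedded sample. On the sample it reports that the peer negotiated EAP-TTLS rather than PEAP, that the tunnel carries a User-Password for which no `pap` module ran in inner-tunnel authorize, that the inner server consequently set no Auth-Type, and that the outer identity should be anonymised on the supplicant.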


More information about the Freeradius-Users mailing list