Freeradius issues related with DMZ firewall
Ramon Escriba
escriba at cells.es
Fri Sep 29 18:32:42 CEST 2017
Hi Experts,
I have a 'funny' problem with my freeradius 3.0.4 and our Aruba controller.
I am testing a freeradius with 802.1x (EAP-MSCHAPv2: WPA2-Ent+AES+PEAP)
configuration that works pretty well when both radius & Aruba are in our
internal network.
So it works fine with Mac, Win7, Android, iPhone, etc.
The problem came when we moved the machine to the DMZ (pfSense fw). Lots of
small problems (DNS, hosts, etc.) arose and were solved.
I used eapol_test successfully on an internal Linux box that connects
successfully to the radius in the DMZ, so I went ahead.
But when we do the same Mac, Win7, Android, etc. WiFi connection tests with
the radius in the DMZ, the authentication fails (see radius -X log below).
To test if it was a firewall issue, UDP/TCP ports are fully open between
radius (DMZ) & Aruba (internal), in both directions.
We opened the DMZ radius to the internal DNS.
I used a firewall catch-all rule to catch any IPv4/IPv6 traffic missed by the
firewall rules, but nothing shows up.
I tried to Wireshark the WiFi connection from the Win7 client without
success.
Well, I hope someone else had a similar problem and could share the
solution, or any clue.
Logs of the failing connection (Win7 -> Aruba -> radius DMZ); maybe you can
see something strange:
10.10.10.10: Aruba
84.84.84.84: Radius at DMZ
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
User-Name = 'test at acme.com'
NAS-IP-Address = 10.10.10.10
NAS-Port = 0
NAS-Identifier = '10.10.10.10'
NAS-Port-Type = Wireless-802.11
Calling-Station-Id = 'A4C494Exxxxx'
Called-Station-Id = '000B866xxxxx'
Service-Type = Login-User
Framed-MTU = 1100
EAP-Message = 0x0xx400xxxxxx146xxxxxxxxxxxc673
Aruba-Essid-Name = 'TEST_SSID'
Aruba-Location-Id = 'AP1'
Aruba-AP-Group = 'default'
Message-Authenticator = 0xbxxx268xxxxxxxxxxxxc10f08dae88
(0) Received Access-Request packet from host 10.10.10.10 port 32866, id=111, length=205
(0) User-Name = 'test at acme.com'
(0) NAS-IP-Address = 10.10.10.10
(0) NAS-Port = 0
(0) NAS-Identifier = '10.10.10.10'
(0) NAS-Port-Type = Wireless-802.11
(0) Calling-Station-Id = 'A4C494XXXXXX'
(0) Called-Station-Id = '000B86xxxxxx'
(0) Service-Type = Login-User
(0) Framed-MTU = 1100
(0) EAP-Message = 0x02040019017465xxxxxxxxxxxx4063656c6c732e6573
(0) Aruba-Essid-Name = 'TEST_SSID'
(0) Aruba-Location-Id = 'AP1'
(0) Aruba-AP-Group = 'default'
(0) Message-Authenticator = 0xb268fe2779551dxxxxxxxxxxxx08dae88
(0) # Executing section authorize from file /etc/raddb/sites-enabled/default
(0) authorize {
(0) filter_username filter_username {
(0) if (!&User-Name)
(0) if (!&User-Name) -> FALSE
(0) if (&User-Name =~ / /)
(0) if (&User-Name =~ / /) -> FALSE
(0) if (&User-Name =~ /@.*@/ )
(0) if (&User-Name =~ /@.*@/ ) -> FALSE
(0) if (&User-Name =~ /\\.\\./ )
(0) if (&User-Name =~ /\\.\\./ ) -> FALSE
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/))
(0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\\.(.+)$/)) -> FALSE
(0) if (&User-Name =~ /\\.$/)
(0) if (&User-Name =~ /\\.$/) -> FALSE
(0) if (&User-Name =~ /@\\./)
(0) if (&User-Name =~ /@\\./) -> FALSE
(0) } # filter_username filter_username = notfound
(0) [preprocess] = ok
(0) auth_log : EXPAND /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log : --> /var/log/radius/radacct/10.10.10.10/auth-detail-20170929
(0) auth_log : /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.10.10.10/auth-detail-20170929
(0) auth_log : EXPAND %t
(0) auth_log : --> Fri Sep 29 16:42:40 2017
(0) [auth_log] = ok
(0) [mschap] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "acme.com" for User-Name = "test at acme.com"
(0) suffix : Found realm "acme.com"
(0) suffix : Adding Realm = "acme.com"
(0) suffix : Authentication realm is LOCAL
(0) [suffix] = ok
(0) eap : Peer sent code Response (2) ID 4 length 25
(0) eap : EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0) [eap] = ok
(0) } # authorize = ok
(0) Found Auth-Type = EAP
(0) # Executing group from file /etc/raddb/sites-enabled/default
(0) authenticate {
(0) eap : Peer sent method Identity (1)
(0) eap : Calling eap_peap to process EAP data
(0) eap_peap : Flushing SSL sessions (of #0)
(0) eap_peap : Initiate
(0) eap_peap : Start returned 1
(0) eap : New EAP session, adding 'State' attribute to reply 0x7317e1da7312f877
(0) [eap] = handled
(0) } # authenticate = handled
(0) Sending Access-Challenge packet to host 10.10.10.10 port 32866, id=111, length=0
(0) EAP-Message = 0x010500061920
(0) Message-Authenticator = 0x00000000000000000000000000000000
(0) State = 0x7317e1da7312f877fca7b6e2bbfa846d
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
EAP-Message = 0x010500061920
Message-Authenticator = 0x00000000000000000000000000000000
State = 0x7317e1da7312f877fca7b6e2bbfa846d
(0) Finished request
Waking up in 0.3 seconds.
Waking up in 6.6 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 999993.0 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 1999986.0 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 3999977.0 seconds.
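An added diagnostic, not from the post or from the FreeRADIUS project, that parses the summary lines of a `radiusd -X` log and flags the pattern visible above: the NAS re-sends the same Access-Request Id and the server answers every copy with the same cached Access-Challenge, which is FreeRADIUS's duplicate-detection behaviour when its reply never reaches the NAS, so the return path for UDP replies out of the DMZ is the first thing to check. The sample log lines are constructed to mirror the post; the function names are my own.

```python
import re
from collections import defaultdict

# Summary lines printed by "radiusd -X" (shape taken from the post above).
RECV = re.compile(r"Received Access-Request Id (\d+) from (\S+) to \S+ length \d+")
SEND = re.compile(r"Sending Access-(\w+) Id (\d+) from \S+ to (\S+)")

def analyse(lines):
    """Count, per (NAS address:port, packet Id), how many Access-Requests
    arrived and how many replies FreeRADIUS sent back for that Id."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0, "reply_types": set()})
    for line in lines:
        m = RECV.search(line)
        if m:
            stats[(m.group(2), int(m.group(1)))]["requests"] += 1
            continue
        m = SEND.search(line)
        if m:
            entry = stats[(m.group(3), int(m.group(2)))]
            entry["replies"] += 1
            entry["reply_types"].add(m.group(1))
    return stats

def find_retransmits(lines, threshold=2):
    """Conversations where the NAS re-sent the same Id 'threshold' or more
    times. A reply for every copy means the server answered each time from
    its reply cache; the NAS simply never saw that answer."""
    return {k: v for k, v in analyse(lines).items() if v["requests"] >= threshold}

def eap_progressed(lines, nas):
    """True if the NAS sent more than one packet Id, i.e. the EAP
    conversation advanced past the first challenge."""
    ids = {pid for (addr, pid) in analyse(lines) if addr == nas}
    return len(ids) > 1

# Constructed sample mirroring the post's failing exchange.
SAMPLE_LOG = """\
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Waking up in 6.6 seconds.
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
Received Access-Request Id 111 from 10.10.10.10:32866 to 84.84.84.84:1812 length 205
Sending Access-Challenge Id 111 from 84.84.84.84:1812 to 10.10.10.10:32866
""".splitlines()

if __name__ == "__main__":
    for (nas, pid), v in find_retransmits(SAMPLE_LOG).items():
        print(f"{nas} re-sent Id {pid} {v['requests']}x; server replied {v['replies']}x "
              f"with {sorted(v['reply_types'])}; EAP progressed: {eap_progressed(SAMPLE_LOG, nas)}")
```

Run it against a full `radiusd -X` capture; a healthy exchange shows a fresh Id for every EAP round, while the pattern above shows only Id 111, answered but never advanced.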