eduroam howto help with the wrong password scenario
Francesco Malvezzi
francesco.malvezzi at unimore.it
Fri Apr 20 14:34:11 CEST 2018
first of all, how I wished the eduroam howto
(http://wiki.freeradius.org/guide/eduroam) was online when I first had
to configure freeradius. Lucky those who can start from it: it used to
be harder.
Still, I have a problem. Following the howto with the files setup, I can
handle the happy path result (user with correct password). Everything works.
If I modify the ~/eapol_test/peap-mschapv2.conf file with:
password="iamthewrongpassword"
the request fails after a while, like the server would give the client a
second try:
eapol logs:
[...]
EAP-MSCHAPV2: password changing protocol version 3
EAP-MSCHAPV2: failure message: 'Authentication rejected' (retry allowed,
error 691)
EAPOL: EAP parameter needed
[...]
and it takes 30 secs to issue the "FAILURE" line.
./sbin/radiusd -X
[...]
(14) eap_mschapv2: authenticate {
(14) mschap: Found Cleartext-Password, hashing to create NT-Password
(14) mschap: Found Cleartext-Password, hashing to create LM-Password
(14) mschap: Creating challenge hash with username: a_user at example.org
(14) mschap: Client is using MS-CHAPv2
(14) mschap: ERROR: MS-CHAP2-Response is incorrect
(14) [mschap] = reject
(14) } # authenticate = reject
(14) MSCHAP-Error: ?E=691 R=1 C=3277c9a2969ff694b1e423f83f99ecd4 V=3
M=Authentication rejected
(14) Found new challenge from MS-CHAP-Error: err=691 retry=1
challenge=3277c9a2969ff694b1e423f83f99ecd4
(14) ERROR: MSCHAP Failure
(14) inner-eap: Sending EAP Request (code 1) ID 9 length 83
(14) inner-eap: EAP session adding &reply:State = 0x30262b3d312f3188
(14) [inner-eap] = handled
(14) } # authenticate = handled
(14) } # server eduroam-inner
(14) Virtual server sending reply
(14) EAP-Message =
0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x30262b3d312f318871613eb63a4734ad
(14) eap_peap: Got tunneled reply code 11
(14) eap_peap: EAP-Message =
0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564
(14) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(14) eap_peap: State = 0x30262b3d312f318871613eb63a4734ad
(14) eap_peap: Got tunneled reply RADIUS code 11
(14) eap_peap: EAP-Message =
0x010900531a0408004e453d36393120523d3120433d333237376339613239363966663639346231653432336638336639396563643420563d33204d3d41757468656e7469636174696f6e2072656a6563746564
(14) eap_peap: Message-Authenticator = 0x00000000000000000000000000000000
(14) eap_peap: State = 0x30262b3d312f318871613eb63a4734ad
(14) eap_peap: Got tunneled Access-Challenge
(14) eap: Sending EAP Request (code 1) ID 9 length 114
(14) eap: EAP session adding &reply:State = 0x8dc44f9585cd5612
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) Post-Auth-Type sub-section not found. Ignoring.
(14) # Executing group from file
/opt/freeradius/etc/raddb/sites-enabled/default
(14) session-state: Saving cached attributes
(14) Stripped-User-Name := "a_user"
(14) Sent Access-Challenge Id 8 from 127.0.0.1:1812 to 127.0.0.1:46152
length 0
(14) EAP-Message =
0x01090072190017030300674cef3f0c59b8f592198c61cd5c9a8810373267c99f6db7b6e410e43143fec0b5f4fb860d8b544e0b844edd43b9b26b119dfa7f1f7d3053bfab5b22f77511dad11e5369876d20211362ed1e949b67950fa465d6aec569ae4beae10d613101854ea2cbc3276df6df
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x8dc44f9585cd56126b4642e6eb93d427
(14) Finished request
[...]
Why am I missing the:
linelog_send_reject
from my logs?
If I choose pap (~/eapol_test/eap-ttls.conf), I can see the failure log
line (when password is wrong). And the client takes only one sec to tell
me there is a failure.
What did I do wrong? Freeradius is 3.0.17 on Debian GNU/Linux 9 (stretch),
thank you,
Francesco
More information about the Freeradius-Users
mailing list