having trouble connecting EAP-PEAP

Carlito Nueno carlitonueno at gmail.com
Thu Apr 26 04:37:06 CEST 2018 

hi all,

I am not able to connect to any device, iOS, mac os, or linux to EAP-PEAP

I used `/etc/raddb/certs/ make` script to generate certificates. I
copied the `ca.pem` file to mac OS and installed it.

Any advice?

using freeradius on docker with alpine linux
- FreeRADIUS Version 3.0.15
- OpenSSL 1.0.2o

Changes made:

/etc/raddb/mods-enabled/eap:
default_eap_type = peap

/etc/raddb/mods-enabled/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes

/etc/raddb/sites-enabled/default
#  Allow EAP authentication.
    eap

/etc/raddb/sites-enabled/inner-tunnel
    eap {
        ok = return
    }

    #  Allow EAP authentication.
    eap


radius.log

Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 58659
Listening on proxy address :: port 46908
Ready to process requests
Thread 1 waiting to be assigned a request
Thread 5 waiting to be assigned a request
Thread 4 waiting to be assigned a request
Thread 3 waiting to be assigned a request
Thread 2 waiting to be assigned a request
Threads: total/active/spare threads = 5/0/5
Waking up in 0.3 seconds.
Thread 5 got semaphore
Thread 5 handling request 1, (1 handled so far)
(1) Received Access-Request Id 7 from 192.168.2.181:40873 to
172.18.0.2:1812 length 190
(1)   User-Name = "test"
(1)   Called-Station-Id = "22-B5-8F-99-AC-00:test11radius"
(1)   NAS-Port-Type = Wireless-802.11
(1)   Service-Type = Framed-User
(1)   NAS-Port = 1
(1)   Calling-Station-Id = "11-11-33-23-FC-33"
(1)   Connect-Info = "CONNECT 54Mbps 802.11a"
(1)   Acct-Session-Id = "BA289D333A540806"
(1)   WLAN-Pairwise-Cipher = 1027076
(1)   WLAN-Group-Cipher = 1027076
(1)   WLAN-AKM-Suite = 1027073
(1)   Framed-MTU = 1400
(1)   EAP-Message = 0x02bc00090174657374
(1)   Message-Authenticator = 0xdb1db3b502505a24e81043b7239ef87e
(1) # Executing section authorize from file /etc/raddb/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> TRUE
(1)       if (&User-Name)  {
(1)         if (&User-Name =~ / /) {
(1)         if (&User-Name =~ / /)  -> FALSE
(1)         if (&User-Name =~ /@[^@]*@/ ) {
(1)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(1)         if (&User-Name =~ /\.\./ ) {
(1)         if (&User-Name =~ /\.\./ )  -> FALSE
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(1)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
  -> FALSE
(1)         if (&User-Name =~ /\.$/)  {
(1)         if (&User-Name =~ /\.$/)   -> FALSE
(1)         if (&User-Name =~ /@\./)  {
(1)         if (&User-Name =~ /@\./)   -> FALSE
(1)       } # if (&User-Name)  = notfound
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Checking for suffix after "@"
(1) suffix: No '@' in User-Name = "test", looking up realm NULL
(1) suffix: No such realm "NULL"
(1)     [suffix] = noop
(1) files: users: Matched entry test at line 1
(1)     [files] = ok
(1)     [expiration] = noop
(1)     [logintime] = noop
(1) pap: No User-Password attribute in the request.  Cannot do PAP
(1)     [pap] = noop
(1)   } # authorize = ok
(1) WARNING: Please update your configuration, and remove 'Auth-Type = Local'
(1) WARNING: Use the PAP or CHAP modules instead
(1) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(1) Failed to authenticate the user
(1) Using Post-Auth-Type Reject
(1) # Executing group from file /etc/raddb/sites-enabled/default
(1)   Post-Auth-Type REJECT {
(1) attr_filter.access_reject: EXPAND %{User-Name}
(1) attr_filter.access_reject:    --> test
(1) attr_filter.access_reject: Matched entry DEFAULT at line 11
(1)     [attr_filter.access_reject] = updated
(1)     policy remove_reply_message_if_eap {
(1)       if (&reply:EAP-Message && &reply:Reply-Message) {
(1)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(1)       else {
(1)         [noop] = noop
(1)       } # else = noop
(1)     } # policy remove_reply_message_if_eap = noop
(1)   } # Post-Auth-Type REJECT = updated
(1) Delaying response for 1.000000 seconds
Thread 5 waiting to be assigned a request
Waking up in 0.6 seconds.
(1) Sending delayed response
(1) Sent Access-Reject Id 7 from 172.18.0.2:1812 to
192.168.2.181:40873 length 20


logs on access point:

hostapd: wlan0-ap: STA 11-11-33-23-FC-33 IEEE 802.1X: Sending EAP
Packet (identifier 188)
hostapd: wlan0-ap: STA 11-11-33-23-FC-33 IEEE 802.1X: received EAP
packet (code=2 id=188 len=9) from STA: EAP Response-Identity (1)
hostapd: wlan0-ap: STA 11-11-33-23-FC-33 IEEE 802.1X: STA identity 'test'
hostapd: wlan0-ap: RADIUS Sending RADIUS message to authentication server
hostapd: wlan0-ap: RADIUS Next RADIUS client retransmit in 3 seconds
hostapd: wlan0-ap: RADIUS Received 20 bytes from RADIUS server
hostapd: wlan0-ap: RADIUS Received RADIUS message
hostapd: wlan0-ap: STA 11-11-33-23-FC-33 RADIUS: Received RADIUS
packet matched with a pending request, round trip time 1.00 sec
hostapd: wlan0-ap: STA 11-11-33-23-FC-33 IEEE 802.1X: could not
extract EAP-Message from RADIUS message


Thanks

More information about the Freeradius-Users mailing list