freeradius 3 - wifi eap authentication with many Calling-station-id

Maksim Bessonov maksim.bessonov2 at gmail.com
Wed Jul 25 18:53:03 CEST 2018


Hi,

I have FR 3 with MySQL. There is no problem with one Calling-Station-Id -
the wifi connects only with the correct MAC address. If I add a new
Calling-Station-Id, no one authenticates.
Is it possible to use more than one Calling-Station-Id?

Thanks,

Max

(8) Received Access-Request Id 18 from 10.122.0.249:34692 to
10.250.0.89:1812 length 312
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1400
(8)   User-Name = "6696"
(8)   State = 0xcbcd84becdca9dacd4f4ff79700755f2
(8)   NAS-Port-Id = "wlan3"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Acct-Session-Id = "82400151"
(8)   Acct-Multi-Session-Id =
"CE-2D-E0-12-71-BA-5C-8D-4E-45-26-7E-82-40-00-00-00-00-00-A5"
(8)   Calling-Station-Id = "5C-8D-4E-45-26-7E"
(8)   Called-Station-Id = "CE-2D-E0-12-71-BA:HOT"
(8)   EAP-Message =
0x0207005e1900170303005347ebd30c192c0babeb6419ce6032bfaeb4e0918d9de607b49e6799da14f82658dc3d02f3e5989e1a07fd06fd09eacf152e87ee60baca2ff6c7c171f93f8bb93cf8a862b0f196cfafd11e39c69455139e4c5419
(8)   Message-Authenticator = 0x25eb770a21eb5a60de3ca56f0b906f63
(8)   NAS-Identifier = "MikroTik"
(8)   NAS-IP-Address = 10.122.0.249
(8) session-state: No cached attributes
(8) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(8)   authorize {
(8)     [preprocess] = ok
(8) eap: Peer sent EAP Response (code 2) ID 7 length 94
(8) eap: Continuing tunnel setup
(8)     [eap] = ok
(8)   } # authorize = ok
(8) Found Auth-Type = eap
(8) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(8)   authenticate {
(8) eap: Expiring EAP session with state 0x1f3ac4431f3dde51
(8) eap: Finished EAP session with state 0xcbcd84becdca9dac
(8) eap: Previous EAP request found for state 0xcbcd84becdca9dac, released
from the list
(8) eap: Peer sent packet with method EAP PEAP (25)
(8) eap: Calling submodule eap_peap to process data
(8) eap_peap: Continuing EAP-TLS
(8) eap_peap: [eaptls verify] = ok
(8) eap_peap: Done initial handshake
(8) eap_peap: [eaptls process] = ok
(8) eap_peap: Session established.  Decoding tunneled attributes
(8) eap_peap: PEAP state phase2
(8) eap_peap: EAP method MSCHAPv2 (26)
(8) eap_peap: Got tunneled request
(8) eap_peap:   EAP-Message =
0x0207003f1a0207003a31afa7e13313bb19ccd6a1da23ff37f5f000000000000000000ab6ae29d5f022051dcdf872befccba2dee354235cea2fc80036363936
(8) eap_peap: Setting User-Name to 6696
(8) eap_peap: Sending tunneled request to inner-tunnel
(8) eap_peap:   EAP-Message =
0x0207003f1a0207003a31afa7e13313bb19ccd6a1da23ff37f5f000000000000000000ab6ae29d5f022051dcdf872befccba2dee354235cea2fc80036363936
(8) eap_peap:   FreeRADIUS-Proxied-To = 127.0.0.1
(8) eap_peap:   User-Name = "6696"
(8) eap_peap:   State = 0x1f3ac4431f3dde519eae5f0eeffc795b
(8) eap_peap:   Service-Type = Framed-User
(8) eap_peap:   Framed-MTU = 1400
(8) eap_peap:   NAS-Port-Id = "wlan3"
(8) eap_peap:   NAS-Port-Type = Wireless-802.11
(8) eap_peap:   Acct-Session-Id = "82400151"
(8) eap_peap:   Acct-Multi-Session-Id =
"CE-2D-E0-12-71-BA-5C-8D-4E-45-26-7E-82-40-00-00-00-00-00-A5"
(8) eap_peap:   Calling-Station-Id = "5C-8D-4E-45-26-7E"
(8) eap_peap:   Called-Station-Id = "CE-2D-E0-12-71-BA:HOT"
(8) eap_peap:   NAS-Identifier = "MikroTik"
(8) eap_peap:   NAS-IP-Address = 10.122.0.249
(8) eap_peap:   Event-Timestamp = "Jul 25 2018 19:49:36 MSK"
(8) Virtual server inner-tunnel received request
(8)   EAP-Message =
0x0207003f1a0207003a31afa7e13313bb19ccd6a1da23ff37f5f000000000000000000ab6ae29d5f022051dcdf872befccba2dee354235cea2fc80036363936
(8)   FreeRADIUS-Proxied-To = 127.0.0.1
(8)   User-Name = "6696"
(8)   State = 0x1f3ac4431f3dde519eae5f0eeffc795b
(8)   Service-Type = Framed-User
(8)   Framed-MTU = 1400
(8)   NAS-Port-Id = "wlan3"
(8)   NAS-Port-Type = Wireless-802.11
(8)   Acct-Session-Id = "82400151"
(8)   Acct-Multi-Session-Id =
"CE-2D-E0-12-71-BA-5C-8D-4E-45-26-7E-82-40-00-00-00-00-00-A5"
(8)   Calling-Station-Id = "5C-8D-4E-45-26-7E"
(8)   Called-Station-Id = "CE-2D-E0-12-71-BA:HOT"
(8)   NAS-Identifier = "MikroTik"
(8)   NAS-IP-Address = 10.122.0.249
(8)   Event-Timestamp = "Jul 25 2018 19:49:36 MSK"
(8) WARNING: Outer and inner identities are the same.  User privacy is
compromised.
(8) server inner-tunnel {
(8)   session-state: No cached attributes
(8)   # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authorize {
(8)       foreach &control:Calling-Station-Id {
(8)       } # foreach &control:Calling-Station-Id = noop
(8)       [mschap] = noop
(8)       update control {
(8)         &Proxy-To-Realm := LOCAL
(8)       } # update control = noop
(8) eap: Peer sent EAP Response (code 2) ID 7 length 63
(8) eap: No EAP Start, assuming it's an on-going EAP conversation
(8)       [eap] = updated
(8) sql: EXPAND %{User-Name}
(8) sql:    --> 6696
(8) sql: SQL-User-Name set to '6696'
rlm_sql (sql): Reserved connection (3)
(8) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '%{SQL-User-Name}' ORDER BY id
(8) sql:    --> SELECT id, username, attribute, value, op FROM radcheck
WHERE username = '6696' ORDER BY id
(8) sql: Executing select query: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '6696' ORDER BY id
(8) sql: User found in radcheck table
(8) sql: EXPAND SELECT groupname FROM radusergroup WHERE username =
'%{SQL-User-Name}' ORDER BY priority
(8) sql:    --> SELECT groupname FROM radusergroup WHERE username = '6696'
ORDER BY priority
(8) sql: Executing select query: SELECT groupname FROM radusergroup WHERE
username = '6696' ORDER BY priority
(8) sql: User not found in any groups
rlm_sql (sql): Released connection (3)
(8)       [sql] = noop
(8)       [expiration] = noop
(8)       [logintime] = noop
(8)     } # authorize = updated
(8)   Found Auth-Type = eap
(8)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     authenticate {
(8) eap: Expiring EAP session with state 0x1f3ac4431f3dde51
(8) eap: Finished EAP session with state 0x1f3ac4431f3dde51
(8) eap: Previous EAP request found for state 0x1f3ac4431f3dde51, released
from the list
(8) eap: Peer sent packet with method EAP MSCHAPv2 (26)
(8) eap: Calling submodule eap_mschapv2 to process data
(8) eap_mschapv2: # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8) eap_mschapv2:   authenticate {
(8) mschap: WARNING: No Cleartext-Password configured.  Cannot create
NT-Password
(8) mschap: WARNING: No Cleartext-Password configured.  Cannot create
LM-Password
(8) mschap: Creating challenge hash with username: 6696
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password.  Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
(8)     [mschap] = reject
(8)   } # authenticate = reject
(8) eap: Sending EAP Failure (code 4) ID 7 length 4
(8) eap: Freeing handler
(8)       [eap] = reject
(8)     } # authenticate = reject
(8)   Failed to authenticate the user
(8)   Using Post-Auth-Type Reject
(8)   # Executing group from file
/etc/freeradius/3.0/sites-enabled/inner-tunnel
(8)     Post-Auth-Type REJECT {

