Can't get past first stage of authentication

Nick Howitt nick at howitts.co.uk
Wed May 2 12:52:00 CEST 2018


On 02/05/2018 10:43, Nick Howitt wrote:
>
>
> On 02/05/2018 10:02, Adam Bishop wrote:
>> On 2 May 2018, at 09:55, Nick Howitt <nick at howitts.co.uk> wrote:
>>>    eap {
>>>          default_eap_type = "md5"
>> You probably want to set this to 'peap' or 'ttls' for wireless clients.
>>
>> Adam Bishop
>> Senior Infrastructure and Systems Architect
>>
>>    gpg: E75B 1F92 6407 DFDF 9F1C  BF10 C993 2504 6609 D460
>>      t: +44 (0)1235 822 245
>>   xmpp: adamb at jabber.dev.ja.net
>>
>> jisc.ac.uk
>>
>>
>> -
>> List info/subscribe/unsubscribe? See 
>> http://www.freeradius.org/list/users.html
> Changing to peap gives:
>
> Ready to process requests
> (0) Received Access-Request Id 128 from 172.22.22.2:3600 to 
> 172.22.22.1:1812 length 81
> (0)   User-Name = "test1"
> (0)   NAS-IP-Address = 172.22.22.2
> (0)   NAS-Port = 29
> (0)   NAS-Port-Type = Wireless-802.11
> (0)   Framed-MTU = 1396
> (0)   EAP-Message = 0x0200000a017465737431
> (0)   Message-Authenticator = 0x5ab518eaa9df382184bb9dc33fc6fe0e
> (0) # Executing section authorize from file 
> /etc/raddb/sites-enabled/default
> (0)   authorize {
> (0)     [preprocess] = ok
> (0)     [chap] = noop
> (0)     [mschap] = noop
> (0)     [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: No '@' in User-Name = "test1", looking up realm NULL
> (0) suffix: No such realm "NULL"
> (0)     [suffix] = noop
> (0) ntdomain: Checking for prefix before "\"
> (0) ntdomain: No '\' in User-Name = "test1", looking up realm NULL
> (0) ntdomain: No such realm "NULL"
> (0)     [ntdomain] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 0 length 10
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit 
> the rest of authorize
> (0)     [eap] = ok
> (0)   } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0)   authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_peap to process data
> (0) eap_peap: Initiating new EAP-TLS session
> (0) eap_peap: [eaptls start] = request
> (0) eap: Sending EAP Request (code 1) ID 1 length 6
> (0) eap: EAP session adding &reply:State = 0x3e72e94e3e73f08d
> (0)     [eap] = handled
> (0)   } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) Post-Auth-Type sub-section not found.  Ignoring.
> (0) # Executing group from file /etc/raddb/sites-enabled/default
> (0) Sent Access-Challenge Id 128 from 172.22.22.1:1812 to 
> 172.22.22.2:3600 length 0
> (0)   EAP-Message = 0x010100061920
> (0)   Message-Authenticator = 0x00000000000000000000000000000000
> (0)   State = 0x3e72e94e3e73f08d09b1afbce1068a81
> (0) Finished request
> Waking up in 4.9 seconds.
> (0) Cleaning up request packet ID 128 with timestamp +135
> Ready to process requests
>
> but no progress
Ok so that's a day of my life I won't get back. Swapping the WAP from an 
old Draytek router to a not quite so old Buffalo router running Tomato 
and I can log in. Sorry for wasting your time.
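
Added example, not part of the original thread: a small Python decoder for the two `EAP-Message` values in the debug output quoted above, showing that the first is the Identity response for "test1" and the second is the server's PEAP Start request, after which the log shows no further Access-Request. The function name `decode_eap` and the `SAMPLES` list are this example's own; the code and type numbers come from the EAP specifications, not from FreeRADIUS source.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "MS-CHAPv2"}
TLS_BASED = {13, 21, 25}  # methods that carry the EAP-TLS style flags octet


def decode_eap(hex_value):
    """Decode one EAP-Message attribute value as printed in the debug log."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP header is 4 bytes: code, id, length")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # A RADIUS attribute holds at most 253 bytes, so a longer EAP packet is
        # split over several EAP-Message attributes; join them before decoding.
        raise ValueError(f"length field {length} != {len(raw)} bytes supplied")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (1, 2) and length > 4:  # only Request/Response carry a type
        etype, data = raw[4], raw[5:]
        out["type"] = EAP_TYPES.get(etype, f"unknown({etype})")
        if etype == 1:
            out["identity"] = data.decode("utf-8", "replace")
        elif etype == 3:
            # Legacy Nak: the peer lists the methods it would accept instead.
            out["nak_wants"] = [EAP_TYPES.get(t, str(t)) for t in data]
        elif etype in TLS_BASED and data:
            flags = data[0]
            out["length_included"] = bool(flags & 0x80)  # L bit
            out["more_fragments"] = bool(flags & 0x40)   # M bit
            out["start"] = bool(flags & 0x20)            # S bit
            header = 1 + (4 if flags & 0x80 else 0)
            out["tls_bytes"] = max(0, len(data) - header)
    return out


# The two EAP-Message values from the debug output quoted above.
SAMPLES = ["0x0200000a017465737431", "0x010100061920"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, decode_eap(sample))
```

A Start request with zero TLS bytes followed by silence means the TLS handshake never began, so the server-side certificate and user configuration were not yet exercised at that point.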


More information about the Freeradius-Users mailing list