Altering identity
Marek Des
desmarek1 at gmail.com
Thu Aug 15 18:03:43 CEST 2019
I am still running two RADIUS servers (I mean two different physical
installations): one handles the eduroam SSID and the other handles the internal SSID,
"the one with no outer identity".
They work perfectly, as each of the servers has its own configuration.
Now I am trying to combine those two into one server.
Here we go:
mschap.conf:
network={
key_mgmt=WPA-EAP
eap=PEAP
identity="testuser"
anonymous_identity=""
password="testpasswd"
phase2="auth=MSCHAPV2 mschapv2_retry=0"
phase1="peapver=0"
}
eapol_test -c ./mschap.conf -a 127.0.0.1 -s testing123
Reading configuration file './mschap.conf'
Line: 1 - start of a new network block
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=6):
39 39 39 30 30 30 testuser
anonymous_identity - hexdump_ascii(len=0):
password - hexdump_ascii(len=10):
75 66 54 65 37 78 6a 44 39 71 testpasswd
phase2 - hexdump_ascii(len=30):
61 75 74 68 3d 4d 53 43 48 41 50 56 32 20 6d 73 auth=MSCHAPV2 ms
63 68 61 70 76 32 5f 72 65 74 72 79 3d 30 chapv2_retry=0
phase1 - hexdump_ascii(len=9):
70 65 61 70 76 65 72 3d 30 peapver=0
Priority group 0
id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:59004
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=29 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=5)
TX EAP -> RADIUS - hexdump(len=5): 02 1d 00 05 01
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=0):
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=114
Attribute 1 (User-Name) length=2
Value: ''
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '02-00-00-00-00-01'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=24
Value: 'CONNECT 11Mbps 802.11b'
Attribute 79 (EAP-Message) length=7
Value: 021d000501
Attribute 80 (Message-Authenticator) length=18
Value: 27476a384e7596824785e4efdc30b52c
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)
Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)
Next RADIUS client retransmit in 12 seconds
^CSignal 2 received - terminating
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
MPPE keys OK: 0 mismatch: 1
FAILURE
On Thu, Aug 15, 2019 at 3:25 AM Alan DeKok <aland at deployingradius.com>
wrote:
> On Aug 14, 2019, at 12:58 PM, Marek Des <desmarek1 at gmail.com> wrote:
> >
> > Well, about empty realm - I mean this:
> > 1) outer identity: empty
>
> That's an issue. The outer identity shouldn't be empty. In RADIUS,
> it's *forbidden* to have an empty User-Name.
>
> See RFC 7542. The outer identity should be "anonymous", or maybe
> "@realm" where it's your realm.
>
> > 2) inner identity: username
> >
> > I need to authenticate two kinds of users:
> > 1) ones with credentials above
> > 2) eduroam
>
> Except that an empty outer identity means that your users will *never*
> be able to use eduroam. An outer User-Name of "@example.com" is routable
> back to you via eduroam. An empty outer User-Name will just get dropped on
> the floor.
>
> > The only difference is in outer and inner identity.
> > Both setups use EAP + MSCHAPv2 and OpenLDAP.
> >
> > I am trying to handle those two kinds of users in a single virtual server
>
> You generally *must* run them in a single virtual server. Because the
> Ads will send both user authentications to one RADIUS server. And the
> RADIUS server has to figure it out.
>
> > and
> > it doesn't work - it says it's proxying request to localhost and that's
> > it.
>
> See the FAQ for "it doesn't work". And post the *actual* debug output.
> Not a one-line summary.
>
> What you
>
> > proxy.conf:
>
> We don't need to see that. The documentation says to post the debug
> log, *not* the configuration files.
>
> > Virtual server for inner identity:
>
> We don't need to see that, either. If it doesn't work, it's wrong. If
> you post the debug output, we see it *running* the configuration, which is
> infinitely more useful.
>
> What you should be doing is:
>
> * all users log in with a non-empty outer identity.
> * *your* users log in with outer identity of "@my.domain.tld"
> * the FreeRADIUS configuration has that domain as a local one
> * everything else gets proxied to eduroam
>
> A long and detailed guide is in the Wiki:
> https://wiki.freeradius.org/guide/eduroam
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
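The routing rule Alan describes above (empty outer User-Name cannot be routed, "@my.domain.tld" is local, every other realm is proxied to eduroam), written out as an added example that is not part of this thread or of FreeRADIUS. The realm name and the sample outer identities are constructed; treating a bare username with no "@" as local is an assumption of the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

# Realms this server answers for itself (constructed placeholder value).
LOCAL_REALMS: FrozenSet[str] = frozenset({"my.domain.tld"})


class Route(Enum):
    REJECT = "reject"        # cannot be routed anywhere
    LOCAL = "local"          # handled by this server's own inner virtual server
    PROXY_EDUROAM = "proxy"  # forwarded to the eduroam top-level servers


@dataclass(frozen=True)
class Decision:
    route: Route
    realm: Optional[str]
    reason: str


def route_outer_identity(user_name: str,
                         local_realms: FrozenSet[str] = LOCAL_REALMS) -> Decision:
    """Decide where an Access-Request goes from its outer User-Name."""
    if user_name == "":
        # RFC 7542 / RADIUS: an empty User-Name is forbidden and cannot be routed.
        return Decision(Route.REJECT, None, "empty User-Name is forbidden")
    if any(ord(c) < 0x20 or c == "\x7f" for c in user_name):
        return Decision(Route.REJECT, None, "control characters are not valid in an NAI")
    # The realm is everything after the last '@' (a suffix split).
    at = user_name.rfind("@")
    if at == -1:
        # Assumption of this example: no realm at all means a local user.
        return Decision(Route.LOCAL, None, "no realm: treated as local")
    realm = user_name[at + 1:].lower()
    if realm == "":
        return Decision(Route.REJECT, None, "trailing '@' with no realm")
    if realm in local_realms:
        return Decision(Route.LOCAL, realm, "local realm: authenticate here")
    return Decision(Route.PROXY_EDUROAM, realm, "foreign realm: proxy to eduroam")


# Constructed outer identities as different supplicants might send them.
SAMPLE_OUTER_IDENTITIES = ["", "anonymous", "@my.domain.tld",
                           "anonymous@MY.domain.tld", "alice@other.example", "bob@"]


def route_table(names=SAMPLE_OUTER_IDENTITIES) -> dict:
    """Map each sample outer identity to the routing decision it gets."""
    return {n: route_outer_identity(n).route.value for n in names}


if __name__ == "__main__":
    for name, d in ((n, route_outer_identity(n)) for n in SAMPLE_OUTER_IDENTITIES):
        print(f"{name!r:28} -> {d.route.value:7} ({d.reason})")
```

The first sample line is exactly the case in the eapol_test output above: `anonymous_identity=""` produces `User-Name` with value `''`, which this function rejects before any proxying decision is made.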