Altering identity

Marek Des desmarek1 at gmail.com
Thu Aug 15 18:03:43 CEST 2019


I am still running two RADIUS servers (I mean two different physical
installations): one handles the eduroam SSID and the other handles the internal SSID -
"the one with no outer identity".
They work perfectly, as each of the servers has its own configuration.
Now I am trying to combine those two into one server.


Here we go:

mschap.conf:
network={
        key_mgmt=WPA-EAP
        eap=PEAP
        identity="testuser"
        anonymous_identity=""

        password="testpasswd"
        phase2="auth=MSCHAPV2 mschapv2_retry=0"
        phase1="peapver=0"
}


eapol_test -c ./mschap.conf -a 127.0.0.1 -s testing123
Reading configuration file './mschap.conf'
Line: 1 - start of a new network block
key_mgmt: 0x1
eap methods - hexdump(len=16): 00 00 00 00 19 00 00 00 00 00 00 00 00 00 00 00
identity - hexdump_ascii(len=6):
     39 39 39 30 30 30                                 testuser
anonymous_identity - hexdump_ascii(len=0):
password - hexdump_ascii(len=10):
     75 66 54 65 37 78 6a 44 39 71                     testpasswd
phase2 - hexdump_ascii(len=30):
     61 75 74 68 3d 4d 53 43 48 41 50 56 32 20 6d 73   auth=MSCHAPV2 ms
     63 68 61 70 76 32 5f 72 65 74 72 79 3d 30         chapv2_retry=0
phase1 - hexdump_ascii(len=9):
     70 65 61 70 76 65 72 3d 30                        peapver=0
Priority group 0
   id=0 ssid=''
Authentication server 127.0.0.1:1812
RADIUS local address: 127.0.0.1:59004
ENGINE: Loading dynamic engine
ENGINE: Loading dynamic engine
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portValid=0
EAPOL: External notification - portEnabled=1
EAPOL: SUPP_PAE entering state CONNECTING
EAPOL: SUPP_BE entering state IDLE
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
Sending fake EAP-Request-Identity
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_PAE entering state RESTART
EAP: EAP entering state INITIALIZE
EAP: EAP entering state IDLE
EAPOL: SUPP_PAE entering state AUTHENTICATING
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Request id=29 method=1 vendor=0 vendorMethod=0
EAP: EAP entering state IDENTITY
CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: Status notification: started (param=)
EAP: EAP-Request Identity data - hexdump_ascii(len=0):
EAP: using anonymous identity - hexdump_ascii(len=0):
EAP: EAP entering state SEND_RESPONSE
EAP: EAP entering state IDLE
EAPOL: SUPP_BE entering state RESPONSE
EAPOL: txSuppRsp
WPA: eapol_test_eapol_send(type=0 len=5)
TX EAP -> RADIUS - hexdump(len=5): 02 1d 00 05 01
Encapsulating EAP message into a RADIUS packet
Learned identity from EAP-Response-Identity - hexdump(len=0):
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=0 length=114
   Attribute 1 (User-Name) length=2
      Value: ''
   Attribute 4 (NAS-IP-Address) length=6
      Value: 127.0.0.1
   Attribute 31 (Calling-Station-Id) length=19
      Value: '02-00-00-00-00-01'
   Attribute 12 (Framed-MTU) length=6
      Value: 1400
   Attribute 61 (NAS-Port-Type) length=6
      Value: 19
   Attribute 6 (Service-Type) length=6
      Value: 2
   Attribute 77 (Connect-Info) length=24
      Value: 'CONNECT 11Mbps 802.11b'
   Attribute 79 (EAP-Message) length=7
      Value: 021d000501
   Attribute 80 (Message-Authenticator) length=18
      Value: 27476a384e7596824785e4efdc30b52c
Next RADIUS client retransmit in 3 seconds
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: startWhen --> 0
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)

Next RADIUS client retransmit in 6 seconds
STA 02:00:00:00:00:01: Resending RADIUS message (id=0)

Next RADIUS client retransmit in 12 seconds
^CSignal 2 received - terminating
EAPOL: EAP key not available
EAPOL: EAP Session-Id not available
WPA: Clear old PMK and PTK
MPPE keys OK: 0  mismatch: 1
FAILURE


On Thu, Aug 15, 2019 at 3:25 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Aug 14, 2019, at 12:58 PM, Marek Des <desmarek1 at gmail.com> wrote:
> >
> > Well, about empty realm - I mean this:
> > 1) outer identity: empty
>
>   That's an issue.  The outer identity shouldn't be empty.  In RADIUS,
> it's *forbidden* to have an empty User-Name.
>
>   See RFC 7542.  The outer identity should be "anonymous", or maybe
> "@realm" where it's your realm.
>
> > 2) inner identity: username
> >
> > I need to authenticate two kind of users:
> > 1) ones with credentials above
> > 2) eduroam
>
>   Except that an empty outer identity means that your users will *never*
> be able to use eduroam.  An outer User-Name of "@example.com" is routable
> back to you via eduroam.  An empty outer User-Name will just get dropped on
> the floor.
>
> > The only difference is in outer and inner identity.
> > The both setups use EAP + MSCHAPv2 and OpenLDAP.
> >
> > I am trying to handle those two kind of users in single virtual server
>
>   You generally *must* run them in a single virtual server.  Because the
> APs will send both user authentications to one RADIUS server.  And the
> RADIUS server has to figure it out.
>
> > and
> > it doesn't work - it says it's proxying request to localhost and that's
> it.
>
>   See the FAQ for "it doesn't work".  And post the *actual* debug output.
> Not a one-line summary.
>
>   What you
>
> > proxy.conf:
>
>   We don't need to see that.  The documentation says to post the debug
> log, *not* the configuration files.
>
> > Virtual server for inner identity:
>
>   We don't need to see that, either.  If it doesn't work, it's wrong.  If
> you post the debug output, we see it *running* the configuration, which is
> infinitely more useful.
>
>   What you should be doing is:
>
> * all users log in with a non-empty outer identity.
> * *your* users log in with outer identity of "@my.domain.tld"
> * the FreeRADIUS configuration has that domain as a local one
> * everything else gets proxied to eduroam
>
>   A long and detailed guide is in the Wiki:
> https://wiki.freeradius.org/guide/eduroam
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
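The routing decision Alan describes (reject an empty outer identity, handle your own realm locally, proxy every other realm towards eduroam), written out as an added illustration that is not part of this thread and not FreeRADIUS code. It models only the decision a single server has to make on the outer User-Name before EAP runs; `my.domain.tld` is the placeholder realm from the reply, and the sample request is constructed from the Access-Request attributes in the debug log above:

```python
"""Outer-identity (NAI) routing, as a single RADIUS server has to decide it.

Added illustration for this thread, not FreeRADIUS code.  It models the
decision made on the outer User-Name before EAP runs: reject an empty
User-Name, handle our own realm locally, proxy every other realm towards
eduroam.  "my.domain.tld" is the placeholder realm from the reply.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumption: the realm(s) this server owns (placeholder from the reply).
LOCAL_REALMS = {"my.domain.tld"}


@dataclass(frozen=True)
class Decision:
    action: str            # "reject", "local" or "proxy"
    reason: str
    user: str = ""
    realm: Optional[str] = None


def split_nai(user_name: str) -> Tuple[str, Optional[str]]:
    """Split an NAI (RFC 7542) into (user part, realm).

    The realm is everything after the *last* '@', so "@realm" has an empty
    user part and "a@b@c" has realm "c".  A name with no '@' has no realm.
    """
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm


def route_outer_identity(user_name: Optional[str]) -> Decision:
    """Decide what to do with the outer identity of an Access-Request."""
    if not user_name:
        # Exactly what the eapol_test run sent: User-Name ''.  RADIUS does
        # not allow an empty User-Name and a proxy has nothing to route on,
        # so the only sane answer is a reject.
        return Decision("reject", "empty outer identity; the supplicant must "
                                  "send 'anonymous' or '@realm'")
    user, realm = split_nai(user_name)
    if realm is None:
        # "anonymous" or a bare username: can be authenticated here, but no
        # federation proxy can route it, so such users can never roam.
        return Decision("local", "no realm: local SSID only, not routable "
                                 "over eduroam", user)
    if realm == "":
        return Decision("reject", "trailing '@' with no realm", user, realm)
    realm_key = realm.lower()   # design choice: match realms case-insensitively
    if realm_key in LOCAL_REALMS:
        return Decision("local", "realm is ours: authenticate in the local "
                                 "virtual server", user, realm_key)
    return Decision("proxy", "foreign realm: forward to the eduroam proxy",
                    user, realm_key)


def route_request(attrs: dict) -> Decision:
    """Route a decoded Access-Request given as an attribute-name -> value map."""
    return route_outer_identity(attrs.get("User-Name"))


# Constructed sample: the attributes of the Access-Request from the debug log.
FAILING_REQUEST = {
    "User-Name": "",
    "NAS-IP-Address": "127.0.0.1",
    "Calling-Station-Id": "02-00-00-00-00-01",
    "Framed-MTU": 1400,
    "NAS-Port-Type": 19,
    "Service-Type": 2,
    "Connect-Info": "CONNECT 11Mbps 802.11b",
    "EAP-Message": bytes.fromhex("021d000501"),
}


if __name__ == "__main__":
    for name in ["", "anonymous", "@my.domain.tld", "anonymous@MY.Domain.TLD",
                 "jdoe@other-university.edu", "broken@"]:
        d = route_outer_identity(name)
        print(f"{name!r:28} -> {d.action:6} ({d.reason})")
    print("captured request ->", route_request(FAILING_REQUEST).action)
```

On the supplicant side the matching fix to the eapol_test config above is `anonymous_identity="@my.domain.tld"` (or `"anonymous@my.domain.tld"`) instead of `""`: the "EAP: using anonymous identity" line in the debug shows that this value becomes the EAP-Response/Identity and therefore the RADIUS User-Name the server routes on.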

