802.1x / EAP Assistance

J Kephart jkephart at safetynetaccess.com
Thu Oct 31 14:29:40 CET 2019


Good morning!

We are attempting to implement 802.1x/EAP for the first time, and we're 
having some trouble diagnosing what's going on in the various stages of 
the communications between the NAS and FR.  We don't have any experience 
with it, so it's rather confusing.

We're using FR 2.2.8, with the test certs provided.  We can see that 
there is communication, but all attempts to authenticate a device are 
failing.  I've included what I believe to be the relevant portion of the 
debug output, and I do see several error conditions. The first says that 
the realm LOCAL is not defined, but in looking at the config, it looks 
as though it is.  There's also a report that there's a missing 
Cleartext-Password, but that is also defined in the database, so we're 
at a loss as to the cause of the failure.

If someone can point us in the right direction, I'd truly appreciate it!

rad_recv: Access-Request packet from host 146.115.19.180 port 50987, 
id=97, length=394
     Acct-Session-Id = "5DB9E1F5-76DF7502"
     User-Name = "jerry"
     NAS-IP-Address = 192.168.185.30
     NAS-Identifier = "90-3A-72-15-25-1D"
     NAS-Port = 1
     Called-Station-Id = "90-3A-72-15-25-1D:CVGNE_W1"
     Calling-Station-Id = "D4-53-83-F3-C0-17"
     Service-Type = Framed-User
     Chargeable-User-Identity = ""
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 802.11a/n/ac"
     EAP-Message = 
0x0208005f1900170303005400000000000000022f4cd34458205cfb0d339d2a9f6dda68b5f7a4ffbd985bbfb9ef4094114e5a1856df8479ea3c4ddc7f293487a00396643c97c4b24f51d67a7c7cc34e9bbbc1c156adc07977d4e095d6fddaa5
     State = 0x957bdc849273c5bfd96a2d7f79095e2d
     Ruckus-SSID = "CVGNE_W1"
     Ruckus-Attr-14 = 0x903a7215251d
     Ruckus-Attr-9 = 0x000001c3
     Ruckus-SCG-CBlade-IP = 3232282885
     Ruckus-Attr-134 = 0x44656661756c74205a6f6e65
     Ruckus-Attr-135 = 0x4356474e455f5731
     Message-Authenticator = 0xad0239941dd1cf346629d1f1b23805b6
     Event-Timestamp = "Oct 30 2019 15:18:14 EDT"
     Proxy-State = 0x3636
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++update request {
sql_xlat
     expand:  select zone_migration_enabled from sites where 
id='%{NAS-Identifier}' ->  select zone_migration_enabled from sites 
where id='90-3A-72-15-25-1D'
rlm_sql (sql_instance2): Reserving sql socket id: 2
SQL query did not return any results
rlm_sql (sql_instance2): Released sql socket id: 2
     expand: %{sql_instance2: select zone_migration_enabled from sites 
where id='%{NAS-Identifier}'} ->
     ... expanding second conditional
     expand: %{%{sql_instance2: select zone_migration_enabled from sites 
where id='%{NAS-Identifier}'}:-0} -> 0
++} # update request = noop
++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ || 
"%{Called-Station-Id}" =~ /^20-4C-03-/  )&& Tmp-String-2 == '1')
     expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1
?? Evaluating ("%{Called-Station-Id}" =~ /^00-50-E8-/) -> FALSE
     expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1
?? Evaluating ("%{Called-Station-Id}" =~ /^20-4C-03-/) -> FALSE
? Skipping (Tmp-String-2 == '1')
++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ || 
"%{Called-Station-Id}" =~ /^20-4C-03-/  )&& Tmp-String-2 == '1') -> FALSE
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "jerry", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 95
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
     EAP-Message = 
0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279
server  {
[peap] Setting User-Name to jerry
Sending tunneled request
     EAP-Message = 
0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = "jerry"
     State = 0x2b16a6c52b1ebc1c6619c5138158b3f7
server inner-tunnel {
# Executing section authorize from file 
/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "jerry", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  
Cancelling invalid proxy request.
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: jerry
[mschap] Client is using MS-CHAPv2 for jerry, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
     expand: %{NAS-IP-Address} ->
Login incorrect: [jerry/<via Auth-Type = EAP>] (from client Office port 
0 via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> jerry
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
     MS-CHAP-Error = "\010E=691 R=1"
     EAP-Message = 0x04080004
     Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
     MS-CHAP-Error = "\010E=691 R=1"
     EAP-Message = 0x04080004
     Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 97 to 146.115.19.180 port 50987
     EAP-Message = 
0x0109002e1900170303002334c44a5ec04ae1317ed894226db68ba139a09ceb0517c705c20507823d7bb4bc4a05c6
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x957bdc849d72c5bfd96a2d7f79095e2d
     Proxy-State = 0x3636
Finished request 214.

Many thanks!
-- Jim
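An added example for the question above (my own script, not code from the post or from the FreeRADIUS project) that applies the kind of triage the post is asking for to a `radiusd -X` transcript. It records which modules ran in each virtual server's `authorize` section and pulls out the lines that explain the failure in the quoted output: the `Proxy-To-Realm = LOCAL` warning, the `mschap` module finding neither `Cleartext-Password` nor `NT-Password` for `jerry` inside the inner tunnel (the inner-tunnel `authorize` in the debug output ran `files` but no `sql` instance, so the script flags that a password held only in the database would not have been added there; whether that is the actual cause is for the thread to confirm), the `E=691` code in `MS-CHAP-Error` (RFC 2759's ERROR_AUTHENTICATION_FAILURE), and the fact that the outer reply is still an `Access-Challenge` after the tunneled `Access-Reject`. `SAMPLE_DEBUG` is a constructed, shortened excerpt modelled on the debug output quoted above, not a full capture, and the regexes are written against the FreeRADIUS 2.x `-X` line shapes as they appear in the post.

```python
"""Triage a FreeRADIUS 2.x `radiusd -X` transcript for an EAP inner-tunnel failure.
Added example for the thread above; not from the post or from FreeRADIUS."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed, shortened excerpt modelled on the debug output quoted in the post.
SAMPLE_DEBUG = """\
        User-Name = "jerry"
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[suffix] = noop
++[eap] = ok
+} # group authorize = ok
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[mschap] = noop
++[eap] = updated
++[files] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!  Cancelling invalid proxy request.
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] = reject
} # server inner-tunnel
[peap] Got tunneled reply code 3
        MS-CHAP-Error = "\\010E=691 R=1"
Sending Access-Challenge of id 97 to 146.115.19.180 port 50987
"""
MSCHAP_ERRORS = {646: "ERROR_RESTRICTED_LOGON_HOURS", 647: "ERROR_ACCT_DISABLED",  # RFC 2759 s.6
                 648: "ERROR_PASSWD_EXPIRED", 649: "ERROR_NO_DIALIN_PERMISSION",
                 691: "ERROR_AUTHENTICATION_FAILURE", 709: "ERROR_CHANGING_PASSWORD"}
ACCESS_REJECT = 3  # RADIUS packet code, as printed in "[peap] Got tunneled reply code N"
RE = {  # line shapes as they appear in FreeRADIUS 2.x -X output
    "user": re.compile(r'^\s*User-Name = "([^"]*)"'),
    "file": re.compile(r"^# Executing (?:section \w+ |group )from file .*/([^/]+)$"),
    "group": re.compile(r"^\+group (\S+) \{"),
    "module": re.compile(r"^\+\+\[([^\]]+)\] = (\w+)"),
    "realm": re.compile(r"^WARNING: You set Proxy-To-Realm = (\S+), but the realm does not exist"),
    "nopw": re.compile(r"^\[mschap\] FAILED: No NT/LM-Password"),
    "mserr": re.compile(r'MS-CHAP-Error = ".*E=(\d+)'),
    "tunnel": re.compile(r"^\[peap\] Got tunneled reply code (\d+)"),
    "send": re.compile(r"^Sending (Access-\w+) of id \d+"),
}

@dataclass
class Triage:
    user: str | None = None
    modules: dict = field(default_factory=dict)  # (server, section) -> [(module, rcode)]
    missing_realms: list = field(default_factory=list)
    mschap_no_password: bool = False
    mschap_error: int | None = None
    tunneled_reply: int | None = None
    outer_reply: str | None = None

def parse_debug(text: str) -> Triage:
    """One pass over the transcript, tracking which virtual server and section is running."""
    t, server, section = Triage(), "default", None
    for line in text.splitlines():
        if m := RE["user"].match(line):
            t.user = t.user or m.group(1)
        elif m := RE["file"].match(line):
            server = m.group(1)  # the file name is the virtual server (default / inner-tunnel)
        elif line.startswith("} # server "):
            server = "default"
        elif m := RE["group"].match(line):
            section = m.group(1)
        elif m := RE["module"].match(line):
            t.modules.setdefault((server, section), []).append((m.group(1), m.group(2)))
        elif m := RE["realm"].match(line):
            t.missing_realms.append(m.group(1))
        elif RE["nopw"].match(line):
            t.mschap_no_password = True
        elif m := RE["mserr"].search(line):
            t.mschap_error = int(m.group(1))
        elif m := RE["tunnel"].match(line):
            t.tunneled_reply = int(m.group(1))
        elif m := RE["send"].match(line):
            t.outer_reply = m.group(1)
    return t

def diagnose(t: Triage) -> list[str]:
    """Turn the parsed facts into the findings a reader of the transcript wants first."""
    found = []
    inner = [m for m, _ in t.modules.get(("inner-tunnel", "authorize"), [])]
    if t.missing_realms:
        found.append("proxy cancelled: Proxy-To-Realm names undefined realm(s) " + ", ".join(t.missing_realms))
    if t.mschap_no_password:
        msg = f"inner-tunnel mschap had no Cleartext-Password/NT-Password for {t.user!r}"
        if inner and not any(m.startswith("sql") for m in inner):
            msg += f"; inner-tunnel authorize ran [{', '.join(inner)}], no sql instance among them"
        found.append(msg)
    if t.mschap_error is not None:
        found.append(f"MS-CHAP-Error E={t.mschap_error} ({MSCHAP_ERRORS.get(t.mschap_error, 'unknown')})")
    if t.tunneled_reply == ACCESS_REJECT and t.outer_reply == "Access-Challenge":
        found.append("tunneled reply was Access-Reject; the outer Access-Challenge carries PEAP's failure "
                     "result inside the TLS tunnel, the Access-Reject follows on the next round trip")
    return found

if __name__ == "__main__":
    print("\n".join(diagnose(parse_debug(SAMPLE_DEBUG))))
```

Run it as-is against the constructed excerpt, or pass the full `-X` transcript to `parse_debug()`; the per-(server, section) module list in `Triage.modules` is the quickest way to see whether the module that holds the known-good password actually ran inside `inner-tunnel`, which is where `mschap` needs it.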

