EAP-PWD Authentication with Username and MAC
Alan DeKok
aland at deployingradius.com
Mon Jul 27 17:30:55 CEST 2020
On Jul 27, 2020, at 11:18 AM, psuet <psuet at kawo1.rwth-aachen.de> wrote:
> Here is my log for an EAP-PWD authentication and the following content in my authorize file:
>
> "fEAy7zL2B9" Calling-Station-Id == "D8-C7-71-88-93-83", Cleartext-Password := "password"
>     Tunnel-Type = 13,
>     Tunnel-Medium-Type = 6,
>     Tunnel-Private-Group-Id = 3706
>
> Thanks for any answer!
You didn't set "virtual_server" in the pwd module.
> eap {
>     default_eap_type = "pwd"
>     timer_expire = 60
>     ignore_unknown_eap_types = no
>     cisco_accounting_username_bug = no
>     max_sessions = 16384
> }
> ...
> # Linked to sub-module rlm_eap_pwd
> pwd {
>     group = 19
>     fragment_size = 1020
>     server_id = "radius-1 at domain.de"
> }
See the comments in the default configuration.
> ...
> (3) eap: Calling submodule eap_pwd to process data
> (3) eap_pwd: Sending tunneled request
> (3) eap_pwd: User-Name = "fEAy7zL2B9 at sub3.domain.de"
> (3) eap_pwd: server default {
Which means it's running the packet through the default virtual server again.
Note that the User-Name printed here is NOT the same as the one you put into the "authorize" file.
In order for the file to match, the names have to match.
> (3) suffix: Checking for suffix after "@"
> (3) suffix: Looking up realm "sub3.domain.de" for User-Name = "fEAy7zL2B9 at sub3.domain.de"
> (3) suffix: Found realm "sub3.domain.de"
> (3) suffix: Adding Stripped-User-Name = "fEAy7zL2B9"
> (3) suffix: Adding Realm = "sub3.domain.de"
> (3) suffix: Authentication realm is LOCAL
> (3) [suffix] = ok
> (3) eap: No EAP-Message, not doing EAP
> (3) [eap] = noop
> (3) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
> (3) files: --> fEAy7zL2B9
> (3) [files] = noop
Hmm... that should match. Are you sure that you put the entry into the "authorize" file? If so, where?
Alan DeKok.
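
The script below is an added example, not part of the original message and not FreeRADIUS code. It reads the key that the files module expanded from a debug log and compares it with the entry names in an "authorize" file. It goes one step beyond the name check discussed above by also listing the comparison check items on the entry's first line, which must match the request as well. The function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread): one users-file entry, one request.
USERS = '''\
"alice"  Calling-Station-Id == "00-11-22-33-44-55", Cleartext-Password := "example"
\tTunnel-Type = 13,
\tTunnel-Private-Group-Id = 100
'''
DEBUG = '''\
(3) eap_pwd: User-Name = "alice@example.org"
(3) suffix: Adding Stripped-User-Name = "alice"
(3) files: EXPAND %{%{Stripped-User-Name}:-%{User-Name}}
(3) files:    --> alice
(3)     [files] = noop
'''

ENTRY = re.compile(r'^("(?P<q>[^"]*)"|(?P<b>\S+))\s*(?P<checks>.*)$')
# Comparison operators test the request; ":=" and "=" only set control items.
COMPARE = re.compile(r'^([\w-]+)\s*(==|!=|=~|!~|>=|<=|>|<)\s*(.+)$')

def parse_users(text):
    """Return [(name, [comparison check items])], one tuple per entry header line."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line[0] in " \t#":  # blank, reply item or comment
            continue
        m = ENTRY.match(line)
        name = m.group("q") if m.group("q") is not None else m.group("b")
        # Simplification: assumes no commas inside quoted values.
        checks = [c.strip() for c in m.group("checks").split(",") if c.strip()]
        entries.append((name, [c for c in checks if COMPARE.match(c)]))
    return entries

def files_lookups(debug):
    """Pair each key the files module expanded with the result it returned."""
    keys = re.findall(r'files:\s+--> (\S+)', debug)
    results = re.findall(r'\[files\] = (\w+)', debug)
    return list(zip(keys, results))

def explain(users_text, debug):
    """For each lookup: did any entry name match, and what else must match?"""
    entries = parse_users(users_text)
    report = []
    for key, result in files_lookups(debug):
        hits = [cs for name, cs in entries if name in (key, "DEFAULT")]
        report.append({"key": key, "result": result, "name_match": bool(hits),
                       "must_also_match": [c for cs in hits for c in cs]})
    return report

if __name__ == "__main__":
    print(explain(USERS, DEBUG))
```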