FreeRadius, Eduroam, and me...
Tim Young
Tim.Young at LightSys.org
Sat Jun 20 21:08:43 CEST 2020
This is using FreeRADIUS Version 3.0.16
I find myself in the middle of an odd situation. I am not directly part
of any of this, but I have root permissions and everyone involved is
asking me to fix what they have deployed. :(
The site that I have permissions for has recently deployed a free-radius
server to use as an eduroam endpoint, authenticating off their Active
Directory. They managed to get it to work such that they can properly
authenticate using "radtest -t mschap ..."
The consultant setting that up smiled smugly at that success and then
left. But the access from outside, using the same credentials, fails.
A consultant working at the far end is telling my friends that it is
broken, and in asking that consultant if they can give us info from any
of their working sites, we find out that none of their client sites are
working with this configuration. So, I do not know if it is my fault,
or theirs... Oh Joy.
Running "freeradius -xX" and looking at the failure and the success,
I can see a dramatic difference:
The working connection:
Sat Jun 20 14:10:22 2020 : Info: Ready to process requests
Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180 from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
Sat Jun 20 14:10:25 2020 : Debug: (1) User-Name = "user at domain.name"
Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-IP-Address = 10.1.2.11
Sat Jun 20 14:10:25 2020 : Debug: (1) NAS-Port = 1812
Sat Jun 20 14:10:25 2020 : Debug: (1) Message-Authenticator = 0xc89e50f3f488393d2b4738522be27bcc
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Challenge = 0x8860d7d61af05416
Sat Jun 20 14:10:25 2020 : Debug: (1) MS-CHAP-Response = 0x000SOMEBIGLONGNUMBER
Sat Jun 20 14:10:25 2020 : Debug: (1) session-state: No State attribute
Sat Jun 20 14:10:25 2020 : Debug: (1) # Executing section authorize from
The failed connection:
Sat Jun 20 12:26:22 2020 : Info: Ready to process requests
Sat Jun 20 12:27:05 2020 : Debug: (2) Received Access-Request Id 11 from [outsideIP]:37127 to 10.1.2.11:1812 length 91
Sat Jun 20 12:27:05 2020 : Debug: (2) User-Name = "user at domain.name"
Sat Jun 20 12:27:05 2020 : Debug: (2) User-Password = "ActualTextPassword"
Sat Jun 20 12:27:05 2020 : Debug: (2) NAS-IP-Address = [secondIP]
Sat Jun 20 12:27:05 2020 : Debug: (2) Proxy-State = 0x313632
Sat Jun 20 12:27:05 2020 : Debug: (2) session-state: No State attribute
Sat Jun 20 12:27:05 2020 : Debug: (2) # Executing section authorize from file /etc/freeradius/3.0/sitesenabled/eduroam
We are authenticating off of an internal MS Domain Controller, so we
need mschap configured, and on the failed connection we are getting:
Sat Jun 20 12:27:05 2020 : Debug: (2) modsingle[authorize]: calling mschap (rlm_mschap)
Sat Jun 20 12:27:05 2020 : Debug: (2) modsingle[authorize]: returned from mschap (rlm_mschap)
Sat Jun 20 12:27:05 2020 : Debug: (2) [mschap] = noop
And eventually:
Sat Jun 20 12:27:05 2020 : ERROR: (2) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Sat Jun 20 12:27:05 2020 : Debug: (2) Failed to authenticate the user
Sat Jun 20 12:27:05 2020 : Debug: (2) Using Post-Auth-Type Reject
Not knowing what I am stepping into, I am a bit unsure where to begin.
In checking with the people involved, the incoming request may be
correct, or it may have issues. The local configuration may have
issues, or it may be correct... Any clues as to how I should begin to
figure out which area has the problem, and then any pointers for how to
fix it?
What do you need from your end to be able to ask good questions?
- Tim
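
Added example (not part of the original post): the two traces above differ in which credential attributes the Access-Request carries. This Python script groups "freeradius -X" debug lines by request number and reports, per request, the method those attributes imply, the module return codes, and whether the "No Auth-Type found" rejection occurred. The sample log is constructed from the post's excerpts with wrapped lines rejoined and a placeholder IP and password; the function names are hypothetical.

```python
import re

# Constructed sample: trimmed from the post's two traces, wrapped lines rejoined;
# 192.0.2.10 and the password value are placeholders.
SAMPLE = """\
Sat Jun 20 14:10:25 2020 : Debug: (1) Received Access-Request Id 180 from 127.0.0.1:59459 to 127.0.0.1:1812 length 166
Sat Jun 20 14:10:25 2020 : Debug: (1)   User-Name = "user@domain.name"
Sat Jun 20 14:10:25 2020 : Debug: (1)   MS-CHAP-Challenge = 0x8860d7d61af05416
Sat Jun 20 14:10:25 2020 : Debug: (1)   MS-CHAP-Response = 0x00
Sat Jun 20 12:27:05 2020 : Debug: (2) Received Access-Request Id 11 from 192.0.2.10:37127 to 10.1.2.11:1812 length 91
Sat Jun 20 12:27:05 2020 : Debug: (2)   User-Name = "user@domain.name"
Sat Jun 20 12:27:05 2020 : Debug: (2)   User-Password = "placeholder"
Sat Jun 20 12:27:05 2020 : Debug: (2)   Proxy-State = 0x313632
Sat Jun 20 12:27:05 2020 : Debug: (2)     [mschap] = noop
Sat Jun 20 12:27:05 2020 : ERROR: (2) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
"""

LINE = re.compile(r": \w+: \((\d+)\)\s+(.*)$")   # "<time> : Debug: (N) <rest>"
ATTR = re.compile(r"([A-Za-z][\w-]*) = ")         # "Name = value"
MODULE = re.compile(r"\[(\w+)\] = (\w+)$")        # "[mschap] = noop"
METHODS = (("EAP", "EAP-Message"), ("MS-CHAP", "MS-CHAP-Challenge"),
           ("CHAP", "CHAP-Password"), ("PAP", "User-Password"))

def method(attrs):
    """Name the authentication method implied by the request's credential attributes."""
    return next((name for name, key in METHODS if key in attrs), "none")

def summarize(log_text):
    """Return {request_number: {"method", "modules", "no_auth_type"}} for a debug log."""
    reqs = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a "(N)" request number (startup, continuations)
        rest = m.group(2)
        req = reqs.setdefault(int(m.group(1)), {"attrs": set(), "modules": {},
                                                "no_auth_type": False, "reading": False})
        if rest.startswith("Received Access-Request"):
            req["reading"] = True            # attribute list of the packet follows
        elif req["reading"] and (a := ATTR.match(rest)):
            req["attrs"].add(a.group(1))
        else:
            req["reading"] = False           # packet attributes are over
            if (r := MODULE.match(rest)):
                req["modules"][r.group(1)] = r.group(2)
            req["no_auth_type"] |= "No Auth-Type found" in rest
    return {n: {"method": method(r["attrs"]), "modules": r["modules"],
                "no_auth_type": r["no_auth_type"]} for n, r in reqs.items()}
```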