Problem with Anonymous Identity
Vincent 珉 Hua 华
vincenthua at hotmail.com
Sat Jul 10 12:36:43 CEST 2021
Hi fellow FreeRADIUS users,
I ran into a problem with the Anonymous Identity.
We are on FreeRADIUS v.3.0.19 with MySQL. When Anonymous Identity is configured on the client for PEAP authentication, it will fail.
Server log (please see below) shows that the RADIUS service didn’t use the real username when comparing the username and password. Instead, the Anonymous Identity was used to compare against the database which caused the authentication to fail. However, if we do not use the Anonymous Identity, then it will pass.
Does anyone know how to authenticate with Anonymous Identity configured?
I have a portion of the log below for your reference. “aIdentity” is the configured Anonymous Identity and “test” is the real username.
Thanks in advance! Any help or hint would be greatly appreciated!
Log starts below:
(1) Received Access-Request Id 105 from 127.0.0.1:55041 to 127.0.0.1:1812 length 256
(1) User-Name = "aIdentity"
(1) Called-Station-Id = "B0-39-45-58-4E-2B:Demo at HT"
(1) NAS-Port-Type = Wireless-802.11
(1) Service-Type = Framed-User
(1) NAS-Port = 1
(1) Calling-Station-Id = "EE-7E-71-A0-BC-11"
(1) Connect-Info = "CONNECT 54Mbps 802.11a"
(1) Acct-Session-Id = "0816F02A9CC6C767"
(1) WLAN-Pairwise-Cipher = 1027076
(1) WLAN-Group-Cipher = 1027076
(1) WLAN-AKM-Suite = 1027073
(1) Framed-MTU = 1400
(1) EAP-Message = 0x020200060319
(1) State = 0x2c0d44352c0f404cf084667d855c550a
(1) Message-Authenticator = 0xf87e83ccd07bd1fb16e0e8a105c1a5aa
(1) Event-Timestamp = "May 14 2021 19:43:01 CST"
(1) NAS-IP-Address = 70.79.251.29
(1) Proxy-State = 0x32
(1) session-state: No cached attributes
(1) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(18) eap: Calling submodule eap_mschapv2 to process data
(18) eap_mschapv2: # Executing group from file /usr/local/etc/raddb/sites-enabled/inner-tunnel
(18) eap_mschapv2: authenticate {
(18) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(18) mschap: WARNING: User-Name (aIdentity) is not the same as MS-CHAP Name (test) from EAP-MSCHAPv2
(18) mschap: Creating challenge hash with username: test
(18) mschap: Client is using MS-CHAPv2
(18) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(18) mschap: ERROR: MS-CHAP2-Response is incorrect
(18) eap_mschapv2: [mschap] = reject
(18) eap_mschapv2: } # authenticate = reject
===============
Vincent
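
An added example, not part of the original post and not FreeRADIUS code: a small Python triage script that reads debug lines in the format shown above and reports, per request number, the User-Name the mschap module saw, the MS-CHAP name from EAP-MSCHAPv2, and whether mschap found a password to check against. The sample lines are copied from the log in the post; the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Sample lines copied from the log in the post above.
SAMPLE_LOG = """\
(1) User-Name = "aIdentity"
(18) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(18) mschap: WARNING: User-Name (aIdentity) is not the same as MS-CHAP Name (test) from EAP-MSCHAPv2
(18) mschap: ERROR: FAILED: No NT-Password. Cannot perform authentication
(18) mschap: ERROR: MS-CHAP2-Response is incorrect
(18) eap_mschapv2: [mschap] = reject
"""

LINE = re.compile(r'^\((\d+)\)\s+(.*)$')          # "(N) rest of line"
OUTER = re.compile(r'^User-Name = "([^"]*)"$')    # attribute in the Access-Request
MISMATCH = re.compile(r'User-Name \(([^)]*)\) is not the same as MS-CHAP Name \(([^)]*)\)')
MSCHAP_MSG = re.compile(r'^mschap: (WARNING|ERROR): (.*)$')

def triage(log_text):
    """Group findings by the request number in parentheses (hypothetical helper)."""
    out = defaultdict(lambda: {"outer": None, "mschap_user_name": None, "inner": None,
                               "warnings": [], "errors": [], "rejected": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-request debug line
        rec, body = out[int(m.group(1))], m.group(2)
        if (o := OUTER.match(body)):
            rec["outer"] = o.group(1)
        if (mm := MISMATCH.search(body)):
            rec["mschap_user_name"], rec["inner"] = mm.groups()
        if (w := MSCHAP_MSG.match(body)):
            rec["warnings" if w.group(1) == "WARNING" else "errors"].append(w.group(2))
        if body.endswith("= reject"):
            rec["rejected"] = True
    return dict(out)

def summarize(findings):
    """One line per rejected request: the names mschap saw and whether a password was found."""
    lines = []
    for req, rec in sorted(findings.items()):
        if rec["rejected"]:
            no_pw = any("No NT-Password" in e for e in rec["errors"])
            lines.append(f"({req}) User-Name={rec['mschap_user_name']!r} "
                         f"MS-CHAP-name={rec['inner']!r} no_nt_password={no_pw}")
    return lines

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```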