Authentication issues

David le Roux david.leroux at miller.co.uk
Fri Jun 3 14:43:05 UTC 2022 

Hi Alan,

> The "invalid user" message is correct.  The MAC address in the User-Name isn't found in the "authorized_macs" list.  Note that it does it's lookup by exact string match.  So check that the MAC address is listed, and has exactly the same format.

I've checked an the mac is certainly there in lower case. However I notice this in the debug:
> (2)         update request {
> (2)           EXPAND %{toupper:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
> (2)              --> 08-00-0F-82-64-F0

I can't find anywhere in the config a command to make it upper case (though several "to lower"). Do I need to make my entire list upper case or am I missing a config option?

Kind regards,

David le Roux



-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+david.leroux=miller.co.uk at lists.freeradius.org> On Behalf Of Alan DeKok
Sent: 31 May 2022 14:58
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: Authentication issues

On May 31, 2022, at 9:49 AM, David le Roux <david.leroux at miller.co.uk> wrote:
> I've got two different authentication issues. The server is meant to service both mac-based authentication (using authorized_macs file) and eap-tls using certificates. This is for a production environment where I have done my best to mimic our old setup which is working but on EOL software.
>
> In the logs I get "invalid user" for the mac-based auth and "eap_tls: ERROR: TLS alert werite:fatal:internal error.

  I don't see the TLS error in the logs.  What I do see is that FreeRADIUS sends an Access-Challenge, the client doesn't respond.

  This is almost always because of certificate issues.  The client doesn't know / trust the certificates presented by FreeRADIUS.

  The "invalid user" message is correct.  The MAC address in the User-Name isn't found in the "authorized_macs" list.  Note that it does it's lookup by exact string match.  So check that the MAC address is listed, and has exactly the same format.

  That's why it prints everything in debug mode... so you can check the printed MAC against what's in the file, and verify for yourself that it should / should not work.

> FreeRADIUS Version 3.0.21

  I'd upgrade to 3.2.0.  it has many fixes and enhancements.

  Alan DeKok.
________________________________


Miller Homes Limited Registered in Scotland - SC255429
2 Lochside View, Edinburgh Park, Edinburgh, EH12 9DH

Disclaimer: The Information in this e-mail is confidential and for use by the addressee(s) only. It may also be privileged. If you are not the intended recipient please notify us immediately on +44 (0) 870 336 5000 and delete the message from your computer: you may not copy or forward it, or use or disclose its contents to any other person. We do not accept any liability or responsibility for: (1) changes made to this email after it was sent, or (2) viruses transmitted through this email or any attachment.

Miller Homes Limited <https://www.millerhomes.co.uk>

More information about the Freeradius-Users mailing list