Authentication issues
David le Roux
david.leroux at miller.co.uk
Fri Jun 24 12:56:46 UTC 2022
So I used the scriptlet below to remove the host/ section and now no longer get the error message.
# Strip the leading "host/" and keep the remainder (first capture group)
if (&User-Name =~ /^host\/(.*)$/) {
    update request {
        &Cert-CN := "%{1}"
    }
}
As I was getting this error:
(8) eap_tls: --> host/hostname.domain.com
(8) eap_tls: checking certificate CN (hostname.domain.com) with xlat'ed value (host/hostname.domain.com)
tls: Certificate CN (hostname.domain.com) does not match specified value (host/hostname.domain.com)!
(8) eap_tls: >>> send TLS 1.2 [length 0002]
(8) eap_tls: ERROR: TLS Alert write:fatal:internal error
tls: TLS_accept: Error in error
However I now get the following error:
(2) Received Access-Request Id 15 from 10.37.80.11:1812 to 10.10.251.2:1812 length 547
(2) Framed-MTU = 1480
(2) NAS-IP-Address = 10.37.80.11
(2) NAS-Identifier = "de-sw01"
(2) User-Name = "host/hostname.domain.com"
(2) Service-Type = Framed-User
(2) Framed-Protocol = PPP
(2) NAS-Port = 26
(2) NAS-Port-Type = Ethernet
(2) NAS-Port-Id = "26"
(2) Called-Station-Id = "ec-9a-74-19-ad-00"
(2) Calling-Station-Id = "e4-54-e8-54-4a-de"
(2) Connect-Info = "CONNECT Ethernet 100Mbps Full duplex"
(2) Tunnel-Type:0 = VLAN
(2) Tunnel-Medium-Type:0 = IEEE-802
(2) Tunnel-Private-Group-Id:0 = "2"
(2) State = 0x0c28a8740c27a50f9f6de32a28f2c7f2
(2) EAP-Message = 0x020f00a60d800000009c160303009701000093030362b4ac3d2994f113ce5e3bd59fbac73691749a9495b7fbc7539910760601aea700002ac02cc02bc030c02f009f009ec024c023c028c027c00ac009c014c013009d009c003d003c0035002f000a01000040000500050100000000000a00080006001d00170018000b00020100000d001400120401050102010403050302030202060106030023000000170000ff01000100
(2) Message-Authenticator = 0xc559daf1fcab5e9b102c581c18f3c4c0
(2) MS-RAS-Vendor = 11
(2) HP-Capability-Advert = 0x011a0000000b28
(2) HP-Capability-Advert = 0x011a0000000b2e
(2) HP-Capability-Advert = 0x011a0000000b30
(2) HP-Capability-Advert = 0x011a0000000b3d
(2) HP-Capability-Advert = 0x011a0000000b18
(2) HP-Capability-Advert = 0x011a0000000b19
(2) HP-Capability-Advert = 0x0138
(2) HP-Capability-Advert = 0x013a
(2) HP-Capability-Advert = 0x0140
(2) HP-Capability-Advert = 0x0141
(2) HP-Capability-Advert = 0x0151
(2) Restoring &session-state
(2) &session-state:Framed-MTU = 994
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/mh-site
(2) authorize {
(2) policy filter_username {
(2) if (&User-Name) {
(2) if (&User-Name) -> TRUE
(2) if (&User-Name) {
(2) if (&User-Name =~ / /) {
(2) if (&User-Name =~ / /) -> FALSE
(2) if (&User-Name =~ /@[^@]*@/ ) {
(2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
(2) if (&User-Name =~ /\.\./ ) {
(2) if (&User-Name =~ /\.\./ ) -> FALSE
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
(2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
(2) if (&User-Name =~ /\.$/) {
(2) if (&User-Name =~ /\.$/) -> FALSE
(2) if (&User-Name =~ /@\./) {
(2) if (&User-Name =~ /@\./) -> FALSE
(2) } # if (&User-Name) = notfound
(2) } # policy filter_username = notfound
(2) [preprocess] = ok
(2) [chap] = noop
(2) eap: Peer sent EAP Response (code 2) ID 15 length 166
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) files: users: Matched entry DEFAULT at line 167
(2) [files] = ok
(2) [expiration] = noop
(2) [logintime] = noop
(2) policy rewrite_calling_station_id {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) -> TRUE
(2) if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) {
(2) update request {
(2) EXPAND %{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}
(2) --> e4-54-e8-54-4a-de
(2) &Calling-Station-Id := e4-54-e8-54-4a-de
(2) } # update request = noop
(2) [updated] = updated
(2) } # if (&Calling-Station-Id && (&Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i)) = updated
(2) ... skipping else: Preceding "if" was taken
(2) } # policy rewrite_calling_station_id = updated
(2) if (&User-Name =~ /^host\/(.*)$/) {
(2) if (&User-Name =~ /^host\/(.*)$/) -> TRUE
(2) if (&User-Name =~ /^host\/(.*)$/) {
(2) update request {
(2) EXPAND %{1}
(2) --> hostname.domain.com
(2) &User-Name := hostname.domain.com
(2) } # update request = noop
(2) } # if (&User-Name =~ /^host\/(.*)$/) = noop
(2) if (!EAP-Message) {
(2) if (!EAP-Message) -> FALSE
(2) else {
(2) eap: Peer sent EAP Response (code 2) ID 15 length 166
(2) eap: No EAP Start, assuming it's an on-going EAP conversation
(2) [eap] = updated
(2) } # else = updated
(2) } # authorize = updated
(2) Found Auth-Type = eap
(2) Found Auth-Type = eap
(2) ERROR: Warning: Found 2 auth-types on request for user 'hostname.domain.com'
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/mh-site
(2) Auth-Type EAP {
(2) eap: Expiring EAP session with state 0xf81b3429f8f739ad
(2) eap: Finished EAP session with state 0x0c28a8740c27a50f
(2) eap: Previous EAP request found for state 0x0c28a8740c27a50f, released from the list
(2) eap: Identity does not match User-Name. Authentication failed
(2) eap: Failed in handler
(2) [eap] = invalid
(2) } # Auth-Type EAP = invalid
(2) Failed to authenticate the user
(2) Using Post-Auth-Type Reject
(2) Post-Auth-Type sub-section not found. Ignoring.
(2) Login incorrect (Warning: Found 2 auth-types on request for user 'hostname.domain.com'): [hostname.domain.com] (from client de-sw01 port 26 cli e4-54-e8-54-4a-de)
(2) Delaying response for 1.000000 seconds
I imagine that, having now modified the username, it no longer matches its identity. I'm not sure how to remediate that.
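The debug output above shows why the rewrite fails: once &User-Name is changed in authorize, the eap module compares the EAP-Response/Identity it saw at the start of the conversation against the new value and rejects with "Identity does not match User-Name". The usual way round this is to leave &User-Name alone, put the stripped name into a separate attribute, and point the certificate CN check at that attribute instead. The fragment below is an added example and not the poster's configuration or the FreeRADIUS project's shipped config; it assumes a 3.0 layout where the TLS settings live in a tls-config section of mods-enabled/eap, and uses the standard internal &Stripped-User-Name attribute to carry the stripped value.

```unlang
# Added example (not from the original post). Two changes:
#
# 1. In the authorize section of the virtual server
#    (sites-enabled/<site>), replacing the block that did
#    "update request { &User-Name := ... }". &User-Name is left intact so
#    the eap module's identity check still passes on every round.
if (&User-Name =~ /^host\/(.*)$/) {
    update request {
        # "host/hostname.domain.com" -> "hostname.domain.com"
        &Stripped-User-Name := "%{1}"
    }
}

# 2. In the tls-config section of mods-enabled/eap (file and section name
#    assumed; adjust to the local layout). Use the stripped name when it is
#    set and fall back to the raw &User-Name for supplicants that send a
#    plain name with no "host/" prefix:
#
#    check_cert_cn = "%{%{Stripped-User-Name}:-%{User-Name}}"
```

With this in place the eap_tls line "checking certificate CN (hostname.domain.com) with xlat'ed value (...)" should show the stripped value, while the request still carries User-Name = "host/hostname.domain.com" all the way through. Note that the realm/suffix modules also write &Stripped-User-Name; that does not conflict here because host/ names contain no "@", but check the order of modules in authorize if the same server also handles user@realm logins.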