Stuck at "More than 50 roundtrips"

thomas at habets.se thomas at habets.se
Mon Oct 23 22:45:06 UTC 2023


Hi.

I'm trying to set up EAP-TLS with certificates with an Android Pixel 7
Pro, latest OS, via a Unifi U6 Pro, using FreeRADIUS 3.0.17 on a
Raspberry Pi 4.

I took the default config, and changed as little as possible:

clients.conf, added:

client wifi_aps {
       ipaddr = 192.168.123.0/24
       secret = radiuspasswordhere
}

In case it would help, I also added a user. PEAP auth with
username/password works.

wifi    Cleartext-Password := "XXXXXXX"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "13",
        Reply-Message = "Hello there!"

Made the certificates by editing the .cnf files and doing "make
ca.pem", "make server.pem", and "make client.pem".

I loaded the .p12 on the Android phone, and changed the paths in
mod-enabled/eap.

I changed default_eap_type to tls, and added use_tunneled_reply to
tls-config.

Here's a selection of the output of freeradius -X:

First access request in packet 1:
(1) Received Access-Request Id 61 from 192.168.XX.Z:59545 to
192.168.XX.Y:1812 length 216

SSL handshake done by packet 8:
(8) eap_tls: SSL Connection Established
(with client cert details shown)

After that there's just a bunch of apparently empty-ish repeating
Access-Request/Access-Challenge[1], and it's stuck that way until:

(52) eap: ERROR: rlm_eap (EAP): Aborting! More than 50 roundtrips made
in session with state 0x8e36e001bc25ed47

What am I doing wrong? In this example I'm putting "wifi" as identity,
in case it helps that it's present in the user config.

I expect that at some point the server should reply Accepted, instead
of a new challenge. I guess the client cert was not enough auth? Is
there a config I need to change so that cert is sufficient?

I'd appreciate any help. Thanks.

[1]

(14) Received Access-Request Id 74 from 192.168.XX.Z:59545 to
192.168.XX.Y:1812 length 231
(14)   User-Name = "wifi"
(14)   NAS-IP-Address = 192.168.XX.Z
(14)   NAS-Identifier = "xxx"
(14)   Called-Station-Id = "xx-xx-xx-xx-xx-xx:secnet2"
(14)   NAS-Port-Type = Wireless-802.11
(14)   Service-Type = Framed-User
(14)   Calling-Station-Id = "xx-xx-xx-xx-xx-xx"
(14)   Connect-Info = "CONNECT 0Mbps 802.11b"
(14)   Acct-Session-Id = "3E1F2B0282D15C98"
(14)   Acct-Multi-Session-Id = "3870EEE1F7155662"
(14)   WLAN-Pairwise-Cipher = 1027076
(14)   WLAN-Group-Cipher = 1027076
(14)   WLAN-AKM-Suite = 1027073
(14)   Framed-MTU = 1400
(14)   EAP-Message = 0x02ed00060d00
(14)   State = 0x8e36e00182dbed476556c84932fcf3de
(14)   Message-Authenticator = 0x03a0ae965bd12781a50f91cd3ac1aaf6
(14) session-state: No cached attributes
(14) # Executing section authorize from file
/etc/freeradius/3.0/sites-enabled/default
(14)   authorize {
(14)     policy filter_username {
(14)       if (&User-Name) {
(14)       if (&User-Name)  -> TRUE
(14)       if (&User-Name)  {
(14)         if (&User-Name =~ / /) {
(14)         if (&User-Name =~ / /)  -> FALSE
(14)         if (&User-Name =~ /@[^@]*@/ ) {
(14)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(14)         if (&User-Name =~ /\.\./ ) {
(14)         if (&User-Name =~ /\.\./ )  -> FALSE
(14)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(14)         if ((&User-Name =~ /@/) && (&User-Name !~
/@(.+)\.(.+)$/))   -> FALSE
(14)         if (&User-Name =~ /\.$/)  {
(14)         if (&User-Name =~ /\.$/)   -> FALSE
(14)         if (&User-Name =~ /@\./)  {
(14)         if (&User-Name =~ /@\./)   -> FALSE
(14)       } # if (&User-Name)  = notfound
(14)     } # policy filter_username = notfound
(14)     [preprocess] = ok
(14)     [chap] = noop
(14)     [mschap] = noop
(14)     [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: No '@' in User-Name = "wifi", looking up realm NULL
(14) suffix: No such realm "NULL"
(14)     [suffix] = noop
(14) eap: Peer sent EAP Response (code 2) ID 237 length 6
(14) eap: No EAP Start, assuming it's an on-going EAP conversation
(14)     [eap] = updated
(14) files: users: Matched entry wifi at line 90
(14)     [files] = ok
(14)     [expiration] = noop
(14)     [logintime] = noop
(14) pap: WARNING: Auth-Type already set.  Not setting to PAP
(14)     [pap] = noop
(14)   } # authorize = updated
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14)   authenticate {
(14) eap: Expiring EAP session with state 0x8e36e00182dbed47
(14) eap: Finished EAP session with state 0x8e36e00182dbed47
(14) eap: Previous EAP request found for state 0x8e36e00182dbed47,
released from the list
(14) eap: Peer sent packet with method EAP TLS (13)
(14) eap: Calling submodule eap_tls to process data
(14) eap_tls: Continuing EAP-TLS
(14) eap_tls: Peer ACKed our handshake fragment
(14) eap_tls: [eaptls verify] = request
(14) eap_tls: [eaptls process] = handled
(14) eap: Sending EAP Request (code 1) ID 238 length 10
(14) eap: EAP session adding &reply:State = 0x8e36e00183d8ed47
(14)     [eap] = handled
(14)   } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(14)   Challenge { ... } # empty sub-section is ignored
(14) Sent Access-Challenge Id 74 from 192.168.XX.Y:1812 to
192.168.XX.Z:59545 length 0
(14)   Tunnel-Type = VLAN
(14)   Tunnel-Medium-Type = IEEE-802
(14)   Tunnel-Private-Group-Id = "13"
(14)   Reply-Message = "Hello there!"
(14)   EAP-Message = 0x01ee000a0d8000000000
(14)   Message-Authenticator = 0x00000000000000000000000000000000
(14)   State = 0x8e36e00183d8ed476556c84932fcf3de
(14) Finished request

--
typedef struct me_s {
  char name[]      = { "Thomas Habets" };
  char email[]     = { "thomas at habets.se" };
  char kernel[]    = { "Linux" };
  char *pgpKey[]   = { "http://www.habets.pp.se/pubkey.txt" };
  char pgp[] = { "9907 8698 8A24 F52F 1C2E  87F6 39A4 9EEA 460A 0169" };
  char coolcmd[]   = { "echo '. ./_&. ./_'>_;. ./_" };
} me_t;
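To see what the "empty-ish" packets in footnote [1] actually carry, the following decoder parses the two EAP-Message values quoted in the trace according to the EAP (RFC 3748) and EAP-TLS (RFC 5216) layouts. This is an added example, not code from the original post or from FreeRADIUS; the packet-type names, the `is_tls_ack` / `is_empty_tls_request` predicates and the `stuck_in_ack_loop` helper are the example's own. A type-13 Response with a zero flags byte and no data is the EAP-TLS ACK; a type-13 Request whose L flag is set with a TLS Message Length of 0 and no data is a request that moves no handshake bytes at all, which is what the peer is acknowledging over and over until the 50-roundtrip cap.

```python
"""Decode the EAP-Message values from a freeradius -X trace.

Added example, not code from the original post or from FreeRADIUS. Layout
follows RFC 3748 (EAP) and RFC 5216 (EAP-TLS). The two sample packets are
the EAP-Message hex strings quoted in the log above.
"""
from dataclasses import dataclass
from typing import List, Optional

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_TLS = 13
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20  # Length-included, More, Start


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int] = None          # absent for Success/Failure
    flags: int = 0                          # EAP-TLS flags byte
    tls_total_length: Optional[int] = None  # only present when L is set
    tls_data: bytes = b""

    @property
    def is_tls_ack(self) -> bool:
        """A Response of type 13 with no flags and no data is the EAP-TLS ACK."""
        return (self.code == 2 and self.eap_type == EAP_TYPE_TLS
                and self.flags == 0 and not self.tls_data)

    @property
    def is_empty_tls_request(self) -> bool:
        """A non-Start Request of type 13 that carries no TLS record at all."""
        return (self.code == 1 and self.eap_type == EAP_TYPE_TLS
                and not self.tls_data and not (self.flags & FLAG_S))


def from_hex(s: str) -> bytes:
    return bytes.fromhex(s[2:] if s.lower().startswith("0x") else s)


def parse_eap(raw: bytes) -> EapPacket:
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes: Code, Identifier, Length")
    code, ident = raw[0], raw[1]
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"Length field {length} but {len(raw)} bytes present")
    pkt = EapPacket(code, ident, length)
    if code in (3, 4):                      # Success / Failure carry no Type
        return pkt
    if length < 5:
        raise ValueError("Request/Response must carry a Type byte")
    pkt.eap_type = raw[4]
    if pkt.eap_type != EAP_TYPE_TLS:
        pkt.tls_data = raw[5:]              # opaque type-data for other methods
        return pkt
    if length < 6:
        raise ValueError("EAP-TLS packet must carry a Flags byte")
    pkt.flags = raw[5]
    body = raw[6:]
    if pkt.flags & FLAG_L:
        if len(body) < 4:
            raise ValueError("L flag set but TLS Message Length missing")
        pkt.tls_total_length = int.from_bytes(body[:4], "big")
        body = body[4:]
    pkt.tls_data = body
    return pkt


def describe(pkt: EapPacket) -> str:
    name = EAP_CODES.get(pkt.code, f"code {pkt.code}")
    s = f"{name} id={pkt.identifier} len={pkt.length}"
    if pkt.eap_type is None:
        return s
    if pkt.eap_type != EAP_TYPE_TLS:
        return s + f" type={pkt.eap_type} data={pkt.tls_data.hex()}"
    flags = "".join(n for n, b in (("L", FLAG_L), ("M", FLAG_M), ("S", FLAG_S))
                    if pkt.flags & b)
    s += f" EAP-TLS flags=[{flags or '-'}]"
    if pkt.tls_total_length is not None:
        s += f" tls_len={pkt.tls_total_length}"
    s += f" data={len(pkt.tls_data)}B"
    if pkt.is_tls_ack:
        s += " (client ACK)"
    elif pkt.is_empty_tls_request:
        s += " (server request with no TLS record)"
    return s


def stuck_in_ack_loop(hex_messages: List[str]) -> bool:
    """True when every packet is an ACK or an empty request: the exchange is
    moving no handshake bytes and will run into FreeRADIUS's roundtrip cap."""
    pkts = [parse_eap(from_hex(h)) for h in hex_messages]
    return len(pkts) >= 2 and all(p.is_tls_ack or p.is_empty_tls_request for p in pkts)


# The two EAP-Message values quoted in the trace: request (14) and its reply.
SAMPLE = ["0x02ed00060d00", "0x01ee000a0d8000000000"]

if __name__ == "__main__":
    for h in SAMPLE:
        print(h, "->", describe(parse_eap(from_hex(h))))
    print("ACK loop:", stuck_in_ack_loop(SAMPLE))
```

Running it prints the Response as `id=237 len=6 ... (client ACK)` and the Request as `id=238 len=10 EAP-TLS flags=[L] tls_len=0 data=0B (server request with no TLS record)`, matching the "Peer sent EAP Response (code 2) ID 237 length 6" and "Sending EAP Request (code 1) ID 238 length 10" lines in the trace. Feeding a longer run of EAP-Message values from a debug log to `stuck_in_ack_loop` is a quick way to tell a genuine fragment exchange (TLS data in flight) from this kind of idle ACK ping-pong.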
