freeradius confuses switch
Matthew Newton
mcn at freeradius.org
Fri May 9 10:33:52 UTC 2025
On 09/05/2025 11:08, Christoph Egger wrote:
> Am 09.05.25 um 10:55 schrieb Matthew Newton via Freeradius-Users:
>> On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
>>> switch -> freeradius: access-request (1), id: 0x2d
>>> freeradius -> switch: access-reject (3), id: 0x2d
>>> freeradius -> switch: access-accept (2), id: 0x2c
>>
>> FreeRADIUS never sends a reject followed by an accept for the same
>> request.
>>
>> As always, what does the full debug output show?
>>
> 11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF],
> proto UDP (17), length 227)
> SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199
> Access-Request (1), id: 0x36, Authenticator:
> 1c90635e4f03a9b669a2402965fc8e41
> User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
request ID 54 (0x36)
> 11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF],
> proto UDP (17), length 66)
> 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38
> Access-Reject (3), id: 0x36, Authenticator:
> d657e1caadf330afa206db0ffe469c17
response to request ID 54
> 11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF],
> proto UDP (17), length 88)
> 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60
> Access-Accept (2), id: 0x35, Authenticator:
> dfd3f8ac0586d2551621d599d5a00839
response to request ID 53 (0x35)
>
> Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump:
...
Request ID 53 (number 52), weird-looking request, maybe it's an odd form
of MAC auth bypass?
> authentik-freeradius-1 | (52) Received Access-Request Id 53 from
> 172.16.1.1:49514 to 172.16.1.2:1812 length 217
> authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme"
> authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4"
> authentik-freeradius-1 | (52) Service-Type = Framed-User
> authentik-freeradius-1 | (52) # Executing section authorize from file /
> opt/etc/raddb/sites-enabled/default
> authentik-freeradius-1 | (52) authorize {
> authentik-freeradius-1 | (52) } # policy filter_username = notfound
> authentik-freeradius-1 | (52) [preprocess] = ok
> authentik-freeradius-1 | (52) [chap] = noop
> authentik-freeradius-1 | (52) [mschap] = noop
> authentik-freeradius-1 | (52) [digest] = noop
> authentik-freeradius-1 | (52) suffix: Checking for suffix after "@"
> authentik-freeradius-1 | (52) # Executing section authorize from
> file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel
> authentik-freeradius-1 | (52) authorize {
> authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP
> authentik-freeradius-1 | (52) Expecting proxy response no later than
> 29.667705 seconds from now
waiting for proxy
...
request ID 53 (number 53), EAP...
> authentik-freeradius-1 | (53) Received Access-Request Id 54 from
> 172.16.1.1:49514 to 172.16.1.2:1812 length 199
> authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme"
> authentik-freeradius-1 | (53) EAP-Message =
> 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d
> authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3
> authentik-freeradius-1 | (53) NAS-Port = 3
> authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4"
> authentik-freeradius-1 | (53) Service-Type = Framed-User
> authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E"
> authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet
> authentik-freeradius-1 | (53) Message-Authenticator =
> 0xfdd12d739d02d46620b603b2b5201094
> authentik-freeradius-1 | (53) # Executing section authorize from file /
> opt/etc/raddb/sites-enabled/default
> authentik-freeradius-1 | (53) authorize {
> authentik-freeradius-1 | (53) policy filter_username {
> authentik-freeradius-1 | (53) if (&User-Name) {
> authentik-freeradius-1 | (53) if (&User-Name) -> TRUE
> authentik-freeradius-1 | (53) if (&User-Name) {
> authentik-freeradius-1 | (53) if (&User-Name =~ / /) {
> authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE
> authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) {
> authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) ->
> FALSE
> authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) {
> authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE
> authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/)) {
> authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) &&
> (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
> authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) {
> authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE
> authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) {
> authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE
> authentik-freeradius-1 | (53) } # if (&User-Name) = notfound
> authentik-freeradius-1 | (53) } # policy filter_username = notfound
> authentik-freeradius-1 | (53) [preprocess] = ok
> authentik-freeradius-1 | (53) [chap] = noop
> authentik-freeradius-1 | (53) [mschap] = noop
> authentik-freeradius-1 | (53) [digest] = noop
> authentik-freeradius-1 | (53) suffix: Checking for suffix after "@"
> authentik-freeradius-1 | (53) suffix: No '@' in User-Name =
> "apple_lan_thatsme", looking up realm NULL
> authentik-freeradius-1 | (53) suffix: No such realm "NULL"
> authentik-freeradius-1 | (53) eap: Continuing tunnel setup
> authentik-freeradius-1 | (53) [eap] = ok
> authentik-freeradius-1 | (53) } # authorize = ok
> authentik-freeradius-1 | (53) Found Auth-Type = eap
> authentik-freeradius-1 | (53) # Executing group from file /opt/etc/
> raddb/sites-enabled/default
> authentik-freeradius-1 | (53) authenticate {
> authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State
> attribute to work, but no State exists in the Access-Request packet.
> authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken.
> No amount of changing FreeRADIUS will fix the RADIUS client.
> authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP-
> response to an unknown EAP-request
...but it's a broken client, FreeRADIUS gives up.
> authentik-freeradius-1 | Waking up in 0.6 seconds.
> authentik-freeradius-1 | (53) Sending delayed response
> authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from
> 172.16.1.2:1812 to 172.16.1.1:49514 length 38
> authentik-freeradius-1 | Waking up in 3.9 seconds.
> authentik-freeradius-1 |
Cleaning up the previous auth after response from proxy server:
> (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> authentik-freeradius-1 | (52) BlastRADIUS check: Received packet
> without Message-Authenticator from home_server authentik_radius_outpost
> authentik-freeradius-1 |
> (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> authentik-freeradius-1 | (52) The packet does not contain Message-
> Authenticator, which is a security issue
> authentik-freeradius-1 | (52) Once the home server is upgraded, set
> "require_message_authenticator = true" for home_server
> authentik_radius_outpost
> authentik-freeradius-1 |
> (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> authentik-freeradius-1 | (52) Clearing existing &reply: attributes
> authentik-freeradius-1 | (52) Found Auth-Type = eap
> authentik-freeradius-1 | (52) Found Auth-Type = Accept
> authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on
> request for user 'apple_lan_thatsme'
> authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user
> authentik-freeradius-1 | (52) # Executing section post-auth from file /
> opt/etc/raddb/sites-enabled/default
...
> authentik-freeradius-1 | (52) } # post-auth = updated
> authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from
> 172.16.1.2:1812 to 172.16.1.1:49514 length 60
> authentik-freeradius-1 | (52) Framed-MTU += 994
> authentik-freeradius-1 | (52) Tunnel-Type = VLAN
> authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802
> authentik-freeradius-1 | (52) Finished request
Looks like your NAS is broken, sending invalid requests, or not waiting
for the first one to finish before sending another.
--
Matthew
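The confusion in this thread comes from mixing up two counters: FreeRADIUS's own request number (the "(52)" / "(53)" prefix) and the 8-bit RADIUS Identifier the NAS put in the packet ("Id 53" / "Id 54"). The following script is an added example, not code from the thread or from the FreeRADIUS project. It parses lines in the format the -X debug output uses, pairs every "Sent" with its "Received", lists the replies in the order the NAS saw them on the wire, and flags the two things the debug above shows: a client sending a new Access-Request while an earlier one is still unanswered, and a non-Identity EAP response that carries no State attribute. The sample log is constructed from the thread's values and shortened; the EAP-Message is truncated to its header bytes.

```python
"""Correlate FreeRADIUS -X debug lines by request number and RADIUS Id.

Added example, not FreeRADIUS code. Only the constructed SAMPLE_LOG below
is read; nothing touches the network.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RECV_RE = re.compile(r"^\((\d+)\) Received (Access-Request) Id (\d+) from (\S+) to (\S+)")
SENT_RE = re.compile(r"^\((\d+)\) Sent (Access-\w+) Id (\d+) from (\S+) to (\S+)")
ATTR_RE = re.compile(r"^\((\d+)\)\s+([A-Za-z0-9-]+) = (.*)$")

EAP_TYPE_IDENTITY = 1  # an Identity response is the only EAP packet legitimately sent without State

# Constructed sample, modelled on the thread's debug output and shortened.
SAMPLE_LOG = """\
(52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217
(52)   User-Name = "apple_lan_thatsme"
(52)   Service-Type = Framed-User
(52) Expecting proxy response no later than 29.667705 seconds from now
(53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199
(53)   User-Name = "apple_lan_thatsme"
(53)   EAP-Message = 0x0209005315800000004917
(53)   Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094
(53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38
(52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60
(52)   Tunnel-Type = VLAN
"""


@dataclass
class Request:
    number: int        # FreeRADIUS's per-request counter, the "(52)" prefix
    packet_id: int     # the RADIUS Identifier chosen by the NAS, "Id 53"
    client: str
    attrs: Dict[str, str] = field(default_factory=dict)
    response: Optional[str] = None       # e.g. "Access-Accept"
    response_id: Optional[int] = None


@dataclass
class Report:
    requests: Dict[int, Request] = field(default_factory=dict)
    wire_order: List[Tuple[str, str, int]] = field(default_factory=list)  # (direction, code, id)
    findings: List[str] = field(default_factory=list)


def eap_type(eap_message: str) -> Optional[int]:
    """Return the EAP Type byte (after Code, Id, Length) of a hex EAP-Message, or None."""
    try:
        data = bytes.fromhex(eap_message[2:] if eap_message.startswith("0x") else eap_message)
    except ValueError:
        return None
    return data[4] if len(data) >= 5 else None


def analyse(log: str) -> Report:
    report = Report()
    outstanding: Dict[str, List[int]] = {}  # client -> request numbers not yet answered
    for raw in log.splitlines():
        line = raw.strip()
        m = RECV_RE.match(line)
        if m:
            number, code, pid, client, _server = m.groups()
            number, pid = int(number), int(pid)
            report.requests[number] = Request(number, pid, client)
            report.wire_order.append(("recv", code, pid))
            pending = outstanding.setdefault(client, [])
            if pending:  # the NAS did not wait for its earlier request(s) to finish
                waiting = ", ".join(f"Id {report.requests[n].packet_id} (#{n})" for n in pending)
                report.findings.append(f"#{number}: {client} sent Id {pid} while still waiting on {waiting}")
            pending.append(number)
            continue
        m = SENT_RE.match(line)
        if m:
            number, code, pid, _server, client = m.groups()
            number, pid = int(number), int(pid)
            req = report.requests.get(number)
            if req is None:
                report.findings.append(f"#{number}: {code} Id {pid} has no matching request")
                continue
            req.response, req.response_id = code, pid
            report.wire_order.append(("sent", code, pid))
            if pid != req.packet_id:
                report.findings.append(f"#{number}: {code} Id {pid} does not match request Id {req.packet_id}")
            if number in outstanding.get(client, []):
                outstanding[client].remove(number)
            continue
        m = ATTR_RE.match(line)
        if m:
            number, name, value = m.groups()
            req = report.requests.get(int(number))
            if req is not None and req.response is None:  # request attributes only, not reply ones
                req.attrs[name] = value
    for req in report.requests.values():
        eap = req.attrs.get("EAP-Message")
        if eap and eap_type(eap) != EAP_TYPE_IDENTITY and "State" not in req.attrs:
            report.findings.append(f"#{req.number}: EAP continuation (Id {req.packet_id}) carries no State attribute")
    return report


def response_sequence(report: Report) -> List[Tuple[str, int]]:
    """Replies in the order they left the server, i.e. what the switch saw on the wire."""
    return [(code, pid) for direction, code, pid in report.wire_order if direction == "sent"]


if __name__ == "__main__":
    r = analyse(SAMPLE_LOG)
    for code, pid in response_sequence(r):
        print(f"sent {code} Id {pid}")
    for f in r.findings:
        print("finding:", f)
```

Run against real -X output, the wire-order listing shows that the Reject for Id 54 and the Accept for Id 53 belong to two different requests, and the findings point at the client behaviour rather than the server: the second request arrived while the first was still waiting on the proxy, and it carried an EAP-TTLS response with no State, which is why the eap module gave up on it.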