freeradius confuses switch
Christoph Egger
christoph_egger at gmx.de
Fri May 9 10:55:56 UTC 2025
On 09.05.25 at 12:33, Matthew Newton via Freeradius-Users wrote:
> On 09/05/2025 11:08, Christoph Egger wrote:
>> On 09.05.25 at 10:55, Matthew Newton via Freeradius-Users wrote:
>>> On 09/05/2025 08:56, Christoph Egger via Freeradius-Users wrote:
>>>> switch -> freeradius: access-request (1), id: 0x2d
>>>> freeradius -> switch: access-reject (3), id: 0x2d
>>>> freeradius -> switch: access-accept (2), id: 0x2c
>>>
>>> FreeRADIUS never sends a reject followed by an accept for the same request.
>>>
>>> As always, what does the full debug output show?
>>>
>
>
> > 11:02:59.537570 IP (tos 0x0, ttl 64, id 16391, offset 0, flags [DF],
> > proto UDP (17), length 227)
> > SG3206X-M2.example.com.46115 > 10.1.2.1.radius: RADIUS, length: 199
> > Access-Request (1), id: 0x36, Authenticator:
> > 1c90635e4f03a9b669a2402965fc8e41
> > User-Name Attribute (1), length: 19, Value: apple_lan_thatsme
>
> request ID 54 (0x36)
>
> > 11:03:00.540835 IP (tos 0x0, ttl 63, id 34812, offset 0, flags [DF],
> > proto UDP (17), length 66)
> > 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 38
> > Access-Reject (3), id: 0x36, Authenticator:
> > d657e1caadf330afa206db0ffe469c17
>
> response to request ID 54
>
>
> > 11:03:02.449220 IP (tos 0x0, ttl 63, id 35102, offset 0, flags [DF],
> > proto UDP (17), length 88)
> > 10.1.2.1.radius > SG3206X-M2.example.com.46115: RADIUS, length: 60
> > Access-Accept (2), id: 0x35, Authenticator:
> > dfd3f8ac0586d2551621d599d5a00839
>
> response to request ID 53 (0x35)
>
>
>
>
>>
>> Here it is the EAP-TTLS + PAP, after that the corresponding tcpdump:
>
> ...
>
>
> Request ID 53 (number 52), weird-looking request, maybe it's an odd form of MAC auth bypass?
MAB is disabled.
>
>> authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217
>> authentik-freeradius-1 | (52) User-Name = "apple_lan_thatsme"
>> authentik-freeradius-1 | (52) NAS-Identifier = "DC6279CF8CB4"
>> authentik-freeradius-1 | (52) Service-Type = Framed-User
>> authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
>> authentik-freeradius-1 | (52) authorize {
>> authentik-freeradius-1 | (52) } # policy filter_username = notfound
>> authentik-freeradius-1 | (52) [preprocess] = ok
>> authentik-freeradius-1 | (52) [chap] = noop
>> authentik-freeradius-1 | (52) [mschap] = noop
>> authentik-freeradius-1 | (52) [digest] = noop
>> authentik-freeradius-1 | (52) suffix: Checking for suffix after "@"
>> authentik-freeradius-1 | (52) # Executing section authorize from file /opt/etc/raddb/sites-enabled/proxy-inner-tunnel
>> authentik-freeradius-1 | (52) authorize {
>> authentik-freeradius-1 | (52) eap: No EAP-Message, not doing EAP
>> authentik-freeradius-1 | (52) Expecting proxy response no later than 29.667705 seconds from now
>
> waiting for proxy
>
>
> ...
>
>
> request ID 53 (number 53), EAP...
>
>> authentik-freeradius-1 | (53) Received Access-Request Id 54 from 172.16.1.1:49514 to 172.16.1.2:1812 length 199
>> authentik-freeradius-1 | (53) User-Name = "apple_lan_thatsme"
>> authentik-freeradius-1 | (53) EAP-Message = 0x020900531580000000491703030044f5828f0161eb61316a55dc0318f1460b3b7334667f0071641ae2e702ff03769d06cb5b770a0b91a2406baea074cc3469f3bb06a9b829d90524f48ca3d56d8dc94c46827d
>> authentik-freeradius-1 | (53) NAS-IP-Address = 10.0.0.3
>> authentik-freeradius-1 | (53) NAS-Port = 3
>> authentik-freeradius-1 | (53) NAS-Identifier = "DC6279CF8CB4"
>> authentik-freeradius-1 | (53) Service-Type = Framed-User
>> authentik-freeradius-1 | (53) Calling-Station-Id = "00-E0-4C-68-20-7E"
>> authentik-freeradius-1 | (53) NAS-Port-Type = Ethernet
>> authentik-freeradius-1 | (53) Message-Authenticator = 0xfdd12d739d02d46620b603b2b5201094
>> authentik-freeradius-1 | (53) # Executing section authorize from file /opt/etc/raddb/sites-enabled/default
>> authentik-freeradius-1 | (53) authorize {
>> authentik-freeradius-1 | (53) policy filter_username {
>> authentik-freeradius-1 | (53) if (&User-Name) {
>> authentik-freeradius-1 | (53) if (&User-Name) -> TRUE
>> authentik-freeradius-1 | (53) if (&User-Name) {
>> authentik-freeradius-1 | (53) if (&User-Name =~ / /) {
>> authentik-freeradius-1 | (53) if (&User-Name =~ / /) -> FALSE
>> authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) {
>> authentik-freeradius-1 | (53) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
>> authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) {
>> authentik-freeradius-1 | (53) if (&User-Name =~ /\.\./ ) -> FALSE
>> authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
>> authentik-freeradius-1 | (53) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) -> FALSE
>> authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) {
>> authentik-freeradius-1 | (53) if (&User-Name =~ /\.$/) -> FALSE
>> authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) {
>> authentik-freeradius-1 | (53) if (&User-Name =~ /@\./) -> FALSE
>> authentik-freeradius-1 | (53) } # if (&User-Name) = notfound
>> authentik-freeradius-1 | (53) } # policy filter_username = notfound
>> authentik-freeradius-1 | (53) [preprocess] = ok
>> authentik-freeradius-1 | (53) [chap] = noop
>> authentik-freeradius-1 | (53) [mschap] = noop
>> authentik-freeradius-1 | (53) [digest] = noop
>> authentik-freeradius-1 | (53) suffix: Checking for suffix after "@"
>> authentik-freeradius-1 | (53) suffix: No '@' in User-Name = "apple_lan_thatsme", looking up realm NULL
>> authentik-freeradius-1 | (53) suffix: No such realm "NULL"
>> authentik-freeradius-1 | (53) eap: Continuing tunnel setup
>> authentik-freeradius-1 | (53) [eap] = ok
>> authentik-freeradius-1 | (53) } # authorize = ok
>> authentik-freeradius-1 | (53) Found Auth-Type = eap
>> authentik-freeradius-1 | (53) # Executing group from file /opt/etc/raddb/sites-enabled/default
>> authentik-freeradius-1 | (53) authenticate {
>> authentik-freeradius-1 | (53) eap: ERROR: EAP requires the State attribute to work, but no State exists in the Access-Request packet.
>> authentik-freeradius-1 | (53) eap: ERROR: The RADIUS client is broken. No amount of changing FreeRADIUS will fix the RADIUS client.
>> authentik-freeradius-1 | (53) eap: Either EAP-request timed out OR EAP-response to an unknown EAP-request
>
> ...but it's a broken client, FreeRADIUS gives up.
The client is a MacBook (Sonoma) configured to use EAP-TTLS+PAP only.
Without any configuration it does EAP-TLS.
>> authentik-freeradius-1 | Waking up in 0.6 seconds.
>> authentik-freeradius-1 | (53) Sending delayed response
>> authentik-freeradius-1 | (53) Sent Access-Reject Id 54 from 172.16.1.2:1812 to 172.16.1.1:49514 length 38
>> authentik-freeradius-1 | Waking up in 3.9 seconds.
>> authentik-freeradius-1 |
>
>
>
> Cleaning up the previous auth after response from proxy server:
>
>
>> (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> authentik-freeradius-1 | (52) BlastRADIUS check: Received packet without Message-Authenticator from home_server authentik_radius_outpost
>> authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> authentik-freeradius-1 | (52) The packet does not contain Message-Authenticator, which is a security issue
>> authentik-freeradius-1 | (52) Once the home server is upgraded, set "require_message_authenticator = true" for home_server authentik_radius_outpost
>> authentik-freeradius-1 | (52) !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>> authentik-freeradius-1 | (52) Clearing existing &reply: attributes
>> authentik-freeradius-1 | (52) Found Auth-Type = eap
>> authentik-freeradius-1 | (52) Found Auth-Type = Accept
>> authentik-freeradius-1 | (52) ERROR: Warning: Found 2 auth-types on request for user 'apple_lan_thatsme'
>> authentik-freeradius-1 | (52) Auth-Type = Accept, accepting the user
>> authentik-freeradius-1 | (52) # Executing section post-auth from file /opt/etc/raddb/sites-enabled/default
> ...
>
>> authentik-freeradius-1 | (52) } # post-auth = updated
>> authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60
>> authentik-freeradius-1 | (52) Framed-MTU += 994
>> authentik-freeradius-1 | (52) Tunnel-Type = VLAN
>> authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802
>> authentik-freeradius-1 | (52) Finished request
>
>
> Looks like your NAS is broken, sending invalid requests, ...
>
I don't know why docker-compose logs does not show everything at the end.
The last part here again:
authentik-freeradius-1 | (52) } # post-auth = updated
authentik-freeradius-1 | (52) Sent Access-Accept Id 53 from 172.16.1.2:1812 to 172.16.1.1:49514 length 60
authentik-freeradius-1 | (52) Framed-MTU += 994
authentik-freeradius-1 | (52) Tunnel-Type = VLAN
authentik-freeradius-1 | (52) Tunnel-Medium-Type = IEEE-802
authentik-freeradius-1 | (52) Tunnel-Private-Group-Id = "11"
authentik-freeradius-1 | (52) Finished request
authentik-freeradius-1 | Waking up in 2.0 seconds.
authentik-freeradius-1 | (53) Cleaning up request packet ID 54 with timestamp +11392 due to cleanup_delay was reached
authentik-freeradius-1 | Waking up in 2.9 seconds.
authentik-freeradius-1 | (52) Cleaning up request packet ID 53 with timestamp +11387 due to cleanup_delay was reached
authentik-freeradius-1 | Ready to process requests
> ... or not waiting for the first one to finish before sending another.
I suppose that is the case.
How can I tell freeradius to wait for the first one?
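The packet-Id bookkeeping Matthew walks through above (Access-Reject for Id 54, then Access-Accept for Id 53) and the two server complaints in the debug output (an Access-Request carrying EAP-Message but no State; replies without Message-Authenticator, the BlastRADIUS check) can be checked mechanically from a capture. The following Python is an added example, not code from the thread, from FreeRADIUS or from authentik: it builds a constructed exchange in the same order as the thread, pairs each response with its request by Id, verifies the Response Authenticator (RFC 2865) and Message-Authenticator (RFC 2869), and reports those findings. The shared secret, Request Authenticators, EAP payload and Reply-Message are placeholders.

```python
"""Added example: decode a RADIUS exchange, pair responses with requests by Id,
verify authenticators, and flag EAP-Message-without-State and missing
Message-Authenticator. Packets and secret are constructed, not captured."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
USER_NAME, REPLY_MESSAGE, STATE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 1, 18, 24, 79, 80
SECRET = b"placeholder-shared-secret"  # constructed placeholder, not a real secret


def build_packet(code, pid, authenticator, attrs):
    """Serialize Code, Id, Length, Authenticator and TLV attributes (RFC 2865 section 3)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, pid, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Decode a packet into a dict, rejecting length and attribute inconsistencies."""
    code, pid, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("Length field does not match packet size")
    attrs, off = [], 20
    while off < length:
        if off + 2 > length or data[off + 1] < 2 or off + data[off + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((data[off], data[off + 2:off + data[off + 1]]))
        off += data[off + 1]
    return {"code": code, "id": pid, "authenticator": data[4:20], "attrs": attrs}


def response_authenticator(resp, request_auth, secret):
    """RFC 2865: MD5(Code + Id + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(build_packet(resp["code"], resp["id"], request_auth, resp["attrs"]) + secret).digest()


def message_authenticator(code, pid, auth, attrs, secret):
    """RFC 2869 section 5.14: HMAC-MD5 over the packet with the attribute value zeroed."""
    zeroed = [(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, pid, auth, zeroed), hashlib.md5).digest()


def make_request(pid, auth, attrs, secret, sign=True):
    """Build an Access-Request, with a valid Message-Authenticator when sign is True."""
    if sign:
        attrs = attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))]
        attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(1, pid, auth, attrs, secret))
    return build_packet(1, pid, auth, attrs)


def make_response(code, pid, request_auth, attrs, secret):
    """Build a reply with a correct Response Authenticator but, like the thread's replies, no Message-Authenticator."""
    raw = build_packet(code, pid, request_auth, attrs)
    return raw[:4] + hashlib.md5(raw + secret).digest() + raw[20:]


def analyze(packets, secret):
    """packets: (direction, bytes) pairs in wire order, direction 'nas' or 'server'. Returns (findings, unanswered ids)."""
    pending, findings = {}, []
    for direction, raw in packets:
        pkt = parse_packet(raw)
        types = {t for t, _ in pkt["attrs"]}
        pid, name = pkt["id"], CODES.get(pkt["code"], str(pkt["code"]))
        if direction == "nas":
            if pending:  # legal in RADIUS, but this is the overlap seen in the thread
                findings.append(f"id {pid}: new request while {sorted(pending)} still outstanding")
            if EAP_MESSAGE in types and STATE not in types:
                findings.append(f"id {pid}: EAP-Message without State, not part of any EAP session")
            if MESSAGE_AUTHENTICATOR in types:
                mac = message_authenticator(1, pid, pkt["authenticator"], pkt["attrs"], secret)
                if not hmac.compare_digest(mac, dict(pkt["attrs"])[MESSAGE_AUTHENTICATOR]):
                    findings.append(f"id {pid}: bad Message-Authenticator")
            elif EAP_MESSAGE in types:
                findings.append(f"id {pid}: EAP-Message without Message-Authenticator")
            pending[pid] = pkt
        else:
            req = pending.pop(pid, None)
            if req is None:
                findings.append(f"id {pid}: {name} with no outstanding request")
                continue
            expected = response_authenticator(pkt, req["authenticator"], secret)
            if not hmac.compare_digest(expected, pkt["authenticator"]):
                findings.append(f"id {pid}: {name} has a bad Response Authenticator")
            if MESSAGE_AUTHENTICATOR not in types:
                findings.append(f"id {pid}: {name} without Message-Authenticator (BlastRADIUS check)")
    return findings, sorted(pending)


def sample_exchange(secret=SECRET):
    """Constructed packets in the thread's order: request 53 (no EAP), request 54 (EAP, no State), Reject 54, Accept 53."""
    auth53, auth54 = bytes(range(16)), bytes(range(16, 32))  # constructed Request Authenticators
    user = (USER_NAME, b"apple_lan_thatsme")
    eap = (EAP_MESSAGE, b"\x02\x01\x00\x06\x01x")  # constructed EAP Identity response
    return [
        ("nas", make_request(53, auth53, [user], secret, sign=False)),
        ("nas", make_request(54, auth54, [user, eap], secret)),
        ("server", make_response(3, 54, auth54, [], secret)),
        ("server", make_response(2, 53, auth53, [(REPLY_MESSAGE, b"VLAN 11")], secret)),
    ]


if __name__ == "__main__":
    print(*analyze(sample_exchange(), SECRET)[0], sep="\n")
```

On the constructed exchange this reports four findings: request 54 arriving while 53 is still unanswered, request 54 carrying EAP-Message without State, and both replies lacking Message-Authenticator. RFC 2865 pairs a reply with its request by Identifier, so several outstanding requests from one NAS are legal and the first finding is informational; the State and Message-Authenticator findings are the ones that explain the reject and the BlastRADIUS warning in the debug output. To run it over a real capture, feed `analyze` the UDP payloads in arrival order with the real shared secret.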