802.1x / EAP Assistance


802.1x / EAP Assistance

J Kephart
Good morning!

We are attempting to implement 802.1x/EAP for the first time, and we're
having some trouble diagnosing what's going on in the various stages of
the communications between the NAS and FR.  We don't have any experience
with it, so it's rather confusing.

We're using FR 2.2.8, with the test certs provided.  We can see that
there is communication, but all attempts to authenticate a device are
failing.  I've included what I believe to be the relevant portion of the
debug output, and I do see several error conditions. The first says that
the realm LOCAL is not defined, but in looking at the config, it looks
as though it is.  There's also a report that there's a missing
Cleartext-Password, but that is also defined in the database, so we're
at a loss as to the cause of the failure.

If someone can point us in the right direction, I'd truly appreciate it!

rad_recv: Access-Request packet from host 146.115.19.180 port 50987,
id=97, length=394
     Acct-Session-Id = "5DB9E1F5-76DF7502"
     User-Name = "jerry"
     NAS-IP-Address = 192.168.185.30
     NAS-Identifier = "90-3A-72-15-25-1D"
     NAS-Port = 1
     Called-Station-Id = "90-3A-72-15-25-1D:CVGNE_W1"
     Calling-Station-Id = "D4-53-83-F3-C0-17"
     Service-Type = Framed-User
     Chargeable-User-Identity = ""
     NAS-Port-Type = Wireless-802.11
     Connect-Info = "CONNECT 802.11a/n/ac"
     EAP-Message =
0x0208005f1900170303005400000000000000022f4cd34458205cfb0d339d2a9f6dda68b5f7a4ffbd985bbfb9ef4094114e5a1856df8479ea3c4ddc7f293487a00396643c97c4b24f51d67a7c7cc34e9bbbc1c156adc07977d4e095d6fddaa5
     State = 0x957bdc849273c5bfd96a2d7f79095e2d
     Ruckus-SSID = "CVGNE_W1"
     Ruckus-Attr-14 = 0x903a7215251d
     Ruckus-Attr-9 = 0x000001c3
     Ruckus-SCG-CBlade-IP = 3232282885
     Ruckus-Attr-134 = 0x44656661756c74205a6f6e65
     Ruckus-Attr-135 = 0x4356474e455f5731
     Message-Authenticator = 0xad0239941dd1cf346629d1f1b23805b6
     Event-Timestamp = "Oct 30 2019 15:18:14 EDT"
     Proxy-State = 0x3636
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++update request {
sql_xlat
     expand:  select zone_migration_enabled from sites where
id='%{NAS-Identifier}' ->  select zone_migration_enabled from sites
where id='90-3A-72-15-25-1D'
rlm_sql (sql_instance2): Reserving sql socket id: 2
SQL query did not return any results
rlm_sql (sql_instance2): Released sql socket id: 2
     expand: %{sql_instance2: select zone_migration_enabled from sites
where id='%{NAS-Identifier}'} ->
     ... expanding second conditional
     expand: %{%{sql_instance2: select zone_migration_enabled from sites
where id='%{NAS-Identifier}'}:-0} -> 0
++} # update request = noop
++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ ||
"%{Called-Station-Id}" =~ /^20-4C-03-/  )&& Tmp-String-2 == '1')
     expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1
?? Evaluating ("%{Called-Station-Id}" =~ /^00-50-E8-/) -> FALSE
     expand: %{Called-Station-Id} -> 90-3A-72-15-25-1D:CVGNE_W1
?? Evaluating ("%{Called-Station-Id}" =~ /^20-4C-03-/) -> FALSE
? Skipping (Tmp-String-2 == '1')
++? if (("%{Called-Station-Id}" =~ /^00-50-E8-/ ||
"%{Called-Station-Id}" =~ /^20-4C-03-/  )&& Tmp-String-2 == '1') -> FALSE
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "jerry", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
[eap] EAP packet type response id 8 length 95
[eap] Continuing tunnel setup.
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state phase2
[peap] EAP type mschapv2
[peap] Got tunneled request
     EAP-Message =
0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279
server  {
[peap] Setting User-Name to jerry
Sending tunneled request
     EAP-Message =
0x020800401a0208003b31197eb5bbc69b47c5363805196ff71ff700000000000000008a49a9ade98c47831f6c39043311438b1a56945caec5a5f5006a65727279
     FreeRADIUS-Proxied-To = 127.0.0.1
     User-Name = "jerry"
     State = 0x2b16a6c52b1ebc1c6619c5138158b3f7
server inner-tunnel {
# Executing section authorize from file
/etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
[suffix] No '@' in User-Name = "jerry", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] = noop
++update control {
++} # update control = noop
[eap] EAP packet type response id 8 length 64
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist! 
Cancelling invalid proxy request.
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel
[mschapv2] +group MS-CHAP {
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Creating challenge hash with username: jerry
[mschap] Client is using MS-CHAPv2 for jerry, we need NT-Password
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] = reject
+} # group MS-CHAP = reject
[eap] Freeing handler
++[eap] = reject
+} # group authenticate = reject
Failed to authenticate the user.
     expand: %{NAS-IP-Address} ->
Login incorrect: [jerry/<via Auth-Type = EAP>] (from client Office port
0 via TLS tunnel)
Using Post-Auth-Type REJECT
# Executing group from file /etc/raddb/sites-enabled/inner-tunnel
+group REJECT {
[attr_filter.access_reject]     expand: %{User-Name} -> jerry
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] = updated
+} # group REJECT = updated
} # server inner-tunnel
[peap] Got tunneled reply code 3
     MS-CHAP-Error = "\010E=691 R=1"
     EAP-Message = 0x04080004
     Message-Authenticator = 0x00000000000000000000000000000000
[peap] Got tunneled reply RADIUS code Access-Reject
     MS-CHAP-Error = "\010E=691 R=1"
     EAP-Message = 0x04080004
     Message-Authenticator = 0x00000000000000000000000000000000
[peap] Tunneled authentication was rejected.
[peap] FAILURE
++[eap] = handled
+} # group authenticate = handled
Sending Access-Challenge of id 97 to 146.115.19.180 port 50987
     EAP-Message =
0x0109002e1900170303002334c44a5ec04ae1317ed894226db68ba139a09ceb0517c705c20507823d7bb4bc4a05c6
     Message-Authenticator = 0x00000000000000000000000000000000
     State = 0x957bdc849d72c5bfd96a2d7f79095e2d
     Proxy-State = 0x3636
Finished request 214.

Many thanks!
-- Jim
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x / EAP Assistance

Matthew Newton-3
On Thu, 2019-10-31 at 09:29 -0400, J Kephart wrote:
> We are attempting to implement 802.1x/EAP for the first time, and
> we're having some trouble diagnosing what's going on in the various
> stages of the communications between the NAS and FR.  We don't have
> any experience with it, so it's rather confusing.

Yeah, everyone starts somewhere. It's a lot to take in.


> We're using FR 2.2.8, with the test certs provided.

Why?

v2 is obsolete and end of life. Use v3.0.19, or at least a recent v3
release.


> The first says that the realm LOCAL is not defined, but in looking at
> the config, it looks as though it is.

You can ignore that.


> There's also a report that there's a missing
> Cleartext-Password, but that is also defined in the database, so
> we're at a loss as to the cause of the failure.

It's in the database, but you've not told freeradius to look in the
database to pull it out.

Looking at the debug output, you need to add a call to "sql" in the
inner tunnel. At least, start there.

--
Matthew


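Added example, not code from the thread or from the FreeRADIUS project: a small Python triage script that reads a `radiusd -X` trace like the one in the first post and checks the point Matthew makes above, namely whether any password-capable module in the inner tunnel's authorize section returned data before mschap ran. In the posted trace the inner-tunnel authorize chain is chap, mschap, suffix, eap, files, expiration, logintime, pap; `files` returned noop and no sql call appears at all, while the outer server's xlat used an SQL instance named `sql_instance2`. The sample text below is copied (and trimmed) from the posted debug output; the set of password-capable module names is this example's assumption.

```python
"""Triage a PEAP/MS-CHAPv2 reject from `radiusd -X` output.

Added example, not code from the thread or from the FreeRADIUS project.
It walks the module-call trace radiusd -X prints and checks whether any
password-capable module in the inner tunnel's authorize section returned
data before mschap ran.  PASSWORD_SOURCES is this example's assumption.
"""
import re
from dataclasses import dataclass, field

# Modules that can set Cleartext-Password / NT-Password in authorize
# (assumption: the usual suspects; extend for your own deployment).
PASSWORD_SOURCES = {"sql", "files", "ldap", "passwd", "unix"}

MODULE_RE = re.compile(r"^\+{2}\[([\w.-]+)\]\s*=\s*(\w+)$")        # ++[files] = noop
SECTION_RE = re.compile(r"^# Executing section (\w+) from file")    # authorize / preacct ...
GROUP_CLOSE_RE = re.compile(r"^\+\}\s*# group (\w+)")                # +} # group authorize = ok
SERVER_OPEN_RE = re.compile(r"^server\s+([\w-]+)\s*\{")              # server inner-tunnel {
SERVER_CLOSE_RE = re.compile(r"^\}\s*# server\s+([\w-]+)")           # } # server inner-tunnel
XLAT_INSTANCE_RE = re.compile(r"%\{([\w-]*sql[\w-]*):")              # %{sql_instance2: select ...}
NO_PASSWORD_RE = re.compile(r"^\[mschap\] FAILED: No NT/LM-Password")

# Constructed sample: lines copied, then trimmed, from the debug output posted in the thread.
SAMPLE_DEBUG = """\
# Executing section authorize from file /etc/raddb/sites-enabled/default
+group authorize {
++[preprocess] = ok
++update request {
     expand: %{sql_instance2: select zone_migration_enabled from sites where id='%{NAS-Identifier}'} ->
++} # update request = noop
++[chap] = noop
++[mschap] = noop
++[suffix] = noop
++[eap] = ok
+} # group authorize = ok
Found Auth-Type = EAP
server inner-tunnel {
# Executing section authorize from file /etc/raddb/sites-enabled/inner-tunnel
+group authorize {
++[chap] = noop
++[mschap] = noop
++[suffix] = noop
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++[pap] = noop
+} # group authorize = updated
WARNING: You set Proxy-To-Realm = LOCAL, but the realm does not exist!
Found Auth-Type = EAP
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] FAILED: No NT/LM-Password.  Cannot perform authentication.
++[mschap] = reject
} # server inner-tunnel
"""


@dataclass
class Trace:
    authorize_calls: dict = field(default_factory=dict)  # server -> [(module, rcode)]
    sql_instances: set = field(default_factory=set)       # instance names seen in %{...:} xlats
    mschap_no_password: bool = False

    def password_sources(self, server):
        """(module, rcode) pairs for password-capable modules run in `server`'s authorize."""
        return [(m, r) for m, r in self.authorize_calls.get(server, [])
                if m.split(".")[0] in PASSWORD_SOURCES]


def parse_debug(text):
    """Walk the trace, tracking which virtual server and section each module call belongs to."""
    t, server, section = Trace(), "default", None
    for raw in text.splitlines():
        line = raw.rstrip()
        if m := SERVER_OPEN_RE.match(line):
            server, section = m.group(1), None
        elif SERVER_CLOSE_RE.match(line):
            server, section = "default", None
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif GROUP_CLOSE_RE.match(line):
            section = None
        elif section == "authorize" and (m := MODULE_RE.match(line)):
            t.authorize_calls.setdefault(server, []).append((m.group(1), m.group(2)))
        elif NO_PASSWORD_RE.match(line):
            t.mschap_no_password = True
        if m := XLAT_INSTANCE_RE.search(line):
            t.sql_instances.add(m.group(1))
    return t


def explain(t, inner="inner-tunnel"):
    """One-line verdict, or None when the trace does not show the no-password failure."""
    if not t.mschap_no_password:
        return None
    calls = t.password_sources(inner)
    if any(r in ("ok", "updated") for _, r in calls):
        return None  # something did supply a password; the problem is elsewhere
    called = ", ".join(f"{m} ({r})" for m, r in calls) or "none"
    inner_modules = {m for m, _ in t.authorize_calls.get(inner, [])}
    missing = sorted(i for i in t.sql_instances if i not in inner_modules)
    hint = f"; SQL instance(s) used elsewhere but never called in {inner}: {', '.join(missing)}" if missing else ""
    return (f"mschap in {inner} had no NT/LM-Password because nothing in its authorize "
            f"section supplied one (password-capable modules called: {called}{hint})")


if __name__ == "__main__":
    print(explain(parse_debug(SAMPLE_DEBUG)))
```

Run it against a full `radiusd -X` capture of one failing login; if the verdict names an SQL instance that the inner tunnel never calls, that is the module to add to `sites-enabled/inner-tunnel`, under whatever name it is actually defined with.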

Re: 802.1x / EAP Assistance

J Kephart

> It's in the database, but you've not told freeradius to look in the
> database to pull it out.
>
> Looking at the debug output, you need to add a call to "sql" in the
> inner tunnel. At least, start there.
>
>

I've uncommented the line in the inner-tunnel configuration where it
says to look in the sql database for the user.  The result is that we
get a new error when starting 'radiusd -X':

/etc/raddb/sites-enabled/inner-tunnel[132]: Failed to find "sql" in the
"modules" section.

What am I missing here?

Thanks, again, Matthew!

-- Jim

Re: 802.1x / EAP Assistance

Alan DeKok-2
On Oct 31, 2019, at 11:24 AM, J Kephart <[hidden email]> wrote:
>
> I've uncommented the line in the inner-tunnel configuration where it says to look in the sql database for the user.  The result is that we get a new error when starting 'radiusd -X':
>
> /etc/raddb/sites-enabled/inner-tunnel[132]: Failed to find "sql" in the "modules" section.
>
> What am I missing here?

  Are you using SQL?  If not, why uncomment the "sql" module?

  Which database are you using?  I don't think you've said.

  If you are using SQL, then clearly you've renamed the default SQL module.  So what was it renamed to?

  If you aren't using SQL, then you need to configure the inner tunnel with *that* database.  You seem to have configured the outer tunnel with a database.  So why not configure the inner tunnel with that same database?
 
  This shouldn't be difficult.  Take a careful step-by-step approach, and *understand* what you're doing.  Blindly doing random things isn't helpful.

  Alan DeKok.


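Added example, not from the thread or from FreeRADIUS: the "Failed to find "sql" in the "modules" section" error means the virtual server names a module instance that nothing defines. In the 2.x layout the SQL instances are declared in sql.conf (which radiusd.conf has to $INCLUDE inside its modules section), and a declaration of the form `sql sql_instance2 { ... }` defines an instance called sql_instance2, not sql; the first post's debug output shows the outer server using exactly that name, and whether a plain `sql` instance also exists is not visible in the thread. The Python below cross-checks a virtual-server file against module definitions with a deliberately simplified parser; all config text is constructed for this example and the file names are assumptions.

```python
"""Cross-check module references in a FreeRADIUS virtual server against
the module instances that are actually defined.

Added example, not from the thread or from FreeRADIUS.  The parser is a
deliberate simplification of the config/unlang syntax, enough to show why a
bare `sql` in sites-enabled/inner-tunnel fails when the only SQL instance
is declared as `sql sql_instance2 { ... }`.  All config text is constructed.
"""
import re

UNLANG_KEYWORDS = {"if", "else", "elsif", "update", "switch", "case", "group",
                   "redundant", "load-balance", "redundant-load-balance", "policy"}
RCODES = {"ok", "fail", "noop", "reject", "handled", "invalid", "userlock", "notfound", "updated"}
SECTIONS = {"authorize", "authenticate", "preacct", "accounting", "post-auth",
            "session", "pre-proxy", "post-proxy"}
NOT_MODULES = UNLANG_KEYWORDS | RCODES | SECTIONS | {"server", "Auth-Type"}


def _strip(raw):
    return raw.split("#", 1)[0].strip()          # drop comments and surrounding whitespace


def defined_instances(module_conf):
    """Instance names declared at top level: 'sql {' -> sql, 'sql sql_instance2 {' -> sql_instance2."""
    names, depth = set(), 0
    for raw in module_conf.splitlines():
        line = _strip(raw)
        if not line:
            continue
        m = re.match(r"^([\w-]+)(?:\s+([\w-]+))?\s*\{", line)
        if depth == 0 and m:
            names.add(m.group(2) or m.group(1))  # second word, if any, is the instance name
        depth += line.count("{") - line.count("}")
    return names


def _enclosing_section(stack):
    return next((s for s in stack if s in SECTIONS), None)


def referenced_modules(virtual_server):
    """Map section -> module instances called in it (bare name or 'name { ... }' form)."""
    refs, stack = {}, []
    for raw in virtual_server.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if line.startswith("}"):                     # '}' or '} else {'
            if stack:
                stack.pop()
            if line.endswith("{"):
                stack.append("else")
            continue
        m = re.match(r"^([\w-]+)(?:\s+.*)?\{$", line)  # a line that opens a block
        if m:
            word = m.group(1)
            if word not in NOT_MODULES and _enclosing_section(stack):
                refs.setdefault(_enclosing_section(stack), []).append(word)
            stack.append(word)
            continue
        if "=" in line or not re.fullmatch(r"-?[\w.-]+", line):
            continue                                 # attribute assignment or other unlang
        name = line.lstrip("-").split(".")[0]        # '-sql' / 'sql.authorize' -> sql
        section = _enclosing_section(stack)
        if name not in NOT_MODULES and section:
            refs.setdefault(section, []).append(name)
    return refs


def undefined_references(virtual_server, *module_confs):
    """Section -> sorted module names no module file defines (empty dict when clean)."""
    defined = set().union(*(defined_instances(c) for c in module_confs))
    return {sec: sorted({m for m in mods if m not in defined})
            for sec, mods in referenced_modules(virtual_server).items()
            if any(m not in defined for m in mods)}


# Constructed stand-ins for /etc/raddb/modules/* and sql.conf (assumptions, not the real files).
MODULES_CONF = """\
chap { authtype = CHAP }
mschap { use_mppe = yes }
realm suffix { format = suffix  delimiter = "@" }
eap {
    default_eap_type = peap
    peap { default_eap_type = mschapv2 }
}
files { usersfile = ${confdir}/users }
pap { }
"""
SQL_CONF = """\
sql sql_instance2 {            # the only SQL instance is named sql_instance2, not sql
    driver = "rlm_sql_mysql"
    pool { start = 5 }
}
"""
# Constructed inner-tunnel with the bare 'sql' line uncommented, as described in the thread.
INNER_TUNNEL = """\
server inner-tunnel {
authorize {
    chap
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }
    files
    sql
    pap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
}
"""
INNER_TUNNEL_FIXED = INNER_TUNNEL.replace("\n    sql\n", "\n    sql_instance2\n")

if __name__ == "__main__":
    print(undefined_references(INNER_TUNNEL, MODULES_CONF, SQL_CONF))        # {'authorize': ['sql']}
    print(undefined_references(INNER_TUNNEL_FIXED, MODULES_CONF, SQL_CONF))  # {}
```

To use it on a live server, read sites-enabled/inner-tunnel, every file under modules/, and sql.conf into strings and pass them in; unlang the toy parser does not understand (multi-line conditions, policies pulled in from policy.conf) will show up as false positives, so treat its output as a list of things to go and look at in the files, not as a verdict.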

Re: 802.1x / EAP Assistance

Matthew Newton-3
In reply to this post by J Kephart
On Thu, 2019-10-31 at 11:24 -0400, J Kephart wrote:
> /etc/raddb/sites-enabled/inner-tunnel[132]: Failed to find "sql" in
> the "modules" section.
>
> What am I missing here?

Have you configured the sql module to point at the database that has
your users in it?

At least, you just said that Cleartext-Password is defined in the
database, so I assume it's in an SQL database?

--
Matthew



Re: 802.1x / EAP Assistance

J Kephart
In reply to this post by Alan DeKok-2

>    Are you using SQL?  If not, why uncomment the "sql" module?
>
>    Which database are you using?  I don't think you've said.
>
>    If you are using SQL, then clearly you've renamed the default SQL module.  So what was it renamed to?
>
>    If you aren't using SQL, then you need to configure the inner tunnel with *that* database.  You seem to have configured the outer tunnel with a database.  So why not configure the inner tunnel with that same database?

Yes, we are using an SQL database (MySQL), and no, we have not renamed
the module.

>
>    This shouldn't be difficult.  Take a careful step-by-step approach, and *understand* what you're doing.  Blindly doing random things isn't helpful.

We're not trying to do things blindly, but it seems that, as in the
"default" section, this should have been as simple as simply
uncommenting the "sql" line.  As we've never used the inner-tunnel
feature, if there is something else that needs to be done, we're not
aware of it, and we haven't seen anything special in the docs.  We *are*
trying to be very careful and methodical, and this is the only change
we've made to the server's configuration.

Jim

Re: 802.1x / EAP Assistance

Alan DeKok-2
On Oct 31, 2019, at 11:42 AM, J Kephart <[hidden email]> wrote:
> Yes, we are using an SQL database (MySQL), and no, we have not renamed the module.

  Then it should find "sql" in the "modules" section.

  So don't just post "it's fine".  FIND OUT why it's broken.  You have the files on disk in your local system.  LOOK there.  It's not hard.  READ them.

  Or, post the FULL DEBUG OUTPUT so that we can read it.  This is suggested in the FAQ, web pages, "man" pages, and daily on this list.

>>   This shouldn't be difficult.  Take a careful step-by-step approach, and *understand* what you're doing.  Blindly doing random things isn't helpful.
>
> We're not trying to do things blindly, but it seems that, as in the "default" section, this should have been as simple as simply uncommenting the "sql" line.  As we've never used the inner-tunnel feature, if there is something else that needs to be done, we're not aware of it, and we haven't seen anything special in the docs.  We *are* trying to be very careful and methodical, and this is the only change we've made to the server's configuration.

  It's important for you to *understand* the system you're administering.  This means taking a look at it yourself, instead of just posting things to the list going "I did what you said and it didn't work.  What next?"

  Well, what's next is for you to do some IT system administration and root thru the config files and read the debug output.

  Alan DeKok.

