Connection Failure with PEAP0/1 with MSCHAPv2

Connection Failure with PEAP0/1 with MSCHAPv2

Ammann, Lukas
I run a FreeRADIUS server on Ubuntu (self-signed certificates) with PEAP0/1 and MSCHAPv2.

On the device side I use:
- Windows 10
- Ubuntu
- Android
- Embedded Device

If I disable certificate validation on Win, Ubuntu and Android, the devices connect successfully.

The embedded device (TI CC3100MOD) however, also has disabled certification validation, but is unable to connect to the server.

I post the debug log output from FreeRADIUS below; can someone explain where it goes wrong based on the log info?

(52) Received Access-Request Id 246 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163

(52)   User-Name = "test01"
(52)   NAS-IP-Address = 192.168.1.20
(52)   NAS-Port = 0
(52)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(52)   Calling-Station-Id = "78-04-73-D4-B4-24"
(52)   Framed-MTU = 1400
(52)   NAS-Port-Type = Wireless-802.11
(52)   Connect-Info = "CONNECT 0Mbps 802.11g"
(52)   EAP-Message = 0x0200000b01746573743031
(52)   Message-Authenticator = 0x4ceab2578c8f02a075a7f11f6320a748
(52) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(52)   authorize {
(52)     policy filter_username {
(52)       if (&User-Name) {
(52)       if (&User-Name)  -> TRUE
(52)       if (&User-Name)  {
(52)         if (&User-Name =~ / /) {
(52)         if (&User-Name =~ / /)  -> FALSE
(52)         if (&User-Name =~ /@[^@]*@/ ) {
(52)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(52)         if (&User-Name =~ /\.\./ ) {
(52)         if (&User-Name =~ /\.\./ )  -> FALSE
(52)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(52)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(52)         if (&User-Name =~ /\.$/)  {
(52)         if (&User-Name =~ /\.$/)   -> FALSE
(52)         if (&User-Name =~ /@\./)  {
(52)         if (&User-Name =~ /@\./)   -> FALSE
(52)       } # if (&User-Name)  = notfound
(52)     } # policy filter_username = notfound
(52)     [preprocess] = ok
(52)     [chap] = noop
(52)     [mschap] = noop
(52)     [digest] = noop
(52) suffix: Checking for suffix after "@"
(52) suffix: No '@' in User-Name = "test01", looking up realm NULL
(52) suffix: No such realm "NULL"
(52)     [suffix] = noop
(52) eap: Peer sent EAP Response (code 2) ID 0 length 11
(52) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(52)     [eap] = ok
(52)   } # authorize = ok
(52) Found Auth-Type = eap
(52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(52)   authenticate {
(52) eap: Peer sent packet with method EAP Identity (1)
(52) eap: Calling submodule eap_md5 to process data
(52) eap_md5: Issuing MD5 Challenge
(52) eap: Sending EAP Request (code 1) ID 1 length 22
(52) eap: EAP session adding &reply:State = 0x633491436335957d
(52)     [eap] = handled
(52)   } # authenticate = handled
(52) Using Post-Auth-Type Challenge
(52) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(52)   Challenge { ... } # empty sub-section is ignored
(52) Sent Access-Challenge Id 246 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(52)   EAP-Message = 0x010100160410ba5f459eda3617acd2e624d807a8723c
(52)   Message-Authenticator = 0x00000000000000000000000000000000
(52)   State = 0x633491436335957dbc3411b176659974
(52) Finished request
Waking up in 4.9 seconds.
(53) Received Access-Request Id 247 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(53)   User-Name = "test01"
(53)   NAS-IP-Address = 192.168.1.20
(53)   NAS-Port = 0
(53)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(53)   Calling-Station-Id = "78-04-73-D4-B4-24"
(53)   Framed-MTU = 1400
(53)   NAS-Port-Type = Wireless-802.11
(53)   Connect-Info = "CONNECT 0Mbps 802.11g"
(53)   EAP-Message = 0x020100060319
(53)   State = 0x633491436335957dbc3411b176659974
(53)   Message-Authenticator = 0x9cfee8f9a78b498db004da9449e91e98
(53) session-state: No cached attributes
(53) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(53)   authorize {
(53)     policy filter_username {
(53)       if (&User-Name) {
(53)       if (&User-Name)  -> TRUE
(53)       if (&User-Name)  {
(53)         if (&User-Name =~ / /) {
(53)         if (&User-Name =~ / /)  -> FALSE
(53)         if (&User-Name =~ /@[^@]*@/ ) {
(53)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(53)         if (&User-Name =~ /\.\./ ) {
(53)         if (&User-Name =~ /\.\./ )  -> FALSE
(53)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(53)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(53)         if (&User-Name =~ /\.$/)  {
(53)         if (&User-Name =~ /\.$/)   -> FALSE
(53)         if (&User-Name =~ /@\./)  {
(53)         if (&User-Name =~ /@\./)   -> FALSE
(53)       } # if (&User-Name)  = notfound
(53)     } # policy filter_username = notfound
(53)     [preprocess] = ok
(53)     [chap] = noop
(53)     [mschap] = noop
(53)     [digest] = noop
(53) suffix: Checking for suffix after "@"
(53) suffix: No '@' in User-Name = "test01", looking up realm NULL
(53) suffix: No such realm "NULL"
(53)     [suffix] = noop
(53) eap: Peer sent EAP Response (code 2) ID 1 length 6
(53) eap: No EAP Start, assuming it's an on-going EAP conversation
(53)     [eap] = updated
(53) files: users: Matched entry test01 at line 1
(53)     [files] = ok
(53)     [expiration] = noop
(53)     [logintime] = noop
(53) pap: WARNING: Auth-Type already set.  Not setting to PAP
(53)     [pap] = noop
(53)   } # authorize = updated
(53) Found Auth-Type = eap
(53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(53)   authenticate {
(53) eap: Expiring EAP session with state 0x633491436335957d
(53) eap: Finished EAP session with state 0x633491436335957d
(53) eap: Previous EAP request found for state 0x633491436335957d, released from the list
(53) eap: Peer sent packet with method EAP NAK (3)
(53) eap: Found mutually acceptable type PEAP (25)
(53) eap: Calling submodule eap_peap to process data
(53) eap_peap: Initiating new TLS session
(53) eap_peap: [eaptls start] = request
(53) eap: Sending EAP Request (code 1) ID 2 length 6
(53) eap: EAP session adding &reply:State = 0x633491436236887d
(53)     [eap] = handled
(53)   } # authenticate = handled
(53) Using Post-Auth-Type Challenge
(53) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(53)   Challenge { ... } # empty sub-section is ignored
(53) Sent Access-Challenge Id 247 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(53)   EAP-Message = 0x010200061920
(53)   Message-Authenticator = 0x00000000000000000000000000000000
(53)   State = 0x633491436236887dbc3411b176659974
(53) Finished request
Waking up in 4.9 seconds.
(54) Received Access-Request Id 248 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(54)   User-Name = "test01"
(54)   NAS-IP-Address = 192.168.1.20
(54)   NAS-Port = 0
(54)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(54)   Calling-Station-Id = "78-04-73-D4-B4-24"
(54)   Framed-MTU = 1400
(54)   NAS-Port-Type = Wireless-802.11
(54)   Connect-Info = "CONNECT 0Mbps 802.11g"
(54)   EAP-Message = 0x020200060300
(54)   State = 0x633491436236887dbc3411b176659974
(54)   Message-Authenticator = 0x90af88c3ea0d47d73d2b5e1764683fd8
(54) session-state: No cached attributes
(54) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(54)   authorize {
(54)     policy filter_username {
(54)       if (&User-Name) {
(54)       if (&User-Name)  -> TRUE
(54)       if (&User-Name)  {
(54)         if (&User-Name =~ / /) {
(54)         if (&User-Name =~ / /)  -> FALSE
(54)         if (&User-Name =~ /@[^@]*@/ ) {
(54)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(54)         if (&User-Name =~ /\.\./ ) {
(54)         if (&User-Name =~ /\.\./ )  -> FALSE
(54)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(54)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(54)         if (&User-Name =~ /\.$/)  {
(54)         if (&User-Name =~ /\.$/)   -> FALSE
(54)         if (&User-Name =~ /@\./)  {
(54)         if (&User-Name =~ /@\./)   -> FALSE
(54)       } # if (&User-Name)  = notfound
(54)     } # policy filter_username = notfound
(54)     [preprocess] = ok
(54)     [chap] = noop
(54)     [mschap] = noop
(54)     [digest] = noop
(54) suffix: Checking for suffix after "@"
(54) suffix: No '@' in User-Name = "test01", looking up realm NULL
(54) suffix: No such realm "NULL"
(54)     [suffix] = noop
(54) eap: Peer sent EAP Response (code 2) ID 2 length 6
(54) eap: No EAP Start, assuming it's an on-going EAP conversation
(54)     [eap] = updated
(54) files: users: Matched entry test01 at line 1
(54)     [files] = ok
(54)     [expiration] = noop
(54)     [logintime] = noop
(54) pap: WARNING: Auth-Type already set.  Not setting to PAP
(54)     [pap] = noop
(54)   } # authorize = updated
(54) Found Auth-Type = eap
(54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(54)   authenticate {
(54) eap: Expiring EAP session with state 0x633491436236887d
(54) eap: Finished EAP session with state 0x633491436236887d
(54) eap: Previous EAP request found for state 0x633491436236887d, released from the list
(54) eap: Peer sent packet with method EAP NAK (3)
(54) eap: Peer NAK'd indicating it is not willing to continue
(54) eap: Sending EAP Failure (code 4) ID 2 length 4
(54) eap: Failed in EAP select
(54)     [eap] = invalid
(54)   } # authenticate = invalid
(54) Failed to authenticate the user
(54) Using Post-Auth-Type Reject
(54) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(54)   Post-Auth-Type REJECT {
(54) attr_filter.access_reject: EXPAND %{User-Name}
(54) attr_filter.access_reject:    --> test01
(54) attr_filter.access_reject: Matched entry DEFAULT at line 11
(54)     [attr_filter.access_reject] = updated
(54)     [eap] = noop
(54)     policy remove_reply_message_if_eap {
(54)       if (&reply:EAP-Message && &reply:Reply-Message) {
(54)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(54)       else {
(54)         [noop] = noop
(54)       } # else = noop
(54)     } # policy remove_reply_message_if_eap = noop
(54)   } # Post-Auth-Type REJECT = updated
(54) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(54) Sending delayed response
(54) Sent Access-Reject Id 248 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
(54)   EAP-Message = 0x04020004
(54)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 3.9 seconds.
(55) Received Access-Request Id 249 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
(55)   User-Name = "test01"
(55)   NAS-IP-Address = 192.168.1.20
(55)   NAS-Port = 0
(55)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(55)   Calling-Station-Id = "78-04-73-D4-B4-24"
(55)   Framed-MTU = 1400
(55)   NAS-Port-Type = Wireless-802.11
(55)   Connect-Info = "CONNECT 0Mbps 802.11g"
(55)   EAP-Message = 0x0200000b01746573743031
(55)   Message-Authenticator = 0xef10fa68009844fdf7211b785d7c251b
(55) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(55)   authorize {
(55)     policy filter_username {
(55)       if (&User-Name) {
(55)       if (&User-Name)  -> TRUE
(55)       if (&User-Name)  {
(55)         if (&User-Name =~ / /) {
(55)         if (&User-Name =~ / /)  -> FALSE
(55)         if (&User-Name =~ /@[^@]*@/ ) {
(55)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(55)         if (&User-Name =~ /\.\./ ) {
(55)         if (&User-Name =~ /\.\./ )  -> FALSE
(55)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(55)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(55)         if (&User-Name =~ /\.$/)  {
(55)         if (&User-Name =~ /\.$/)   -> FALSE
(55)         if (&User-Name =~ /@\./)  {
(55)         if (&User-Name =~ /@\./)   -> FALSE
(55)       } # if (&User-Name)  = notfound
(55)     } # policy filter_username = notfound
(55)     [preprocess] = ok
(55)     [chap] = noop
(55)     [mschap] = noop
(55)     [digest] = noop
(55) suffix: Checking for suffix after "@"
(55) suffix: No '@' in User-Name = "test01", looking up realm NULL
(55) suffix: No such realm "NULL"
(55)     [suffix] = noop
(55) eap: Peer sent EAP Response (code 2) ID 0 length 11
(55) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(55)     [eap] = ok
(55)   } # authorize = ok
(55) Found Auth-Type = eap
(55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(55)   authenticate {
(55) eap: Peer sent packet with method EAP Identity (1)
(55) eap: Calling submodule eap_md5 to process data
(55) eap_md5: Issuing MD5 Challenge
(55) eap: Sending EAP Request (code 1) ID 1 length 22
(55) eap: EAP session adding &reply:State = 0x63735e5863725ae6
(55)     [eap] = handled
(55)   } # authenticate = handled
(55) Using Post-Auth-Type Challenge
(55) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(55)   Challenge { ... } # empty sub-section is ignored
(55) Sent Access-Challenge Id 249 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(55)   EAP-Message = 0x01010016041068b48875b03f069d5553d10b064ac816
(55)   Message-Authenticator = 0x00000000000000000000000000000000
(55)   State = 0x63735e5863725ae6e05a1d3b154eb421
(55) Finished request
Waking up in 1.6 seconds.
(56) Received Access-Request Id 250 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(56)   User-Name = "test01"
(56)   NAS-IP-Address = 192.168.1.20
(56)   NAS-Port = 0
(56)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(56)   Calling-Station-Id = "78-04-73-D4-B4-24"
(56)   Framed-MTU = 1400
(56)   NAS-Port-Type = Wireless-802.11
(56)   Connect-Info = "CONNECT 0Mbps 802.11g"
(56)   EAP-Message = 0x020100060319
(56)   State = 0x63735e5863725ae6e05a1d3b154eb421
(56)   Message-Authenticator = 0xfc3751df489663d525ecfaa82e691525
(56) session-state: No cached attributes
(56) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(56)   authorize {
(56)     policy filter_username {
(56)       if (&User-Name) {
(56)       if (&User-Name)  -> TRUE
(56)       if (&User-Name)  {
(56)         if (&User-Name =~ / /) {
(56)         if (&User-Name =~ / /)  -> FALSE
(56)         if (&User-Name =~ /@[^@]*@/ ) {
(56)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(56)         if (&User-Name =~ /\.\./ ) {
(56)         if (&User-Name =~ /\.\./ )  -> FALSE
(56)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(56)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(56)         if (&User-Name =~ /\.$/)  {
(56)         if (&User-Name =~ /\.$/)   -> FALSE
(56)         if (&User-Name =~ /@\./)  {
(56)         if (&User-Name =~ /@\./)   -> FALSE
(56)       } # if (&User-Name)  = notfound
(56)     } # policy filter_username = notfound
(56)     [preprocess] = ok
(56)     [chap] = noop
(56)     [mschap] = noop
(56)     [digest] = noop
(56) suffix: Checking for suffix after "@"
(56) suffix: No '@' in User-Name = "test01", looking up realm NULL
(56) suffix: No such realm "NULL"
(56)     [suffix] = noop
(56) eap: Peer sent EAP Response (code 2) ID 1 length 6
(56) eap: No EAP Start, assuming it's an on-going EAP conversation
(56)     [eap] = updated
(56) files: users: Matched entry test01 at line 1
(56)     [files] = ok
(56)     [expiration] = noop
(56)     [logintime] = noop
(56) pap: WARNING: Auth-Type already set.  Not setting to PAP
(56)     [pap] = noop
(56)   } # authorize = updated
(56) Found Auth-Type = eap
(56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(56)   authenticate {
(56) eap: Expiring EAP session with state 0x63735e5863725ae6
(56) eap: Finished EAP session with state 0x63735e5863725ae6
(56) eap: Previous EAP request found for state 0x63735e5863725ae6, released from the list
(56) eap: Peer sent packet with method EAP NAK (3)
(56) eap: Found mutually acceptable type PEAP (25)
(56) eap: Calling submodule eap_peap to process data
(56) eap_peap: Initiating new TLS session
(56) eap_peap: [eaptls start] = request
(56) eap: Sending EAP Request (code 1) ID 2 length 6
(56) eap: EAP session adding &reply:State = 0x63735e58627147e6
(56)     [eap] = handled
(56)   } # authenticate = handled
(56) Using Post-Auth-Type Challenge
(56) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(56)   Challenge { ... } # empty sub-section is ignored
(56) Sent Access-Challenge Id 250 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(56)   EAP-Message = 0x010200061920
(56)   Message-Authenticator = 0x00000000000000000000000000000000
(56)   State = 0x63735e58627147e6e05a1d3b154eb421
(56) Finished request
Waking up in 1.6 seconds.
(57) Received Access-Request Id 251 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(57)   User-Name = "test01"
(57)   NAS-IP-Address = 192.168.1.20
(57)   NAS-Port = 0
(57)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(57)   Calling-Station-Id = "78-04-73-D4-B4-24"
(57)   Framed-MTU = 1400
(57)   NAS-Port-Type = Wireless-802.11
(57)   Connect-Info = "CONNECT 0Mbps 802.11g"
(57)   EAP-Message = 0x020200060300
(57)   State = 0x63735e58627147e6e05a1d3b154eb421
(57)   Message-Authenticator = 0xc33ab970a8a9c1c0e5a1e367b874a105
(57) session-state: No cached attributes
(57) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(57)   authorize {
(57)     policy filter_username {
(57)       if (&User-Name) {
(57)       if (&User-Name)  -> TRUE
(57)       if (&User-Name)  {
(57)         if (&User-Name =~ / /) {
(57)         if (&User-Name =~ / /)  -> FALSE
(57)         if (&User-Name =~ /@[^@]*@/ ) {
(57)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(57)         if (&User-Name =~ /\.\./ ) {
(57)         if (&User-Name =~ /\.\./ )  -> FALSE
(57)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(57)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(57)         if (&User-Name =~ /\.$/)  {
(57)         if (&User-Name =~ /\.$/)   -> FALSE
(57)         if (&User-Name =~ /@\./)  {
(57)         if (&User-Name =~ /@\./)   -> FALSE
(57)       } # if (&User-Name)  = notfound
(57)     } # policy filter_username = notfound
(57)     [preprocess] = ok
(57)     [chap] = noop
(57)     [mschap] = noop
(57)     [digest] = noop
(57) suffix: Checking for suffix after "@"
(57) suffix: No '@' in User-Name = "test01", looking up realm NULL
(57) suffix: No such realm "NULL"
(57)     [suffix] = noop
(57) eap: Peer sent EAP Response (code 2) ID 2 length 6
(57) eap: No EAP Start, assuming it's an on-going EAP conversation
(57)     [eap] = updated
(57) files: users: Matched entry test01 at line 1
(57)     [files] = ok
(57)     [expiration] = noop
(57)     [logintime] = noop
(57) pap: WARNING: Auth-Type already set.  Not setting to PAP
(57)     [pap] = noop
(57)   } # authorize = updated
(57) Found Auth-Type = eap
(57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(57)   authenticate {
(57) eap: Expiring EAP session with state 0x63735e58627147e6
(57) eap: Finished EAP session with state 0x63735e58627147e6
(57) eap: Previous EAP request found for state 0x63735e58627147e6, released from the list
(57) eap: Peer sent packet with method EAP NAK (3)
(57) eap: Peer NAK'd indicating it is not willing to continue
(57) eap: Sending EAP Failure (code 4) ID 2 length 4
(57) eap: Failed in EAP select
(57)     [eap] = invalid
(57)   } # authenticate = invalid
(57) Failed to authenticate the user
(57) Using Post-Auth-Type Reject
(57) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(57)   Post-Auth-Type REJECT {
(57) attr_filter.access_reject: EXPAND %{User-Name}
(57) attr_filter.access_reject:    --> test01
(57) attr_filter.access_reject: Matched entry DEFAULT at line 11
(57)     [attr_filter.access_reject] = updated
(57)     [eap] = noop
(57)     policy remove_reply_message_if_eap {
(57)       if (&reply:EAP-Message && &reply:Reply-Message) {
(57)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(57)       else {
(57)         [noop] = noop
(57)       } # else = noop
(57)     } # policy remove_reply_message_if_eap = noop
(57)   } # Post-Auth-Type REJECT = updated
(57) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
Waking up in 0.6 seconds.
(57) Sending delayed response
(57) Sent Access-Reject Id 251 from 192.168.1.10:1812 to 192.168.1.20:32778 length 44
(57)   EAP-Message = 0x04020004
(57)   Message-Authenticator = 0x00000000000000000000000000000000
Waking up in 0.6 seconds.
(52) Cleaning up request packet ID 246 with timestamp +2298
(53) Cleaning up request packet ID 247 with timestamp +2298
(54) Cleaning up request packet ID 248 with timestamp +2298
Waking up in 3.3 seconds.
(58) Received Access-Request Id 252 from 192.168.1.20:32778 to 192.168.1.10:1812 length 163
(58)   User-Name = "test01"
(58)   NAS-IP-Address = 192.168.1.20
(58)   NAS-Port = 0
(58)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(58)   Calling-Station-Id = "78-04-73-D4-B4-24"
(58)   Framed-MTU = 1400
(58)   NAS-Port-Type = Wireless-802.11
(58)   Connect-Info = "CONNECT 0Mbps 802.11g"
(58)   EAP-Message = 0x0200000b01746573743031
(58)   Message-Authenticator = 0x8087e4271b0fdcde223342ef9dd07a2d
(58) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(58)   authorize {
(58)     policy filter_username {
(58)       if (&User-Name) {
(58)       if (&User-Name)  -> TRUE
(58)       if (&User-Name)  {
(58)         if (&User-Name =~ / /) {
(58)         if (&User-Name =~ / /)  -> FALSE
(58)         if (&User-Name =~ /@[^@]*@/ ) {
(58)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(58)         if (&User-Name =~ /\.\./ ) {
(58)         if (&User-Name =~ /\.\./ )  -> FALSE
(58)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(58)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(58)         if (&User-Name =~ /\.$/)  {
(58)         if (&User-Name =~ /\.$/)   -> FALSE
(58)         if (&User-Name =~ /@\./)  {
(58)         if (&User-Name =~ /@\./)   -> FALSE
(58)       } # if (&User-Name)  = notfound
(58)     } # policy filter_username = notfound
(58)     [preprocess] = ok
(58)     [chap] = noop
(58)     [mschap] = noop
(58)     [digest] = noop
(58) suffix: Checking for suffix after "@"
(58) suffix: No '@' in User-Name = "test01", looking up realm NULL
(58) suffix: No such realm "NULL"
(58)     [suffix] = noop
(58) eap: Peer sent EAP Response (code 2) ID 0 length 11
(58) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(58)     [eap] = ok
(58)   } # authorize = ok
(58) Found Auth-Type = eap
(58) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(58)   authenticate {
(58) eap: Peer sent packet with method EAP Identity (1)
(58) eap: Calling submodule eap_md5 to process data
(58) eap_md5: Issuing MD5 Challenge
(58) eap: Sending EAP Request (code 1) ID 1 length 22
(58) eap: EAP session adding &reply:State = 0x2495222a249426c6
(58)     [eap] = handled
(58)   } # authenticate = handled
(58) Using Post-Auth-Type Challenge
(58) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(58)   Challenge { ... } # empty sub-section is ignored
(58) Sent Access-Challenge Id 252 from 192.168.1.10:1812 to 192.168.1.20:32778 length 0
(58)   EAP-Message = 0x01010016041039f1f2b9147a22c98fa2c02d2638cf8c
(58)   Message-Authenticator = 0x00000000000000000000000000000000
(58)   State = 0x2495222a249426c65548f2a1339b6a08
(58) Finished request
Waking up in 1.3 seconds.
(59) Received Access-Request Id 253 from 192.168.1.20:32778 to 192.168.1.10:1812 length 176
(59)   User-Name = "test01"
(59)   NAS-IP-Address = 192.168.1.20
(59)   NAS-Port = 0
(59)   Called-Station-Id = "70-69-5A-FD-23-05:ophtest-wpa2ent-up"
(59)   Calling-Station-Id = "78-04-73-D4-B4-24"
(59)   Framed-MTU = 1400
(59)   NAS-Port-Type = Wireless-802.11
(59)   Connect-Info = "CONNECT 0Mbps 802.11g"
(59)   EAP-Message = 0x020100060319
(59)   State = 0x2495222a249426c65548f2a1339b6a08
(59)   Message-Authenticator = 0x14fc2eea705ed936b8612c6f0d377d37
(59) session-state: No cached attributes
(59) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(59)   authorize {
(59)     policy filter_username {
(59)       if (&User-Name) {
(59)       if (&User-Name)  -> TRUE
(59)       if (&User-Name)  {
(59)         if (&User-Name =~ / /) {
(59)         if (&User-Name =~ / /)  -> FALSE
(59)         if (&User-Name =~ /@[^@]*@/ ) {
(59)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(59)         if (&User-Name =~ /\.\./ ) {
(59)         if (&User-Name =~ /\.\./ )  -> FALSE
(59)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(59)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(59)         if (&User-Name =~ /\.$/)  {
(59)         if (&User-Name =~ /\.$/)   -> FALSE
(59)         if (&User-Name =~ /@\./)  {
(59)         if (&User-Name =~ /@\./)   -> FALSE
(59)       } # if (&User-Name)  = notfound
(59)     } # policy filter_username = notfound
(59)     [preprocess] = ok
(59)     [chap] = noop
(59)     [mschap] = noop
(59)     [digest] = noop
(59) suffix: Checking for suffix after "@"
(59) suffix: No '@' in User-Name = "test01", looking up realm NULL
(59) suffix: No such realm "NULL"
(59)     [suffix] = noop
(59) eap: Peer sent EAP Response (code 2) ID 1 length 6
(59) eap: No EAP Start, assuming it's an on-going EAP conversation
(59)     [eap] = updated
(59) files: users: Matched entry test01 at line 1
(59)     [files] = ok
(59)     [expiration] = noop
(59)     [logintime] = noop
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Connection Failure with PEAP0/1 with MSCHAPv2

Matthew Newton

On 13/05/2020 09:17, Ammann, Lukas wrote:
> If I disable certificate validation on Win, Ubuntu and Android, the devices connect successfully.

Not a good idea, but for testing things, OK.

> The embedded device (TI CC3100MOD) however, also has disabled certification validation, but is unable to connect to the server.

It doesn't get as far as checking any certificates.

> I post the debug log output from FreeRADIUS below; can someone explain where it goes wrong based on the log info?

> (52) eap: Peer sent packet with method EAP Identity (1)
> (52) eap: Calling submodule eap_md5 to process data
> (52) eap_md5: Issuing MD5 Challenge

...

> (53) eap: Peer sent packet with method EAP NAK (3)
> (53) eap: Found mutually acceptable type PEAP (25)
> (53) eap: Calling submodule eap_peap to process data


Set the default EAP type to peap and you'll save one round trip.

> (54) eap: Peer sent packet with method EAP NAK (3)
> (54) eap: Peer NAK'd indicating it is not willing to continue
> (54) eap: Sending EAP Failure (code 4) ID 2 length 4

You need to look in the logs on the device to see why it's not willing
to continue. It hasn't even got as far as exchanging certificates.

--
Matthew
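The EAP-Message values in the debug output above carry the whole story Matthew points at: the device answers the MD5-Challenge with a NAK proposing PEAP (25), and then answers the PEAP Start with a NAK whose only desired type is 0, which RFC 3748 defines as "no acceptable alternative", so the server has nothing left to offer and sends EAP Failure. The decoder below is an added example, not code from the thread or from FreeRADIUS; it parses the 0x-prefixed EAP-Message hex strings exactly as radiusd -X prints them, and the sample lines are copied from requests 52-54 of the posted log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# EAP packet codes (RFC 3748 section 4) and the method types that occur in this thread.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 4: "MD5-Challenge", 13: "TLS", 25: "PEAP", 26: "MSCHAPv2"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    length: int
    method: Optional[int] = None  # Success/Failure packets have no Type field
    data: bytes = b""

    def describe(self) -> str:
        """Human-readable summary of what this packet means in the EAP conversation."""
        head = f"{EAP_CODES.get(self.code, '?')} id={self.identifier}"
        if self.method is None:
            return head
        name = EAP_TYPES.get(self.method, f"type {self.method}")
        if self.method == 1 and self.code == 2:
            return f"{head} Identity {self.data.decode('ascii', 'replace')!r}"
        if self.method == 3:
            wanted = list(self.data)
            # RFC 3748 5.3.1: a Nak whose desired type is 0 means the peer has no acceptable method.
            if wanted == [0]:
                return f"{head} Nak: peer has no acceptable method left, conversation will fail"
            names = ", ".join(f"{EAP_TYPES.get(t, '?')} ({t})" for t in wanted)
            return f"{head} Nak: peer proposes {names}"
        if self.method == 4 and self.code == 1:
            size = self.data[0] if self.data else 0  # first Type-Data byte is Value-Size
            return f"{head} MD5-Challenge with {size}-byte challenge"
        if self.method == 25:
            flags = self.data[0] if self.data else 0  # L=length included, M=more, S=start; low 3 bits = version
            bits = [n for n, m in (("L", 0x80), ("M", 0x40), ("S", 0x20)) if flags & m]
            return f"{head} PEAP v{flags & 0x07} flags={''.join(bits) or '-'} payload={len(self.data) - 1}B"
        return f"{head} {name}"


def parse_eap(value: str) -> EapPacket:
    """Parse one EAP-Message attribute value as printed by radiusd -X (0x-prefixed hex)."""
    raw = bytes.fromhex(value[2:] if value.startswith("0x") else value)
    if len(raw) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = raw[0], raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes present")
    if code in (3, 4):
        return EapPacket(code, ident, length)
    if length < 5:
        raise ValueError("Request/Response needs a Type byte")
    return EapPacket(code, ident, length, raw[4], raw[5:])


EAP_LINE = re.compile(r"^\((\d+)\)\s+EAP-Message = (0x[0-9a-fA-F]+)")


def decode_log(lines: List[str]) -> List[str]:
    """Return one decoded line per EAP-Message attribute found in radiusd -X output."""
    out = []
    for line in lines:
        m = EAP_LINE.match(line.strip())
        if m:
            out.append(f"({m.group(1)}) {parse_eap(m.group(2)).describe()}")
    return out


# Sample lines copied from the debug output posted in the thread (requests 52-54).
SAMPLE_LOG = """
(52)   EAP-Message = 0x0200000b01746573743031
(52)   EAP-Message = 0x010100160410ba5f459eda3617acd2e624d807a8723c
(53)   EAP-Message = 0x020100060319
(53)   EAP-Message = 0x010200061920
(54)   EAP-Message = 0x020200060300
(54)   EAP-Message = 0x04020004
""".strip().splitlines()

if __name__ == "__main__":
    for entry in decode_log(SAMPLE_LOG):
        print(entry)
```

Running it against the sample shows the device accepting PEAP at the first NAK and giving up at the second, before any TLS record is sent; the failing step is therefore on the supplicant's side, as Matthew says.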