FreeRadius server rejecting Mikrotik Auth Request

I'm setting up a Mikrotik router to authenticate via my FreeRadius server
which is also connected to a Kerberos server.

I've set up Juniper/JunOS routers to it and it's working fine.

However, with Mikrotik, FreeRadius seems to reject the request. I'm not
entirely sure how to move forward and rectify this one.

*user.conf:*

mihael Auth-Type := kerberos
> Service-Type = Administrative-User,
> Juniper-Local-User-Name := "super-users",
> Cisco-AVPair = "shell:priv-lvl=15",
> MikroTik-Group := “write”


*clients.conf:*

 client 10.129.2.5 {
> secret = mysecret
> shortname = Miktrotik-Device
> nastype = other
> }




*tcpdump:*
Attached is the logs for the request acquired via `radiusd -X`


Thanks,
mihael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I'm setting up a Mikrotik router to authenticate via my FreeRadius server
which is also connected to a Kerberos server.

I've set up Juniper/JunOS routers to it and it's working fine.

However, with Mikrotik, FreeRadius seems to reject the request. I'm not
entirely sure how to move forward and rectify this one.

*user.conf:*

mihael Auth-Type := kerberos
> Service-Type = Administrative-User,
> Juniper-Local-User-Name := "super-users",
> Cisco-AVPair = "shell:priv-lvl=15",
> MikroTik-Group := “write”


*clients.conf:*

 client 10.129.2.5 {
> secret = mysecret
> shortname = Miktrotik-Device
> nastype = other
> }




*tcpdump:*
Attached is the logs for the request acquired via `radiusd -X`


Thanks,
mihael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I'm setting up a Mikrotik router to authenticate via my FreeRadius server
which is also connected to a Kerberos server.

I've set up Juniper/JunOS routers to it and it's working fine.

However, with Mikrotik, FreeRadius seems to reject the request. I'm not
entirely sure how to move forward and rectify this one.

*user.conf:*

mihael Auth-Type := kerberos
> Service-Type = Administrative-User,
> Juniper-Local-User-Name := "super-users",
> Cisco-AVPair = "shell:priv-lvl=15",
> MikroTik-Group := “write”


*clients.conf:*

 client 10.129.2.5 {
> secret = mysecret
> shortname = Miktrotik-Device
> nastype = other
> }




*tcpdump:*
Attached is the logs for the request acquired via `radiusd -X`


Thanks,
mihael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

I'm setting up a Mikrotik router to authenticate via my FreeRadius
server which is also connected to a Kerberos server.

I've set up Juniper/JunOS routers to it and it's working fine.

However, with Mikrotik, FreeRadius seems to reject the request. I'm
not entirely sure how to move forward and rectify this one.

user.conf:
>
> mihael Auth-Type := kerberos
> Service-Type = Administrative-User,
> Juniper-Local-User-Name := "super-users",
> Cisco-AVPair = "shell:priv-lvl=15",
> MikroTik-Group := “write”


clients.conf:
>
>  client 10.129.2.5 {
> secret = mysecret
> shortname = Miktrotik-Device
> nastype = other
> }



tcpdump:
>
> 11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145
> 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145
> 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145
> 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS, Access Reject (3), id: 0x22 length: 20
> 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56


Attached is the logs for the request acquired via `radiusd -X`


Thanks,
mihael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

On Jun 16, 2020, at 3:33 AM, Marcelito de Guzman <[hidden email]> wrote:

  There is no need to post the same message multiple times.

> I'm setting up a Mikrotik router to authenticate via my FreeRadius server
> which is also connected to a Kerberos server.
>
> I've set up Juniper/JunOS routers to it and it's working fine.
>
> However, with Mikrotik, FreeRadius seems to reject the request. I'm not
> entirely sure how to move forward and rectify this one.
>
> *user.conf:*

  No.

  You need to READ the documentation, and FOLLOW it.

http://wiki.freeradius.org/list-help

  Pretty much every single piece of documentation available tells you that you need to post the debug output, NOT the configuration files.  Doing the wrong thing repeatedly is not polite.

> Attached is the logs for the request acquired via `radiusd -X`

  Is it really that difficult to paste the *text* debug output into an email message?

  You're making it as hard as possible for anyone to help you.  Why?

  Just read the debug output.  It has the answers 99% of the time.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Ciao.

We have recently upgraded from 3.0.18 to 3.0.22.

We are running some EAP tests, in particular EAP-TLS using eapol_test.

eapol_test tool complains with this message:

      'Locally derived EAP Session-Id does not match EAP-Key-Name from server'

Any pointers would be greatly appreciated.

Thanks in advance.

eapol_test output:

<snip>
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 1b 94 19 e6 28 08 ba ac 15 aa f9 2e 3e 42 1e db 25 92 c4 4e 62 76 cc 35 9c 5d 2e 01 68 c9 91 46
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16
decapsulated EAP packet (code=3 id=11 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 7c 5f bb 17 fe 55 f6 b5 20 45 ab c1 2a 7c 54 98 01 3d 70 6d e0 0e de d1 1b e8 2a 37 7c 36 86 28
WARNING: PMK mismatch
PMK from AS - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16
Locally derived EAP Session-Id does not match EAP-Key-Name from server
EAP Session-Id - hexdump(len=65): 0d 3b 1b 80 ac 99 3e 8b 9e 47 12 b6 59 86 77 9f 08 c7 f4 15 fe 26 a4 74 42 f4 af 73 14 85 da 3d 20 67 c8 37 57 14 41 e0 49 63 a3 0a a4 4d 3a 45 a0 f3 73 00 68 12 bb ff 79 d5 d1 24 bb 88 fd 22 1b
EAP-Key-Name from server - hexdump(len=65): 0d dd 98 63 f2 b3 7e 6e 7e 07 38 7f 72 10 e6 2e d9 73 85 f4 8c 4b 06 02 ae 4f b4 ae 7a 7e a7 ef c4 fb 9c ec c7 42 38 e9 86 96 34 f6 36 5e 2e c9 75 b1 05 98 1b 5c 01 8c a6 6e 85 a9 97 13 14 7a 42
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0  mismatch: 1
FAILURE


FR debug output:

<snip>
(9) eap_tls: <<< recv TLS 1.3  [length 0001]
(9) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(9) eap_tls: <<< recv TLS 1.3  [length 0108]
(9) eap_tls: <<< recv TLS 1.3  [length 0001]
(9) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(9) eap_tls: <<< recv TLS 1.3  [length 0034]
(9) eap_tls: TLS_accept: SSLv3/TLS read finished
(9) eap_tls: (other): SSL negotiation finished successfully
(9) eap_tls: TLS - Connection Established
(9) eap_tls: TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384"
(9) eap_tls: TLS-Session-Version = "TLS 1.3"
(9) eap_tls: TLS - Application data.
(9) eap_tls: WARNING: No information in cached session
(9) eap_tls: [eaptls process] = success
(9) eap: Sending EAP Success (code 3) ID 11 length 4
(9) eap: Freeing handler
(9)     [eap] = ok
(9)   } # authenticate = ok
(9) # Executing section post-auth from file \freeradius-3.0.22\etc\raddb/sites-enabled/default
(9)   post-auth {
(9)     update {
(9)       &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'TLS_AES_256_GCM_SHA384'
(9)       &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.3'
(9)     } # update = noop
(9)     [exec] = noop
(9)     if (&reply:EAP-Session-Id) {
(9)     if (&reply:EAP-Session-Id)  -> TRUE
(9)     if (&reply:EAP-Session-Id)  {
(9)       update reply {
(9)         EAP-Key-Name := &reply:EAP-Session-Id -> 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42
(9)       } # update reply = noop
(9)     } # if (&reply:EAP-Session-Id)  = noop
(9)     policy remove_reply_message_if_eap {
(9)       if (&reply:EAP-Message && &reply:Reply-Message) {
(9)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(9)       else {
(9)         [noop] = noop
(9)       } # else = noop
(9)     } # policy remove_reply_message_if_eap = noop
(9)   } # post-auth = noop
(9) Sent Access-Accept Id 9 from 0.0.0.0:1812 to 127.0.0.1:55914 length 0
(9)   MS-MPPE-Recv-Key = 0x2eb88c3d96bb6966ab437006556b4413899c6a321e721b8419cd5ef3604e9a16
(9)   MS-MPPE-Send-Key = 0x1b9419e62808baac15aaf92e3e421edb2592c44e6276cc359c5d2e0168c99146
(9)   EAP-Message = 0x030b0004
(9)   Message-Authenticator = 0x00000000000000000000000000000000
(9)   User-Name = "mgw"
(9)   EAP-Key-Name := 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42
(9) Finished request
Ready to process requests

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

On Jun 16, 2020, at 8:39 AM, Sergio NNX <[hidden email]> wrote:
>
> We have recently upgraded from 3.0.18 to 3.0.22.
>
> We are running some EAP tests, in particular EAP-TLS using eapol_test.
>
> eapol_test tool complains with this message:
>
>      'Locally derived EAP Session-Id does not match EAP-Key-Name from server'

  It works in my tests.  However...

> Any pointers would be greatly appreciated.
...
> (9) eap_tls: <<< recv TLS 1.3  [length 0001]

  Don't use TLS 1.3.  In mods-enabled/eap, set:

                tls_max_version = "1.2"

  There is currently no standard for using TLS 1.3 with EAP-TLS.  It's being worked on, and should be available late this year.

  i.e. *no one* implements TLS 1.3 for EAP-TLS properly.  Because the standard isn't finished.

  Hostap has implemented support for TLS 1.3 according to the current proposal , but the standard may change.  FreeRADIUS doesn't even try to implement the standard yet.

  We hope to have preliminary support for TLS 1.3 in the next release.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

My apologies, I sent it multiple times because the first three sent me a
reply that my email wasn't sent cause I'm unauthorized.

On Tue, 16 Jun 2020, 8:04 PM Alan DeKok <[hidden email]> wrote:
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html