I'm setting up a Mikrotik router to authenticate via my FreeRadius server
which is also connected to a Kerberos server.

I've set up Juniper/JunOS routers to it and it's working fine.

However, with Mikrotik, FreeRadius seems to reject the request. I'm not
entirely sure how to move forward and rectify this one.

*user.conf:*

> mihael Auth-Type := kerberos
>     Service-Type = Administrative-User,
>     Juniper-Local-User-Name := "super-users",
>     Cisco-AVPair = "shell:priv-lvl=15",
>     MikroTik-Group := "write"

*clients.conf:*

> client 10.129.2.5 {
>     secret = mysecret
>     shortname = Miktrotik-Device
>     nastype = other
> }

*tcpdump:*

> 11:25:45.369063 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145
> 11:25:45.669482 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145
> 11:25:45.969903 IP mikrotik.net.55522 > freeradius.net.radius: RADIUS, Access Request (1), id: 0x22 length: 145
> 11:25:46.369565 IP freeradius.net.radius > mikrotik.net.55522: RADIUS, Access Reject (3), id: 0x22 length: 20
> 11:25:46.369776 IP mikrotik.net > freeradius.net.radius: ICMP czt1-sme2.rise.net.ph udp port 55522 unreachable, length 56

Attached are the logs for the request acquired via `radiusd -X`

Thanks,
mihael

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
In reply to this post by Marcelito de Guzman
On Jun 16, 2020, at 3:33 AM, Marcelito de Guzman <[hidden email]> wrote:
There is no need to post the same message multiple times.

> I'm setting up a Mikrotik router to authenticate via my FreeRadius server
> which is also connected to a Kerberos server.
>
> I've set up Juniper/JunOS routers to it and it's working fine.
>
> However, with Mikrotik, FreeRadius seems to reject the request. I'm not
> entirely sure how to move forward and rectify this one.
>
> *user.conf:*

No.

You need to READ the documentation, and FOLLOW it.

http://wiki.freeradius.org/list-help

Pretty much every single piece of documentation available tells you that you need to post the debug output, NOT the configuration files. Doing the wrong thing repeatedly is not polite.

> Attached are the logs for the request acquired via `radiusd -X`

Is it really that difficult to paste the *text* debug output into an email message?

You're making it as hard as possible for anyone to help you. Why?

Just read the debug output. It has the answers 99% of the time.

Alan DeKok.
Ciao.
We have recently upgraded from 3.0.18 to 3.0.22.

We are running some EAP tests, in particular EAP-TLS using eapol_test.

The eapol_test tool complains with this message:

'Locally derived EAP Session-Id does not match EAP-Key-Name from server'

Any pointers would be greatly appreciated.

Thanks in advance.

eapol_test output:

<snip>
RADIUS packet matching with station
MS-MPPE-Send-Key (sign) - hexdump(len=32): 1b 94 19 e6 28 08 ba ac 15 aa f9 2e 3e 42 1e db 25 92 c4 4e 62 76 cc 35 9c 5d 2e 01 68 c9 91 46
MS-MPPE-Recv-Key (crypt) - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16
decapsulated EAP packet (code=3 id=11 len=4) from RADIUS server: EAP Success
EAPOL: Received EAP-Packet frame
EAPOL: SUPP_BE entering state REQUEST
EAPOL: getSuppRsp
EAP: EAP entering state RECEIVED
EAP: Received EAP-Success
EAP: Status notification: completion (param=success)
EAP: EAP entering state SUCCESS
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
EAPOL: IEEE 802.1X for plaintext connection; no EAPOL-Key frames required
WPA: EAPOL processing complete
Cancelling authentication timeout
State: DISCONNECTED -> COMPLETED
EAPOL: SUPP_PAE entering state AUTHENTICATED
EAPOL: SUPP_BE entering state RECEIVE
EAPOL: SUPP_BE entering state SUCCESS
EAPOL: SUPP_BE entering state IDLE
eapol_sm_cb: result=1
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 7c 5f bb 17 fe 55 f6 b5 20 45 ab c1 2a 7c 54 98 01 3d 70 6d e0 0e de d1 1b e8 2a 37 7c 36 86 28
WARNING: PMK mismatch
PMK from AS - hexdump(len=32): 2e b8 8c 3d 96 bb 69 66 ab 43 70 06 55 6b 44 13 89 9c 6a 32 1e 72 1b 84 19 cd 5e f3 60 4e 9a 16
Locally derived EAP Session-Id does not match EAP-Key-Name from server
EAP Session-Id - hexdump(len=65): 0d 3b 1b 80 ac 99 3e 8b 9e 47 12 b6 59 86 77 9f 08 c7 f4 15 fe 26 a4 74 42 f4 af 73 14 85 da 3d 20 67 c8 37 57 14 41 e0 49 63 a3 0a a4 4d 3a 45 a0 f3 73 00 68 12 bb ff 79 d5 d1 24 bb 88 fd 22 1b
EAP-Key-Name from server - hexdump(len=65): 0d dd 98 63 f2 b3 7e 6e 7e 07 38 7f 72 10 e6 2e d9 73 85 f4 8c 4b 06 02 ae 4f b4 ae 7a 7e a7 ef c4 fb 9c ec c7 42 38 e9 86 96 34 f6 36 5e 2e c9 75 b1 05 98 1b 5c 01 8c a6 6e 85 a9 97 13 14 7a 42
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (13, TLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 0 mismatch: 1
FAILURE

FR debug output:

<snip>
(9) eap_tls: <<< recv TLS 1.3 [length 0001]
(9) eap_tls: TLS_accept: SSLv3/TLS read client certificate
(9) eap_tls: <<< recv TLS 1.3 [length 0108]
(9) eap_tls: <<< recv TLS 1.3 [length 0001]
(9) eap_tls: TLS_accept: SSLv3/TLS read certificate verify
(9) eap_tls: <<< recv TLS 1.3 [length 0034]
(9) eap_tls: TLS_accept: SSLv3/TLS read finished
(9) eap_tls: (other): SSL negotiation finished successfully
(9) eap_tls: TLS - Connection Established
(9) eap_tls: TLS-Session-Cipher-Suite = "TLS_AES_256_GCM_SHA384"
(9) eap_tls: TLS-Session-Version = "TLS 1.3"
(9) eap_tls: TLS - Application data.
(9) eap_tls: WARNING: No information in cached session
(9) eap_tls: [eaptls process] = success
(9) eap: Sending EAP Success (code 3) ID 11 length 4
(9) eap: Freeing handler
(9) [eap] = ok
(9) } # authenticate = ok
(9) # Executing section post-auth from file \freeradius-3.0.22\etc\raddb/sites-enabled/default
(9) post-auth {
(9) update {
(9) &reply::TLS-Session-Cipher-Suite += &session-state:TLS-Session-Cipher-Suite[*] -> 'TLS_AES_256_GCM_SHA384'
(9) &reply::TLS-Session-Version += &session-state:TLS-Session-Version[*] -> 'TLS 1.3'
(9) } # update = noop
(9) [exec] = noop
(9) if (&reply:EAP-Session-Id) {
(9) if (&reply:EAP-Session-Id) -> TRUE
(9) if (&reply:EAP-Session-Id) {
(9) update reply {
(9) EAP-Key-Name := &reply:EAP-Session-Id -> 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42
(9) } # update reply = noop
(9) } # if (&reply:EAP-Session-Id) = noop
(9) policy remove_reply_message_if_eap {
(9) if (&reply:EAP-Message && &reply:Reply-Message) {
(9) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
(9) else {
(9) [noop] = noop
(9) } # else = noop
(9) } # policy remove_reply_message_if_eap = noop
(9) } # post-auth = noop
(9) Sent Access-Accept Id 9 from 0.0.0.0:1812 to 127.0.0.1:55914 length 0
(9) MS-MPPE-Recv-Key = 0x2eb88c3d96bb6966ab437006556b4413899c6a321e721b8419cd5ef3604e9a16
(9) MS-MPPE-Send-Key = 0x1b9419e62808baac15aaf92e3e421edb2592c44e6276cc359c5d2e0168c99146
(9) EAP-Message = 0x030b0004
(9) Message-Authenticator = 0x00000000000000000000000000000000
(9) User-Name = "mgw"
(9) EAP-Key-Name := 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42
(9) Finished request
Ready to process requests
On Jun 16, 2020, at 8:39 AM, Sergio NNX <[hidden email]> wrote:
> We have recently upgraded from 3.0.18 to 3.0.22.
>
> We are running some EAP tests, in particular EAP-TLS using eapol_test.
>
> eapol_test tool complains with this message:
>
> 'Locally derived EAP Session-Id does not match EAP-Key-Name from server'

It works in my tests. However...

> Any pointers would be greatly appreciated.

...

> (9) eap_tls: <<< recv TLS 1.3 [length 0001]

Don't use TLS 1.3. In mods-enabled/eap, set:

tls_max_version = "1.2"

There is currently no standard for using TLS 1.3 with EAP-TLS. It's being worked on, and should be available late this year.

i.e. *no one* implements TLS 1.3 for EAP-TLS properly. Because the standard isn't finished.

Hostap has implemented support for TLS 1.3 according to the current proposal, but the standard may change. FreeRADIUS doesn't even try to implement the standard yet.

We hope to have preliminary support for TLS 1.3 in the next release.

Alan DeKok.
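As an added example (not part of the thread, and not FreeRADIUS or hostap code), the check below reads the two hexdumps from the eapol_test output and the EAP-Key-Name from the radiusd -X output quoted above, confirms that both sides produced a 65-byte value starting with the EAP-TLS type byte 0x0D yet differing from the second byte on, and shows the RFC 5216 derivation that a TLS 1.2 peer and server agree on. The log lines are copied from the thread; the client and server randoms passed to rfc5216_session_id are whatever the caller constructs.

```python
import re

# Sample input copied from the eapol_test output quoted in the thread.
EAPOL_TEST_LOG = """\
EAP Session-Id - hexdump(len=65): 0d 3b 1b 80 ac 99 3e 8b 9e 47 12 b6 59 86 77 9f 08 c7 f4 15 fe 26 a4 74 42 f4 af 73 14 85 da 3d 20 67 c8 37 57 14 41 e0 49 63 a3 0a a4 4d 3a 45 a0 f3 73 00 68 12 bb ff 79 d5 d1 24 bb 88 fd 22 1b
EAP-Key-Name from server - hexdump(len=65): 0d dd 98 63 f2 b3 7e 6e 7e 07 38 7f 72 10 e6 2e d9 73 85 f4 8c 4b 06 02 ae 4f b4 ae 7a 7e a7 ef c4 fb 9c ec c7 42 38 e9 86 96 34 f6 36 5e 2e c9 75 b1 05 98 1b 5c 01 8c a6 6e 85 a9 97 13 14 7a 42
"""
# Sample input copied from the radiusd -X output quoted in the thread.
RADIUSD_LOG = "(9) EAP-Key-Name := 0x0ddd9863f2b37e6e7e07387f7210e62ed97385f48c4b0602ae4fb4ae7a7ea7efc4fb9cecc74238e9869634f6365e2ec975b105981b5c018ca66e85a99713147a42\n"

EAP_TLS_TYPE = 0x0D  # EAP-TLS method type; RFC 5216 puts it first in the Session-Id

def parse_hexdump(log: str, label: str) -> bytes:
    """Parse a hostap-style '<label> - hexdump(len=N): xx xx ..' line and check N."""
    m = re.search(re.escape(label) + r" - hexdump\(len=(\d+)\): ([0-9a-f ]+)", log)
    if not m:
        raise ValueError(f"no hexdump labelled {label!r}")
    data = bytes.fromhex(m.group(2).replace(" ", ""))
    if len(data) != int(m.group(1)):
        raise ValueError(f"hexdump declares len={m.group(1)} but has {len(data)} bytes")
    return data

def parse_radius_attr(log: str, attr: str) -> bytes:
    """Parse the 0x.. value of an octets attribute as printed by radiusd -X."""
    m = re.search(re.escape(attr) + r"\s*:?=\s*0x([0-9a-fA-F]+)", log)
    if not m:
        raise ValueError(f"no attribute {attr!r} in debug output")
    return bytes.fromhex(m.group(1))

def rfc5216_session_id(client_random: bytes, server_random: bytes) -> bytes:
    """TLS 1.2 and earlier (RFC 5216): Session-Id = 0x0D || client.random || server.random.
    The TLS 1.3 drafts use a TLS exporter instead, so two sides following different
    rules both produce 65 bytes yet disagree after the type byte, as in the thread."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS randoms are 32 bytes each")
    return bytes([EAP_TLS_TYPE]) + client_random + server_random

def check_session_ids() -> dict:
    """Compare the peer-derived Session-Id with what FreeRADIUS sent as EAP-Key-Name."""
    local = parse_hexdump(EAPOL_TEST_LOG, "EAP Session-Id")
    server = parse_hexdump(EAPOL_TEST_LOG, "EAP-Key-Name from server")
    radius = parse_radius_attr(RADIUSD_LOG, "EAP-Key-Name")
    first_diff = next((i for i, (a, b) in enumerate(zip(local, server)) if a != b), None)
    return {
        "type_byte_ok": local[0] == server[0] == EAP_TLS_TYPE,
        "lengths": (len(local), len(server)),
        "match": local == server,
        "first_differing_offset": first_diff,  # 1: the sides agree only on the type byte
        "server_value_matches_radiusd_log": server == radius,
    }
```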
In reply to this post by Alan DeKok-2
My apologies, I sent it multiple times because the first three sent me a
reply that my email wasn't sent because I'm unauthorized.