EAP-PWD with FreeRADIUS 3


It was a bug. The person who developed the original PWD code only added the User-Name VALUE_PAIR to the request's user-name caching pointer, not to the actual request list.

Some modules ignore the pointer, it was crappy optimisation from a long time ago.

Adding the pair to the request list fixes the issue. Here's the commit.

Thanks for helping track down this issue. The fix will be released as part of v3.0.8. In the meantime you can download v3.0.x HEAD and try that.

After setting control:Cleartext-Password in the inner tunnel, I got several successful authentications. Hopefully it'll work for you.

Updated on September 18, 2022

Comments

  • Compizfox
    Compizfox almost 2 years

    I'm trying to set up EAP-PWD using FreeRADIUS 3.

    However, I can't get it to work and documentation is virtually non-existent. Thus, I don't know whether the problem I'm running into is a misconfiguration or an actual bug.

    Configuration

    This is my configuration (at least the parts that are relevant):

    mods-enabled/eap:

    eap {
        pwd {
            #group = 19

            server_id = [email protected]

            #  This has the same meaning as for TLS.
            fragment_size = 1020

            # The virtual server which determines the "known good" password for the user.
            # Note that unlike TLS, only the "authorize" section is processed.
            # EAP-PWD requests can be distinguished by having a User-Name, but no User-Password, CHAP-Password, EAP-Message, etc.
            #virtual_server = "inner-tunnel"
        }
    }


    I don't know what group = 19 is supposed to mean. (It's explained nowhere.)

    sites-enabled/default:

    authorize {
        filter_username
        preprocess
    
        #  Look in an SQL database.
        sql
    
        #permit_only_eap
        eap {
            ok = return
        }
    
        logintime
    }
    
    authenticate {
        #  Allow EAP authentication.
        eap
    }
    

    sites-enabled/inner-tunnel:

    authorize {
        eap {
            ok = return
        }
    
        #  Look in an SQL database.
        sql
    
        expiration
    }
    
    authenticate {
        mschap
    
        #  Allow EAP authentication.
        eap
    }
    

    Honestly, I don't understand if/why EAP-PWD needs a tunneled request anyway. I had it set up because I use PEAPv0/MS-CHAPv2 as well. I tried both virtual servers (default and inner-tunnel).

    Problem

    Well, the problem. I get authentication errors on the supplicant. This is what I see in the logs:

    (2) eap: Peer sent method PWD (52)
    (2) eap: EAP PWD (52)
    (2) eap: Calling eap_pwd to process EAP data
    (2) eap_pwd: Sending tunneled request
    (2) eap_pwd: server default {
    (2) # Executing section authorize from file /etc/freeradius/sites-enabled/default
    (2)   authorize {
    (2)     policy filter_username {
    (2)       if (!&User-Name) {
    (2)       if (!&User-Name)  -> TRUE
    (2)       if (!&User-Name)  {
    (2)         [noop] = noop
    (2)       } # if (!&User-Name)  = noop
    (2)       if (&User-Name =~ / /) {
    (2)       ERROR: Failed retrieving values required to evaluate condition
    (2)       if (&User-Name =~ /@.*@/ ) {
    (2)       ERROR: Failed retrieving values required to evaluate condition
    (2)       if (&User-Name =~ /\.\./ ) {
    (2)       ERROR: Failed retrieving values required to evaluate condition
    (2)       if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
    (2)       ERROR: Failed retrieving values required to evaluate condition
    (2)       if (&User-Name =~ /\.$/)  {
    (2)       ERROR: Failed retrieving values required to evaluate condition
    (2)       if (&User-Name =~ /@\./)  {
    (2)       ERROR: Failed retrieving values required to evaluate condition
    (2)     } # policy filter_username = noop
    (2)     [preprocess] = ok
    (2) sql: EXPAND %{User-Name}
    (2) sql:    -->
    (2) sql: SQL-User-Name set to ''
    rlm_sql (sql): Reserved connection (4)
    (2) sql: EXPAND SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id
    (2) sql:    --> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
    (2) sql: Executing select query: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '' ORDER BY id
    (2) sql: EXPAND SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority
    (2) sql:    --> SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
    (2) sql: Executing select query: SELECT groupname FROM radusergroup WHERE username = '' ORDER BY priority
    (2) sql: User not found in any groups
    rlm_sql (sql): Released connection (4)
    (2)     [sql] = notfound
    (2) eap: No EAP-Message, not doing EAP
    (2)     [eap] = noop
    (2)     [logintime] = noop
    (2)   } # authorize = ok
    (2) eap_pwd: } # server default
    (2) eap_pwd: Got tunneled reply code 0
    failed to find password for lars to do pwd authentication
    (2) eap: ERROR: Failed continuing EAP PWD (52) session. EAP sub-module failed
    (2) eap: Failed in EAP select
    (2)     [eap] = invalid
    (2)   } # authenticate = invalid
    (2) Failed to authenticate the user
    (2) Login incorrect (eap: Failed continuing EAP PWD (52) session. EAP sub-module failed): [lars] (from client LARS-RANNOCH port 4 cli 48-59-29-F6-BA-89)
    

    The first authorize section (not shown in above log) went OK, but after that EAP-PWD seems to do another tunneled request. (Why? I thought that was only necessary for PEAP and EAP-TTLS.) In this case I had commented out the virtual_server line in the EAP config, so the request was handled by the default virtual server.

    As can be seen, the User-Name attribute is empty (SQL-User-Name set to ''), which results in the sql module not being able to fetch the correct record: failed to find password for lars to do pwd authentication.

    Is my configuration for EAP-PWD correct? What causes this error?
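The symptom in the log above (a tunneled eap_pwd authorize pass in which every &User-Name condition fails, SQL-User-Name expands to '' and the password lookup then fails) can be spotted mechanically. The following is an added example, not code from the question or from FreeRADIUS: it walks debug (-X) output in the format shown above and reports, per request, whether the EAP-PWD tunneled pass ran without a User-Name and which user was affected. The sample log is a constructed, trimmed copy of the one in the question.

```python
import re

# Constructed sample: a trimmed copy of the debug output quoted above.
SAMPLE_LOG = """\
(2) eap: Peer sent method PWD (52)
(2) eap_pwd: Sending tunneled request
(2) eap_pwd: server default {
(2)       if (&User-Name =~ / /) {
(2)       ERROR: Failed retrieving values required to evaluate condition
(2) sql: SQL-User-Name set to ''
(2)     [sql] = notfound
(2) eap_pwd: } # server default
(2) eap_pwd: Got tunneled reply code 0
failed to find password for lars to do pwd authentication
(2) Login incorrect (eap: Failed continuing EAP PWD (52) session. EAP sub-module failed): [lars]
"""

# Markers of the tunneled eap_pwd pass and of the three symptoms seen in the question.
TUNNEL_OPEN = re.compile(r"^\((\d+)\) eap_pwd: server (\S+) \{")
TUNNEL_CLOSE = re.compile(r"^\((\d+)\) eap_pwd: \} # server")
EMPTY_NAME = re.compile(r"SQL-User-Name set to ''")
COND_FAIL = re.compile(r"ERROR: Failed retrieving values required to evaluate condition")
NO_PASSWORD = re.compile(r"^failed to find password for (\S+) to do pwd authentication")


def diagnose(log: str) -> dict:
    """Map request id -> findings for every EAP-PWD tunneled authorize pass in the log."""
    findings = {}
    in_tunnel = None  # request id while inside "eap_pwd: server X {" ... "} # server X"
    for line in log.splitlines():
        m = TUNNEL_OPEN.match(line)
        if m:
            in_tunnel = m.group(1)
            findings.setdefault(in_tunnel, {"virtual_server": m.group(2),
                                            "empty_user_name": False,
                                            "cond_failures": 0, "user": None})
            continue
        if TUNNEL_CLOSE.match(line):
            in_tunnel = None
            continue
        if in_tunnel is not None:
            if EMPTY_NAME.search(line):
                findings[in_tunnel]["empty_user_name"] = True
            if COND_FAIL.search(line):
                findings[in_tunnel]["cond_failures"] += 1
        m = NO_PASSWORD.match(line)
        if m and findings:
            # rlm_eap_pwd prints this line without a "(n)" prefix, so attribute
            # it to the most recently opened tunneled pass.
            findings[list(findings)[-1]]["user"] = m.group(1)
    return findings
```

A request whose entry has empty_user_name set and a user name recorded is exactly the case the accepted answer attributes to the User-Name pair never reaching the tunneled request list.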

    • Compizfox
      Compizfox about 9 years
      Right, thanks for clearing that up! Actually I was testing using my phone (Nexus 5 running CM11)
    • Arran Cudbard-Bell
      Arran Cudbard-Bell about 9 years
      So it could be a supplicant issue as well. Hmm. .pcap would help. Could you DM me on twitter, then I'll give you another contact address. I think this'll need some interactive debugging. EAP-PWD support is fairly new and not well tested.
  • Compizfox
    Compizfox about 9 years
    Thanks! Your link links to freeradius-3.1.x (not 3.0.x), is that intentional?
  • Compizfox
    Compizfox about 9 years
    I just downloaded v3.0.x HEAD (since I saw you committed the fix to both branches) and I think I got it working! At least the eapol_test now succeeds. I will test it later this day with my Android phone.
  • Arran Cudbard-Bell
    Arran Cudbard-Bell about 9 years
    Great! And the commit is the same across both branches and people should cherry-pick across.