On 06/21/2011 09:53 PM, g17jimmy wrote:
> I've been looking at this for a day now and it seems like I'm close, but
> something is not right. I have a freeradius server with an openldap backend
> for MAC auth bypass. This system is just for test, but it is an essential
> first step in my project.

The debug you sent is not mac-auth bypass. It's 802.1x/EAP, and it's failing for a bunch of reasons.

Firstly, if you want to do mac-auth, you must configure mac-auth on the switch. 802.1x is not mac-auth.


> rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0, length=99
>          NAS-IP-Address = 192.168.1.254
>          NAS-Port-Type = Ethernet
>          NAS-Port = 24
>          User-Name = "0010182b9065"
>          Acct-Session-Id = "0500002B"
>          EAP-Message = 0x0200001101303031303138326239303635
>          Message-Authenticator = 0x57f15349b978ec4c8dcdda92f6cc6fed

The EAP-Message indicates this is EAP/802.1x

> +- entering group authorize {...}
> ++[preprocess] returns ok
> <snip>
> [ldap] looking for check items in directory...
> [ldap] looking for reply items in directory...
> WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

EAP needs known-good passwords...

> [ldap] user 0010182b9065 authorized to use remote access
> rlm_ldap: ldap_release_conn: Release Id: 0
> ++[ldap] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> [pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

...so it's going to fail. Anyway, it doesn't get that far, because...

Now things get really broken:

> ++[pap] returns noop
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] returns handled
> Sending Access-Challenge of id 0 to 192.168.1.254 port 49154
>          EAP-Message = 0x010100061520
>          Message-Authenticator = 0x00000000000000000000000000000000
>          State = 0xc26dceefc26cdb5c17fcb167e47515a3
> Finished request 4.

This is FreeRADIUS saying, "OK, proceed, using EAP-TLS please"

> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.1.254 port 49154, id=0, length=134
> Cleaning up request 4 ID 0 with timestamp +348
>          NAS-IP-Address = 192.168.1.254
>          NAS-Port-Type = Ethernet
>          NAS-Port = 24
>          User-Name = "0010182b9065"
>          Acct-Session-Id = "0500002B"
>          State = 0xc26dceefc26cdb5c17fcb167e47515a3
>          EAP-Message = 0x0201002204103007f2c1a22a920adc933106b4a62923303031303138326239303635
>          Message-Authenticator = 0xf9ba8e6f27790169ab8ee1b280fbb4e9
> +- entering group authorize {...}
> ++[preprocess] returns ok
> <snip>
> Found Auth-Type = EAP
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] Response appears to match, but EAP type is wrong.

This is just broken. FreeRADIUS said "use EAP-TLS" and your client replied with "ok, using EAP-something-else".

What is the NAS and what is the client here?

Is the NAS trying to do mac-auth via some kind of EAP? That's just crazy, and even if it wasn't, it's managed to break the EAP conversation so it can't possibly work.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html