Hi all, I'm wondering if my freeradius is acting correctly against the request below: This Mikrotik CPE is authenticating by an EAP certificate and a username with password is requested. The problem is that the CPE is authenticated with every username that doesn't exist in radcheck.
Why does FR authenticate even with a nonexistent username?

rad_recv: Access-Request packet from host 10.25.66.8 port 56485, id=162, length=175
	Service-Type = Framed-User
	Framed-MTU = 1400
	User-Name = "test155"
	State = 0x06c5601b03c36da7f69234e83e184b70
	NAS-Port-Id = "wlan2"
	Calling-Station-Id = "00-0C-42-B3-D1-F5"
	Called-Station-Id = "00-80-48-60-66-D9:WiNET-TR5G506106"
	EAP-Message = 0x020600060d00
	Message-Authenticator = 0xd549039a41edfd3e25ff22bdb1f16d60
	NAS-Identifier = "ced-wl3"
	NAS-IP-Address = 10.25.66.8
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log] /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/freeradius/radacct/10.25.66.8/auth-detail-20110926
[auth_log] 	expand: %t -> Mon Sep 26 16:35:21 2011
++[auth_log] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "test155", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 6 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[sql] 	expand: %{User-Name} -> test155
[sql] sql_set_user escaped user --> 'test155'
rlm_sql (sql): Reserving sql socket id: 19
[sql] 	expand: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
rlm_sql_postgresql: query: SELECT id, UserName, Attribute, Value, Op FROM radcheck WHERE Username = 'test155' ORDER BY id
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 5
[sql] 	expand: SELECT GroupName FROM radusergroup WHERE UserName='%{SQL-User-Name}' ORDER BY priority -> SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: query: SELECT GroupName FROM radusergroup WHERE UserName='test155' ORDER BY priority
rlm_sql_postgresql: Status: PGRES_TUPLES_OK
rlm_sql_postgresql: query affected rows = 0 , fields = 1
rlm_sql (sql): Released sql socket id: 19
[sql] User test155 not found
++[sql] returns notfound
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
[tls] Received TLS ACK
[tls] ACK handshake is finished
[tls] eaptls_verify returned 3
[tls] eaptls_process returned 3
[tls] Adding user data to cached session
[eap] Freeing handler
++[eap] returns ok
Login OK: [test155] (from client ced-wl3 port 0 cli 00-0C-42-B3-D1-F5)
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 162 to 10.25.66.8 port 56485
	MS-MPPE-Recv-Key = 0xd020f7a2efbb05c6fb255fe6665a12f09f354bdaa6d01b3d5d2c0786b07ca440
	MS-MPPE-Send-Key = 0xa77aaf208423b318ff7f482401d4468af3f9248cbdb611857a5f356bea7725ca
	EAP-Message = 0x03060004
	Message-Authenticator = 0x00000000000000000000000000000000
	User-Name = "test155"
Finished request 69.

--
Sent from the FreeRadius - User mailing list archive at Nabble.com.
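The debug output shows why the accept happens: "++[sql] returns notfound" is a non-fatal result in the authorize section, so processing continues, Auth-Type EAP is set, and EAP-TLS accepts any client that presents a certificate signed by the trusted CA, regardless of the User-Name. The following is an added example, not configuration from this thread or from the FreeRADIUS project defaults; it shows the authorize section of sites-enabled/default (FreeRADIUS 2.x unlang, matching the module order in the log) rewritten so that an identity missing from radcheck is rejected instead of ignored:

```unlang
#  /etc/freeradius/sites-enabled/default  (added example, FreeRADIUS 2.x)
authorize {
	preprocess
	auth_log
	chap
	mschap
	digest
	suffix
	eap
	files

	#  In the debug output above "[sql] User test155 not found" is
	#  followed by "++[sql] returns notfound", which authorize treats
	#  as harmless. Turn that result into a hard reject so that a
	#  certificate alone is not enough: the User-Name must also exist
	#  in radcheck. The reject ends the EAP conversation with an
	#  Access-Reject instead of the Access-Accept seen in the log.
	sql
	if (notfound) {
		reject
	}

	expiration
	logintime
	pap
}
```

With EAP-TLS the User-Name is whatever identity the supplicant chooses to send, so this check only proves the name is in the database; setting check_cert_cn = %{User-Name} in the tls section of eap.conf additionally binds that name to the CN of the client certificate.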