Computer networks
TyzhSysAdmin, 2016-11-27 20:51:32

WPA2-EAP authorization FreeRadius + MikroTik, where am I stupid?

Greetings friends.
I'm trying to bring up WPA2-EAP on a MikroTik. FreeRADIUS works fine for authorizing switches and a bunch of other network hardware, but I can't get WPA2-EAP configured.
The log shows:

(220) Received Access-Request Id 234 from 10.10.3.189:42134 to 172.17.0.2:1812 length 264
(220)   Service-Type = Framed-User
(220)   Framed-MTU = 1400
(220)   User-Name = "sys"
(220)   State = 0x9c1eed869b17f40c954b4359550f8eb4
(220)   NAS-Port-Id = "radius"
(220)   NAS-Port-Type = Wireless-802.11
(220)   Acct-Session-Id = "82000020"
(220)   Acct-Multi-Session-Id = "6E-3B-6B-F2-A3-84-80-A5-89-00-3D-A3-82-00-00-00-00-00-00-1D"
(220)   Calling-Station-Id = "80-A5-89-00-3D-A3"
(220)   Called-Station-Id = "6E-3B-6B-F2-A3-84:Radius"
(220)   EAP-Message = 0x0209002b19001703010020f6f18e3b9d1144351e61353162621a3e6de737d51713a7746737b0d5689bf84d
(220)   Message-Authenticator = 0x24d64cf0c1f4b2596164e3b4faca09d1
(220)   NAS-Identifier = "MikroTik"
(220)   NAS-IP-Address = 10.10.3.189
(220) Restoring &session-state
(220)   &session-state:Module-Failure-Message := "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject"
(220) # Executing section authorize from file /radius/conf/sites-enabled/default
(220)   authorize {
(220)     policy filter_username {
(220)       if (&User-Name) {
(220)       if (&User-Name)  -> TRUE
(220)       if (&User-Name)  {
(220)         if (&User-Name =~ / /) {
(220)         if (&User-Name =~ / /)  -> FALSE
(220)         if (&User-Name =~ /@[^@]*@/ ) {
(220)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(220)         if (&User-Name =~ /\.\./ ) {
(220)         if (&User-Name =~ /\.\./ )  -> FALSE
(220)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(220)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(220)         if (&User-Name =~ /\.$/)  {
(220)         if (&User-Name =~ /\.$/)   -> FALSE
(220)         if (&User-Name =~ /@\./)  {
(220)         if (&User-Name =~ /@\./)   -> FALSE
(220)       } # if (&User-Name)  = notfound
(220)     } # policy filter_username = notfound
(220)     [preprocess] = ok
(220)     [chap] = noop
(220)     [mschap] = noop
(220)     [digest] = noop
(220) suffix: Checking for suffix after "@"
(220) suffix: No '@' in User-Name = "sys", looking up realm NULL
(220) suffix: No such realm "NULL"
(220)     [suffix] = noop
(220) eap: Peer sent EAP Response (code 2) ID 9 length 43
(220) eap: Continuing tunnel setup
(220)     [eap] = ok
(220)   } # authorize = ok
(220) Found Auth-Type = eap
(220) # Executing group from file /radius/conf/sites-enabled/default
(220)   authenticate {
(220) eap: Expiring EAP session with state 0x9c1eed869b17f40c
(220) eap: Finished EAP session with state 0x9c1eed869b17f40c
(220) eap: Previous EAP request found for state 0x9c1eed869b17f40c, released from the list
(220) eap: Peer sent packet with method EAP PEAP (25)
(220) eap: Calling submodule eap_peap to process data
(220) eap_peap: Continuing EAP-TLS
(220) eap_peap: [eaptls verify] = ok
(220) eap_peap: Done initial handshake
(220) eap_peap: [eaptls process] = ok
(220) eap_peap: Session established.  Decoding tunneled attributes
(220) eap_peap: PEAP state send tlv failure
(220) eap_peap: Received EAP-TLV response
(220) eap_peap:   The users session was previously rejected: returning reject (again.)
(220) eap_peap:   This means you need to read the PREVIOUS messages in the debug output
(220) eap_peap:   to find out the reason why the user was rejected
(220) eap_peap:   Look for "reject" or "fail".  Those earlier messages will tell you
(220) eap_peap:   what went wrong, and how to fix the problem
(220) eap: ERROR: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(220) eap: Sending EAP Failure (code 4) ID 9 length 4
(220) eap: Failed in EAP select
(220)     [eap] = invalid
(220)   } # authenticate = invalid
(220) Failed to authenticate the user
(220) Using Post-Auth-Type Reject
(220) # Executing group from file /radius/conf/sites-enabled/default
(220)   Post-Auth-Type REJECT {
(220) sql: EXPAND .query
(220) sql:    --> .query
(220) sql: Using query template 'query'
rlm_sql (sql): Reserved connection (30)
(220) sql: EXPAND %{User-Name}
(220) sql:    --> sys
(220) sql: SQL-User-Name set to 'sys'
(220) sql: EXPAND INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('%{User-Name}', '%{%{User-Password}:-Chap-Password}', '%{reply:Packet-Type}', NOW())
(220) sql:    --> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
(220) sql: Executing query: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES('sys', 'Chap-Password', 'Access-Reject', NOW())
rlm_sql_postgresql: Status: PGRES_COMMAND_OK
rlm_sql_postgresql: query affected rows = 1
(220) sql: SQL query returned: success
(220) sql: 1 record(s) updated
rlm_sql (sql): Released connection (30)
(220)     [sql] = ok
(220) attr_filter.access_reject: EXPAND %{User-Name}
(220) attr_filter.access_reject:    --> sys
(220) attr_filter.access_reject: Matched entry DEFAULT at line 11
(220)     [attr_filter.access_reject] = updated
(220)     policy remove_reply_message_if_eap {
(220)       if (&reply:EAP-Message && &reply:Reply-Message) {
(220)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(220)       else {
(220)         [noop] = noop
(220)       } # else = noop
(220)     } # policy remove_reply_message_if_eap = noop
(220)   } # Post-Auth-Type REJECT = updated
(220) Delaying response for 1.000000 seconds
Waking up in 0.3 seconds.
(220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
Waking up in 0.6 seconds.
(220) Discarding duplicate request from client 0.0.0.0/0 port 42134 - ID: 234 due to delayed response
Waking up in 0.4 seconds.
(220) Sending delayed response
(220) Sent Access-Reject Id 234 from 172.17.0.2:1812 to 10.10.3.189:42134 length 44
(220)   EAP-Message = 0x04090004
(220)   Message-Authenticator = 0x00000000000000000000000000000000

The confusing line is
(220) eap_peap: PEAP state send tlv failure
but Google did not clarify the situation.
The client is Windows 7, with the connection set to Microsoft: Protected EAP (PEAP) + EAP-MSCHAPv2.
Please share your experience; say which configs are needed and I will show them.
Solution:
In mods-available/eap, the line
default_eap_type = tls
must be changed to the form
default_eap_type = tls,peap
(since version 3 the separator is a comma, not a space),
and then mschap itself actually has to be configured:
mods-available/mschap
use_mppe = yes
require_encryption = yes
require_strong = yes
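For readers landing here with the same debug output: the log above shows the outer PEAP/TLS session completing ("Session established. Decoding tunneled attributes") and then the restored &session-state carrying "No Auth-Type found: rejecting the user via Post-Auth-Type = Reject" from an earlier round, so the reject originated in the inner EAP-MSCHAPv2 leg and "PEAP state send tlv failure" is only the outer tunnel relaying that result to the peer. The following is an added example, not configuration from the original post, showing the shape of the FreeRADIUS 3.x mods-available/eap and mods-available/mschap sections that serve PEAP with EAP-MSCHAPv2 inside, which is what a Windows 7 "Protected EAP (PEAP)" profile sends. The certificate file names, private key password and inner virtual server name are assumptions for the example; substitute your own.

```conf
# Added example (not from the original post): FreeRADIUS 3.x configuration
# fragments for PEAP with EAP-MSCHAPv2 as the inner method.
# Certificate paths, the key password and the inner virtual server name are
# assumptions; adjust them to the local installation.

# --- mods-available/eap ------------------------------------------------------
eap {
    # Outer method offered to the supplicant. Windows PEAP clients accept PEAP
    # directly; the inner method is chosen in the peap { } block below.
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no
    max_sessions     = ${max_requests}

    # TLS settings shared by EAP-TLS and the PEAP outer tunnel.
    tls-config tls-common {
        private_key_password = whatever              # assumption
        private_key_file     = ${certdir}/server.pem # assumption
        certificate_file     = ${certdir}/server.pem # assumption
        ca_file              = ${cadir}/ca.pem       # assumption
        dh_file              = ${certdir}/dh
        random_file          = /dev/urandom
        cipher_list          = "DEFAULT"
        ecdh_curve           = "prime256v1"
    }

    # Plain EAP-TLS (certificate clients) keeps working alongside PEAP.
    tls {
        tls = tls-common
    }

    peap {
        tls = tls-common
        # Inner method: EAP-MSCHAPv2, handled by the mschapv2 submodule below
        # and, through it, by the mschap module.
        default_eap_type = mschapv2
        copy_request_to_tunnel = no
        use_tunneled_reply     = no
        # The decrypted inner request is processed by this virtual server
        # (sites-enabled/inner-tunnel in a stock install).
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
        # Do not tell the peer why an inner authentication failed.
        send_error = no
    }
}

# --- mods-available/mschap ---------------------------------------------------
mschap {
    # Return the MPPE keys to the NAS so the WPA2 PMK can be derived;
    # without them the wireless association fails after a successful EAP.
    use_mppe           = yes
    require_encryption = yes
    require_strong     = yes
    # Strip a DOMAIN\ prefix from the user name before lookup.
    with_ntdomain_hack = yes
}
```

Two points a practitioner should check alongside this. First, the inner-tunnel server must be able to obtain an NT hash for the user: EAP-MSCHAPv2 only works when the password is available as Cleartext-Password or NT-Password (with SQL, as in the log above, that means a radcheck row with one of those attributes); a password stored as Crypt-Password or an SSHA hash cannot be used by mschap and leads to exactly the "No Auth-Type found" reject seen here. Second, the MSCHAPv2 challenge/response inside the tunnel is only as well protected as the outer TLS server authentication, so the Windows PEAP profile should have "Validate server certificate" enabled and be restricted to the issuing CA; otherwise a rogue access point presenting any certificate the client accepts can capture the exchange. On the RouterOS side the wireless security profile must use mode=dynamic-keys, authentication-types=wpa2-eap and eap-methods=passthrough so that the EAP conversation is forwarded unchanged to this server.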

1 answer(s)
Anton Ulanov, 2016-11-27
@POS_troi

In your log it gives the error: ERROR: Failed continuing EAP PEAP (25) session. EAP sub-module failed