
Cannot get specific vendor attribute using radius EAP-ttls


I am new to RADIUS and EAP. I fail to retrieve vendor-specific attributes from a FreeRADIUS server using RADIUS and EAP-TTLS (when performing PAP, the user's attributes are correctly returned by the server).

I work on a Linux machine and a Linux server.

I read this post, which helped a lot to understand: How and where RADIUS and EAP combine?, but I cannot find my issue anyway.

On the server I have defined a user in the users configuration file with specific attributes:

brendon Cleartext-Password := "XXX"
    IEC62351-8-RoleID = "ROLE1",
    IEC62351-8-RoleID += "ROLE2"

The issue I encounter is that the server always returns MS-MPPE-Send-Key and MS-MPPE-Recv-Key, and I don't understand why. Here is the log I get from FreeRADIUS (running with the -X option):

Copyright (C) 1999-2017 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
Starting - reading configuration files ...
Listening on auth address 127.0.0.1 port 18120 bound to server inner-tunnel
Listening on auth address * port 1812 bound to server default
Listening on acct address * port 1813 bound to server default
Listening on auth address :: port 1812 bound to server default
Listening on acct address :: port 1813 bound to server default
Listening on proxy address * port 56290
Listening on proxy address :: port 38281
Ready to process requests
(0) Received Access-Request Id 26 from 10.214.232.212:52631 to 10.234.31.92:1812 length 66
(0)   EAP-Message = 0x0200000e01616e6f6e796d6f7573
(0)   NAS-Port = 0
(0)   NAS-IP-Address = 10.214.232.212
(0)   Message-Authenticator = 0x5a9d7211de5c5d4c69a26898eea105d3
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> FALSE
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Proxy reply, or no User-Name.  Ignoring
(0)     [suffix] = noop
(0) eap: Peer sent EAP Response (code 2) ID 0 length 14
(0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the rest of authorize
(0)     [eap] = ok
(0)   } # authorize = ok
(0) Found Auth-Type = eap
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   authenticate {
(0) eap: WARNING: NAS did not set User-Name.  Setting it locally from EAP Identity
(0) eap: Peer sent packet with method EAP Identity (1)
(0) eap: Calling submodule eap_tls to process data
(0) eap_tls: Initiating new EAP-TLS session
(0) eap_tls: Setting verify mode to require certificate from client
(0) eap_tls: [eaptls start] = request
(0) eap: Sending EAP Request (code 1) ID 1 length 6
(0) eap: EAP session adding &reply:State = 0xca6f8448ca6e893f
(0)     [eap] = handled
(0)   } # authenticate = handled
(0) Using Post-Auth-Type Challenge
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Challenge { ... } # empty sub-section is ignored
(0) Sent Access-Challenge Id 26 from 10.234.31.92:1812 to 10.214.232.212:52631 length 0
(0)   EAP-Message = 0x010100060d20
(0)   Message-Authenticator = 0x00000000000000000000000000000000
(0)   State = 0xca6f8448ca6e893fac15f965d7a090eb
(0) Finished request
Waking up in 4.9 seconds.
(1) Received Access-Request Id 0 from 10.214.232.212:52633 to 10.234.31.92:1812 length 76
(1)   EAP-Message = 0x020100060315
(1)   State = 0xca6f8448ca6e893fac15f965d7a090eb
(1)   NAS-Port = 0
(1)   NAS-IP-Address = 10.214.232.212
(1)   Message-Authenticator = 0x530c1b0fc523fbad1f3826c97da0aaaa
(1) session-state: No cached attributes
(1) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(1)   authorize {
(1)     policy filter_username {
(1)       if (&User-Name) {
(1)       if (&User-Name)  -> FALSE
(1)     } # policy filter_username = notfound
(1)     [preprocess] = ok
(1)     [chap] = noop
(1)     [mschap] = noop
(1)     [digest] = noop
(1) suffix: Proxy reply, or no User-Name.  Ignoring
(1)     [suffix] = noop
(1) eap: Peer sent EAP Response (code 2) ID 1 length 6
(1) eap: No EAP Start, assuming it's an on-going EAP conversation
(1)     [eap] = updated
(1)   } # authorize = updated
(1) Found Auth-Type = eap
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   authenticate {
(1) eap: Expiring EAP session with state 0xca6f8448ca6e893f
(1) eap: Finished EAP session with state 0xca6f8448ca6e893f
(1) eap: Previous EAP request found for state 0xca6f8448ca6e893f, released from the list
(1) eap: Broken NAS did not set User-Name, setting from EAP Identity
(1) eap: Peer sent packet with method EAP NAK (3)
(1) eap: Found mutually acceptable type TTLS (21)
(1) eap: Calling submodule eap_ttls to process data
(1) eap_ttls: Initiating new EAP-TLS session
(1) eap_ttls: [eaptls start] = request
(1) eap: Sending EAP Request (code 1) ID 2 length 6
(1) eap: EAP session adding &reply:State = 0xca6f8448cb6d913f
(1)     [eap] = handled
(1)   } # authenticate = handled
(1) Using Post-Auth-Type Challenge
(1) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(1)   Challenge { ... } # empty sub-section is ignored
(1) Sent Access-Challenge Id 0 from 10.234.31.92:1812 to 10.214.232.212:52633 length 0
(1)   EAP-Message = 0x010200061520
(1)   Message-Authenticator = 0x00000000000000000000000000000000
(1)   State = 0xca6f8448cb6d913fac15f965d7a090eb
(1) Finished request
Waking up in 4.9 seconds.
(2) Received Access-Request Id 76 from 10.214.232.212:49159 to 10.234.31.92:1812 length 162
(2)   EAP-Message = 0x0202005c150016030300510100004d030364390bf93f2a436557592deaa70503e2e0bc7de89b31ddbba6dd90dd038170d6000018006b003d003900350067003c0033002f0016000a000500040100000c000d00080006060105010401
(2)   State = 0xca6f8448cb6d913fac15f965d7a090eb
(2)   NAS-Port = 0
(2)   NAS-IP-Address = 10.214.232.212
(2)   Message-Authenticator = 0xc1f7a27c2f771c3c1b95ed0c06843925
(2) session-state: No cached attributes
(2) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(2)   authorize {
(2)     policy filter_username {
(2)       if (&User-Name) {
(2)       if (&User-Name)  -> FALSE
(2)     } # policy filter_username = notfound
(2)     [preprocess] = ok
(2)     [chap] = noop
(2)     [mschap] = noop
(2)     [digest] = noop
(2) suffix: Proxy reply, or no User-Name.  Ignoring
(2)     [suffix] = noop
(2) eap: Peer sent EAP Response (code 2) ID 2 length 92
(2) eap: Continuing tunnel setup
(2)     [eap] = ok
(2)   } # authorize = ok
(2) Found Auth-Type = eap
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   authenticate {
(2) eap: Expiring EAP session with state 0xca6f8448cb6d913f
(2) eap: Finished EAP session with state 0xca6f8448cb6d913f
(2) eap: Previous EAP request found for state 0xca6f8448cb6d913f, released from the list
(2) eap: Broken NAS did not set User-Name, setting from EAP Identity
(2) eap: Peer sent packet with method EAP TTLS (21)
(2) eap: Calling submodule eap_ttls to process data
(2) eap_ttls: Authenticate
(2) eap_ttls: Continuing EAP-TLS
(2) eap_ttls: [eaptls verify] = ok
(2) eap_ttls: Done initial handshake
(2) eap_ttls: (other): before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: TLS_accept: before SSL initialization
(2) eap_ttls: <<< recv UNKNOWN TLS VERSION ?0304? [length 0051] 
(2) eap_ttls: TLS_accept: SSLv3/TLS read client hello
(2) eap_ttls: >>> send TLS 1.2  [length 002a] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write server hello
(2) eap_ttls: >>> send TLS 1.2  [length 08e9] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write certificate
(2) eap_ttls: >>> send TLS 1.2  [length 0004] 
(2) eap_ttls: TLS_accept: SSLv3/TLS write server done
(2) eap_ttls: TLS_accept: Need to read more data: SSLv3/TLS write server done
(2) eap_ttls: In SSL Handshake Phase
(2) eap_ttls: In SSL Accept mode
(2) eap_ttls: [eaptls process] = handled
(2) eap: Sending EAP Request (code 1) ID 3 length 1004
(2) eap: EAP session adding &reply:State = 0xca6f8448c86c913f
(2)     [eap] = handled
(2)   } # authenticate = handled
(2) Using Post-Auth-Type Challenge
(2) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(2)   Challenge { ... } # empty sub-section is ignored
(2) Sent Access-Challenge Id 76 from 10.234.31.92:1812 to 10.214.232.212:49159 length 0
(2)   EAP-Message = 0x010303ec15c000000926160303002a020000260303bfeabe84c460d86d6c56c083ac65e152a3f1ff5ca2eb4e28d83375c0fc6b7a2900003d0016030308e90b0008e50008e20003de308203da308202c2a003020102020101300d06092a864886f70d01010b0500308193310b3009060355040613024652
(2)   Message-Authenticator = 0x00000000000000000000000000000000
(2)   State = 0xca6f8448c86c913fac15f965d7a090eb
(2) Finished request
Waking up in 4.8 seconds.
(3) Received Access-Request Id 118 from 10.214.232.212:49161 to 10.234.31.92:1812 length 76
(3)   EAP-Message = 0x020300061500
(3)   State = 0xca6f8448c86c913fac15f965d7a090eb
(3)   NAS-Port = 0
(3)   NAS-IP-Address = 10.214.232.212
(3)   Message-Authenticator = 0x1c17e681e7392d1f17aa0e220cdacf3f
(3) session-state: No cached attributes
(3) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(3)   authorize {
(3)     policy filter_username {
(3)       if (&User-Name) {
(3)       if (&User-Name)  -> FALSE
(3)     } # policy filter_username = notfound
(3)     [preprocess] = ok
(3)     [chap] = noop
(3)     [mschap] = noop
(3)     [digest] = noop
(3) suffix: Proxy reply, or no User-Name.  Ignoring
(3)     [suffix] = noop
(3) eap: Peer sent EAP Response (code 2) ID 3 length 6
(3) eap: Continuing tunnel setup
(3)     [eap] = ok
(3)   } # authorize = ok
(3) Found Auth-Type = eap
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   authenticate {
(3) eap: Expiring EAP session with state 0xca6f8448c86c913f
(3) eap: Finished EAP session with state 0xca6f8448c86c913f
(3) eap: Previous EAP request found for state 0xca6f8448c86c913f, released from the list
(3) eap: Broken NAS did not set User-Name, setting from EAP Identity
(3) eap: Peer sent packet with method EAP TTLS (21)
(3) eap: Calling submodule eap_ttls to process data
(3) eap_ttls: Authenticate
(3) eap_ttls: Continuing EAP-TLS
(3) eap_ttls: Peer ACKed our handshake fragment
(3) eap_ttls: [eaptls verify] = request
(3) eap_ttls: [eaptls process] = handled
(3) eap: Sending EAP Request (code 1) ID 4 length 1004
(3) eap: EAP session adding &reply:State = 0xca6f8448c96b913f
(3)     [eap] = handled
(3)   } # authenticate = handled
(3) Using Post-Auth-Type Challenge
(3) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(3)   Challenge { ... } # empty sub-section is ignored
(3) Sent Access-Challenge Id 118 from 10.234.31.92:1812 to 10.214.232.212:49161 length 0
(3)   EAP-Message = 0x010403ec15c0000009268800a977a803b2f219926b4759cfb1dbf1ec31b1c13f81554ad12c84a916499b4aaa2ef57c091d4b2c6e574b938447f18263cb4e450c36a0a3a60004fe308204fa308203e2a00302010202143fb8f121a16d0a0ee175c15ce4ad900eecac4e86300d06092a864886f70d01010b
(3)   Message-Authenticator = 0x00000000000000000000000000000000
(3)   State = 0xca6f8448c96b913fac15f965d7a090eb
(3) Finished request
Waking up in 4.7 seconds.
(4) Received Access-Request Id 227 from 10.214.232.212:49163 to 10.234.31.92:1812 length 76
(4)   EAP-Message = 0x020400061500
(4)   State = 0xca6f8448c96b913fac15f965d7a090eb
(4)   NAS-Port = 0
(4)   NAS-IP-Address = 10.214.232.212
(4)   Message-Authenticator = 0x631fd6b0ac1a7cd86c58f36e07fffe82
(4) session-state: No cached attributes
(4) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(4)   authorize {
(4)     policy filter_username {
(4)       if (&User-Name) {
(4)       if (&User-Name)  -> FALSE
(4)     } # policy filter_username = notfound
(4)     [preprocess] = ok
(4)     [chap] = noop
(4)     [mschap] = noop
(4)     [digest] = noop
(4) suffix: Proxy reply, or no User-Name.  Ignoring
(4)     [suffix] = noop
(4) eap: Peer sent EAP Response (code 2) ID 4 length 6
(4) eap: Continuing tunnel setup
(4)     [eap] = ok
(4)   } # authorize = ok
(4) Found Auth-Type = eap
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   authenticate {
(4) eap: Expiring EAP session with state 0xca6f8448c96b913f
(4) eap: Finished EAP session with state 0xca6f8448c96b913f
(4) eap: Previous EAP request found for state 0xca6f8448c96b913f, released from the list
(4) eap: Broken NAS did not set User-Name, setting from EAP Identity
(4) eap: Peer sent packet with method EAP TTLS (21)
(4) eap: Calling submodule eap_ttls to process data
(4) eap_ttls: Authenticate
(4) eap_ttls: Continuing EAP-TLS
(4) eap_ttls: Peer ACKed our handshake fragment
(4) eap_ttls: [eaptls verify] = request
(4) eap_ttls: [eaptls process] = handled
(4) eap: Sending EAP Request (code 1) ID 5 length 364
(4) eap: EAP session adding &reply:State = 0xca6f8448ce6a913f
(4)     [eap] = handled
(4)   } # authenticate = handled
(4) Using Post-Auth-Type Challenge
(4) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(4)   Challenge { ... } # empty sub-section is ignored
(4) Sent Access-Challenge Id 227 from 10.234.31.92:1812 to 10.214.232.212:49163 length 0
(4)   EAP-Message = 0x0105016c158000000926551d130101ff040530030101ff30360603551d1f042f302d302ba029a0278625687474703a2f2f7777772e6578616d706c652e6f72672f6578616d706c655f63612e63726c300d06092a864886f70d01010b050003820101007e21180e883167354b7b139f27709b2f9c7f5524
(4)   Message-Authenticator = 0x00000000000000000000000000000000
(4)   State = 0xca6f8448ce6a913fac15f965d7a090eb
(4) Finished request
Waking up in 4.6 seconds.
(5) Received Access-Request Id 64 from 10.214.232.212:49165 to 10.234.31.92:1812 length 436
(5)   EAP-Message = 0x0205016c1500160303010610000102010072c9a295aa179141e03937b0c18c8fae57f4ad6be416334aa40bfe0106e14d379ecbb14ae07386268808b8d6deb7f2674f094b8906f01e7b49009eb259820d355e067ece0779e5a35d8f67381692286408cdf50093ecf5518cd9aa650ab71241f5696c62ca63
(5)   State = 0xca6f8448ce6a913fac15f965d7a090eb
(5)   NAS-Port = 0
(5)   NAS-IP-Address = 10.214.232.212
(5)   Message-Authenticator = 0x33d3e95a174b6095ebbbde42cd794c61
(5) session-state: No cached attributes
(5) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(5)   authorize {
(5)     policy filter_username {
(5)       if (&User-Name) {
(5)       if (&User-Name)  -> FALSE
(5)     } # policy filter_username = notfound
(5)     [preprocess] = ok
(5)     [chap] = noop
(5)     [mschap] = noop
(5)     [digest] = noop
(5) suffix: Proxy reply, or no User-Name.  Ignoring
(5)     [suffix] = noop
(5) eap: Peer sent EAP Response (code 2) ID 5 length 364
(5) eap: Continuing tunnel setup
(5)     [eap] = ok
(5)   } # authorize = ok
(5) Found Auth-Type = eap
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   authenticate {
(5) eap: Expiring EAP session with state 0xca6f8448ce6a913f
(5) eap: Finished EAP session with state 0xca6f8448ce6a913f
(5) eap: Previous EAP request found for state 0xca6f8448ce6a913f, released from the list
(5) eap: Broken NAS did not set User-Name, setting from EAP Identity
(5) eap: Peer sent packet with method EAP TTLS (21)
(5) eap: Calling submodule eap_ttls to process data
(5) eap_ttls: Authenticate
(5) eap_ttls: Continuing EAP-TLS
(5) eap_ttls: [eaptls verify] = ok
(5) eap_ttls: Done initial handshake
(5) eap_ttls: TLS_accept: SSLv3/TLS write server done
(5) eap_ttls: <<< recv TLS 1.2  [length 0106] 
(5) eap_ttls: TLS_accept: SSLv3/TLS read client key exchange
(5) eap_ttls: TLS_accept: SSLv3/TLS read change cipher spec
(5) eap_ttls: <<< recv TLS 1.2  [length 0010] 
(5) eap_ttls: TLS_accept: SSLv3/TLS read finished
(5) eap_ttls: >>> send TLS 1.2  [length 0001] 
(5) eap_ttls: TLS_accept: SSLv3/TLS write change cipher spec
(5) eap_ttls: >>> send TLS 1.2  [length 0010] 
(5) eap_ttls: TLS_accept: SSLv3/TLS write finished
(5) eap_ttls: (other): SSL negotiation finished successfully
(5) eap_ttls: SSL Connection Established
(5) eap_ttls: [eaptls process] = handled
(5) eap: Sending EAP Request (code 1) ID 6 length 101
(5) eap: EAP session adding &reply:State = 0xca6f8448cf69913f
(5)     [eap] = handled
(5)   } # authenticate = handled
(5) Using Post-Auth-Type Challenge
(5) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(5)   Challenge { ... } # empty sub-section is ignored
(5) Sent Access-Challenge Id 64 from 10.234.31.92:1812 to 10.214.232.212:49165 length 0
(5)   EAP-Message = 0x0106006515800000005b14030300010116030300500e01ea4a3c1744a693a78e0c24bbaa4205b73616a68270625289080f663625794d236f222cc62bf34e901353102a08c09852c7ffd49ff1abd9ad7fdd240d0915d43ed3cbc25cfc073b20b05ecb2ce581
(5)   Message-Authenticator = 0x00000000000000000000000000000000
(5)   State = 0xca6f8448cf69913fac15f965d7a090eb
(5) Finished request
Waking up in 4.5 seconds.
(6) Received Access-Request Id 29 from 10.214.232.212:49167 to 10.234.31.92:1812 length 177
(6)   EAP-Message = 0x0206006b15001703030060583bd9865086316dfd855e553a4eebbf201383d7c0ebee1a5d8473aff7d592465a655442fded16656e6dbbb712eff4a2655b6895ef5ec72c2aff56c914627d9df248c6e718e48cbeb53f828be82d80a3fe15a03059f9cea7832eabed3fde3cec
(6)   State = 0xca6f8448cf69913fac15f965d7a090eb
(6)   NAS-Port = 0
(6)   NAS-IP-Address = 10.214.232.212
(6)   Message-Authenticator = 0x3e371922ea1733f51a920a7298e5cbcb
(6) session-state: No cached attributes
(6) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(6)   authorize {
(6)     policy filter_username {
(6)       if (&User-Name) {
(6)       if (&User-Name)  -> FALSE
(6)     } # policy filter_username = notfound
(6)     [preprocess] = ok
(6)     [chap] = noop
(6)     [mschap] = noop
(6)     [digest] = noop
(6) suffix: Proxy reply, or no User-Name.  Ignoring
(6)     [suffix] = noop
(6) eap: Peer sent EAP Response (code 2) ID 6 length 107
(6) eap: Continuing tunnel setup
(6)     [eap] = ok
(6)   } # authorize = ok
(6) Found Auth-Type = eap
(6) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(6)   authenticate {
(6) eap: Expiring EAP session with state 0xca6f8448cf69913f
(6) eap: Finished EAP session with state 0xca6f8448cf69913f
(6) eap: Previous EAP request found for state 0xca6f8448cf69913f, released from the list
(6) eap: Broken NAS did not set User-Name, setting from EAP Identity
(6) eap: Peer sent packet with method EAP TTLS (21)
(6) eap: Calling submodule eap_ttls to process data
(6) eap_ttls: Authenticate
(6) eap_ttls: Continuing EAP-TLS
(6) eap_ttls: [eaptls verify] = ok
(6) eap_ttls: Done initial handshake
(6) eap_ttls: [eaptls process] = ok
(6) eap_ttls: Session established.  Proceeding to decode tunneled attributes
(6) eap_ttls: Got tunneled request
(6) eap_ttls:   User-Name = "brendon"
(6) eap_ttls:   User-Password = "hello"
(6) eap_ttls:   FreeRADIUS-Proxied-To = 127.0.0.1
(6) eap_ttls: Sending tunneled request
(6) Virtual server inner-tunnel received request
(6)   User-Name = "brendon"
(6)   User-Password = "hello"
(6)   FreeRADIUS-Proxied-To = 127.0.0.1
(6) server inner-tunnel {
(6)   # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     authorize {
(6)       policy filter_username {
(6)         if (&User-Name) {
(6)         if (&User-Name)  -> TRUE
(6)         if (&User-Name)  {
(6)           if (&User-Name =~ / /) {
(6)           if (&User-Name =~ / /)  -> FALSE
(6)           if (&User-Name =~ /@[^@]*@/ ) {
(6)           if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(6)           if (&User-Name =~ /\.\./ ) {
(6)           if (&User-Name =~ /\.\./ )  -> FALSE
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(6)           if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(6)           if (&User-Name =~ /\.$/)  {
(6)           if (&User-Name =~ /\.$/)   -> FALSE
(6)           if (&User-Name =~ /@\./)  {
(6)           if (&User-Name =~ /@\./)   -> FALSE
(6)         } # if (&User-Name)  = notfound
(6)       } # policy filter_username = notfound
(6)       [chap] = noop
(6)       [mschap] = noop
(6) suffix: Checking for suffix after "@"
(6) suffix: No '@' in User-Name = "brendon", looking up realm NULL
(6) suffix: No such realm "NULL"
(6)       [suffix] = noop
(6)       update control {
(6)         &Proxy-To-Realm := LOCAL
(6)       } # update control = noop
(6) eap: No EAP-Message, not doing EAP
(6)       [eap] = noop
(6) files: users: Matched entry brendon at line 230
(6)       [files] = ok
(6)       [expiration] = noop
(6)       [logintime] = noop
(6)       [pap] = updated
(6)     } # authorize = updated
(6)   Found Auth-Type = PAP
(6)   # Executing group from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     Auth-Type PAP {
(6) pap: Login attempt with password
(6) pap: Comparing with "known good" Cleartext-Password
(6) pap: User authenticated successfully
(6)       [pap] = ok
(6)     } # Auth-Type PAP = ok
(6)   # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/inner-tunnel
(6)     post-auth {
(6)       if (0) {
(6)       if (0)  -> FALSE
(6)     } # post-auth = noop
(6)   Login OK: [brendon/hello] (from client whatever port 0 via TLS tunnel)
(6) } # server inner-tunnel
(6) Virtual server sending reply
(6)   IEC62351-8-RoleID = "OPERATOR"
(6)   IEC62351-8-RoleID = "ENGINEER"
(6) eap_ttls: Got tunneled Access-Accept
(6) eap: Sending EAP Success (code 3) ID 6 length 4
(6) eap: Freeing handler
(6)     [eap] = ok
(6)   } # authenticate = ok
(6) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(6)   post-auth {
(6)     update {
(6)       No attributes updated
(6)     } # update = noop
(6)     [exec] = noop
(6)     policy remove_reply_message_if_eap {
(6)       if (&reply:EAP-Message && &reply:Reply-Message) {
(6)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(6)       else {
(6)         [noop] = noop
(6)       } # else = noop
(6)     } # policy remove_reply_message_if_eap = noop
(6)   } # post-auth = noop
(6) Login OK: [anonymous/<via Auth-Type = eap>] (from client whatever port 0)
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6)   MS-MPPE-Recv-Key = 0x612dbdf934dde72a902cbb61f7b317f0ab027e043211d743bb15f39d1b7df21b
(6)   MS-MPPE-Send-Key = 0x508c9aefdb3b61db7d53ce2232efce1ebcec0b67fb40c205639779f2b3e4e820
(6)   EAP-Message = 0x03060004
(6)   Message-Authenticator = 0x00000000000000000000000000000000
(6) Finished request
Waking up in 4.5 seconds.
(0) Cleaning up request packet ID 26 with timestamp +9
(1) Cleaning up request packet ID 0 with timestamp +9
(2) Cleaning up request packet ID 76 with timestamp +9
(3) Cleaning up request packet ID 118 with timestamp +9
(4) Cleaning up request packet ID 227 with timestamp +9
Waking up in 0.1 seconds.
(5) Cleaning up request packet ID 64 with timestamp +10
(6) Cleaning up request packet ID 29 with timestamp +10
Ready to process requests

As we can see at the end, the server "knows" the attributes linked with the user:

(6) Virtual server sending reply
(6)   IEC62351-8-RoleID = "OPERATOR"
(6)   IEC62351-8-RoleID = "ENGINEER"

but they are not returned. Instead, the reply is:

(6) Login OK: [anonymous/<via Auth-Type = eap>] (from client whatever port 0)
(6) Sent Access-Accept Id 29 from XX.XX.XX.XX:1812 to XX.XX.XX.XX:49167 length 0
(6)   MS-MPPE-Recv-Key = 0x612dbdf934dde72a902cbb61f7b317f0ab027e043211d743bb15f39d1b7df21b
(6)   MS-MPPE-Send-Key = 0x508c9aefdb3b61db7d53ce2232efce1ebcec0b67fb40c205639779f2b3e4e820

If it can help, here are the Wireshark packets:

Access-Request:

Frame 23: 219 bytes on wire (1752 bits), 219 bytes captured (1752 bits) on interface \Device\NPF_{58F84452-96E4-452B-98A5-663F8E4D7FDB}, id 0
Ethernet II, Src: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX)
Internet Protocol Version 4, Src: XX.XX.XX.XX, Dst: XX.XX.XX.XX
User Datagram Protocol, Src Port: 49167, Dst Port: 1812
RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0x1d (29)
    Length: 177
    Authenticator: a95b00007e62000008380000fc5f0000
    [The response to this request is in frame 24]
    Attribute Value Pairs
        AVP: t=EAP-Message(79) l=109 Last Segment[1]
        AVP: t=State(24) l=18 val=ca6f8448cf69913fac15f965d7a090eb
        AVP: t=NAS-Port(5) l=6 val=0
        AVP: t=NAS-IP-Address(4) l=6 val=XX.XX.XX.XX
        AVP: t=Message-Authenticator(80) l=18 val=3e371922ea1733f51a920a7298e5cbcb

Access-Accept:

Frame 24: 202 bytes on wire (1616 bits), 202 bytes captured (1616 bits) on interface \Device\NPF_{58F84452-96E4-452B-98A5-663F8E4D7FDB}, id 0
Ethernet II, Src: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX), Dst: XX:XX:XX:XX:XX:XX (XX:XX:XX:XX:XX:XX)
Internet Protocol Version 4, Src: XX.XX.XX.XX, Dst: XX.XX.XX.XX
User Datagram Protocol, Src Port: 1812, Dst Port: 49167
RADIUS Protocol
    Code: Access-Accept (2)
    Packet identifier: 0x1d (29)
    Length: 160
    Authenticator: 9f6d9c09c55e654a93f47a4215a8418e
    [This is a response to a request in frame 23]
    [Time from request: 0.069017000 seconds]
    Attribute Value Pairs
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=58 vnd=Microsoft(311)
        AVP: t=EAP-Message(79) l=6 Last Segment[1]
        AVP: t=Message-Authenticator(80) l=18 val=9eb84fabca3ba8c74ae5db4db35aad07

Is it a server misconfiguration? Or an issue in the Access-Request? Or anything else?


Solution

  • The problem was a FreeRADIUS server misconfiguration.

    In my case, I needed to add to /etc/freeradius/3.0/mods-available/eap:

    ttls {
      [...]
      use_tunneled_reply = yes
      [...]
    }
    

    to ask the server to add the attributes to the reply message.
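Added example, not code from the question, the answer or FreeRADIUS itself: a small RADIUS reply decoder that walks an Access-Accept's attribute list, splits each Vendor-Specific (26) attribute into vendor id and sub-attributes, and compares a constructed reply shaped like frame 24 above (only the two Microsoft(311) MPPE keys) with the reply expected once use_tunneled_reply = yes copies the inner-tunnel attributes outward. The IEC62351-8 vendor id is not on the page, so a labelled placeholder is assumed, and key bytes and authenticators are dummies.

```python
import struct

ATTR_VENDOR_SPECIFIC, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 26, 79, 80
VENDOR_MICROSOFT = 311                                            # vnd=Microsoft(311) in the Wireshark decode
MS_SUBATTRS = {16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key"}    # RFC 2548 sub-attribute numbers
# Assumption: the IEC62351-8 dictionary's vendor id is not on the page; this is a placeholder only
PLACEHOLDER_IEC_VENDOR_ID = 999999


def parse_tlvs(data):
    """Walk a RADIUS type/length/value list; each length byte covers its own 2-byte header."""
    items, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        ttype, tlen = data[pos], data[pos + 1]
        if tlen < 2 or pos + tlen > len(data):
            raise ValueError(f"bad attribute length {tlen} at offset {pos}")
        items.append((ttype, data[pos + 2:pos + tlen]))
        pos += tlen
    return items

def parse_vsa(value):
    """Vendor-Specific value = 4-byte vendor id followed by the vendor's own TLVs."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than its vendor id")
    return struct.unpack("!I", value[:4])[0], parse_tlvs(value[4:])

def parse_packet(pkt):
    """Decode the 20-byte RADIUS header (code, id, length, authenticator) and the AVPs behind it."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError(f"bad RADIUS length field {length}")
    avps = [(t, parse_vsa(v) if t == ATTR_VENDOR_SPECIFIC else v)
            for t, v in parse_tlvs(pkt[20:length])]
    return {"code": code, "id": ident, "length": length, "authenticator": pkt[4:20], "avps": avps}

def vendor_summary(avps):
    """Map vendor id -> sub-attribute names (Microsoft) or numbers found in the reply's VSAs."""
    found = {}
    for atype, value in avps:
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, subs = value
            names = [MS_SUBATTRS.get(s, s) if vendor_id == VENDOR_MICROSOFT else s for s, _ in subs]
            found.setdefault(vendor_id, []).extend(names)
    return found

def reply_carries_vendor(pkt, vendor_id):
    """True when an Access-Accept (code 2) carries at least one VSA from vendor_id."""
    parsed = parse_packet(pkt)
    return parsed["code"] == 2 and vendor_id in vendor_summary(parsed["avps"])

# Builders, used only to construct the two sample replies below
def build_avp(atype, value):
    return bytes([atype, len(value) + 2]) + value

def build_vsa(vendor_id, sub_type, sub_value):
    inner = bytes([sub_type, len(sub_value) + 2]) + sub_value
    return build_avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)

def build_packet(code, ident, authenticator, avps):
    body = b"".join(avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

# Constructed Access-Accept shaped like frame 24 in the question (Id 29, length 160): two Microsoft
# VSAs of length 58, an EAP Success and a Message-Authenticator. Keys and authenticators are dummies;
# real MPPE keys are salt-encrypted with the shared secret, which this example never touches.
_DUMMY_KEY, _DUMMY_AUTH = b"\x00" * 50, b"\x00" * 16
_COMMON = [build_vsa(VENDOR_MICROSOFT, 17, _DUMMY_KEY), build_vsa(VENDOR_MICROSOFT, 16, _DUMMY_KEY)]
_TAIL = [build_avp(ATTR_EAP_MESSAGE, bytes.fromhex("03060004")),
         build_avp(ATTR_MESSAGE_AUTHENTICATOR, _DUMMY_AUTH)]
ACCEPT_BEFORE_FIX = build_packet(2, 29, _DUMMY_AUTH, _COMMON + _TAIL)
# The outer reply once use_tunneled_reply = yes copies the inner-tunnel role attributes outward
ACCEPT_AFTER_FIX = build_packet(2, 29, _DUMMY_AUTH, _COMMON + [
    build_vsa(PLACEHOLDER_IEC_VENDOR_ID, 1, b"OPERATOR"),
    build_vsa(PLACEHOLDER_IEC_VENDOR_ID, 1, b"ENGINEER")] + _TAIL)
```

Running reply_carries_vendor on a captured Access-Accept gives a quick yes/no on whether the inner attributes made it to the NAS, independent of the server's debug log.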