Closed yuhongwei380 closed 8 months ago
I use an 802.1X test; the test gets access:
EAPOL: Successfully fetched key (len=32)
PMK from EAPOL - hexdump(len=32): 9e b4 c9 be 72 5e 22 37 f1 4b fd 55 68 10 47 84 2b 98 03 ca b8 b7 1b 75 c8 48 a0 8c 02 9d 03 72
No EAP-Key-Name received from server
WPA: Clear old PMK and PTK
EAP: deinitialize previously used EAP method (21, TTLS) at EAP deinit
ENGINE: engine deinit
MPPE keys OK: 1 mismatch: 0
SUCCESS
But when I configure it on my AC, I can't connect to the Wi-Fi. I am confused; please give me some advice. Thanks~
The instructions are clear (third paragraph at the top), they state you must use TTLS...you have configured your workstation/device to use PEAP.
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 151 length 743
(14) eap: EAP session adding &reply:State = 0x478426ac43133f62
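The check made in the reply above (reading the EAP method the client actually offered out of the FreeRADIUS debug output) can be scripted. This is an added example, not part of the thread or of the project's code; the request 14 lines are copied from the thread, while request 15, the function name and the finding format are constructed for illustration.

```python
import re

# Method the thread says the module requires; 21 is the EAP type number
# shown for TTLS in the eapol_test output quoted in the thread.
EXPECTED = ("TTLS", 21)

# Matches: (14) eap: Peer sent packet with method EAP PEAP (25)
METHOD_RE = re.compile(
    r"\((\d+)\)\s+eap: Peer sent packet with method EAP (\S+) \((\d+)\)")
# Matches the request's own User-Name attribute (the outer identity).
USER_RE = re.compile(r'\((\d+)\)\s+User-Name = "([^"]*)"')

# Request 14 lines are copied from the thread; request 15 is constructed.
SAMPLE_LOG = '''\
(14) User-Name = "ph@test.com"
(14) NAS-Port-Type = Wireless-802.11
(14) eap: Peer sent EAP Response (code 2) ID 150 length 6
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(15) User-Name = "user@example.org"
(15) eap: Peer sent packet with method EAP TTLS (21)
'''


def find_method_mismatches(log_text, expected=EXPECTED):
    """Return one finding per request whose EAP method is not `expected`.

    Scans the whole text rather than line by line, so it also copes with
    debug output that was pasted as a single run-together line.
    """
    users = {m.group(1): m.group(2) for m in USER_RE.finditer(log_text)}
    findings = []
    for m in METHOD_RE.finditer(log_text):
        req, name, number = m.group(1), m.group(2), int(m.group(3))
        if (name, number) != expected:
            findings.append({
                "request": req,
                "user": users.get(req, "<unknown>"),
                "method": name,
                "type": number,
            })
    return findings


if __name__ == "__main__":
    for f in find_method_mismatches(SAMPLE_LOG):
        print("request ({request}) user {user}: client offered EAP-{method} "
              "({type}), expected EAP-{0} ({1})".format(*EXPECTED, **f))
```
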
OK, thanks for replying, I will try again ~
Does that mean that when I try to connect to the WLAN, I should change the auth method first?
The instructions are clear (first and second paragraphs): "These instructions assume you are familiar with using FreeRADIUS in an 802.1X environment and if you are not you should start with a EAP-TTLS/PAP 802.1X deployment using static credentials stored in a local users file. If you run into problems getting a users file environment to run, then please seek support from the FreeRADIUS community but do not ask there for help on how to use this module."
If you have been unable to get a non-OAuth2 802.1X session working with FreeRADIUS I am unable to help you pro bono. If you require a RADIUS consultant, I would recommend NetworkRADIUS or coreMem Limited...but you will need a considerable budget.
I use this project to connect to Azure. Thanks for your docs; now I can get it to work in radtest.
Glad the project has helped you!
I have tested on my mobile phone and my Windows machine, and it seems OK; the setup takes some time. Now I am trying to find the way for macOS, with no result so far.
I have solved it by using Apple Configurator to create a new profile and setting the Wi-Fi auto-connect and the encryption protocol. Thanks for the project again ~
I configured 802.1X on my AC; the freeradius-oauth2-perl radtest access succeeds. When I connect to the Wi-Fi, it reports a failure, and I don't know how to solve it. Hoping for your reply, thanks ~
log:
(14) Received Access-Request Id 34 from 192.168.9.2:62196 to 192.168.8.199:1812 length 387
(14) User-Name = "ph@test.com"
(14) NAS-Port = 10
(14) Service-Type = Framed-User
(14) Framed-Protocol = PPP
(14) Calling-Station-Id = "a078-1791-c1b2"
(14) NAS-Identifier = "AirEngine9700S-S"
(14) NAS-Port-Type = Wireless-802.11
(14) NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=10;interfaceName=Wlan-Dbss17551"
(14) State = 0x478426ac44123f627d1e79a3a59d6e07
(14) EAP-Message = 0x029600061900
(14) Message-Authenticator = 0xf5c592c6ff3998233531ad627b0e99a6
(14) Called-Station-Id = "44-22-7C-4A-C5-00:vesoft-radius-test"
(14) NAS-IP-Address = 192.168.8.199
(14) Framed-MTU = 1500
(14) Acct-Session-Id = "AirEngi000000000000106f1e300100057"
(14) Huawei-Startup-Stamp = 1691862620
(14) Huawei-IPHost-Addr = "255.255.255.255 a0:**:17:91:c1:b2"
(14) Huawei-Connect-ID = 4183
(14) Huawei-Version = "V200R022C00"
(14) Huawei-Product-ID = "AC"
(14) Huawei-Loopback-Address = "***"
(14) Huawei-User-Mac = "\000\000\000\001"
(14) Restoring &session-state
(14) &session-state:Framed-MTU = 994
(14) &session-state:TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14) &session-state:TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(14) authorize {
(14) policy filter_username {
(14) if (&User-Name) {
(14) if (&User-Name) -> TRUE
(14) if (&User-Name) {
(14) if (&User-Name =~ / /) {
(14) if (&User-Name =~ / /) -> FALSE
(14) if (&User-Name =~ /@[^@]@/ ) {
(14) if (&User-Name =~ /@[^@]@/ ) -> FALSE
(14) if (&User-Name =~ /../ ) {
(14) if (&User-Name =~ /../ ) -> FALSE
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) {
(14) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+).(.+)$/)) -> FALSE
(14) if (&User-Name =~ /.$/) {
(14) if (&User-Name =~ /.$/) -> FALSE
(14) if (&User-Name =~ /@./) {
(14) if (&User-Name =~ /@./) -> FALSE
(14) } # if (&User-Name) = notfound
(14) } # policy filter_username = notfound
(14) [preprocess] = ok
(14) [chap] = noop
(14) [mschap] = noop
(14) [digest] = noop
(14) suffix: Checking for suffix after "@"
(14) suffix: Looking up realm "test.com" for User-Name = "ph@test.com"
(14) suffix: Found realm "test.com"
(14) suffix: Adding Stripped-User-Name = "ph"
(14) suffix: Adding Realm = "test.com"
(14) suffix: Authentication realm is LOCAL
(14) [suffix] = ok
(14) eap: Peer sent EAP Response (code 2) ID 150 length 6
(14) eap: Continuing tunnel setup
(14) [eap] = ok
(14) } # authorize = ok
(14) Found Auth-Type = eap
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) authenticate {
(14) eap: Expiring EAP session with state 0x478426ac44123f62
(14) eap: Finished EAP session with state 0x478426ac44123f62
(14) eap: Previous EAP request found for state 0x478426ac44123f62, released from the list
(14) eap: Peer sent packet with method EAP PEAP (25)
(14) eap: Calling submodule eap_peap to process data
(14) eap_peap: (TLS) Peer ACKed our handshake fragment
(14) eap: Sending EAP Request (code 1) ID 151 length 743
(14) eap: EAP session adding &reply:State = 0x478426ac43133f62
(14) [eap] = handled
(14) } # authenticate = handled
(14) Using Post-Auth-Type Challenge
(14) # Executing group from file /etc/freeradius/sites-enabled/default
(14) Challenge { ... } # empty sub-section is ignored
(14) session-state: Saving cached attributes
(14) Framed-MTU = 994
(14) TLS-Session-Information = "(TLS) recv TLS 1.3 Handshake, ClientHello"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHello"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, Certificate"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerKeyExchange"
(14) TLS-Session-Information = "(TLS) send TLS 1.2 Handshake, ServerHelloDone"
(14) Sent Access-Challenge Id 34 from 192.168.8.199:1812 to 192.168.9.2:62196 length 805
(14) EAP-Message = [...]
(14) Message-Authenticator = 0x00000000000000000000000000000000
(14) State = 0x478426ac43133f627d1e79a3a59d6e07
(14) Finished request
Waking up in 4.8 seconds.
(10) Cleaning up request packet ID 30 with timestamp +471 due to cleanup_delay was reached
(11) Cleaning up request packet ID 31 with timestamp +471 due to cleanup_delay was reached
(12) Cleaning up request packet ID 32 with timestamp +471 due to cleanup_delay was reached
(13) Cleaning up request packet ID 33 with timestamp +471 due to cleanup_delay was reached
(14) Cleaning up request packet ID 34 with timestamp +471 due to cleanup_delay was reached