
I installed FreeRadius v 3.0.20 on Linux (F38 and Ubuntu 20.4) from their respective s/w repositories (dnf, apt) but cannot make the simplest self-test with username and password work.
The procedure is described in the "getting started" wiki. Basically, it is: edit the "users" file and add a user with a plaintext password. Then start the radius server on localhost. Then run their utility radtest with this user & password, and it should succeed.

Except it does not, in both attempts, with similar behaviour (Fedora and Ubuntu).

Is the FreeRadius "getting started" guide obsolete, or am I missing something dead obvious?

Details:

  • After installation I sudo & edit the users file (different locations in Fedora vs Ubuntu) and add this: `tester Cleartext-Password := "secret"`
  • Run the server: `sudo freeradius -X -xx -i 127.0.0.1 -p 1645`
  • In another terminal, run: `radtest -x -4 -t eap-md5 tester secret 127.0.0.1:1645 0 testing123`
  • Get this:
```
Sent Access-Request Id 36 from 0.0.0.0:50449 to 127.0.0.1:1645 length 69
        User-Name = "tester"
        Cleartext-Password = "secret"
        NAS-IP-Address = 127.0.1.1
        NAS-Port = 0
        Message-Authenticator = 0x00
        EAP-Code = Response
        EAP-Type-Identity = 0x4a49473436
        EAP-Message = 0x0271000a014a49473436
failed decoding EAP: EAP-Message not found
Transaction: 0, received packet (id: 36).
Received Access-Reject Id 36 from 127.0.0.1:1645 to 0.0.0.0:50449 length 20
EAP transaction finished, but reply is not an Access-AcceptDeallocating (sockfd: 5, id: 36)
```

Get this in the server log:

```
Mon Aug 14 17:36:54 2023 : Debug: (0) Received Access-Request Id 36 from 127.0.0.1:50449 to 127.0.0.1:1645 length 69
Mon Aug 14 17:36:54 2023 : Debug: (0)   User-Name = "tester"
Mon Aug 14 17:36:54 2023 : Debug: (0)   NAS-IP-Address = 127.0.1.1
Mon Aug 14 17:36:54 2023 : Debug: (0)   NAS-Port = 0
Mon Aug 14 17:36:54 2023 : Debug: (0)   Message-Authenticator = 0x75a83521d32f7707cc160bf43d15fc04
Mon Aug 14 17:36:54 2023 : Debug: (0)   EAP-Message = 0x0271000a014a49473436
Mon Aug 14 17:36:54 2023 : Debug: (0) session-state: No State attribute
Mon Aug 14 17:36:54 2023 : Debug: (0) Empty authorize section.  Using default return values.
Mon Aug 14 17:36:54 2023 : ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Mon Aug 14 17:36:54 2023 : Debug: (0) Failed to authenticate the user
Mon Aug 14 17:36:54 2023 : Debug: (0) Using Post-Auth-Type Reject
Mon Aug 14 17:36:54 2023 : Debug: (0) Post-Auth-Type sub-section not found.  Ignoring.
Mon Aug 14 17:36:54 2023 : Debug: (0) Delaying response for 1.000000 seconds
Mon Aug 14 17:36:54 2023 : Debug: Waking up in 0.3 seconds.
Mon Aug 14 17:36:54 2023 : Debug: Waking up in 0.6 seconds.
Mon Aug 14 17:36:55 2023 : Debug: (0) Sending delayed response
Mon Aug 14 17:36:55 2023 : Debug: (0) Sent Access-Reject Id 36 from 127.0.0.1:1645 to 127.0.0.1:50449 length 20
Mon Aug 14 17:36:55 2023 : Debug: Waking up in 3.9 seconds.
Mon Aug 14 17:36:59 2023 : Debug: (0) Cleaning up request packet ID 36 with timestamp +20
Mon Aug 14 17:36:59 2023 : Info: Ready to process requests
```

So it looks like the server does not even attempt to start the EAP handshake.

From googling, "No state attribute" is not an error.
What I don't understand is "Empty authorize section". The full server log clearly shows the authorize section in the config (untouched, as installed). Can provide the full log.

Similar questions, unanswered and abandoned: this, this.

Thoughts?

ddbug
  • found also this. But don't want sql yet. Neither docker and so on. https://stackoverflow.com/questions/50971438/expected-access-accept-got-access-reject-in-freeradius-tutorial – ddbug Aug 14 '23 at 14:59
  • Yes, "files" line is present in `sites-enabled/default` – ddbug Aug 14 '23 at 15:00

1 Answer


Received answer via the freeradius mailing list - thanks to Alan DeKok.

Here is my summary for those who may stumble upon the same issue later:

  • Version 3.0.20 is too old for them; advised to install a recent pre-built package, referenced on their main website and wiki
    • Packages for Fedora are currently listed only in the wiki. From the list of packages, you need only the 1st one and freeradius-utils-... for radtest.
  • Installed on Fedora without any issues for me. Except that radiusd complained about server certificate not found. To fix this, go to /etc/raddb/certs and sudo make all
  • The default config, as installed, works for localhost only if the server runs with default address and port (this means no -i, -p args. Not even -i 127.0.0.1 -p 1812.). Else the server won't find its legs and arms and will miserably fail with non-helpful debug spew.
  • Then the radtest command succeeds.
    In the server log, look for `# Executing section authorize ...` - this starts the actual server pondering of the request.

The test success in the server log looks like this:

```
 pap: Comparing with "known good" Cleartext-Password "secret" (6)
 Debug: (2) pap: User authenticated successfully
 Debug: (2)     modsingle[authenticate]: returned from pap (rlm_pap)
 Debug: (2)     [pap] = ok
 Debug: (2)   } # Auth-Type PAP = ok
```
ddbug
  • The above hints work for me also with freeradius version `3.0.20`, on Ubuntu and under Windows WSL; with real external authenticator (a Cisco switch) and real end user device with `wpa_supplicant` – ddbug Aug 15 '23 at 08:53
  • Tried to change the default IP port for freeradius in various config files (proxy.conf 'home server', clients.conf....) - without success. Stuck to the default port. – ddbug Aug 15 '23 at 08:57
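
A triage helper for the two debug-log patterns contrasted on this page, the rejected run with "Empty authorize section" and the accepted run where the authorize section executes. This is an added example, not part of the original post or of FreeRADIUS; the function name, result labels and sample log lines are constructed here, with the sample lines modelled on the output quoted above.

```shell
#!/bin/sh
# Added example: classify a saved `-X` debug log. Labels are this example's own.
classify_radius_debug() {
    # $1 = path to a file holding the server's debug output
    awk '
        /Received Access-Request/        { seen = 1 }
        /Empty authorize section/        { empty = 1 }
        /# Executing section authorize/  { ran = 1 }
        /No Auth-Type found/             { noauth = 1 }
        /Sent Access-Accept/             { accept = 1 }
        /Sent Access-Reject/             { reject = 1 }
        END {
            if (!seen)                print "no-request"
            else if (accept)          print "accept"
            else if (empty)           print "reject-empty-authorize"
            else if (reject && !ran)  print "reject-authorize-not-run"
            else if (noauth)          print "reject-no-auth-type"
            else if (reject)          print "reject-other"
            else                      print "no-reply"
        }' "$1"
}

# Constructed sample 1: key lines of the failing run shown in the question.
FAIL_LOG=$(mktemp)
cat > "$FAIL_LOG" <<'EOF'
Debug: (0) Received Access-Request Id 36 from 127.0.0.1:50449 to 127.0.0.1:1645 length 69
Debug: (0) Empty authorize section.  Using default return values.
ERROR: (0) No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
Debug: (0) Sent Access-Reject Id 36 from 127.0.0.1:1645 to 127.0.0.1:50449 length 20
EOF

# Constructed sample 2: a successful PAP run on the default port (ids, ports
# and the config path are made up for illustration).
OK_LOG=$(mktemp)
cat > "$OK_LOG" <<'EOF'
Debug: (2) Received Access-Request Id 7 from 127.0.0.1:40000 to 127.0.0.1:1812 length 76
Debug: (2) # Executing section authorize from file /etc/raddb/sites-enabled/default
Debug: (2) pap: User authenticated successfully
Debug: (2) Sent Access-Accept Id 7 from 127.0.0.1:1812 to 127.0.0.1:40000 length 20
EOF

classify_radius_debug "$FAIL_LOG"
classify_radius_debug "$OK_LOG"
```

A `reject-empty-authorize` result means the request never reached the `files` or `pap` modules, so the entry in the users file was not consulted at all.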