Freeradius: Android device: Login incorrect "no User-Password attribute"
-
Hi,
I think I just haven't set up the configuration of the client/server quite right. I've checked the username/password using radtest against the radius server, and it is accepted.
Every time my Android 5.1 device (FYI tested successfully on non-RADIUS wireless) tries to access the RADIUS wireless, the RADIUS proxy server records the below entry in the logs:

    radiusd[38289]: Login incorrect (Home Server says so): [username@REALM/<no User-Password attribute>] (from client wirelessap port 0 cli XX-XX-XX-XX-XX-XX) username@REALM
I tried it with an incorrect password using radtest, and it gave a similar message but actually showed the incorrect password, whereas this says no attribute.
I think I've not configured the client quite right. Under the wireless settings, I have set:
    SSID: myssid
    EAP Method: PEAP
    Phase-2 authentication: MSCHAPV2
    CA Certificate: (unspecified)   <---- So far as I am aware, this is not actually required???
    Identity: username@REALM
    Anonymous identity: <blank>
    Password: password
    Proxy: None
    IP settings: Static
    IP address: 10.x.x.x
    Gateway: 10.x.x.1
    Network prefix length: 24
    DNS 1: 10.x.x.1
I have posted my radiusd.conf and eap.conf files from the server below. Any ideas?
Regards,
Rob.

radiusd.conf

    /usr/pbi/freeradius-amd64/etc/raddb/radiusd.conf

    prefix = /usr/pbi/freeradius-amd64
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run
    libdir =
    pidfile = ${run_dir}/radiusd.pid
    db_dir = ${raddbdir}
    name = radiusd
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    hostname_lookups = no
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes

    listen {
        type = auth
        ipaddr = 127.0.0.1
        port = 1812
    }
    listen {
        type = auth
        ipaddr = 10.x.x.x
        port = 1812
    }
    listen {
        type = auth
        ipaddr = 10.x.x.x
        port = 1812
    }
    listen {
        type = proxy
        ipaddr = 10.x.x.x
        port = 1814
    }
    listen {
        type = auth
        ipaddr = 10.x.x.x
        port = 1812
    }

    log {
        destination = syslog
        file = ${logdir}/radius.log
        syslog_facility = daemon
        stripped_names = no
        auth = yes
        auth_badpass = yes
        auth_goodpass = no
        msg_goodpass = ""
        msg_badpass = "%{User-Name}"
    }

    checkrad = ${sbindir}/checkrad

    security {
        max_attributes = 200
        reject_delay = 1
        status_server = no
    }

    proxy_requests = yes
    $INCLUDE proxy.conf
    $INCLUDE clients.conf

    thread pool {
        start_servers = 5
        max_servers = 32
        min_spare_servers = 3
        max_spare_servers = 10
        max_queue_size = 65536
        max_requests_per_server = 0
    }

    modules {
        $INCLUDE ${confdir}/modules/
        $INCLUDE eap.conf
    }

    instantiate {
        exec
        expr
        daily
        weekly
        monthly
        forever
        expiration
        logintime
    }

    $INCLUDE policy.conf
    $INCLUDE sites-enabled/
eap.conf
    /usr/pbi/freeradius-amd64/etc/raddb/eap.conf

    ### EAP
    eap {
        default_eap_type = mschapv2
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        max_sessions = 256

        tls {
            certdir = ${confdir}/certs
            cadir = ${confdir}/certs
            private_key_password = whatever
            private_key_file = ${certdir}/server_key.pem
            certificate_file = ${certdir}/server_cert.pem
            CA_file = ${cadir}/ca_cert.pem
            dh_file = ${certdir}/dh
            random_file = ${certdir}/random
            fragment_size = 1024
            include_length = yes
            check_crl = no
            CA_path = ${cadir}
            cipher_list = "DEFAULT"
            ecdh_curve = "prime256v1"
            cache {
                enable = yes
                lifetime = 1
                max_entries = 255
            }
            verify {
            }
            ocsp {
                enable = no
                override_cert_url = no
                url = "http://127.0.0.1/ocsp/"
            }
        }

        ttls {
            default_eap_type = md5
            copy_request_to_tunnel = no
            use_tunneled_reply = no
            include_length = yes
        }

        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = no
            use_tunneled_reply = no
        }

        mschapv2 {
        }
    }
-
Solved.
It wasn't a problem with most of my configuration; it turned out to be a change to the proxy.conf file on pfSense.
It turns out that when freeRADIUS decodes an eap message, there is an eap Identity field that the original username is populated into. The RADIUS server performing the authentication will compare the Identity to the User-Name submitted, and if they do not match it will reject the request.
freeRADIUS has a default behaviour that affects this. Upon receiving a username qualified by a Realm (which I use because the proxy needs that information to route the request), it will strip the realm off before matching the username.
In the case of a proxy server, this results in the User-Name being modified to be different to the eap Identity field, before being sent to the actual authenticating server. This in turn results in a rejection due to the mismatch between the two fields.
In order to prevent the Realm from being stripped away (which is still acceptable to Kerberos for the User-Name), you need to put the keyword "nostrip" in the proxy.conf file on the proxy RADIUS server, within the realm section and just before the auth_pool is defined.
This will ensure that the values received by the authenticating server are a match, and allow the process to complete.
Regards,
Rob.
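The proxy.conf realm block described in the post above, written out as an added example (this is not Rob's actual pfSense configuration); the realm name, pool name, home server address and shared secret are placeholders:

```conf
# Added example of a realm definition on the proxying FreeRADIUS server.
# Realm, pool and home server names, the address and the secret are
# placeholders, not values taken from the thread.
realm EXAMPLE.REALM {
    # Keep the @EXAMPLE.REALM suffix on User-Name when forwarding.
    # Without nostrip the proxy removes the realm, User-Name no longer
    # matches the identity carried inside the EAP message, and the home
    # server rejects the request.
    nostrip
    auth_pool = example_auth_pool
}

home_server_pool example_auth_pool {
    type = fail-over
    home_server = example_home_server
}

home_server example_home_server {
    type = auth
    ipaddr = 10.0.0.2        # placeholder home server address
    port = 1812
    secret = CHANGE_ME       # placeholder shared secret
}
```

To confirm the change took effect, run the proxy in debug mode (radiusd -X) and check that the Access-Request it forwards still carries the full User-Name, realm included, rather than the stripped form.

-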
Hello,
I have the same kind of issue.
I am able to use EAP-TLS with a Windows 8.1 machine just fine.
I was unable to connect my Android 5.0.1 device "LG G3" using EAP-TLS.
I imported the p12 cert and CA and installed both certificates on the device.
I am getting this error:

    radiusd[43014]: Login incorrect: [<no User-Name attribute>] (from client xxxxxxx port 0)

I am kind of a noob on all this EAP thing but trying to learn.
Please help.