Freeradius: Android device: Login incorrect "no User-Password attribute"



  • Hi,

    I think I just haven't set up the client/server configuration quite right.  I've checked the username/password using radtest against the RADIUS server, and it is accepted.

    Every time my Android 5.1 device (FYI tested successfully on non-RADIUS wireless) tries to access the RADIUS wireless, the RADIUS proxy server records the below entry in the logs:

    
    radiusd[38289]: Login incorrect (Home Server says so): [username@REALM/<no User-Password attribute>] (from client wirelessap port 0 cli XX-XX-XX-XX-XX-XX) username@REALM
    

    I tried it with an incorrect password using radtest, and it gave a similar message but actually showed the incorrect password, whereas this one says there is no attribute at all.

    I think I've not configured the client quite right.  Under the wireless settings, I have set:

    
    SSID: myssid
    EAP Method: PEAP
    Phase-2 authentication: MSCHAPV2
    CA Certificate: (unspecified)  <---- So far as I am aware, this is not actually required???
    Identity: username@REALM
    Anonymous identity: (blank)
    Password: password
    Proxy: None
    IP settings: Static
    IP address: 10.x.x.x
    Gateway: 10.x.x.1
    Network prefix length: 24
    DNS 1: 10.x.x.1
    

    I have posted my radiusd.conf and eap.conf files from the server below.  Any ideas?

    Regards,
    Rob.

    radiusd.conf

    
    /usr/pbi/freeradius-amd64/etc/raddb/radiusd.conf
    # radiusd.conf as pasted by the poster (FreeBSD pbi layout). Addresses are
    # redacted as 10.x.x.x, so listener/interface overlaps cannot be checked from here.
    prefix = /usr/pbi/freeradius-amd64
    exec_prefix = ${prefix}
    sysconfdir = ${prefix}/etc
    localstatedir = /var
    sbindir = ${exec_prefix}/sbin
    logdir = ${localstatedir}/log
    raddbdir = ${sysconfdir}/raddb
    radacctdir = ${logdir}/radacct
    confdir = ${raddbdir}
    run_dir = ${localstatedir}/run
    # NOTE(review): libdir is empty in the paste - presumably trimmed when posting; confirm.
    libdir = 
    pidfile = ${run_dir}/radiusd.pid
    db_dir = ${raddbdir}
    name = radiusd
    max_request_time = 30
    cleanup_delay = 5
    max_requests = 1024
    hostname_lookups = no
    # Keep core dumps off: a core of radiusd would contain client shared secrets
    # and the TLS private key loaded from eap.conf.
    allow_core_dumps = no
    regular_expressions = yes
    extended_expressions = yes
    # Auth listener on loopback - presumably what the local radtest checks above hit.
    listen {
    		type = auth
    		ipaddr = 127.0.0.1
    		port = 1812
    }
    # Four more auth listeners, all shown with the redacted address 10.x.x.x:1812.
    # Assumed to be distinct interfaces in the real file; two identical bindings would conflict.
    listen {
    		type = auth
    		ipaddr = 10.x.x.x
    		port = 1812
    }
    listen {
    		type = auth
    		ipaddr = 10.x.x.x
    		port = 1812
    }
    # type = proxy: the socket from which requests forwarded to the home server are sent.
    listen {
    		type = proxy
    		ipaddr = 10.x.x.x
    		port = 1814
    }
    listen {
    		type = auth
    		ipaddr = 10.x.x.x
    		port = 1812
    }
    
    log {
    	destination = syslog
    	file = ${logdir}/radius.log
    	syslog_facility = daemon
    	stripped_names = no
    	auth = yes
    	# auth_badpass = yes writes the rejected password into the syslog line
    	# (this is why the radtest failure above showed the wrong password).
    	# Mistyped real passwords land in syslog the same way; consider "no",
    	# or restrict who can read the daemon-facility log.
    	auth_badpass = yes
    	auth_goodpass = no
    	msg_goodpass = ""
    	msg_badpass = "%{User-Name}"
    }
    checkrad = ${sbindir}/checkrad
    security {
    	max_attributes = 200
    	# One-second delay before Access-Reject slows down password guessing.
    	reject_delay = 1
    	# Status-Server probes are not answered.
    	status_server = no
    }
    # Realm routing and the home-server pool live in proxy.conf; the realm-stripping
    # fix ("nostrip") described later in the thread belongs in that file.
    proxy_requests = yes
    $INCLUDE  proxy.conf
    # NAS definitions and their shared secrets.
    $INCLUDE  clients.conf
    thread pool {
    	start_servers = 5
    	max_servers = 32
    	min_spare_servers = 3
    	max_spare_servers = 10
    	max_queue_size = 65536
    	max_requests_per_server = 0
    }
    modules {
    	$INCLUDE ${confdir}/modules/
    	$INCLUDE eap.conf
    }
    instantiate {
    
    	exec
    	expr
    	daily
    	weekly
    	monthly
    	forever
    	expiration
    	logintime
    }
    $INCLUDE policy.conf
    $INCLUDE sites-enabled/
    
    

    eap.conf

    
    /usr/pbi/freeradius-amd64/etc/raddb/eap.conf
    ### EAP
    	# eap.conf as pasted. The Android profile above uses PEAP with inner MSCHAPv2.
    	eap {
    		default_eap_type = mschapv2
    		timer_expire     = 60
    		ignore_unknown_eap_types = no
    		cisco_accounting_username_bug = no
    		max_sessions = 256
    		tls {
    			certdir = ${confdir}/certs
    			cadir = ${confdir}/certs
    			# NOTE(review): "whatever" is the passphrase value the stock eap.conf ships with.
    			# If the deployed key really uses it, the passphrase adds no protection and file
    			# permissions on server_key.pem are the only thing guarding the key - confirm.
    			private_key_password = whatever
    			private_key_file = ${certdir}/server_key.pem
    			certificate_file = ${certdir}/server_cert.pem
    			# This CA is what the supplicant should be configured to trust. The Android
    			# profile above leaves "CA Certificate" unspecified, so that client cannot tell
    			# this server from an impostor presenting its own certificate before the inner
    			# MSCHAPv2 exchange starts.
    			CA_file = ${cadir}/ca_cert.pem
    			dh_file = ${certdir}/dh
    			random_file = ${certdir}/random
    			fragment_size = 1024
    			include_length = yes
    			# Revocation is not checked (check_crl = no, ocsp disabled below). For EAP-TLS,
    			# as in the last reply, a revoked client certificate would still be accepted.
    			check_crl = no
    			CA_path = ${cadir}
    			# "DEFAULT" defers to the OpenSSL build's default cipher set - TODO confirm it
    			# matches local policy.
    			cipher_list = "DEFAULT"
    			ecdh_curve = "prime256v1"
    			# TLS session resumption cache; in the stock eap.conf lifetime is in hours - confirm.
    			cache {
    			      enable = yes
    			      lifetime = 1
    			      max_entries = 255
    			}
    			verify {
    			}
    			ocsp {
    			      enable = no
    			      override_cert_url = no
    			      url = "http://127.0.0.1/ocsp/"
    			}
    		}
    		# TTLS defaults to EAP-MD5 inside the tunnel; not used by the PEAP client in this thread.
    		ttls {
    			default_eap_type = md5
    			copy_request_to_tunnel = no
    			use_tunneled_reply = no
    			include_length = yes
    		}
    		# Outer request attributes are not copied into the tunnel and inner reply
    		# attributes are not copied out (both set to no).
    		peap {
    			default_eap_type = mschapv2
    			copy_request_to_tunnel = no
    			use_tunneled_reply = no
    		}
    		# Inner MSCHAPv2 with stock settings.
    		mschapv2 {
    		}	
    	}
    
    


  • Solved.

    It wasn't a problem with most of my configuration; it turned out to be a change needed in the proxy.conf file on pfSense.

    It turns out that when freeRADIUS decodes an EAP message, there is an EAP Identity field that the original username is populated into.  The RADIUS server performing the authentication will compare the Identity to the User-Name submitted, and if they do not match it will reject the request.

    freeRADIUS has a default behaviour that affects this.  Upon receiving a username qualified by a Realm (which I use because the proxy needs that information to route the request), it will strip the realm off before matching the username.

    In the case of a proxy server, this results in the User-Name being modified so that it differs from the EAP Identity field before being sent to the actual authenticating server.  This in turn results in a rejection due to the mismatch between the two fields.

    In order to prevent the Realm from being stripped away (which is still acceptable to Kerberos for the User-Name), you need to put the keyword "nostrip" in the proxy.conf file on the proxy RADIUS server, within the realm section and just before the auth_pool is defined.

    This will ensure that the values received by the authenticating server are a match, and allow the process to complete.

    Regards,
    Rob.



  • Hello,
    I have the same kind of issue.
    I am able to use EAP-TLS with a Windows 8.1 machine just fine.
    I was unable to connect my Android 5.0.1 device "LG G3" using EAP-TLS.
    I imported the p12 cert and CA and installed both certificates on the device.
    I am getting this error:
    radiusd[43014]: Login incorrect: [<no User-Name attribute>] (from client xxxxxxx port 0)

    I am kind of a noob on all this EAP stuff but trying to learn.

    Please help.

